TACACS User Group types

There are two types of user group: a general user group and a group associated with an ACL.

Let's describe each type of group.

General User Group

A TACACS user can be a member of several groups, BUT a user will be a member of only one general user group after login. A user can choose or switch the user group at login time. The best way to explain this is with an example.

For example we have 3 user groups:

  group = group1 {
    default service = deny
    ###Service set-privilege-15 START###
    service = shell {
      set priv-lvl = 15
      default attribute = permit
      default cmd = permit
    } #END OF Cisco Router/Switch Service
    ###Service set-privilege-15 END###
  } #END OF group1
  group = group2 {
    default service = deny
    ###Service set-privilege-14 START###
    service = shell {
      set priv-lvl = 14
      default attribute = permit
      default cmd = permit
    } #END OF Cisco Router/Switch Service
    ###Service set-privilege-14 END###
  } #END OF group2
  group = group3 {
    default service = deny
    ###Service set-privilege-13 START###
    service = shell {
      set priv-lvl = 13
      default attribute = permit
      default cmd = permit
    } #END OF Cisco Router/Switch Service
    ###Service set-privilege-13 END###
  } #END OF group3

The only difference between the groups is the privilege level each one sets.

And a user:

  user = user {
    login = clear "12345678"
    member = group1/group2/group3
    pap = login # Clone login
  } #END OF user

By default, the user is a member of group1, because it is the first group in the list. A user can change the group at login by supplying the username, the separator and the user group name. By default, the separator is * (asterisk); you can change it in Global Settings. Below you can see three different login outputs:

Logging in as user@group1 and as plain user have the same effect: the user becomes a member of group1. You can also change the order of the groups inside a user profile.

Group Associated With ACL

An associated user group is applied to a user only when its ACL matches the connection (the client and device IP addresses).

For example, there are two ACLs and two groups:

  ###ACL only-router-15 START###
  acl = only-router-15 permit {
    # nac = any
    nas = 192.168.11.4
  }
  group = group1 {
    ### Associated with ACL only-router-15
    default service = deny
    ###Service set-privilege-15 START###
    service = shell {
      set priv-lvl = 15
      default attribute = permit
      default cmd = permit
    } #END OF Cisco Router/Switch Service
    ###Service set-privilege-15 END###
  } #END OF group1
  ###ACL only-router-12 START###
  acl = only-router-12 permit {
    # nac = any
    nas = 192.168.11.3
  }
  group = group2 {
    ### Associated with ACL only-router-12
    default service = deny
    ###Service set-privilege-14 START###
    service = shell {
      set priv-lvl = 14
      default attribute = permit
      default cmd = permit
    } #END OF Cisco Router/Switch Service
    ###Service set-privilege-14 END###
  } #END OF group2

And a user:

  user = user {
    login = clear "12345678"
    member acl only-router-15 = group1
    member acl only-router-12 = group2
    pap = login # Clone login
  } #END OF user

Now we connect to device router_12 with IP address 192.168.11.3. We expect the user to receive the settings of group2 and end up with privilege level 14, because group2 is associated with ACL only-router-12, where the NAS IP (device IP) is 192.168.11.3 and the NAC IP (user IP) is any.
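As an added example (not part of this page or the TACACS GUI's own code), the following Python models how both selection rules above resolve a user's effective group and privilege level: the general-group rule (first listed group unless the login names another member group via the separator) and the ACL-associated rule (the group whose ACL matches the NAS and NAC IPs). It assumes first-match order for ACL members and treats a login that names a non-member group as no match; neither detail is stated on the page.

```python
import ipaddress
from typing import Optional

# Constructed sample data mirroring the page's examples (not the tac_plus parser):
# each group maps to the privilege level its "service = shell" block sets.
GROUP_PRIV = {"group1": 15, "group2": 14, "group3": 13}

# ACL definitions from the page: nas = device IP, nac = client IP ("any" = wildcard)
ACLS = {
    "only-router-15": {"nas": "192.168.11.4", "nac": "any"},
    "only-router-12": {"nas": "192.168.11.3", "nac": "any"},
}

def split_login(login: str, separator: str = "*") -> tuple:
    """Split 'user<sep>group' into (user, group); group is None if no separator."""
    user, sep, group = login.partition(separator)
    return user, (group if sep else None)

def acl_matches(acl: dict, nas_ip: str, nac_ip: str) -> bool:
    """An ACL matches when both its nas and nac entries match the connection."""
    for key, ip in (("nas", nas_ip), ("nac", nac_ip)):
        want = acl.get(key, "any")
        if want != "any" and ipaddress.ip_address(want) != ipaddress.ip_address(ip):
            return False
    return True

def resolve_general_group(login: str, members: list,
                          separator: str = "*") -> Optional[str]:
    """General groups: first listed group unless the login names another member group.
    Assumption: a requested group the user is not a member of yields None (no match)."""
    _, requested = split_login(login, separator)
    if requested is None:
        return members[0]
    return requested if requested in members else None

def resolve_acl_group(acl_members: list, nas_ip: str, nac_ip: str) -> Optional[str]:
    """ACL-associated groups: first 'member acl X = group' whose ACL matches (assumed order)."""
    for acl_name, group in acl_members:
        if acl_matches(ACLS[acl_name], nas_ip, nac_ip):
            return group
    return None  # no ACL matched: no group settings are applied

def priv_level(group: Optional[str]) -> Optional[int]:
    """Privilege level the resolved group grants, or None when no group applies."""
    return GROUP_PRIV.get(group) if group else None

if __name__ == "__main__":
    members = ["group1", "group2", "group3"]
    print(priv_level(resolve_general_group("user*group3", members)))   # 13
    acl_members = [("only-router-15", "group1"), ("only-router-12", "group2")]
    print(priv_level(resolve_acl_group(acl_members, "192.168.11.3", "10.0.0.7")))  # 14
```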