[c-nsp] ACS and overlapping ranges

Tim Franklin tim at pelican.org
Tue Apr 29 06:42:33 EDT 2008


Hi all,

I'm in the process of migrating router AAA from RADIUS on Some Other
Platform to TACACS on ACS, and I've hit a bit of a snag.

I'm making extensive use of the Network Groups in combination with User
Groups to give a matrix of appropriate access rights, which has worked
well for core and edge devices and various ops teams across different
countries, but not so well for CE routers.

We have, at the moment, a /19 allocated to management addresses for CE
devices.  Obviously I don't want to list every single one of those devices
as an individual AAA client, so I was looking at putting in a single entry
with a range.  (Ignoring for the moment the very strange address
wildcarding in ACS).

However, there are some CE routers that need to go into a distinct group
from the rest, as they need special treatment - typically that a customer
has limited access.  I'd have hoped that ACS would follow the common-sense
route of taking the most specific match - but it doesn't even let you
configure an AAA client with a range at the same time as a specific host
entry from within that range.

Am I really the first person to want to do this?  It seems an obvious way
to work, general case, then pull out specific exceptions... Is there some
simple solution that I'm missing?

Going forward, I could carve off part of my /19 to be reserved for
'special cases' and take it out of the general range, but that would still
necessitate re-numbering all the 'special case' devices that already exist
in the network :(

Advice is very welcome.

Thanks in advance,
Tim.
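The behaviour asked for above (most-specific match across a general CE range with host exceptions), the overlap check that ACS enforces, and the "carve-out" alternative that avoids overlap without renumbering, as an added worked example in Python. This is not code from the post or from ACS; the addresses, entry names and group names are constructed, and carve_out assumes the AAA-client entries can be expressed as CIDR prefixes.

```python
import ipaddress

# Constructed AAA-client table modelled on the post's design: one general
# range for all CE management addresses plus specific entries that must land
# in a different network group. Addresses and group names are made up.
AAA_CLIENTS = [
    ("ce-general", "10.20.0.0/19", "CE-Routers"),
    ("ce-cust-a",  "10.20.5.7/32", "CE-Customer-Limited"),
    ("ce-cust-b",  "10.20.9.0/28", "CE-Customer-Limited"),
    ("core-rtr-1", "10.99.0.1/32", "Core"),
]

def parse_clients(entries):
    return [(name, ipaddress.ip_network(cidr), group) for name, cidr, group in entries]

def most_specific_group(client_ip, entries=AAA_CLIENTS):
    """Longest-prefix match: the containing entry with the longest prefix wins,
    so a host entry overrides the range it sits in.
    Returns (entry name, network group), or None if nothing matches."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for name, net, group in parse_clients(entries):
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net, group)
    return None if best is None else (best[0], best[2])

def find_overlaps(entries=AAA_CLIENTS):
    """Pairs of entries whose ranges overlap: the combinations the post
    reports ACS will not accept side by side."""
    parsed = parse_clients(entries)
    return [(a[0], b[0]) for i, a in enumerate(parsed)
            for b in parsed[i + 1:] if a[1].overlaps(b[1])]

def carve_out(general, exceptions):
    """Rewrite a general range as the CIDR blocks covering everything in it
    except the exceptions, so the table has no overlapping entries and no
    existing device has to be renumbered."""
    remaining = [ipaddress.ip_network(general)]
    for exc in map(ipaddress.ip_network, exceptions):
        kept = []
        for net in remaining:
            if net.subnet_of(exc):       # fully covered by the exception: drop it
                continue
            if exc.subnet_of(net):       # exception inside this block: split around it
                kept.extend(net.address_exclude(exc))
            else:
                kept.append(net)
        remaining = kept
    return sorted(remaining)
```

For the constructed table, the /19 minus a /32 and a /28 becomes 19 non-overlapping blocks, which is the price of expressing exceptions this way.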
