However, do you know if there are any solutions without ACS for this?
Or is it required to use third-party software (I still refer to ACS as third-party software since it's not part of the devices) to accomplish this?
What I'm thinking about is whether there is a way to configure different administrative views with access to various commands on one router/switch/network device and globally "push" that config to the rest of the devices.
That way I can use AD for authentication to get access to the devices, and when they log in there would be a local database with the same credentials that would define which commands they'd have access to... but my administration would still be a single point.
Do I confuse you? I know ACS and various software products can accomplish this... but think of it as a "single sign-on" solution for the end user.
As far as I know, only TACACS+ is able to separate authentication from authorization, as this is what you're after, and, as a consequence, you have to use Cisco ACS for this. It allows you to implement SSO since it passes the authentication to AD, and then you can map the AD groups to privileges, commands, or views that you define in ACS for the authorization part. I think this is the most cost-effective solution, but, if the budget allows, you can implement TrustSec/ISE, which is a more granular (and expensive) solution based on 802.1X authentication.
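For reference, this is the device-side IOS configuration that the answer above implies (TACACS+ handles login, ACS forwards the credentials to AD, and ACS returns the exec privilege and per-command authorization); it is an added illustration, not config from anyone in the thread. The server name, address, shared secret and local fallback account are placeholders, and the AD-group-to-privilege mapping itself is configured in ACS, not on the device.

```cisco
! Enable the AAA framework (required for TACACS+ authorization and parser views)
aaa new-model
!
! TACACS+ server definition: address and shared secret are placeholders
tacacs server ACS01
 address ipv4 192.0.2.10
 key ACS-SHARED-SECRET-PLACEHOLDER
!
aaa group server tacacs+ ACS-GROUP
 server name ACS01
!
! Authentication: ACS passes the login to AD; "local" is only the fallback
! used when every TACACS+ server is unreachable, never when ACS rejects a user.
aaa authentication login VTY-AUTH group ACS-GROUP local
!
! Authorization: exec level and individual commands are decided by ACS
! (mapped from AD group membership), which is the authn/authz separation
! the answer refers to. Level 1 and 15 cover both user and privileged EXEC.
aaa authorization exec VTY-AUTHZ group ACS-GROUP local
aaa authorization commands 1 VTY-AUTHZ group ACS-GROUP local
aaa authorization commands 15 VTY-AUTHZ group ACS-GROUP local
! Also authorize configuration-mode commands, not just EXEC commands
aaa authorization config-commands
!
! Accounting: record every privileged command centrally for audit
aaa accounting commands 15 default start-stop group ACS-GROUP
!
! Local break-glass account, used only if TACACS+ is unreachable (placeholder)
username local-admin privilege 15 secret LOCAL-ADMIN-SECRET-PLACEHOLDER
!
! Apply the lists to the remote management lines; SSH only
line vty 0 4
 login authentication VTY-AUTH
 authorization exec VTY-AUTHZ
 authorization commands 1 VTY-AUTHZ
 authorization commands 15 VTY-AUTHZ
 transport input ssh
```

Since the same block works on every device, it can be pushed fleet-wide unchanged, which addresses the single-point-of-administration goal: the per-user command policy changes only in ACS, never on the devices.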