Configuring AAA on the Cisco Security Appliance

Command Authorization Sets
■ Assign a Shell Command Authorization Set on a Per Network Device Group Basis—In
ACS version 3.1 and later, to apply a shell command authorization set to the TACACS+
AAA clients that belong to a particular Network Device Group (NDG), select this
option, and then use the following options:
— Device Group—From the list, select the NDG to which you want to assign
a shell command authorization set.
— Command Set—From the list, select the shell command authorization set
you want to apply to the NDG.
— Add Association—Click to add the NDG and command set selected to the
Device Group/Command Set list.
— Remove Association—To remove an NDG/command set association, select the
association you want to remove from the Device Group/Command Set list, and
then click Remove Association.
Shell command authorization sets are created and configured in the Shared
Profile Components window.
■ Per Group Command Authorization—To set TACACS+ shell command authorization
on a command-by-command basis, select this option, and then use the following options:
— Unmatched Cisco IOS Commands—To determine how Cisco Secure ACS
handles commands that you do not specify in this section, select either
Permit or Deny as applicable.
— Command—Select this check box, and then enter the command in the
corresponding box. The command can be listed by name for well-known
commands such as telnet, ftp, or http; otherwise, the command should be
listed by protocol/port number (for example, tcp/23).
— Arguments—Here the term “argument” refers to the target address. In this
box, list the target hosts to which access via the command above is to be
permitted or denied, one per line, in the form permit argument or deny
argument (for example, permit 172.16.1.5). Each line permits or denies that
target for this command only.
— Unlisted Arguments—To permit only the arguments listed, select Deny. To
allow users to issue all arguments not specifically listed, select Permit. This
setting applies only to targets not listed for this command; commands that
are not listed at all are handled by the Unmatched Cisco IOS Commands setting.
Figure 18-11 shows the configuration that would allow Telnet access to hosts at 172.16.1.5
and 172.16.1.7.
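The following is an added example, not code from the book or from Cisco Secure ACS. It models the decision logic the Per Group Command Authorization options describe (a default for unmatched commands, per-command argument lines of the form permit target or deny target, and a default for unlisted arguments) so the effect of each setting can be checked against requests. The Figure 18-11 policy is reconstructed from the text; the figure itself is not reproduced here, so its Unmatched Cisco IOS Commands and Unlisted Arguments settings are assumed to be Deny. The request shape (command name plus target host) is an assumption of this model.

```python
"""Model of Cisco Secure ACS per-group command authorization (added example,
not ACS code). Reproduces the documented decision order: exact command match,
then explicit permit/deny argument lines, then the Unlisted Arguments default;
commands with no entry fall to the Unmatched Cisco IOS Commands default."""
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    """One Command entry: a service name (telnet, ftp, http) or protocol/port
    (tcp/23) plus the Arguments box contents as typed into ACS."""
    command: str
    arguments: str            # one "permit <target>" or "deny <target>" per line
    unlisted_arguments: str   # "permit" or "deny"

    def parsed_arguments(self):
        """Parse the Arguments box; reject anything that is not permit/deny."""
        rules = []
        for raw in self.arguments.splitlines():
            line = raw.strip()
            if not line:
                continue
            parts = line.split()
            if len(parts) != 2 or parts[0].lower() not in ("permit", "deny"):
                raise ValueError(
                    f"argument line must be 'permit <target>' or 'deny <target>': {raw!r}")
            rules.append((parts[0].lower(), parts[1]))
        return rules


@dataclass
class PerGroupCommandAuthorization:
    unmatched_commands: str                    # "permit" or "deny"
    rules: dict = field(default_factory=dict)  # command name -> CommandRule

    def add(self, rule):
        self.rules[rule.command.lower()] = rule


def authorize(policy, command, target):
    """Decide one request (command, target host). Returns (allowed, reason)."""
    rule = policy.rules.get(command.lower())
    if rule is None:
        allowed = policy.unmatched_commands == "permit"
        return allowed, (f"command {command!r} not listed; "
                         f"Unmatched Cisco IOS Commands = {policy.unmatched_commands}")
    # Explicit argument lines are checked before the Unlisted Arguments default.
    for action, arg in rule.parsed_arguments():
        if arg == target:
            return action == "permit", f"{action} {arg} matched"
    allowed = rule.unlisted_arguments == "permit"
    return allowed, (f"target {target!r} not listed for {command!r}; "
                     f"Unlisted Arguments = {rule.unlisted_arguments}")


def figure_18_11_policy():
    """Constructed policy for Figure 18-11 as described in the text: Telnet to
    172.16.1.5 and 172.16.1.7 only. Both defaults are assumed to be Deny."""
    policy = PerGroupCommandAuthorization(unmatched_commands="deny")
    policy.add(CommandRule(
        command="telnet",
        arguments="permit 172.16.1.5\npermit 172.16.1.7",
        unlisted_arguments="deny",
    ))
    return policy


if __name__ == "__main__":
    p = figure_18_11_policy()
    for cmd, host in [("telnet", "172.16.1.5"), ("telnet", "172.16.1.9"),
                      ("ftp", "172.16.1.5")]:
        ok, why = authorize(p, cmd, host)
        print(f"{cmd:6} -> {host:12} {'PERMIT' if ok else 'DENY':6} ({why})")
```

The reason string is returned alongside the decision so that a denied request can be traced to the setting that caused it, which is the usual question when a cut-through proxy session is unexpectedly refused: whether the command had no entry at all, or whether the target simply was not listed under Arguments.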