Chapter 4
Managing GSS User Accounts Through a TACACS+ Server
OL-10410-01
4. For unlimited GSS command access, under Unmatched Cisco IOS Commands, click the Permit option. Leave the command field blank.
5. Set access restrictions on specific GSS CLI commands as follows:
   a. Check the Command check box.
   b. Click the Deny option.
   c. Type the command name in the Command text box, along with any required arguments to the command that you want to permit or deny.
   The specified commands are denied for the group depending on the setting of the Unmatched Cisco IOS Commands parameters.
6. Configure arguments for a specified CLI command by entering strings in the Arguments text box as follows:
      deny <arg1 ... argN>
      permit <arg1 ... argN>
   Arguments are case sensitive and must exactly match the text that the GSS sends to the Cisco Secure ACS. For each argument of the Cisco IOS command, specify whether the argument is to be permitted or denied. Enter each one in the format permit argument or deny argument.
   The GSS device may submit arguments in a format different from what a user types at a GSS CLI prompt. To create effective device CLI command sets, see the Cisco Global Site Selector Command Reference for proper CLI command syntax.
7. Under Unlimited Arguments, choose Deny to permit only those arguments listed. Choose Permit to allow users to issue all arguments not specifically listed.
8. Repeat Steps 5 through 7 for each CLI command that you want to restrict. Configure multiple commands by clicking the Submit button after each command. A new command configuration section appears for subsequent commands.

The following are examples of permitting and denying CLI commands:
• To deny all CLI commands except the show users CLI command (see Figure 4-4), do the following:
   a. Click the Deny option under Per Group Command Authorization.
   b. Enter show in the Command text box.
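The settings in Steps 4 through 7 interact, so it helps to check a planned command set against the requests you expect before entering it. The following is an added example, not Cisco Secure ACS code and not part of the original guide: a simplified model of how the unmatched-command default, the per-command argument lines, and the unlisted-argument default combine. Assumptions: exact whole-string argument matching, the `show users` command set as completed here, and the sample requests, which are constructed.

```python
from dataclasses import dataclass, field

PERMIT, DENY = "permit", "deny"

@dataclass
class CommandRule:
    """One Command entry: its Arguments lines and the unlisted-arguments default."""
    arg_lines: list                 # e.g. ["permit users"]
    unlisted_args: str = DENY

@dataclass
class CommandSet:
    """Simplified model of a per-group command set (not ACS's real logic)."""
    unmatched_commands: str = DENY  # step 4: Permit here means unlimited access
    rules: dict = field(default_factory=dict)

    def authorize(self, command, args=""):
        rule = self.rules.get(command)          # case-sensitive command lookup
        if rule is None:
            return self.unmatched_commands      # command not configured
        for line in rule.arg_lines:
            action, _, listed = line.strip().partition(" ")
            if action not in (PERMIT, DENY):
                raise ValueError(f"bad argument line: {line!r}")
            if listed == args:                  # assumed: exact whole-string match
                return action
        return rule.unlisted_args               # step 7: arguments not listed

def review(command_set, requests):
    """Return (command, args, decision) for each request the device would send."""
    return [(c, a, command_set.authorize(c, a)) for c, a in requests]

# Constructed command set: deny everything except "show users".
SHOW_USERS_ONLY = CommandSet(DENY, {"show": CommandRule(["permit users"], DENY)})
# Same rule with the step 7 default flipped to Permit.
LOOSE = CommandSet(DENY, {"show": CommandRule(["permit users"], PERMIT)})

# Constructed requests, written as (command, argument string) pairs.
REQUESTS = [("show", "users"), ("show", "Users"), ("show", "version"), ("reload", "")]

if __name__ == "__main__":
    for name, cs in (("show-users-only", SHOW_USERS_ONLY), ("loose", LOOSE)):
        for command, args, decision in review(cs, REQUESTS):
            print(f"{name:16} {command} {args:8} -> {decision}")
```

In this model, flipping only the unlisted-argument default to Permit lets every other `show` argument through even though unmatched commands are still denied.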
Configuring a TACACS+ Server for Use with the GSS
Cisco Global Site Selector Administration Guide