Have been able to restrict access to certain interfaces through command authorization but when I try to allow access to shutdown or no shutdown arguments ACS report "unknown command" in logs and command auth fails. If it is an error with syntax log reports "command denied" so I don't think that's the problem. Am I adding argument to the correct command, for instance:
Ethernet -> permit shutdown
This is what you need to define under shell command authorization
Unmatched command >> Permit unmatched arg
no -- Permit shutdown
shutdown -- Permit
NOTE: Do not check permit Unmatched args for above args.