ACS 3.2 Command Authorization Wildcards??

Mar 31st, 2004

Does anyone know if it is possible to use wildcards with a Shell Command Authorization Set?

I am setting up the following types of users:

Cisco Admins (Unrestricted)

Cisco Operators (restricted, but capable of a lot).

What we want is to allow the operators enough access to fix a problem (with us walking them through on the phone), but not allow them the following:

show run, show start... so they cannot get the passwords.

copy ANYTHING into startup-config. We do not want them to be able to write any configs.

There are so many options to copy from: ftp, tftp, run, flash, etc... I wanted to use a wildcard for

copy; deny * startup-config

copy; deny running-config *

copy; deny startup-config *

This will prevent them from overwriting the startup-config, and will prevent them from copying the configs anywhere where they can get the encrypted passwords and run a utility to crack the passwords.

As of now, I am putting in all possible options into the authorization set, but I would LOVE to use a wildcard.

Any thoughts?

didyap Tue, 04/06/2004 - 08:46

As of now, wildcards can be used with IP addresses only I guess.

aaronw Tue, 04/06/2004 - 09:33
I ended up with the following:


deny running-config
deny startup-config
deny tftp startup-config
deny /erase
deny flash startup-config
deny ftp startup-config
deny null startup-config
deny pram startup-config
deny rcp startup-config
deny system startup-config
deny xmodem startup-config
deny ymodem startup-config

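A small model of how a per-command permit/deny argument list like the one above gets evaluated, added here as an illustration; it is not code from this thread or from Cisco ACS. It assumes a simplified matching scheme (each permit/deny line is compared token by token as a prefix of the typed arguments, each command carries a "permit unmatched args" or "deny unmatched args" default, and commands not in the set fall to an "unmatched commands" default); the exact matching rules ACS applies may differ. Fed the posted deny list, it shows the practical weakness of enumerating copy sources: a source that was not written down falls through to the permit-unmatched-args default, whereas an explicit permit list combined with deny-unmatched-args blocks it.

```python
"""Toy evaluator for a shell command authorization set (constructed example).

Assumptions, not taken from ACS documentation: rules are (action, argument
prefix) pairs matched token by token and in order; a per-command default
applies when no rule matches; unlisted commands get the set-wide default.
"""
from dataclasses import dataclass, field


@dataclass
class CommandEntry:
    """One command in the set: ordered permit/deny argument rules plus a default."""
    rules: list                  # [(action, pattern_tokens)], action is "permit" or "deny"
    unmatched_args: str = "deny"  # decision when no rule matches the typed arguments


@dataclass
class AuthSet:
    """The whole set: command word -> CommandEntry, plus the unlisted-command default."""
    commands: dict = field(default_factory=dict)
    unmatched_commands: str = "deny"


def parse_rules(text):
    """Turn lines such as 'deny tftp startup-config' into (action, pattern) tuples."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        action, pattern = parts[0], tuple(parts[1:])
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in rule: {line!r}")
        rules.append((action, pattern))
    return rules


def _prefix_match(pattern, args):
    """True when the typed arguments start with every token of the pattern."""
    return len(pattern) <= len(args) and tuple(args[:len(pattern)]) == pattern


def authorize(auth_set, command_line):
    """Return 'permit' or 'deny' for one full command line typed at the CLI."""
    tokens = command_line.split()
    if not tokens:
        return "deny"
    cmd, args = tokens[0], tokens[1:]
    entry = auth_set.commands.get(cmd)
    if entry is None:                      # command not listed at all
        return auth_set.unmatched_commands
    for action, pattern in entry.rules:    # first matching rule wins
        if _prefix_match(pattern, args):
            return action
    return entry.unmatched_args            # nothing matched: per-command default


# The deny list posted in the thread, entered as the 'copy' command's rules.
ENUMERATED_DENIES = """
deny running-config
deny startup-config
deny tftp startup-config
deny /erase
deny flash startup-config
deny ftp startup-config
deny null startup-config
deny pram startup-config
deny rcp startup-config
deny system startup-config
deny xmodem startup-config
deny ymodem startup-config
"""

SHOW_DENIES = "deny running-config\ndeny startup-config"


def operator_set_permit_unmatched():
    """Deny list with 'permit unmatched args': any copy form not listed is allowed."""
    s = AuthSet(unmatched_commands="deny")
    s.commands["copy"] = CommandEntry(parse_rules(ENUMERATED_DENIES), "permit")
    s.commands["show"] = CommandEntry(parse_rules(SHOW_DENIES), "permit")
    return s


def operator_set_deny_unmatched():
    """Allow-list variant: only the named copy form is permitted, all else denied."""
    s = AuthSet(unmatched_commands="deny")
    s.commands["copy"] = CommandEntry(parse_rules("permit tftp flash"), "deny")
    s.commands["show"] = CommandEntry(parse_rules(SHOW_DENIES), "permit")
    return s


if __name__ == "__main__":
    # 'scp' stands in for any copy source the deny list did not enumerate.
    for line in ("copy tftp startup-config", "copy running-config tftp",
                 "copy scp startup-config", "show interfaces", "write memory"):
        print(f"{line:28s} deny-list: {authorize(operator_set_permit_unmatched(), line):6s}"
              f" allow-list: {authorize(operator_set_deny_unmatched(), line)}")
```

The point the run makes: under the deny-list set, `copy scp startup-config` is permitted simply because that source was never written down, while the allow-list set denies it without anyone having to know every copy source IOS supports. Commands absent from the set, such as `write memory`, are decided by the set-wide unmatched-commands default in both variants.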