Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

ACS 3.2 Command Authorization Wildcards??

Does anyone know if it is possible to use wildcards with a Shell Command Authorization Set?

I am setting up the following types of users:

Cisco Admins (Unrestricted)

Cisco Operators (restricted, but capable of a lot).

What we want to allow the operators to have enough access to fix a problem, (with us walking them through on the phone), but not allow them the following:

Show run, show start... So they cannot get the passwords.

copy ANYTHING into startup-config. We do not want them to be able to write any configs.

There are so many options to copy from: ftp, tftp, run, flash, etc... I wanted to use a wildcard for

copy; deny * startup-config

copy; deny running-config *

copy; deny startup-config *

this will prevent them from overwriting the startup-config, and will prevent them from copying the configs anywhere, where they can get the encrypted passwords & run a utility to crack the passwords.

As of now, I am putting in all possible options into the authorization set, but I would LOVE to use a wildcard.

Any thoughts?


Re: ACS 3.2 Command Authorization Wildcards??

As of now, wildcards can be used with IP addresses only I guess.

Community Member

Re: ACS 3.2 Command Authorization Wildcards??

I ended up with the following:


deny running-config

deny startup-config

deny tftp startup-config

deny /erase

deny flash startup-config

deny ftp startup-config

deny null startup-config

deny pram startup-config

deny rcp startup-config

deny system startup-config

deny xmodem startup-config

deny ymodem startup-config

CreatePlease to create content