
EEM Lightweight AAA Server Sample

Sample applet to deny certain users from running commands, and also store each command users have entered into a file.

This applet reads a denylist file and compares each entry against the user running a command and the command itself. If the user and command pair is listed in the denylist file, the user will not be able to run the command. The applet also appends every command, accepted or rejected, to a cmdhistory file. As written, the applet opens both files on disk2:; change the file system location to suit your platform. EEM 4.0 is required to run this applet.

Sample denylist file (one entry per line: a username, a space, then the command that user may not run):

cisco show users
cisco configure terminal


event manager applet testcli
! Fire synchronously on every CLI command so the applet can allow or block it
event cli pattern .* sync yes
! Open the denylist for reading and the command history for appending
action 101 file open in disk2:denylist r
action 102 file open out disk2:cmdhistory a
! Read the whole denylist into _jpres
action 103 file read in _jpres
! Build "<username> <command as typed>" for comparison
action 104 set tester "$_cli_username"
action 105 append tester " $_cli_msg"
! Compare against each denylist line; this is an exact string match
action 106 foreach value "$_jpres" "\n"
action 107  if $tester eq $value
action 108   puts "$_cli_username is not authorized to run $_cli_msg"
action 109   file puts out "REJECT: $_cli_username: $_cli_msg"
! exit 0 tells EEM not to run the command
action 110   exit 0
action 111  end
action 112 end
action 113 file puts out "ACCEPT: $_cli_username: $_cli_msg"
! exit 1 tells EEM to run the command
action 114 exit 1
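To check the decision logic off-box before pasting the applet onto a device, here is an added reference model of it in Python; it is not Cisco code and is not part of the original post. It assumes, as the applet does, that $_cli_username is the login name and $_cli_msg is the command string as the user typed it, and it mirrors the exact-equality comparison `$tester eq $value` against each newline-separated denylist entry. Run on a constructed denylist and command stream, it produces the cmdhistory lines the applet would write and also shows the consequence of exact matching: an abbreviated or re-spaced form of a denied command (`sh users`) is not matched, so a denylist needs an entry for every spelling you intend to block, or the applet needs a different comparison.

```python
"""Reference model of the EEM denylist applet's decision logic.

Constructed example, not Cisco code: it reproduces the applet's string
comparison so the policy can be checked without a router. The applet
builds "<username> <command as typed>" and compares it for exact
equality with each denylist line, then logs ACCEPT or REJECT.
"""
from typing import List, Tuple

# Constructed denylist in the format described on the page:
# "<username> <command>", one entry per line.
DENYLIST = """cisco show users
cisco configure terminal
user1 tclsh
"""


def parse_denylist(text: str) -> List[str]:
    """Split the file on newlines, like the applet's foreach over "$_jpres".

    Empty lines (such as the one after a trailing newline) are dropped so
    they can never match anything.
    """
    return [line for line in text.split("\n") if line != ""]


def evaluate(username: str, cli_msg: str, denylist: List[str]) -> Tuple[bool, str]:
    """Return (allowed, cmdhistory_line) as the applet would decide them.

    allowed=False corresponds to `exit 0` (command is not run),
    allowed=True corresponds to `exit 1` (command runs).
    """
    tester = f"{username} {cli_msg}"  # mirrors action 104/105
    for value in denylist:            # mirrors action 106/107
        if tester == value:           # exact match only, like `eq`
            return False, f"REJECT: {username}: {cli_msg}"
    return True, f"ACCEPT: {username}: {cli_msg}"


def run_session(commands: List[Tuple[str, str]], denylist_text: str = DENYLIST) -> List[str]:
    """Feed a command stream through the policy; return the cmdhistory log."""
    denylist = parse_denylist(denylist_text)
    return [evaluate(user, cmd, denylist)[1] for user, cmd in commands]


if __name__ == "__main__":
    # Constructed command stream; note the abbreviated and re-spaced variants.
    session = [
        ("cisco", "show users"),   # exact entry -> REJECT
        ("cisco", "sh users"),     # abbreviation -> ACCEPT (no exact match)
        ("cisco", "show  users"),  # extra space -> ACCEPT (no exact match)
        ("user1", "tclsh"),        # exact entry -> REJECT
        ("user2", "tclsh"),        # different user -> ACCEPT
    ]
    for line in run_session(session):
        print(line)
```

The `__main__` block prints five cmdhistory lines; only the first and fourth are REJECT entries, which is exactly the behaviour a reviewer should expect from the applet's `eq` comparison before deciding whether the denylist is complete enough for the platform's command abbreviations.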

Here is a demo showing how this applet works.

Last update: 06-18-2012 02:29 PM

New Member

Is it possible to show example of denylist file?

Cisco Employee

It's just a list of usernames followed by a space, followed by a command they are not allowed to run.  For example:

user1 configure terminal
user1 tclsh

New Member

Thank you very much, Joe.