Configuring interface policy
1. Run the aaa authorization group command.
2. Specify the group parameter.
3. Specify the match-command parameter for the desired interface policy.
4. Specify the access: permit or deny.
If a command must be preceded by the execution of another command, you must first permit both commands for the command authorization group. You can then configure the rule.
In this example, the network-admin role is denied access to the "policy:interface:A10-A12,A20,L20-L24" interface policy. The sequence parameter (1, 2 and 3 here) gives order to the sequence of commands to be executed.
Configuring interface policy rules
# aaa authorization group "network-admin" 1 match-command "command:^configure$" permit
# aaa authorization group "network-admin" 2 match-command "command:configure interface" permit log
# aaa authorization group "network-admin" 3 match-command "policy:interface:A10-A12,A20,L20-L24" deny log
Since only one interface policy rule can be assigned per role, the rule also implies its complement: if access is permitted for A10 to A12, access to all other interfaces is denied for the same role. Similarly, if access is denied for A10 to A12, access to all other interfaces is permitted for the same role.
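As an added illustration (not from the product documentation), the following Python model applies the rules above to the three example commands: it expands the interface list, walks the "command:" rules in sequence order, applies the one-interface-policy-per-role complement behaviour, and checks the prerequisite chain (configure, then configure interface, then the interface policy). First-match evaluation, the implicit deny for unmatched commands and "no interface policy means no restriction" are assumptions of the model, not documented device behaviour.

```python
import re

# The three rules from the example above (constructed from the page): (sequence, match-command, action).
AUTH_RULES = [
    (1, "command:^configure$", "permit"),
    (2, "command:configure interface", "permit"),
    (3, "policy:interface:A10-A12,A20,L20-L24", "deny"),
]

def parse_interface_spec(spec):
    """Expand an interface list such as 'A10-A12,A20,L20-L24' into a set of names."""
    names = set()
    for item in spec.split(","):
        m = re.fullmatch(r"([A-Za-z]+)(\d+)(?:-\1(\d+))?", item.strip())
        if not m:
            raise ValueError(f"bad interface item: {item!r}")
        prefix, start, end = m.group(1), int(m.group(2)), int(m.group(3) or m.group(2))
        names.update(f"{prefix}{n}" for n in range(start, end + 1))
    return names

def command_allowed(rules, command):
    """Walk 'command:' rules in sequence order; the first regex that matches decides.
    First-match evaluation and the implicit deny are assumptions of this model."""
    for _, match, action in sorted(rules):
        if match.startswith("command:") and re.search(match[len("command:"):], command):
            return action == "permit"
    return False

def interface_allowed(rules, interface):
    """Apply the role's single interface policy: listed interfaces get the rule's
    action, every other interface gets the opposite (the complement rule above).
    Assumption: a role with no interface policy is not restricted."""
    for _, match, action in sorted(rules):
        if match.startswith("policy:interface:"):
            listed = interface in parse_interface_spec(match[len("policy:interface:"):])
            return listed if action == "permit" else not listed
    return True

def can_configure_interface(rules, interface):
    """'configure interface X' needs 'configure' and 'configure interface' permitted
    (the prerequisite chain described above) and the interface policy to allow X."""
    return (command_allowed(rules, "configure")
            and command_allowed(rules, "configure interface")
            and interface_allowed(rules, interface))

if __name__ == "__main__":
    for ifname in ("A11", "A13", "L24", "L25"):
        print(ifname, "allowed" if can_configure_interface(AUTH_RULES, ifname) else "denied")
```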