Configuring groups for local authorization
You must create a group for local authorization before you can assign local users to it. Creating the group also creates its first match-command entry; typically, several commands are assigned to a group.
To use this feature, you must first enable local authorization with the command aaa authorization commands local.
To create a group, enter this command:
Syntax:
aaa authorization group <group-name> <1-2147483647> match-command <command-string> <permit|deny> [log]
no aaa authorization group <group-name> <1-2147483647> match-command <command-string> <permit|deny> [log]
<group-name>
Create a local authorization group with the specified name. The name is case-sensitive and may not contain spaces. Duplicate names are not allowed. You can create a maximum of 16 groups. The name of the group can have a maximum of 16 characters.
<1-2147483647>
The evaluation order for the match commands.
match-command <command-string>
The <command-string> is the CLI command to match. It must be surrounded by double quotes if it contains any spaces, for example, "vlan *".
The
<command-string>
is a POSIX regular expression and follows POSIX matching rules. For example, the “*” character means match the preceding character zero or more times, so ab*c will match “ac”, “abc”, “abbc”, etc. The “.” character means match any character, so “.*” would match anything, while the command string “aaa.*” would match commands that have “aaa” followed by zero or more characters. The “^” character means match to the beginning of the string, so “^aaa.*” would mean the string must start with “aaa” and can have anything after that.
<permit|deny>
Either permit or deny execution of the command.
[log]
Optional. When present, every match on this command generates an event log entry, whether the action is permit or deny.
Typically, multiple commands are assigned to a group. Each command is entered on a separate line. Commands are evaluated in numerical order of the sequence number until a match is found; the permit or deny action of that matching entry is then applied.
Commands are expanded before the comparison is done. For example, sh ver is expanded to show version, and the expanded command is then compared against the command strings of the authorization group (see the examples below).
When a command must be preceded by the execution of another command, both commands need to be permitted in the command authorization group. For example, you must execute the configure command before you can enter the vlan context, so both commands must be permitted.
Configuring authorized commands for a group in the correct order
switch(config)# aaa authorization group Redgroup 100 match-command configure permit
switch(config)# aaa authorization group Redgroup 200 match-command "vlan *" permit
Some commands cause the switch CLI to enter a special context, such as test mode, in which input is not processed by the normal CLI. Keyboard input in such a context is not checked against the command authorization group. If the commands that enter these special contexts are permitted, the user can proceed outside the control and logging of the command authorization group.
Creating a local authorization group and assigning the commands authorized
switch(config)# aaa authorization group Bluegroup 100 match-command configure permit
switch(config)# aaa authorization group Bluegroup 200 match-command telnet permit
switch(config)# aaa authorization group Bluegroup 300 match-command menu permit
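The following is an added Python model of how a local authorization group evaluates commands, written to illustrate the rules described above; it is not switch firmware or any vendor code. It assumes a small, constructed abbreviation table standing in for the switch's own command expansion, uses Python's re.search to approximate POSIX regular-expression search over the expanded command, and assumes (the page does not say) that a command matching no entry is denied. It reproduces the Redgroup and Bluegroup entries from the examples above and adds a deny entry with a lower sequence number to show that evaluation stops at the first match.

```python
import re
from dataclasses import dataclass, field

# Constructed abbreviation table (an assumption for this demo): the real switch
# expands "sh ver" to "show version" itself before comparing against the group.
EXPANSIONS = {"sh": "show", "ver": "version", "conf": "configure", "int": "interface"}


def expand(command: str) -> str:
    """Expand abbreviated words, mirroring the switch's pre-comparison expansion."""
    return " ".join(EXPANSIONS.get(word, word) for word in command.split())


@dataclass(order=True)
class Rule:
    seq: int                                       # <1-2147483647>: evaluation order
    pattern: str = field(compare=False)            # <command-string>, a regular expression
    action: str = field(compare=False)             # "permit" or "deny"
    log: bool = field(compare=False, default=False)  # [log]


@dataclass
class Group:
    name: str
    rules: list = field(default_factory=list)
    events: list = field(default_factory=list)     # stand-in for the switch event log

    def add(self, seq: int, pattern: str, action: str, log: bool = False) -> None:
        """aaa authorization group <name> <seq> match-command <pattern> <permit|deny> [log]"""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        self.rules.append(Rule(seq, pattern, action, log))
        self.rules.sort()                          # rules are evaluated in sequence-number order

    def authorize(self, command: str) -> tuple:
        """Return (action, seq) of the first matching entry.

        No match returns ("deny", None); that default is an assumption of this model.
        """
        full = expand(command)
        for rule in self.rules:
            # Unanchored patterns match anywhere in the expanded command; "^" anchors to the start.
            if re.search(rule.pattern, full):
                if rule.log:
                    self.events.append(f"{self.name}: seq {rule.seq} {rule.action} '{full}'")
                return rule.action, rule.seq
        return "deny", None

    def authorize_sequence(self, commands) -> bool:
        """A command that needs a preceding command (configure before vlan) requires every step permitted."""
        return all(self.authorize(c)[0] == "permit" for c in commands)


def build_demo_groups() -> tuple:
    """Redgroup and Bluegroup as on the page, plus a constructed logged deny in Bluegroup."""
    red = Group("Redgroup")
    red.add(100, "configure", "permit")
    red.add(200, "vlan *", "permit")

    blue = Group("Bluegroup")
    blue.add(50, "^aaa.*", "deny", log=True)      # constructed: blocks all aaa commands, logged
    blue.add(100, "configure", "permit")
    blue.add(200, "telnet", "permit")
    blue.add(300, "menu", "permit")
    blue.add(400, ".*", "permit")                  # constructed catch-all, evaluated last
    return red, blue


if __name__ == "__main__":
    red, blue = build_demo_groups()
    for cmd in ("conf", "vlan 10", "sh ver"):
        print("Redgroup ", cmd, "->", red.authorize(cmd))
    for cmd in ("aaa authorization commands local", "sh ver"):
        print("Bluegroup", cmd, "->", blue.authorize(cmd))
    print(blue.events)
```

Two points the model makes visible: a pattern without "^" matches anywhere in the expanded command, so anchoring patterns is the way to avoid broader matches than intended; and because evaluation stops at the first match, a deny entry must carry a lower sequence number than any catch-all permit for it to take effect.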