Configuring groups for local authorization

You must create a group for local authorization before you can assign local users to it. When creating the group, at least one command is created as part of that group. Typically, multiple commands are assigned to a group.

NOTE:

You must enable local authorization by executing aaa authorization commands local to use this feature.

To create a group, enter this command:

Syntax:


aaa authorization group <group-name> <1-2147483647> match-command <command-string> <permit|deny> [log]
no aaa authorization group <group-name> <1-2147483647> match-command <command-string> <permit|deny> [log]

Create a local authorization group with the specified name. The name is case-sensitive and may not contain spaces. Duplicate names are not allowed. You can create a maximum of 16 groups. The name of the group can have a maximum of 16 characters.


<1-2147483647>

The evaluation order for the match commands.


match-command <command-string>

The <command-string> is the CLI command. It must be surrounded in double quotes of it contains any spaces, for example, “vlan*”.

The <command-string> is a POSIX regular expression and follows POSIX matching rules. For example, the “*” character means match the preceding character zero or more times, so ab*c will match “ac”, “abc”, “abbc”, etc. The “.” character means match any character, so “.*” would match anything, while the command string “aaa.*” would match commands that have “aaa” followed by zero or more characters. The “^” character means match to the beginning of the string, so “^aaa.*” would mean the string must start with “aaa” and can have anything after that.


<permit|deny>

Either permit or deny execution of the command.


[log]

Optional. Indicates the matching of such commands will generate an event log entry for either permitted or denied.

Typically multiple commands are assigned to a group. Each command is entered on a separate line. Commands are evaluated in numerical order of the sequence number until a match is found, then the permit or deny action for that command is executed.

NOTE:

Commands are expanded before the comparison is done, for example, sh ver would be expanded to show version and then this command is compared against the command strings of the authorization group.See: example

When a command must be preceded by the execution of another command, then both commands need to be permitted for the command authorization group. For example, you must execute the configure command before you can enter the vlan context, so both commands must be permitted.

Configuring authorized commands for a group in the correct order

switch(config)# aaa authorization group Redgroup 100
match-command configure permit
switch(config)# aaa authorization group Redgroup 200 
match-command “vlan *” permit

Some commands cause the switch CLI to enter a special context, such as test mode, and the input is not processed by the normal CLI. Keyboard input is not checked against the command authorization group. If these special contexts are permitted, the user can proceed outside the control and logging of the command group configuration.

Creating a local authorization group and assigning the commands authorized

switch(config)# aaa authorization group Bluegroup 100 
match-command configure permit
switch(config)# aaa authorization group Bluegroup 200 
match-command telnet permit
switch(config)# aaa authorization group Bluegroup 300 
match-command menu permit