Chapter 5 Shared Profile Components
Command Authorization Sets
5-30
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
For example, if a user typed the following command during a router-hosted
session:
interface FastEthernet0/1
the router may send the command and arguments to Cisco Secure ACS as follows:
01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd=interface
01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd-arg=FastEthernet
01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd-arg=0
01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd-arg=1
01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd-arg=<cr>
In this example, the router sees multiple arguments where the user typed one
string of characters without spaces after the command. It also omits the slash
character that separated 0 and 1 when the user issued the command.
If the command authorization rule for the interface command explicitly permits
the FastEthernet argument using the spelling “FastEthernet0/1”, Cisco Secure
ACS fails the command authorization request because it does not match what the
router submitted to Cisco Secure ACS. If the command authorization rule instead
permits the argument “FastEthernet 0 1”, Cisco Secure ACS grants the command
authorization request. The case of arguments specified in command authorization
sets must match what the device sends, which may or may not match the case you
use when you type the arguments.
About Pattern Matching
For permit/deny command arguments, Cisco Secure ACS applies pattern
matching. That is, the argument permit wid matches any argument that contains
the string wid. Thus, for example, permit wid would allow not only the argument
wid but also the arguments anywid and widget.
To limit the extent of pattern matching you can add the following expressions:
• dollar sign ($)—Expresses that the argument must end with what has gone
before. Thus permit wid$ would match wid or anywid, but not widget.
• caret (^)—Expresses that the argument must begin with what follows. Thus
permit ^wid would match wid or widget, but not anywid.
You can combine these expressions to specify absolute matching. In the example
given, you would use permit ^wid$ to ensure that only wid was permitted, and
not anywid or widget.
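The following Python script is an added illustration of the two rules described in this chapter and is not Cisco Secure ACS code: it reconstructs the argument string from the AAA/AUTHOR/CMD debug lines shown above and then applies the permit-argument pattern matching (substring, ^ and $ anchors, case-sensitive). It assumes that the cmd-arg values are joined with single spaces, which is how the guide's statement that "FastEthernet 0 1" matches while "FastEthernet0/1" does not is reproduced here.

```python
import re

# Constructed sample: the debug output shown in the guide for "interface FastEthernet0/1".
DEBUG_LINES = """\
01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd=interface
01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd-arg=FastEthernet
01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd-arg=0
01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd-arg=1
01:44:53: tty2 AAA/AUTHOR/CMD(390074395): send AV cmd-arg=<cr>
"""

AV_RE = re.compile(r"send AV (cmd|cmd-arg)=(.*)$")


def parse_authorization_request(debug_text):
    """Return (command, argument string) from router AAA/AUTHOR/CMD debug lines.

    Assumption (not stated by the guide): the cmd-arg values are joined with
    single spaces, so the router's submission becomes "FastEthernet 0 1".
    The trailing <cr> marker is dropped.
    """
    command, args = None, []
    for line in debug_text.splitlines():
        m = AV_RE.search(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "cmd":
            command = value
        elif value != "<cr>":
            args.append(value)
    return command, " ".join(args)


def argument_matches(permit_arg, submitted_args):
    """Apply the guide's pattern-matching rules for a permit/deny argument.

    Plain text is a case-sensitive substring match; a leading ^ anchors to the
    start, a trailing $ anchors to the end, and ^...$ requires an exact match.
    """
    start = permit_arg.startswith("^")
    end = permit_arg.endswith("$")
    core = permit_arg[1 if start else 0:len(permit_arg) - 1 if end else len(permit_arg)]
    # Escape the literal text so characters such as "/" or "." are not regex metacharacters.
    pattern = ("^" if start else "") + re.escape(core) + ("$" if end else "")
    return re.search(pattern, submitted_args) is not None


def command_permitted(rule_command, permit_args, debug_text):
    """True when the submitted command equals rule_command and any permit argument matches."""
    command, args = parse_authorization_request(debug_text)
    return command == rule_command and any(argument_matches(p, args) for p in permit_args)
```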