Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 37 Configuring Management Access
Configuring AAA for System Administrators
Note: Cisco Secure ACS might include a command type called “pix-shell.” Do not use this type for
ASA command authorization.
The first word of the command is considered to be the main command. All additional words are
considered to be arguments, which need to be preceded by permit or deny.
For example, to allow the show running-configuration aaa-server command, add show
running-configuration to the command field, and type permit aaa-server in the arguments field.
You can permit all arguments of a command that you do not explicitly deny by checking the Permit
Unmatched Args check box.
For example, you can configure just the show command, and then all the show commands are
allowed. We recommend using this method so that you do not have to anticipate every variant of a
command, including abbreviations and ?, which shows CLI usage (see Figure 37-1).
Figure 37-1 Permitting All Related Commands
For commands that are a single word, you must permit unmatched arguments, even if there are no
arguments for the command, for example enable or help (see Figure 37-2).
Figure 37-2 Permitting Single Word Commands
To disallow some arguments, enter the arguments preceded by deny.
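The rules above can be checked against sample input with a small model. This is an added example, not Cisco code and not the Cisco Secure ACS matching engine; the class and function names, the exact-word first-match argument comparison, and the two sample command sets are assumptions made for illustration.

```python
# Simplified model (assumption) of the command-set rules described above.
from dataclasses import dataclass, field


@dataclass
class CommandEntry:
    command: str                               # main command: first word typed
    args: list = field(default_factory=list)   # ("permit"|"deny", "argument text")
    permit_unmatched: bool = False             # the Permit Unmatched Args check box


def authorize(command_set, line):
    """Return True if the typed line is allowed by the command set."""
    words = line.split()
    if not words:
        return False
    main, typed_args = words[0], words[1:]
    entry = command_set.get(main)
    if entry is None:
        return False                           # command not listed at all
    for action, pattern in entry.args:
        want = pattern.split()
        # Assumption: an entry matches when the typed arguments begin with
        # exactly its words; the first matching entry decides.
        if typed_args[:len(want)] == want:
            return action == "permit"
    # No argument entry matched (always the case for single-word commands).
    return entry.permit_unmatched


def build(entries):
    return {e.command: e for e in entries}


# Constructed sample command sets.
STRICT = build([
    CommandEntry("show", [("permit", "running-configuration aaa-server")]),
    CommandEntry("enable"),                    # listed, but box left unchecked
])
RECOMMENDED = build([
    CommandEntry("show", [("deny", "tech-support")], permit_unmatched=True),
    CommandEntry("enable", permit_unmatched=True),
    CommandEntry("help", permit_unmatched=True),
])

if __name__ == "__main__":
    for name, cs in (("STRICT", STRICT), ("RECOMMENDED", RECOMMENDED)):
        for line in ("show running-configuration aaa-server", "show run aaa-server",
                     "show ?", "show tech-support", "enable", "configure terminal"):
            print(f"{name:12}{line:40}{'permit' if authorize(cs, line) else 'deny'}")
```

In the STRICT set the abbreviated form and the single-word enable are refused because nothing permits unmatched arguments, which is the situation the recommendation above avoids.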