37-28
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter37 Configuring Management Access
Configuring AAA for System Administrators
For example, to allow enable, but not enable password, enter enable in the commands field, and
deny password in the arguments field. Be sure to check the Permit Unmatched Args check box so
that enable alone is still allowed (see Figure 37-3).
Figure37-3 Disallowing Arguments
When you abbreviate a command at the command line, the ASA expands the prefix and main
command to the full text, but it sends additional arguments to the TACACS+ server as you enter
them.
For example, if you enter sh log, then the ASA sends the entire command to the TACACS+ server,
show logging. However, if you enter sh log mess, then the ASA sends show logging mess to the
TACACS+ server, and not the expanded command show logging message. You can configure
multiple spellings of the same argument to anticipate abbreviations (see Figure 37-4).
Figure37-4 Specifying Abbreviations
We recommend that you allow the following basic commands for all users:
show checksum
show curpriv
enable
help
show history