beautypg.com

Cisco 3.3 User Manual

Page 224

background image

Chapter 6 User Group Management

Configuration-specific User Group Settings

6-34

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Step 6

To assign a particular shell command authorization set to be effective on any
configured network device, follow these steps:

a.

Select the Assign a Shell Command Authorization Set for any network
device
option.

b.

Then, from the list directly below that option, select the shell command
authorization set you want applied to this group.

Step 7

To create associations that assign a particular shell command authorization set to
be effective on a particular NDG, for each association, follow these steps:

a.

Select the Assign a Shell Command Authorization Set on a per Network
Device Group Basis
option.

b.

Select a Device Group and a corresponding Command Set.

Tip

You can select a Command Set that will be effective for all Device
Groups
, that are not otherwise assigned, by assigning that set to the
Device Group.

c.

Click Add Association.

The associated NDG and shell command authorization set appear in the table.

Step 8

To define the specific Cisco IOS commands and arguments to be permitted or
denied at the group level, follow these steps:

a.

Select the Per Group Command Authorization option.

b.

Under Unmatched Cisco IOS commands, select either Permit or Deny.

If you select Permit, users can issue all commands not specifically listed. If
you select Deny, users can issue only those commands listed.

c.

To list particular commands to be permitted or denied, select the Command
check box and then type the name of the command, define its arguments using
standard permit or deny syntax, and select whether unlisted arguments should
be permitted or denied.

Caution

This is a powerful, advanced feature and should be used by an administrator
skilled with Cisco IOS commands. Correct syntax is the responsibility of the
administrator. For information on how Cisco Secure ACS uses pattern matching
in command arguments, see

About Pattern Matching, page 5-30

.