Configuring Command Authorization
• For commands that are a single word, you must permit unmatched arguments, even if there are no arguments for the command, for example enable or help. (See Figure 12-4.)

Figure 12-4 Permitting Single Word Commands

• To disallow some arguments, enter the arguments preceded by deny.
  For example, to allow enable, but not enable password, enter enable in the commands box, and deny password in the arguments box. Be sure to select the Permit Unmatched Args check box so that enable alone is still allowed. (See Figure 12-5.)

Figure 12-5 Disallowing Arguments

• When you abbreviate a command at the command line, the FWSM expands the prefix and main command to the full text, but it sends additional arguments to the TACACS+ server as you enter them.
  For example, if you enter sh log, then the FWSM sends the entire command to the TACACS+ server, show logging. However, if you enter sh log mess, then the FWSM sends show logging mess to the TACACS+ server, and not the expanded command show logging message. You can configure multiple spellings of the same argument to anticipate abbreviations. (See Figure 12-6.)
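
The following added example (not from the Cisco guide or the TACACS+ server software) models the three rules above so that a command set can be checked against the text the FWSM actually sends. CommandRule, authorize and both rule sets are hypothetical names and constructed data, and the matching rule (an argument line matches when the sent arguments begin with the same words) is a simplifying assumption, not the server's documented algorithm.

```python
from dataclasses import dataclass, field

@dataclass
class CommandRule:
    command: str                               # entry in the commands box
    args: list = field(default_factory=list)   # ("permit" | "deny", "argument text")
    permit_unmatched: bool = False             # the Permit Unmatched Args check box

def authorize(rules, sent):
    """Decide on the command text as the FWSM sends it to the server.

    Assumption: argument lines are checked in order, and a line matches
    when the sent arguments start with the same whole words.
    """
    words = sent.split()
    if not words:
        return False
    command, sent_args = words[0], words[1:]
    for rule in rules:
        if rule.command != command:
            continue
        for action, pattern in rule.args:
            pat = pattern.split()
            if sent_args[:len(pat)] == pat:
                return action == "permit"
        # Nothing matched; this is also the path a single-word command takes.
        return rule.permit_unmatched
    return False  # command is not listed in the set

# Constructed rule set mirroring the cases in the text.
RULES = [
    CommandRule("enable", [("deny", "password")], permit_unmatched=True),
    CommandRule("help", permit_unmatched=True),
    CommandRule("show", [("permit", "logging message")]),
]

# Same set with a second spelling for the abbreviated argument.
RULES_WITH_ABBREV = RULES[:2] + [
    CommandRule("show", [("permit", "logging message"),
                         ("permit", "logging mess")]),
]

if __name__ == "__main__":
    for sent in ("enable", "enable password", "help",
                 "show logging message", "show logging mess"):
        print(f"{sent:24} base={authorize(RULES, sent)!s:6}"
              f"with-abbrev={authorize(RULES_WITH_ABBREV, sent)}")
```

The input to authorize is the string after FWSM expansion, so sh log mess is tested as show logging mess.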
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
Chapter 12
Configuring AAA
OL-6392-01