Specifications
4-9
Cisco Global Site Selector Administration Guide
OL-5480-01
Chapter 4 Managing GSS User Accounts Through a TACACS+ Server
Configuring a TACACS+ Server for Use with the GSS
3. Click the Per Group Command Authorization check box.
4. For unlimited GSS command access, under Unmatched Cisco IOS
Commands, click the Permit option. Leave the command field blank.
5. To set access restrictions on specific GSS CLI commands:
a. Check the Command check box.
b. Click the Deny option.
c. Type the command name in the Command text box, along with any
required arguments to the command that you wish to permit or deny.
The specified commands are denied for the group depending on the setting of
the Unmatched Cisco IOS Commands parameters.
6. To configure arguments for a specified CLI command, enter strings in the
Arguments text box as follows:
deny <arg1 … argN>
permit <arg1 … argN>
Arguments are case sensitive and must exactly match the text that the GSS
sends to the Cisco Secure ACS. For each argument of the Cisco IOS
command, specify whether the argument is to be permitted or denied. These
should be entered in the format permit argument or deny argument.
The GSS device may submit arguments in a format different from what a user
types at a GSS CLI prompt. To create effective device CLI command sets,
refer to the Cisco Global Site Selector Command Reference for proper CLI
command syntax.
7. To permit only those arguments listed, under Unlimited Arguments select
Deny. To allow users to issue all arguments not specifically listed, select
Permit.
8. Repeat steps 5 through 7 for each CLI command you wish to restrict.
Configure multiple commands by clicking the Submit button after each
command. A new command configuration section appears for subsequent
commands.
The following are examples of permitting and denying CLI commands:
• To deny all CLI commands except the show users CLI command (see
Figure 4-4):
a. Click the Deny option under Per Group Command Authorization.