Access Security Guide K/KA/KB.15.15

Syntax:
[no] aaa authorization group <group-name> <1-2147483647>
match-command <command-string> <permit|deny> [log]
Create a local authorization group with the specified name. The name is
case-sensitive and may not contain spaces. Duplicate names are not allowed. You
can create a maximum of 16 groups. The name of the group can have a maximum
of 16 characters.
<1-2147483647>
The evaluation order for the match commands.
match-command <command-string>
The <command-string> is the CLI command to match, for example vlan*. It must be
surrounded in double quotes if it contains any spaces.
The <command-string> is a POSIX regular expression and follows POSIX
matching rules. For example, the "*" character means match the preceding
character zero or more times, so "ab*c" will match "ac", "abc", "abbc", etc. The
"." character means match any character, so ".*" would match anything, while
the command string "aaa.*" would match any command that contains aaa anywhere,
followed by zero or more characters, not only commands that begin with it. The
"^" character means match to the beginning of the string, so "^aaa.*" would mean
the string must start with aaa and can have anything after that.
<permit|deny>
Either permit or deny execution of the command.
[log]
Optional. When present, a command that matches this entry generates an event log
entry, whether the command is permitted or denied.
Typically multiple commands are assigned to a group. Each command is entered on a separate
line. Commands are evaluated in numerical order of the sequence number until a match is found,
then the permit or deny action for that command is executed.
NOTE: Commands are expanded before the comparison is done. For example, sh ver is
expanded to show version, and the expanded command is then compared against the
command strings of the authorization group, so match patterns must be written for
the full keywords.
Figure 137 Creating a local authorization group and assigning the commands authorized
When a command must be preceded by the execution of another command, then both commands
need to be permitted for the command authorization group. For example, you must execute the
configure command before you can enter the vlan context, so both commands must be
permitted.
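The evaluation described above, as an added example that is not part of the guide: a small Python model that parses the match-command lines of one group, expands abbreviated commands the way the NOTE describes, and evaluates them in numerical sequence order with the first match deciding. The group name ops-readonly, the rule lines and the command table are constructed for illustration; Python's re.search stands in for the switch's POSIX matcher, and because this page does not state what happens when no entry matches, the model reports that as no match rather than assuming deny.

```python
"""Model of how a local command-authorization group is evaluated on the switch.

Added example, not code from the Access Security Guide. The group name
"ops-readonly", the rule lines and the command table below are constructed
for illustration. Python's re.search stands in for the switch's POSIX regex
matcher; for the patterns used here both behave the same way.
"""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass

# Constructed stand-in for the switch's command tree, just big enough to
# expand the abbreviations used below (the real tree is far larger).
COMMAND_TREE = {
    "show": {"version": {}, "running-config": {}, "vlan": {}},
    "configure": {},
    "vlan": {},
    "aaa": {"authorization": {}, "authentication": {}},
}


def expand(command: str) -> str:
    """Expand abbreviated keywords by unique prefix, e.g. "sh ver" -> "show version".

    Tokens that are not keywords (a VLAN id, an interface name) are kept as typed.
    The switch expands the command like this *before* it is compared against the
    group's match-command patterns, so patterns must be written for full keywords.
    """
    node, out = COMMAND_TREE, []
    for tok in command.split():
        hits = [k for k in node if k.startswith(tok)]
        if len(hits) > 1:
            raise ValueError(f"ambiguous abbreviation {tok!r}: {sorted(hits)}")
        if hits:
            tok, node = hits[0], node[hits[0]]
        else:
            node = {}  # free-form argument; stop keyword expansion
        out.append(tok)
    return " ".join(out)


@dataclass(frozen=True)
class Rule:
    seq: int       # evaluation order, 1-2147483647
    pattern: str   # POSIX regular expression over the expanded command
    action: str    # "permit" or "deny"
    log: bool      # generate an event-log entry on match


def parse_group(config: str, group: str) -> list[Rule]:
    """Collect the match-command lines of one group, sorted by sequence number.

    Lines are split as the CLI would see them: the <command-string> is
    double-quoted when it contains spaces (shlex applies the same quoting rule).
    """
    if " " in group or len(group) > 16:
        raise ValueError("group name: max 16 characters, no spaces")
    rules = []
    for line in config.splitlines():
        toks = shlex.split(line)
        if toks[:3] != ["aaa", "authorization", "group"] or len(toks) < 8:
            continue
        if toks[3] != group or toks[5] != "match-command" or toks[7] not in ("permit", "deny"):
            continue
        seq = int(toks[4])
        if not 1 <= seq <= 2147483647:
            raise ValueError(f"sequence number out of range: {seq}")
        rules.append(Rule(seq, toks[6], toks[7], toks[8:9] == ["log"]))
    return sorted(rules, key=lambda r: r.seq)  # numerical order, not entry order


def authorize(rules: list[Rule], typed: str) -> tuple[str | None, int | None, bool]:
    """Return (action, seq, log) of the first rule matching the expanded command.

    Evaluation stops at the first match. If nothing matches, (None, None, False)
    is returned: the guide page does not state the implicit default, so this
    model reports "no match" rather than guessing.
    """
    full = expand(typed)
    for rule in rules:
        if re.search(rule.pattern, full):  # unanchored unless the pattern uses ^
            return rule.action, rule.seq, rule.log
    return None, None, False


# Constructed configuration. Note the deliberately out-of-order entry (seq 5
# entered last) and the unanchored pattern "aaa" at seq 30.
GROUP_CONFIG = """
aaa authorization group ops-readonly 10 match-command "^configure" permit
aaa authorization group ops-readonly 20 match-command "^vlan .*" permit log
aaa authorization group ops-readonly 30 match-command "aaa" deny log
aaa authorization group ops-readonly 40 match-command "^show .*" permit
aaa authorization group ops-readonly 5 match-command "^show running-config" deny log
"""
RULES = parse_group(GROUP_CONFIG, "ops-readonly")

if __name__ == "__main__":
    for cmd in ("sh ver", "sh run", "conf", "vlan 10", "show aaa authorization", "write memory"):
        print(f"{cmd!r:26} -> {expand(cmd)!r:26} {authorize(RULES, cmd)}")
```

Running the block shows the three points the page makes: sh run is expanded to show running-config and denied by sequence 5 even though it was entered last and sequence 40 permits show; conf and vlan 10 are each permitted separately, which is what entering the vlan context requires; and the unanchored "aaa" at sequence 30 denies show aaa authorization as well as aaa authentication, where "^aaa.*" would have matched only the latter.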