Users Guide

312 Authentication, Authorization, and Accounting
The above example attribute will give the user access to the commands
permitted by the router-admin profile.
TACACS+ Authorization Example—Custom Administrative Profile
This example creates a custom profile that allows the user to control user
access to the switch by configuring an administrative profile that only allows
access to AAA-related commands. Use the following commands to create the
administrative profile:
1 Create an administrative profile called "aaa" and place the user in
admin-profile-config mode.
console#config
console(config)#admin-profile aaa
2 Enter rule number permit command regex commands to allow any
command that matches the regular expression.
The command rules use regular expressions as implemented by Henry
Spencer's regex library (the POSIX 1003.2 compliant version). In the
regular expressions used in this example, the caret (^) matches the null
string at the beginning of a line, the period (.) matches any single
character, and the asterisk (*) repeats the previous match zero or more
times.
console(admin-profile)#rule 99 permit command "^show aaa .*"
console(admin-profile)#rule 98 permit command "^show authentication .*"
console(admin-profile)#rule 97 permit command "^show authorization .*"
console(admin-profile)#rule 96 permit command "^show accounting .*"
console(admin-profile)#rule 95 permit command "^show tacacs .*"
console(admin-profile)#rule 94 permit command "^aaa .*"
console(admin-profile)#rule 93 permit command "^line .*"
console(admin-profile)#rule 92 permit command "^login .*"
console(admin-profile)#rule 91 permit command "^authorization .*"
console(admin-profile)#rule 90 permit command "^accounting .*"
console(admin-profile)#rule 89 permit command "^configure .*"
NOTE: If the priv-lvl attribute is also supplied, the user can also be placed directly
into Privileged Exec mode.
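The permit rules from step 2 can be checked offline against candidate command strings before the profile is applied. The following is an added example, not part of this guide: it uses Python's re module as a stand-in for the switch's regex library (the two agree for the ^, . and * operators used here), and the sample commands are constructed test strings rather than verified CLI syntax.

```python
import re

# Permit rules copied from step 2 of the "aaa" profile on this page.
PROFILE = '''
rule 99 permit command "^show aaa .*"
rule 98 permit command "^show authentication .*"
rule 97 permit command "^show authorization .*"
rule 96 permit command "^show accounting .*"
rule 95 permit command "^show tacacs .*"
rule 94 permit command "^aaa .*"
rule 93 permit command "^line .*"
rule 92 permit command "^login .*"
rule 91 permit command "^authorization .*"
rule 90 permit command "^accounting .*"
rule 89 permit command "^configure .*"
'''

RULE_LINE = re.compile(r'^rule\s+(\d+)\s+permit\s+command\s+"(.*)"\s*$')

def parse_rules(text):
    """Return [(rule_number, compiled_regex)] for every permit rule line."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = RULE_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognized rule line: {line!r}")
        rules.append((int(m.group(1)), re.compile(m.group(2))))
    return rules

def matching_rules(rules, command):
    """Rule numbers whose regex matches; search() is used because each pattern carries its own ^ anchor."""
    return [n for n, rx in rules if rx.search(command)]

def audit(rules, commands):
    """Map each command to the rules that permit it; an empty list means no permit rule matches."""
    return {c: matching_rules(rules, c) for c in commands}

# Constructed sample strings (assumption: chosen only to exercise the patterns).
SAMPLES = ["show aaa ias-users", "show aaa", "show running-config",
           "aaa authentication login default tacacs", "line telnet",
           "linecard 1", "configure terminal", "configure", "reload"]

if __name__ == "__main__":
    for cmd, hits in audit(parse_rules(PROFILE), SAMPLES).items():
        print(f"{cmd!r:45} -> {'permit by rule ' + str(hits) if hits else 'no match'}")
```

Every pattern requires a space after the keyword, so "linecard 1" is not caught by the "^line .*" rule, and a bare "configure" or "show aaa" with no argument matches no rule as a plain string; this guide page does not state how the switch normalizes the command string before matching.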