topic Hi, in Network Access Control

Are wildcards required in Command Sets for ACS?

glenhusack — Mon, 11 Mar 2019 07:41:39 GMT

Are wildcards required in Command Sets for ACS?

When creating a 'Permit' <Command> with no argument, does that mean everything is allowed for that command or is a wildcard (*) required?

Similarly, with a 'Permit' <Command> <Argument>, is a wildcard required after the argument if you want everything allowed?

Thank you

Hi, Glen.

eudesrego — Wed, 17 May 2017 15:56:25 GMT

Hi, Glen.

When creating a "Permit" <command> without argument, this means that every argument will be allowed for this command.

When creating a "Permit" <command> <arguments>, this means that you will allow this command line. But if you want to block the command and only allow the command with argument, you will have to configure a "Deny" rule <command>.

Example:

Permit | show | running-config ---> Allows the command with argument.
Deny | show -> Deny the command without argument.

Hi,

CSCO12190770 — Thu, 18 May 2017 10:18:09 GMT

Hi,

can you pls help me to resolve this,

Trying to permit interface range in command set for allowing particular port to be accessed other should be blocked. I Tried

FastEthernet 0/([1-9]|1[0-9]|2[0-9]|3[0-9]|4[0-7])$

It's not working. Tried to allow show running-config interface 0/1 to 0/47. Interface 0/48 should be blocked. how to write command sets for this.

I tried...

Grant Command Arguments

Permit interface fa* [0]/[0-22]

Command authorization failed trying to get to any interface

Grant Command Arguments

Permit interface fa* 0/*

Allows access to any interface

Grant Command Arguments

Permit interface fa* 0/[0-22]

Permit interface fa* 0/0-22

Command authorization failed trying to get to any interface

So if you can point me in the right direction on the wildcards in the arguments statement, if you can provide an example of how you would only allow access to to fa 0/1 - 46 and fa 0/47-48 should be blocked for example...