05-03-2017 08:19 AM - edited 03-11-2019 12:41 AM
Are wildcards required in Command Sets for ACS?
When creating a 'Permit' <Command> with no argument, does that mean everything is allowed for that command or is a wildcard (*) required?
Similarly, with a 'Permit' <Command> <Argument>, is a wildcard required after the argument if you want everything allowed?
Thank you
05-17-2017 08:56 AM
Hi, Glen.
When creating a "Permit" <command> without argument, this means that every argument will be allowed for this command.
When creating a "Permit" <command> <arguments>, this means that you will allow this command line. But if you want to block the command and only allow the command with argument, you will have to configure a "Deny" rule <command>.
Example:
Permit | show | running-config ---> Allows the command with argument.
Deny | show ---> Denies the command without argument.
05-18-2017 03:18 AM
Hi,
Can you please help me resolve this?
I'm trying to permit an interface range in a command set so that particular ports can be accessed and the others are blocked. I tried:
FastEthernet 0/([1-9]|1[0-9]|2[0-9]|3[0-9]|4[0-7])$
It's not working. I tried to allow show running-config interface 0/1 to 0/47. Interface 0/48 should be blocked. How do I write command sets for this?
I tried...
Grant | Command | Arguments
Permit | interface | fa* [0]/[0-22]
Command authorization failed trying to get to any interface
Grant | Command | Arguments
Permit | interface | fa* 0/*
Allows access to any interface
Grant | Command | Arguments
Permit | interface | fa* 0/[0-22]
Permit | interface | fa* 0/0-22
Command authorization failed trying to get to any interface
So if you can point me in the right direction on the wildcards in the arguments statement, if you can provide an example of how you would only allow access to fa 0/1 - 46 and fa 0/47-48 should be blocked for example...