Case sensitivity and command authorization, Arguments and command authorization – Cisco 3.3 User Manual


5-29

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 5 Shared Profile Components

Command Authorization Sets

Device Management Command Authorization Sets—See either of the
following:

Configuring Device-Management Command Authorization for a User
Group, page 6-37

Configuring Device-Management Command Authorization for a User,
page 7-30

Case Sensitivity and Command Authorization

When performing command authorization, Cisco Secure ACS evaluates
commands and arguments in a case-sensitive manner. For successful command
authorization, you must configure command authorization sets with case-sensitive
commands and arguments.

As an additional complication, a device requesting command authorization may
send commands and arguments using a case different from the one you typed to
issue the command.

For example, if you type the following command during a router-hosted session:

interface FASTETHERNET 0/1

the router may submit the command and arguments to Cisco Secure ACS as:

interface FastEthernet 0 1

If, for the interface command, the command authorization set explicitly permits
the FastEthernet argument using the spelling “fastethernet”, Cisco Secure ACS
fails the command authorization request. If the command authorization rule
instead permits the argument “FastEthernet”, Cisco Secure ACS grants the
command authorization request. The case used in command authorization sets
must match what the device sends, which may or may not match the case you use
when you type the command.
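
The following is an added example, not part of the Cisco manual or of Cisco Secure ACS. It models a command authorization set as permitted argument prefixes compared exactly, and reports denied requests that match a rule when case is ignored. The rule model, the function names and the sample data are assumptions made for illustration.

```python
# Constructed sample data; the rule model is a simplification, not ACS internals.
RULES = {
    "interface": [["fastethernet"], ["Loopback"]],  # permitted argument prefixes
    "show": [["running-config"]],
}

# (command, arguments) as the device submitted them (constructed sample).
SENT = [
    ("interface", ["FastEthernet", "0", "1"]),
    ("interface", ["Loopback", "0"]),
    ("show", ["running-config"]),
]


def _prefix_match(rule, args, fold=False):
    """True if args begin with the rule's tokens; fold=True ignores case."""
    norm = (lambda s: s.lower()) if fold else (lambda s: s)
    return len(rule) <= len(args) and all(
        norm(r) == norm(a) for r, a in zip(rule, args)
    )


def authorize(rules, command, args):
    """Case-sensitive decision: command and a permitted prefix must match exactly."""
    return any(_prefix_match(r, args) for r in rules.get(command, []))


def case_mismatches(rules, sent):
    """List denied requests that a rule would permit if case were ignored."""
    findings = []
    for command, args in sent:
        if authorize(rules, command, args):
            continue
        for cmd_rule, arg_rules in rules.items():
            if cmd_rule.lower() != command.lower():
                continue
            for rule in arg_rules:
                if _prefix_match(rule, args, fold=True):
                    findings.append(
                        (command, " ".join(args), cmd_rule, " ".join(rule))
                    )
    return findings


if __name__ == "__main__":
    for command, args, cmd_rule, rule in case_mismatches(RULES, SENT):
        print(f"denied: {command} {args}; rule '{cmd_rule} {rule}' differs only in case")
```

Each finding names a rule whose spelling should be changed to the case the device actually sends.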

Arguments and Command Authorization

When you explicitly permit or deny arguments rather than rely on Cisco Secure
ACS to permit unmatched arguments, you must make certain that you know how
devices send arguments to Cisco Secure ACS. A device requesting command
authorization may send different arguments than the user typed to issue the
command.
