03-12-2014 08:38 AM
What I currently have doesn't work. You can see in the picture I tried to deny access to interfaces gigabitethernet 1/0/21 through 25. I've tried ?, * and 1/0/[21-25]. I'm hoping not to have to enter every interface to allow or disallow access to, including VLAN interfaces.
Pic to show where I'm at.
03-12-2014 09:37 AM
Just tried it and it doesn't work. Adding just gigabitethernet 1/0/21 works. As soon as wildcards are in place it fails.
03-12-2014 11:32 AM
03-12-2014 11:52 AM
Agreed. I've had a TAC case open since yesterday and had my SE onsite and still haven't had this one question answered.
04-08-2014 01:51 PM - edited 04-08-2014 02:03 PM
OK, with a little help from some Aruba friends I was able to get this working.
Cisco switch side must have:
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
Keep in mind that, depending on the command you want to restrict, you may need all commands 1-15 in your Cisco config.
In your enforcement profile:
selected service = shell
privilege level = 15
In your commands tab:
service type = shell
Check enable to permit unmatched commands.
command = show
argument = version
Leave the rest default, click save, and test.
*edit* Forgot to mention the wildcards.
The wildcard is .* (period star)
So GigabitEthernet 1/0/.* covers all ports on switch 1.
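The pattern behaviour behind the `.*` answer above, and why the attempts in the opening post (`?`, `*`, `1/0/[21-25]`) fail, as an added Python example. This is not ClearPass code and was not posted in this thread; it assumes, as the working `.*` suggests, that the argument field is treated as a regular expression that must match the whole argument. In regex terms `?` and `*` are quantifiers rather than glob wildcards, and `[21-25]` is a character class matching one character from {1, 2, 5}. The command list, the rule format and the handling of "permit unmatched commands" are constructed for illustration; the `2[1-5]` pattern for ports 21 through 25 goes beyond what the thread shows and follows from ordinary regex semantics.

```python
import re

# Constructed sample: (command, argument) pairs the way a TACACS+ command
# authorization request would present them. Interface naming follows the
# thread ("GigabitEthernet 1/0/21"); nothing here is captured from a switch.
SAMPLE_COMMANDS = [
    ("show", "version"),
    ("interface", "GigabitEthernet 1/0/2"),
    ("interface", "GigabitEthernet 1/0/21"),
    ("interface", "GigabitEthernet 1/0/25"),
    ("interface", "GigabitEthernet 1/0/26"),
    ("interface", "GigabitEthernet 2/0/21"),
    ("interface", "Vlan 100"),
]


def argument_matches(pattern, argument):
    """Anchored match of a rule's argument pattern against the typed argument.

    Assumption (not confirmed by the thread): the server evaluates the
    argument field as a regular expression over the whole argument, which is
    what makes '.*' behave as the wildcard.
    """
    return re.fullmatch(pattern, argument) is not None


def authorize(rules, permit_unmatched, command, argument):
    """Evaluate one command against an ordered rule list.

    rules: list of (command, argument_pattern, action), action being
           'permit' or 'deny'. First matching rule wins; a command matching
           no rule gets the 'permit unmatched commands' default.
    """
    for rule_cmd, rule_arg, action in rules:
        if rule_cmd == command and argument_matches(rule_arg, argument):
            return action
    return "permit" if permit_unmatched else "deny"


def evaluate(rules, permit_unmatched, commands=SAMPLE_COMMANDS):
    """Return {"command argument": decision} for every sample command."""
    return {f"{c} {a}": authorize(rules, permit_unmatched, c, a)
            for c, a in commands}


# Two patterns from the thread plus the port range the original poster
# wanted (21-25), written as a regex.
PATTERNS = {
    "char-class, as tried": r"GigabitEthernet 1/0/[21-25]",  # one char from {1,2,5}: only 1/0/2
    "switch-1 wildcard": r"GigabitEthernet 1/0/.*",          # every port on switch 1
    "ports 21-25": r"GigabitEthernet 1/0/2[1-5]",              # exactly 1/0/21 .. 1/0/25
}

if __name__ == "__main__":
    for label, pat in PATTERNS.items():
        rules = [("interface", pat, "deny")]
        print(f"--- deny interface {pat} ({label}) ---")
        for cmd, decision in evaluate(rules, permit_unmatched=True).items():
            print(f"{decision:6} {cmd}")
```

Running it shows the character-class attempt denying only `1/0/2`, the `.*` rule denying every `1/0/` port (and nothing on switch 2 or the VLAN interfaces), and `2[1-5]` denying exactly 21 through 25. One point worth keeping in mind about the switch-side lines quoted above: `none` as the second method in `aaa authorization commands ... group tacacs+ none` means that if no TACACS+ server responds, the command is authorized without a server decision, so the restriction only holds while the switch can reach ClearPass.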