You need to specify the cmd-arg multiple times, one for each space separated argument:
authorizedgroup <readonly group> deny service=shell cmd=changeto cmd-arg=context cmd-arg=system authorizedgroup <readonly group> permit service=shell cmd=changeto cmd-arg=context cmd-arg=<other context name> authorizedgroup <readonly group> deny .* BR Alex On 2015-01-05 15:25, Heikki Vatiainen wrote: > On 5.1.2015 15.34, Steve Normoyle wrote: > >> I have a Cisco ASA with multiple context. I am trying to deny the use >> of the command "changeto context system", but allow authorized group to >> be able to change to any of the other context. When user types in the >> command they get denied. > Hello Steve, > > does it work if you reorder the first two lines? That is, deny the more > specific first and allow the less specific then. > > If this does not help, please reply with more debug logs that shows the > authorization request from ASA with the processing Radiator does. > >> I have entered >> "authorizedgroup <readonly group> permit service=shell cmd=changeto >> cmd-arg="context <other context name>" >> "authorizedgroup <readonly group> deny service=shell cmd=changeto >> cmd-arg="context system" >> "authorizedgroup <readonly group> deny .*" > Just to make sure: the configuration parameter is AuthorizeGroup (no d > and with capital A and G). There should especially be no d. > > Thanks, > Heikki > *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"* T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien Handelsgericht Wien, FN 79340b *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"* Notice: This e-mail contains information that is confidential and may be privileged. If you are not the intended recipient, please notify the sender and then delete this e-mail immediately. *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"* _______________________________________________ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator