RADIUS Authentication, Authorization, and Accounting
Creating Local Privilege Levels
Configuring Groups for Local Authorization
You must create a group for local authorization before you can assign local 
users to it. When you create the group, at least one command is created as 
part of that group. Typically, multiple commands are assigned to a group. Each 
command is entered on a separate line. Commands are evaluated in numerical 
order of the sequence number until a match is found, then the permit or deny 
action for that command is executed. To create a group, enter this command.
Syntax: [no] aaa authorization group <group-name> <1-2147483647> match-command <command-string> <permit | deny> [log]
Create a local authorization group with the specified name. 
The name is case-sensitive and may not contain spaces. 
Duplicate names are not allowed.
You can create a maximum of 16 groups. The name of the 
group can have a maximum of 16 characters. 
<1-2147483647>: The evaluation order for the match 
commands.
match-command <command-string>: The command string is the 
CLI command. It must be enclosed in double quotes if it 
contains any spaces, for example, “vlan *”. 
The <command-string> is a POSIX regular expression and 
follows POSIX matching rules. For example, the “*” character 
means match the preceding character zero or more times, so 
ab*c will match “ac”, “abc”, “abbc”, etc. The “.” character 
means match any character, so “.*” would match anything, 
while the command string “aaa.*” would match commands 
that have “aaa” followed by zero or more characters. The “^” 
character anchors the match to the beginning of the string, so 
“^aaa.*” would mean the string must start with “aaa” and 
can have anything after that.
<permit | deny>: Either permit or deny execution of the 
command.
[log]: Optional. Indicates that a match on this command generates an 
event log entry, whether the command is permitted or denied.
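
The following sketch is an added example, not part of the original manual or the switch software: it models first-match evaluation in sequence order for one group and reports rules that never decide a command. The rules and group name are constructed, and it assumes each <command-string> is applied as an unanchored search (as the “^” description implies) and that Python's re module agrees with POSIX for these simple patterns.

```python
import re
import shlex

# Constructed sample rules in the syntax shown above (not taken from the manual).
CONFIG = r'''
aaa authorization group netops 10 match-command "^show .*" permit
aaa authorization group netops 20 match-command "vlan *" permit log
aaa authorization group netops 30 match-command "^no vlan .*" deny log
aaa authorization group netops 40 match-command "^aaa.*" deny log
'''

def parse_rules(text):
    """Return {group: [(seq, compiled_regex, action, log), ...]} sorted by seq."""
    groups = {}
    for line in text.strip().splitlines():
        tok = shlex.split(line)  # honours the double quotes around the pattern
        if len(tok) < 8 or tok[:3] != ["aaa", "authorization", "group"] or tok[5] != "match-command":
            raise ValueError(f"unrecognised line: {line!r}")
        name, seq, pattern, action = tok[3], int(tok[4]), tok[6], tok[7]
        if action not in ("permit", "deny") or not 1 <= seq <= 2147483647:
            raise ValueError(f"bad action or sequence number: {line!r}")
        log = len(tok) > 8 and tok[8] == "log"
        groups.setdefault(name, []).append((seq, re.compile(pattern), action, log))
    for rules in groups.values():
        rules.sort(key=lambda r: r[0])  # evaluation follows the sequence number
    return groups

def evaluate(rules, command):
    """First match in sequence order wins; None means no rule matched
    (the page does not state what the switch does in that case)."""
    for seq, regex, action, log in rules:
        if regex.search(command):  # assumption: unanchored search
            return seq, action, log
    return None

def shadowed(rules, probes):
    """Sequence numbers that never decide any of the probe commands."""
    hit = set()
    for p in probes:
        result = evaluate(rules, p)
        if result:
            hit.add(result[0])
    return [seq for seq, *_ in rules if seq not in hit]
```

With these rules, “no vlan 20” is permitted at sequence 20 because “vlan *” is not anchored with “^”, so the deny at sequence 30 is never reached. Anchoring the permit as “^vlan .*” or giving the deny a lower sequence number restores the intended result.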