Exception for AAA

Hi, I am using RADIUS for AAA authentication. Authentication is configured for device access. I want to know if I will be able to put in an exception, i.e. I want one user to be authenticated locally (local username and password) on a firewall (ASA 5500), while others are authenticated by AAA. If it is possible, how do I do it?

Collin Clark
VIP Alumni

AFAIK no. Why would you want to do that anyway? That's a security hole.

Ok. I have Cisco Security Manager, Cisco MARS, LMS and VMS in my network. Now, the requirement is something like this:

Everyone (including CSM) accessing devices like firewalls, routers, switches, IPS Sensors should be authenticated by the ACS.

But when I went through the CSM documentation I understood that the best way for CSM to log on to the firewall is by a local user.

Hence I am looking for a mechanism for the CSM only to bypass the AAA authentication while the network administrators are authenticated by the AAA.

Regards,

Rishikesh Khedkar

What we did was create a local user account in ACS. That way the user account is still AAA'd and you can set the password to no expiry, limit the access, etc.

HTH

Thanks,

Regards,

Rishikesh Khedkar
