I'm runnig ASA with TACACS console authentication in order to have authentication/authorization on console access (telnet/SSH) via AAA but I need to exclude a particular SSH host from the authentication process. It seems that the include/exclude or match commands applies only to the traffic going trought the ASA but not to the traffic going "to" the ASA, as console access traffic should be. I've done some testing, playing around include/exclude without success, of course
Can someone give a clue about?
I believe you are correct. There is no way to just exclude one IP from being exempted from AAA authentication when managing the device via ssh while allowing the rest to authenticate via TACACS.