aaa authorization bypass

Unanswered Question
Oct 23rd, 2006

Is there a command that will bypass the aaa authorization from a particular host? I would like to use something like the aaa mac-exempt command, but have it only exempt on the authorization part. Background: I have a firewall management station that pushes out policies (configs) with over 2000 commands, and if I was to do this to, say, 500 firewalls... I could have 1000s of authorization statements to authorize. I would like to do the proper aaa authentication against this mgmt server, but have the NAS ignore the authorization part.

pvanvuuren Wed, 10/25/2006 - 00:43

Hi Matt

This is an interesting scenario. I can imagine that other config management servers would need this, such as Ciscoworks LMS, QPM and ISC. I believe this would be a specific config in the aaa section - can you attach your aaa config and send it, so I can investigate? I would like to test it in a lab. Also, are we using ACS 4.0?

matt.walls Wed, 10/25/2006 - 05:19

I would agree, it would be nice to have an aaa statement to ignore aaa authorization from a specific MAC/IP or something like that, but not to ignore the aaa authentication. I have some firewall configurations with over 3000 lines, so when I do a firewall config change my policy server has to re-write all those lines of code... and that means 3000 aaa authorization requests/responses. Here are the configs... We use the Unix version of tacacs+. Thank you for any assistance.

============================================

(PIX 7.x configuration)

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host x.x.x.x
key xxxxx
server-port xxxx
aaa authentication ssh console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL

========================================

(TACACS+ configuration)

group = FULLPRIV {
    default service = permit
    service = shell {
    }
    cmd = enable {
        permit .*
    }
    enable = ldap
}
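Rather than exempting the management station's address from authorization on the NAS, one way to keep the authorization step (and its audit trail) while answering every command request from the policy server with a single rule is to give that server its own TACACS+ account and group on the server side. The fragment below is an added example in Shrubbery tac_plus syntax, not part of Matt's posted configuration: the group name MGMTSTATION, the user name fwmgmt, the key, the password and the accounting file path are all assumed placeholders.

```text
# Added example (tac_plus syntax), not from the original post.
# REPLACE-ME values are placeholders to be set per site.

key = "REPLACE-ME"

# Accounting stays on, so every command the policy push issues is still
# recorded even though the authorization answer is always "permit".
accounting file = /var/log/tac_plus.acct

# Dedicated group for the firewall policy server (assumed name).
# "default cmd = permit" inside the shell service answers each
# command-authorization request without a per-command rule, so the
# NAS keeps sending requests and the server keeps deciding them.
group = MGMTSTATION {
    default service = permit
    service = shell {
        default cmd = permit
    }
}

# Account used only by the management station (assumed name).
# Interactive administrators keep using the existing FULLPRIV group.
user = fwmgmt {
    login = cleartext "REPLACE-ME"
    member = MGMTSTATION
}
```

The PIX side needs no change: "aaa authorization command TACACS+ LOCAL" still sends every command for authorization, and the server answers from the MGMTSTATION rule. The trade-off compared with a NAS-side exemption is that the request volume Matt describes is unchanged; what is gained is that the decision, and the accounting record, stay on the TACACS+ server and are tied to a named account rather than to a source address.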

darpotter Fri, 10/27/2006 - 01:18

Hi

I can see why you might want to do this, but you'd effectively be building in your own security vulnerability.

Often, security is mutually exclusive with ease of use & performance :(

As it happens I can't think of a way to implement this in ACS Windows/appliance. Would probably need something configured on the device to make it not try to authorise commands from a specific address.

Darran

elliott.fougman Thu, 11/02/2006 - 03:20

I believe this is possible if the device in question is a Cisco PIX as you can use the command

aaa authorization include

I'm not aware of this being available on a Cisco IOS Router.

Posted October 23, 2006 at 10:39 AM