aaa authorization bypass

Unanswered Question
Oct 23rd, 2006

Is there a command that will bypass the AAA authorization from a particular host? I would like to use something like the aaa mac-exempt command, but have it only exempt the authorization part. Background: I have a firewall management station that pushes out policies (configs) with over 2000 commands, and if I were to do this to, say, 500 firewalls, I could have thousands of authorization statements to authorize. I would like to do the proper AAA authentication against this management server, but have the NAS ignore the authorization part.

pvanvuuren Wed, 10/25/2006 - 00:43

Hi Matt

This is an interesting scenario. I can imagine that other config management servers would need this, such as CiscoWorks LMS, QPM and ISC. I believe this would be a specific config in the aaa section. Can you attach your aaa config and send it, so I can investigate? I would like to test it in a lab. Also, are we using ACS 4.0?

matt.walls Wed, 10/25/2006 - 05:19

I would agree, it would be nice to have an aaa statement to ignore aaa authorization from a specific MAC/IP or something like that, but not to ignore the aaa authentication. I have some firewall configurations with over 3000 lines, so when I do a firewall config change my policy server has to re-write all those lines of code, and that means 3000 aaa authorization requests/responses. Here are the configs. We use the Unix version of TACACS+. Thank you for any assistance.


(PIX 7.x configuration)

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host x.x.x.x
 key xxxxx
 server-port xxxx
aaa authentication ssh console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL


(TACACS+ configuration)

group = FULLPRIV {
    default service = permit
    service = shell {
        cmd = enable {
            permit .*
        }
    }
    enable = ldap
}
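What the PIX side cannot do is skip the `aaa authorization command` step for one source address: once that line is present, every command on every administrative session is sent to the TACACS+ server. What can be done is to make the server answer those requests without needing a rule per command. The stanzas below are an added example, not part of the thread and not the poster's configuration. They assume the management station logs in with a dedicated account (here called `fwmgmt`, with a group `MGMTSTATION`, both names chosen for this example), that the server is Shrubbery tac_plus and honours `default cmd = permit` inside a shell service, and that the `ldap` password method seen in the posted FULLPRIV group is also usable for `login`. The 3000 authorization exchanges still take place, but each one matches the single default rule, while interactive administrators in FULLPRIV keep their explicit per-command rules.

```conf
# Added example (not the poster's config): extra stanzas appended to the
# tac_plus configuration posted above. Assumed names: group MGMTSTATION
# and user fwmgmt. Assumed syntax: "default cmd" is honoured inside a
# shell service stanza (Shrubbery tac_plus).

# Group for the policy/firewall management station only. The PIX still
# sends one authorization request per pushed line, because command
# authorization cannot be switched off per source host on the PIX;
# every request simply matches the single default rule below.
group = MGMTSTATION {
    default service = permit
    service = shell {
        default cmd = permit      # any command from this account is permitted
    }
    login  = ldap                 # assumed: same password method as the posted group
    enable = ldap                 # needed for "aaa authentication enable console"
}

# Dedicated account for the management station. Keep it out of FULLPRIV
# and out of the groups people log in with, so the blanket permit never
# applies to an interactive session.
user = fwmgmt {
    member = MGMTSTATION
}

# Interactive administrators stay in the posted FULLPRIV group, unchanged:
# their commands are still matched against explicit cmd rules.
```

Because `fwmgmt` is a standing all-commands credential, it should be tied to the station that uses it: restrict SSH access on the PIX management interface to that station's address, and do not reuse the account anywhere else. That limits the damage if the station or its credential is compromised, which is the vulnerability darpotter warns about in the next reply.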

darpotter Fri, 10/27/2006 - 01:18


I can see why you might want to do this, but you'd effectively be building in your own security vulnerability.

Often, security is mutually exclusive with ease of use & performance :(

As it happens, I can't think of a way to implement this in ACS Windows/appliance. You would probably need something configured on the device to make it not try to authorise commands from a specific address.


elliott.fougman Thu, 11/02/2006 - 03:20

I believe this is possible if the device in question is a Cisco PIX, as you can use the command

aaa authorization include

I'm not aware of this being available on a Cisco IOS router.

