10-23-2006 10:39 AM - edited 03-10-2019 02:48 PM
Is there a command that will bypass the aaa authorization from a particular host? I would like to use something like the aaa mac-exempt command, but have it only exempt the authorization part. Background: I have a firewall management station that pushes out policies (configs) with over 2000 commands, and if I were to do this to, say, 500 firewalls, I could have thousands of authorization statements to authorize. I would like to do the proper aaa authentication against this management server, but have the NAS ignore the authorization part.
10-25-2006 12:43 AM
Hi Matt
This is an interesting scenario. I can imagine that other config management servers would need this as well, such as CiscoWorks LMS, QPM and ISC. I believe this would be a specific config in the aaa section. Can you attach your aaa config and send it, so I can investigate? I would like to test it in a lab. Also, are we using ACS 4.0?
10-25-2006 05:19 AM
I would agree, it would be nice to have an aaa statement to ignore aaa authorization from a specific MAC/IP or something like that, but not to ignore the aaa authentication. I have some firewall configurations with over 3000 lines, so when I do a firewall config change my policy server has to re-write all those lines of config, and that means 3000 aaa authorization requests/responses. Here are the configs. We use the Unix version of TACACS+. Thank you for any assistance.
============================================
(PIX 7.x configuration)
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host x.x.x.x
  key xxxxx
  server-port xxxx
aaa authentication ssh console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
========================================
(TACACS+ configuration)
group = FULLPRIV {
    default service = permit
    service = shell {
    }
    cmd = enable {
        permit .*
    }
    enable = ldap
}
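To make the scale problem in this post concrete, here is an added example (not code from the thread or from tac_plus itself) that replays a config push the way the PIX above would: one TACACS+ shell authorization request per pushed line, each decided against a tac_plus-style group. It parses the FULLPRIV group posted above, plus a constructed restrictive group for contrast, and evaluates a constructed five-line policy push. The group semantics it assumes (first-match inside a `cmd` block, deny when nothing in the block matches, `default service` for commands with no block) are a simplification of tac_plus behaviour, and the pushed config lines and the `PUSHONLY` group are invented for the demonstration.

```python
"""Replay a PIX config push against tac_plus-style command authorization.

Added example, not the poster's or tac_plus's code. Every non-blank line the
management station pushes becomes one authorization request carrying
service=shell, cmd=<first word>, cmd-arg=<rest>, which is why a 3000-line
policy costs 3000 round trips to the TACACS+ server regardless of the verdict.
"""
import re
from dataclasses import dataclass, field

# The group as posted in the thread (one stray closing brace dropped).
FULLPRIV_GROUP = """
group = FULLPRIV {
    default service = permit
    service = shell {
    }
    cmd = enable {
        permit .*
    }
    enable = ldap
}
"""

# Constructed for contrast: only access-list/access-group lines allowed.
RESTRICTED_GROUP = """
group = PUSHONLY {
    default service = deny
    cmd = access-list {
        permit .*
    }
    cmd = access-group {
        permit .*
    }
}
"""

# Constructed sample of what a policy server might push (RFC 5737 addresses).
PUSHED_CONFIG = """
access-list outside_in extended permit tcp any host 192.0.2.10 eq 443
access-list outside_in extended deny ip any any
access-group outside_in in interface outside
object-group network dmz_hosts
network-object host 192.0.2.10
"""


@dataclass
class ShellPolicy:
    """Per-command authorization rules of one tac_plus group (assumed semantics)."""
    default_permit: bool = False
    cmd_rules: dict = field(default_factory=dict)  # cmd -> [(action, regex), ...]

    def authorize(self, cmd: str, args: list[str]) -> bool:
        """Decide one 'service=shell cmd=<cmd> cmd-arg=<args>' request."""
        rules = self.cmd_rules.get(cmd)
        if rules is None:                      # no cmd block: fall back to default service
            return self.default_permit
        argstr = " ".join(args)
        for action, pattern in rules:          # first match inside the block wins
            if re.match(pattern, argstr):
                return action == "permit"
        return False                           # block exists but nothing matched: deny


def parse_group(text: str) -> ShellPolicy:
    """Minimal parser for the subset of tac_plus group syntax used above."""
    policy = ShellPolicy()
    current_cmd = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"default\s+service\s*=\s*(\w+)", line):
            policy.default_permit = m.group(1) == "permit"
        elif m := re.match(r"cmd\s*=\s*(\S+)\s*\{", line):
            current_cmd = m.group(1)
            policy.cmd_rules[current_cmd] = []
        elif current_cmd and (m := re.match(r"(permit|deny)\s+(.*)", line)):
            policy.cmd_rules[current_cmd].append((m.group(1), m.group(2).strip()))
        elif line == "}":
            current_cmd = None                 # leaves cmd (or service/group) block
    return policy


def authorize_push(policy: ShellPolicy, config_lines: list[str]):
    """Return (requests, permitted, denied, denied_lines) for a pushed config."""
    requests = permitted = 0
    denied_lines = []
    for line in config_lines:
        line = line.strip()
        if not line:
            continue
        cmd, *args = line.split()
        requests += 1                          # one TACACS+ round trip per line
        if policy.authorize(cmd, args):
            permitted += 1
        else:
            denied_lines.append(line)
    return requests, permitted, len(denied_lines), denied_lines


if __name__ == "__main__":
    lines = PUSHED_CONFIG.splitlines()
    for name, text in (("FULLPRIV", FULLPRIV_GROUP), ("PUSHONLY", RESTRICTED_GROUP)):
        req, ok, bad, bad_lines = authorize_push(parse_group(text), lines)
        print(f"{name}: {req} requests, {ok} permitted, {bad} denied {bad_lines}")
    print(f"Fleet of 500 devices x 3000 lines = {500 * 3000} authorization requests")
```

Note that the FULLPRIV group permits every line but still generates a request per line; the server-side policy changes the verdicts, not the request count, which is the poster's actual complaint.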
10-27-2006 01:18 AM
Hi
I can see why you might want to do this, but you'd effectively be building in your own security vulnerability.
Often, security is mutually exclusive with ease of use & performance :(
As it happens, I can't think of a way to implement this in ACS Windows/appliance. It would probably need something configured on the device to make it not try to authorise commands from a specific address.
Darran
11-02-2006 03:20 AM
I believe this is possible if the device in question is a Cisco PIX as you can use the command
aaa authorization include
I'm not aware of this being available on a Cisco IOS Router.