aaa authorization bypass

matt.walls
Level 1

Is there a command that will bypass the aaa authorization from a particular host? I would like to use something like the aaa mac-exempt command, but have it only exempt the authorization part. Background: I have a firewall management station that pushes out policies (configs) with over 2000 commands, and if I were to do this to, say, 500 firewalls, I could have thousands of authorization statements to authorize. I would like to do the proper aaa authentication against this mgmt server, but have the NAS ignore the authorization part.

4 Replies

pvanvuuren
Level 3

Hi Matt

This is an interesting scenario. I can imagine that other config management servers would need this, such as CiscoWorks LMS, QPM and ISC. I believe this would be a specific config in the aaa section. Can you attach your aaa config and send it, so I can investigate? I would like to test it in a lab. Also, are we using ACS 4.0?

I would agree; it would be nice to have an aaa statement that ignores aaa authorization from a specific MAC/IP or something like that, but does not ignore the aaa authentication. I have some firewall configurations with over 3000 lines, so when I do a firewall config change my policy server has to re-write all those lines of code... and that means 3000 aaa authorization requests/responses. Here are the configs... We use the Unix version of tacacs+. Thank you for any assistance.

============================================

(PIX 7.x configuration)

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host x.x.x.x
key xxxxx
server-port xxxx
aaa authentication ssh console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL

========================================

(TACACS+ configuration)

group = FULLPRIV {
    default service = permit
    service = shell {
    }
    cmd = enable {
        permit .*
    }
    enable = ldap
}
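As an added illustration (this is constructed for this page, not code from the thread or from tac_plus itself): a small Python model of how a tac_plus group like the one above decides each command the management station sends, and how many authorization round trips a pushed config generates. The group name FULLPRIV and the `cmd = enable` block come from the post; the `cmd = configure` block, the pushed command list, and the function names are assumptions made for this example. The parser covers only the subset of tac_plus syntax shown here.

```python
import re
from dataclasses import dataclass, field

# Constructed tac_plus-style group (same syntax as the posted config).
# The "cmd = configure" block is hypothetical, added to show a deny rule.
SAMPLE_POLICY = """
group = FULLPRIV {
    default service = permit
    service = shell {
    }
    cmd = enable {
        permit .*
    }
    cmd = configure {
        permit terminal
        deny .*
    }
}
"""

# Constructed sample of commands a policy push might send, one line each.
PUSHED_CONFIG = [
    "enable",
    "configure terminal",
    "access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443",
    "access-group OUTSIDE_IN in interface outside",
    "configure memory",   # not covered by the hypothetical "permit terminal" rule
]


@dataclass
class Group:
    name: str
    default_permit: bool = False
    cmds: dict = field(default_factory=dict)   # cmd name -> [(action, compiled regex)]


def parse_groups(text):
    """Parse the subset of tac_plus group syntax used above into Group objects."""
    groups = {}
    stack = []                 # open blocks: "group", "service", "cmd"
    group = cmd = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            kind = stack.pop() if stack else None
            if kind == "cmd":
                cmd = None
            elif kind == "group":
                group = None
            continue
        m = re.match(r"group\s*=\s*(\S+)\s*\{$", line)
        if m:
            group = Group(m.group(1))
            groups[group.name] = group
            stack.append("group")
            continue
        m = re.match(r"cmd\s*=\s*(\S+)\s*\{$", line)
        if m and group is not None:
            cmd = m.group(1)
            group.cmds.setdefault(cmd, [])
            stack.append("cmd")
            continue
        if re.match(r"service\s*=\s*\S+\s*\{$", line):
            stack.append("service")
            continue
        m = re.match(r"default\s+service\s*=\s*(permit|deny)$", line)
        if m and group is not None:
            group.default_permit = m.group(1) == "permit"
            continue
        m = re.match(r"(permit|deny)\s+(.+)$", line)
        if m and cmd is not None:
            group.cmds[cmd].append((m.group(1), re.compile(m.group(2))))
            continue
        # other attributes (login =, enable =, ...) are ignored by this demo
    return groups


def authorize(group, command_line):
    """Decide one command the way a tac_plus group does: if a cmd block exists
    for the command name, the first permit/deny regex matching the arguments
    wins and no match means deny; with no cmd block, "default service" applies."""
    name, _, args = command_line.strip().partition(" ")
    rules = group.cmds.get(name)
    if rules is None:
        return ("permit" if group.default_permit else "deny", "default service")
    for action, rx in rules:
        if rx.search(args):
            return (action, f"matched '{rx.pattern}' in cmd = {name}")
    return ("deny", f"no rule in cmd = {name} matched the arguments")


def simulate_push(group, commands):
    """Every pushed line is one authorization request; report the count and
    which lines the policy would reject."""
    denied = [c for c in commands if authorize(group, c)[0] == "deny"]
    return {"requests": len(commands), "denied": denied}


if __name__ == "__main__":
    fullpriv = parse_groups(SAMPLE_POLICY)["FULLPRIV"]
    for cmd_line in PUSHED_CONFIG:
        print(f"{authorize(fullpriv, cmd_line)[0]:6}  {cmd_line}")
    print(simulate_push(fullpriv, PUSHED_CONFIG))
```

The request count is exactly one per pushed line, which is the cost described in the post; the model also shows why the decision is cheap on the server side once the group has `default service = permit`, since only commands with an explicit `cmd` block are matched against regexes.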

Hi

I can see why you might want to do this, but you'd effectively be building in your own security vulnerability.

Often, security is mutually exclusive with ease of use & performance :(

As it happens I can't think of a way to implement this in ACS Windows/appliance. It would probably need something configured on the device to make it not try to authorise commands from a specific address.

Darran

I believe this is possible if the device in question is a Cisco PIX, as you can use the command

aaa authorization include

I'm not aware of this being available on a Cisco IOS Router.