Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

aaa authorization bypass

Is their a command that will bypass the aaa authorization from a particular host? I would like to use something like the aaa mac-exempt command, but have it only exempt on the authorization part. Background: i have a firewall management station that pushes out policies (configs) with over 2000 commands, and if i was to do this to say 500 firewalls... i could have 1000's of authorization statements to authorize. I would like to do the proper aaa authentication against this mgmt server, but have the nas ignore the authorization part.


Re: aaa authorization bypass

Hi Matt

this is a interesting scenario. I can imagine that other config Management servers would need this such as Ciscoworks LMS, QPM and ISC. I believe this would be a specific config in aaa section - can you attach your aaa config and send, so i can investigate - i would like test in a lab. Also , are we using ACS 4.0?

New Member

Re: aaa authorization bypass

I would agree, would be nice to have aaa statement to ignore aaa authorization from a specific mac/ip/or something like that, but not to ignore the aaa authentication. I have some firewall configurations with over 3000 lines, so when I do a firewall config change my policy server has to re-write all those lines of code... and that means 3000 aaa authorization requests/responses. Here are configs... We use unix version of tacacs+. Thank you for any assistance.


(PIX 7.x configuration)

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ (outside) host x.x.x.x

key xxxxx

server-port xxxx

aaa authentication ssh console TACACS+ LOCAL

aaa authentication serial console TACACS+ LOCAL

aaa authentication enable console TACACS+ LOCAL

aaa authorization command TACACS+ LOCAL


(TACACS+ configuration)

group = FULLPRIV {

default service = permit

service = shell {


cmd=enable {

permit .*


enable = ldap




Re: aaa authorization bypass


I can see why you might want to do this, but you'd effectively be building-in your own security vulnerability.

Often, security is mutually exclusive with ease of use & performance :(

As it happens I cant think of a way to implement this in ACS windows/appliance. Would probably need something configured on the device to make it not try to authorise commands from a specific address.


New Member

Re: aaa authorization bypass

I believe this is possible if the device in question is a Cisco PIX as you can use the command

aaa authorization include

I'm not aware of this being available on a Cisco IOS Router.