Is their a command that will bypass the aaa authorization from a particular host? I would like to use something like the aaa mac-exempt command, but have it only exempt on the authorization part. Background: i have a firewall management station that pushes out policies (configs) with over 2000 commands, and if i was to do this to say 500 firewalls... i could have 1000's of authorization statements to authorize. I would like to do the proper aaa authentication against this mgmt server, but have the nas ignore the authorization part.
this is a interesting scenario. I can imagine that other config Management servers would need this such as Ciscoworks LMS, QPM and ISC. I believe this would be a specific config in aaa section - can you attach your aaa config and send, so i can investigate - i would like test in a lab. Also , are we using ACS 4.0?
I would agree, would be nice to have aaa statement to ignore aaa authorization from a specific mac/ip/or something like that, but not to ignore the aaa authentication. I have some firewall configurations with over 3000 lines, so when I do a firewall config change my policy server has to re-write all those lines of code... and that means 3000 aaa authorization requests/responses. Here are configs... We use unix version of tacacs+. Thank you for any assistance.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...