Cisco Support Community
New Member

removing aaa restrictions on-the-fly

we're moving away from an inbound authentication/authorisation scheme (which takes place within an unencrypted http session) to one that takes place at the https level, at the target website (within the encrypted https session).

PIX Version 5.2(5) ... config includes a slew of exclusions from the current aaa, anyway, to account for some customer proxies that don't behave nicely, like this:


aaa authentication exclude tcp/443 outside some.un.nice.proxy TACACS+

aaa authentication exclude tcp/443 outside someother.un.nice.proxy TACACS+

... etc ...

followed by the 'kicker':

aaa authentication include tcp/443 outside TACACS+

finally the question: I THINK I can do the following:

IF I remove the 'include' lines ... I think that opens up the https protocol through the PIX (subject to all the other 'conduit permit' lines).

then test to make sure allowed traffic is still allowed and denied traffic is still denied ...

then I can leisurely remove all of the other aaa-server lines.

all without affecting ongoing customer sessions.

just looking for a confirmation on my supposition.


Cisco Employee

Re: removing aaa restrictions on-the-fly

Hmmm, I'm open to other suggestions from people here, but I'd be very careful removing an "include" and leaving an "exclude" by itself. Excludes are really defined as "an exclude to a previously defined include"; if you remove the include I'm not 100% sure what will happen.

If you're going to get rid of all the authentication on the PIX, why not just do "clear aaa" to remove all the statements in one hit (assuming you don't have other aaa statements you want to keep)? You'd probably want to do a "clear uauth" as well, but then you should be good to go after that.
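The concern raised in the reply (an "exclude" left behind without the "include" it modifies) is easy to check before touching the firewall. The following is an added example, not code from the thread or from Cisco: a small Python script that parses aaa authentication include/exclude lines from a saved PIX configuration, reports excludes that no longer have a matching include for the same service, interface and server tag, and compares the two change plans discussed above (drop only the includes, versus clear every aaa authentication rule). The sample config is constructed here with placeholder hostnames modelled on the thread's lines; it assumes the simplified form of the rules as posted, with the server tag as the last token.

```python
"""Check a PIX-style aaa config for 'exclude' rules that have lost their 'include'."""

# Constructed sample config modelled on the thread's lines; hostnames are placeholders.
SAMPLE_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.0.2.10 placeholderkey timeout 5
aaa authentication exclude tcp/443 outside some.un.nice.proxy TACACS+
aaa authentication exclude tcp/443 outside someother.un.nice.proxy TACACS+
aaa authentication include tcp/443 outside TACACS+
"""


def parse_aaa_rule(line):
    """Return a dict for an 'aaa authentication include|exclude' line, else None.

    Assumed layout (as in the thread): aaa authentication <action> <service> <if_name>
    [address tokens...] <server_tag>.  Other config lines are ignored.
    """
    parts = line.split()
    if (len(parts) < 6 or parts[:2] != ["aaa", "authentication"]
            or parts[2] not in ("include", "exclude")):
        return None
    return {
        "action": parts[2],
        "service": parts[3],
        "if_name": parts[4],
        "addrs": tuple(parts[5:-1]),   # empty for a bare 'include' line
        "server": parts[-1],
        "line": line.strip(),
    }


def aaa_rules(config_text):
    """All include/exclude rules found in the config, in order."""
    return [r for r in map(parse_aaa_rule, config_text.splitlines()) if r]


def orphaned_excludes(config_text):
    """Exclude lines whose (service, if_name, server) has no matching include line."""
    rules = aaa_rules(config_text)
    includes = {(r["service"], r["if_name"], r["server"])
                for r in rules if r["action"] == "include"}
    return [r["line"] for r in rules
            if r["action"] == "exclude"
            and (r["service"], r["if_name"], r["server"]) not in includes]


def without_rules(config_text, predicate):
    """Return config_text with every aaa rule for which predicate(rule) is true removed."""
    kept = []
    for line in config_text.splitlines():
        rule = parse_aaa_rule(line)
        if rule and predicate(rule):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


def plan_include_removal_only(config_text):
    """The poster's plan: drop only the 'include' lines.

    Returns (resulting_config, orphaned_exclude_lines).  A non-empty second
    element is exactly the situation the reply warns about.
    """
    new_config = without_rules(config_text, lambda r: r["action"] == "include")
    return new_config, orphaned_excludes(new_config)


def plan_full_clear(config_text):
    """The reply's alternative: remove every aaa authentication rule at once.

    This models only the include/exclude lines this parser recognises; the real
    'clear aaa' also removes other aaa statements, as the reply notes.
    """
    new_config = without_rules(config_text, lambda r: True)
    return new_config, orphaned_excludes(new_config)


if __name__ == "__main__":
    print("Current orphaned excludes:", orphaned_excludes(SAMPLE_CONFIG))
    _, orphans = plan_include_removal_only(SAMPLE_CONFIG)
    print("After removing only includes, orphaned excludes:")
    for line in orphans:
        print("  ", line)
    _, orphans = plan_full_clear(SAMPLE_CONFIG)
    print("After clearing all aaa authentication rules, orphaned excludes:", orphans)
```

Run it against `show running-config` output saved to a file by reading the file into `SAMPLE_CONFIG`'s place; any lines it reports after `plan_include_removal_only` are the excludes that would be left dangling, which is the case to avoid before relying on a "test allowed and denied traffic" pass.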
