removing aaa restrictions on-the-fly

admin_2
Level 3

we're moving away from an inbound authentication/authorisation scheme (which takes place within an unencrypted http session) to one that takes place at the https level, at the target website (within the encrypted https session).

PIX Version 5.2(5) ... config includes a slew of exclusions from the current aaa, anyway, to account for some customer proxies that don't behave nicely, like this:

...

aaa authentication exclude tcp/443 outside 192.168.1.0 255.255.255.0 some.un.nice.proxy 255.255.255.255 TACACS+

aaa authentication exclude tcp/443 outside 192.168.1.0 255.255.255.0 someother.un.nice.proxy 255.255.255.255 TACACS+

... etc ...

followed by the 'kicker':

aaa authentication include tcp/443 outside 192.168.1.0 255.255.255.0 0.0.0.0 0.0.0.0 TACACS+

finally the question: I THINK I can do the following:

IF I remove the 'include' lines ... I think that opens up the https protocol through the PIX (subject to all the other 'conduit permit' lines).

then test to make sure allowed traffic is still allowed and denied traffic is still denied ...

then I can leisurely remove all of the other aaa-server lines.

all without affecting ongoing customer sessions.

just looking for a confirmation on my supposition.

comments?

gfullage
Cisco Employee

Hmmm, I'm open to other suggestions from people here, but I'd be very careful removing an "include" and leaving an "exclude" by itself. Excludes are really defined as "an exclude to a previously defined include"; if you remove the include I'm not 100% sure what will happen.

If you're going to get rid of all the authentication on the PIX, why not just do "clear aaa" to remove all the statements in one hit (assuming you don't have other aaa statements you want to keep)? You'd probably want to do a "clear uauth" as well, but then you should be good to go after that.
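The caveat in the reply (an `exclude` only has meaning relative to a previously defined `include`) is something worth checking mechanically before touching a running PIX. The script below is an added example, not code from the thread or from Cisco: it parses `aaa authentication include|exclude` lines in the format quoted in the question, and reports any `exclude` whose scope (type, service, interface and server group) no longer has a matching `include`, both for the config as-is and for a "what if I drop these includes" preview. The sample config, the host addresses in it, and the choice of scope key used to pair excludes with includes are all assumptions made for the example; the PIX itself remains the authority on how an orphaned exclude actually behaves.

```python
import re
from dataclasses import dataclass

# Constructed sample config, modelled on the lines quoted in the question.
# Addresses are documentation ranges, not real hosts.
SAMPLE_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.0.0.5 examplekey timeout 5
aaa authentication exclude tcp/443 outside 192.168.1.0 255.255.255.0 203.0.113.10 255.255.255.255 TACACS+
aaa authentication exclude tcp/443 outside 192.168.1.0 255.255.255.0 203.0.113.11 255.255.255.255 TACACS+
aaa authentication include tcp/443 outside 192.168.1.0 255.255.255.0 0.0.0.0 0.0.0.0 TACACS+
aaa authentication include tcp/80 outside 192.168.1.0 255.255.255.0 0.0.0.0 0.0.0.0 TACACS+
"""

# Field order follows the quoted lines:
# aaa <kind> <include|exclude> <service> <iface> <local ip> <local mask> <foreign ip> <foreign mask> <server tag>
AAA_RE = re.compile(
    r"^aaa\s+(?P<kind>authentication|authorization|accounting)\s+"
    r"(?P<mode>include|exclude)\s+(?P<service>\S+)\s+(?P<iface>\S+)\s+"
    r"(?P<lip>\S+)\s+(?P<lmask>\S+)\s+(?P<fip>\S+)\s+(?P<fmask>\S+)\s+(?P<tag>\S+)\s*$"
)


@dataclass(frozen=True)
class AaaRule:
    kind: str
    mode: str
    service: str
    iface: str
    lip: str
    lmask: str
    fip: str
    fmask: str
    tag: str
    text: str

    def scope(self):
        # Assumption for this example: an exclude pairs with an include that
        # shares the same aaa type, service, interface and server group.
        return (self.kind, self.service, self.iface, self.tag)


def parse_aaa_rules(config):
    """Return the aaa include/exclude rules found in a config, in file order."""
    rules = []
    for line in config.splitlines():
        m = AAA_RE.match(line.strip())
        if m:
            rules.append(AaaRule(**m.groupdict(), text=line.strip()))
    return rules


def orphaned_excludes(rules):
    """Excludes whose scope has no include left to be an exception to."""
    include_scopes = {r.scope() for r in rules if r.mode == "include"}
    return [r for r in rules if r.mode == "exclude" and r.scope() not in include_scopes]


def preview_removal(config, drop_predicate):
    """Simulate removing every rule matching drop_predicate; return (kept, orphaned)."""
    kept = [r for r in parse_aaa_rules(config) if not drop_predicate(r)]
    return kept, orphaned_excludes(kept)


if __name__ == "__main__":
    print("Orphaned excludes in current config:", len(orphaned_excludes(parse_aaa_rules(SAMPLE_CONFIG))))
    # The change proposed in the question: drop only the tcp/443 includes.
    kept, orphans = preview_removal(
        SAMPLE_CONFIG, lambda r: r.mode == "include" and r.service == "tcp/443"
    )
    print("Rules kept after removing tcp/443 includes:", len(kept))
    for o in orphans:
        print("  orphaned:", o.text)
```

Run it against a saved `show run` before making the change; if the preview reports orphaned excludes, either remove those excludes in the same change window or, as the reply suggests, clear the whole aaa block rather than leaving excludes behind with no include to qualify.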