https://community.cisco.com/t5/network-access-control/aaa-authorization-bypass/m-p/645527#M422604 <P>Is their a command that will bypass the aaa authorization from a particular host? I would like to use something like the aaa mac-exempt command, but have it only exempt on the authorization part. Background: i have a firewall management station that pushes out policies (configs) with over 2000 commands, and if i was to do this to say 500 firewalls... i could have 1000's of authorization statements to authorize. I would like to do the proper aaa authentication against this mgmt server, but have the nas ignore the authorization part.</P> Sun, 10 Mar 2019 21:48:25 GMT matt.walls 2019-03-10T21:48:25Z https://community.cisco.com/t5/network-access-control/aaa-authorization-bypass/m-p/645527#M422604 <P>Is their a command that will bypass the aaa authorization from a particular host? I would like to use something like the aaa mac-exempt command, but have it only exempt on the authorization part. Background: i have a firewall management station that pushes out policies (configs) with over 2000 commands, and if i was to do this to say 500 firewalls... i could have 1000's of authorization statements to authorize. I would like to do the proper aaa authentication against this mgmt server, but have the nas ignore the authorization part.</P> Sun, 10 Mar 2019 21:48:25 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization-bypass/m-p/645527#M422604 matt.walls 2019-03-10T21:48:25Z https://community.cisco.com/t5/network-access-control/aaa-authorization-bypass/m-p/645528#M422606 <HTML><HEAD></HEAD><BODY><P>Hi Matt</P><P></P><P>this is a interesting scenario. I can imagine that other config Management servers would need this such as Ciscoworks LMS, QPM and ISC. I believe this would be a specific config in aaa section - can you attach your aaa config and send, so i can investigate - i would like test in a lab. Also , are we using ACS 4.0?</P></BODY></HTML> Wed, 25 Oct 2006 07:43:02 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization-bypass/m-p/645528#M422606 pvanvuuren 2006-10-25T07:43:02Z https://community.cisco.com/t5/network-access-control/aaa-authorization-bypass/m-p/645529#M422607 <HTML><HEAD></HEAD><BODY><P>I would agree, would be nice to have aaa statement to ignore aaa authorization from a specific mac/ip/or something like that, but not to ignore the aaa authentication. I have some firewall configurations with over 3000 lines, so when I do a firewall config change my policy server has to re-write all those lines of code... and that means 3000 aaa authorization requests/responses. Here are configs... We use unix version of tacacs+. Thank you for any assistance.</P><P>============================================</P><P>(PIX 7.x configuration)</P><P>aaa-server TACACS+ protocol tacacs+</P><P>aaa-server TACACS+ (outside) host x.x.x.x</P><P> key xxxxx</P><P> server-port xxxx</P><P>aaa authentication ssh console TACACS+ LOCAL</P><P>aaa authentication serial console TACACS+ LOCAL</P><P>aaa authentication enable console TACACS+ LOCAL</P><P>aaa authorization command TACACS+ LOCAL</P><P>========================================</P><P>(TACACS+ configuration)</P><P>group = FULLPRIV {</P><P>default service = permit</P><P>service = shell {</P><P>}</P><P>cmd=enable {</P><P>permit .*</P><P>}</P><P>enable = ldap</P><P>}</P><P>}</P></BODY></HTML> Wed, 25 Oct 2006 12:19:16 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization-bypass/m-p/645529#M422607 matt.walls 2006-10-25T12:19:16Z https://community.cisco.com/t5/network-access-control/aaa-authorization-bypass/m-p/645530#M422608 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>I can see why you might want to do this, but you'd effectively be building-in your own security vulnerability.</P><P></P><P>Often, security is mutually exclusive with ease of use &amp; performance <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P><P></P><P>As it happens I cant think of a way to implement this in ACS windows/appliance. Would probably need something configured on the device to make it not try to authorise commands from a specific address.</P><P></P><P>Darran</P></BODY></HTML> Fri, 27 Oct 2006 08:18:08 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization-bypass/m-p/645530#M422608 darpotter 2006-10-27T08:18:08Z https://community.cisco.com/t5/network-access-control/aaa-authorization-bypass/m-p/645531#M422609 <HTML><HEAD></HEAD><BODY><P>I believe this is possible if the device in question is a Cisco PIX as you can use the command</P><P></P><P>aaa authorization include </P><P></P><P>I'm not aware of this being available on a Cisco IOS Router.</P></BODY></HTML> Thu, 02 Nov 2006 11:20:51 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization-bypass/m-p/645531#M422609 elliott.fougman 2006-11-02T11:20:51Z