Bypass 2-factor Authentication for config management

h.perrett
Level 1

I need some help in locating information or a Cisco document on configuring Cisco ACS to bypass 2-factor authentication.

We are running Cisco ACS 5.60.22.2 that is used to authenticate users with 2-factor authentication against AD and RSA - this all works without any issues.

I have a toolset that can be used for configuration management, i.e. to collect configs. But this requires an account to log in to each device over SSH/Telnet before the config can be collected, so I need to bypass 2-factor authentication in this case.

I have found some articles posted here that I have followed, created a local user in the ACS server Internal Identity Store, created an Identity Store Sequence and changed the Service Selection Rules > Identity "If user not found - Continue".

When I test the local user I can log in to a device without 2-Factor Authentication - all great. But when I test the login with my AD account I can also log in using my AD account without the need for 2-Factor Authentication - not great. If I back out the change and set the Service Selection Rules > Identity "If user not found - Reject" then I am back to using 2-Factor Authentication.

Any help would be appreciated.

1 Reply

nspasov
Cisco Employee

What do your authorization rules look like? What you are experiencing is expected since the Authentication process is set to "continue." You will need to make your authorization rules very specific/detailed to make sure that the appropriate users get access while everyone else gets "Access Denied".

Thank you for rating helpful posts!
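The interaction the reply describes, as an added Python model that is not ACS code or configuration and is not part of the original thread: an identity store sequence is walked first, and when "If user not found" is set to Continue, a username that no store recognises reaches the authorization policy without any password having been checked. The two versions of `evaluate` below show a permissive default rule letting such a request through, and an authorization rule set that permits only the verified backup account (and only from the collector's address) with a default of deny. The store name "Internal Users", the group "ConfigBackup", the usernames, passwords and IP addresses are all constructed for the demo; the RSA/AD path that the real deployment uses for everyone else is deliberately not modelled.

```python
# Added example: a minimal model of an ACS 5.x-style identity policy followed by
# an authorization policy. All store contents, names and addresses are made up.
from dataclasses import dataclass
from typing import Callable, Optional

NOT_FOUND, PASS, FAIL = "not_found", "pass", "fail"


@dataclass
class Request:
    username: str
    password: str
    src_ip: str


@dataclass
class Identity:
    username: str
    store: Optional[str]   # store that authenticated the user, or None
    groups: frozenset      # identity groups reported by that store
    verified: bool         # True only if some store actually checked the credential


class InternalStore:
    """Constructed internal identity store: username -> (password, groups)."""
    name = "Internal Users"

    def __init__(self, users):
        self.users = users

    def authenticate(self, req):
        if req.username not in self.users:
            return NOT_FOUND, frozenset()
        password, groups = self.users[req.username]
        return (PASS if req.password == password else FAIL), frozenset(groups)


def identity_policy(stores, on_not_found, req):
    """Walk the identity store sequence; return an Identity, or None to reject."""
    for store in stores:
        outcome, groups = store.authenticate(req)
        if outcome == PASS:
            return Identity(req.username, store.name, groups, verified=True)
        if outcome == FAIL:
            return None  # "If authentication failed" is left at Reject
    if on_not_found == "continue":
        # The risky branch: no store checked a password, yet the request goes on
        # to authorization carrying an unverified username.
        return Identity(req.username, None, frozenset(), verified=False)
    return None


@dataclass
class Rule:
    name: str
    condition: Callable[[Identity, Request], bool]
    result: str  # "permit" or "deny"


def authorize(rules, default, ident, req):
    """First matching authorization rule wins; otherwise the default rule applies."""
    for rule in rules:
        if rule.condition(ident, req):
            return rule.result, rule.name
    return default, "Default"


def evaluate(stores, on_not_found, rules, default, req):
    ident = identity_policy(stores, on_not_found, req)
    if ident is None:
        return "reject", "Identity policy"
    return authorize(rules, default, ident, req)


INTERNAL = InternalStore({"cfgbackup": ("S3cret-backup", ["ConfigBackup"])})
BACKUP = Request("cfgbackup", "S3cret-backup", "10.0.0.5")          # collector host
AD_USER = Request("h.perrett", "anything-at-all", "192.0.2.10")      # not in Internal Users


def weak(req):
    """Continue on not-found, no explicit rules, default permit: the reported problem."""
    return evaluate([INTERNAL], "continue", [], "permit", req)


STRICT_RULES = [
    Rule("Collector",
         lambda i, r: i.verified and i.store == "Internal Users"
         and "ConfigBackup" in i.groups and r.src_ip == "10.0.0.5",
         "permit"),
]


def strict(req):
    """Same identity policy, but authorization permits only the verified backup user."""
    return evaluate([INTERNAL], "continue", STRICT_RULES, "deny", req)


if __name__ == "__main__":
    for label, policy in (("weak", weak), ("strict", strict)):
        for req in (BACKUP, AD_USER):
            print(label, req.username, policy(req))
```

Under `weak`, both the backup account and the unknown AD username get `("permit", "Default")`, which is the behaviour reported in the question. Under `strict`, the backup account is permitted by the "Collector" rule, the AD username falls to the default deny, a wrong password for `cfgbackup` is rejected by the identity policy, and the right password from the wrong source address is denied. The point to take from the model is that with Continue the authorization rules are the only thing standing between an arbitrary username and a device login, so the default rule must deny and the permit rule should be as narrow as the collector's needs allow; how the 2-factor users are routed to their own service is a separate question the thread does not describe.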