Comware

  • 1.  @system domain query

    Posted Aug 23, 2021 04:59 AM

    Hi there,


    Even though we have AAA on the switch authenticating with TACACS (ISE etc.), we can still get in via the @SYSTEM domain with a local user. I am assuming this is correct, as it is essentially a back door in? How do we lock it down further?

    Many thanks


    #Commware
    #Switch_Router_Interconnect


  • 2.  RE: @system domain query

    Posted Aug 23, 2021 05:14 AM

    Hi @prodigy811 !

    The 'system' domain is the default and can't be deleted. As you mentioned, you can always specify the domain you want to use for the authentication/authorization session using '@<domain_name>', so it works as it should. What you can do is restrict authentication and authorization for the 'system' domain to 'local', i.e. it will use locally configured users. It is always good to have an alternative way to access your device if the TACACS server becomes unavailable; I am sure even in your default domain you keep 'local' as a secondary authentication/authorization method.

    Maybe there is an even better method to restrict any connection with '@SYSTEM'; let's keep this discussion open for better ideas from other users (-:


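    As an added configuration example (not from either poster, and not taken from the original thread), here is one way to put what Ivan describes into a Comware 7 configuration: the TACACS-backed domain becomes the default, and the undeletable 'system' domain is pinned to local users only, so a login with '@system' can never pick up a different scheme. The scheme name ISE, the domain name corp, the server address 192.0.2.10, the shared key, and the local account name are constructed values for illustration; substitute your own.

```text
# Added example, not from the thread: Comware 7 AAA with the TACACS domain
# as default and the 'system' domain restricted to local users.
# Scheme name, domain name, server address, key and username are constructed.
#
hwtacacs scheme ISE
 primary authentication 192.0.2.10
 primary authorization 192.0.2.10
 primary accounting 192.0.2.10
 key authentication simple TacacsSharedKey
 key authorization simple TacacsSharedKey
 key accounting simple TacacsSharedKey
 user-name-format without-domain
#
# Domain used for normal logins: TACACS first, local only as a fallback
# if the server is unreachable
domain corp
 authentication login hwtacacs-scheme ISE local
 authorization login hwtacacs-scheme ISE local
 accounting login hwtacacs-scheme ISE local
#
# Make 'corp' the default so a login without '@domain' goes to TACACS
domain default enable corp
#
# The built-in 'system' domain cannot be deleted, so restrict it to local
# users; '@system' then only ever authenticates against local accounts
domain system
 authentication login local
 authorization login local
 accounting login local
#
# One local emergency account kept for when the TACACS server is down
local-user breakglass class manage
 password simple ReplaceWithStrongPassword
 service-type ssh
 authorization-attribute user-role network-admin
```

    With this in place, 'display domain system' should show local for authentication, authorization and accounting, and 'display local-user' should list only the accounts you intend to keep. The remaining exposure of '@system' is then exactly the set of local accounts, so the practical hardening is to keep that set small, give them strong passwords, and make sure local logins are logged and reviewed alongside the TACACS accounting records.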



  • 3.  RE: @system domain query

    Posted Aug 25, 2021 08:48 AM

    Many thanks for the info and the reconfirmation. 



  • 4.  RE: @system domain query

    Posted Aug 23, 2021 05:34 AM

    Hello prodigy811,

    In addition to what Ivan said, I assume you can remove the local users, but this could be a problem if you do not have the RADIUS or TACACS server to log in.

    Hope this helps!