Table 1: Context-level Administrative User AAA Context Selection
DescriptionItem
During authentication, the system determines whether local authentication is enabled in the local context.
If it is, the system attempts to authenticate the administrative user in the local context. If it is not, proceed to item 2 in
this table.
If the administrative user's username is configured, authentication is performed by using the AAA configuration within
the local context. If not, proceed to item 2 in this table.
1
If local authentication is disabled on the system or if the administrative user's username is not configured in the local
context, the system determines if a domain was received as part of the username.
If there is a domain and it matches the name of a configured context or domain, the systems uses the AAA configuration
within that context.
If there is a domain and it does not match the name of a configured context or domain, Go to item 4 in this table.
If there is no domain as part of the username, go to item 3 in this table.
2
If there was no domain specified in the username or the domain is not recognized, the system determines whether an AAA
Administrator Default Domain is configured.
If the default domain is configured and it matches a configured context, the AAA configuration within the AAA
Administrator Default Domain context is used.
If the default domain is not configured or does not match a configured context or domain, go to item 4 item below.
3
If a domain was specified as part of the username but it did not match a configured context, or if a domain was not specified
as part of the username, the system determines if the AAA Administrator Last Resort context parameter is configured.
If a last resort, context is configured and it matches a configured context, the AAA configuration within that context is
used.
If a last resort context is not configured or does not match a configured context or domain, the AAA configuration within
the local context is used.
4
In Release 21.4 and higher (Trusted builds only):
•
Users can only access the system through their respective context interface.
•
If the user attempts to log in to their respective context through a different context interface, that user
will be rejected.
•
Irrespective of whether the users are configured in any context with 'authorized-keys' or 'allowusers',
with this feature these users will be rejected if they attempt to log in via any other context interface other
than their own context interface.
•
Users configured in any non-local context are required to specify which context they are trying to log
in to. For example:
ssh username@ctx_name@ctx_ip_addrs
ASR 5500 System Administration Guide, StarOS Release 21.4
9
System Operation and Configuration
Context Selection for Context-level Administrative User Sessions
To Next Page
Loading...
Need help?
General
