@system domain query

prodigy811 · ‎08-23-2021

Hi there,

Eventhough we have AAA on the switch authenticating with TACACs ISE etc. We can still get in via @SYSTEM domain with local user, I am assuming this is correct as essentially a back door in? How do we lock it down further?

Many thanks

Ivan_B · ‎08-23-2021

Hi @prodigy811 !

The 'system' domain is the default and can't be deleted. As you mentioned you can always specify the domain you want to use for authentication/authorization session using '@<domain_name>', so it works as it should. What you can do is to restrict authentication and authorization for the 'system' domain to 'local', e.g. it will use locally configured users. It is always good to have alternative way to access your device if TACACS server becomes unavailable, I am sure even in your default domain you keep 'local' as a secondary authentication/authorization method.

Maybe there is even better method to restrict any connection with '@SYSTEM', let's keep this discussion open for better ideas from other users (-:

I am an HPE employee

-Alex- · ‎08-23-2021

Hello prodigy811,

In addtion to what Ivan said I assume you can remove the local users, but this could be a problem if you do not have the RADIUS ot TACACS server to log in.

Hope this helps!

I am an HPE Employee

prodigy811 · ‎08-25-2021

Many thanks for the info and the reconfirmation.

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

@system domain query

@system domain query

Re: @system domain query

Re: @system domain query

Re: @system domain query