08-23-2021 01:59 AM - last edited on 08-23-2021 08:49 PM by support_s
@system domain query
Hi there,
Even though we have AAA on the switch authenticating with TACACS, ISE etc., we can still get in via the @SYSTEM domain with a local user. I am assuming this is correct, as essentially a back door in? How do we lock it down further?
Many thanks
08-23-2021 02:14 AM - edited 08-23-2021 02:16 AM
Re: @system domain query
Hi @prodigy811 !
The 'system' domain is the default and can't be deleted. As you mentioned, you can always specify the domain you want to use for an authentication/authorization session using '@<domain_name>', so it works as it should. What you can do is restrict authentication and authorization for the 'system' domain to 'local', e.g. it will use locally configured users. It is always good to have an alternative way to access your device if the TACACS server becomes unavailable; I am sure even in your default domain you keep 'local' as a secondary authentication/authorization method.
Maybe there is an even better method to restrict any connection with '@SYSTEM'; let's keep this discussion open for better ideas from other users (-:
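An added example, not part of the thread and not HPE code: a small Python audit that reads a saved switch configuration and lists which `user@domain` logins are checked against local users first, which is the '@system' path discussed above. It assumes Comware 7 style `domain` and `local-user` blocks; the domain `corp`, the scheme `ise` and all user names are made up.

```python
import re
# Constructed sample in the style of Comware 7 "display current-configuration";
# the domain "corp", scheme "ise" and all user names are made up.
SAMPLE_CONFIG = """\
domain system
 authentication login local
#
domain corp
 authentication login hwtacacs-scheme ise local
#
 domain default enable corp
#
local-user breakglass class manage
 service-type ssh terminal
 authorization-attribute user-role network-admin
#
local-user netops class manage
 service-type ssh
 authorization-attribute user-role network-operator
#
local-user guest1 class network
 service-type lan-access
"""
MGMT_SERVICES = {"ssh", "telnet", "terminal", "http", "https"}

def parse_blocks(config, keyword):
    """Return {name: [sub-lines]} for top-level blocks that start with keyword."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(rf"{keyword} (\S+)", line)
        if m or not line.startswith(" "):
            current = blocks.setdefault(m.group(1), []) if m else None
        elif current is not None:
            current.append(line.strip())
    return blocks

def local_login_paths(config):
    """Return sorted (login, roles) pairs that are checked against local users first."""
    users = []
    for name, lines in parse_blocks(config, "local-user").items():
        services = {s for l in lines if l.startswith("service-type") for s in l.split()[1:]}
        if services & MGMT_SERVICES:
            users.append((name, ",".join(l.split()[-1] for l in lines if "user-role" in l)))
    paths = []
    for dom, lines in parse_blocks(config, "domain").items():
        # Assumption: a domain with no "authentication login" line is treated as local.
        auth = next((l.split()[2:] for l in lines if l.startswith("authentication login")), ["local"])
        if auth[0] == "local":  # local is the first method, not only a fallback
            paths += [(f"{u}@{dom}", roles) for u, roles in users]
    return sorted(paths)
```

Every pair it returns is a management account whose password strength, role and source restrictions matter even when the default domain points at the AAA server.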
08-23-2021 02:33 AM
Re: @system domain query
Hello prodigy811,
In addition to what Ivan said, I assume you can remove the local users, but this could be a problem if you do not have the RADIUS or TACACS server to log in.
Hope this helps!
08-25-2021 05:48 AM
Re: @system domain query
Many thanks for the info and the reconfirmation.