Comware Based

@system domain query

prodigy811
Frequent Advisor

Hi there,


Even though we have AAA on the switch authenticating with TACACS (ISE etc.), we can still get in via the @SYSTEM domain with a local user. I am assuming this is correct, as it is essentially a back door in? How do we lock it down further?

Many thanks

Ivan_B
HPE Pro

Re: @system domain query

Hi @prodigy811!

The 'system' domain is the default and can't be deleted. As you mentioned, you can always specify the domain you want to use for an authentication/authorization session using '@<domain_name>', so it works as it should. What you can do is restrict authentication and authorization for the 'system' domain to 'local', i.e. it will use locally configured users. It is always good to have an alternative way to access your device if the TACACS server becomes unavailable; I am sure even in your default domain you keep 'local' as a secondary authentication/authorization method.

Maybe there is an even better method to restrict any connection with '@SYSTEM'; let's keep this discussion open for better ideas from other users (-:

I am an HPE employee

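The configuration Ivan describes, written out as an added example for a Comware 7 switch (this is constructed for illustration, not config posted in the thread or shipped by HPE). The scheme name 'ise', the server address 10.0.0.10, the shared key and the local account name are assumptions; replace them with your own. The normal login domain uses TACACS with local as the fallback, it is made the default so a plain username goes to TACACS, and the undeletable 'system' domain is pinned to local-only so that 'user@system' can never reach anything except the local user database:

```text
# Constructed Comware 7 example (not from the thread). Server address,
# shared key, scheme name and local account name are assumptions.
hwtacacs scheme ise
 primary authentication 10.0.0.10
 primary authorization 10.0.0.10
 primary accounting 10.0.0.10
 key authentication simple ReplaceMe
 key authorization simple ReplaceMe
 key accounting simple ReplaceMe
 user-name-format without-domain
#
# Domain for normal logins: TACACS first, local only if the server is unreachable
domain ise
 authentication login hwtacacs-scheme ise local
 authorization login hwtacacs-scheme ise local
 accounting login hwtacacs-scheme ise local
#
# Make 'ise' the default so a username with no '@' suffix is sent to TACACS
domain default enable ise
#
# The built-in 'system' domain cannot be deleted; restrict it to local methods
domain system
 authentication login local
 authorization login local
 accounting login local
#
# The one local account the '@system' path can use; keep it strong and unique
local-user admin class manage
 password simple ReplaceMe
 service-type ssh
 authorization-attribute user-role network-admin
```

To check the result, run 'display domain system' and confirm every login method shows 'local', then test both paths: an SSH login as 'admin@ise' should be authenticated by TACACS (and only fall back to local when the server is down), while 'admin@system' should succeed only with the local password. Note that on Comware the 'system' domain already defaults to local methods, so this configuration mostly makes the intent explicit; the practical hardening is to keep exactly one strong local account, limit which addresses may reach the SSH service, and watch the switch logs for successful '@system' logins, which should be rare.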

-Alex-
HPE Pro

Re: @system domain query

Hello prodigy811,

In addition to what Ivan said, I assume you can remove the local users, but this could be a problem if you do not have the RADIUS or TACACS server to log in.

Hope this helps!

I am an HPE Employee


prodigy811
Frequent Advisor

Re: @system domain query

Many thanks for the info and the reconfirmation.