configured with a context called local that you use specifically for management
purposes. The source and destination contexts for a context-level
administrative user responsible for managing the entire system should always be
the local context.
administrative user can also connect through other interfaces on StarOS and
still have full management privileges.
administrative user can be created in a non-local context. These management
accounts have privileges only in the context in which they are created. This
type of management account can connect directly to a port in the context in
which they belong, if local connectivity is enabled (SSHD, for example) in that
For all FTP or SFTP
connections, you must connect through a management interface. If you SFTP or
FTP as a non-local context account, you must use the username syntax of
selection process becomes more involved if you are configuring StarOS to
provide local authentication or work with an AAA server to authenticate the
context-level administrative user.
StarOS gives you the
flexibility to configure context-level administrative users locally (meaning
that their profile will be configured and stored in its own memory), or
remotely on an AAA server. If a locally-configured user attempts to log onto
StarOS, StarOS performs the authentication. If you have configured the user
profile on an AAA server, StarOS must determine how to contact the AAA server
to perform authentication. It does this by determining the AAA context for the
The following table
and flowchart describe the process that StarOS uses to select an AAA context
for a context-level administrative user. Items in the table correspond to the
circled numbers in the flowchart.
Figure 1. Context-level Administrative User AAA Context
Table 1. Context-level Administrative User AAA Context Selection
authentication, StarOS determines whether local authentication is enabled in
If it is,
StarOS attempts to authenticate the administrative user in the
local context. If it is not, proceed to item 2 in this
administrative user's username is configured, authentication is performed by
using the AAA configuration within the
local context. If not, proceed to item 2 in this table.
authentication is disabled in StarOS or if the administrative user username is
not configured in the
local context, StarOS determines if a domain was received
as part of the username.
If there is
a domain and it matches the name of a configured context or domain, StarOS uses
the AAA configuration within that context.
If there is
a domain and it does not match the name of a configured context or domain, go
to item 4 in this table.
If there is
no domain as part of the username, go to item 3 in this table.
If there was
no domain specified in the username or the domain is not recognized, StarOS
determines whether an
Administrator Default Domain is configured.
default domain is configured and it matches a configured context, the AAA
configuration within the
Administrator Default Domain context is used.
default domain is not configured or does not match a configured context or
domain, go to item 4 below.
If a domain
was specified as part of the username but it did not match a configured
context, or if a domain was not specified as part of the username, StarOS
determines if the
Administrator Last Resort context parameter is configured.
If a last
resort context is configured and it matches a configured context, the AAA
configuration within that context is used.
If a last
resort context is not configured or does not match a configured context or
domain, the AAA configuration within the
local context is used.
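
The selection order in Table 1, written out as an added Python example (not Cisco code and not StarOS output), useful for checking which context's AAA configuration a given administrative login will reach. The class and field names, the SAMPLE configuration, and passing the domain already separated from the username are assumptions; an unmatched domain goes straight to item 4, as item 2 directs.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class AdminAaaConfig:
    """Hypothetical model of the settings Table 1 refers to (names are assumptions)."""
    local_auth_enabled: bool = True
    local_usernames: Set[str] = field(default_factory=set)  # admins configured in "local"
    names: Dict[str, str] = field(default_factory=dict)     # context/domain name -> context
    default_domain: Optional[str] = None                    # Administrator Default Domain
    last_resort: Optional[str] = None                       # Administrator Last Resort context


def select_aaa_context(cfg: AdminAaaConfig, username: str,
                       domain: Optional[str] = None) -> Tuple[str, int]:
    """Return (context whose AAA configuration is used, table item that decided)."""
    # Item 1: local authentication enabled and the username is configured in local.
    if cfg.local_auth_enabled and username in cfg.local_usernames:
        return "local", 1
    if domain is not None:
        # Item 2: a domain arrived with the username and names a context or domain.
        if domain in cfg.names:
            return cfg.names[domain], 2
        # Unmatched domain: item 2 sends this case to item 4, skipping item 3.
    elif cfg.default_domain in cfg.names:
        # Item 3: no domain supplied, default domain resolves to a context.
        return cfg.names[cfg.default_domain], 3
    # Item 4: last resort context if it resolves, otherwise the local context.
    if cfg.last_resort in cfg.names:
        return cfg.names[cfg.last_resort], 4
    return "local", 4


# Constructed sample configuration, not taken from a real system.
SAMPLE = AdminAaaConfig(
    local_usernames={"admin"},
    names={"ctx-a": "ctx-a", "corp": "ctx-a", "fallback": "fallback"},
    default_domain="corp",
    last_resort="fallback",
)

if __name__ == "__main__":
    for user, dom in [("admin", None), ("ops", "corp"), ("ops", "unknown"), ("ops", None)]:
        print(user, dom, "->", select_aaa_context(SAMPLE, user, dom))
```

Every path that resolves nothing ends at the local context, so the AAA configuration there is the one to review for logins that carry an unknown domain or none.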