The system comes configured with a context called local that you use specifically for management purposes. The context selection process for context-level administrative users (those configured within a context) is simplified because the management ports on the MIO are associated only with the local context. Therefore, the source and destination contexts for a context-level administrative user responsible for managing the entire system should always be the local context.
A context-level administrative user can be created in a non-local context. These management accounts have privileges only in the context in which they are created. This type of management account can connect directly to a port in the context to which they belong, if local connectivity is enabled (SSHD, for example) in that context.
For all FTP or SFTP connections, you must connect through an MIO management interface. If you SFTP or FTP as a non-local context account, you must use the username syntax of username@contextname.
Important: In release 20.0 and higher Trusted StarOS builds, FTP is not supported.
The context selection process becomes more involved if you are configuring the system to provide local authentication or to work with an AAA server to authenticate the context-level administrative user.
The system gives you the flexibility to configure context-level administrative users locally (meaning that the user profile is configured and stored on the system itself), or remotely on an AAA server. If a locally configured user attempts to log on to the system, the system performs the authentication. If you have configured the user profile on an AAA server, the system must determine how to contact the AAA server to perform authentication. It does this by determining the AAA context for the session.
The following table and flowchart describe the process that the system uses to select an AAA context for a context-level administrative user. Items in the table correspond to the circled numbers in the flowchart.
Figure 1. Context-level Administrative User AAA Context
Table 1. Context-level Administrative User AAA Context Selection

Item 1: During authentication, the system determines whether local authentication is enabled in the local context.
- If it is, the system attempts to authenticate the administrative user in the local context. If it is not, proceed to item 2 in this table.
- If the administrative user's username is configured, authentication is performed by using the AAA configuration within the local context. If not, proceed to item 2 in this table.

Item 2: If local authentication is disabled on the system or if the administrative user's username is not configured in the local context, the system determines whether a domain was received as part of the username.
- If there is a domain and it matches the name of a configured context or domain, the system uses the AAA configuration within that context.
- If there is a domain and it does not match the name of a configured context or domain, go to item 4 in this table.
- If there is no domain as part of the username, go to item 3 in this table.

Item 3: If there was no domain specified in the username or the domain is not recognized, the system determines whether an AAA Administrator Default Domain is configured.
- If the default domain is configured and it matches a configured context, the AAA configuration within the AAA Administrator Default Domain context is used.
- If the default domain is not configured or does not match a configured context or domain, go to item 4 in this table.

Item 4: If a domain was specified as part of the username but it did not match a configured context, or if a domain was not specified as part of the username, the system determines whether the AAA Administrator Last Resort context parameter is configured.
- If a last resort context is configured and it matches a configured context, the AAA configuration within that context is used.
- If a last resort context is not configured or does not match a configured context or domain, the AAA configuration within the local context is used.
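The selection procedure in Table 1, written out as an added Python model (not code from the StarOS documentation or product) so the four decision points can be traced for a given login string. The configuration object and its field names are assumptions for illustration, not StarOS CLI keywords; an unrecognized domain is routed straight to item 4, as item 2 states.

```python
from dataclasses import dataclass
from typing import Optional, Set


# Constructed model of the AAA settings that Table 1 consults.
# Field names are illustrative, not StarOS CLI keywords.
@dataclass
class AdminAAAConfig:
    local_auth_enabled: bool                   # item 1: local authentication on/off
    local_users: Set[str]                      # item 1: admin users configured in the local context
    contexts: Set[str]                         # items 2-4: names of configured contexts
    default_domain: Optional[str] = None       # item 3: AAA Administrator Default Domain
    last_resort_context: Optional[str] = None  # item 4: AAA Administrator Last Resort context


def _last_resort(cfg: AdminAAAConfig) -> str:
    """Item 4: the last resort context if configured and known, otherwise local."""
    if cfg.last_resort_context and cfg.last_resort_context in cfg.contexts:
        return cfg.last_resort_context
    return "local"


def select_aaa_context(cfg: AdminAAAConfig, login: str) -> str:
    """Return the name of the context whose AAA configuration authenticates `login`.

    `login` is the username as received, e.g. "operator@ingress"; the text after
    the first '@' is treated as the domain.
    """
    username, _, domain = login.partition("@")

    # Item 1: local authentication is enabled and the user exists in the local context.
    if cfg.local_auth_enabled and username in cfg.local_users:
        return "local"

    # Item 2: a domain was supplied with the username.
    if domain:
        if domain in cfg.contexts:
            return domain
        return _last_resort(cfg)  # unknown domain: Table 1 says go to item 4

    # Item 3: no domain, so try the AAA Administrator Default Domain.
    if cfg.default_domain and cfg.default_domain in cfg.contexts:
        return cfg.default_domain

    # Item 4: fall through to the last resort context, then to local.
    return _last_resort(cfg)
```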
In Release 21.4 and higher (Trusted builds only):
- Users can only access the system through their respective context interface.
- If the user attempts to log in to their respective context through a different context interface, that user will be rejected.
- Irrespective of whether the users are configured in any context with 'authorized-keys' or 'allowusers', with this feature these users will be rejected if they attempt to log in via any context interface other than their own.
- Users configured in any non-local context are required to specify which context they are trying to log in to. For example:
  ssh username@ctx_name@ctx_ip_addrs