How The System Selects Contexts - Cisco ASR 5500 Administration Manual

ASR 5500 System Administration Guide, StarOS Release 19

named default which is created automatically by the system for each system context. When configuring local profile attributes, the changes are made on a subscriber-by-subscriber basis.

Important: Attributes configured for local subscribers take precedence over context-level parameters. However, they could be over-ridden by attributes returned from a RADIUS AAA server.

• Management Subscribers: A management user is an authorized user who can monitor, control, and configure the system through the CLI or Web Element Manager application. Management is performed either locally, through the system Console port, or remotely through the use of the Telnet or secure shell (SSH) protocols. Management users are typically configured as a local subscriber within the Local context, which is used exclusively for system management and administration. As with a local subscriber, a management subscriber's user profile is configured within the context where the subscriber was created (in this case, the Local context). However, management subscribers may also be authenticated remotely via RADIUS, if an AAA configuration exists within the local context, or TACACS+.

How the System Selects Contexts

This section describes the process that determines which context to use for context-level administrative users or subscriber sessions. Understanding this process allows you to better plan your configuration in terms of how many contexts and interfaces you need to configure.

Context Selection for Context-level Administrative User Sessions

The system comes configured with a context called local that you use specifically for management purposes. The context selection process for context-level administrative users (those configured within a context) is simplified because the management ports on the MIO are associated only with the Local context. Therefore, the source and destination contexts for a context-level administrative user responsible for managing the entire system should always be the local context.

A context-level administrative user can also connect through other interfaces on the system and still have full system management privileges.

A context-level administrative user can be created in a non-local context. These management accounts have privileges only in the context in which they are created. This type of management account can connect directly to a port in the context in which they belong, if local connectivity is enabled (SSHD, for example) in that context.

For all FTP or SFTP connections, you must connect through an MIO management interface. If you SFTP or FTP as a non-local context account, you must use the username syntax of username@contextname.

The context selection process becomes more involved if you are configuring the system to provide local authentication or work with a AAA server to authenticate the context-level administrative user.

The system gives you the flexibility to configure context-level administrative users locally (meaning that their profile will be configured and stored in its own memory), or remotely on an AAA server. If a locally-configured user attempts to log onto the system, the system performs the authentication. If you have configured the user profile on an AAA server, the system must determine how to contact the AAA server to perform authentication. It does this by determining the AAA context for the session.
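Added example (not from the Cisco guide and not StarOS code): a Python check of FTP/SFTP session records against the login rules given under "Context Selection for Context-level Administrative User Sessions". The interface label, the account inventory, the session records, and the reading that a bare username means the local context are assumptions made for illustration.

```python
LOCAL_CONTEXT = "local"   # management context named in the guide
MIO_MGMT = "mio-mgmt"     # hypothetical label for an MIO management interface


def parse_login(login):
    """Split 'username@contextname'. A bare username is taken to mean the
    local context (assumption: the guide requires the suffix only for
    non-local context accounts)."""
    user, sep, ctx = login.rpartition("@")
    if not sep:
        return login, LOCAL_CONTEXT
    if not user or not ctx:
        raise ValueError(f"malformed login {login!r}")
    return user, ctx


def audit_transfer(login, ingress, admins):
    """Check one FTP/SFTP session record against the documented rules.

    admins maps context name -> set of context-level administrative users.
    Returns (context, scope, findings); scope is what the named context
    would grant, and an empty findings list means the record is consistent."""
    findings = []
    if ingress != MIO_MGMT:
        findings.append("FTP/SFTP must connect through an MIO management interface")
    try:
        user, ctx = parse_login(login)
    except ValueError as exc:
        return None, None, findings + [str(exc)]
    if user not in admins.get(ctx, set()):
        homes = sorted(c for c, users in admins.items() if user in users)
        if homes:
            expected = user if homes[0] == LOCAL_CONTEXT else f"{user}@{homes[0]}"
            findings.append(f"{user!r} is not in {ctx!r}; expected login {expected}")
        else:
            findings.append(f"no administrative user {user!r} in context {ctx!r}")
    # Local-context administrators manage the whole system; others only their context.
    scope = "system" if ctx == LOCAL_CONTEXT else f"context:{ctx}"
    return ctx, scope, findings


# Constructed inventory and session records, for illustration only.
ADMINS = {"local": {"admin"}, "ingress": {"ops1"}}
SESSIONS = [("admin", MIO_MGMT), ("ops1@ingress", MIO_MGMT), ("ops1", MIO_MGMT),
            ("ops1@ingress", "ingress-port"), ("@ingress", MIO_MGMT)]

if __name__ == "__main__":
    for login, ingress in SESSIONS:
        print(login, ingress, audit_transfer(login, ingress, ADMINS))
```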
System Operation and Configuration
