The A10 Networks ADC must employ centrally managed authentication server(s).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-68103	AADC-NM-000137	SV-82593r1_rule		Medium

Description
The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion. You can configure the device to use remote servers for Authentication, Authorization, and Accounting (AAA) for administrative sessions. The device supports RADIUS, TACACS+, and LDAP servers.

Description

The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion. You can configure the device to use remote servers for Authentication, Authorization, and Accounting (AAA) for administrative sessions. The device supports RADIUS, TACACS+, and LDAP servers.

STIG	Date
A10 Networks ADC NDM Security Technical Implementation Guide	2016-04-15

Details

Check Text ( C-68663r1_chk )
Review the device configuration. Since the device supports RADIUS, TACACS+, and LDAP, one of these must be configured. The following is a sample verification for TACACS+. The following command shows the parts of the configuration with the word "tacplus": show run \| inc tacplus If the output is blank, this is a finding. The following command shows information for all configured TACACS servers: show tacacs-server If no servers are configured, this is a finding.

Check Text ( C-68663r1_chk )

Review the device configuration.

Since the device supports RADIUS, TACACS+, and LDAP, one of these must be configured. The following is a sample verification for TACACS+.

The following command shows the parts of the configuration with the word "tacplus":
show run | inc tacplus

If the output is blank, this is a finding.

The following command shows information for all configured TACACS servers:
show tacacs-server

If no servers are configured, this is a finding.

Fix Text (F-74217r1_fix)
Since the device supports RADIUS, TACACS+, and LDAP, one of these must be configured. The following is a sample configuration for TACACS+. The following command sets the authentication method to TACACS+ for administrative access to the device: authentication type tacplus The local database (local option) must be included as one of the authentication sources, regardless of the order in which the sources are used. Authentication using only a remote server is not supported. The following command configures the device to use a TACACS+ server: tacacs-server host [hostname \| ipaddr] secret [secret-string] "hostname \| ipaddr" is the hostname or IP address of the TACACS+ server. "secret-string" is the secret key to authenticate the switch to the TACACS+ server. Up to two TACACS+ servers can be configured. The secondary server is used only if the primary server does not respond. The servers are used in the order in which you add them to the configuration. Use a separate command for each of the servers.

Fix Text (F-74217r1_fix)

Since the device supports RADIUS, TACACS+, and LDAP, one of these must be configured. The following is a sample configuration for TACACS+.

The following command sets the authentication method to TACACS+ for administrative access to the device:
authentication type tacplus

The local database (local option) must be included as one of the authentication sources, regardless of the order in which the sources are used. Authentication using only a remote server is not supported.

The following command configures the device to use a TACACS+ server:
tacacs-server host [hostname | ipaddr] secret [secret-string]
"hostname | ipaddr" is the hostname or IP address of the TACACS+ server.
"secret-string" is the secret key to authenticate the switch to the TACACS+ server.

Up to two TACACS+ servers can be configured. The secondary server is used only if the primary server does not respond. The servers are used in the order in which you add them to the configuration. Use a separate command for each of the servers.