UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The CA API Gateway must employ RADIUS + LDAPS or LDAPS to centrally manage authentication settings.


Overview

Finding ID Version Rule ID IA Controls Severity
V-71521 CAGW-DM-000110 SV-86145r1_rule Medium
Description
The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion. Use of RADIUS + LDAPS or LDAPS for authentication and authorization provides the Gateway with an ability to authenticate credentials against a centralized and secured identity management system. This allows permissions for administration of the Gateway to be governed independently of the Gateway.
STIG Date
CA API Gateway NDM Security Technical Implementation Guide 2016-09-20

Details

Check Text ( C-71893r1_chk )
Review the CA API Gateway configuration to determine if RADIUS + LDAPS or LDAPS is employed to centrally manage authentication settings.

- SSH to SSG as a member of ssgconfig.
- Select: 1) Configure system settings, 6) Export configuration.
- Export configuration to "file".
- Go back to main menu, select 3) Use a privileged shell (root).
- Navigate to /home/ssgconfig, open "file".
- Check "authenticationType".

If "authenticationType" is not RADIUS_WITH_LDAP or RADIUS_WITH_LDAPS, this is a finding.
Fix Text (F-77841r2_fix)
Configure the CA API Gateway to employ RADIUS + LDAPS or LDAPS to centrally manage authentication settings.

Prerequisites:

- RADIUS server (for the RADIUS+LDAPS configuration)
- LDAPS server with posixAccount objects for user logins
- LDAPS server CA certificate available via HTTP at a specific URL
- LDAP account for the SSG to bind and lookup info
- posixUser object within LDAP contain object (OU)
- All SSG LDAP posixAccount objects are filtered either by a fixed gidNumber or by membership in an LDAP group containing a sequence of memberUid attributes, one for each user.

Configure SSG to use LDAPS.

- SSH to SSG as a member of ssgconfig
- Select: 1) Configure system settings, 4) Configure authentication method.
- Select: 2) ldap.
- Walk through configuration steps, providing requisite information ensuring:
- Select LDAPS (secure) "y".
- Select the appropriate TLS port (636 is the default).
- Disable anonymous bind.
- Specify the URL containing the PEM of the CA certificate to download.
- Specify that the SSG LDAP client "demand" the server's certificate.
- Set the user filter to use either a specific gidNumber or a group DN.
- Set the posixAccount attribute to use as login name (uid).

Confirmation configuration should be approximately:

Authentication Type: LDAP_ONLY

Label | Value
---------------------------------------------------------------------------------------------
Secure | true
ActiveDirectory | false
Server | smldap.l7tech.com
BaseDn | dc=l7tech,dc=com
Port | 636
AnonymousBind | false
BindDn | cn=Manager,dc=l7tech,dc=com
BindPassword |
Object for finding the password for users | ou=posixAccounts
Object class name of users in the LDAP | posixAccount
Server CaCert File | /etc/openldap/cacerts/ldapcacert
Certificate Action | DEMAND
GroupDn | cn=ssgconfig_ldap,ou=posixGroups,dc=l7tech,dc=com
PAM login attribute | uid

Finally, apply configuration and restart the SSG.

Configure SSG to use RADIUS+LDAPS.

- SSH to SSG as ssgconfig.
- Select: 1) Configure system settings, 4) Configure authentication method.
- Select: 4) ldap_radius.
- Walk through configuration steps, providing requisite information ensuring:
- Enter the RADIUS server's address and secret.
- Complete the LDAP questions as for the LDAPS only case (above).

Confirmation configuration should be approximately:

Authentication Type: RADIUS_WITH_LDAP

Label | Value
-------------------------------
Server | freerad217.l7tech.com
Secret |
Timeout | 3

Label | Value
---------------------------------------------------------------------------------------------
Secure | true
ActiveDirectory | false
Server | smldap.l7tech.com
BaseDn | dc=l7tech,dc=com
Port | 636
AnonymousBind | false
BindDn | cn=Manager,dc=l7tech,dc=com
BindPassword |
Object for finding the password for users | ou=posixAccounts
Object class name of users in the LDAP | posixAccount
Server CaCert Url | http://localhost:8080/cert
Certificate Action | DEMAND
GroupDn | cn=ssgconfig_ldap,ou=posixGroups,dc=l7tech,dc=com
PAM login attribute | uid