Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-239940 | CASA-ND-001310 | SV-239940r877988_rule | High |
Description |
---|
Centralized management of authentication settings increases the security of remote and non-local access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device. |
STIG | Date |
---|---|
Cisco ASA NDM Security Technical Implementation Guide | 2022-11-21 |
Check Text ( C-43173r666181_chk ) |
---|
Review the Cisco ASA configuration to verify the device is configured to use an authentication server as primary source for authentication. Step 1: Verify that an AAA group is configured for login authentication for both in-band and console access methods. aaa authentication serial console RADIUS_GROUP LOCAL aaa authentication ssh console RADIUS_GROUP LOCAL Step 2: Verify that an AAA group and server has been defined for the group referenced in the above example. aaa-server RADIUS_GROUP protocol radius aaa-server RADIUS_GROUP (NDM_INTERFACE) host 10.1.48.10 key ***** If the Cisco ASA is not configured to use an authentication server for the purpose of authenticating users prior to granting administrative access, this is a finding. |
Fix Text (F-43132r666182_fix) |
---|
Configure the Cisco ASA to use an authentication server as shown in the following example. Step 1: Define the authentication group and protocol. ASA(config)# aaa-server RADIUS_GROUP protocol radius Step 2: Define the authentication server. ASA(config)# aaa-server RADIUS_GROUP (NDM_INTERFACE) host 10.1.48.10 ASA(config-aaa-server-host)# key bobby ASA(config-aaa-server-host)# exit Step 3: Use the AAA server for login authentication for both in-band and console access methods. ASA(config)# aaa authentication serial console RADIUS_GROUP LOCAL ASA(config)# aaa authentication ssh console RADIUS_GROUP LOCAL ASA(config)# end |