The Cisco IOS XE router must have a single local account that will only be used as an account of last resort with full access to the network device.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-74009 | CISR-ND-000049 | SV-88683r2_rule | High |
| Description |
|---|
| Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device's local database for use in an emergency, such as when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is also referred to as the account of last resort since the emergency administration account is strictly intended to be used only as a last resort and immediate administrative access is absolutely necessary. The number of emergency administration accounts is restricted to at least one, but no more than operationally required as determined by the ISSO. The emergency administration account logon credentials must be stored in a sealed envelope and kept in a safe. |
| STIG | Date |
|---|---|
| Cisco IOS XE Release 3 NDM Security Technical Implementation Guide | 2018-12-20 |
Details
| Check Text ( C-74095r3_chk ) |
|---|
| Verify that there is one local account configured on the Cisco IOS XE router. The configuration should look similar to the example below: username If there is not a local account configured, this is a finding. If there is more than one local account configured, this is a finding. |
| Fix Text (F-80551r3_fix) |
|---|
| If there is more than one local account, delete the additional account by using the NO form of the username command. If there is no local account, create one using the following username command: |