Administrative accounts for device management must be configured on the authentication server and not the Cisco IOS XE router itself (except for the emergency administration account).
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-74079 | CISR-ND-000134 | SV-88753r2_rule | Medium |
| Description |
|---|
| The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion. Administrative accounts for network device management must be configured on the authentication server and not the network device itself. The only exception is for the emergency administration account (also known as the account of last resort), which is configured locally on each device. Note that more than one emergency administration account may be permitted if approved. |
| STIG | Date |
|---|---|
| Cisco IOS XE Release 3 NDM Security Technical Implementation Guide | 2018-12-20 |
Details
| Check Text ( C-74171r3_chk ) |
|---|
| Verify that administrative accounts are configured on the authentication server. The configuration should look similar to the example below: aaa authentication login default radius radius server RADIUS1 address ipv4 1.1.1.1 key If administrative accounts are not configured on the authentication server, this is a finding. |
| Fix Text (F-80619r3_fix) |
|---|
| Configure the Cisco IOS XE router to use multiple authentication servers. The configuration should look similar to the example below: aaa authentication login default radius radius server RADIUS1 address ipv4 1.1.1.1 key |