The Cisco router must be configured to be compliant with at least one IETF Internet standard authentication protocol.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-96437	CISC-ND-000900	SV-105575r1_rule		Medium

Description
Protecting access authorization information (i.e., access control decisions) ensures that authorization information cannot be altered, spoofed, or otherwise compromised during transmission. In distributed information systems, authorization processes and access control decisions may occur in separate parts of the systems. In such instances, authorization information is transmitted securely so timely access control decisions can be enforced at the appropriate locations. To support the access control decisions, it may be necessary to transmit, as part of the access authorization information, supporting security attributes. This is because, in distributed information systems, there are various access control decisions that need to be made, and different entities (e.g., services) make these decisions in a serial fashion, each requiring some security attributes to make the decisions. The network device must be compliant with at least one IETF standard authentication protocol such as Remote Authentication Dial-In User Service (RADIUS), Extensible Authentication Protocol (EAP), Lightweight Directory Access Protocol (LDAP), and Terminal Access Controller Access-Control System Plus (TACACS+). Protocols that are clearly defined in IETF RFC Internet standards (a.k.a. full standards), and are capable of securely conveying authorization information, are suitable for use.

Description

Protecting access authorization information (i.e., access control decisions) ensures that authorization information cannot be altered, spoofed, or otherwise compromised during transmission. In distributed information systems, authorization processes and access control decisions may occur in separate parts of the systems. In such instances, authorization information is transmitted securely so timely access control decisions can be enforced at the appropriate locations. To support the access control decisions, it may be necessary to transmit, as part of the access authorization information, supporting security attributes. This is because, in distributed information systems, there are various access control decisions that need to be made, and different entities (e.g., services) make these decisions in a serial fashion, each requiring some security attributes to make the decisions. The network device must be compliant with at least one IETF standard authentication protocol such as Remote Authentication Dial-In User Service (RADIUS), Extensible Authentication Protocol (EAP), Lightweight Directory Access Protocol (LDAP), and Terminal Access Controller Access-Control System Plus (TACACS+). Protocols that are clearly defined in IETF RFC Internet standards (a.k.a. full standards), and are capable of securely conveying authorization information, are suitable for use.

STIG	Date
Cisco IOS XR Router NDM Security Technical Implementation Guide	2019-07-26

Details

Check Text ( C-95273r1_chk )
Review the Cisco router configuration to verify that the device is configured to use an authentication server as primary source for authentication as shown in the following example: radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 070D2E4E4C10 … … … aaa authentication login LOGIN_AUTHENTICATION group radius local line console login authentication LOGIN_AUTHENTICATION ! line default login authentication LOGIN_AUTHENTICATION transport input ssh If the Cisco router is not configured to use an authentication server as primary source for authentication, this is a finding.

Check Text ( C-95273r1_chk )

Review the Cisco router configuration to verify that the device is configured to use an authentication server as primary source for authentication as shown in the following example:

radius-server host x.x.x.x auth-port 1645 acct-port 1646
key 7 070D2E4E4C10
…
…
…
aaa authentication login LOGIN_AUTHENTICATION group radius local
line console
login authentication LOGIN_AUTHENTICATION
!
line default
login authentication LOGIN_AUTHENTICATION
transport input ssh

If the Cisco router is not configured to use an authentication server as primary source for authentication, this is a finding.

Fix Text (F-102113r2_fix)
Step 1: Configure the router to use an authentication server as shown in the following example: RP/0/0/CPU0:R3(config)#radius-server host x.x.x.x key xxxxxxxx Step 2: Configure the authentication order to use the authentication server as primary source for authentication as shown in the following example: RP/0/0/CPU0:R3(config)#aaa authentication login LOGIN_AUTHENTICATION group radius local Step 3: Configure all network connections associated with a device management to use an authentication server for the purpose of login authentication as shown in the following example: RP/0/0/CPU0:R3(config)#line default RP/0/0/CPU0:R3(config-line)#login authentication LOGIN_AUTHENTICATION RP/0/0/CPU0:R3(config-line)#exit RP/0/0/CPU0:R3(config)#line console RP/0/0/CPU0:R3(config-line)#login authentication LOGIN_AUTHENTICATION

Fix Text (F-102113r2_fix)

Step 1: Configure the router to use an authentication server as shown in the following example:

RP/0/0/CPU0:R3(config)#radius-server host x.x.x.x key xxxxxxxx

Step 2: Configure the authentication order to use the authentication server as primary source for authentication as shown in the following example:

RP/0/0/CPU0:R3(config)#aaa authentication login LOGIN_AUTHENTICATION group radius local

Step 3: Configure all network connections associated with a device management to use an authentication server for the purpose of login authentication as shown in the following example:

RP/0/0/CPU0:R3(config)#line default
RP/0/0/CPU0:R3(config-line)#login authentication LOGIN_AUTHENTICATION
RP/0/0/CPU0:R3(config-line)#exit
RP/0/0/CPU0:R3(config)#line console
RP/0/0/CPU0:R3(config-line)#login authentication LOGIN_AUTHENTICATION