Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-96381 | CISC-ND-000150 | SV-105519r1_rule | Medium |
Description |
---|
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. |
STIG | Date |
---|---|
Cisco IOS XR Router NDM Security Technical Implementation Guide | 2020-06-04 |
Check Text ( C-95217r1_chk ) |
---|
The Cisco router is not compliant with this requirement. However, the risk associated with this requirement can be fully mitigated if the router is configured to utilize an authentication server to authenticate and authorize users for administrative access. Review the router configuration to verify that the device is configured to use an authentication server as primary source for authentication as shown in the following example: radius-server host 10.1.3.16 auth-port 1645 acct-port 1646 key xxxxxxxxxx … … … aaa authentication login LOGIN_AUTHENTICATION group radius local line console login authentication LOGIN_AUTHENTICATION ! line default login authentication LOGIN_AUTHENTICATION transport input ssh If the router is not configured to use an authentication server to authenticate and authorize users for administrative access, this is a finding. |
Fix Text (F-102057r2_fix) |
---|
Step 1: Configure the router to use an authentication server as shown in the following example: RP/0/0/CPU0:R3(config)#radius-server host 10.1.3.16 key xxxxxxxx Step 2: Configure the authentication order to use the authentication server as primary source for authentication as shown in the following example: RP/0/0/CPU0:R3(config)#aaa authentication login LOGIN_AUTHENTICATION group radius local Step 3: Configure all network connections associated with a device management to use an authentication server for the purpose of login authentication as shown in the following example: RP/0/0/CPU0:R3(config)#line default RP/0/0/CPU0:R3(config-line)#login authentication LOGIN_AUTHENTICATION RP/0/0/CPU0:R3(config-line)#exit RP/0/0/CPU0:R3(config)#line console RP/0/0/CPU0:R3(config-line)#login authentication LOGIN_AUTHENTICATION |