UCF STIG Viewer Logo

The Cisco ISE must change the password for the local CLI and web-based account when members who have access to the password leave the role and are no longer authorized access.


Overview

Finding ID Version Rule ID IA Controls Severity
V-242608 CSCO-NM-000020 SV-242608r851052_rule Medium
Description
If shared/group account credentials are not terminated when individuals leave the group, the user that left the group can still gain access even though they are no longer authorized. There may also be instances when specific user actions need to be performed on the network device without unique administrator identification or authentication. A shared/group account credential is a shared form of authentication that allows multiple individuals to access the network device using a single account. Cisco ISE introduces a Generate Password option on the user and administrator creation page to generate instant password adhering to Cisco ISE password policies. This helps the users or administrators to use the password generated by Cisco ISE than spending time in thinking of a safe password to be configured.
STIG Date
Cisco ISE NDM Security Technical Implementation Guide 2022-09-20

Details

Check Text ( C-45883r714132_chk )
Verify by viewing site SSP to view that there is a procedure that requires password change with administrators leave the group.

If Cisco ISE does not change the password for the local CLI and web-based account when members who have access to the password leave the role and are no longer authorized access, this is a finding.
Fix Text (F-45840r714133_fix)
Generate Automatic Password for Users and Administrators (or generate using other encryption method).

Navigate to Administrators—Administration >> System >> Admin Access >> Administrators >> Admin Users.

Select the CLI and the web Admin users and select the option to generate the password.

Document the generated password and secure it for emergency use as an Account of Last Resort. Do not share with other Admins unless necessary.