
The IDPS must be configured to work with an authentication server to enforce the assigned privilege and authorization level for each administrator.


Overview

Finding ID:  SRG-NET-000015-IDPS-000040
Version:     SRG-NET-000015-IDPS-000040
Rule ID:     SRG-NET-000015-IDPS-000040_rule
IA Controls:
Severity:    Medium
Description
The use of authentication, authorization, and accounting (AAA) affords the best methods for controlling user access, authorization levels, and activity logging. Privilege levels, as well as which commands each administrator is authorized to use based on privilege level or account group membership, must be controlled and assigned accordingly. By using the IDPS in conjunction with an authentication server, administrators can easily add, modify, or delete accounts as well as add or remove command authorizations and privilege levels. The use of an authentication server provides the capability to assign network administrators and engineers to tiered groups that carry their associated or required privilege level. By configuring the IDPS to collaborate with an authentication server, it can enforce the appropriate authorization for each administrator. Additionally, separation of services provides added assurance to the network if the access control server is compromised. This requirement does not apply to local emergency accounts, which should be used sparingly. If management of authorizations and privileges is not centralized, it will be difficult to track and manage user authorizations and privileges, and there is an increased risk of misconfiguration.
STIG: IDPS Security Requirements Guide (SRG)
Date: 2012-03-08

Details

Check Text ( C-43158_chk )
This requirement does not apply to emergency accounts defined directly on the devices. These accounts must be used sparingly.
Verify the primary method of user login is an authentication server by viewing the account configuration screen.
Verify an AAA server is configured and that users are defined on the AAA server.

If accounts are not defined, controlled, and assigned authorizations primarily on the AAA server, this is a finding.
Fix Text (F-43158_fix)
Configure the IDPS to use a TACACS+, RADIUS, or Diameter server for administrative access to the IDPS devices.
Special IDPS privileges and authorizations must either be configured on the AAA server or synchronized once configured on the IDPS.
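As an added illustration that is not part of the SRG, the following Python encodes the check and fix criteria above as an evaluator over a constructed, vendor-neutral model of an IDPS login configuration; the field names, protocol strings and sample host address are assumptions, not taken from any product.

```python
"""Evaluate an IDPS management-plane configuration against
SRG-NET-000015-IDPS-000040: administrators authenticate and are authorized
through an external AAA server; locally defined accounts are acceptable only
as sparingly used emergency accounts. Constructed example, not vendor code."""
from __future__ import annotations
from dataclasses import dataclass, field

AAA_PROTOCOLS = {"tacacs+", "radius", "diameter"}  # the servers named in the fix text


@dataclass
class LocalAccount:
    name: str
    privilege: str            # e.g. "admin", "operator" (assumed labels)
    emergency: bool = False   # break-glass account exempt from the requirement


@dataclass
class IdpsAuthConfig:
    login_methods: list[str]                 # ordered; index 0 is the primary method
    aaa_servers: list[tuple[str, str]] = field(default_factory=list)  # (protocol, host)
    local_accounts: list[LocalAccount] = field(default_factory=list)
    authorization_source: str = "aaa"        # where privileges are assigned: "aaa" or "local"


def evaluate(cfg: IdpsAuthConfig) -> list[str]:
    """Return the list of reasons this is a finding; an empty list means compliant."""
    findings: list[str] = []
    if not [h for p, h in cfg.aaa_servers if p.lower() in AAA_PROTOCOLS]:
        findings.append("no TACACS+, RADIUS or Diameter server is configured")
    primary = cfg.login_methods[0].lower() if cfg.login_methods else None
    if primary not in AAA_PROTOCOLS:
        findings.append(f"primary login method is {primary!r}, not an AAA server")
    if cfg.authorization_source.lower() != "aaa":
        findings.append("privileges and command authorizations are assigned locally, not on the AAA server")
    # Any non-emergency account defined on the device is an account not controlled by the AAA server.
    for acct in cfg.local_accounts:
        if not acct.emergency:
            findings.append(f"local account {acct.name!r} ({acct.privilege}) is not an emergency account")
    return findings


if __name__ == "__main__":
    # Constructed sample: TACACS+ primary, local fallback holding only a break-glass account.
    sample = IdpsAuthConfig(
        login_methods=["tacacs+", "local"],
        aaa_servers=[("TACACS+", "10.0.0.5")],
        local_accounts=[LocalAccount("breakglass", "admin", emergency=True)],
    )
    print("compliant" if not evaluate(sample) else evaluate(sample))
```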