UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Juniper router must be configured to be compliant with at least one IETF Internet standard authentication protocol.


Overview

Finding ID Version Rule ID IA Controls Severity
V-91147 JUNI-ND-000890 SV-101247r1_rule Medium
Description
Protecting access authorization information (i.e., access control decisions) ensures that authorization information cannot be altered, spoofed, or otherwise compromised during transmission. In distributed information systems, authorization processes and access control decisions may occur in separate parts of the systems. In such instances, authorization information is transmitted securely so timely access control decisions can be enforced at the appropriate locations. To support the access control decisions, it may be necessary to transmit, as part of the access authorization information, supporting security attributes. This is because, in distributed information systems, there are various access control decisions that need to be made, and different entities (e.g., services) make these decisions in a serial fashion, each requiring some security attributes to make the decisions. The network device must be compliant with at least one IETF standard authentication protocol such as Remote Authentication Dial-In User Service (RADIUS), Extensible Authentication Protocol (EAP), Lightweight Directory Access Protocol (LDAP), and Terminal Access Controller Access-Control System Plus (TACACS+). Protocols that are clearly defined in IETF RFC Internet standards (a.k.a. full standards), and are capable of securely conveying authorization information, are suitable for use.
STIG Date
Juniper Router NDM Security Technical Implementation Guide 2018-11-14

Details

Check Text ( C-90301r2_chk )
Review the router configuration to verify that the device is configured to use an authentication server as primary source for authentication as shown in the following example:

system {
authentication-order radius;
}
radius-server {
10.1.58.2 secret "$8$xYW-dsq.5zF/wYnC"; ## SECRET-DATA
}

or

system {
authentication-order [tacplus password ];
root-authentication {
encrypted-password "$1$4Ou0B0Nk$IXPAsRmgLqLM./.I1XUuh1"; ## SECRET-DATA
}
tacplus-server {
10.1.58.2 secret "$8$emHMWxZGiq.5X7PQ"; ## SECRET-DATA
}

If the router is not configured to use an authentication server as primary source for authentication, this is a finding.
Fix Text (F-97345r2_fix)
Step 1: Configure the router to use an authentication server as shown in the following examples:

[edit system]
set radius-server 10.1.58.2 secret xxxxxxxxx

or

set tacplus-server 10.1.58.2 secret xxxxxxxxx


Step 2: Configure the authentication order to use the authentication server as primary source for authentication as shown in the following examples:

set authentication-order radius

or

set authentication-order tacplus

Note: If there is no response from the authentication server, JUNOS will authenticate using a local account as last resort. It is recommended to not configure password at the end of the authentication order, as JUNOS will attempt to authenticate using a local account upon a rejection from the authentication server.