The Juniper SRX Services Gateway must specify the order in which authentication servers are used.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-229026	JUSX-DM-000098	SV-229026r518256_rule		Low

Description
Specifying an authentication order implements an authentication, authorization, and accounting methods list to be used, thus allowing the implementation of redundant or backup AAA servers. These commands also ensure that a default method or order will not be used by the device (e.g., local passwords). The Juniper SRX must specify the order in which authentication is attempted by including the authentication-order statement in the authentication server configuration. Remote logon using password results in a CAT 1 finding (CCI-000765) for failure to use two-factor authentication. Thus, if the account of last resort uses only password authentication, this configuration prevents remote access. DoD policy is that redundant AAA servers are required to mitigate the risk of a failure of the primary AAA device.

Description

Specifying an authentication order implements an authentication, authorization, and accounting methods list to be used, thus allowing the implementation of redundant or backup AAA servers. These commands also ensure that a default method or order will not be used by the device (e.g., local passwords). The Juniper SRX must specify the order in which authentication is attempted by including the authentication-order statement in the authentication server configuration. Remote logon using password results in a CAT 1 finding (CCI-000765) for failure to use two-factor authentication. Thus, if the account of last resort uses only password authentication, this configuration prevents remote access. DoD policy is that redundant AAA servers are required to mitigate the risk of a failure of the primary AAA device.

STIG	Date
Juniper SRX SG NDM Security Technical Implementation Guide	2021-03-25

Details

Check Text ( C-31341r518254_chk )
Verify a RADIUS or TACACS+ server order has been configured. From operational mode enter the command: show system authentication-order If the authentication-order for either or both RADIUS or TACACS+ server order has not been configured, this is a finding. If the authentication-order includes the password method, this is a finding.

Fix Text (F-31318r518255_fix)
Add an external RADIUS or TACACS+ server, and specify the port number and shared secret of the server. Remote logon using password results in a CAT 1 finding (CCI-000765) for failure to use two-factor authentication. Thus, if the account of last resort uses only password authentication, this configuration prevents remote access. DoD policy is that redundant AAA servers are required to mitigate the risk of a failure of the primary AAA device. [edit] set system authentication-order tacplus or [edit] set system authentication-order radius From operational mode enter the command: show system authentication-order If password is set as an option, remove this command from the configuration. [edit] delete system authentication-order password

Fix Text (F-31318r518255_fix)

Add an external RADIUS or TACACS+ server, and specify the port number and shared secret of the server. Remote logon using password results in a CAT 1 finding (CCI-000765) for failure to use two-factor authentication. Thus, if the account of last resort uses only password authentication, this configuration prevents remote access. DoD policy is that redundant AAA servers are required to mitigate the risk of a failure of the primary AAA device.

[edit]
set system authentication-order tacplus

or

[edit]
set system authentication-order radius

From operational mode enter the command:
show system authentication-order

If password is set as an option, remove this command from the configuration.
[edit]
delete system authentication-order password