UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The communications server is not configured to require AAA authentication for PPP connections using a RADIUS or TACACS+ authentication server in conjunction with 2-factor authentication.


Overview

Finding ID Version Rule ID IA Controls Severity
V-17841 NET1616 SV-19116r1_rule EBRP-1 Low
Description
A communications server (aka terminal server) can be used to provide interconnectivity between all managed network elements and the OOBM gateway router for administrative access to the device’s console port. In the event the OOBM network is not able to provide connectivity due to an outage, the communications server can provide a dial-up PPP connection to access a network element. The auxiliary port, consol port, as well as any slow-speed async serial port with an analog modem connected to the managed device also provides the capability for direct dial-up administrative access for infrastructures that do not have a communications server for management access.
STIG Date
Network Devices Security Technical Implementation Guide 2017-12-07

Details

Check Text ( C-19325r1_chk )
Review the communications server configuration and verify that PPP connections require AAA authentication using a RADIUS or TACACS+ authentication server.

aaa new-model
aaa authentication ppp list-name tacacs+ local
..
tacacs-server host 200.200.2.2
tacacs-server host 300.300.3.3

Upon verifying that an AAA server is used for authenticating dial-up connections to the communications server, review the AAA server to ensure two-factor is used.
Fix Text (F-17768r1_fix)
Configure the communications server to use an AAA server to authenticate all administrators authorized for dial-up access using 2-factor authentication.