UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The communications server is not configured accept a callback request or in a secured mode so that it will not callback an unauthorized user.


Overview

Finding ID Version Rule ID IA Controls Severity
V-17842 NET1617 SV-19117r1_rule EBRP-1 Low
Description
A communications server (aka terminal server) can be used to provide interconnectivity between all managed network elements and the OOBM gateway router for administrative access to the device’s console port. In the event the OOBM network is not able to provide connectivity due to an outage, the communications server can provide a dial-up PPP connection to access a network element. The auxiliary port, consol port, as well as any slow-speed async serial port with an analog modem connected to the managed device also provides the capability for direct dial-up administrative access for infrastructures that do not have a communications server for management access.
STIG Date
Network Devices Security Technical Implementation Guide 2018-11-27

Details

Check Text ( C-19326r1_chk )
Review the configuration of the communications server. The following example configuration would enable a secured call back on a Cisco network access server:

interface s0/1
physical-layer async
ip address 192.168.8.1 255.255.255.252
encapsulation ppp
async mode dedicated
ppp authentication chap
ppp callback accept
dialer callback-secure
dialer map ip 192.168.8.2 name Dean class dial-back-admin 1112223333
dialer map ip 192.168.8.3 name Dana class dial-back-admin 1113334444
!
map-class dialer dial-back-admin
dialer callback-server username
dialer hold-queue timeout 60

The call-back numbers used for each authorized user must be defined within the communications server local database or the AAA server. In the example above, the username identifies the return call by looking up the authenticated host name in a dialer map command. Do not allow the client to supply the callback number such as, pre-configuring a null dial string for an authorized dial-up user in the access server database or the AAA.

An alternative to the communication server and AAA server implementation is an integrated solution that includes the following:

1. a secured modem using FIPS 140-2 compliant encryption for the connection
2. an integrated RSA Secure ID server for 2-factor authentication
3. OOB connectivity to the managed device via console port access granted after the administrator has been authenticated
Fix Text (F-17774r1_fix)
The communications server must be configured to accept a callback request. In addition, it must be configured in a secured mode so that it will not callback an unauthorized user.