The network device must require authentication for console access.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-4582	NET1623	SV-28747r3_rule	IAIA-1 IAIA-2	High

Description
Network devices with no password for administrative access via the console provide the opportunity for anyone with physical access to the device to make configuration changes enabling them to disrupt network operations resulting in a network outage.

STIG	Date
Perimeter Router Security Technical Implementation Guide Juniper	2015-07-01

Details

Check Text ( C-29084r3_chk )
Review the network device's configuration and verify authentication is required for console access. With the exception of root, all user access privileges to a Juniper router are defined in a class. All users who log in to the router must be in a login class. Hence, user access to the router is via login class as shown in the following example: [edit system] authentication-order [ radius password ]; radius-server { 192.168.6.5 { secret "xxxxxxx"; } } login { /* login classes / class tier1 { idle-timeout 10; permissions all; } class tier2 { idle-timeout 10; permissions [ configure interface network routing snmp system trace view firewall ]; } / local emgergency account / user admin { full-name Administrator; uid 2000; class tier1; authentication { encrypted-password "xxxx"; # SECRET-DATA } } / RADIUS templates */ user tier1 { uid 2001; class tier1; } user tier2 { uid 2002; class tier2; } } Note: Since the root account does not belong to a class and you can access root via console, disable the ability to login at the console using the root account by making the console insecure as follows: [edit system] console { insecure; }

Check Text ( C-29084r3_chk )

Review the network device's configuration and verify authentication is required for console access.

With the exception of root, all user access privileges to a Juniper router are defined in a class. All users who log in to the router must be in a login class. Hence, user access to the router is via login class as shown in the following example:

[edit system]
authentication-order [ radius password ];
radius-server {
192.168.6.5 {
secret "xxxxxxx";
}
}
login {
/* login classes */
class tier1 {
idle-timeout 10;
permissions all;
}
class tier2 {
idle-timeout 10;
permissions [ configure interface network routing snmp system trace view firewall ];
}
/* local emgergency account */
user admin {
full-name Administrator;
uid 2000;
class tier1;
authentication {
encrypted-password "xxxx"; # SECRET-DATA
}
}
/* RADIUS templates */
user tier1 {
uid 2001;
class tier1;
}
user tier2 {
uid 2002;
class tier2;
}
}

Note: Since the root account does not belong to a class and you can access root via console, disable the ability to login at the console using the root account by making the console insecure as follows:

[edit system]
console {
insecure;
}

Fix Text (F-4515r4_fix)
Configure authentication for console access on the network device.