UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The network device must require authentication for console access.


Overview

Finding ID Version Rule ID IA Controls Severity
V-4582 NET1623 SV-28747r3_rule IAIA-1 IAIA-2 High
Description
Network devices with no password for administrative access via the console provide the opportunity for anyone with physical access to the device to make configuration changes enabling them to disrupt network operations resulting in a network outage.
STIG Date
Perimeter Router Security Technical Implementation Guide Juniper 2016-12-23

Details

Check Text ( C-29084r3_chk )
Review the network device's configuration and verify authentication is required for console access.

With the exception of root, all user access privileges to a Juniper router are defined in a class. All users who log in to the router must be in a login class. Hence, user access to the router is via login class as shown in the following example:

[edit system]
authentication-order [ radius password ];
radius-server {
192.168.6.5 {
secret "xxxxxxx";
}
}
login {
/* login classes */
class tier1 {
idle-timeout 10;
permissions all;
}
class tier2 {
idle-timeout 10;
permissions [ configure interface network routing snmp system trace view firewall ];
}
/* local emgergency account */
user admin {
full-name Administrator;
uid 2000;
class tier1;
authentication {
encrypted-password "xxxx"; # SECRET-DATA
}
}
/* RADIUS templates */
user tier1 {
uid 2001;
class tier1;
}
user tier2 {
uid 2002;
class tier2;
}
}

Note: Since the root account does not belong to a class and you can access root via console, disable the ability to login at the console using the root account by making the console insecure as follows:

[edit system]
console {
insecure;
}
Fix Text (F-4515r4_fix)
Configure authentication for console access on the network device.