UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The NSX-T Manager must integrate with either VMware Identity Manager (vIDM) or VMware Workspace ONE Access.


Overview

Finding ID Version Rule ID IA Controls Severity
V-251789 TNDM-3X-000092 SV-251789r916111_rule High
Description
Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device. Use VMware Identity Manager or Workspace ONE configured to meet DoD requirements for authentication, authorization, and access control. This does not require an additional license. Configuration details of this product are not in scope beyond this requirement. Ensure the VMware Workspace ONE Access/VMware Identity Manager acts as a broker to different identity stores and providers, including Active Directory and SAML. Two supplements are included with the VMware NSX-T STIG package that provide guidance from the vendor for configuration of VMware Identity Manager and VMware Workspace ONE Access. Satisfies: SRG-APP-000516-NDM-000336, SRG-APP-000177-NDM-000263, SRG-APP-000149-NDM-000247, SRG-APP-000080-NDM-000220
STIG Date
VMware NSX-T Manager NDM Security Technical Implementation Guide 2023-06-22

Details

Check Text ( C-55249r819177_chk )
From the NSX-T Manager web interface, go to System >> Users and Roles >> VMware Identity Manager.

If the VMware Identity Manager integration is not enabled, this is a finding.

If the user is not redirected to VMware Identity Manager or Workspace ONE Access when attempting to log in to the NSX-T Manager web interface and prompted to select a certificate and enter a PIN, this is a finding.
Fix Text (F-55203r819721_fix)
To configure NSX-T to integrate with VMware Identity Manager or Workspace ONE Access as the authentication source, do the following:

From the NSX-T Manager web interface, go to System >> Users and Roles >> VMware Identity Manager and click "Edit".

If using an external load balancer for the NSX-T Management cluster, enable "External Load Balancer Integration". If using a cluster VIP, leave this disabled.

Click the toggle button to enable "VMware Identity Manager Integration".

Enter the VMware Identity Manager or Workspace ONE Access appliance name, OAuth Client ID, OAuth Client Secret, and certificate thumbprint as provided by the administrators.

Enter the NSX Appliance FQDN. For a cluster, enter the load balancer FQDN or cluster VIP FQDN.

Click "Save", import users and groups, and then assign them roles.

Ensure the VMware Identity Manager administrators have configured the certificate authentication adapter to provide two-factor authentication.