Ensuring centrally managed authentication settings
Rule Title: RiOS must employ automated mechanisms to centrally manage authentication settings.
STIG ID: RICX-DM-000092
Rule ID: SV-77433r1_rule
Severity: CAT II
Vuln ID: V-62943
Class: Unclass
The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion.
Verifying centrally managed authentication settings
Verify that RiOS is configured to employ automated mechanisms to centrally manage authentication settings.
1. Connect to the Management Console.
2. Choose Administration > Security: TACACS+ to display the TACACS+ page.
3. Verify that TACACS+ Servers has at least one server defined. If no servers exist in the TACACS+ Servers list, this is a security vulnerability finding.
— or —
4. Choose Administration > Security: RADIUS to display the RADIUS page.
5. Verify that RADIUS Servers has at least one server defined. If no servers exist in the RADIUS Servers list, this is a security vulnerability finding.
Configuring centrally managed authentication
Appliances support TACACS+ and RADIUS.
For TACACS+:
1. Connect to the Management Console.
2. Choose Administration > Security: TACACS+ to display the TACACS+ page.
3. Click Add a TACACS+ Server to expand the page.
4. Configure TACACS+ settings.
5. Configure a global default key.
6. Apply, and then save your changes.
For RADIUS:
1. Choose Administration > Security: RADIUS to display the RADIUS page.
2. Add a RADIUS Server and configure its settings.
3. Apply, and then save your changes.
TACACS+ settings
Hostname or IP Address specifies the hostname or server IP address.
Authentication Port specifies the port for the server. The default value is 49.
Authentication Type specifies either PAP or ASCII as the authentication type. The default value is PAP.
Override the Global Default Key overrides the global server key for the server.
Server Key specifies the override server key.
Confirm Server Key confirms the override server key.
Timeout specifies the time-out period in seconds (1 to 60). The default is 3.
Retries specifies the number of times you want to allow the user to retry authentication. Valid values are from 0 to 5. The default is 1.
Enabled enables the new server.
RADIUS settings
Hostname or IP Address specifies the hostname or server IP address. RiOS does not support IPv6 server IP addresses.
Authentication Port specifies the port for the server.
Authentication Type specifies the CHAP authentication type. Challenge-Handshake Authentication Protocol (CHAP), which provides better security than PAP, validates the identity of remote clients by periodically verifying the identity of the client using a three-way handshake. This validation happens at the time of establishing the initial link and might happen again at any time. CHAP bases verification on a user password and transmits an MD5 sum of the password from the client to the server.
Override the Global Default Key overrides the global server key for the server:
• Server Key specifies the override server key.
• Confirm Server Key confirms the override server key.
Timeout specifies the time-out period in seconds (1 to 60). The default value is 3.
Retries specifies the number of times you want to allow the user to retry authentication. Valid values are from 0 to 5. The default value is 1.
Enabled enables the new server.
Global default key settings
Set a Global Default Key enables a global server key for the RADIUS server.
Global Key specifies the global server key to the required value.
Confirm Global Key confirms the global server key.
Timeout specifies the time-out period in seconds (1 to 60). The default value is 3.
Retries specifies the number of times you want to allow the user to retry authentication. The default value is 1.
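The verification steps above and the TACACS+/RADIUS settings sections can be expressed as an offline compliance check. The following Python script is an added example, not RiOS code and not part of the STIG: RiOS exposes these lists only through the Management Console, so the script models each row of the TACACS+ Servers and RADIUS Servers lists as a constructed dataclass, applies the rule exactly as the check text states it (a finding only when neither list contains a server), and separately reports entries that fall outside the documented ranges (authentication port, timeout 1 to 60 seconds, retries 0 to 5, PAP/ASCII for TACACS+, CHAP for RADIUS, no IPv6 RADIUS server addresses). The sample servers, the `example.test` hostnames and the RADIUS port 1812 used in the demo are assumptions, not values from the page.

```python
"""Offline compliance check modelled on STIG rule RICX-DM-000092.

Added example: it does not connect to an appliance. The server lists are
constructed sample data standing in for the Management Console pages.
"""
import ipaddress
from dataclasses import dataclass

TACACS_DEFAULT_PORT = 49      # documented default TACACS+ authentication port
TIMEOUT_RANGE = (1, 60)       # seconds, both protocols
RETRIES_RANGE = (0, 5)        # both protocols


@dataclass
class AuthServer:
    """One row of the TACACS+ Servers or RADIUS Servers list (constructed model)."""
    host: str
    port: int = TACACS_DEFAULT_PORT
    auth_type: str = "PAP"    # TACACS+: PAP or ASCII; RADIUS: CHAP
    timeout: int = 3
    retries: int = 1
    enabled: bool = True


def _is_ipv6(host: str) -> bool:
    """True only for an IPv6 literal; hostnames and IPv4 literals return False."""
    try:
        return ipaddress.ip_address(host).version == 6
    except ValueError:
        return False


def validate_server(server: AuthServer, protocol: str) -> list:
    """Return the problems with one entry against the documented ranges; [] means OK."""
    problems = []
    if not server.host:
        problems.append("hostname or IP address is empty")
    if protocol == "radius" and _is_ipv6(server.host):
        problems.append("RADIUS does not support IPv6 server addresses")
    if not 1 <= server.port <= 65535:
        problems.append(f"port {server.port} is not a valid port")
    lo, hi = TIMEOUT_RANGE
    if not lo <= server.timeout <= hi:
        problems.append(f"timeout {server.timeout}s outside {lo}-{hi}")
    lo, hi = RETRIES_RANGE
    if not lo <= server.retries <= hi:
        problems.append(f"retries {server.retries} outside {lo}-{hi}")
    allowed = {"tacacs+": ("PAP", "ASCII"), "radius": ("CHAP",)}[protocol]
    if server.auth_type not in allowed:
        problems.append(f"authentication type {server.auth_type!r} not in {allowed}")
    return problems


def check_ricx_dm_000092(tacacs: list, radius: list) -> dict:
    """Apply the check as written: a finding only when both lists are empty.

    Entries outside the documented ranges, or defined but not enabled, are
    reported as warnings so an auditor can review them; they are not findings
    under this rule's text.
    """
    warnings = []
    for protocol, servers in (("tacacs+", tacacs), ("radius", radius)):
        for s in servers:
            for p in validate_server(s, protocol):
                warnings.append(f"{protocol} server {s.host!r}: {p}")
            if not s.enabled:
                warnings.append(f"{protocol} server {s.host!r} is defined but not enabled")
    finding = not tacacs and not radius
    return {"finding": finding, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample data; hostnames and the RADIUS port are assumptions.
    tacacs_list = [AuthServer("tacacs1.example.test", timeout=3, retries=1)]
    radius_list = [AuthServer("2001:db8::10", port=1812, auth_type="CHAP")]
    result = check_ricx_dm_000092(tacacs_list, radius_list)
    print("FINDING" if result["finding"] else "no finding")
    for w in result["warnings"]:
        print(" -", w)
```

Running the demo reports no finding (a TACACS+ server is defined) but warns that the RADIUS entry uses an IPv6 address, which the RADIUS settings section says RiOS does not support.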