SV-216544r531088_rule
V-216544
SRG-APP-000516-NDM-000336
CISC-ND-001370
CAT I
10
Step 1: Configure the router to use an authentication server as shown in the following example:
RP/0/0/CPU0:R3(config)#radius-server host 10.1.3.16 key xxxxxxxx
Step 2: Configure the authentication order to use the authentication server as the primary source for authentication as shown in the following example:
RP/0/0/CPU0:R3(config)#aaa authentication login LOGIN_AUTHENTICATION group radius local
Step 3: Configure all network connections associated with device management to use an authentication server for the purpose of login authentication as shown in the following example:
RP/0/0/CPU0:R3(config)#line default
RP/0/0/CPU0:R3(config-line)#login authentication LOGIN_AUTHENTICATION
RP/0/0/CPU0:R3(config-line)#exit
RP/0/0/CPU0:R3(config)#line console
RP/0/0/CPU0:R3(config-line)#login authentication LOGIN_AUTHENTICATION
Review the Cisco router configuration to verify that the device is configured to use an authentication server as the primary source for authentication as shown in the following example:
radius-server host 10.1.3.16 auth-port 1645 acct-port 1646
key xxxxxxxxxx
…
…
…
aaa authentication login LOGIN_AUTHENTICATION group radius local
line console
login authentication LOGIN_AUTHENTICATION
!
line default
login authentication LOGIN_AUTHENTICATION
transport input ssh
If the Cisco router is not configured to use an authentication server for the purpose of authenticating users prior to granting administrative access, this is a finding.
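The review above can be automated against a saved running configuration. The following Python sketch is an added example, not part of the STIG text; it checks only the RADIUS form shown in the example (`group radius` as the first method), and the function name `audit_login_auth` and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample in the layout of the check text above (key is a placeholder).
SAMPLE_OK = """\
radius-server host 10.1.3.16 auth-port 1645 acct-port 1646
 key xxxxxxxxxx
!
aaa authentication login LOGIN_AUTHENTICATION group radius local
line console
 login authentication LOGIN_AUTHENTICATION
!
line default
 login authentication LOGIN_AUTHENTICATION
 transport input ssh
!
"""

REQUIRED_LINES = ("console", "default")  # the line templates the check text lists

def audit_login_auth(config: str) -> list[str]:
    """Return a list of findings; an empty list means the check passes."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    if not any(l.startswith("radius-server host ") for l in lines):
        findings.append("no radius-server host configured")
    lists = {}  # login method list name -> ordered methods
    for l in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)$", l)
        if m:
            lists[m.group(1)] = m.group(2).split()
    applied, current = {}, None  # line template -> applied list name
    for l in lines:
        if l.startswith("line "):
            current = l.split()[1]
        elif l == "!":
            current = None  # "!" closes the current stanza
        elif current and l.startswith("login authentication "):
            applied[current] = l.split()[2]
    for name in REQUIRED_LINES:
        ref = applied.get(name)
        if ref is None:
            findings.append(f"line {name}: no login authentication list applied")
        elif ref not in lists:
            findings.append(f"line {name}: list {ref} is not defined")
        elif lists[ref][:2] != ["group", "radius"]:
            findings.append(f"line {name}: list {ref} does not try group radius first")
    return findings
```

A non-empty result corresponds to a finding under this check; a list that places `local` ahead of `group radius` is reported because the authentication server would no longer be the primary source.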
False
M
4023