STIGQter: STIG Summary: Cisco NX-OS Switch NDM Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021

The Cisco switch must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.

DISA Rule

SV-220513r604141_rule

Vulnerability Number

V-220513

Group Title

SRG-APP-000516-NDM-000336

Rule Version

CISC-ND-001370

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure the Cisco switch to use an authentication server as shown in the following example:

Step 1: Define the authentication server.

SW1(config)# radius-server host 10.1.48.10 key xxxxxx

Step 2: Configure the AAA group.

SW1(config)# aaa group server radius RADIUS_SERVERS
SW1(config-radius)# server 10.1.48.10

Step 3: Use the AAA server for login authentication for both in-band and console access methods.

SW1(config)# aaa authentication login default group RADIUS_SERVERS
SW1(config)# aaa authentication login console group RADIUS_SERVERS

Check Contents

Review the Cisco switch configuration to verify that the device is configured to use an authentication server as the primary source for authentication.

Step 1: Verify that an AAA server group is configured for login authentication for both in-band and console access methods.

aaa authentication login default group RADIUS_SERVERS
aaa authentication login console group RADIUS_SERVERS

Step 2: Verify that an AAA server has been defined for the server group as shown in the example below:

radius-server host 10.1.48.10 key 7 "xxxxxx" authentication accounting
aaa group server radius RADIUS_SERVERS
server 10.1.48.10

If the Cisco switch is not configured to use an authentication server for the purpose of authenticating users prior to granting administrative access, this is a finding.
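The following Python script is an added example, not part of the STIG or of STIGQter, that applies the two check steps above to saved `show running-config` text. The sample configuration is constructed to mirror the STIG's example; the parser also accepts TACACS+ server groups and a trailing `local` fallback method, which the check text does not show, and reports a finding for any login method that does not name a defined server group first or for any group member lacking a `radius-server host` / `tacacs-server host` definition.

```python
import re

# Constructed NX-OS running-config excerpt mirroring the STIG's example; not from a real device.
SAMPLE_CONFIG = """\
radius-server host 10.1.48.10 key 7 "xxxxxx" authentication accounting
aaa group server radius RADIUS_SERVERS
    server 10.1.48.10
aaa authentication login default group RADIUS_SERVERS
aaa authentication login console group RADIUS_SERVERS
"""

def parse_aaa(config):
    """Collect login method lists, server groups and server host definitions from config text."""
    login, groups, hosts, current = {}, {}, set(), None
    for line in config.splitlines():
        if m := re.match(r"^aaa group server (?:radius|tacacs\+) (\S+)", line):
            current = m.group(1)
            groups[current] = []
        elif current and (m := re.match(r"^\s*server (\S+)", line)):
            groups[current].append(m.group(1))  # member of the current group block
        elif not line.startswith(" "):
            current = None  # a non-indented line closes the group block
            if m := re.match(r"^(?:radius|tacacs)-server host (\S+)", line):
                hosts.add(m.group(1))
            elif m := re.match(r"^aaa authentication login (default|console) (.+)$", line):
                login[m.group(1)] = m.group(2).split()
    return login, groups, hosts

def audit_cisc_nd_001370(config):
    """Return findings for CISC-ND-001370; an empty list means the check passes."""
    login, groups, hosts = parse_aaa(config)
    findings = []
    for method in ("default", "console"):
        tokens = login.get(method, [])
        # The first method must be a server group ('group NAME'); 'local' alone is a finding.
        if len(tokens) < 2 or tokens[0] != "group":
            findings.append(f"login {method}: no AAA server group configured")
            continue
        servers = groups.get(tokens[1])
        if not servers:
            findings.append(f"login {method}: group {tokens[1]} undefined or has no servers")
            continue
        for srv in servers:
            if srv not in hosts:
                findings.append(f"group {tokens[1]}: server {srv} has no *-server host definition")
    return findings
```

Feed it the output of `show running-config` from a management host; a non-empty list is the finding list to record.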

Vulnerability Number

V-220513

Documentable

False

Rule Version

CISC-ND-001370

Severity Override Guidance

Review the Cisco switch configuration to verify that the device is configured to use an authentication server as the primary source for authentication.

Step 1: Verify that an AAA server group is configured for login authentication for both in-band and console access methods.

aaa authentication login default group RADIUS_SERVERS
aaa authentication login console group RADIUS_SERVERS

Step 2: Verify that an AAA server has been defined for the server group as shown in the example below:

radius-server host 10.1.48.10 key 7 "xxxxxx" authentication accounting
aaa group server radius RADIUS_SERVERS
server 10.1.48.10

If the Cisco switch is not configured to use an authentication server for the purpose of authenticating users prior to granting administrative access, this is a finding.

Check Content Reference

M

Target Key

4066

Comments