SV-220617r521267_rule
V-220617
SRG-APP-000516-NDM-000336
CISC-ND-001370
CAT I
10
Step 1: Configure the Cisco switch to use an authentication server as shown in the example below:
SW4(config)#radius host 10.1.48.2 key xxxxxx
Step 2: Configure the authentication order to use the authentication server as the primary source for authentication as shown in the example below:
SW4(config)#aaa authentication login LOGIN_AUTHENTICATION group radius local
Step 3: Configure all network connections associated with device management to use an authentication server for login authentication:
SW4(config)#line vty 0 4
SW4(config-line)#login authentication LOGIN_AUTHENTICATION
SW4(config-line)#exit
SW4(config)#line con 0
SW4(config-line)#login authentication LOGIN_AUTHENTICATION
SW4(config-line)#exit
SW4(config)#ip http authentication aaa login-authentication LOGIN_AUTHENTICATION
Review the Cisco switch configuration to verify that the device is configured to use an authentication server as the primary source for authentication as shown in the example below:
aaa new-model
!
aaa authentication login LOGIN_AUTHENTICATION group radius local
…
…
…
ip http authentication aaa login-authentication LOGIN_AUTHENTICATION
ip http secure-server
…
…
…
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key xxxxxxx
…
…
…
line con 0
exec-timeout 10 0
login authentication LOGIN_AUTHENTICATION
line vty 0 4
exec-timeout 10 0
login authentication LOGIN_AUTHENTICATION
If the Cisco switch is not configured to use an authentication server to authenticate users prior to granting administrative access, this is a finding.
V-220617
False
CISC-ND-001370
Review the Cisco switch configuration to verify that the device is configured to use an authentication server as the primary source for authentication as shown in the example below:
aaa new-model
!
aaa authentication login LOGIN_AUTHENTICATION group radius local
…
…
…
ip http authentication aaa login-authentication LOGIN_AUTHENTICATION
ip http secure-server
…
…
…
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key xxxxxxx
…
…
…
line con 0
exec-timeout 10 0
login authentication LOGIN_AUTHENTICATION
line vty 0 4
exec-timeout 10 0
login authentication LOGIN_AUTHENTICATION
If the Cisco switch is not configured to use an authentication server to authenticate users prior to granting administrative access, this is a finding.
M
4069