SV-86057r1_rule
V-71433
SRG-NET-000340-ALG-000091
CAGW-GW-000620
CAT II
10
Open the CA API Gateway - Policy Manager.
Double-click the Registered Services requiring multifactor authentication.
For example, within the policy, configure the policy to leverage an RSA SecurID hardware token along with X.509 by adding a "Require SSL/TLS with Client Certificate" Assertion, which will validate the certificate according to organizational requirements, then using that certificate to authenticate against LDAP or Active Directory, add an "Authenticate Against Identity Provider" Assertion, and then include the value from the hardware token in a request to the RSA SecurID RADIUS service by adding the "Authenticate Against RADIUS Server" Assertion.
Configure additional Registered Services in a similar fashion in accordance with organizational requirements.
Open the CA API Gateway - Policy Manager.
Double-click the Registered Services requiring multifactor authentication.
For example, within the policy that leverages an RSA SecurID hardware token along with X.509, verify the policy includes a "Require SSL/TLS with Client Certificate" Assertion, which will validate the certificate according to organizational requirements, then use that certificate to authenticate against LDAP or Active Directory using the "Authenticate Against Identity Provider" Assertion, and then include the value from the hardware token in a request to the RSA SecurID RADIUS service via the" Authenticate Against RADIUS Server" Assertion.
If the policy is not configured with multiple factors for authentication in a similar fashion, this is a finding.
V-71433
False
CAGW-GW-000620
Open the CA API Gateway - Policy Manager.
Double-click the Registered Services requiring multifactor authentication.
For example, within the policy that leverages an RSA SecurID hardware token along with X.509, verify the policy includes a "Require SSL/TLS with Client Certificate" Assertion, which will validate the certificate according to organizational requirements, then use that certificate to authenticate against LDAP or Active Directory using the "Authenticate Against Identity Provider" Assertion, and then include the value from the hardware token in a request to the RSA SecurID RADIUS service via the" Authenticate Against RADIUS Server" Assertion.
If the policy is not configured with multiple factors for authentication in a similar fashion, this is a finding.
M
3049