Check: CACI-ND-000009
Cisco ACI NDM STIG:
CACI-ND-000009
(in version v1 r0.1)
Title
The Cisco Application Policy Infrastructure Controller (APIC) must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access. (Cat I impact)
Discussion
Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is a particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's Cisco ACIs can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote-access authentication attacks and leaves system administrators with multiple authenticators for each Cisco ACI.

APIC policies manage the authentication, authorization, and accounting (AAA) functions of the Cisco Application Centric Infrastructure (ACI) fabric. The combination of user privileges, roles, and domains with access-rights inheritance enables administrators to configure AAA functions at the managed-object level in a granular fashion. Creating a user and assigning a role to that user does not by itself enable access rights; the user must also be assigned to one or more security domains. By default, the ACI fabric includes two special precreated domains: "All", which allows access to the entire management information tree (MIT), and "Infra", which allows access to fabric infrastructure objects and subtrees, such as fabric access policies.

Satisfies: SRG-APP-000516-NDM-000336, SRG-APP-000149-NDM-000247
Check Content
Review the AAA configuration:
1. In the GUI, on the menu bar, choose Admin >> AAA.
2. In the Navigation pane, click "Authentication" and then click the "RADIUS" tab.
3. Review the configuration for the AAA servers.
4. Review the configuration of the Login Domain(s) used by the site.
Note: The above configuration is an example using the RADIUS protocol. However, DOD sites may configure the options for LDAP, RADIUS, or TACACS+.
If the Cisco ACI is not configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access, this is a finding.
Fix Text
In the APIC, configure redundant RADIUS providers:
1. On the menu bar, choose Admin >> AAA.
2. In the Navigation pane, click "Authentication" and then click the "RADIUS" tab.
3. In the Work pane, choose Actions >> Create RADIUS Provider.
4. Specify the RADIUS host name (or IP address), port, protocol, and management endpoint group.
5. In the Navigation pane, choose System >> System Settings >> APIC Connectivity Preferences. In the Work pane, select "ooband".
6. Repeat the above steps for at least one other AAA server.
Create the login domain for RADIUS:
1. In the Navigation pane, choose AAA Authentication >> Login Domains.
2. In the Work pane, choose Actions >> Create Login Domain.
3. Specify the login domain name, description, realm, and provider group as appropriate.
Note: The above configuration is an example using the RADIUS protocol. However, DOD sites may configure the options for LDAP, RADIUS, or TACACS+.
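The Check Content and Fix Text above are GUI procedures. The script below is an added example, not part of the STIG and not Cisco tooling; it performs the same check offline against the JSON that the APIC REST API returns for class queries (GET /api/node/class/<class>.json). It assumes the APIC AAA object model as documented: aaaLoginDomain with an aaaDomainAuth child carrying realm and providerGroup, and aaaRadiusProviderGroup / aaaTacacsPlusProviderGroup / aaaLdapProviderGroup objects whose aaaProviderRef children name the provider hosts. Confirm those class and attribute names with the API Inspector on your release. The SAMPLE_* dictionaries are constructed for this example and are not captured from a real fabric.

```python
"""Offline audit for CACI-ND-000009: does every remote login domain on the
APIC resolve to at least two distinct authentication servers?

Added example, not STIG or Cisco code. It consumes the JSON of APIC class
queries and assumes the documented AAA model: aaaLoginDomain -> aaaDomainAuth
(realm, providerGroup); aaa*ProviderGroup -> aaaProviderRef (name = host).
Verify these names with API Inspector. SAMPLE_* data below is constructed.
"""
from typing import Dict, List, Set

# Provider-group class per remote realm. Domains using the local, rsa or saml
# realm do not reference one of these groups and are not counted as servers.
GROUP_CLASS = {
    "radius": "aaaRadiusProviderGroup",
    "tacacs": "aaaTacacsPlusProviderGroup",
    "ldap": "aaaLdapProviderGroup",
}


def providers_by_group(class_response: dict, group_class: str) -> Dict[str, Set[str]]:
    """Map provider-group name -> set of distinct provider hosts (aaaProviderRef.name)."""
    groups: Dict[str, Set[str]] = {}
    for item in class_response.get("imdata", []):
        group = item.get(group_class)
        if not group:
            continue
        hosts = {c["aaaProviderRef"]["attributes"]["name"]
                 for c in group.get("children", []) if "aaaProviderRef" in c}
        groups[group["attributes"]["name"]] = hosts
    return groups


def login_domains(domain_response: dict) -> List[dict]:
    """Return [{name, realm, providerGroup}] per aaaLoginDomain.
    realm/providerGroup live on the aaaDomainAuth child, so the query that
    produced domain_response must have used rsp-subtree=children (or full)."""
    out = []
    for item in domain_response.get("imdata", []):
        dom = item.get("aaaLoginDomain")
        if not dom:
            continue
        auth = next((c["aaaDomainAuth"]["attributes"]
                     for c in dom.get("children", []) if "aaaDomainAuth" in c), {})
        out.append({"name": dom["attributes"]["name"],
                    "realm": auth.get("realm", ""),
                    "providerGroup": auth.get("providerGroup", "")})
    return out


def audit(domain_response: dict, group_responses: Dict[str, dict], minimum: int = 2) -> List[str]:
    """Return finding strings; an empty list means the check passes.
    Findings: a remote login domain whose provider group is missing or holds
    fewer than `minimum` distinct hosts, or no remote login domain at all
    (local-only authentication cannot satisfy "two servers")."""
    groups = {realm: providers_by_group(group_responses.get(cls, {}), cls)
              for realm, cls in GROUP_CLASS.items()}
    findings, remote_seen = [], False
    for dom in login_domains(domain_response):
        if dom["realm"] not in GROUP_CLASS:
            continue
        remote_seen = True
        hosts = groups[dom["realm"]].get(dom["providerGroup"])
        if hosts is None:
            findings.append(f"FINDING: login domain '{dom['name']}' ({dom['realm']}) "
                            f"references missing provider group '{dom['providerGroup']}'")
        elif len(hosts) < minimum:
            findings.append(f"FINDING: login domain '{dom['name']}' ({dom['realm']}) has "
                            f"{len(hosts)} provider(s) in group '{dom['providerGroup']}', need {minimum}")
    if not remote_seen:
        findings.append("FINDING: no login domain uses a remote authentication realm")
    return findings


# Constructed sample responses: a compliant RADIUS domain (two servers), a
# non-compliant TACACS+ domain (one server) and a local fallback domain.
SAMPLE_DOMAINS = {"imdata": [
    {"aaaLoginDomain": {"attributes": {"name": "DOD_RADIUS"}, "children": [
        {"aaaDomainAuth": {"attributes": {"realm": "radius", "providerGroup": "DOD_RADIUS"}}}]}},
    {"aaaLoginDomain": {"attributes": {"name": "LAB_TACACS"}, "children": [
        {"aaaDomainAuth": {"attributes": {"realm": "tacacs", "providerGroup": "LAB_TACACS"}}}]}},
    {"aaaLoginDomain": {"attributes": {"name": "fallback"}, "children": [
        {"aaaDomainAuth": {"attributes": {"realm": "local", "providerGroup": ""}}}]}},
]}
SAMPLE_GROUPS = {
    "aaaRadiusProviderGroup": {"imdata": [{"aaaRadiusProviderGroup": {
        "attributes": {"name": "DOD_RADIUS"}, "children": [
            {"aaaProviderRef": {"attributes": {"name": "10.0.0.11", "order": "1"}}},
            {"aaaProviderRef": {"attributes": {"name": "10.0.0.12", "order": "2"}}}]}}]},
    "aaaTacacsPlusProviderGroup": {"imdata": [{"aaaTacacsPlusProviderGroup": {
        "attributes": {"name": "LAB_TACACS"}, "children": [
            {"aaaProviderRef": {"attributes": {"name": "10.0.0.21", "order": "1"}}}]}}]},
    "aaaLdapProviderGroup": {"imdata": []},
}

if __name__ == "__main__":
    for line in audit(SAMPLE_DOMAINS, SAMPLE_GROUPS) or ["PASS: every remote login domain has >= 2 providers"]:
        print(line)
```

To run it against a live controller, authenticate with POST /api/aaaLogin.json, then GET /api/node/class/aaaLoginDomain.json?rsp-subtree=children and the three provider-group classes with rsp-subtree=children using the returned APIC-cookie, and pass the parsed JSON in place of the SAMPLE_* dictionaries. The script counts distinct hosts, so two provider references to the same server do not satisfy the requirement, and a fabric whose only login domain uses the local realm is reported as a finding rather than silently passing.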
Additional Identifiers
Rule ID: SV-271924r1067359_rule
Vulnerability ID: V-271924
Group Title: SRG-APP-000516-NDM-000336
CCIs
Number | Definition
---|---
CCI-000370 | Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.
CCI-000765 | Implement multifactor authentication for access to privileged accounts.