An error occurred:

Check: CASA-ND-001310

Cisco ASA NDM STIG: CASA-ND-001310 (in versions v1 r6 through v1 r5)

Title

The Cisco ASA must be configured to use at least two authentication servers to authenticate users prior to granting administrative access. (Cat I impact)

Discussion

Centralized management of authentication settings increases the security of remote and non-local access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device.

Check Content

Review the Cisco ASA configuration to verify the device is configured to use at least two authentication servers as primary source for authentication. Step 1: Verify that an AAA group is configured for login authentication for both in-band and console access methods. aaa authentication serial console RADIUS_GROUP LOCAL aaa authentication ssh console RADIUS_GROUP LOCAL Step 2: Verify that an AAA group and server has been defined for the group referenced in the above example. aaa-server RADIUS_GROUP protocol radius aaa-server RADIUS_GROUP (NDM_INTERFACE) host 10.1.48.10 key ***** aaa-server RADIUS_GROUP (NDM_INTERFACE) host 10.1.48.11 key ***** If the Cisco ASA is not configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access, this is a finding.

Fix Text

Configure the Cisco ASA to use at least two authentication servers as shown in the following example. Step 1: Define the authentication group and protocol. ASA(config)# aaa-server RADIUS_GROUP protocol radius Step 2: Define the authentication servers. ASA(config)# aaa-server RADIUS_GROUP (NDM_INTERFACE) host 10.1.48.10 ASA(config-aaa-server-host)# key bobby ASA(config-aaa-server-host)# exit ASA(config)# aaa-server RADIUS_GROUP (NDM_INTERFACE) host 10.1.48.11 ASA(config-aaa-server-host)# key bobby2 ASA(config-aaa-server-host)# exit Step 3: Use the AAA server for login authentication for both in-band and console access methods. ASA(config)# aaa authentication serial console RADIUS_GROUP LOCAL ASA(config)# aaa authentication ssh console RADIUS_GROUP LOCAL ASA(config)# end

Additional Identifiers

Rule ID: SV-239940r916111_rule

Vulnerability ID: V-239940

Group Title: SRG-APP-000516-NDM-000336

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000370

The organization employs automated mechanisms to centrally manage configuration settings for organization-defined information system components.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-6 (1)

Automated Central Management / Application / Verification