Check: CISR-ND-000134
Cisco IOS XE Release 3 NDM STIG:
CISR-ND-000134
(in versions v1 r5 through v1 r2)
Title
Administrative accounts for device management must be configured on the authentication server and not the Cisco IOS XE router itself (except for the emergency administration account). (Cat II impact)
Discussion
The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion. Administrative accounts for network device management must be configured on the authentication server and not the network device itself. The only exception is for the emergency administration account (also known as the account of last resort), which is configured locally on each device. Note that more than one emergency administration account may be permitted if approved.
Check Content
Verify that administrative accounts are configured on the authentication server. The configuration should look similar to the example below: aaa authentication login default radius radius server RADIUS1 address ipv4 1.1.1.1 key <pre-shared key> If administrative accounts are not configured on the authentication server, this is a finding.
Fix Text
Configure the Cisco IOS XE router to use multiple authentication servers. The configuration should look similar to the example below: aaa authentication login default radius radius server RADIUS1 address ipv4 1.1.1.1 key <pre-shared key>
Additional Identifiers
Rule ID: SV-88753r2_rule
Vulnerability ID: V-74079
Group Title: SRG-APP-000516-NDM-000336
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
CCI-000370 |
The organization employs automated mechanisms to centrally manage configuration settings for organization-defined information system components. |