Check: CSCO-NM-000270
Cisco ISE NDM STIG:
CSCO-NM-000270
(in versions v2 r2 through v1 r1)
Title
The Cisco ISE must be configured to use an external authentication server to authenticate administrators prior to granting administrative access. (Cat II impact)
Discussion
Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important as protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and burdens system administrators with multiple authenticators for each network device.

Cisco ISE can connect with external identity sources such as Active Directory, LDAP, RADIUS Token, and RSA SecurID servers to obtain user information for authentication and authorization. External identity sources also include certificate authentication profiles needed for certificate-based authentications.

Configure external authentication to a central AAA identity source. For accounts defined in the external identity store, create a password policy for the external administrator account stores. Then apply this policy to the external administrator groups that eventually become part of the external administrator RBAC policy. In addition to providing authentication via an external identity store, the network may also require the use of a Common Access Card (CAC) authentication device.

To configure external authentication:
- Configure password-based authentication using an external identity store.
- Create an external administrator group.
- Configure menu access and data access permissions for the external administrator group.
- Create an RBAC policy for external administrator authentication.
Check Content
Verify an external authentication identity source is configured.
1. Choose Administration >> System >> Admin Access >> Administrators >> Admin Groups.
2. View the External Group configuration.

If the Cisco ISE is not configured to use an external authentication server to authenticate administrators prior to granting administrative access, this is a finding.
Fix Text
Configure external authentication to a central AAA identity source.

Configure password-based authentication for administrators who authenticate using an external identity store such as Active Directory or LDAP.
1. Choose Administration >> System >> Admin Access >> Authentication.
2. On the Authentication Method tab, select Password Based and choose one of the external identity sources that was previously configured (for example, the Active Directory instance that was created).
3. Configure any other specific password policy settings for administrators who authenticate using an external identity store.
4. Click "Save".

Create an external Active Directory or LDAP administrator group. This ensures that Cisco ISE uses the username that is defined in the external Active Directory or LDAP identity store to validate the administrator username and password that was entered upon login. Cisco ISE imports the Active Directory or LDAP group information from the external resource and stores it as a dictionary attribute. Specify that attribute as one of the policy elements when it is time to configure the RBAC policy for this external administrator authentication method.
1. Choose Administration >> System >> Admin Access >> Administrators >> Admin Groups.
2. Click "Add".
3. Enter a name and optional description.
4. Choose the "External" radio button.
5. From the External Groups drop-down list box, choose the Active Directory group to map for this external administrator group. Click the "+" sign to map additional Active Directory groups to this external administrator group.
6. Click "Save".

Configure menu access and data access permissions that can be assigned to the external administrator group.
1. Choose Administration >> System >> Admin Access >> Permissions.
2. Click one of the following:
- Menu Access - All administrators who belong to the external administrator group can be granted permission at the menu or submenu level. The menu access permission determines the menus or submenus that they can access.
- Data Access - All administrators who belong to the external administrator group can be granted permission at the data level. The data access permission determines the data that they can access.
3. Specify menu access or data access permissions for the external administrator group.
4. Click "Save".

In order to configure Cisco ISE to authenticate the administrator using an external identity store and to specify custom menu and data access permissions at the same time, configure a new RBAC policy. This policy must have the external administrator group for authentication and the Cisco ISE menu and data access permissions to manage the external authentication and authorization.
1. Choose Administration >> System >> Admin Access >> Authorization >> Policy.
2. Specify the rule name, external administrator group, and permissions. Remember that the appropriate external administrator group must be assigned to the correct administrator user IDs. Ensure the administrator in question is associated with the correct external administrator group.
3. Click "Save".
Additional Identifiers
Rule ID: SV-242633r997485_rule
Vulnerability ID: V-242633
Group Title: SRG-APP-000516-NDM-000336
CCIs
Number | Definition |
---|---|
CCI-000366 | Implement the security configuration settings. |
CCI-000370 | Manage configuration settings for organization-defined system components using organization-defined automated mechanisms. |
CCI-003627 | Disable accounts when the accounts have expired. |
CCI-003628 | Disable accounts when the accounts are no longer associated to a user. |
CCI-003831 | Alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information. |
CCI-004046 | Implement multi-factor authentication for local; network; and/or remote access to privileged accounts; and/or non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. |
CCI-004047 | Implement multi-factor authentication for local; network; and/or remote access to privileged accounts; and/or non-privileged accounts such that the device meets organization-defined strength of mechanism requirements. |
CCI-004058 | For password-based authentication, maintain a list of commonly used, expected, or compromised passwords on an organization-defined frequency. |
CCI-004059 | For password-based authentication, update the list of passwords on an organization-defined frequency. |
CCI-004060 | For password-based authentication, update the list of passwords when organizational passwords are suspected to have been compromised directly or indirectly. |
CCI-004061 | For password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a). |
CCI-004063 | For password-based authentication, require immediate selection of a new password upon account recovery. |
CCI-004064 | For password-based authentication, allow user selection of long passwords and passphrases, including spaces and all printable characters. |
CCI-004065 | For password-based authentication, employ automated tools to assist the user in selecting strong password authenticators. |
CCI-004068 | For public key-based authentication, implement a local cache of revocation data to support path discovery and validation. |