Check: CISR-ND-000134
Cisco ISR 4000 Series NDM STIG:
CISR-ND-000134
(in version v1 r1)
Title
Administrative accounts for device management must be configured on the authentication server and not the Cisco ISR 4000 Series router itself (except for the emergency administration account). (Cat II impact)
Discussion
The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion. Administrative accounts for network device management must be configured on the authentication server and not the network device itself. The only exception is for the emergency administration account (also known as the account of last resort), which is configured locally on each device. Note that more than one emergency administration account may be permitted if approved.
Check Content
Verify that administrative accounts are configured on the authentication server. The configuration should look similar to the example below: aaa authentication login default radius radius server RADIUS1 address ipv4 1.1.1.1 key <pre-shared key> If administrative accounts are not configured on the authentication server, this is a finding.
Fix Text
Configure the Cisco ISR 4000 Series router to use multiple authentication servers. The configuration should look similar to the example below: aaa authentication login default radius radius server RADIUS1 address ipv4 1.1.1.1 key <pre-shared key>
Additional Identifiers
Rule ID:
Vulnerability ID: V-74079
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
CCI-000370 |
The organization employs automated mechanisms to centrally manage configuration settings for organization-defined information system components. |