Juniper EX Series Switches Network Device Management STIG Version Comparison

There are 6 differences between versions v2 r2 (Oct. 24, 2024) (the "left" version) and v2 r4 (Jan. 5, 2026) (the "right" version).

Check JUEX-NM-000240 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.

The regular view of the left check and right check may be easier to read.

Title

The Juniper EX switch must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.

Check Content

1. Review the Juniper EX configuration to determine if an account of last resort is configured. 2. Verify the username and password for the root account, and the account of last resort is contained within sealed envelopes and kept in a safe. Junos categorizes user accounts as "local" or "template", with the difference being the presence of an authentication stanza. Accounts with an authentication stanza are local because the administrator can log in without the need for an external AAA service. Accounts without an authentication stanza are templates that require external authentication. Verify only authorized account(s) have an authentication stanza. user@host> show configuration system login ... user <name> { ... <<< No authentication stanza for externally authenticated accounts } user <account of last resort username> { ... authentication { encrypted-password <password hash>; } } The authentication order must be configured to prefer external AAA, and "password" authentication can be omitted if required. If "password" is present, Junos will attempt password authentication upon external AAA authentication failure. This feature is useful if the account of last resort is required while external AAA remains reachable but is misconfigured and prevents successful logon. If "password" is not present, Junos will not fail over to local authentication unless there is a loss of connectivity with the external AAA service (e.g., timeout). Verify the authentication order prefers external AAA (first in the order). user@host> show configuration system authentication-order authentication-order [ <external AAA> password ] --or-- authentication-order <external AAA>; Verify that direct root login logon is disabled until needed. [edit disabled. user@host> show configuration system services ssh <<< missing ssh] root-login root-login deny; 2. Verify directive inherits the default 'deny' protocol-version v2; ...<snip>... --or-- root-login deny; ...<snip>... If one console port is set to "insecure": [edit system ports] console { log-out-on-disconnect; insecure; } 3. Verify only the designated account of last resort has an authentication stanza. [edit system login] : : user <account of last resort name> { uid 2004; class <class name>; authentication { encrypted-password "$6$0/BgZc6n$BIY..<snip>..vLzjWpYq2D/"; ## SECRET-DATA } } user auditor { uid 2010; class <class name>; } If access is allowed using any local account other than does not exist for use as the account of last resort, this is a finding.

Discussion

Authentication for administrative (privileged level) access to the device is required at all times. An account is created on the device's local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort since it is intended to be used as a last resort and when immediate administrative access is absolutely necessary. The account of last resort logon credentials must be stored in a sealed envelope and kept in a safe. The safe must be periodically audited to verify the envelope remains sealed. The signature of the auditor and the date of the audit should must be added to the envelope as a record. Administrators should must secure the credentials and disable access to the root account (if possible) when not needed for system administration functions. Junos does not have default passwords passwords, and the root account cannot be renamed or disabled. The root account password should must be saved in the same manner as the account of last resort. Setting the console port "insecure" prevents direct root login but also prevents password recovery without knowledge of the root password. Verify only a single local account has an authentication stanza. Local accounts without an authentication stanza are "template accounts" and must be externally authenticated. Template accounts must match the logging-in username or a returned Vendor Specific Attribute (VSA) and are used to map permissions (assigned in the login class) to the user. The example given in the Check and Fix assumes a working external authentication server and appropriate authentication order.

Fix

1. Disable direct root login: set system services ssh root-login deny set system ports console insecure 2. Configure the Juniper EX to only allow one local account for use as the account of last resort: set resort. 1. Enter configuration mode. 2. Configure the authorized account with an authentication stanza. 3. Configure the authentication order to prefer external AAA. 4. Configure SSH to deny root login. 5. Commit the configuration. user@host> configure user@host# set system login user <account of last resort name> class <class name> set username> authentication plain-text-password New password: <PW not echoed to screen> Retype new password: <PW confirmation not echoed to screen> user@host# delete system login user <not <account account of last resort username> authentication user@host# delete name> authentication plain-text-password New password: <password - not echoed to the screen> Retype new password: <password verification - not echoed to the screen> 3. Set all other template accounts: set system services ssh root-login --or-- user@host# set login user <template account 1> class <class 1> set system login user <template account 2> class <class 2> services ssh root-login deny user@host# set system authentication-order [ <external AAA> password ] --or-- user@host# set system authentication-order <external AAA> user@host# commit