Check: RCKS-NDM-000100
RUCKUS ICX NDM STIG: RCKS-NDM-000100 (in version v1 r1)
Title
The RUCKUS ICX device must be configured to assign appropriate user roles or access levels to authenticated users. (Cat I impact)
Discussion
Successful identification and authentication must not automatically give an entity full access to a network device or security domain. The lack of authorization-based access control could result in the immediate compromise of and unauthorized access to sensitive information. All DOD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset or set of resources. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization.

Some network devices are preconfigured with security groups. Other network devices enable operators to create custom security groups with custom permissions. For example, an information system security manager (ISSM) may require read-only access to audit the network device. Operators may create an audit security group, define permissions and access levels for members of the group, and then assign the ISSM's user persona to the audit security group. This is still considered privileged access, but the ISSM's security group is more restrictive than the network administrator's security group.

Network devices that rely on AAA brokers for authentication and authorization services may need to identify the security groups or access levels available on the network devices and convey that information to the AAA operator. Once the AAA broker identifies the user persona on the centralized directory service, the user's security group memberships can be retrieved. The AAA operator may need to create a mapping that links target security groups from the directory service to the appropriate security groups or access levels on the network device. Once these mappings are configured, authorizations can happen dynamically, based on each user's directory service group membership.
Check Content
Verify the network device is configured to assign appropriate user roles or access levels to authenticated users.

1. Confirm login authentication is configured for a AAA server followed by local authentication.

```
SSH@ICX(config)# show running-config | include (aaa.*login|aaa.*exec)
aaa authentication login default radius local
aaa authorization exec default radius
```

2. Verify local accounts have the desired privilege levels.

```
SSH@ICX# show user
Username   Password                           Encrypt  Priv  Status   Expire Time
==================================================================================
local      $1$b6Mn/o0q$/HIqAT.num4n80Pyd0um7   enabled  0     enabled  Never
```

If a AAA server is used for authentication and the "aaa authorization exec" line is not present, this is a finding.

If a local user account does not have the correct privilege level assigned, this is a finding.
Fix Text
Configure the network device to assign appropriate user roles or access levels to authenticated users.

1. Configure a local account:

```
username [user] privilege [priv_lvl] password [password]
```

where priv_lvl equals:

- 0 – Super User level (full read-write access)
- 4 – Port Configuration level
- 5 – Read Only level

2. Configure a RADIUS (or TACACS+) server:

```
radius-server host x.x.x.x auth-port 1812 acct-port 1813 default key [shared_secret]
```

3. Configure AAA authentication and exec authorization:

```
aaa authentication login default radius local
aaa authorization exec default radius
```
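As an added example (not part of the STIG text or any RUCKUS tool), the following Python script applies the two rules from Check Content to captured command output: rule 1 fails when a AAA server method appears in the login method list but no `aaa authorization exec` line exists, and rule 2 fails when a local account's Priv column differs from the level documented for it. The sample output, the `auditor` account and its hash, and the `EXPECTED_PRIV` map (an assumed site policy) are all constructed.

```python
import re

# Constructed sample output, modelled on the command output quoted in the check
# (not captured from a real device; the "auditor" row and its hash are invented).
CONFIG_OK = """aaa authentication login default radius local
aaa authorization exec default radius
"""
CONFIG_MISSING_AUTHZ = "aaa authentication login default radius local\n"
SHOW_USER = """Username   Password                           Encrypt  Priv  Status   Expire Time
==================================================================================
local      $1$b6Mn/o0q$/HIqAT.num4n80Pyd0um7   enabled  0     enabled  Never
auditor    $1$CONSTRUCTED$CONSTRUCTEDHASHVALUE   enabled  5     enabled  Never
"""

AAA_SERVER_METHODS = {"radius", "tacacs", "tacacs+"}
PRIV_LEVELS = {0: "Super User", 4: "Port Configuration", 5: "Read Only"}
# Assumed site policy: the privilege level each documented local account should hold.
EXPECTED_PRIV = {"local": 0, "auditor": 5}

def aaa_findings(config):
    """Rule 1: a AAA server authenticates logins but exec authorization is absent."""
    # Emulate 'show running-config | include (aaa.*login|aaa.*exec)'.
    lines = [ln.strip() for ln in config.splitlines() if re.search(r"aaa.*login|aaa.*exec", ln)]
    login = [ln for ln in lines if ln.startswith("aaa authentication login")]
    authz = [ln for ln in lines if ln.startswith("aaa authorization exec")]
    methods = {m for ln in login for m in ln.split()[4:]}  # method list after 'default'
    if methods & AAA_SERVER_METHODS and not authz:
        return ["AAA server used for login but 'aaa authorization exec' is not configured"]
    return []

def parse_show_user(output):
    """Parse 'show user' into {username: privilege}; data rows follow the '====' rule."""
    users = {}
    rows = output.splitlines()
    start = next((i for i, ln in enumerate(rows) if ln.startswith("=")), -1) + 1
    for fields in (r.split() for r in rows[start:]):
        if len(fields) >= 4 and fields[3].isdigit():  # Priv is the fourth column
            users[fields[0]] = int(fields[3])
    return users

def priv_findings(users, expected):
    """Rule 2: a local account whose level differs from, or is missing from, the expectation."""
    return [f"{u}: privilege {lvl} ({PRIV_LEVELS.get(lvl, 'unknown')}), expected {expected.get(u, 'none documented')}"
            for u, lvl in users.items() if expected.get(u) != lvl]

def check(config, show_user_output, expected=EXPECTED_PRIV):
    """Both rules over captured output; an empty list means no finding."""
    return aaa_findings(config) + priv_findings(parse_show_user(show_user_output), expected)
```

`check(CONFIG_OK, SHOW_USER)` returns an empty list, while `check(CONFIG_MISSING_AUTHZ, SHOW_USER)` returns the rule 1 finding.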
Additional Identifiers
Rule ID: SV-273784r1111052_rule
Vulnerability ID: V-273784
Group Title: SRG-APP-000033-NDM-000212
CCIs
Number | Definition
---|---
CCI-000213 | Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Controls
Number | Title
---|---
AC-3 | Access Enforcement