An error occurred:

Check: RCKS-NDM-000920

RUCKUS ICX NDM STIG: RCKS-NDM-000920 (in version v1 r1)

Title

The RUCKUS ICX device must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access. (Cat I impact)

Discussion

Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's RUCKUS ICX devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each RUCKUS ICX device. Satisfies: SRG-APP-000516-NDM-000336, SRG-APP-000700-NDM-000100, SRG-APP-000705-NDM-000110

Check Content

Verify that AAA authentication and authorization are configured along with RADIUS/TACACS+ servers. SSH@ICX#show running-config | include (aaa|radius) aaa authentication dot1x default radius radius-server host x.x.x.x auth-port 1812 acct-port 1813 default key 2 $VWlkRGkt dot1x mac-auth radius-server host y.y.y.y auth-port 1812 acct-port 1813 default key 2 $UGlkRGktdG5v dot1x mac-auth radius-server key 2 $UGlkRGktdG5v aaa authentication login default radius local aaa authorization commands 0 default radius aaa authorization exec default radius If two central authentication servers are not configured, this is a finding.

Fix Text

Configure AAA as needed: radius-server host x.x.x.x auth-port 1812 acct-port 1813 default key [shared_secret] radius-server host y.y.y.y auth-port 1812 acct-port 1813 default key [shared_secret] aaa authentication login default radius local aaa authorization commands 0 default radius aaa authorization exec default radius

Additional Identifiers

Rule ID: SV-273835r1110833_rule

Vulnerability ID: V-273835

Group Title: SRG-APP-000516-NDM-000336

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000370

Manage configuration settings for organization-defined system components using organization-defined automated mechanisms.
CCI-003627

Disable accounts when the accounts have expired.
CCI-003628

Disable accounts when the accounts are no longer associated to a user.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-6(1)

Automated Central Management / Application / Verification