STIGQter: STIG Summary: Cisco IOS Switch NDM Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The Cisco switch must be configured to use an authentication server to authenticate users prior to granting administrative access.

DISA Rule

SV-220617r521267_rule

Vulnerability Number

V-220617

Group Title

SRG-APP-000516-NDM-000336

Rule Version

CISC-ND-001370

Severity

CAT I

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.
• CCI-000370 - The organization employs automated mechanisms to centrally manage configuration settings for organization-defined information system components.

Weight

10

Fix Recommendation

Step 1: Configure the Cisco switch to use an authentication server as shown in the example below:

SW4(config)#radius host 10.1.48.2 key xxxxxx

Step 2: Configure the authentication order to use the authentication server as the primary source for authentication as shown in the example below:

SW4(config)#aaa authentication login LOGIN_AUTHENTICATION group radius local

Step 3: Configure all network connections associated with device management to use an authentication server for login authentication:

SW4(config)#line vty 0 4
SW4(config-line)#login authentication LOGIN_AUTHENTICATION
SW4(config-line)#exit
SW4(config)#line con 0
SW4(config-line)#login authentication LOGIN_AUTHENTICATION
SW4(config-line)#exit
SW4(config)#ip http authentication aaa login-authentication LOGIN_AUTHENTICATION

Check Contents

Review the Cisco switch configuration to verify that the device is configured to use an authentication server as the primary source for authentication as shown in the example below:

aaa new-model
!
aaa authentication login LOGIN_AUTHENTICATION group radius local
…
…
…
ip http authentication aaa login-authentication LOGIN_AUTHENTICATION
ip http secure-server
…
…
…
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key xxxxxxx
…
…
…
line con 0
exec-timeout 10 0
login authentication LOGIN_AUTHENTICATION
line vty 0 4
exec-timeout 10 0
login authentication LOGIN_AUTHENTICATION

If the Cisco switch is not configured to use an authentication server to authenticate users prior to granting administrative access, this is a finding.

Vulnerability Number

V-220617

Documentable

False

Rule Version

CISC-ND-001370

Severity Override Guidance

Review the Cisco switch configuration to verify that the device is configured to use an authentication server as the primary source for authentication as shown in the example below:

aaa new-model
!
aaa authentication login LOGIN_AUTHENTICATION group radius local
…
…
…
ip http authentication aaa login-authentication LOGIN_AUTHENTICATION
ip http secure-server
…
…
…
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key xxxxxxx
…
…
…
line con 0
exec-timeout 10 0
login authentication LOGIN_AUTHENTICATION
line vty 0 4
exec-timeout 10 0
login authentication LOGIN_AUTHENTICATION

If the Cisco switch is not configured to use an authentication server to authenticate users prior to granting administrative access, this is a finding.

Check Content Reference

M

Target Key

4069

Comments