STIGQter: STIG Summary: Cisco ISE NAC Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 13 Apr 2021

Before establishing a connection with a Network Time Protocol (NTP) server, the Cisco ISE must authenticate using a bidirectional, cryptographically based authentication method that uses a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the NTP server.

DISA Rule

SV-242603r714119_rule

Vulnerability Number

V-242603

Group Title

SRG-NET-000550-NAC-002470

Rule Version

CSCO-NC-000290

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the NTP server to be authenticated.

From the CLI:
1. Type "configure terminal".
2. Define an NTP authentication key: "ntp authentication-key <KEY Number> md5 plain <NTP KEY>".
3. Define an NTP server and associate it with the configured NTP key: "ntp server <IP> key <KEY Number>".
4. Type "exit" and press "Enter".
5. Type "write memory" and press "Enter".

If a domain controller is used for NTP, then a key cannot be used as Windows servers do not support NTP keys.

Note: Each ISE node must be individually checked as NTP settings are local to each appliance.
Note: There are NTP settings in the GUI; however, it is recommended to use the NTP setting solely in CLI to prevent issues.

Check Contents

Verify the NTP settings to ensure NTP is authenticated.

From the CLI:
1. Type "show running-config | in ntp".
2. Verify that each defined NTP server has a key on the same line defining the server and make a note of the key number.
3. Verify that each NTP Key number used is created.

If there is an NTP source without an NTP key defined and it is a domain controller, this is not a finding, as Windows servers do not support NTP keys.

If there are any other NTP sources that do not use a defined key, this is a finding.

Note: Each ISE node must be individually checked as NTP settings are local to each appliance.
Note: There are NTP settings in the GUI; however, it is recommended to use the NTP setting solely in CLI to prevent issues.
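The following script, added here and not part of the STIG or of STIGQter, automates the check above over captured "show running-config | in ntp" output: it flags any NTP server with no key, or whose key number is never defined, and exempts domain controllers. The line formats, the sample addresses and the domain-controller list are assumptions.

```python
import re

# Constructed sample of "show running-config | in ntp" output (not captured
# from a real appliance); the line syntax is an assumption about ISE config.
SAMPLE_CONFIG = """\
ntp server 192.0.2.10 key 1
ntp server 192.0.2.11
ntp server 192.0.2.12 key 7
ntp server 192.0.2.20
ntp authentication-key 1 md5 hash 0123456789abcdef
"""

# Constructed list of hosts known to be Windows domain controllers; the STIG
# exempts these because Windows NTP does not support keys.
DOMAIN_CONTROLLERS = {"192.0.2.20"}

SERVER_RE = re.compile(r"^ntp server (\S+)(?: key (\d+))?\s*$")
KEY_RE = re.compile(r"^ntp authentication-key (\d+) ")


def audit_ntp(config_text, domain_controllers=frozenset()):
    """Return a list of (server, reason) findings for CSCO-NC-000290.

    A server is a finding if it has no key and is not a domain controller,
    or if it references a key number that is never defined.
    """
    servers = {}        # server address -> key number (or None)
    defined_keys = set()
    for line in config_text.splitlines():
        line = line.strip()
        m = SERVER_RE.match(line)
        if m:
            servers[m.group(1)] = m.group(2)
            continue
        m = KEY_RE.match(line)
        if m:
            defined_keys.add(m.group(1))
    findings = []
    for server, key in servers.items():
        if key is None:
            if server not in domain_controllers:
                findings.append((server, "no NTP key configured"))
        elif key not in defined_keys:
            findings.append((server, f"references undefined key {key}"))
    return findings


if __name__ == "__main__":
    for server, reason in audit_ntp(SAMPLE_CONFIG, DOMAIN_CONTROLLERS):
        print(f"FINDING: {server}: {reason}")
```

Run it once per ISE node, since NTP settings are local to each appliance.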

Vulnerability Number

V-242603

Documentable

False

Rule Version

CSCO-NC-000290

Severity Override Guidance

Verify the NTP settings to ensure NTP is authenticated.

From the CLI:
1. Type "show running-config | in ntp".
2. Verify that each defined NTP server has a key on the same line defining the server and make a note of the key number.
3. Verify that each NTP Key number used is created.

If there is an NTP source without an NTP key defined and it is a domain controller, this is not a finding, as Windows servers do not support NTP keys.

If there are any other NTP sources that do not use a defined key, this is a finding.

Note: Each ISE node must be individually checked as NTP settings are local to each appliance.
Note: There are NTP settings in the GUI; however, it is recommended to use the NTP setting solely in CLI to prevent issues.

Check Content Reference

M

Target Key

5383

Comments