STIGQter STIGQter: STIG Summary: Juniper SRX SG NDM Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 26 Jul 2019: The Juniper SRX Services Gateway must be configured to use a centralized authentication server to authenticate privileged users for remote and nonlocal access for device management.

DISA Rule

SV-80939r1_rule

Vulnerability Number

V-66449

Group Title

SRG-APP-000516-NDM-000338

Rule Version

JUSX-DM-000097

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure the Juniper SRX to forward logon requests to a RADIUS or TACACS+. Remove local users configured on the device (CCI-000213) so the AAA server cannot default to using a local account.

[edit]
set system tacplus-server address <server ipaddress> port 1812 secret <shared secret>

or

[edit]
set system radius-server address <server ipaddress> port 1812 secret <shared secret>

Note: DoD policy is that redundant AAA servers are required to mitigate the risk of a failure of the primary AAA device.

Check Contents

Verify the Juniper SRX is configured to forward logon requests to a RADIUS or TACACS+.

From the CLI operational mode enter:
show system radius-server
or
show system tacplus-server

If the Juniper SRX is not configured to use at least one RADIUS or TACACS+ server, this is a finding.

Vulnerability Number

V-66449

Documentable

False

Rule Version

JUSX-DM-000097

Severity Override Guidance

Verify the Juniper SRX is configured to forward logon requests to a RADIUS or TACACS+.

From the CLI operational mode enter:
show system radius-server
or
show system tacplus-server

If the Juniper SRX is not configured to use at least one RADIUS or TACACS+ server, this is a finding.

Check Content Reference

M

Target Key

3039

Comments