Free DISA STIG and SRG Library | Vaulted

V-74079

Administrative accounts for device management must be configured on the authentication server and not the Cisco IOS XE router itself (except for the emergency administration account).

Finding ID
CISR-ND-000134
Rule ID
SV-88753r2_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000516-NDM-000336
CCI
CCI-000370
Target Key
(None)
Documentable
No
Discussion

The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion. Administrative accounts for network device management must be configured on the authentication server and not the network device itself. The only exception is for the emergency administration account (also known as the account of last resort), which is configured locally on each device. Note that more than one emergency administration account may be permitted if approved.

Fix Text

Configure the Cisco IOS XE router to use multiple authentication servers. The configuration should look similar to the example below: aaa authentication login default radius radius server RADIUS1 address ipv4 1.1.1.1 key <pre-shared key>

Check Content

Verify that administrative accounts are configured on the authentication server. The configuration should look similar to the example below: aaa authentication login default radius radius server RADIUS1 address ipv4 1.1.1.1 key <pre-shared key> If administrative accounts are not configured on the authentication server, this is a finding.