The Cisco switch must be configured to automatically audit account disabling actions.
Account management, as a whole, ensures access to the network device is being controlled in a secure manner by granting access to only authorized personnel. Auditing account disabling actions will support account management procedures. When device management accounts are disabled, user or service accessibility may be affected. Auditing also ensures authorized active accounts remain enabled and available for use when required.
Configure the switch to log account disabling using the following steps: Step 1: Configure the AAA servers as shown in the example below: SW1(config)# radius-server host 10.1.48.10 SW1(config)# radius-server host 10.1.48.12 Step 2: Configure an AAA server group as shown in the example below: SW1(config)# aaa group server radius RADIUS_SERVERS SW1(config-radius)# server 10.1.48.10 SW1(config-radius)# server 10.1.48.12 SW1(config-radius)# exit Step 3: Enable AAA accounting as shown in the example below: SW1(config)# aaa accounting default group RADIUS_SERVERS SW1(config)# end
Review the switch configuration to determine if it automatically audits account disabling. Step 1: Verify that account records will be sent to an AAA server as shown in the example below: aaa accounting default group RADIUS_SERVERS Step 2: Verify that the referenced group name has defined AAA servers that are online. aaa group server radius RADIUS_SERVERS server 10.1.48.10 server 10.1.48.12 Note: Cisco NX-OS devices report configuration activity to TACACS+ or RADIUS servers in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the AAA server. If account disabling is not automatically audited, this is a finding.