The Cisco ACI must implement replay-resistant authentication mechanisms for network access to privileged accounts.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-271936 | CACI-ND-000021 | SV-271936r1113837_rule | Medium |
| Description |
| A replay attack may enable an unauthorized user to gain access to the application. authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators. |
| STIG | Date |
| Cisco ACI NDM Security Technical Implementation Guide | 2025-06-13 |
Details
| Check Text (C-75986r1063988_chk) |
| Verify the default fabric TLS Protocol: 1. On the menu bar, choose Fabric >> Fabric Policies. 2. In the Navigation pane, select Policies >> Pod >> Management Access >> default. 3. In the Work pane, find the HTTPS section. 4. For SSL Protocols, verify the box for TLS 1.2 or higher is checked. Verify other SSL or TLS versions are not checked. If the Cisco ACI fabric does not implement TLS 1.2 or higher for authentication for network access to privileged accounts, this is a finding. |
| Fix Text (F-75893r1063989_fix) |
| Configure the default fabric TLS Protocol: 1. On the menu bar, choose Fabric >> Fabric Policies. 2. In the Navigation pane, choose Policies >> Pod >> Management Access >> default. 3. In the Work pane, find the HTTPS section. 4. For SSL Protocols, check the boxes for TLS 1.2 or higher. Uncheck or leave unchecked for any other SSL or TLS version. |