The F5 BIG-IP appliance must be configured to use at least two authentication servers to authenticate administrative users.

Overview

Finding ID: V-266079
Version: F5BI-DM-300040
Rule ID: SV-266079r1024884_rule
IA Controls: (none listed)
Severity: High
Description
Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important as protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative, defining administrator accounts on each device, exposes the device configuration to remote-access authentication attacks and leaves system administrators holding a separate set of authenticators for each network device. Requiring at least two authentication servers keeps that centralized path available when one server is unreachable, so the loss of a single server does not force a fallback to local accounts.
STIG: F5 BIG-IP TMOS NDM Security Technical Implementation Guide
Date: 2025-06-12

Details

Check Text (C-70002r1024882_chk)
From the BIG-IP GUI:
RADIUS:
1. System.
2. Users.
3. Authentication.
4. If "User Directory" is configured for "Remote - RADIUS", verify different Primary and Secondary Hosts exist in the configuration.
Note: To view Primary and Secondary Hosts, the "Server Configuration" must be set to "Primary & Secondary".

TACACS+:
1. System.
2. Users.
3. Authentication.
4. If "User Directory" is configured for "Remote - TACACS+", verify multiple servers exist in the configuration.
5. Verify "Authentication" is set to "Authenticate to each server until success".

If the BIG-IP appliance is not configured to use at least two authentication servers to authenticate administrative users, this is a finding.
Fix Text (F-69905r1024883_fix)
From the BIG-IP GUI:
RADIUS:
1. System.
2. Users.
3. Authentication.
4. If "User Directory" is configured for "Remote - RADIUS", click "Change" at the bottom.
5. Configure values for Primary and Secondary servers.
Note: To view Primary and Secondary Hosts, the "Server Configuration" must be set to "Primary & Secondary".
6. Click "Finished".

TACACS+:
1. System.
2. Users.
3. Authentication.
4. If "User Directory" is configured for "Remote - TACACS+", click "Change" at the bottom.
5. Add multiple IP Addresses to the "Servers" field.
6. Set "Authentication" to "Authenticate to each server until success".
7. Click "Finished".
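The GUI steps in the Check Text and Fix Text above have a command-line counterpart. The script below is an added example, not DISA or F5 code: it applies the same conditions as the check text to the listings an auditor would collect with `tmsh list auth source`, `tmsh list auth radius-server` and `tmsh list auth tacacs`, and prints PASS or a finding. The listings embedded in it are constructed samples in tmsh's brace format (RFC 5737 addresses, placeholder secrets), not output captured from a device, and the property names it parses (`type`, `server`, `servers`, `authentication use-all-servers`) are assumed to match the listing format of current TMOS; verify them against your own device's output before relying on the script.

```shell
#!/bin/sh
# Added audit helper for STIG V-266079 (F5BI-DM-300040); not DISA or F5 code.
# Inputs on a real BIG-IP would be the output of:
#   tmsh list auth source
#   tmsh list auth radius-server
#   tmsh list auth tacacs
# Every listing below is a CONSTRUCTED sample in tmsh's brace format.

# Distinct entries of a "servers { ... }" block.  Arg: listing text.
distinct_servers() {
    printf '%s\n' "$1" | tr '\n' ' ' \
        | sed -n 's/.*servers {\([^}]*\)}.*/\1/p' \
        | tr ' ' '\n' | sed '/^$/d' | sort -u | wc -l | tr -d ' '
}

# Distinct RADIUS hosts.  The RADIUS "servers" list names radius-server
# objects, and two names can point at one host, so count the "server <addr>"
# property of the objects instead; that is the check text's "different
# Primary and Secondary Hosts".  Arg: radius-server listing.
distinct_radius_hosts() {
    printf '%s\n' "$1" | awk '$1 == "server" { print $2 }' | sort -u | wc -l | tr -d ' '
}

# TACACS+ mode: "use-all-servers" is assumed to be the tmsh spelling of the
# GUI option "Authenticate to each server until success".  Arg: tacacs listing.
tacacs_auth_mode() {
    printf '%s\n' "$1" | awk '$1 == "authentication" { print $2 }'
}

# User directory type (local, radius, tacacs, ...).  Arg: auth source listing.
auth_source_type() {
    printf '%s\n' "$1" | awk '$1 == "type" { print $2 }'
}

# Verdict for V-266079.  Args: auth source, radius-server, tacacs listings.
# Prints PASS, FINDING: <reason> or MANUAL; exit status 0 only on PASS.
evaluate_v266079() {
    case "$(auth_source_type "$1")" in
        radius)
            if [ "$(distinct_radius_hosts "$2")" -ge 2 ]; then echo PASS; return 0; fi
            echo "FINDING: fewer than two distinct RADIUS hosts"; return 1 ;;
        tacacs)
            if [ "$(distinct_servers "$3")" -lt 2 ]; then
                echo "FINDING: fewer than two TACACS+ servers"; return 1
            fi
            if [ "$(tacacs_auth_mode "$3")" != "use-all-servers" ]; then
                echo "FINDING: TACACS+ authentication is not use-all-servers"; return 1
            fi
            echo PASS; return 0 ;;
        local)
            echo "FINDING: administrators authenticate against local accounts only"; return 1 ;;
        *)
            echo "MANUAL: check text covers only RADIUS and TACACS+"; return 2 ;;
    esac
}

# ---- constructed samples (not captured from a device) ---------------------
SOURCE_RADIUS='auth source {
    type radius
}'
SOURCE_TACACS='auth source {
    type tacacs
}'
RADIUS_TWO_HOSTS='auth radius-server system_auth_name1 {
    secret $M$placeholder
    server 192.0.2.10
}
auth radius-server system_auth_name2 {
    secret $M$placeholder
    server 192.0.2.11
}'
# Two objects, one host: two entries in the servers list, still a finding.
RADIUS_SAME_HOST='auth radius-server system_auth_name1 {
    secret $M$placeholder
    server 192.0.2.10
}
auth radius-server system_auth_name2 {
    secret $M$placeholder
    server 192.0.2.10
}'
TACACS_OK='auth tacacs system-auth {
    authentication use-all-servers
    protocol ip
    secret $M$placeholder
    servers { 192.0.2.20 192.0.2.21 }
    service ppp
}'
TACACS_FIRST_ONLY='auth tacacs system-auth {
    authentication use-first-server
    protocol ip
    secret $M$placeholder
    servers { 192.0.2.20 192.0.2.21 }
    service ppp
}'

# Stand-alone demonstration ("|| :" keeps a finding from aborting the run).
printf 'RADIUS, two hosts:       '; evaluate_v266079 "$SOURCE_RADIUS" "$RADIUS_TWO_HOSTS" "" || :
printf 'RADIUS, same host twice: '; evaluate_v266079 "$SOURCE_RADIUS" "$RADIUS_SAME_HOST" "" || :
printf 'TACACS+, all servers:    '; evaluate_v266079 "$SOURCE_TACACS" "" "$TACACS_OK" || :
printf 'TACACS+, first only:     '; evaluate_v266079 "$SOURCE_TACACS" "" "$TACACS_FIRST_ONLY" || :
```

On the appliance itself, replace the sample variables with the real listings (for example `SOURCE="$(tmsh list auth source)"`) and call `evaluate_v266079` the same way. The RADIUS branch deliberately counts host addresses rather than entries in the `servers` list, since two `radius-server` objects pointing at the same host satisfy a naive "two entries" count but not the rule. For the TACACS+ fix, step 6 of the Fix Text corresponds, as far as I know, to `tmsh modify auth tacacs system-auth authentication use-all-servers`; confirm the exact syntax against the tmsh reference for your TMOS version.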