DISA STIGS Viewer

AOS must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.

Overview

Finding ID Version Rule ID IA Controls Severity
V-266970 ARBA-ND-000336 SV-266970r1039931_rule   High
Description
Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device.
STIG Date
HPE Aruba Networking AOS NDM Security Technical Implementation Guide 2024-10-29

Details

Check Text (C-70894r1039929_chk)
Verify the AOS configuration using the web interface:

1. Navigate to Configuration >> System >> Admin and expand "Admin Authentication Options".
2. Verify what "Server group" is handling admin authentication.
3. Expand "Admin Authentication Servers".
4. Select the Server Group identified from the "Options" section.
5. Verify that at least two authentication servers are configured in the Server Group.

If the admin authentication server group does not have at least two configured authentication servers, this is a finding.
Fix Text (F-70797r1039930_fix)
Configure AOS using the web interface:

1. Navigate to Configuration >> System >> Admin and expand "Admin Authentication Servers".
2. Click on the plus sign (+) under "All Servers" and configure the type of authentication server. Provide the Name, Type, and IP address. Click "Submit".
3. Select the created authentication server and configure the required attributes for LDAP:

Admin-dn <username>
Admin-passwd <password>
Re-type admin-passwd <password>
Auth port: 636
Base-dn: cn/ou=<container>,dc=<level>,dc=<mil>
Key-attribute: userPrincipalName

4. Click "Submit".
5. Repeat this process and configure a second authentication server.
6. Click Pending Changes >> Deploy Changes.
7. Click on the plus sign (+) under "Server Groups" and add a server group. Click "Submit".
8. Select the created server group and click the plus sign (+) in the Server Group <server group name> box.
9. Add the first configured authentication server.
10. Reselect the created server group and click the plus sign (+) in the Server Group <server group name> box. Click "Submit".
11. Expand "Admin Authentication Options" and select the created server group under "Server group:".
12. Click Submit >> Pending Changes >> Deploy Changes.