The network device must be configured to use an authentication server to authenticate users prior to granting administrative access.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
high | V-255963 | SRG-APP-000516-NDM-000336 | ARST-ND-000810 | SV-255963r961863_rule | 2025-02-20 | 2 |
Description |
---|
Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is a particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and leaves system administrators managing a separate authenticator for each network device. |
ℹ️ Check |
---|
Verify the Arista network device is configured to use an authentication server as the primary source for authentication. Verify the Arista network device configuration for the RADIUS server IP, aaa group server, and defined encryption key using the following example commands:

```
switch#show running-config | section radius
radius-server host 192.168.10.101 key 7 106D1A182224E12AZ
!
aaa group server radius RADIUS_1
   server 192.168.10.101
!
switch#show running-config | section aaa
aaa authentication login default group radius local
aaa authentication login console group radius local
aaa authentication dot1x default group radius
aaa authentication policy on-success log
aaa authentication policy on-failure log
aaa authorization console
aaa authorization commands all default local
aaa accounting exec default start-stop group radius logging
aaa accounting system default start-stop group radius logging
aaa accounting commands all default start-stop logging group radius
```

If the Arista network device is not configured to use an authentication server to authenticate users prior to granting administrative access, this is a finding.
✔️ Fix |
---|
Configure the Arista network device to use an authentication server.

Step 1: Configure the Arista network device to use a RADIUS server using the following commands:

```
switch#config
switch(config)#radius-server host 192.168.10.101 key 7 106D1A182224E12AZ
aaa group server radius RADIUS_1
   server 192.168.10.101
```

Step 2: Configure all network connections associated with device management to use an authentication server for login authentication:

```
switch(config)#aaa authentication login default group radius local
aaa authentication login console group radius local
aaa authentication dot1x default group radius
aaa authentication policy on-success log
aaa authentication policy on-failure log
aaa authorization console
aaa authorization commands all default local
aaa accounting exec default start-stop group radius logging
aaa accounting system default start-stop group radius logging
aaa accounting commands all default start-stop logging group radius
switch(config)#exit
```
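An added example, not part of the STIG or of Arista's tooling: a Python checker that evaluates the Check criteria above against saved `show running-config` text, so the Fix can be verified at scale from an offline config archive. The sample config, the function names `parse_config` and `check_arst_nd_000810`, and the rule that the built-in `group radius` only counts when at least one keyed RADIUS host exists are this example's own assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of Arista EOS "show running-config" output, modelled on
# the STIG check text above; it was not captured from a real device.
SAMPLE_CONFIG = """\
radius-server host 192.168.10.101 key 7 106D1A182224E12AZ
!
aaa group server radius RADIUS_1
   server 192.168.10.101
!
aaa authentication login default group radius local
aaa authentication login console group radius local
aaa authorization console
"""

def parse_config(text: str) -> Tuple[Set[str], Dict[str, List[str]], Dict[str, List[str]]]:
    """Collect keyed RADIUS hosts, named RADIUS server groups and login method lists."""
    hosts: Set[str] = set()
    groups: Dict[str, List[str]] = {}
    login: Dict[str, List[str]] = {}
    block = None                      # server list of the group block we are inside
    for line in text.splitlines():
        if not line.startswith(" "):
            block = None              # any unindented line ends the group block
        if m := re.match(r"^radius-server host (\S+) .*\bkey\b", line):
            hosts.add(m.group(1))     # only hosts configured with a key count
        elif m := re.match(r"^aaa group server radius (\S+)$", line):
            block = groups.setdefault(m.group(1), [])
        elif (m := re.match(r"^\s+server (\S+)", line)) and block is not None:
            block.append(m.group(1))
        elif m := re.match(r"^aaa authentication login (\S+) (.+)$", line):
            login[m.group(1)] = m.group(2).split()
    return hosts, groups, login

def check_arst_nd_000810(text: str) -> List[str]:
    """Return findings for the rule; an empty list means the check passes."""
    hosts, groups, login = parse_config(text)
    findings: List[str] = []
    if not hosts:
        findings.append("no radius-server host with an encryption key is configured")
    # Assumption: "group radius" is the built-in group of all configured RADIUS
    # servers; a named group only counts if it references a configured host.
    usable = {"radius"} if hosts else set()
    usable |= {g for g, servers in groups.items() if any(s in hosts for s in servers)}
    if "default" not in login:
        findings.append("no 'aaa authentication login default' method list")
    for name, methods in login.items():
        # The first method must be a server group, never 'local' or 'none'.
        if len(methods) < 2 or methods[0] != "group" or methods[1] not in usable:
            findings.append(f"login list '{name}' does not authenticate against a server first")
    return findings
```

Run it over each archived running-config and treat any non-empty result as a finding for this rule.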