The Dell OS10 Switch must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
high	V-270643	SRG-APP-000516	OS10-NDM-000930	SV-270643r1052343_rule	2024-12-11	1

Description
Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device.

Description

Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device.

ℹ️ Check
Review the OS10 switch configuration to verify the device is configured to use at least two authentication servers as primary source for authentication. Verify that multiple radius servers are configured and that AAA login authentication is configured to use remote authentication. OS10# OS10# show running-configuration radius-server radius-server host 10.120.60.23 tls security-profile PROFILE-1 key 9 ** radius-server host 10.120.80.82 tls security-profile PROFILE1 key 9 ** OS10# OS10# show running-configuration aaa ! aaa authentication login default group radius local aaa authentication login console local group radius OS10# If the OS10 switch is not configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access, this is a finding.

ℹ️ Check

Review the OS10 switch configuration to verify the device is configured to use at least two authentication servers as primary source for authentication. Verify that multiple radius servers are configured and that AAA login authentication is configured to use remote authentication. OS10# OS10# show running-configuration radius-server radius-server host 10.120.60.23 tls security-profile PROFILE-1 key 9 **** radius-server host 10.120.80.82 tls security-profile PROFILE1 key 9 **** OS10# OS10# show running-configuration aaa ! aaa authentication login default group radius local aaa authentication login console local group radius OS10# If the OS10 switch is not configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access, this is a finding.

✔️ Fix
Configure the network device to use at least two authentication servers. The authentication order is determined by the order in which the radius-server entries are configured. OS10(config)# OS10(config)# radius-server host 10.120.60.23 tls security-profile PROFILE1 key **************** OS10(config)# radius-server host 10.120.80.82 tls security-profile PROFILE1 key **************** OS10(config)# OS10(config)# aaa authentication login default group radius local OS10(config)# aaa authentication login console group radius local OS10(config)# Configure all network connections associated with a device management to use the authentication servers for the purpose of login authentication. OS10(config)# aaa authentication login default group radius local Optionally, configure the local console access to try local authentication before attempting remote authentication servers. OS10(config)# aaa authentication login console local group radius

✔️ Fix

Configure the network device to use at least two authentication servers. The authentication order is determined by the order in which the radius-server entries are configured. OS10(config)# OS10(config)# radius-server host 10.120.60.23 tls security-profile PROFILE1 key ****************** OS10(config)# radius-server host 10.120.80.82 tls security-profile PROFILE1 key ****************** OS10(config)# OS10(config)# aaa authentication login default group radius local OS10(config)# aaa authentication login console group radius local OS10(config)# Configure all network connections associated with a device management to use the authentication servers for the purpose of login authentication. OS10(config)# aaa authentication login default group radius local Optionally, configure the local console access to try local authentication before attempting remote authentication servers. OS10(config)# aaa authentication login console local group radius