The F5 BIG-IP appliance must be configured to use at least two authentication servers to authenticate administrative users.

Severity: high
Group ID: V-266079
Group Title: SRG-APP-000516-NDM-000336
Version: F5BI-DM-300040
Rule ID: SV-266079r1024884_rule
Date: 2024-09-20
STIG Version: 1
Description
Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is a particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and burdens system administrators with multiple authenticators for each network device.
Check

From the BIG-IP GUI:

RADIUS:
1. System.
2. Users.
3. Authentication.
4. If "User Directory" is configured for "Remote - RADIUS", verify different Primary and Secondary Hosts exist in the configuration.
Note: To view Primary and Secondary Hosts, the "Server Configuration" must be set to "Primary & Secondary".

TACACS+:
1. System.
2. Users.
3. Authentication.
4. If "User Directory" is configured for "Remote - TACACS+", verify multiple servers exist in the configuration.
5. Verify "Authentication" is set to "Authenticate to each server until success".

If the BIG-IP appliance is not configured to use at least two authentication servers to authenticate administrative users, this is a finding.
Fix

From the BIG-IP GUI:

RADIUS:
1. System.
2. Users.
3. Authentication.
4. If "User Directory" is configured for "Remote - RADIUS", click "Change" at the bottom.
5. Configure values for Primary and Secondary servers.
Note: To view Primary and Secondary Hosts, the "Server Configuration" must be set to "Primary & Secondary".
6. Click "Finished".

TACACS+:
1. System.
2. Users.
3. Authentication.
4. If "User Directory" is configured for "Remote - TACACS+", click "Change" at the bottom.
5. Add multiple IP Addresses to the "Servers" field.
6. Set "Authentication" to "Authenticate to each server until success".
7. Click "Finished".
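As an added example (not part of this STIG and not F5's own tooling), the following Python check applies the rule's Check criteria to a text dump of the remote-auth configuration, so the evaluation can be repeated across many devices. It assumes a tmsh-style text layout and the TACACS+ mode value names use-all-servers and use-first-server (both assumptions to verify against your device's actual output); the sample configuration is constructed.

```python
import re

# Constructed sample of tmsh-style output (assumed format): two RADIUS server
# objects that point at the SAME host, and a TACACS+ block with two servers but
# first-server-only authentication. Both are findings under this rule.
SAMPLE_CONFIG = """auth radius system-auth {
    servers { system_auth_name1 system_auth_name2 }
}
auth radius-server system_auth_name1 {
    server 192.0.2.10
}
auth radius-server system_auth_name2 {
    server 192.0.2.10
}
auth tacacs system-auth {
    authentication use-first-server
    servers { 192.0.2.20 192.0.2.21 }
}
"""

def parse_blocks(text):
    """Map (kind, name) -> body for every 'auth <kind> <name> { ... }' block."""
    return {(m.group(1), m.group(2)): m.group(3)
            for m in re.finditer(r"auth (\S+) (\S+) \{(.*?)\n\}", text, re.S)}

def listed_servers(body):
    m = re.search(r"servers \{([^}]*)\}", body)
    return m.group(1).split() if m else []

def check_v266079(text):
    """Return (status, findings): status is 'Open', 'NotAFinding' or 'Not_Applicable'."""
    blocks, findings = parse_blocks(text), []
    radius = blocks.get(("radius", "system-auth"))
    tacacs = blocks.get(("tacacs", "system-auth"))
    if radius is None and tacacs is None:
        return "Not_Applicable", []  # no remote User Directory configured
    if radius is not None:
        # Resolve server-object names to hosts and count DISTINCT hosts, so a
        # Primary and Secondary that name the same host do not count as two.
        hosts = {m.group(1) for n in listed_servers(radius)
                 if (m := re.search(r"\bserver (\S+)", blocks.get(("radius-server", n), "")))}
        if len(hosts) < 2:
            findings.append("RADIUS: Primary and Secondary must be two different hosts")
    if tacacs is not None:
        if len(set(listed_servers(tacacs))) < 2:
            findings.append("TACACS+: fewer than two servers configured")
        mode = re.search(r"authentication (\S+)", tacacs)
        if not mode or mode.group(1) != "use-all-servers":
            findings.append("TACACS+: must authenticate to each server until success")
    return ("Open" if findings else "NotAFinding"), findings
```

Feed it the saved output of the device's auth configuration; a status of "Open" lists each criterion from the Check section that was not met.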