AOS must implement replay-resistant authentication mechanisms for network access to privileged accounts.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-266930	SRG-APP-000156-NDM-000250	ARBA-ND-000250	SV-266930r1039811_rule	2024-10-29	1

Description
A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., Transport Layer Security [TLS], Web Services Security [WS_Security]). Additional techniques include time-synchronous or challenge-response one-time authenticators.

Description

A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., Transport Layer Security [TLS], Web Services Security [WS_Security]). Additional techniques include time-synchronous or challenge-response one-time authenticators.

ℹ️ Check
Verify the AOS configuration using the web interface: 1. Navigate to Configuration >> System >> Admin and expand "Admin Authentication Options". 2. Verify what "Server group" is handling admin authentication. 3. Expand "Admin Authentication Servers". 4. Select the Server Group identified from the "Options" section. 5. Verify that each authentication server configured in Server Group <server group name> is configured with secure LDAP using port 636 and connection type ldap-s. If each management authentication server is not configured to use secure LDAP, this is a finding.

ℹ️ Check

Verify the AOS configuration using the web interface: 1. Navigate to Configuration >> System >> Admin and expand "Admin Authentication Options". 2. Verify what "Server group" is handling admin authentication. 3. Expand "Admin Authentication Servers". 4. Select the Server Group identified from the "Options" section. 5. Verify that each authentication server configured in Server Group <server group name> is configured with secure LDAP using port 636 and connection type ldap-s. If each management authentication server is not configured to use secure LDAP, this is a finding.

✔️ Fix
Configure AOS using the web interface: 1. Navigate to Configuration >> System >> Admin and expand "Admin Authentication Servers". 2. Click on the plus sign (+) under "All Servers" and configure the type of authentication server. Provide the Name, Type, and IP address. Click "Submit". 3. Select the created authentication server and configure the required attributes for LDAP: Admin-dn <username> Admin-passwd <password> Re-type admin-passwd <password> Auth port: 636 Base-dn: cn/ou=<container>,dc=<level>,dc=<mil> Key-attribute: userPrincipalName 4. Click "Submit". 5. Repeat this process and configure a second authentication server. 6. Click Pending Changes >> Deploy Changes. 7. Click on the plus sign (+) under "Server Groups" and add a server group. Click "Submit". 8. Select the created server group and click the plus sign (+) in the Server Group <server group name> box. 9. Add the first configured authentication server. 10. Reselect the created server group and click the plus sign (+) in the Server Group <server group name> box. 11. Click Submit >> Pending Changes >> Deploy Changes. 12. Expand "Admin Authentication Options". Select the Server group created earlier. 13. Click Submit >> Pending Changes >> Deploy Changes.

✔️ Fix

Configure AOS using the web interface: 1. Navigate to Configuration >> System >> Admin and expand "Admin Authentication Servers". 2. Click on the plus sign (+) under "All Servers" and configure the type of authentication server. Provide the Name, Type, and IP address. Click "Submit". 3. Select the created authentication server and configure the required attributes for LDAP: Admin-dn <username> Admin-passwd <password> Re-type admin-passwd <password> Auth port: 636 Base-dn: cn/ou=<container>,dc=<level>,dc=<mil> Key-attribute: userPrincipalName 4. Click "Submit". 5. Repeat this process and configure a second authentication server. 6. Click Pending Changes >> Deploy Changes. 7. Click on the plus sign (+) under "Server Groups" and add a server group. Click "Submit". 8. Select the created server group and click the plus sign (+) in the Server Group <server group name> box. 9. Add the first configured authentication server. 10. Reselect the created server group and click the plus sign (+) in the Server Group <server group name> box. 11. Click Submit >> Pending Changes >> Deploy Changes. 12. Expand "Admin Authentication Options". Select the Server group created earlier. 13. Click Submit >> Pending Changes >> Deploy Changes.