AOS must prohibit the use of cached authenticators after an organization-defined time period.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-266959	SRG-APP-000400-NDM-000313	ARBA-ND-000313	SV-266959r1039898_rule	2024-10-29	1

Description
Some authentication implementations can be configured to use cached authenticators. If cached authentication information is out of date, the validity of the authentication information may be questionable. The organization-defined time period should be established for each device depending on the nature of the device; for example, a device with just a few administrators in a facility with spotty network connectivity may merit a longer caching time period than a device with many administrators.

Description

Some authentication implementations can be configured to use cached authenticators. If cached authentication information is out of date, the validity of the authentication information may be questionable. The organization-defined time period should be established for each device depending on the nature of the device; for example, a device with just a few administrators in a facility with spotty network connectivity may merit a longer caching time period than a device with many administrators.

ℹ️ Check
Verify the AOS configuration with the following command: show configuration effective \| include auth-survivability If "aaa auth-survivability enable" is returned and "auth-survivability" is enabled, this is a finding.

✔️ Fix
Configure AOS with the following commands: configure terminal no aaa auth-survivability enable write memory