AOS must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
high	V-266970	SRG-APP-000516-NDM-000336	ARBA-ND-000336	SV-266970r1039931_rule	2024-10-29	1

Description
Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device.

Description

Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device.

ℹ️ Check
Verify the AOS configuration using the web interface: 1. Navigate to Configuration >> System >> Admin and expand "Admin Authentication Options". 2. Verify what "Server group" is handling admin authentication. 3. Expand "Admin Authentication Servers". 4. Select the Server Group identified from the "Options" section. 5. Verify that at least two authentication servers are configured in the Server Group. If the admin authentication server group does not have at least two configured authentication servers, this is a finding.

ℹ️ Check

Verify the AOS configuration using the web interface: 1. Navigate to Configuration >> System >> Admin and expand "Admin Authentication Options". 2. Verify what "Server group" is handling admin authentication. 3. Expand "Admin Authentication Servers". 4. Select the Server Group identified from the "Options" section. 5. Verify that at least two authentication servers are configured in the Server Group. If the admin authentication server group does not have at least two configured authentication servers, this is a finding.

✔️ Fix
Configure AOS using the web interface: 1. Navigate to Configuration >> System >> Admin and expand "Admin Authentication Servers". 2. Click on the plus sign (+) under "All Servers" and configure the type of authentication server. Provide the Name, Type, and IP address. Click "Submit". 3. Select the created authentication server and configure the required attributes for LDAP: Admin-dn <username> Admin-passwd <password> Re-type admin-passwd <password> Auth port: 636 Base-dn: cn/ou=<container>,dc=<level>,dc=<mil> Key-attribute: userPrincipalName 4. Click "Submit". 5. Repeat this process and configure a second authentication server. 6. Click Pending Changes >> Deploy Changes. 7. Click on the plus sign (+) under "Server Groups" and add a server group. Click "Submit". 8. Select the created server group and click the plus sign (+) in the Server Group <server group name> box. 9. Add the first configured authentication server. 10. Reselect the created server group and click the plus sign (+) in the Server Group <server group name> box. Click "Submit". 11. Expand "Admin Authentication Options" and select the created server group under "Server group:". 12. Click Submit >> Pending Changes >> Deploy Changes.

✔️ Fix

Configure AOS using the web interface: 1. Navigate to Configuration >> System >> Admin and expand "Admin Authentication Servers". 2. Click on the plus sign (+) under "All Servers" and configure the type of authentication server. Provide the Name, Type, and IP address. Click "Submit". 3. Select the created authentication server and configure the required attributes for LDAP: Admin-dn <username> Admin-passwd <password> Re-type admin-passwd <password> Auth port: 636 Base-dn: cn/ou=<container>,dc=<level>,dc=<mil> Key-attribute: userPrincipalName 4. Click "Submit". 5. Repeat this process and configure a second authentication server. 6. Click Pending Changes >> Deploy Changes. 7. Click on the plus sign (+) under "Server Groups" and add a server group. Click "Submit". 8. Select the created server group and click the plus sign (+) in the Server Group <server group name> box. 9. Add the first configured authentication server. 10. Reselect the created server group and click the plus sign (+) in the Server Group <server group name> box. Click "Submit". 11. Expand "Admin Authentication Options" and select the created server group under "Server group:". 12. Click Submit >> Pending Changes >> Deploy Changes.