The Remote Access VPN Gateway must use a separate authentication server (e.g., Lightweight Directory Access Protocol [LDAP], Remote Authentication Dial-In User Service [RADIUS], Terminal Access Controller Access-Control System+ [TACACS+]) to perform user authentication.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
medium | V-266994 | SRG-NET-000166-VPN-000580 | ARBA-VN-000580 | SV-266994r1040748_rule | 2024-10-29 | 1 |
Description |
---|
The VPN interacts directly with public networks and devices and should not contain user authentication information for all users. Authentication, Authorization, and Accounting (AAA) network security services provide the primary framework through which a network administrator can set up access control and authorization on network points of entry or network access servers. It is not advisable to configure access control on the VPN gateway or remote access server. Separation of services provides added assurance to the network if the access control server is compromised. |
ℹ️ Check |
---|

Verify the AOS configuration with the following commands:

1. List the VIA authentication profiles. Note each referenced VIA authentication profile:

        show aaa authentication via auth-profile

2. For each referenced VIA authentication profile, note the server-group:

        show aaa authentication via auth-profile <name>

3. For each server-group, list the authentication servers it contains:

        show aaa server-group <name>

If the remote access authentication profile is not set to use a separate authentication server, this is a finding.
✔️ Fix |
---|

Configure AOS with the following commands:

1. Generate a certificate signing request (CSR) and display it:

        crypto pki csr ec curve_name secp384r1 common_name <common_name> country <US> state_or_province <state> city <city> organization <org> unit <unit> email <email>
        show crypto pki csr

2. Use DOD PKI to generate a public certificate based on the CSR.
3. Using the web GUI, navigate to Configuration >> System >> Certificates >> Import Certificates.
4. Click the plus sign (+), enter "Certificate name:", browse to the public certificate file, choose the appropriate format, select Certificate type: "ServerCert", and click "Submit".
5. Click Pending Changes >> Deploy Changes.

Continue configuring with the CLI, one command per line (the exit and write memory lines are part of the sequence):

    configure terminal
    crypto-local isakmp ca-certificate <CA certificate name>
    crypto-local isakmp certificate-group server-certificate <EC certificate name> ca-certificate <CA certificate name>
    write memory
    crypto dynamic-map <name> <priority>
    version v2
    set pfs group20
    set transform-set default-gcm256
    set security-association lifetime seconds 28800
    exit
    write memory
    aaa authentication-server radius <name>
    host <A.B.C.D or X:X:X:X::X or hostname>
    key <preshared key>
    enable
    exit
    write memory
    aaa server-group <name>
    auth-server <name>
    exit
    write memory
    ip access-list session <name>
    any any any permit
    ipv6 any any any permit
    exit
    write memory
    user-role <name>
    access-list session <name>
    exit
    write memory
    aaa authentication via auth-profile <name>
    default-role <name>
    client-cert-enable
    server-group <name>
    exit
    write memory
    aaa authentication via connection-profile <name>
    auth-profile <name>
    enable-fips
    ikev2-policy 10009
    ikev2-proto
    ikev2auth eap-tls
    ipsecv2-cryptomap map <name> number <priority>
    max-timeout value <0-65535>
    suiteb-crypto
    validate-server-cert
    exit
    write memory
    aaa authentication via web-auth default
    auth-profile <name>
    exit
    write memory
    user-role <name>
    via <name>
    exit
    write memory
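
The following Python script is an added example; it is not part of the STIG text and not an Aruba tool. It applies the Check above offline to a saved AOS configuration written in the CLI syntax the Fix uses (aaa authentication-server radius/ldap/tacacs, aaa server-group with auth-server members, aaa authentication via auth-profile with server-group), and reports every VIA authentication profile whose server-group does not contain an externally defined RADIUS, LDAP or TACACS+ server. Two details are assumptions rather than statements from this page: that the controller's built-in user database appears in a server-group as the auth-server named Internal, and that a profile with no server-group line falls back to a server-group named default. The sample configuration is constructed for the demonstration.

```python
"""Audit an Aruba AOS configuration for ARBA-VN-000580 (VIA auth-profile
must use a separate/external authentication server).

Added example, not STIG or Aruba code. Parses the CLI syntax shown in the
STIG Fix; assumptions are marked in comments.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

EXTERNAL_SERVER_TYPES = {"radius", "ldap", "tacacs"}
INTERNAL_SERVER_NAMES = {"internal"}   # assumption: built-in DB is auth-server "Internal"
FALLBACK_GROUP = "default"             # assumption: used when a profile names no server-group

# Constructed sample configuration (placeholder host/key values).
SAMPLE_CONFIG = """\
aaa authentication-server radius RADIUS-DOD
  host 192.0.2.10
  key <preshared key>
  enable
!
aaa server-group SG-EXTERNAL
  auth-server RADIUS-DOD
!
aaa server-group SG-LOCAL
  auth-server Internal
!
aaa authentication via auth-profile VIA-COMPLIANT
  default-role via-users
  client-cert-enable
  server-group SG-EXTERNAL
!
aaa authentication via auth-profile VIA-LOCAL
  server-group SG-LOCAL
!
aaa authentication via auth-profile VIA-UNSET
  default-role via-users
!
"""


def parse_config(text: str) -> Tuple[Set[str], Dict[str, List[str]], Dict[str, Optional[str]]]:
    """Return (external server names, server-group -> members, VIA profile -> server-group).

    Works on both saved-config form (indented sub-commands, '!' terminators) and
    the typed form from the Fix ('exit' terminators), because block membership is
    tracked by context rather than by indentation.
    """
    external: Set[str] = set()
    groups: Dict[str, List[str]] = {}
    profiles: Dict[str, Optional[str]] = {}
    current_group: Optional[str] = None
    current_profile: Optional[str] = None

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("exit", "!"):                     # end of the current block
            current_group = current_profile = None
            continue
        m = re.match(r"aaa authentication-server (\S+) (\S+)$", line)
        if m:                                          # external server definition
            current_group = current_profile = None
            if m.group(1).lower() in EXTERNAL_SERVER_TYPES:
                external.add(m.group(2))
            continue
        m = re.match(r"aaa server-group (\S+)$", line)
        if m:                                          # start of a server-group block
            current_group, current_profile = m.group(1), None
            groups.setdefault(current_group, [])
            continue
        m = re.match(r"aaa authentication via auth-profile (\S+)$", line)
        if m:                                          # start of a VIA auth-profile block
            current_profile, current_group = m.group(1), None
            profiles.setdefault(current_profile, None)
            continue
        if current_group is not None:
            m = re.match(r"auth-server (\S+)", line)
            if m:
                groups[current_group].append(m.group(1))
        elif current_profile is not None:
            m = re.match(r"server-group (\S+)$", line)
            if m:
                profiles[current_profile] = m.group(1)
    return external, groups, profiles


def audit(text: str) -> Dict[str, str]:
    """Map each VIA auth-profile to 'pass' or a finding/review message."""
    external, groups, profiles = parse_config(text)
    results: Dict[str, str] = {}
    for profile, group in profiles.items():
        group = group or FALLBACK_GROUP
        members = groups.get(group, [])
        ext = [s for s in members if s in external]
        internal = [s for s in members if s.lower() in INTERNAL_SERVER_NAMES]
        if not ext:
            results[profile] = (f"finding: server-group '{group}' has no external "
                                f"RADIUS/LDAP/TACACS+ server (members: {members})")
        elif internal:
            results[profile] = (f"review: server-group '{group}' mixes external servers "
                                f"with the internal database ({internal})")
        else:
            results[profile] = "pass"
    return results


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {verdict}")
```

Run it against the output of show running-config saved to a file (read the file and pass its text to audit) instead of SAMPLE_CONFIG; any profile reported as a finding corresponds to the "not set to use a separate authentication server" condition in the Check.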