The VPN Gateway must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-266995	SRG-NET-000138-VPN-000490	ARBA-VN-000490	SV-266995r1040751_rule	2024-10-29	1

Description
To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses except the following. (i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and (ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals' in-group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN or proxy capability). This does not apply to authentication for the purpose of configuring the device itself (i.e., device management). Satisfies: SRG-NET-000138-VPN-000490, SRG-NET-000166-VPN-000590, SRG-NET-000341-VPN-001350

Description

To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses except the following. (i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and (ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals' in-group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN or proxy capability). This does not apply to authentication for the purpose of configuring the device itself (i.e., device management). Satisfies: SRG-NET-000138-VPN-000490, SRG-NET-000166-VPN-000590, SRG-NET-000341-VPN-001350

ℹ️ Check
Verify the AOS configuration with the following commands: show aaa authentication via connection-profile Note each referenced VIA connection profile. For each referenced connection profile: show aaa authentication via connection-profile <name> \| include "IKEv2 Authentication method" If the authentication method is not set to "eap-tls", this is a finding.

✔️ Fix
Configure AOS with the following commands: 1. crypto pki csr ec curve_name secp384r1 common_name <common_name> country <US> state_or_province <state> city <city> organization <org> unit <unit> email <email> show crypto pki csr 2. Use DOD PKI to generate a public certificate based on the CSR. 3. Using the web GUI, navigate to Configuration >> System >> Certificates >> Import Certificates. 4. Click the plus sign (+) and enter "Certificate name:", browse to the public certificate file, choose the appropriate format, select Certificate type: "ServerCert", and click "Submit". 5. Click Pending Changes >> Deploy Changes. Continue configuring with the CLI: configure terminal crypto-local isakmp ca-certificate <CA certificate name> crypto-local isakmp certificate-group server-certificate <EC certificate name> ca-certificate <CA certificate name> write memory crypto dynamic-map <name> <priority> version v2 set pfs group20 set transform-set default-gcm256 set security-association lifetime seconds 28800 exit write memory aaa authentication-server radius <name> host <A.B.C.D or X:X:X:X::X or hostname> key <preshared key> enable exit write memory aaa server-group <name> auth-server <name> exit write memory ip access-list session <name> any any any permit ipv6 any any any permit exit write memory user-role <name> access-list session <name> exit write memory aaa authentication via auth-profile <name> default-role <name> client-cert-enable server-group <name> exit write memory aaa authentication via connection-profile <name> auth-profile <name> enable-fips ikev2-policy 10009 ikev2-proto ikev2auth eap-tls ipsecv2-cryptomap map <name> number <priority> max-timeout value <0-65535> suiteb-crypto validate-server-cert exit write memory aaa authentication via web-auth default auth-profile <name> exit write memory user-role <name> via <name> exit write memory

✔️ Fix

Configure AOS with the following commands: 1. crypto pki csr ec curve_name secp384r1 common_name <common_name> country <US> state_or_province <state> city <city> organization <org> unit <unit> email <email> show crypto pki csr 2. Use DOD PKI to generate a public certificate based on the CSR. 3. Using the web GUI, navigate to Configuration >> System >> Certificates >> Import Certificates. 4. Click the plus sign (+) and enter "Certificate name:", browse to the public certificate file, choose the appropriate format, select Certificate type: "ServerCert", and click "Submit". 5. Click Pending Changes >> Deploy Changes. Continue configuring with the CLI: configure terminal crypto-local isakmp ca-certificate <CA certificate name> crypto-local isakmp certificate-group server-certificate <EC certificate name> ca-certificate <CA certificate name> write memory crypto dynamic-map <name> <priority> version v2 set pfs group20 set transform-set default-gcm256 set security-association lifetime seconds 28800 exit write memory aaa authentication-server radius <name> host <A.B.C.D or X:X:X:X::X or hostname> key <preshared key> enable exit write memory aaa server-group <name> auth-server <name> exit write memory ip access-list session <name> any any any permit ipv6 any any any permit exit write memory user-role <name> access-list session <name> exit write memory aaa authentication via auth-profile <name> default-role <name> client-cert-enable server-group <name> exit write memory aaa authentication via connection-profile <name> auth-profile <name> enable-fips ikev2-policy 10009 ikev2-proto ikev2auth eap-tls ipsecv2-cryptomap map <name> number <priority> max-timeout value <0-65535> suiteb-crypto validate-server-cert exit write memory aaa authentication via web-auth default auth-profile <name> exit write memory user-role <name> via <name> exit write memory