AOS must require devices to reauthenticate when organization-defined circumstances or situations require reauthentication.

Severity: medium
Group ID: V-266627
Group Title: SRG-NET-000338
Version: ARBA-NT-000800
Rule ID: SV-266627r1040371_rule
Date: 2024-10-29
STIG Version: 1
Description
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity on the network. In addition to the reauthentication requirements associated with session locks, organizations may require reauthentication of devices in other situations, including (but not limited to): (i) when authenticators change; (ii) when roles change; (iii) when security categories of information systems change; (iv) after a fixed period of time; or (v) periodically. This requirement only applies to components where device reauthentication is specific to the function of the device or where the device has a concept of device authentication.
Check
Verify the AOS configuration with the following command:

    show crypto-local ipsec-map

If the configured IPsec maps are not configured with a security association lifetime of 28,800 seconds (8 hours), this is a finding.
Fix
Configure AOS with the following commands:

    configure terminal
    crypto-local ipsec-map <name> <priority>
    set security-association lifetime seconds 28800
    exit
    write memory
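As an added example (not from the STIG or from the AOS vendor), a small Python auditor that applies the Check above to exported AOS configuration text written in the form of the Fix commands, and builds the Fix command sequence for every map that fails. The sample configuration is constructed, and the assumption that exported configuration stanzas look like the Fix commands is an assumption, not a device capture.

```python
import re
REQUIRED_LIFETIME = 28800  # 8 hours, the value the STIG rule requires

# Constructed sample in the form of the rule's Fix commands. Assumption: exported
# AOS configuration text looks like this; it is not a capture from a real device.
SAMPLE_CONFIG = """\
crypto-local ipsec-map site-a 10
  set security-association lifetime seconds 28800
crypto-local ipsec-map site-b 20
  set security-association lifetime seconds 86400
crypto-local ipsec-map site-c 30
"""
MAP_RE = re.compile(r"^crypto-local ipsec-map (\S+) (\d+)$")
LIFETIME_RE = re.compile(r"^set security-association lifetime seconds (\d+)$")

def parse_ipsec_maps(config_text):
    """Map each ipsec-map name to its priority and SA lifetime (None if not set)."""
    maps, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = MAP_RE.match(line)
        if m:
            current = m.group(1)
            maps[current] = {"priority": int(m.group(2)), "lifetime": None}
            continue
        m = LIFETIME_RE.match(line)
        if m and current is not None:
            maps[current]["lifetime"] = int(m.group(1))
    return maps

def findings(config_text, required=REQUIRED_LIFETIME):
    """Return (map_name, reason) for each map that fails the check."""
    out = []
    for name, entry in parse_ipsec_maps(config_text).items():
        if entry["lifetime"] is None:  # device default not assumed; flag it
            out.append((name, "no security-association lifetime configured"))
        elif entry["lifetime"] != required:
            out.append((name, f"lifetime {entry['lifetime']}s != {required}s"))
    return out

def remediation(config_text, required=REQUIRED_LIFETIME):
    """Build the rule's Fix command sequence for every failing map."""
    maps = parse_ipsec_maps(config_text)
    lines = ["configure terminal"]
    for name, _ in findings(config_text, required):
        lines += [f"crypto-local ipsec-map {name} {maps[name]['priority']}",
                  f"set security-association lifetime seconds {required}", "exit"]
    lines.append("write memory")
    return lines
```

Running findings(SAMPLE_CONFIG) reports site-b (wrong lifetime) and site-c (no lifetime set); remediation(SAMPLE_CONFIG) returns the Fix commands for just those two maps.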