AOS, when used as a VPN Gateway, must limit the number of concurrent sessions for user accounts to one or to an organization-defined number.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-266993 | ARBA-VN-000170 | SV-266993r1040745_rule | CCI-000054 | medium |
| Description | ||||
| VPN gateway management includes the ability to control the number of users and user sessions that utilize a VPN gateway. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to denial-of-service attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system. The intent of this policy is to ensure the number of concurrent sessions is deliberately set to a number based on the site's mission and not left unlimited. | ||||
| STIG | Date | |||
| HPE Aruba Networking AOS VPN Security Technical Implementation Guide | 2024-10-29 | |||
Related Frameworks
2 paths across 2 frameworks
Related Frameworks
NIST 800-531 mapping
AC-10
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
CCI1 mapping
CCI-000054
1.00
- DISA · V1R1 · disa_xccdf · related
Details
Check Text (C-266993r1040745_chk)
Verify the AOS configuration with the following command:
show running-config | begin "user-role <vpn user role>"
If the vpn user role is not configured to max-sessions 1 (or an organization-defined number), this is a finding.
Fix Text (F-70820r1040744_fix)
Configure AOS with the following commands:
configure terminal
user-role <vpn user role>
max-sessions 1
exit
write memory