The VPN Gateway must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-266995 | ARBA-VN-000490 | SV-266995r1040751_rule | CCI-000764 | medium |
| Description | ||||
| To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses except the following. (i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and (ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals' in-group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN or proxy capability). This does not apply to authentication for the purpose of configuring the device itself (i.e., device management). Satisfies: SRG-NET-000138-VPN-000490, SRG-NET-000166-VPN-000590, SRG-NET-000341-VPN-001350 | ||||
| STIG | Date | |||
| HPE Aruba Networking AOS VPN Security Technical Implementation Guide | 2024-10-29 | |||
Details
Check Text (C-266995r1040751_chk)
Verify the AOS configuration with the following commands:
show aaa authentication via connection-profile
Note each referenced VIA connection profile.
For each referenced connection profile:
show aaa authentication via connection-profile <name> | include "IKEv2 Authentication method"
If the authentication method is not set to "eap-tls", this is a finding.
Fix Text (F-70822r1040750_fix)
Configure AOS with the following commands:
1. crypto pki csr ec curve_name secp384r1 common_name <common_name> country <US> state_or_province <state> city <city> organization <org> unit <unit> email <email>
show crypto pki csr
2. Use DOD PKI to generate a public certificate based on the CSR.
3. Using the web GUI, navigate to Configuration >> System >> Certificates >> Import Certificates.
4. Click the plus sign (+) and enter "Certificate name:", browse to the public certificate file, choose the appropriate format, select Certificate type: "ServerCert", and click "Submit".
5. Click Pending Changes >> Deploy Changes.
Continue configuring with the CLI:
configure terminal
crypto-local isakmp ca-certificate <CA certificate name>
crypto-local isakmp certificate-group server-certificate <EC certificate name> ca-certificate <CA certificate name>
write memory
crypto dynamic-map <name> <priority>
version v2
set pfs group20
set transform-set default-gcm256
set security-association lifetime seconds 28800
exit
write memory
aaa authentication-server radius <name>
host <A.B.C.D or X:X:X:X::X or hostname>
key <preshared key>
enable
exit
write memory
aaa server-group <name>
auth-server <name>
exit
write memory
ip access-list session <name>
any any any permit
ipv6 any any any permit
exit
write memory
user-role <name>
access-list session <name>
exit
write memory
aaa authentication via auth-profile <name>
default-role <name>
client-cert-enable
server-group <name>
exit
write memory
aaa authentication via connection-profile <name>
auth-profile <name>
enable-fips
ikev2-policy 10009
ikev2-proto
ikev2auth eap-tls
ipsecv2-cryptomap map <name> number <priority>
max-timeout value <0-65535>
suiteb-crypto
validate-server-cert
exit
write memory
aaa authentication via web-auth default
auth-profile <name>
exit
write memory
user-role <name>
via <name>
exit
write memory