AOS must require devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-266627 | ARBA-NT-000800 | SV-266627r1040371_rule | CCI-002039 | medium |
| Description | ||||
| Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity on the network. In addition to the reauthentication requirements associated with session locks, organizations may require reauthentication of devices, including (but not limited to), the following other situations: (i) When authenticators change; (ii) When roles change; (iii) When security categories of information systems change; (iv) After a fixed period of time; or (v) Periodically. This requirement only applies to components where this is specific to the function of the device or has the concept of device authentication. | ||||
| STIG | Date | |||
| HPE Aruba Networking AOS Wireless Security Technical Implementation Guide | 2024-10-29 | |||
Details
Check Text (C-266627r1040371_chk)
Verify the AOS configuration with the following command:
show crypto-local ipsec-map
If the configured IPSec maps are not configured to support a security association lifetime of 28,800 seconds (8 hours), this is a finding.
Fix Text (F-70454r1040370_fix)
Configure AOS with the following commands:
configure terminal
crypto-local ipsec-map <name> <priority>
set security-association lifetime seconds 28800
exit
write memory