The Nokia router must be configured to assign appropriate user roles or access levels to authenticated users.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-283761 | NOKI-ND-000100 | SV-283761r1223367_rule | CCI-000213 | high |
| Description | ||||
| Successful identification and authentication must not automatically give an entity full access to a network device or security domain. The lack of authorization-based access control could result in the immediate compromise of, and unauthorized access to, sensitive information. All DoW systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset or set of resources. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Some network devices are preconfigured with security groups. Other network devices enable operators to create custom security groups with custom permissions. For example, an information system security manager (ISSM) may require read-only access to audit the network device. Operators may create an audit security group, define permissions and access levels for members of the group, and then assign the ISSM's user persona to the audit security group. This is still considered privileged access, but the ISSM's security group is more restrictive than the network administrator's security group. Network devices that rely on Authentication, Authorization, and Accounting (AAA) brokers for authentication and authorization services may need to identify the available security groups or access levels available on the network devices and convey that information to the AAA operator. Once the AAA broker identifies the user persona on the centralized directory service, the user's security group memberships can be retrieved. The AAA operator may need to create a mapping that links target security groups from the directory service to the appropriate security groups or access levels on the network device. Once these mappings are configured, authorizations can happen dynamically based on each user's directory service group membership. Satisfies: SRG-APP-000033-NDM-000212, SRG-APP-000120-NDM-000237, SRG-APP-000121-NDM-000238, SRG-APP-000122-NDM-000239, SRG-APP-000123-NDM-000240, SRG-APP-000231-NDM-000271, SRG-APP-000329-NDM-000287, SRG-APP-000378-NDM-000302, SRG-APP-000380-NDM-000304, SRG-APP-000516-NDM-000335 | ||||
| STIG | Date | |||
| Nokia Service Router OS 25.x Network Device Management Security Technical Implementation Guide | 2026-06-15 | |||
Details
Check Text (C-283761r1223367_chk)
For local accounts, role-based access control is configured through the user profile.
Verify the "profile" assigned to each user using the command below:
- show system security user <user name> detail
- show system security user "admin" detail | match profile
profile : administrative
In this example, user "admin" is configured with user profile "administrative".
Verify the user-assigned profile matches the user roles and responsibilities:
- show system security profile <profile name>
- show system security profile "administrative"
User Profile : administrative
Def. Action : permit-all
LI : no
NETCONF RPC
NETCONF Kill RPC Authorization : yes
NETCONF Lock RPC Authorization : yes
NETCONF Close-Session RPC Authorization : yes
NETCONF Get RPC Authorization : yes
NETCONF Get-Config RPC Authorization : yes
NETCONF Get-Data RPC Authorization : yes
NETCONF Edit-Config RPC Authorization : yes
NETCONF Copy-Config RPC Authorization : yes
NETCONF Delete-Config RPC Authorization : yes
NETCONF Discard-Changes RPC Authorization : yes
NETCONF Validate RPC Authorization : yes
NETCONF Commit RPC Authorization : yes
....
For external AAA servers, access levels are available per command. Nokia routers support TACACS+ and RADIUS authentication servers.
If the Nokia router does not enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level, this is a finding.
Fix Text (F-88231r1203327_fix)
Administrative profiles exist by default. Other profiles should be created based on user roles and access levels.
Create a new profile and add as many entries as needed:
- configure system security profile <profile name>
- default-action <deny-all or permit-all or none or read-only-all>
- entry <entry id>
- match <command string>
- action < permit or deny or read-only or none>
Apply the correct profile to each user:
- configure system security user <user name> console member <profile name>