The Nokia router must be configured to use at least two authentication servers for authenticating users prior to granting administrative access.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-283785 | NOKI-ND-000890 | SV-283785r1203604_rule | CCI-000370 | high |
| Description | ||||
| Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each device. | ||||
| STIG | Date | |||
| Nokia Service Router OS 25.x Network Device Management Security Technical Implementation Guide | 2026-06-15 | |||
Details
Check Text (C-283785r1203604_chk)
Review the Nokia router configuration to verify the device is configured to use at least two authentication servers as the primary source for authentication.
Verify multiple authentication servers are configured and status is "up", as shown in the example below:
- show system security authentication statistics
show system security authentication statistics
Authentication sequence : radius tacplus ldap local
type status timeout (secs) retry count
server address retry timeout
server name (secs)
radius up 3 3
192.168.0.10:1812 n/a
tacplus up 3 n/a
192.168.1.10:49 300
ldap up 3 3
10.1.1.1:389 n/a
Corporate LDAP Server
radius admin/oper status : up/up
UDP port : 1812
TCP port : 2083
tacplus admin/oper status : up/up
ldap admin/oper status : up/up
health check : enabled (interval 30 secs)
No. of Servers: 3
If the Nokia router is not configured to use at least two authentication servers for authenticating users prior to granting administrative access, this is a finding.
Fix Text (F-88255r1203599_fix)
1. Configure the Nokia router to use at least two authentication servers.
Nokia router supports RADIUS, TACACS+, and LDAP for user authentication. Multiple authentication servers can be configured. The example below is for the TACACS configuration:
- configure system security tacplus server <index> address <tacacs+ server ip address>
2. Configure the authentication order to use the authentication servers as the primary source for authentication. Up to four methods of authentication order can be configured:
- configure system security password authentication-order <first order can be: local, radius, tacplus or ldap> <2nd order can be: local, radius, tacplus or ldap> <3rd order can be: local, radius, tacplus or ldap> <4th order can be: local, radius, tacplus or ldap>
3. Configure all network connections associated with a device management to use the authentication servers for login authentication.