The Nokia router must be configured to use at least two authentication servers for authenticating users prior to granting administrative access.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-283785NOKI-ND-000890SV-283785r1203604_ruleCCI-000370high
Description
Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each device.
STIGDate
Nokia Service Router OS 25.x Network Device Management Security Technical Implementation Guide2026-06-15

Details

Check Text (C-283785r1203604_chk)

Review the Nokia router configuration to verify the device is configured to use at least two authentication servers as the primary source for authentication. Verify multiple authentication servers are configured and status is "up", as shown in the example below: - show system security authentication statistics show system security authentication statistics Authentication sequence : radius tacplus ldap local type status timeout (secs) retry count server address retry timeout server name (secs) radius up 3 3 192.168.0.10:1812 n/a tacplus up 3 n/a 192.168.1.10:49 300 ldap up 3 3 10.1.1.1:389 n/a Corporate LDAP Server radius admin/oper status : up/up UDP port : 1812 TCP port : 2083 tacplus admin/oper status : up/up ldap admin/oper status : up/up health check : enabled (interval 30 secs) No. of Servers: 3 If the Nokia router is not configured to use at least two authentication servers for authenticating users prior to granting administrative access, this is a finding.

Fix Text (F-88255r1203599_fix)

1. Configure the Nokia router to use at least two authentication servers. Nokia router supports RADIUS, TACACS+, and LDAP for user authentication. Multiple authentication servers can be configured. The example below is for the TACACS configuration: - configure system security tacplus server <index> address <tacacs+ server ip address> 2. Configure the authentication order to use the authentication servers as the primary source for authentication. Up to four methods of authentication order can be configured: - configure system security password authentication-order <first order can be: local, radius, tacplus or ldap> <2nd order can be: local, radius, tacplus or ldap> <3rd order can be: local, radius, tacplus or ldap> <4th order can be: local, radius, tacplus or ldap> 3. Configure all network connections associated with a device management to use the authentication servers for login authentication.