The Nokia router must be configured to implement multifactor authentication for local, network, and/or remote access to privileged and nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-283799 | NOKI-ND-000970 | SV-283799r1203603_rule | CCI-004047 | medium |
| Description | ||||
| Requiring a device separate from the system to which the user is attempting to gain access for one of the factors during multifactor authentication reduces the likelihood of compromising authenticators or credentials stored on the system. Adversaries may be able to compromise such authenticators or credentials and subsequently impersonate authorized users. Implementing one of the factors on a separate device (e.g., a hardware token), provides a greater strength of mechanism and an increased level of assurance in the authentication process. Satisfies: SRG-APP-000825-NDM-000180, SRG-APP-000156-NDM-000250, SRG-APP-000820-NDM-000170 | ||||
| STIG | Date | |||
| Nokia Service Router OS 25.x Network Device Management Security Technical Implementation Guide | 2026-06-15 | |||
Details
Check Text (C-283799r1203603_chk)
Verify the Nokia router is configured for interactive authentication mode.
For TACACS+, use the example shown below:
- configure system security tacplus
>config>system>security>tacplus# info
----------------------------------------------
interactive-authentication
----------------------------------------------
For RADIUS, use the example shown below:
- configure system security radius
>config>system>security>radius# info
----------------------------------------------
interactive-authentication
----------------------------------------------
If interactive-authentication is not present in this scenario, this is a finding.
Fix Text (F-88269r1203602_fix)
Configure the Nokia router to enable message/response multifactor authentication for RADIUS and TACACS+.
For TACACS+, use the command shown below:
- configure system security tacplus interactive-authentication
For RADIUS, use the command shown below:
- configure system security radius interactive-authentication