OpenControls Logo

STIG Viewer

The RUCKUS ICX device must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-273835RCKS-NDM-000920SV-273835r1110833_ruleCCI-000370high
Description
Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's RUCKUS ICX devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each RUCKUS ICX device. Satisfies: SRG-APP-000516-NDM-000336, SRG-APP-000700-NDM-000100, SRG-APP-000705-NDM-000110
STIGDate
RUCKUS ICX NDM Security Technical Implementation Guide2025-05-28

Details

Check Text (C-273835r1110833_chk)

Verify that AAA authentication and authorization are configured along with RADIUS/TACACS+ servers. SSH@ICX#show running-config | include (aaa|radius) aaa authentication dot1x default radius radius-server host x.x.x.x auth-port 1812 acct-port 1813 default key 2 $VWlkRGkt dot1x mac-auth radius-server host y.y.y.y auth-port 1812 acct-port 1813 default key 2 $UGlkRGktdG5v dot1x mac-auth radius-server key 2 $UGlkRGktdG5v aaa authentication login default radius local aaa authorization commands 0 default radius aaa authorization exec default radius If two central authentication servers are not configured, this is a finding.

Fix Text (F-77831r1110685_fix)

Configure AAA as needed: radius-server host x.x.x.x auth-port 1812 acct-port 1813 default key [shared_secret] radius-server host y.y.y.y auth-port 1812 acct-port 1813 default key [shared_secret] aaa authentication login default radius local aaa authorization commands 0 default radius aaa authorization exec default radius