Rule ID
SV-284931r1212136_rule
Version
V1R1
Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device. Satisfies: SRG-APP-000516-NDM-000336, SRG-APP-000175-NDM-000262, SRG-APP-000177-NDM-000263, SRG-APP-000400-NDM-000313
Review the Cisco SNA appliance configuration to verify the device is configured to use at least two authentication servers or a single sign-on (SSO) service as primary source for authentication. Navigate to SNA Dashboard >> Configure >> User Management >> Authentication and Authorization Tab >> Select a Service >> Actions... >> Edit. Observe whether multiple addresses have been configured. Note: It is expected that an SSO using SAML will employ redundant/load-balanced servers on the service side. There is no configuration for multiple SSO services. If the Cisco SNA appliance is not configured to use at least two authentication servers or an SSO service for the purpose of authenticating users prior to granting administrative access, this is a finding.
Configure the SNA appliance to use at least two authentication servers or an SSO service. TACACS+/RADIUS/LDAP Configuration: Navigate to SNA Dashboard >> Configure >> User Management >> Authentication and Authorization Tab >> Create (dropdown) >> Authentication Service. Select Type (e.g., TACACS+, RADIUS, LDAP). Input "Name" for service and "Add New" Server Information for each server of that service type. Save. Navigate to Create (dropdown) >> User. Input User Name, Authentication service (previously created), Role Settings. Save. Apply Configuration. OR SSO Configuration: A. Prepare for Configuration. 1. The following information is required to configure SSO: -The Identity Provider (IdP) URL must use the fully qualified domain name or IPv4 address. - If the IdP URL starts with HTTPS, download the certificate authority (CA) certificate. 2. Certificate Requirements: If the URL for downloading the IDP URL starts with HTTPS, confirm the certificate is added to the appliance Trust Stores. B. Configure the Service Provider. 1. Navigate to the management console webpage (SMC). 2. Log in as an admin with sufficient privileges. 3. Select Configure >> User Management. 4. Select Create (Dropdown) >> Authentication Service >> SSO. 5. Select IdP Type (Dropdown) >> Microsoft ADFS. 6. Enter the URL to download the IdP's configuration file. Requirements: Enter the fully qualified domain name or IP address. Alternatively, upload an Identity Provider Metadata XML File. 7. Select "Disable Requested Authentication Context". 8. Select Name Identifier Format >> Transient (if following schema note below). Otherwise configure according to local format. 9. Add a Login Screen Label relevant to local configurations. 10. Select "Save". 11. When redirected to the Authentication and Authorization tab, it may take up to five minutes to apply changes and SSO Status to become "Ready". 12. Select Actions >> Enable SSO. C. Configure ADFS according to local procedure to add the Relying Party Trust. Note: For ADFS configuration, create and modify the following Claim Issuance Policy Custom Rule: c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://YOURADFSFQDN./adfs/com/adfs/service/trust", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "https://YOURSNAFQDN/fedlet"); D. Add an SSO User. 1. Log in to the SMC Web UI. 2. Select Configure >> User Management >> Users >> Create User. 3. Complete the fields to create a new user. -Authentication Service: Select SSO. - User Name: Enter the first part of the email address for the IdP account. Ensure the ID is identical to the one that will be used for SSO at login. For example, for name@email.com, enter name in this field. 4. Click "Save". 5. Confirm the SSO User is shown in User Management.