STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 1 hour ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Cisco Secure Network Analytics (SNA) Security Technical Implementation Guide

V-284931

CAT I (High)

The Cisco SNA appliance must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.

Rule ID

SV-284931r1212136_rule

STIG

Cisco Secure Network Analytics (SNA) Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000370CCI-000185CCI-000187CCI-000764CCI-000166CCI-002007

Discussion

Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device. Satisfies: SRG-APP-000516-NDM-000336, SRG-APP-000175-NDM-000262, SRG-APP-000177-NDM-000263, SRG-APP-000400-NDM-000313

Check Content

Review the Cisco SNA appliance configuration to verify the device is configured to use at least two authentication servers or a single sign-on (SSO) service as primary source for authentication.

Navigate to SNA Dashboard >> Configure >> User Management >> Authentication and Authorization Tab >> Select a Service >> Actions... >> Edit. Observe whether multiple addresses have been configured.

Note: It is expected that an SSO using SAML will employ redundant/load-balanced servers on the service side. There is no configuration for multiple SSO services.

If the Cisco SNA appliance is not configured to use at least two authentication servers or an SSO service for the purpose of authenticating users prior to granting administrative access, this is a finding.

Fix Text

Configure the SNA appliance to use at least two authentication servers or an SSO service.

TACACS+/RADIUS/LDAP Configuration:

Navigate to SNA Dashboard >> Configure >> User Management >> Authentication and Authorization Tab >> Create (dropdown) >> Authentication Service. 

Select Type (e.g., TACACS+, RADIUS, LDAP).

Input "Name" for service and "Add New" Server Information for each server of that service type. 

Save.

Navigate to Create (dropdown) >> User. 

Input User Name, Authentication service (previously created), Role Settings.

Save.

Apply Configuration.

OR

SSO Configuration: 

A. Prepare for Configuration.
1. The following information is required to configure SSO: 
-The Identity Provider (IdP) URL must use the fully qualified domain name or IPv4 address. 
- If the IdP URL starts with HTTPS, download the certificate authority (CA) certificate.
2. Certificate Requirements: If the URL for downloading the IDP URL starts with HTTPS, confirm the certificate is added to the appliance Trust Stores.

B. Configure the Service Provider.
1. Navigate to the management console webpage (SMC).
2. Log in as an admin with sufficient privileges.
3. Select Configure >> User Management.
4. Select Create (Dropdown) >> Authentication Service >> SSO.
5. Select IdP Type (Dropdown) >> Microsoft ADFS. 
6. Enter the URL to download the IdP's configuration file. Requirements: Enter the fully qualified domain name or IP address. Alternatively, upload an Identity Provider Metadata XML File.
7. Select "Disable Requested Authentication Context".
8. Select Name Identifier Format >> Transient (if following schema note below). Otherwise configure according to local format.
9. Add a Login Screen Label relevant to local configurations.
10. Select "Save".
11. When redirected to the Authentication and Authorization tab, it may take up to five minutes to apply changes and SSO Status to become "Ready".
12. Select Actions >> Enable SSO.

C. Configure ADFS according to local procedure to add the Relying Party Trust.

Note: For ADFS configuration, create and modify the following Claim Issuance Policy Custom Rule:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://YOURADFSFQDN./adfs/com/adfs/service/trust", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "https://YOURSNAFQDN/fedlet");


D. Add an SSO User.
1. Log in to the SMC Web UI.
2. Select Configure >> User Management >> Users >> Create User.
3. Complete the fields to create a new user. 
-Authentication Service: Select SSO.
- User Name: Enter the first part of the email address for the IdP account. Ensure the ID is identical to the one that will be used for SSO at login. For example, for name@email.com, enter name in this field.
4. Click "Save".
5. Confirm the SSO User is shown in User Management.