STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated just now
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Cisco Secure Network Analytics (SNA) Security Technical Implementation Guide

V-284937

CAT II (Medium)

The Cisco SNA appliance must be configured to implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.

Rule ID

SV-284937r1212207_rule

STIG

Cisco Secure Network Analytics (SNA) Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-004046CCI-004047

Discussion

The purpose of requiring a device that is separate from the system to which the user is attempting to gain access for one of the factors during multifactor authentication (MFA) is to reduce the likelihood of compromising authenticators or credentials stored on the system. Adversaries may be able to compromise such authenticators or credentials and subsequently impersonate authorized users. Implementing one of the factors on a separate device (e.g., a hardware token), provides a greater strength of mechanism and an increased level of assurance in the authentication process. Satisfies: SRG-APP-000820-NDM-000170, SRG-APP-000825-NDM-000180

Check Content

Verify the network device is configured to implement MFA for local, network, and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.

Navigate to the login page, then select Single Sign-on (SSO). At the SAML IdP login page, enter a certificate and pin (as managed by middleware such as ActivClient) when prompted.

Note: The MFA requirement is met by the SSO server and will require coordination with that server's administrator.

If the Cisco SNA appliance is not configured to implement multifactor authentication for local, network, and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access, this is a finding.

Fix Text

Configure the Cisco SNA appliance to implement multifactor authentication for local, network, and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.

A. Prepare for Configuration.
1. The following information is required to configure SSO: 
-The Identity Provider (IdP) URL must use the fully qualified domain name or IPv4 address. 
- If the IdP URL starts with HTTPS, download the certificate authority (CA) certificate.
2. Certificate Requirements: If the URL for downloading the IDP URL starts with HTTPS, confirm the certificate is added to the appliance Trust Stores.

B. Configure the Service Provider.
1. Navigate to the SMC.
2. Log in as an admin with sufficient privileges.
3. Select Configure >> User Management.
4. Select Create (Dropdown) >> Authentication Service >> SSO.
5. Select IdentityProvider (IdP) Type (Dropdown) >> Microsoft ADFS. 
6. Enter the URL where the Identity Provider's configuration file can be downloaded. Requirements: Enter the fully qualified domain name or IP address. Alternatively, upload an Identity Provider Metadata XML File.
7. Select "Disable Requested Authentication Context".
8. Select Name Identifier Format >> Transient (if following schema note below). Otherwise, configure according to local format.
9. Add a Login Screen Label relevant to local configurations.
10. Select "Save".
11. When redirected to the Authentication and Authorization tab, it may take up to five minutes to apply changes and SSO Status to become "Ready".
12. Select Actions >> Enable SSO.

C. Configure ADFS according to local procedure to add the Relying Party Trust.

Note: For ADFS configuration, create and modify the following Claim Issuance Policy Custom Rule:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://YOURADFSFQDN./adfs/com/adfs/service/trust", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "https://YOURSNAFQDN/fedlet");

D. Add an SSO User.
1. Log in to the SMC Web UI.
2. Select Configure >> User Management >> Users >> Create User.
3. Complete the fields to create a new user. For compliance, configure the user as follows: 
Authentication Service: Select SSO.
User Name: Enter the first part of the email address for the IdP account. Make sure the ID is identical to the one that will be used for SSO at login. For example, for name@email.com, enter "name" in this field.
4. Click "Save".
5. Confirm the SSO User is shown in User Management.