Rule ID
SV-283799r1203603_rule
Version
V1R1
Requiring a device separate from the system to which the user is attempting to gain access for one of the factors during multifactor authentication reduces the likelihood of compromising authenticators or credentials stored on the system. Adversaries may be able to compromise such authenticators or credentials and subsequently impersonate authorized users. Implementing one of the factors on a separate device (e.g., a hardware token), provides a greater strength of mechanism and an increased level of assurance in the authentication process. Satisfies: SRG-APP-000825-NDM-000180, SRG-APP-000156-NDM-000250, SRG-APP-000820-NDM-000170
Verify the Nokia router is configured for interactive authentication mode.
For TACACS+, use the example shown below:
- configure system security tacplus
>config>system>security>tacplus# info
----------------------------------------------
interactive-authentication
----------------------------------------------
For RADIUS, use the example shown below:
- configure system security radius
>config>system>security>radius# info
----------------------------------------------
interactive-authentication
----------------------------------------------
If interactive-authentication is not present in this scenario, this is a finding.Configure the Nokia router to enable message/response multifactor authentication for RADIUS and TACACS+. For TACACS+, use the command shown below: - configure system security tacplus interactive-authentication For RADIUS, use the command shown below: - configure system security radius interactive-authentication