STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated just now
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Nokia Service Router OS 25.x Network Device Management Security Technical Implementation Guide

V-283785

CAT I (High)

The Nokia router must be configured to use at least two authentication servers for authenticating users prior to granting administrative access.

Rule ID

SV-283785r1203604_rule

STIG

Nokia Service Router OS 25.x Network Device Management Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000370

Discussion

Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each device.

Check Content

Review the Nokia router configuration to verify the device is configured to use at least two authentication servers as the primary source for authentication.

Verify multiple authentication servers are configured and status is "up", as shown in the example below:

- show system security authentication statistics
show system security authentication statistics

Authentication sequence : radius tacplus ldap local

type status timeout (secs) retry count
 server address retry timeout
 server name (secs)

radius up 3 3
 192.168.0.10:1812 n/a
tacplus up 3 n/a
 192.168.1.10:49 300
ldap up 3 3
 10.1.1.1:389 n/a
 Corporate LDAP Server

radius admin/oper status : up/up
 UDP port : 1812
 TCP port : 2083
tacplus admin/oper status : up/up
ldap admin/oper status : up/up
health check : enabled (interval 30 secs)

No. of Servers: 3

If the Nokia router is not configured to use at least two authentication servers for authenticating users prior to granting administrative access, this is a finding.

Fix Text

1. Configure the Nokia router to use at least two authentication servers.

Nokia router supports RADIUS, TACACS+, and LDAP for user authentication. Multiple authentication servers can be configured. The example below is for the TACACS configuration:

- configure system security tacplus server <index> address <tacacs+ server ip address>

2. Configure the authentication order to use the authentication servers as the primary source for authentication. Up to four methods of authentication order can be configured:

- configure system security password authentication-order <first order can be: local, radius, tacplus or ldap> <2nd order can be: local, radius, tacplus or ldap> <3rd order can be: local, radius, tacplus or ldap> <4th order can be: local, radius, tacplus or ldap> 

3. Configure all network connections associated with a device management to use the authentication servers for login authentication.