Rule ID
SV-284886r1227140_rule
Version
V1R1
MFA is when two or more factors are used to confirm the identity of an individual requesting access to digital information resources. Valid factors include something the individual knows (e.g., username and password), something the individual has (e.g., a smartcard or token), or something the individual is (e.g., a fingerprint or biometric). Legacy information system environments only use a single factor for authentication, typically a username and password combination. Although two pieces of data are used in a username and password combination, this is still considered single factor because an attacker can obtain access simply by learning what the user knows. Common attacks against single-factor authentication are attacks on user passwords. These attacks include brute force password guessing, password spraying, and password credential stuffing. MFA, along with strong user account hygiene, helps mitigate against the threat of having account passwords discovered by an attacker. Even in the event of a password compromise, with MFA implemented and required for interactive login, the attacker still needs to acquire something the user has or replicate a piece of user's biometric digital presence. Private industry recognizes and uses a wide variety of MFA solutions. However, DoW PKI is the only prescribed method approved for DoW organizations to implement MFA. For authentication purposes, centralized DoW certificate authorities (CA) issue PKI certificate key pairs (public and private) to individuals using the prescribed x.509 format. The private certificates that have been generated by the issuing CA are downloaded and saved to smartcards which, within DoW, are referred to as common access cards (CAC) or personal identity verification (PIV) cards. This happens at designated DoW badge facilities. The CA maintains a record of the corresponding public keys for use with PKI-enabled environments. Privileged user smartcards, or "alternate tokens", function in the same manner, so this requirement applies to all interactive user sessions (authorized and privileged users). Note: This requirement is used in conjunction with the use of a centralized authentication server (e.g., AAA, RADIUS, LDAP), a separate but equally important requirement. The MFA configuration of this requirement provides identification and the first phase of authentication (the challenge and validated response, thereby confirming the PKI certificate that was presented by the user). The centralized authentication server will provide the second phase of authentication (the digital presence of the PKI ID as a valid user in the requested security domain) and authorization. The centralized authentication server will map validated PKI identities to valid user accounts and determine access levels for authenticated users based on security group membership and role. In cases where the centralized authentication server is not used by the network device for user authorization, the network device must map the authenticated identity to the user account for PKI-based authentication. Satisfies: SRG-APP-000149-NDM-000247, SRG-APP-000156-NDM-000250
Verify the Cisco SNA appliance is configured to use DoW PKI as MFA for interactive logins. Navigate to the login page and select Single Sign-on (SSO). At the SAML Identity Provider (IdP) login page, enter the certificate with PIN as managed by middleware, (e.g., ActivClient). Note: The MFA requirement is met by the SSO server and will require coordination with the server's administrator. If the Cisco SNA appliance is not configured to use SSO with DoW PKI as MFA for interactive logins, this is a finding. If the PKI authenticated user is not mapped to the effective local user account this is a finding.
Configure the network device to use SSO with DoW PKI as MFA for interactive logins. A. Prepare for Configuration. 1. The following information is required to configure SSO: - The IdP URL must use the fully qualified domain name or IPv4 address. - If the IdP URL starts with HTTPS, download the CA certificate. 2. Certificate Requirements: If the URL for downloading the IdP URL starts with HTTPS, confirm the certificate was added to the appliance Trust Stores. B. Configure the Service Provider. 1. Navigate to the management console webpage (SMC). 2. Log in as an admin with sufficient privileges. 3. Select Configure >> User Management. 4. Select Create (Dropdown) >> Authentication Service >> SSO. 5. Select IdP Type (Dropdown) >> Microsoft ADFS. 6. Enter the URL to download the IdP's configuration file. Requirements: Enter the fully qualified domain name or IP address. Alternatively, upload an Identity Provider Metadata XML File. 7. Select "Disable Requested Authentication Context". 8. Select Name Identifier Format >> Transient (if following schema note below). Otherwise, configure according to local format. 9. Add a Login Screen Label relevant to local configurations. 10. Select "Save". 11. When redirected to the Authentication and Authorization tab, it may take up to five minutes to apply changes and SSO Status to become "Ready". 12. Select Actions >> Enable SSO. C. Configure ADFS according to local procedure to add the Relying Party Trust. Note: For ADFS configuration, create and modify the following Claim Issuance Policy Custom Rule: c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://YOURADFSFQDN./adfs/com/adfs/service/trust", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "https://YOURSNAFQDN/fedlet"); D. Add an SSO User. 1. Log in to the SMC Web UI. 2. Select Configure >> User Management >> Users >> Create User. 3. Complete the fields to create a new user. - Authentication Service: Select SSO. - User Name: Enter the first part of the email address for the IdP account. Ensure the ID is identical to the one that will be used for SSO at login. For example, for name@email.com, enter name in this field. 4. Click "Save". 5. Confirm the SSO User is shown in User Management.