| Vuln ID | Severity | Asset | STIG | Title | Status | Doc Status | Assigned To | Actions |
|---|---|---|---|---|---|---|---|---|
| V-215854 | CAT I | MONTPOINTGTWYRTR | Cisco IOS XE Router NDM Security Technic... | The Cisco router must be configured to use at leas... | - | | | |
Check Text:

Review the Cisco router configuration to verify the device is configured to use at least two authentication servers as the primary source for authentication, as shown in the following example:

```
aaa new-model
!
aaa authentication login CONSOLE group radius local
aaa authentication login LOGIN_AUTHENTICATION group radius local
…
ip http authentication aaa login-authentication LOGIN_AUTHENTICATION
ip http secure-server
…
radius-server host x.x.x.x auth-port 1812 acct-port 1813 key xxxxxx
radius-server host x.x.x.x auth-port 1812 acct-port 1813 key xxxxxx
…
line con 0
 exec-timeout 5 0
 login authentication CONSOLE
line vty 0 1
 exec-timeout 5 0
 login authentication LOGIN_AUTHENTICATION
```

If the Cisco router is not configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access, this is a finding.

Fix Text:

Step 1: Configure the Cisco router to use at least two authentication servers as shown in the following example:

```
R4(config)#radius-server host 10.1.48.2 key xxxxxx
R4(config)#radius-server host 10.1.48.3 key xxxxxx
```

Step 2: Configure the authentication order to use the authentication servers as the primary source for authentication. The server group is listed before `local`, so the local database is consulted only when no server answers, not when a server rejects the login:

```
R4(config)#aaa authentication login CONSOLE group radius local
R4(config)#aaa authentication login LOGIN_AUTHENTICATION group radius local
```

Step 3: Configure all network connections associated with device management to use the authentication servers for login authentication:

```
R4(config)#line vty 0 1
R4(config-line)#login authentication LOGIN_AUTHENTICATION
R4(config-line)#exit
R4(config)#line con 0
R4(config-line)#login authentication CONSOLE
R4(config-line)#exit
R4(config)#ip http authentication aaa login-authentication LOGIN_AUTHENTICATION
```

Finding Details (running-config excerpt from the device):

```
aaa new-model
!
aaa group server radius AR21-Radius
 server name AR21-DC003
 server name AR21-DC004
 ip radius source-interface BDI400
 load-balance method least-outstanding
!
aaa group server tacacs+ ISE
 server-private 164.231.72.99 key 7 060B1C22424F1F0044
 server-private 164.231.111.4 key 7 060B1C22424F1F0044
 ip tacacs source-interface BDI400
!
aaa authentication login default group ISE group AR21-Radius local
aaa authentication enable default group ISE group AR21-Radius enable
aaa authorization config-commands
aaa authorization exec default group ISE group AR21-Radius local if-authenticated
aaa authorization network ISE group AR21-Radius local if-authenticated
aaa accounting exec default start-stop group ISE group AR21-Radius
!
aaa common-criteria policy PASSWORD_POLICY
 min-length 15
 max-length 127
 numeric-count 1
 upper-case 1
 lower-case 1
 special-case 1
 char-changes 8
!
aaa session-id common
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
  no destination transport-method email
no ip source-route
!
no ip domain lookup
ip domain name MONTPOINTGTWRTR.navy.mil
!
login block-for 900 attempts 3 within 120
login on-failure log
login on-success log
ipv6 hop-limit 32
```

Comments:

```
radius server AR21-DC003
 address ipv4 164.231.187.34 auth-port 1812 acct-port 1813
 retransmit 0
 key 7 15222B59513D24362C7205024652010C135218
!
radius server AR21-DC004
 address ipv4 164.231.187.35 auth-port 1812 acct-port 1813
 retransmit 0
 key 7 046B2B535A36435C0D583537475E1B0B382F65
```

On this device the `default` login list is `group ISE group AR21-Radius local`: the TACACS+ group ISE holds two private servers (164.231.72.99 and 164.231.111.4) and the RADIUS group AR21-Radius references the two servers AR21-DC003 and AR21-DC004 defined above, so four servers are consulted before the local database. The excerpt does not include the `line con 0`, `line vty` or `ip http authentication` stanzas; the reviewer still has to confirm that none of them binds a login list that bypasses the server groups, since a line without an explicit `login authentication` inherits `default`. The `key 7` values are Cisco type-7 obfuscation, which is reversible, so this checklist has to be handled as if it contained the shared secrets in clear.
Source: _Reviewed/MONTPOINTGTWYRTR/Checklist/MONTPOINTGTWYRTR_CiscoXERtrNDM_V3R5_20251023-150045.ckl
Scan Date: 2026-01-14T12:57:25.013310
Technology Area: Internal Network
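The check above is mechanical enough to script. The following Python checker is an added example for this checklist entry, not part of the export or of any DISA tooling: it parses an IOS XE running-config, resolves the login method list bound to each management endpoint (console and vty lines, `ip http authentication`), and counts the distinct servers in the `group` methods that precede `local` or any other non-server method. The parser only understands the AAA, server, line and `ip http` forms that appear on this page; the two sample configs are constructed, modelled on the finding details, with RFC 5737 documentation addresses and placeholder keys in place of real values.

```python
# Added example for STIG V-215854: parse an IOS XE running-config and count the
# authentication servers consulted before any non-server method on each management
# endpoint. Not part of the checklist export; the parser covers only the AAA, server,
# line and ip http forms seen on this page, and the sample configs are constructed.
import re
from collections import defaultdict

# Constructed sample (RFC 5737 addresses, placeholder keys): TACACS+ and RADIUS groups
# ahead of `local` in the default list, but the console pinned to a local-only list.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius AR21-Radius
 server name AR21-DC003
 server name AR21-DC004
aaa group server tacacs+ ISE
 server-private 192.0.2.10 key 7 PLACEHOLDER
 server-private 192.0.2.11 key 7 PLACEHOLDER
aaa authentication login default group ISE group AR21-Radius local
aaa authentication login CONSOLE local
radius server AR21-DC003
 address ipv4 192.0.2.20 auth-port 1812 acct-port 1813
radius server AR21-DC004
 address ipv4 192.0.2.21 auth-port 1812 acct-port 1813
ip http authentication aaa login-authentication default
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
"""
# The same config after the Fix Text's step 2 is applied to the console list.
FIXED_CONFIG = SAMPLE_CONFIG.replace("aaa authentication login CONSOLE local",
                                     "aaa authentication login CONSOLE group radius local")

def _stanzas(config):
    """Yield (header, [indented child lines]) for each top-level stanza."""
    header, children = None, []
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        if raw.startswith(" ") and header is not None:
            children.append(text)
            continue
        if header is not None:
            yield header, children
        header, children = text, []
    if header is not None:
        yield header, children

def parse_aaa(config):
    """Return (server groups, login method lists, management endpoints)."""
    groups = defaultdict(set)  # group name -> server names or addresses
    lists = {}                 # login list name -> method tokens
    endpoints = {}             # "line con 0", "line vty 0 4", "ip http" -> list name
    for header, children in _stanzas(config):
        w = header.split()
        if header.startswith("aaa group server "):
            for child in children:
                cw = child.split()
                if cw[:2] == ["server", "name"]:
                    groups[w[4]].add(cw[2])        # reference to a named server
                elif cw[0] in ("server", "server-private"):
                    groups[w[4]].add(cw[1])        # address-form server
        elif w[:2] in (["radius", "server"], ["tacacs", "server"]):
            groups["radius" if w[0] == "radius" else "tacacs+"].add(w[2])
        elif w[:2] in (["radius-server", "host"], ["tacacs-server", "host"]):
            groups["radius" if w[0] == "radius-server" else "tacacs+"].add(w[2])
        elif header.startswith("aaa authentication login "):
            lists[w[3]] = w[4:]
        elif header.startswith("ip http authentication aaa"):
            endpoints["ip http"] = w[5] if w[4:5] == ["login-authentication"] else "default"
        elif header.startswith("line "):
            list_name = "default"              # lines inherit default unless bound
            for child in children:
                cw = child.split()
                if cw[:2] == ["login", "authentication"]:
                    list_name = cw[2]
            endpoints[header] = list_name
    return groups, lists, endpoints

def primary_servers(methods, groups):
    """Distinct servers consulted before the first non-group method."""
    servers, i = set(), 0
    while i + 1 < len(methods) and methods[i] == "group":
        servers |= groups.get(methods[i + 1], set())
        i += 2
    return servers

def check_v215854(config):
    """Map each management endpoint to (login list, number of primary servers)."""
    groups, lists, endpoints = parse_aaa(config)
    return {ep: (name, len(primary_servers(lists.get(name, []), groups)))
            for ep, name in endpoints.items()}

def is_finding(config):
    """True if AAA is off or any endpoint has fewer than two servers up front."""
    if not re.search(r"^aaa new-model\s*$", config, re.M):
        return True
    results = check_v215854(config)
    return not results or any(count < 2 for _, count in results.values())
```

Running `check_v215854(SAMPLE_CONFIG)` reports the vty lines and HTTP server with four primary servers but the console with none, so `is_finding(SAMPLE_CONFIG)` is true; `FIXED_CONFIG` binds the console list to the built-in `radius` group (both named servers), and the finding clears. The built-in `radius` and `tacacs+` groups are populated from the named `radius server`/`tacacs server` stanzas and the legacy `radius-server host` form, which is what makes the Fix Text's `group radius` resolve to a count.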