1.4.2.1 Ensure 'TACACS+/RADIUS' is configured correctly - protocol

Information

Defines an AAA server group, and each AAA server that belongs to it, using the TACACS+ or RADIUS protocol.

Rationale:

An authentication, authorization and accounting (AAA) scheme provides an authoritative, centrally managed source for controlling and monitoring access to devices. The ASA supports several protocols for communication with AAA servers: http-form, kerberos, ldap, nt, radius, sdi and tacacs+. This control requires that the server group used for device access be configured with the enterprise-standard protocol, TACACS+ or RADIUS.

Solution

Step 1: Identify the enterprise-standard authentication protocol (protocol_name), either TACACS+ or RADIUS.

Step 2: Run the following to configure the AAA server group for the required protocol:

hostname(config)#aaa-server <server-group_name> protocol <protocol_name>

Step 3: Run the following to configure the AAA server:

hostname(config)#aaa-server <server-group_name> (<interface_name>) host <aaa-server_ip> <shared_key>

server-group_name: the server group configured in Step 2
interface_name: the network interface through which the AAA server is reached
aaa-server_ip: the IP address of the AAA server
shared_key: the TACACS+ or RADIUS shared key; it must match the key configured on the AAA server
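The following Python audit script is an added example, not part of the CIS benchmark or of Tenable's plugin logic. It parses a constructed sample of `show running-config aaa-server` output (the hostnames, group names and addresses are invented) and checks the three things the steps above establish: every server group uses the enterprise-standard protocol, every group has at least one host, and every TACACS+/RADIUS host has a shared key (the ASA writes the key back as an indented `key` sub-line; an inline key token on the `host` line is also accepted). The allowed-protocol set is a parameter because Step 1 makes it an enterprise decision.

```python
"""Audit Cisco ASA 'aaa-server' configuration for the TACACS+/RADIUS protocol control.

Added example. Input is the text of 'show running-config aaa-server' (or a full
running-config); nothing here talks to a device.
"""
import re
from dataclasses import dataclass, field

# Constructed sample output, not captured from a real device. The ASA masks
# keys as 'key *****' in running-config output; RADIUS_GRP's host deliberately
# lacks a key and EMPTY_GRP deliberately has no host, to exercise the checks.
SAMPLE_CONFIG = """\
hostname asa-edge-1
aaa-server TACACS_GRP protocol tacacs+
aaa-server TACACS_GRP (inside) host 10.10.1.20
 key *****
aaa-server TACACS_GRP (inside) host 10.10.1.21
 key *****
aaa-server RADIUS_GRP protocol radius
aaa-server RADIUS_GRP (inside) host 10.10.1.30
aaa-server LDAP_GRP protocol ldap
aaa-server LDAP_GRP (inside) host 10.10.1.40
aaa-server EMPTY_GRP protocol tacacs+
"""

# Step 2 form:  aaa-server <group> protocol <proto>
GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)\s*$")
# Step 3 form:  aaa-server <group> (<iface>) host <ip> [<inline_key>]
HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)(?: (\S+))?\s*$")


@dataclass
class Host:
    interface: str
    address: str
    has_key: bool = False


@dataclass
class ServerGroup:
    protocol: str
    hosts: list = field(default_factory=list)


def parse_aaa_servers(config: str) -> dict:
    """Return {group_name: ServerGroup} from ASA running-config text."""
    groups = {}
    current = None  # host whose indented sub-commands we are reading
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            # Indented line: a sub-command of the preceding 'host' entry.
            if current is not None and raw.split()[0] == "key":
                current.has_key = True
            continue
        current = None
        m = GROUP_RE.match(raw)
        if m:
            groups.setdefault(m.group(1), ServerGroup(protocol=m.group(2).lower()))
            continue
        m = HOST_RE.match(raw)
        if m:
            tag, iface, addr, inline_key = m.groups()
            host = Host(interface=iface, address=addr, has_key=inline_key is not None)
            # A host before its group line means the group was never defined.
            groups.setdefault(tag, ServerGroup(protocol="(undefined)")).hosts.append(host)
            current = host
    return groups


def audit_aaa_servers(config: str, allowed_protocols=("tacacs+", "radius")) -> list:
    """Return human-readable findings; an empty list means the control passes."""
    allowed = {p.lower() for p in allowed_protocols}
    findings = []
    for tag, group in parse_aaa_servers(config).items():
        if group.protocol not in allowed:
            findings.append(
                f"{tag}: protocol '{group.protocol}' is not the enterprise standard "
                f"({', '.join(sorted(allowed))})"
            )
        if not group.hosts:
            findings.append(f"{tag}: server-group has no host configured")
        for h in group.hosts:
            # Both TACACS+ and RADIUS authenticate the server with a shared key.
            if group.protocol in ("tacacs+", "radius") and not h.has_key:
                findings.append(f"{tag}: host {h.address} on ({h.interface}) has no shared key")
    return findings


if __name__ == "__main__":
    for line in audit_aaa_servers(SAMPLE_CONFIG, allowed_protocols=("tacacs+",)):
        print("FAIL", line)
```

Run against a real device by pasting the output of `show running-config aaa-server` into a file and passing its contents to `audit_aaa_servers` with the protocol chosen in Step 1; a group that appears only through `host` lines is reported with protocol `(undefined)`, which the ASA itself would not accept but which guards against truncated captures.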

Default Value:

No AAA server groups or AAA servers are configured by default.

See Also

https://workbench.cisecurity.org/files/3246

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(9), CSCv7|4.3

Plugin: Cisco

Control ID: 7dd9045dede5f2f9f833265fc2f92902a4dab96bc7adf59a46189d49af0d0736