1.1.1.3 Configure AAA Authentication - RADIUS if applicable

Information

RADIUS is an authentication protocol that Cisco NX-OS devices can use for authentication of management users against a remote AAA server. These management users can access the Cisco NX-OS device through any protocol and use this back-end authentication. Using a central authentication store (such as Active Directory) ensures that all administrative actions are tied to named users, making the tracking of changes much easier. It also makes tracking compromised accounts and malicious activities much easier.

Rationale:

Central authentication is key as it minimizes the effort in managing named user accounts. Keeping local admin accounts opens the door to all the issues inherent in shared accounts, namely:

Changes made under a generic admin account cannot be attributed to an individual, so an error in implementation can be denied by everyone.

Shared credentials staying unchanged when administrative staff leave the organization or change roles.

Giving malicious actors the ability to recover shared credentials from saved device backups.

RADIUS is the most widely used protocol for this purpose, since it is a requirement for secure wireless authentication (EAP-TLS). Just as important, RADIUS is much better supported by most non-Cisco vendors for back-end authentication.

Impact:

Implementing RADIUS (or any central authentication solution) ensures that only named users are allowed to gain an administrative session to the device. This allows:

Tracking of all changes back to named users

Simplification of reconciling changes to a change management process

Off-loading password change cycles and password complexity requirements to that central authentication store

Simplification of removing admin access as administrators leave the organization or change their roles in the organization

Solution

First define two or more RADIUS Servers

switch(config)# radius-server host 3.4.5.6 key somekey authentication accounting
switch(config)# radius-server host 4.5.6.7 key someotherkey authentication accounting

Then create an AAA group for RADIUS

switch(config)# aaa group server radius RADIUSGROUP
  server 3.4.5.6
  server 4.5.6.7

Finally, create the authentication lists. Order matters: to be effective, the RADIUS group must appear first in the list. Both the default and console access should be secured in the same way:

switch(config)# aaa authentication login default group RADIUSGROUP local
switch(config)# aaa authentication login console group RADIUSGROUP local

It is common to include 'local' as the last entry in the list, to allow access to administer the device even if the RADIUS servers are offline. Note that while this ensures access when the RADIUS servers are offline or unreachable, it also means that if an attacker can DoS the RADIUS servers, they can authenticate locally as well.
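As an added example (not CIS Workbench or Tenable code), the script below audits the text of 'show running-config' for the three steps above: two or more radius-server hosts, an AAA group whose members are all defined hosts, and default and console login lists that name a RADIUS group as the first method. It also reports the 'local' fallback discussed above as an informational finding rather than a failure. The sample config embedded in it is constructed; it reuses the page's placeholder addresses and deliberately leaves the RADIUS group out of the console list so the audit has something to flag. Acceptance of NX-OS's built-in server group 'radius' as a valid first method is an assumption of this example.

```python
"""Audit Cisco NX-OS 'show running-config' text for the RADIUS AAA settings
described in this item.  Added example, not CIS Workbench or Tenable code."""
import re

# Constructed sample config (not captured from a real device).  It reuses the
# page's placeholder server addresses; the console login list deliberately
# omits the RADIUS group so that the audit has something to flag.
SAMPLE_CONFIG = """\
hostname switch
radius-server host 3.4.5.6 key 7 "xxxxxxxx" authentication accounting
radius-server host 4.5.6.7 key 7 "yyyyyyyy" authentication accounting
aaa group server radius RADIUSGROUP
    server 3.4.5.6
    server 4.5.6.7
aaa authentication login default group RADIUSGROUP local
aaa authentication login console local
"""

HOST_RE = re.compile(r"radius-server host (\S+)")
GROUP_RE = re.compile(r"aaa group server radius (\S+)")
MEMBER_RE = re.compile(r"server (\S+)")
LOGIN_RE = re.compile(r"aaa authentication login (default|console)\s+(.+)")


def parse_config(text):
    """Return (hosts, groups, login) extracted from running-config text.

    hosts  : set of radius-server host addresses/names
    groups : {group name: [member servers]}
    login  : {"default" | "console": [method tokens, e.g. "group", "RADIUSGROUP", "local"]}
    """
    hosts, groups, login = set(), {}, {}
    current_group = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        # Indented lines belong to the aaa group block opened just above.
        if raw[0].isspace() and current_group is not None:
            m = MEMBER_RE.match(raw.strip())
            if m:
                groups[current_group].append(m.group(1))
            continue
        current_group = None
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            hosts.add(m.group(1))
            continue
        m = GROUP_RE.match(line)
        if m:
            current_group = m.group(1)
            groups.setdefault(current_group, [])
            continue
        m = LOGIN_RE.match(line)
        if m:
            login[m.group(1)] = m.group(2).split()
    return hosts, groups, login


def audit(text):
    """Return {"fail": [...], "info": [...]} findings for one running-config."""
    hosts, groups, login = parse_config(text)
    fail, info = [], []

    if len(hosts) < 2:
        fail.append(f"only {len(hosts)} radius-server host(s) defined; two or more are expected")

    for name, members in groups.items():
        if not members:
            fail.append(f"aaa group {name} has no member servers")
        for srv in members:
            if srv not in hosts:
                fail.append(f"aaa group {name} lists {srv}, which has no radius-server host entry")

    for lst in ("default", "console"):
        methods = login.get(lst)
        if methods is None:
            fail.append(f"aaa authentication login {lst} is not configured")
            continue
        shown = " ".join(methods)
        # The first method must be a RADIUS group: 'group <name>' naming a group
        # defined above (accepting the built-in group 'radius' is an assumption).
        first_is_radius = (len(methods) >= 2 and methods[0] == "group"
                           and (methods[1] in groups or methods[1] == "radius"))
        if not first_is_radius:
            fail.append(f"login {lst}: RADIUS group is not the first method ('{shown}')")
        # Not a failure, but worth reporting: with 'local' in the list the
        # device falls back to local accounts whenever RADIUS is unreachable.
        if "local" in methods:
            info.append(f"login {lst}: 'local' fallback present; local accounts "
                        "are usable when the RADIUS servers cannot be reached")
    return {"fail": fail, "info": info}


if __name__ == "__main__":
    for level, msgs in audit(SAMPLE_CONFIG).items():
        for msg in msgs:
            print(f"[{level.upper()}] {msg}")
```

Run against the sample, the audit fails only the console list (it has no RADIUS group) and reports the 'local' fallback on both lists; feeding it the saved output of 'show running-config' from a real device works the same way, since only the four line patterns above are read.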

Default Value:

By default, RADIUS is not implemented.

See Also

https://workbench.cisecurity.org/benchmarks/6524

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(1), CSCv7|16.2

Plugin: Cisco

Control ID: 1a1305279bdfb1847b28fb27f4ee13e1d15b38353537cdec5cc5ac2bd6585f01