6.8.2 Ensure Share-Secret is set for External AAA Servers

Information

External AAA Servers should be configured with a Shared Secret.

Rationale:

RADIUS and TACACS+ are centralized Authentication, Authorization and Accounting (AAA) services.

Both protocols provide services to authenticate users on routers, switches and other systems. Because these servers are being trusted to authenticate and authorized your administrative users, it is vital to ensure the identity of the RADIUS or TACACS+ server.

Each configured External AAA Server must be configured with a Shared Secret to ensure mutual authentication of the Client (the JUNOS Device) and Server.

Impact:

Ensure that External AAA Servers are tested prior to deploying in a live environment.

It is generally recommended to configure a single 'Rescue' or 'Emergency' account locally under the [edit system login] hierarchy to provide access in the event of a AAA failure or mis-configuration prior to deploying External AAA.

Solution

Configure a Shared Secret for all External Authentication Server using the following commands under the [edit system] hierarchy; For RADIUS Servers:

[edit system]
user@host#set radius-server <server ip> secret <shared secret>

For TACACS+ Servers:

[edit system]
user@host#set tacplus-server <server ip> secret <shared secret>

Default Value:

No External AAA is configured by default.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2, CSCv7|16.2

Plugin: Juniper

Control ID: 20d825127db5e17f73bdeb9dffe052e146bcacc760fac7268f921545d80fdaf3