Information
External AAA Servers should be configured with a Shared Secret.
Rationale:
RADIUS and TACACS+ are centralized Authentication, Authorization and Accounting (AAA) services.
Both protocols provide services to Authenticate and Authorization of users on routers, switches and other systems. Because these servers are being trusted to authenticate your administrative users, it is vital to ensure the identity of the RADIUS or TACACS+ server. With both protocols this is achieved by using a Shared Secret.
To ensure resilience and that compromise of a single AAA Server does not result in all AAA Servers being compromised, it is recommended that a different Secret Key be used for each AAA Server. This way, any server suspected of compromise can be taken offline and the remaining servers can remain trusted to provide AAA services.
Because the Shared Secrets are stored as salted hashed values in the JUNOS configuration, it is not possible to readily audit this Recommendation from the JUNOS device, so this Recommendation is not Scored.
Impact:
Ensure that External AAA Servers are tested prior to deploying in a live environment.
It is generally recommended to configure a single 'Rescue' or 'Emergency' account locally under the [edit system login] hierarchy to provide access in the event of a AAA failure or mis-configuration prior to deploying External AAA.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Configure a Shared Secret for all External Authentication Server using the following commands under the [edit system] hierarchy; For RADIUS
[edit system]
user@host#set radius-server <server ip> secret <shared secret> source-address <loopback IP>
For TACACS+
[edit system]
user@host#set tacplus-server <server ip> secret <shared secret> source-address <Loopback IP>
Default Value:
No External AAA is configured by default.