AMLS-NM-000430 - Arista MLS must employ AAA service to centrally manage authentication settings - aaa console

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion.

Solution

Configure AAA services via a remote AAA server for all nonlocal accounts.

Configuration:
aaa group server [radius/tacacs] [name]
[radius/tacacs]-server host [IP Address] vrf [name] key [key]
aaa authentication login default group [group name] [radius/tacacs] [local]
aaa authentication login console [group] [group name/radius/tacacs+] [local]
aaa authentication dot1x default group [group] [radius]
aaa authentication policy on-success log
aaa authentication policy on-failure log
aaa authorization console
aaa authorization exec default local
aaa authorization commands all default local
aaa accounting exec default start-stop logging
aaa accounting system default start-stop logging
aaa accounting commands all default start-stop logging
no aaa root

Example RBAC roles:

role administrator
10 permit command .*

role operator
10 permit command show running-config [all|detail] sanitized
20 deny command >|>>|extension|\||session|do|delete|copy|rmdir|mkdir|python-shell|bash|platform|scp|append|redirect|tee|more|less|who|show run.*
25 deny command bash
30 deny mode config command (no |default ) (username|role|aaa|tcpdump|schedule|event.*)
40 permit command .*
30 deny mode config command (no |default ) (username|role|aaa|tcpdump|schedule|event.*)
40 permit command .*

See Also

http://iasecontent.disa.mil/stigs/zip/Apr2016/U_Arista_MLS_DCS-7000_Series_NDM_V1R2_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2, CAT|I, CCI|CCI-000366, CCI|CCI-000370, Group-ID|V-60885, Rule-ID|SV-75343r1_rule, STIG-ID|AMLS-NM-000430

Plugin: Arista

Control ID: 6fe311a45bd29cea700d97b69f58be1a8ac4d89c02fd336eec18fc2bfc52395e