AMLS-NM-000430 - The Arista Multilayer Switch must employ AAA service to centrally manage authentication settings - show roles

Information

The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure AAA services via a remote AAA server for all nonlocal accounts.

Configuration:
aaa group server [radius/tacacs] [name]
[radius/tacacs]-server host [IP Address] vrf [name] key [key]
aaa authentication login default group [group name] [radius/tacacs] [local]
aaa authentication login console [group] [group name/radius/tacacs+] [local]
aaa authentication dot1x default group [group] [radius]
aaa authentication policy on-success log
aaa authentication policy on-failure log
aaa authorization console
aaa authorization exec default [radius/tacacs] local
aaa authorization commands all default local
aaa accounting exec default start-stop logging
aaa accounting system default start-stop logging
aaa accounting commands all default start-stop logging
no aaa root

Example RBAC roles:

role administrator
10 permit command .*

role operator
10 permit command show running-config [all|detail] sanitized
20 deny command >|>>|extension|\||session|do|delete|copy|rmdir|mkdir|python-shell|bash|platform|scp|append|redirect|tee|more|less|who|show run.*
25 deny command bash
30 deny mode config command (no |default ) (username|role|aaa|tcpdump|schedule|event.*)
40 permit command .*
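
As an added example (not part of the STIG or the Tenable audit), the Python below audits a `show running-config section aaa|role` fragment against the settings this item requires and evaluates role rules the way EOS does, lowest sequence number that matches decides the action. The sample configs are constructed; the role `operator` below is a simplified stand-in for the STIG's example, not a copy of it. Assumed, because the page does not state it: rule patterns match the whole command text (`re.fullmatch`), a rule without `mode` applies in every mode, and a command matching no rule is denied.

```python
"""Audit an Arista EOS running-config fragment for STIG AMLS-NM-000430
and evaluate RBAC role rules (first matching sequence wins)."""
import re

# Constructed sample of `show running-config section aaa|role` output.
GOOD_CONFIG = """\
aaa group server tacacs+ TACGRP
   server 192.0.2.10 vrf MGMT
!
aaa authentication login default group TACGRP local
aaa authentication login console group TACGRP local
aaa authentication policy on-success log
aaa authentication policy on-failure log
aaa authorization console
aaa authorization exec default group TACGRP local
aaa authorization commands all default local
aaa accounting exec default start-stop logging
aaa accounting system default start-stop logging
aaa accounting commands all default start-stop logging
no aaa root
!
role administrator
   10 permit command .*
!
role operator
   10 permit command show running-config sanitized
   20 deny command show run.*
   30 deny mode config command (no |default )(username|role|aaa).*
   40 permit command .*
"""

# Constructed non-compliant sample: local-only login and an enabled root account.
WEAK_CONFIG = """\
aaa authentication login default local
aaa root secret 0 changeme
"""

REQUIRED_LINES = (
    "aaa authentication policy on-success log",
    "aaa authentication policy on-failure log",
    "aaa authorization console",
    "aaa accounting commands all default start-stop logging",
    "no aaa root",
)

RULE_RE = re.compile(r"^(\d+)\s+(permit|deny)\s+(?:mode\s+(\S+)\s+)?command\s+(.*)$")


def parse_config(text):
    """Return (set of non-role config lines, {role: [(seq, action, mode, regex)]})."""
    lines, roles, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("role "):
            current = line.split(None, 1)[1]
            roles[current] = []
            continue
        m = RULE_RE.match(line)
        if current and m:
            seq, action, mode, pattern = m.groups()
            roles[current].append((int(seq), action, mode, re.compile(pattern)))
            continue
        current = None  # any other line ends the role block
        lines.add(line)
    for rules in roles.values():
        rules.sort(key=lambda r: r[0])  # EOS evaluates by sequence number
    return lines, roles


def aaa_findings(lines):
    """Deviations from the required AAA settings, as human-readable strings."""
    findings = []
    groups = {l.split()[4] for l in lines if l.startswith("aaa group server ")}
    login = [l for l in lines if l.startswith("aaa authentication login default ")]
    methods = login[0].split()[4:] if login else []
    # First method must be a server group that is actually defined; local is a fallback only.
    if methods[:1] != ["group"] or len(methods) < 2 or methods[1] not in groups:
        findings.append("default login does not use a defined AAA server group")
    findings.extend(f"missing: {req}" for req in REQUIRED_LINES if req not in lines)
    if any(l.startswith("aaa root") for l in lines):
        findings.append("local root account enabled (expected 'no aaa root')")
    return findings


def is_permitted(roles, role, command, mode="exec"):
    """First rule (by sequence) whose mode and pattern match decides; no match denies (assumption)."""
    for _seq, action, rule_mode, pattern in roles.get(role, []):
        if rule_mode and rule_mode != mode:
            continue
        if pattern.fullmatch(command):
            return action == "permit"
    return False


def audit(text):
    """Convenience wrapper: findings for a config fragment."""
    lines, _roles = parse_config(text)
    return aaa_findings(lines)


if __name__ == "__main__":
    print("good:", audit(GOOD_CONFIG) or "compliant")
    print("weak:", audit(WEAK_CONFIG))
    _, roles = parse_config(GOOD_CONFIG)
    print("operator 'show running-config':", is_permitted(roles, "operator", "show running-config"))
```

Run it against real output by pasting the device's `show running-config section aaa|role` text in place of the constructed samples; the role evaluation is the part worth extending, since a `permit command .*` with a lower sequence number than a `deny` silently wins.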

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Arista_MLS_DCS-7000_Series_Y24M07_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6(1), 800-53|CM-6b., CAT|I, CCI|CCI-000366, CCI|CCI-000370, Rule-ID|SV-217376r961863_rule, STIG-ID|AMLS-NM-000430, STIG-Legacy|SV-75343, STIG-Legacy|V-60885, Vuln-ID|V-217376

Plugin: Arista

Control ID: 4ede0200be74f0aac54da5605e82815d1fd03c419072a36404a942e1fb5e4ebb