CASA-VN-000390 - The Cisco ASA remote access VPN server must be configured to use a separate authentication server than that used for administrative access.

Information

The VPN interacts directly with public networks and devices and should not contain user authentication information for all users. AAA network security services provide the primary framework through which a network administrator can set up access control and authorization on network points of entry or network access servers. It is not advisable to configure access control on the VPN gateway or remote access server. Separation of services provides added assurance to the network if the access control server is compromised.

Solution

Configure the ASA to use a separate authentication server as shown in the example below.

ASA2(config)# aaa-server LDAP protocol ldap
ASA2(config)# aaa-server LDAP (INSIDE) host 10.1.1.1

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_ASA_Y24M10_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(2)(c), CAT|II, CCI|CCI-000187, Rule-ID|SV-239965r666301_rule, STIG-ID|CASA-VN-000390, Vuln-ID|V-239965

Plugin: Cisco

Control ID: e6afb79d77d750025495ea1976a2c1ce5a49bac1e836b8d62bcd2fe29b5049d3