STIGhubSTIGhub
STIGsSearchCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to HPE Aruba Networking AOS VPN Security Technical Implementation Guide

V-266994

CAT II (Medium)

The Remote Access VPN Gateway must use a separate authentication server (e.g., Lightweight Directory Access Protocol [LDAP], Remote Authentication Dial-In User Service [RADIUS], Terminal Access Controller Access-Control System+ [TACACS+] to perform user authentication.

Rule ID

SV-266994r1040748_rule

STIG

HPE Aruba Networking AOS VPN Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000187

Discussion

The VPN interacts directly with public networks and devices and should not contain user authentication information for all users. Authentication, Authorization, and Accounting (AAA) network security services provide the primary framework through which a network administrator can set up access control and authorization on network points of entry or network access servers. It is not advisable to configure access control on the VPN gateway or remote access server. Separation of services provides added assurance to the network if the access control server is compromised.

Check Content

Verify the AOS configuration with the following commands:
show aaa authentication via auth-profile

Note each referenced VIA authentication profile. 

For each referenced VIA authentication profile:
show aaa authentication via auth-profile <name>

Note the server-group. 

For each server-group:
show aaa server-group <name>

If the remote access authentication profile is not set to use a separate authentication server, this is a finding.

Fix Text

Configure AOS with the following commands:

1. crypto pki csr ec curve_name secp384r1 common_name <common_name> country <US> state_or_province <state> city <city> organization <org> unit <unit> email <email>
show crypto pki csr
2. Use DOD PKI to generate a public certificate based on the CSR.
3. Using the web GUI, navigate to Configuration >> System >> Certificates >> Import Certificates. 
4. Click the plus sign (+) and enter "Certificate name:", browse to the public certificate file, choose the appropriate format, select Certificate type: "ServerCert", and click "Submit".
5. Click Pending Changes >> Deploy Changes.

Continue configuring with the CLI:
configure terminal
crypto-local isakmp ca-certificate <CA certificate name>
crypto-local isakmp certificate-group server-certificate <EC certificate name> ca-certificate <CA certificate name>
write memory

crypto dynamic-map <name> <priority>
version v2
set pfs group20
set transform-set default-gcm256
set security-association lifetime seconds 28800
exit
write memory

aaa authentication-server radius <name>
host <A.B.C.D or X:X:X:X::X or hostname>
key <preshared key>
enable
exit
write memory

aaa server-group <name>
auth-server <name>
exit
write memory

ip access-list session <name>
any any any permit 
ipv6 any any any permit
exit
write memory

user-role <name>
access-list session <name>
exit
write memory

aaa authentication via auth-profile <name>
default-role <name>
client-cert-enable
server-group <name>
exit
write memory

aaa authentication via connection-profile <name>
auth-profile <name>
enable-fips
ikev2-policy 10009
ikev2-proto
ikev2auth eap-tls
ipsecv2-cryptomap map <name> number <priority>
max-timeout value <0-65535>
suiteb-crypto
validate-server-cert
exit
write memory

aaa authentication via web-auth default
auth-profile <name>
exit
write memory

user-role <name>
via <name>
exit
write memory