STIGhubSTIGhub
STIGsSearchCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 4 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to HPE Aruba Networking AOS NDM Security Technical Implementation Guide

V-266930

CAT II (Medium)

AOS must implement replay-resistant authentication mechanisms for network access to privileged accounts.

Rule ID

SV-266930r1039811_rule

STIG

HPE Aruba Networking AOS NDM Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001941

Discussion

A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., Transport Layer Security [TLS], Web Services Security [WS_Security]). Additional techniques include time-synchronous or challenge-response one-time authenticators.

Check Content

Verify the AOS configuration using the web interface: 
  
1. Navigate to Configuration >> System >> Admin and expand "Admin Authentication Options".  
2. Verify what "Server group" is handling admin authentication.  
3. Expand "Admin Authentication Servers".  
4. Select the Server Group identified from the "Options" section.  
5. Verify that each authentication server configured in Server Group <server group name> is configured with secure LDAP using port 636 and connection type ldap-s.  
 
If each management authentication server is not configured to use secure LDAP, this is a finding.

Fix Text

Configure AOS using the web interface:  
 
1. Navigate to Configuration >> System >> Admin and expand "Admin Authentication Servers".  
2. Click on the plus sign (+) under "All Servers" and configure the type of authentication server. Provide the Name, Type, and IP address. Click "Submit".  
3. Select the created authentication server and configure the required attributes for LDAP: 
  
Admin-dn <username> 
Admin-passwd <password> 
Re-type admin-passwd <password> 
Auth port: 636 
Base-dn: cn/ou=<container>,dc=<level>,dc=<mil> 
Key-attribute: userPrincipalName 
 
4. Click "Submit".  
5. Repeat this process and configure a second authentication server.  
6. Click Pending Changes >> Deploy Changes.  
7. Click on the plus sign (+) under "Server Groups" and add a server group. Click "Submit".  
8. Select the created server group and click the plus sign (+) in the Server Group <server group name> box.  
9. Add the first configured authentication server.  
10. Reselect the created server group and click the plus sign (+) in the Server Group <server group name> box.  
11. Click Submit >> Pending Changes >> Deploy Changes. 
12. Expand "Admin Authentication Options". Select the Server group created earlier.  
13. Click Submit >> Pending Changes >> Deploy Changes.