STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Cisco IOS XE Switch NDM Security Technical Implementation Guide

V-220565

CAT I (High)

The Cisco switch must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.

Rule ID

SV-220565r1195273_rule

STIG

Cisco IOS XE Switch NDM Security Technical Implementation Guide

Version

V3R6

CCIs

CCI-000370

Discussion

Centralized management of user accounts and authentication increases the administrative access to the switch. This control is a particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device.

Check Content

Review the Cisco switch configuration to verify the device is configured to use at least two authentication servers as the primary source for authentication as shown in the following example:

aaa new-model
!
aaa group server radius RADIUS_GROUP
 server name RADIUS1
 server name RADIUS2
!
aaa authentication login CONSOLE group RADIUS_GROUP local
aaa authentication login LOGIN_AUTHENTICATION group RADIUS_GROUP local
…
…
…
ip http authentication aaa login-authentication LOGIN_AUTHENTICATION
ip http secure-server
…
…
…
radius server RADIUS1
 address ipv4 x.x.x.x  auth-port 1812 acct-port 1813
 key xxxxxxx
!
radius server RADIUS2
 address ipv4 x.x.x.x  auth-port 1812 acct-port 1813
 key xxxxxxx
…
…
…
line con 0
 exec-timeout 5 0
 login authentication CONSOLE
line vty 0 1
 exec-timeout 5 0
 login authentication LOGIN_AUTHENTICATION

If the Cisco switch is not configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access, this is a finding.

Fix Text

Step 1: Configure the Cisco switch to use at least two authentication servers as shown in the following example:

R4(config)#radius server RADIUS1
R4(config-radius-server)#address ipv4 x.x.x.x auth-port 1812 acct-port 1813
R4(config-radius-server)#key xxxxxxx
R4(config-radius-server)#radius server RADIUS2
R4(config-radius-server)#address ipv4 x.x.x.x auth-port 1812 acct-port 1813
R4(config-radius-server)#key xxxxxxx

Step 2: Configure the authentication order to use the authentication servers as the primary source for authentication as shown in the following example:

R4(config)#aaa group server radius RADIUS_GROUP
R4(config)#server name RADIUS1
R4(config)#server name RADIUS2

R4(config)#aaa authentication login CONSOLE group RADIUS_GROUP local

R4(config)#aaa authentication login LOGIN_AUTHENTICATION group RADIUS_GROUP local

Step 3: Configure all network connections associated with a device management to use the authentication servers for the purpose of login authentication.

R4(config)#line vty 0 1
R4(config-line)#login authentication LOGIN_AUTHENTICATION
R4(config-line)#exit
R4(config)#line con 0
R4(config-line)#login authentication CONSOLE
R4(config-line)#exit 
R4(config)#ip http authentication aaa login-authentication LOGIN_AUTHENTICATION