STIGhubSTIGhub
STIGsSearchCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 4 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to HPE Aruba Networking AOS NDM Security Technical Implementation Guide

V-266970

CAT I (High)

AOS must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.

Rule ID

SV-266970r1039931_rule

STIG

HPE Aruba Networking AOS NDM Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000370

Discussion

Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device.

Check Content

Verify the AOS configuration using the web interface: 
  
1. Navigate to Configuration >> System >> Admin and expand "Admin Authentication Options".  
2. Verify what "Server group" is handling admin authentication.  
3. Expand "Admin Authentication Servers".  
4. Select the Server Group identified from the "Options" section.  
5. Verify that at least two authentication servers are configured in the Server Group.  
 
If the admin authentication server group does not have at least two configured authentication servers, this is a finding.

Fix Text

Configure AOS using the web interface:  
 
1. Navigate to Configuration >> System >> Admin and expand "Admin Authentication Servers".  
2. Click on the plus sign (+) under "All Servers" and configure the type of authentication server. Provide the Name, Type, and IP address. Click "Submit".  
3. Select the created authentication server and configure the required attributes for LDAP: 
 
Admin-dn <username> 
Admin-passwd <password> 
Re-type admin-passwd <password> 
Auth port: 636 
Base-dn: cn/ou=<container>,dc=<level>,dc=<mil> 
Key-attribute: userPrincipalName 
 
4. Click "Submit".  
5. Repeat this process and configure a second authentication server.  
6. Click Pending Changes >> Deploy Changes.  
7. Click on the plus sign (+) under "Server Groups" and add a server group. Click "Submit".  
8. Select the created server group and click the plus sign (+) in the Server Group <server group name> box.  
9. Add the first configured authentication server.  
10. Reselect the created server group and click the plus sign (+) in the Server Group <server group name> box. Click "Submit".  
11. Expand "Admin Authentication Options" and select the created server group under "Server group:".  
12. Click Submit >> Pending Changes >> Deploy Changes.