1.5.5 Per User Management Interface Enablement

Information

By default, authenticated users are enabled to access the switch through all of the available management interfaces: ssh, telnet, https-server, and console. Additionally, fine-grained command authorization can be performed using RBAC, but it applies only to the CLI, not to Web-UI/REST API requests. Hence it is recommended to enable only the specific management interfaces each user needs, based on the user type, in one of the following ways:

- Local Per-User Management interface Enablement using CLI
- Remote AAA Servers (Radius/ RadSec/ TACACS+) using VSA

Enabling a per-user management interface on Aruba AOS-CX switches allows network administrators to assign granular permissions and access rights to individual users. This tailored approach enhances the security posture of the network by restricting administrative privileges to only what is necessary for each user.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Local per-user management interface enablement is performed with a CLI command. Example of disabling the SSH management interface for the local user admin1:

switch(config)# no user admin1 management-interface ssh

For remote TACACS+ and RADIUS/RadSec servers, per-user management interface enablement is performed by configuring the AOS-CX VSA Aruba-User-Mgmt-Interface (ID = 69, type = string). On the TACACS+ or RADIUS/RadSec server, the AOS-CX VSA Aruba-User-Mgmt-Interface must be set to a comma-separated list of the management interface names for which login is permitted for the associated user. Management interfaces omitted from the list are disabled for that user. A maximum of four management interface names is allowed, with each management interface name given once. Permitted management interface names (always lowercase) are as follows:

- ssh
- telnet
- https-server
- console

The VSA has a maximum length of 32 characters; the switch ignores the VSA if it is longer than 32 characters. When a user login fails because of an attempt to use a management interface that is not allowed, an event log entry is available indicating the enabled management interfaces as received in the TACACS+ or RADIUS/RadSec VSA.

Example remote server VSA value that enables the two named management interfaces (ssh, telnet) while disabling the two unnamed management interfaces (https-server, console):

Aruba-User-Mgmt-Interface = "ssh,telnet"

Example remote server VSA value that enables all four management interfaces:

Aruba-User-Mgmt-Interface = "ssh,telnet,https-server,console"
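As an added example, not part of the benchmark or of Aruba's own tooling, the following Python checker applies the VSA rules stated above (permitted lowercase names, at most four, each given once, 32-character limit) to a candidate value before it is placed on the RADIUS/RadSec or TACACS+ server. The function names and the sample values are my own.

```python
# Added example, not from the CIS benchmark or Aruba: check a candidate
# Aruba-User-Mgmt-Interface VSA value against the rules the benchmark states
# before it is configured on the RADIUS/RadSec or TACACS+ server.

# Permitted interface names, always lowercase (from the benchmark text).
PERMITTED = ("ssh", "telnet", "https-server", "console")
MAX_LEN = 32      # the switch ignores the VSA if the value is longer than this
MAX_NAMES = 4     # at most four names, each given once


def validate_mgmt_interface_vsa(value: str) -> tuple[bool, list[str], str]:
    """Return (ok, enabled_interfaces, reason).

    ok is False when the switch would ignore the VSA (too long) or when the
    value breaks the documented format (unknown or uppercase name, duplicate,
    more than four names). The reason string says which rule failed.
    """
    if len(value) > MAX_LEN:
        return False, [], f"value is {len(value)} chars; switch ignores VSAs over {MAX_LEN}"
    names = value.split(",")
    if len(names) > MAX_NAMES:
        return False, [], f"{len(names)} names given; at most {MAX_NAMES} allowed"
    enabled: list[str] = []
    for name in names:
        if name not in PERMITTED:
            return False, [], f"{name!r} is not a permitted lowercase interface name"
        if name in enabled:
            return False, [], f"{name!r} is listed more than once"
        enabled.append(name)
    return True, enabled, "ok"


def disabled_interfaces(value: str) -> list[str]:
    """Interfaces the user is denied: everything omitted from a valid value."""
    ok, enabled, reason = validate_mgmt_interface_vsa(value)
    if not ok:
        raise ValueError(reason)
    return [name for name in PERMITTED if name not in enabled]


if __name__ == "__main__":
    # Constructed sample values: the two from the benchmark plus common mistakes
    # (uppercase name, duplicate, stray space after the comma, over-long value).
    for candidate in ("ssh,telnet", "ssh,telnet,https-server,console",
                      "SSH,console", "ssh,ssh", "ssh, telnet",
                      "ssh,telnet,https-server,console,x"):
        ok, enabled, reason = validate_mgmt_interface_vsa(candidate)
        print(f"{candidate!r}: ok={ok} enabled={enabled} ({reason})")
```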

Impact:

Implementing per-user management ensures compliance with organizational access control policies, reducing the risk of unauthorized changes to the switch configuration.

See Also

https://workbench.cisecurity.org/benchmarks/24202