3.1.2 Ensure access profile is set to use CHAP


CHAP authentication MUST be used when incoming calls are permitted.


Some JUNOS routers support the use of a dial-in modem connection for Telnet/SSH administration of the router from a remote location over the telephone network.

This can provide a useful out-of-band management channel, allowing access to a customer router at a remote site when the primary circuit has failed, for example, but it also creates a new route for attack, allowing a malicious user to bypass firewalls and other defenses.

Even when the phone number for the modem is kept secret, attackers may still discover it through war dialing, possibly narrowing targets by researching the number ranges used by your organization.

To limit the scope for such an attack, the dialer interface should be configured to use the Challenge Handshake Authentication Protocol (CHAP) before allowing calls to connect. Using CHAP, a username and password can be configured for each user that needs to connect to the router via the modem. The password should not be the same as the one used to log in to the router's CLI itself.

NOTE: A dialer interface was not found. This check is not applicable.


If you have configured a dialer interface to accept incoming calls, you should configure CHAP authentication using the following commands from the indicated hierarchy (where n is the interface number):

[edit access]
user@host#set profile <profile name> client <username> chap-secret <password>

user@host#edit interfaces dl <n> unit 0

[edit interfaces dl <n> unit 0]
user@host#set ppp-options chap access-profile <profile name>

Repeat the first command for each user that is required.
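The following script is an added example, not part of this audit item or of Tenable's plugin code. It applies the check described above offline to the output of "show configuration | display set": for every dialer unit it reports whether ppp-options chap references an access profile that actually defines at least one client with a chap-secret, and it reports the whole check as not applicable when no dialer interface exists. The sample configuration, profile names and secrets embedded in it are constructed for the example.

```python
"""Offline compliance check: dialer interfaces must use CHAP via an access profile.

Input is the text of 'show configuration | display set' from a JUNOS router.
Everything below (profile names, secrets, interface numbers) is constructed
sample data, not taken from a real device.
"""
import re
from typing import Dict, Optional, Set

# Constructed sample output in 'display set' form.
# dl0.0 is compliant, dl1.0 has no CHAP at all, dl2.0 points at a profile
# that defines no chap-secret clients.
SAMPLE_CONFIG = """
set access profile dialer-chap client remoteadmin chap-secret "$9$EXAMPLE"
set interfaces dl0 unit 0 ppp-options chap access-profile dialer-chap
set interfaces dl0 unit 0 family inet address 10.0.0.1/32
set interfaces dl1 unit 0 family inet address 10.0.0.2/32
set interfaces dl2 unit 0 ppp-options chap access-profile missing-profile
"""

# 'set access profile <name> client <user> chap-secret <secret>'
PROFILE_RE = re.compile(r"^set access profile (\S+) client (\S+) chap-secret ")
# Any statement under 'interfaces dl<n> unit <u>'
DIALER_RE = re.compile(r"^set interfaces (dl\d+) unit (\d+) ")
# The specific statement the control requires
CHAP_RE = re.compile(
    r"^set interfaces (dl\d+) unit (\d+) ppp-options chap access-profile (\S+)$"
)


def parse_chap_profiles(config: str) -> Dict[str, Set[str]]:
    """Map access-profile name -> set of client usernames that carry a chap-secret."""
    profiles: Dict[str, Set[str]] = {}
    for line in config.splitlines():
        m = PROFILE_RE.match(line.strip())
        if m:
            profiles.setdefault(m.group(1), set()).add(m.group(2))
    return profiles


def parse_dialer_units(config: str) -> Dict[str, Optional[str]]:
    """Map 'dlN.U' -> referenced CHAP access profile, or None if CHAP is not set."""
    units: Dict[str, Optional[str]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = DIALER_RE.match(line)
        if not m:
            continue
        key = f"{m.group(1)}.{m.group(2)}"
        units.setdefault(key, None)  # record the unit even without CHAP
        c = CHAP_RE.match(line)
        if c:
            units[key] = c.group(3)
    return units


def check_chap(config: str) -> Dict[str, str]:
    """Per-dialer-unit PASS/FAIL verdict with the reason."""
    profiles = parse_chap_profiles(config)
    results: Dict[str, str] = {}
    for unit, profile in parse_dialer_units(config).items():
        if profile is None:
            results[unit] = "FAIL: no 'ppp-options chap access-profile' configured"
        elif profile not in profiles:
            results[unit] = f"FAIL: access profile '{profile}' defines no chap-secret clients"
        else:
            n = len(profiles[profile])
            results[unit] = f"PASS: CHAP via profile '{profile}' ({n} client(s))"
    return results


def overall(config: str) -> str:
    """Whole-check status: NOT APPLICABLE when no dialer interface exists."""
    results = check_chap(config)
    if not results:
        return "NOT APPLICABLE"
    return "FAIL" if any(v.startswith("FAIL") for v in results.values()) else "PASS"


if __name__ == "__main__":
    for unit, verdict in check_chap(SAMPLE_CONFIG).items():
        print(f"{unit}: {verdict}")
    print("Overall:", overall(SAMPLE_CONFIG))
```

Feed the script the saved "display set" output of each router; a unit that fails because its profile has no clients is the case easiest to miss by eye, since the interface side of the configuration looks complete.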

Item Details


References: 800-53|SC-7(15), CSCv7|11.7

Plugin: Juniper

Control ID: 095f3d052f05bb8d5dca993729b03ae2670526609d6018d248133e396bc510e4