1.4.2.1 Ensure 'TACACS+/RADIUS' is configured correctly - server

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Specifies the AAA server-group and each individual server using the TACACS+ or RADIUS protocol

Rationale:

Authentication, authorization and accounting (AAA) scheme provide an authoritative source for managing and monitoring access for devices. Many protocols are supported for the communication between the systems and the AAA servers: http-form, kerberos, ldap, nt, radius, sdi, tacacs+.

Solution

* Step 1: Acquire the enterprise standard protocol (protocol_name) for authentication (TACACS+ or RADIUS)
* Step 2: Run the following to configure the AAA server-group for the required protocol

hostname(config)#aaa-server _<server-group_name_> protocol _<protocol_name> _

* Step 3: Run the following to configure the AAA server:

hostname(config)#aaa-server _<server-group_name>_ (_<interface_name>_) host _<aaa-server_ip>_ _<shared_key>_

_server-group_name: _the above server-group configured

_interface_name: _the network interface from which the AAA server will be accessed

_aaa-server_ip: _the IP address of the AAA server

_shared_key: _the TACACS+ or RADIUS shared key

See Also

https://benchmarks.cisecurity.org/tools2/cisco/CIS_Cisco_Firewall_Benchmark_v4.0.0.pdf

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2

Plugin: Cisco

Control ID: 4c869c0f561f892dff9058e3469f3eea2c37df7160760099e64e4c75dc783b06