The Remote Access VPN Gateway must use a separate authentication server (e.g., Lightweight Directory Access Protocol [LDAP], Remote Authentication Dial-In User Service [RADIUS], Terminal Access Controller Access-Control System+ [TACACS+] to perform user authentication.

An XCCDF Rule

Description

The VPN interacts directly with public networks and devices and should not contain user authentication information for all users. Authentication, Authorization, and Accounting (AAA) network security services provide the primary framework through which a network administrator can set up access control and authorization on network points of entry or network access servers. It is not advisable to configure access control on the VPN gateway or remote access server. Separation of services provides added assurance to the network if the access control server is compromised.

ID: SV-266994r1040748_rule
Version: ARBA-VN-000580
Severity: Medium
References: CCI-000187
Updated: about 2 months ago

Remediation Templates

Configure AOS with the following commands:

1. crypto pki csr ec curve_name secp384r1 common_name <common_name> country <US> state_or_province <state> city <city> organization <org> unit <unit> email <email>
show crypto pki csr
2. Use DOD PKI to generate a public certificate based on the CSR.
3. Using the web GUI, navigate to Configuration >> System >> Certificates >> Import Certificates. 4. Click the plus sign (+) and enter "Certificate name:", browse to the public certificate file, choose the appropriate format, select Certificate type: "ServerCert", and click "Submit".
5. Click Pending Changes >> Deploy Changes.

Continue configuring with the CLI:
configure terminal
crypto-local isakmp ca-certificate <CA certificate name>
crypto-local isakmp certificate-group server-certificate <EC certificate name> ca-certificate <CA certificate name>
write memory

crypto dynamic-map <name> <priority>
version v2
set pfs group20
set transform-set default-gcm256
set security-association lifetime seconds 28800
exit
write memory

aaa authentication-server radius <name>
host <A.B.C.D or X:X:X:X::X or hostname>
key <preshared key>
enable
exit
write memory

aaa server-group <name>
auth-server <name>
exit
write memory

ip access-list session <name>
any any any permit 
ipv6 any any any permit
exit
write memory

user-role <name>
access-list session <name>
exit
write memory

aaa authentication via auth-profile <name>
default-role <name>
client-cert-enable
server-group <name>
exit
write memory

aaa authentication via connection-profile <name>
auth-profile <name>
enable-fips
ikev2-policy 10009
ikev2-proto
ikev2auth eap-tls
ipsecv2-cryptomap map <name> number <priority>
max-timeout value <0-65535>
suiteb-crypto
validate-server-cert
exit
write memory

aaa authentication via web-auth default
auth-profile <name>
exit
write memory

user-role <name>
via <name>
exit
write memory

The Remote Access VPN Gateway must use a separate authentication server (e.g., Lightweight Directory Access Protocol [LDAP], Remote Authentication Dial-In User Service [RADIUS], Terminal Access Controller Access-Control System+ [TACACS+] to perform user authentication.

Description

Remediation Templates

A Manual Procedure