The VPN Gateway must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

An XCCDF Rule

Description

To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses except the following. (i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and (ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals' in-group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN or proxy capability). This does not apply to authentication for the purpose of configuring the device itself (i.e., device management). Satisfies: SRG-NET-000138-VPN-000490, SRG-NET-000166-VPN-000590, SRG-NET-000341-VPN-001350

ID: SV-266995r1040751_rule
Version: ARBA-VN-000490
Severity: Medium
References: CCI-000187 CCI-000764 CCI-001953
Updated: about 2 months ago

Remediation Templates

Configure AOS with the following commands:

1. crypto pki csr ec curve_name secp384r1 common_name <common_name> country <US> state_or_province <state> city <city> organization <org> unit <unit> email <email>
show crypto pki csr
2. Use DOD PKI to generate a public certificate based on the CSR.
3. Using the web GUI, navigate to Configuration >> System >> Certificates >> Import Certificates. 4. Click the plus sign (+) and enter "Certificate name:", browse to the public certificate file, choose the appropriate format, select Certificate type: "ServerCert", and click "Submit".
5. Click Pending Changes >> Deploy Changes.

Continue configuring with the CLI:
configure terminal
crypto-local isakmp ca-certificate <CA certificate name>
crypto-local isakmp certificate-group server-certificate <EC certificate name> ca-certificate <CA certificate name>
write memory

crypto dynamic-map <name> <priority>
version v2
set pfs group20
set transform-set default-gcm256
set security-association lifetime seconds 28800
exit
write memory

aaa authentication-server radius <name>
host <A.B.C.D or X:X:X:X::X or hostname>
key <preshared key>
enable
exit
write memory

aaa server-group <name>
auth-server <name>
exit
write memory

ip access-list session <name>
any any any permit 
ipv6 any any any permit
exit
write memory

user-role <name>
access-list session <name>
exit
write memory

aaa authentication via auth-profile <name>
default-role <name>
client-cert-enable
server-group <name>
exit
write memory

aaa authentication via connection-profile <name>
auth-profile <name>
enable-fips
ikev2-policy 10009
ikev2-proto
ikev2auth eap-tls
ipsecv2-cryptomap map <name> number <priority>
max-timeout value <0-65535>
suiteb-crypto
validate-server-cert
exit
write memory

aaa authentication via web-auth default
auth-profile <name>
exit
write memory

user-role <name>
via <name>
exit
write memory

The VPN Gateway must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

Description

Remediation Templates

A Manual Procedure