The Riverbed NetProfiler must be configured to authenticate each administrator prior to authorizing privileges based on roles.

An XCCDF Rule

Description

<VulnDiscussion>The lack of role-based access control could result in the immediate compromise of and unauthorized access to sensitive information. Additionally, without mapping the PKI certificate to a unique user account, the ability to determine the identities of individuals or assert nonrepudiation is lost. Individual accountability mandates that each administrator is uniquely identified. For public key infrastructure (PKI)-based authentication, the device must be configured to map validated certificates to unique user accounts. This requirement applies to accounts or roles created and managed on or by the network device. Satisfies: SRG-APP-000153-NDM-000249, SRG-APP-000119-NDM-000236, SRG-APP-000120-NDM-000237, SRG-APP-000121-NDM-000238, SRG-APP-000122-NDM-000239, SRG-APP-000123-NDM-000240, SRG-APP-000329-NDM-000287, SRG-APP-000177-NDM-000263, SRG-APP-000033-NDM-000212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-256079r882745_rule
Severity: High
References: CCI-000163 CCI-000164 CCI-000166 CCI-000187 CCI-000213 CCI-000366 CCI-000370 CCI-000764 CCI-000770 CCI-001493 CCI-001494 CCI-001495 CCI-002169
Updated: about 1 year ago

Although all individual admin accounts must be configured on an authentication server, the NetProfiler must be configured to point to a PKI-based authentication server and the NetProfiler roles must be mapped to the authorization attributes on the authentication server.

The following is an example using RADIUS. Refer to the user's guide for instructions for TACACS+ or SAML. 

Users who do not have a NetProfiler or NetExpress account must have both their authentication information (login name, password) and authorization information (user role indicated by the value of the Class attribute or the Cascade-User-Role attribute) specified on the RADIUS server. The values of the RADIUS authorization attributes must be mapped to their corresponding user roles on NetProfiler or NetExpress.
The values on the RADIUS server and the values on NetProfiler or NetExpress must match for the user to be logged on. To map the NetProfiler or NetExpress user roles to RADIUS authorization attributes:

1. Click "Edit" in the Roles-Attributes Mapping section of the RADIUS tab of the Configuration >> Account Management >> Remote Authentication page. 
2. For the first user role, click "Add new attribute" to display an edit box.
3. Select the RADIUS authorization attribute (Class or Cascade-User-Role). (If assigning the Restricted user account role, use the Restricted-Filter attribute to limit the account to traffic specified by traffic expressions. Refer to the in-product help system for additional information about Restricted user accounts.)
4. Enter the value of the attribute that is required for a RADIUS-authorized user to be logged on in this user role.
5. If applicable, click "Add new attribute" to add another mapping.
6. Continue with the next user role that is to be authorized by RADIUS.
7. When the RADIUS authorization attributes have been mapped to their corresponding NetProfiler user roles, click "Save".

The Riverbed NetProfiler must be configured to authenticate each administrator prior to authorizing privileges based on roles.

Description

Remediation - Manual Procedure