From Authentication Authorization and Accounting Service Security Requirements Guide
Part of SRG-APP-000142-AAA-000002
Associated with: CCI-000382
Authentication protection of the client password or shared secret prevents unauthorized access to resources. The RADIUS protocol encrypts only the password in the Access-Request packet sent from the client to the AAA server; the remainder of the packet is unencrypted, so other information, such as username, authorized services, and accounting data, can be captured by a third party. TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header in cleartext; within that header is a flag field that indicates whether the body is encrypted. Other protocols have similar protections. When passwords are passed unencrypted, adversaries can gain access to resources.
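The following example, added here for illustration and not part of the SRG text, shows the two protocol behaviours the discussion describes: it hides a RADIUS User-Password the way RFC 2865 section 5.2 specifies (so that only that attribute is protected while User-Name stays visible in the packet), and it decodes the cleartext TACACS+ header from RFC 8907 to read the flag that says whether the body is encrypted. All packet values, the shared secret, and the Request Authenticator are constructed sample data.

```python
import hashlib
import struct

# RADIUS code points from RFC 2865 used below.
RADIUS_ACCESS_REQUEST = 1
RADIUS_USER_NAME = 1
RADIUS_USER_PASSWORD = 2

# TACACS+ header flag bits from RFC 8907.
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04


def _radius_password_blocks(data: bytes, secret: bytes, request_authenticator: bytes, hide: bool) -> bytes:
    """Core of RFC 2865 section 5.2 User-Password hiding.

    Each 16-octet block is XORed with MD5(secret + previous ciphertext block);
    the first 'previous block' is the 16-octet Request Authenticator. The same
    loop hides (client side) and reveals (server side); only the block fed
    back into the next MD5 differs.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    out = b""
    prev = request_authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, keystream))
        out += result
        prev = result if hide else block
    return out


def radius_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Obfuscate a cleartext password as a NAS does before sending an Access-Request."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    if not padded:
        padded = b"\x00" * 16  # RFC 2865 requires at least one 16-octet block
    return _radius_password_blocks(padded, secret, request_authenticator, hide=True)


def radius_reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Recover the cleartext, as the AAA server holding the shared secret does."""
    return _radius_password_blocks(hidden, secret, request_authenticator, hide=False).rstrip(b"\x00")


def radius_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (length counts the 2 header octets)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, request_authenticator: bytes) -> bytes:
    """Assemble a minimal Access-Request: 20-octet header plus two attributes.

    User-Name goes on the wire verbatim; only User-Password is hidden.
    """
    attrs = radius_attribute(RADIUS_USER_NAME, username)
    attrs += radius_attribute(RADIUS_USER_PASSWORD,
                              radius_hide_password(password, secret, request_authenticator))
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_authenticator + attrs


def parse_tacacs_header(data: bytes) -> dict:
    """Decode the 12-octet TACACS+ header, which is never encrypted.

    Bit 0x01 of the flags octet (TAC_PLUS_UNENCRYPTED_FLAG) is what a reviewer
    checks: if it is set, the body that follows the header is cleartext.
    """
    if len(data) < 12:
        raise ValueError("TACACS+ header is 12 octets")
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", data[:12])
    return {
        "major_version": version >> 4,
        "minor_version": version & 0x0F,
        "type": ptype,
        "seq_no": seq_no,
        "body_encrypted": not (flags & TAC_PLUS_UNENCRYPTED_FLAG),
        "single_connect": bool(flags & TAC_PLUS_SINGLE_CONNECT_FLAG),
        "session_id": session_id,
        "body_length": length,
    }


# Constructed sample values (not from any real deployment).
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_ENCRYPTED_TACACS = struct.pack("!BBBBII", 0xC0, 0x01, 1, 0x00, 0x1234ABCD, 40)
SAMPLE_CLEARTEXT_TACACS = struct.pack("!BBBBII", 0xC0, 0x01, 1, TAC_PLUS_UNENCRYPTED_FLAG, 0x1234ABCD, 40)


if __name__ == "__main__":
    pkt = build_access_request(7, b"alice", b"correct horse", SAMPLE_SECRET, SAMPLE_AUTHENTICATOR)
    print("User-Name visible in packet:", b"alice" in pkt)
    print("password visible in packet:", b"correct horse" in pkt)
    for hdr in (SAMPLE_ENCRYPTED_TACACS, SAMPLE_CLEARTEXT_TACACS):
        print("TACACS+ body encrypted:", parse_tacacs_header(hdr)["body_encrypted"])
```

Running the script prints that the username is present in the RADIUS packet while the password is not, and that the first TACACS+ header advertises an encrypted body while the second does not. The RADIUS hiding is keyed only by the shared secret and a per-request authenticator, which is why the strength of the shared secret and the use of an additional transport protection matter in a review, and why a TACACS+ header with the unencrypted flag set is a finding under this requirement.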
Verify the AAA Service is configured to use protocols that encrypt passwords when authenticating clients. Both the RADIUS and TACACS+ protocols are acceptable when configured to perform encryption. For any protocol implemented, the PPSM CAL and vulnerability assessments must be reviewed to ensure the protocols are properly configured. If the AAA Service is not configured to use protocols that encrypt passwords when authenticating clients, as defined in the PPSM CAL and vulnerability assessments, this is a finding.
Configure the AAA Service to use protocols that encrypt passwords when authenticating clients. Both the RADIUS and TACACS+ protocols are acceptable when configured to perform encryption. For any protocol implemented, the PPSM CAL and vulnerability assessments must be reviewed to ensure the protocols are properly configured.