The network device must require authentication for console access.

From Infrastructure Router Security Technical Implementation Guide Juniper

Part of Authentication required for console access.

Associated with IA controls: IAIA-2, IAIA-1

SV-28747r3_rule The network device must require authentication for console access.

Vulnerability discussion

Network devices with no password for administrative access via the console provide the opportunity for anyone with physical access to the device to make configuration changes enabling them to disrupt network operations resulting in a network outage.

Check content

Review the network device's configuration and verify authentication is required for console access. With the exception of root, all user access privileges to a Juniper router are defined in a class. All users who log in to the router must be in a login class. Hence, user access to the router is via login class as shown in the following example: [edit system] authentication-order [ radius password ]; radius-server { 192.168.6.5 { secret "xxxxxxx"; } } login { /* login classes */ class tier1 { idle-timeout 10; permissions all; } class tier2 { idle-timeout 10; permissions [ configure interface network routing snmp system trace view firewall ]; } /* local emgergency account */ user admin { full-name Administrator; uid 2000; class tier1; authentication { encrypted-password "xxxx"; # SECRET-DATA } } /* RADIUS templates */ user tier1 { uid 2001; class tier1; } user tier2 { uid 2002; class tier2; } } Note: Since the root account does not belong to a class and you can access root via console, disable the ability to login at the console using the root account by making the console insecure as follows: [edit system] console { insecure; }

Fix text

Configure authentication for console access on the network device.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer