Details
Where external Authentication, Authorization and Accounting services using either RADIUS or TACACS+ are used, accounting data should be sent to at least one AAA server destination.
Rationale:
RADIUS and TACACS+ are centralized Authentication, Authorization and Accounting (AAA) services.
Both protocols provide services to receive and record information about what users and processes on a router are doing.
Where RADIUS or TACACS+ are configured for AAA, at least one accounting RADIUS or TACACS+ server should be configured to record accounting data for the JUNOS device. Generally, it is recommended that more than one server be used to ensure resilience of this vital service.
Solution
To configure one or more RADIUS or TACACS+ servers as accounting destinations, use the following commands under the [edit system accounting destination] hierarchy.
For RADIUS:
[edit system accounting destination]
user@host# set radius server <server-ip> secret <secret>
For TACACS+:
[edit system accounting destination]
user@host# set tacplus server <server-ip> secret <secret>
Default Value:
Accounting is not configured by default.
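One way to audit this control offline, as an added example that is not part of the original benchmark text: the script reads a configuration exported with `show configuration | display set` and reports whether an active accounting destination server exists when external AAA servers are configured. The function name, the status strings and the sample configuration are assumptions constructed for illustration.

```python
# Added example: audit a Junos `display set` export for accounting destinations.
# Constructed sample config; addresses and secrets are placeholders.
SAMPLE_CONFIG = """\
set system authentication-order tacplus
set system tacplus-server 192.0.2.10 secret "$9$constructed"
set system tacplus-server 192.0.2.11 secret "$9$constructed"
set system accounting events login
set system accounting destination tacplus server 192.0.2.10 secret "$9$constructed"
"""

def audit_accounting(config_text):
    """Return (status, active accounting servers); status names are hypothetical."""
    aaa_protocols, destinations, inactive = set(), set(), []
    for raw in config_text.splitlines():
        tokens = raw.split()
        if len(tokens) < 3:
            continue
        if tokens[0] == "deactivate":
            inactive.append(tokens[1:])          # path that Junos ignores at commit
        elif tokens[:2] == ["set", "system"]:
            if tokens[2] in ("radius-server", "tacplus-server") and len(tokens) > 3:
                aaa_protocols.add(tokens[2].split("-")[0])
            elif (tokens[2:4] == ["accounting", "destination"] and len(tokens) > 6
                  and tokens[4] in ("radius", "tacplus") and tokens[5] == "server"):
                destinations.add(tuple(tokens[1:7]))
    # A destination counts only if no deactivated path is a prefix of its path.
    active = sorted(
        (path[3], path[5]) for path in destinations
        if not any(list(path[:len(p)]) == p for p in inactive)
    )
    if not aaa_protocols:
        return "NOT_APPLICABLE", active   # no external AAA servers configured
    if not active:
        return "FAIL", active             # AAA in use, nothing records accounting
    # The control passes with one server; the page recommends more for resilience.
    return ("PASS" if len(active) > 1 else "PASS_SINGLE_SERVER"), active

if __name__ == "__main__":
    print(audit_accounting(SAMPLE_CONFIG))
```

The sample passes with a single destination; a `deactivate system accounting ...` line covering that destination turns the result into a failure.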
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Audit and Accountability. This control applies to the following type of system: Juniper.