CASA-VN-000390 – The Cisco ASA remote access VPN server must be configured to use a separate authentication server than that used for administrative access.

Details

The VPN interacts directly with public networks and devices and should not contain user authentication information for all users. AAA network security services provide the primary framework through which a network administrator can set up access control and authorization on network points of entry or network access servers. It is not advisable to configure access control on the VPN gateway or remote access server. Separation of services provides added assurance to the network if the access control server is compromised.

Solution

Configure the ASA to use a separate authentication server as shown in the example below.

ASA2(config)# aaa-server LDAP protocol ldap
ASA2(config)# aaa-server LDAP (INSIDE) host 10.1.1.1

Supportive Information

The following resource is also helpful.

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_ASA_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication.This control applies to the following type of system Cisco.

References

800-53|IA-5(2)(c)
CAT|II
CCI|CCI-000187
Rule-ID|SV-239965r666301_rule
STIG-ID|CASA-VN-000390
Vuln-ID|V-239965

Source

Tenable.com/audits

Updated on July 16, 2022

Was this article helpful?

Yes No

Details

Solution

Supportive Information

References

Source

Related Articles