The HPE Alletra Storage ArcusOS device must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.

Severity: high
Group ID: V-283425
Group Title: SRG-APP-000516-NDM-000336
Version: ASMP-ND-001060
Rule ID: SV-283425r1194969_rule
Date: 2026-03-03
STIG Version: 1

Description

Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important as protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and burdens system administrators with multiple authenticators for each network device.

Satisfies: SRG-APP-000516-NDM-000336, SRG-APP-000156-NDM-000250, SRG-APP-000177-NDM-000263

ℹ️ Check

Determine if the system is configured to use a primary and secondary authentication server with the following command:

cli% showauthparam
ldap-type MSAD
accounts-dn <accounts dn configuration>
super-map <super-map configuration>
edit-map <edit-map configuration>
browse-map <browse-map configuration>
service-map <service-map configuration>
ldap-StartTLS require
kerberos-realm <Kerberos-realm configuration>
ldap-2FA-cert-field subjectAlt:rfc822Name
ldap-2FA-object-attr mail
ldap-server <server hostname>
ldap-server <server hostname>
ldap-ssl-cacert: -----BEGIN CERTIFICATE-----

If the command output does not list authparams for ldap-type, kerberos-realm, accounts-dn, ldap-ssl-cacert, and at least one role map (e.g., super-map), this is a finding.

If there are not two ldap-server lines, this is a finding.

If ldap-StartTLS is not set to require, this is a finding.

If the ldap-reqcert authparam is not set to "1", this is a finding.

✔️ Fix

Use the following commands to configure the primary and secondary authentication servers.

cli% setauthparam -f ldap-type <type>
where type is MSAD, RHDS or OPEN.

cli% setauthparam ldap-server <primary hostname> <secondary hostname>

cli% setauthparam -f accounts-dn <base of the AD subtree, such as CN=Users,DC=win2k12forest,DC=thisdomain,DC=com>

cli% setauthparam -f kerberos-realm <Kerberos-realm configuration>

cli% setauthparam -f ldap-reqcert 1

Set up a role map, such as the super role:
cli% setauthparam -f super-map <customer-assigned name of "super" group>

Enable TLS with:
cli% setauthparam -f ldap-StartTLS require
or
cli% setauthparam -f ldap-ssl 1

Import a TLS certificate:
cli% importcert ldap -f stdin
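To apply the Check section's conditions to captured showauthparam output (for example, when reviewing many arrays), the following added Python example, which is not part of the STIG or of HPE's tooling, parses the output and returns the findings. The sample output is constructed (hostnames, DN and realm are placeholders), and the line-per-param layout with a PEM body after ldap-ssl-cacert is assumed from the listing above.

```python
from collections import defaultdict

# Params the Check requires, plus the role maps of which at least one must exist.
REQUIRED = ("ldap-type", "kerberos-realm", "accounts-dn", "ldap-ssl-cacert")
ROLE_MAPS = ("super-map", "edit-map", "browse-map", "service-map")

def parse_authparams(output):
    """Map each authparam to the list of values seen (ldap-server repeats)."""
    params, in_cert = defaultdict(list), False
    for raw in output.splitlines():
        line = raw.strip()
        if in_cert:  # skip the PEM body that follows ldap-ssl-cacert
            in_cert = not line.startswith("-----END")
            continue
        if not line or line.startswith(("cli%", "-----BEGIN")):
            in_cert = line.startswith("-----BEGIN")
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if value.startswith("-----BEGIN"):  # "ldap-ssl-cacert: -----BEGIN ..."
            in_cert = True
        params[key.rstrip(":")].append(value)
    return dict(params)

def evaluate(params):
    # Returns the finding list; an empty list means the device passes this rule.
    findings = [f"{p} is not configured" for p in REQUIRED if p not in params]
    if not any(m in params for m in ROLE_MAPS):
        findings.append("no role map (e.g., super-map) is configured")
    if len(params.get("ldap-server", [])) < 2:
        findings.append("fewer than two ldap-server entries")
    if params.get("ldap-StartTLS") != ["require"]:
        findings.append("ldap-StartTLS is not set to require")
    if params.get("ldap-reqcert") != ["1"]:
        findings.append("ldap-reqcert is not set to 1")
    return findings

# Constructed sample output for a compliant device (placeholder values).
COMPLIANT = """cli% showauthparam
ldap-type MSAD
accounts-dn CN=Users,DC=example,DC=test
super-map StorageAdmins
ldap-StartTLS require
kerberos-realm EXAMPLE.TEST
ldap-server ldap1.example.test
ldap-server ldap2.example.test
ldap-reqcert 1
ldap-ssl-cacert: -----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
"""
```

Running evaluate(parse_authparams(COMPLIANT)) yields an empty list; dropping the second ldap-server line produces the "fewer than two ldap-server entries" finding.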