The Riverbed NetIM must be configured to use an authentication server configured for multifactor authentication (MFA) using DOD PKI for the purpose of authenticating users prior to granting administrative access.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| high | V-275461 | SRG-APP-000516-NDM-000336 | RIIM-DM-000015 | SV-275461r1148276_rule | 2025-09-29 | 1 |
| Description |
|---|
| MFA is the requirement that two or more factors be used to confirm the identity of an individual who is requesting access to digital information resources. Valid factors include something the individual knows (e.g., a username and password), something the individual has (e.g., a smartcard or token), or something the individual is (e.g., a fingerprint or other biometric). Legacy information system environments use only a single factor for authentication, typically a username and password combination. Although two pieces of data are used in a username and password combination, this is still considered single factor because an attacker can obtain access simply by learning what the user knows. Common attacks against single-factor authentication target user passwords: brute-force password guessing, password spraying, and credential stuffing. MFA, along with strong user account hygiene, helps mitigate the threat of account passwords being discovered by an attacker. Even after a password compromise, with MFA implemented and required for interactive login the attacker still needs to acquire something the user has or replicate a piece of the user's biometric digital presence. Private industry recognizes and uses a variety of MFA solutions. However, DOD public key infrastructure (PKI) is the only prescribed method approved for DOD organizations to implement MFA. For authentication purposes, centralized DOD certificate authorities (CA) issue PKI key pairs (public and private) and certificates to individuals using the prescribed X.509 format. The private keys and their certificates are stored on smartcards, referred to within the DOD as common access cards (CAC) or personal identity verification (PIV) cards. This happens at designated DOD badge facilities. The CA maintains a record of the corresponding public keys for use with PKI-enabled environments. |
Privileged user smartcards, or "alternate tokens", function in the same manner, so this requirement applies to all interactive user sessions (authorized and privileged users). Note: This requirement is used in conjunction with a centralized authentication server (e.g., AAA, RADIUS, LDAP), a separate but equally important requirement. The MFA configuration of this requirement provides identification and the first phase of authentication (the challenge and validated response, which confirms the PKI certificate presented by the user). The centralized authentication server provides the second phase of authentication (the digital presence of the PKI ID as a valid user in the requested security domain) and authorization. The centralized authentication server maps validated PKI identities to valid user accounts and determines access levels for authenticated users based on security group membership and role. In cases where the network device does not use the centralized authentication server for user authorization, the network device itself must map the authenticated identity to the user account for PKI-based authentication. Satisfies: SRG-APP-000516-NDM-000336, SRG-APP-000820-NDM-000170, SRG-APP-000825-NDM-000180 |
| ℹ️ Check |
|---|
| Review the AAA configuration. Navigate to the GUI portal admin user login screen. When TACACS+ is configured, the NetIM login screen presents only the option to log in via TACACS+. If the login screen does not present that option (i.e., TACACS+ is not configured), this is a finding. |
| ✔️ Fix |
|---|
| All individual admin accounts must be configured on an authentication server; in addition, the NetIM must be configured to point to a DOD PKI-based authentication server, and NetIM roles must be mapped to the authorization attributes on that server. Check the SSP to see which roles are required to be defined for remote users. 1. Navigate to the installation directory, typically located at /data1/riverbed/NetIM/<install_dir>, and run the following command: $ app.sh /TACACS_STATE enabled 2. From the GUI, navigate to Configure >> All Settings >> Integrate >> TACACS+. 3. On the TACACS+ Configurations page, fill out all required information: add the IP address of the authentication server, add a role for remote users, and check "Require Authentication". 4. Select "Require Authorization" and provide the authorization attributes and role attributes. To add, modify, or delete a user account, or to log off a user, follow these steps: 1. Navigate to Configure >> All Settings >> Administer >> User Management. 2. To add a TACACS+ user, click the "+" icon next to "Create TACACS+ user". 3. Enter a valid TACACS+ username, assign a role from the dropdown list, then click "Save". For the audit administrator, assign the role USER_AUDITOR. The default GUI "admin" account must be renamed. Note: The TACACS+ server must limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type. |
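The Description above splits PKI login into two phases: the device validates the presented certificate, and the authentication server then maps that validated identity to an account and a role, which is what the TACACS+ user and role assignment in the Fix feeds. The Python below is an added example (not Riverbed or DISA code) of that second phase with deny-by-default behaviour: it parses the certificate subject DN, keys the account on the 10-digit EDIPI carried in the CN of DOD CAC/PIV certificates (assumption: the last dot-separated CN field is the EDIPI), and derives the NetIM role from group membership. The directory entries, group names, sample subjects and the USER_ADMIN role name are constructed for this example; USER_AUDITOR is the role the page names.

```python
"""Second-phase authorization for a PKI-authenticated NetIM login.

Added example, not Riverbed or DISA code. Phase one (chain validation and
the challenge/response on the certificate) is assumed to have succeeded
already; this models the step that follows: map the validated subject to a
local account and a role, denying on every failure path.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse an RFC 4514 string DN into (attribute, value) pairs, honouring
    backslash escapes so 'CN=DOE\\, JOHN' stays one value, not two RDNs."""
    rdns: List[Tuple[str, str]] = []
    attr: List[str] = []
    value: List[str] = []
    in_value = False

    def flush() -> None:
        if not attr or not in_value:
            raise ValueError(f"malformed DN: {dn!r}")
        rdns.append(("".join(attr).strip().upper(), "".join(value).strip()))

    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: keep literally
            (value if in_value else attr).append(dn[i + 1])
            i += 2
            continue
        if ch == "=" and not in_value:          # first '=' separates attr from value
            in_value = True
        elif ch == ",":                         # unescaped ',' ends the RDN
            flush()
            attr, value, in_value = [], [], False
        else:
            (value if in_value else attr).append(ch)
        i += 1
    flush()
    return rdns


EDIPI_RE = re.compile(r"\d{10}")


def edipi_from_subject(subject_dn: str) -> str:
    """DOD CAC/PIV subjects use CN=LAST.FIRST[.MIDDLE].EDIPI; the EDIPI is the
    stable identity accounts are keyed on (assumption: it is the last field)."""
    cns = [v for a, v in parse_dn(subject_dn) if a == "CN"]
    if len(cns) != 1:
        raise ValueError("subject must carry exactly one CN")
    fields = cns[0].split(".")
    if len(fields) < 3 or not EDIPI_RE.fullmatch(fields[-1]):
        raise ValueError(f"CN {cns[0]!r} does not end in a 10-digit EDIPI")
    return fields[-1]


# Constructed directory: what the centralized authentication server would
# return per EDIPI. Names, groups and enabled flags are made up for the example.
DIRECTORY: Dict[str, dict] = {
    "1234567890": {"account": "jdoe",   "enabled": True,  "groups": {"netim-admins"}},
    "1234567891": {"account": "jsmith", "enabled": True,  "groups": {"netim-auditors"}},
    "1234567892": {"account": "rroe",   "enabled": False, "groups": {"netim-admins"}},
    "1234567893": {"account": "guest",  "enabled": True,  "groups": {"vpn-users"}},
}

# Group -> NetIM role, in precedence order. USER_AUDITOR is the role the page
# names for audit administrators; USER_ADMIN is an assumed role name.
ROLE_BY_GROUP: Dict[str, str] = {
    "netim-admins": "USER_ADMIN",
    "netim-auditors": "USER_AUDITOR",
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    account: Optional[str]
    role: Optional[str]
    reason: str


def authorize(subject_dn: str,
              directory: Dict[str, dict] = DIRECTORY,
              role_by_group: Dict[str, str] = ROLE_BY_GROUP) -> Decision:
    """Map a validated certificate subject to an account and role; any path
    that does not positively match an enabled, role-bearing account denies."""
    try:
        edipi = edipi_from_subject(subject_dn)
    except ValueError as err:
        return Decision(False, None, None, f"deny: {err}")
    entry = directory.get(edipi)
    if entry is None:
        return Decision(False, None, None, f"deny: EDIPI {edipi} has no account")
    if not entry.get("enabled", False):
        return Decision(False, entry["account"], None, "deny: account disabled")
    for group, role in role_by_group.items():
        if group in entry["groups"]:
            return Decision(True, entry["account"], role, f"grant: {group} -> {role}")
    return Decision(False, entry["account"], None, "deny: no group maps to a NetIM role")


if __name__ == "__main__":
    SUBJECTS = [  # constructed subjects in the DOD CAC layout
        "CN=DOE.JOHN.A.1234567890,OU=USA,OU=PKI,OU=DoD,O=U.S. Government,C=US",
        "CN=SMITH.JANE.1234567891,OU=CONTRACTOR,OU=PKI,OU=DoD,O=U.S. Government,C=US",
        "CN=ROE.RICHARD.1234567892,OU=USN,OU=PKI,OU=DoD,O=U.S. Government,C=US",
        "CN=admin,O=Example",  # a local account name, not a PKI identity
    ]
    for s in SUBJECTS:
        d = authorize(s)
        print(f"{d.reason:48} account={d.account} role={d.role}")
```

The point of keying on the EDIPI rather than the full CN is that name fields change on reissue while the EDIPI does not; the point of the ordered group-to-role table is that a user in several groups gets one deterministic role rather than whichever the directory happened to return first.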