The RUCKUS ICX device must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
high	V-273835	SRG-APP-000516-NDM-000336	RCKS-NDM-000920	SV-273835r1110833_rule	2025-05-28	1

Description
Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's RUCKUS ICX devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each RUCKUS ICX device. Satisfies: SRG-APP-000516-NDM-000336, SRG-APP-000700-NDM-000100, SRG-APP-000705-NDM-000110

Description

Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's RUCKUS ICX devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each RUCKUS ICX device. Satisfies: SRG-APP-000516-NDM-000336, SRG-APP-000700-NDM-000100, SRG-APP-000705-NDM-000110

ℹ️ Check
Verify that AAA authentication and authorization are configured along with RADIUS/TACACS+ servers. SSH@ICX#show running-config \| include (aaa\|radius) aaa authentication dot1x default radius radius-server host x.x.x.x auth-port 1812 acct-port 1813 default key 2 $VWlkRGkt dot1x mac-auth radius-server host y.y.y.y auth-port 1812 acct-port 1813 default key 2 $UGlkRGktdG5v dot1x mac-auth radius-server key 2 $UGlkRGktdG5v aaa authentication login default radius local aaa authorization commands 0 default radius aaa authorization exec default radius If two central authentication servers are not configured, this is a finding.

ℹ️ Check

Verify that AAA authentication and authorization are configured along with RADIUS/TACACS+ servers. SSH@ICX#show running-config | include (aaa|radius) aaa authentication dot1x default radius radius-server host x.x.x.x auth-port 1812 acct-port 1813 default key 2 $VWlkRGkt dot1x mac-auth radius-server host y.y.y.y auth-port 1812 acct-port 1813 default key 2 $UGlkRGktdG5v dot1x mac-auth radius-server key 2 $UGlkRGktdG5v aaa authentication login default radius local aaa authorization commands 0 default radius aaa authorization exec default radius If two central authentication servers are not configured, this is a finding.

✔️ Fix
Configure AAA as needed: radius-server host x.x.x.x auth-port 1812 acct-port 1813 default key [shared_secret] radius-server host y.y.y.y auth-port 1812 acct-port 1813 default key [shared_secret] aaa authentication login default radius local aaa authorization commands 0 default radius aaa authorization exec default radius