Verify the AOS configuration with the following command:
  show crypto-local ipsec-map
If each active IPsec map does not show PFS enabled, this is a finding.
Configure AOS with the following commands:
  configure terminal
  crypto-local ipsec-map <map name> <priority #>
  set pfs group 19
  exit
  write memory
1. Verify the AOS configuration with the following command:
  show crypto-local ipsec-map
Note the IKEv2 Policy number for each configured map.
2. For each configured policy number, run the following command:
  show crypto isakmp policy <IKEv2 Policy #>
If each configured IKEv2 policy hash algorithm is not configured with SHA-2 at 384 bit, this is a finding.
Configure AOS with the following commands:
  configure terminal
  crypto isakmp policy <priority>
  hash sha2-384-192
  exit
  write memory
1. Verify the AOS configuration with the following command:
  show crypto-local pki trustedCA
2. Note the name(s) of each trusted CA and display each one:
  show crypto-local pki trustedCA <name>
3. Verify that each trusted CA is a valid DOD PKI CA.
If the trusted CAs are not DOD PKI or no DOD PKI CAs are present, this is a finding.
Configure AOS using the web interface:
1. Navigate to Configuration >> System >> Certificates tab.
2. Under "Import Certificates", click the plus sign (+) and upload the trusted root CA. Provide the certificate name, upload the certificate file, and select the matching certificate format.
3. Choose the TrustedCA Certificate type.
4. Click Submit >> Pending Changes >> Deploy Changes.
1. Verify the AOS configuration with the following command:
  show crypto-local ipsec-map
Note the IKEv2 Policy number for each configured map.
2. For each configured policy number, run the following command:
  show crypto isakmp policy <IKEv2 Policy #>
If each configured IKEv2 policy is not configured with AES256 or greater encryption, this is a finding.
Configure AOS with the following commands for each IKEv2 Policy number noted:
  configure terminal
  crypto isakmp policy <priority>
  encryption aes256
  exit
  write memory
If AOS is not being used for CSfC, this requirement is not applicable.
1. Verify the AOS configuration with the following command:
  show crypto-local ipsec-map
Note the IKEv2 Policy number for each configured map.
2. For each configured policy number, run the following command:
  show crypto isakmp policy <IKEv2 Policy #>
3. Verify each configured transform-set by running the following command:
  show crypto ipsec transform-set
If the configured IPsec map, ISAKMP policy, and transform-set do not contain the following, this is a finding:
  - ECDSA-384 certificate
  - IKEv2 policy with AES256, SHA-384, ECDSA-384, Group 20
  - Transform set with AES-256-GCM
Configure AOS with the following commands:
1. Generate an EC certificate signing request:
  crypto pki csr ec curve_name secp384r1 common_name <common_name> country <US> state_or_province <state> city <city> organization <org> unit <unit> email <email>
  show crypto pki csr
2. Use DOD PKI to generate a public certificate based on the CSR.
3. Using the web GUI, navigate to Configuration >> System >> Certificates >> Import Certificates.
4. Click the plus sign (+) and enter "Certificate name:", browse to the public certificate file, choose the appropriate format, select the "ServerCert" type, and click "Submit".
5. Navigate to Configuration >> System >> Admin, choose the imported certificate under "Server Certificate", and click "Submit".
6. Click Pending Changes >> Deploy Changes.
Continue configuring with the CLI:
  configure terminal
  crypto ipsec transform-set <name> esp-aes256-gcm
  crypto isakmp policy <#>
  authentication ecdsa-384
  encryption aes256
  group 20
  hash sha2-384-192
  prf prf-hmac-sha384
  version v2
  exit
  crypto-local ipsec-map <name> <priority>
  set transform-set <set created earlier name>
  <configure VPN settings as needed>
  exit
  write memory
Verify the AOS configuration with the following command:
1. Site-to-site VPN: Using the CLI:
  show crypto isakmp sa
If the IPsec security association is not operating with certificates ("-c"), this is a finding.
2. Hardware client VPN: Using the web GUI, navigate to Configuration >> Access Points >> Remote APs. Review each provisioned Remote Access Point (RAP) and verify that each AP has "c" in the FLAGS column.
If certificate authentication is not configured for each RAP, this is a finding.
Configure AOS using the web interface:
1. Navigate to Configuration >> Services >> VPN and expand "Site-to-Site".
2. Select the configured site-to-site VPN IPsec maps. Select the applicable Server certificate. Select the applicable trusted DOD root CA under "CA certificate:".
3. Click Submit >> Pending Changes >> Deploy Changes.
4. Navigate to Configuration >> Access Points >> Remote APs tab.
5. Select the check box next to the AP Name in the Remote AP table and click "Provision".
6. In the "General" tab, select "Certificate" from the "Authentication method:" drop-down list.
7. Click "Submit" to apply the configuration and reboot the AP as a certificate Remote AP.
8. Click Pending Changes >> Deploy Changes.
Verify the AOS configuration with the following command:
1. Site-to-site VPN: Using the CLI:
  show crypto isakmp sa
If the IPsec security association is not operating with certificates ("-c"), this is a finding.
2. Hardware client VPN: Using the web GUI, navigate to Configuration >> Access Points >> Remote APs. Review each provisioned RAP and verify that each AP has "c" in the FLAGS column.
If certificate authentication is not configured for each RAP, this is a finding.
Configure AOS using the web interface:
1. Navigate to Configuration >> Services >> VPN and expand "Site-to-Site".
2. Select the configured site-to-site VPN IPsec maps. Select the applicable Server certificate. Select the applicable trusted DOD root CA under "CA certificate:".
3. Click Submit >> Pending Changes >> Deploy Changes.
4. Navigate to Configuration >> Access Points >> Remote APs tab.
5. Select the check box next to the AP Name in the Remote AP table and click "Provision".
6. In the "General" tab, select "Certificate" from the "Authentication method:" drop-down list.
7. Click "Submit" to apply the configuration and reboot the AP as a certificate Remote AP.
8. Click Pending Changes >> Deploy Changes.
Verify the AOS configuration with the following command:
  show bannervia
If the Standard Mandatory DOD Notice and Consent Banner is not set, this is a finding.
Configure AOS with the following commands:
  configure terminal
  banner via #
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.#
  write memory
Verify the AOS configuration with the following command:
  show configuration effective | include dpd
If DPD is not configured, this is a finding.
Configure AOS with the following commands:
  configure terminal
  crypto-local isakmp dpd idle-timeout <idle_sec> retry-timeout <retry_sec> retry-attempts <retry_number>
  write memory
Verify the AOS configuration with the following commands:
  show ip access-list vpnlogon
  show firewall-cp
If L2TP or UDP 1701 are permitted, this is a finding.
Configure AOS with the following commands:
  configure terminal
  cd /mm
  ip access-list session vpnlogon
  any any svc-l2tp deny
  exit
  write memory
  cd /mynode
  vpdn group l2tp
  disable
  exit
  write memory
Verify the AOS configuration with the following command:
  show running-config | begin "interface gigabit"
Note the configured ip access-group session ACL for each active interface. For each configured ACL:
  show ip access-list <ACL name>
If each ACL does not end in an "any any deny log" for both IPv4 and IPv6, this is a finding.
Configure AOS with the following commands:
  configure terminal
  ip access-list session <name>
  network <A.B.C.D> <netmask A.B.C.D> any any permit
  any any any deny log
  ipv6 network <X:X:X:X::X/<0-128>> any any permit
  ipv6 any any any deny log
  exit
  write memory
  interface gigabit <#/#/#>
  ip access-group session <ACL name>
  exit
  write memory
Verify the AOS configuration with the following command:
  show running-config | begin "user-role <vpn user role>"
If the vpn user role is not configured to max-sessions 1 (or an organization-defined number), this is a finding.
Configure AOS with the following commands:
  configure terminal
  user-role <vpn user role>
  max-sessions 1
  exit
  write memory
Verify the AOS configuration with the following commands:
  show aaa authentication via auth-profile
Note each referenced VIA authentication profile. For each referenced VIA authentication profile:
  show aaa authentication via auth-profile <name>
Note the server-group. For each server-group:
  show aaa server-group <name>
If the remote access authentication profile is not set to use a separate authentication server, this is a finding.
Configure AOS with the following commands:
1. Generate an EC certificate signing request:
  crypto pki csr ec curve_name secp384r1 common_name <common_name> country <US> state_or_province <state> city <city> organization <org> unit <unit> email <email>
  show crypto pki csr
2. Use DOD PKI to generate a public certificate based on the CSR.
3. Using the web GUI, navigate to Configuration >> System >> Certificates >> Import Certificates.
4. Click the plus sign (+) and enter "Certificate name:", browse to the public certificate file, choose the appropriate format, select Certificate type: "ServerCert", and click "Submit".
5. Click Pending Changes >> Deploy Changes.
Continue configuring with the CLI:
  configure terminal
  crypto-local isakmp ca-certificate <CA certificate name>
  crypto-local isakmp certificate-group server-certificate <EC certificate name> ca-certificate <CA certificate name>
  write memory
  crypto dynamic-map <name> <priority>
  version v2
  set pfs group20
  set transform-set default-gcm256
  set security-association lifetime seconds 28800
  exit
  write memory
  aaa authentication-server radius <name>
  host <A.B.C.D or X:X:X:X::X or hostname>
  key <preshared key>
  enable
  exit
  write memory
  aaa server-group <name>
  auth-server <name>
  exit
  write memory
  ip access-list session <name>
  any any any permit
  ipv6 any any any permit
  exit
  write memory
  user-role <name>
  access-list session <name>
  exit
  write memory
  aaa authentication via auth-profile <name>
  default-role <name>
  client-cert-enable
  server-group <name>
  exit
  write memory
  aaa authentication via connection-profile <name>
  auth-profile <name>
  enable-fips
  ikev2-policy 10009
  ikev2-proto
  ikev2auth eap-tls
  ipsecv2-cryptomap map <name> number <priority>
  max-timeout value <0-65535>
  suiteb-crypto
  validate-server-cert
  exit
  write memory
  aaa authentication via web-auth default
  auth-profile <name>
  exit
  write memory
  user-role <name>
  via <name>
  exit
  write memory
Verify the AOS configuration with the following commands:
  show aaa authentication via connection-profile
Note each referenced VIA connection profile. For each referenced connection profile:
  show aaa authentication via connection-profile <name> | include "IKEv2 Authentication method"
If the authentication method is not set to "eap-tls", this is a finding.
Configure AOS with the following commands:
1. Generate an EC certificate signing request:
  crypto pki csr ec curve_name secp384r1 common_name <common_name> country <US> state_or_province <state> city <city> organization <org> unit <unit> email <email>
  show crypto pki csr
2. Use DOD PKI to generate a public certificate based on the CSR.
3. Using the web GUI, navigate to Configuration >> System >> Certificates >> Import Certificates.
4. Click the plus sign (+) and enter "Certificate name:", browse to the public certificate file, choose the appropriate format, select Certificate type: "ServerCert", and click "Submit".
5. Click Pending Changes >> Deploy Changes.
Continue configuring with the CLI:
  configure terminal
  crypto-local isakmp ca-certificate <CA certificate name>
  crypto-local isakmp certificate-group server-certificate <EC certificate name> ca-certificate <CA certificate name>
  write memory
  crypto dynamic-map <name> <priority>
  version v2
  set pfs group20
  set transform-set default-gcm256
  set security-association lifetime seconds 28800
  exit
  write memory
  aaa authentication-server radius <name>
  host <A.B.C.D or X:X:X:X::X or hostname>
  key <preshared key>
  enable
  exit
  write memory
  aaa server-group <name>
  auth-server <name>
  exit
  write memory
  ip access-list session <name>
  any any any permit
  ipv6 any any any permit
  exit
  write memory
  user-role <name>
  access-list session <name>
  exit
  write memory
  aaa authentication via auth-profile <name>
  default-role <name>
  client-cert-enable
  server-group <name>
  exit
  write memory
  aaa authentication via connection-profile <name>
  auth-profile <name>
  enable-fips
  ikev2-policy 10009
  ikev2-proto
  ikev2auth eap-tls
  ipsecv2-cryptomap map <name> number <priority>
  max-timeout value <0-65535>
  suiteb-crypto
  validate-server-cert
  exit
  write memory
  aaa authentication via web-auth default
  auth-profile <name>
  exit
  write memory
  user-role <name>
  via <name>
  exit
  write memory
Verify the AOS configuration with the following commands:
  show aaa authentication via connection-profile
Note each referenced VIA connection profile. For each referenced connection profile:
  show aaa authentication via connection-profile <name> | include "VIA max session timeout"
If the max session timeout is not set to the organization-defined time, this is a finding.
Configure AOS with the following commands, for each VIA connection profile listed by "show aaa authentication via connection-profile":
  configure terminal
  aaa authentication via connection-profile <name>
  max-timeout value <0-65535>
  exit
  write memory
Verify the AOS configuration with the following commands:
  show crypto-local ipsec-map
  show crypto dynamic-map
If the configured IPsec maps are not configured to support a security association lifetime of 28,800 seconds (8 hours), this is a finding.
Configure AOS with the following commands:
  configure terminal
  crypto-local ipsec-map <name> <priority>
  set security-association lifetime seconds 28800
  exit
  write memory
  crypto dynamic-map <name> <priority>
  set security-association lifetime seconds 28800
  exit
  write memory
Verify the AOS configuration with the following commands:
  show ip access-list vpnlogon
  show firewall-cp
If PPTP or TCP 1723 are permitted, this is a finding.
Configure AOS with the following commands:
  configure terminal
  cd /mm
  ip access-list session vpnlogon
  any any svc-pptp deny
  exit
  write memory
  cd /mynode
  firewall cp
  ipv4 deny any proto 6 ports 1723 1723
  ipv6 deny any proto 6 ports 1723 1723
  exit
  write memory
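The vpnlogon checks (L2TP/UDP 1701 and PPTP/TCP 1723 must not be permitted) and the interface ACL check (every bound session ACL must end in a logged deny for both IPv4 and IPv6) can be scripted against a saved running-config rather than read off the CLI one ACL at a time. The Python below is an added example, not part of this STIG or of HPE Aruba's tooling. It assumes a running-config dump in which block headers such as "ip access-list session <name>" and "interface gigabit..." start at column 0 and their rules are indented, mirroring the fix commands above; the sample configuration is constructed. The trailing rule it looks for is the "any any any deny log" form used in the fix.

```python
"""Audit AOS session ACLs from a running-config dump (added example, constructed data)."""
import re

# Constructed sample running-config: vpnlogon denies L2TP but wrongly permits PPTP;
# edge-in ends in the required IPv4 and IPv6 deny-log rules, edge-out does not.
SAMPLE_CONFIG = """\
ip access-list session vpnlogon
 any any svc-l2tp deny
 any any svc-pptp permit
 any any svc-ike permit
ip access-list session edge-in
 network 10.0.0.0 255.255.255.0 any any permit
 any any any deny log
 ipv6 network 2001:db8::/32 any any permit
 ipv6 any any any deny log
ip access-list session edge-out
 any any any permit
 ipv6 any any any permit
interface gigabitethernet 0/0/0
 ip access-group session edge-in
interface gigabitethernet 0/0/1
 ip access-group session edge-out
"""

# Service keywords / port forms that identify each tunnelling protocol in a rule.
PROTOCOLS = {"L2TP": ("svc-l2tp", "udp 1701"), "PPTP": ("svc-pptp", "tcp 1723")}


def session_acls(config):
    """Map ACL name -> ordered rule list taken from 'ip access-list session' blocks."""
    acls = {}
    for m in re.finditer(r"^ip access-list session (\S+)[ \t]*\n((?:[ \t]+\S.*\n?)*)",
                         config, re.M):
        acls[m.group(1)] = [l.strip() for l in m.group(2).splitlines() if l.strip()]
    return acls


def interface_acls(config):
    """Map interface -> session ACL bound with 'ip access-group session <name>'."""
    bound = {}
    for m in re.finditer(r"^interface (gigabit\S* \S+)[ \t]*\n((?:[ \t]+\S.*\n?)*)",
                         config, re.M):
        for line in m.group(2).splitlines():
            a = re.match(r"\s*ip access-group session (\S+)", line)
            if a:
                bound[m.group(1)] = a.group(1)
    return bound


def audit_vpnlogon(config):
    """Finding if vpnlogon permits L2TP or PPTP; also flag a missing explicit deny."""
    findings = []
    rules = session_acls(config).get("vpnlogon", [])
    for proto, tokens in PROTOCOLS.items():
        matching = [r for r in rules if any(t in r for t in tokens)]
        if any("permit" in r.split() for r in matching):
            findings.append(f"vpnlogon permits {proto}")
        elif not any("deny" in r.split() for r in matching):
            findings.append(f"vpnlogon has no explicit {proto} deny")
    return findings


def audit_interface_acls(config):
    """Each interface-bound ACL must end in 'any any any deny log' for IPv4 and IPv6."""
    findings = []
    acls = session_acls(config)
    for iface, name in interface_acls(config).items():
        rules = acls.get(name, [])
        v4 = [r for r in rules if not r.startswith("ipv6 ")]
        v6 = [r for r in rules if r.startswith("ipv6 ")]
        if not v4 or v4[-1] != "any any any deny log":
            findings.append(f"{iface}: ACL {name} does not end in IPv4 'any any any deny log'")
        if not v6 or v6[-1] != "ipv6 any any any deny log":
            findings.append(f"{iface}: ACL {name} does not end in IPv6 'any any any deny log'")
    return findings


if __name__ == "__main__":
    for finding in audit_vpnlogon(SAMPLE_CONFIG) + audit_interface_acls(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against "show running-config" output saved to a file; an empty findings list means the vpnlogon and interface ACL requirements are met for the blocks the parser recognises. Interfaces with no "ip access-group session" line are not reported, so they still need a manual look.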
Verify the AOS configuration with the following commands:
  show running-config | include default-gateway
  show running-config | include "ipv4 route"
  show running-config | include "ipv6 route"
If any routes exist that do not route sessions to an IDPS for inspection, this is a finding.
Configure AOS with the following commands:
  configure terminal
  ip default-gateway <ipv4>
  ipv6 default-gateway <ipv6>
  ip route <A.B.C.D IPv4 network> <A.B.C.D netmask> <A.B.C.D nexthop> <cost>
  ipv6 route <X:X:X:X::X IPv6 network/prefix> <X:X:X:X::X nexthop> <cost>
  write memory
Verify the AOS configuration with the following commands:
  show wlan virtual-ap
For each active WLAN virtual-ap profile:
  show wlan virtual-ap <name> | include "Forward mode"
  show ap system-profile
For each active AP system-profile:
  show ap system-profile <name> | include "Double Encrypt"
  show aaa authentication via connection-profile
For each referenced profile:
  show aaa authentication via connection-profile <name> | include "Enable split tunneling"
If any instances of remote access or virtual-ap profile forward mode of split-tunnel are found, or if double-encrypt is not enabled per active AP system profile, this is a finding.
Configure AOS using the following commands:
  configure terminal
  wlan virtual-ap <profile name>
  forward-mode tunnel
  exit
  write memory
  ap system-profile <profile name>
  double-encrypt
  exit
  write memory
For each VIA connection profile:
  aaa authentication via connection-profile <name>
  no split-tunneling
  exit
  write memory
Verify the AOS configuration with the following command:
  show crypto-local ipsec-map
If each configured IPsec map is not configured with IKEv2, this is a finding.
Configure AOS with the following commands:
  configure terminal
  crypto-local ipsec-map <name> <priority>
  version v2
  exit
  write memory
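The IKE/IPsec requirements above (PFS on every IPsec map, SHA-2 384 hash and AES256 in every ISAKMP policy, ECDSA-384 with Group 20 and an AES-256-GCM transform set for CSfC, a 28,800-second SA lifetime, and IKEv2 on every map) share one pattern: read each "crypto isakmp policy" and "crypto-local ipsec-map" block and confirm the required sub-commands are present. The Python below is an added example, not part of this STIG or of HPE Aruba's tooling, that does exactly that over a saved running-config. It assumes a dump in which block headers start at column 0 and sub-commands are indented, as in the fix commands above, and that transform sets are single-line commands; the sample configuration is constructed and contains one compliant and one non-compliant policy and map. The certificate requirement (an ECDSA-384 server certificate) is not visible in these blocks and is not checked here.

```python
"""Audit AOS IKE policies and IPsec maps from a running-config dump (added example, constructed data)."""
import re

# Constructed sample running-config: policy 10 / map site-a comply, policy 20 / map site-b do not.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption aes256
 hash sha2-384-192
 authentication ecdsa-384
 group 20
 version v2
crypto isakmp policy 20
 encryption aes128
 hash sha1
 authentication pre-share
 group 14
 version v1
crypto ipsec transform-set gcm-set esp-aes256-gcm
crypto ipsec transform-set legacy-set esp-aes128 esp-sha-hmac
crypto-local ipsec-map site-a 10
 version v2
 set pfs group 20
 set transform-set gcm-set
 set security-association lifetime seconds 28800
crypto-local ipsec-map site-b 20
 version v1
 set transform-set legacy-set
 set security-association lifetime seconds 3600
"""


def parse_blocks(config, header_re):
    """Return {name: [sub-commands]} for every column-0 header matching header_re (group 1 = name)."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line and not line[0].isspace():            # column 0: a new block header
            m = re.match(header_re, line)
            current = m.group(1) if m else None       # ignore blocks we are not auditing
            if current is not None:
                blocks[current] = []
        elif current is not None and line.strip():
            blocks[current].append(line.strip())
    return blocks


def transform_sets(config):
    """Map transform-set name -> ESP algorithms from single-line 'crypto ipsec transform-set' commands."""
    return {m.group(1): m.group(2).split()
            for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M)}


def audit_isakmp_policies(config, csfc=False):
    """SHA-2 384 hash and AES256 in every policy; ECDSA-384 and Group 20 when CSfC applies."""
    findings = []
    for pol, cmds in parse_blocks(config, r"crypto isakmp policy (\d+)").items():
        if "hash sha2-384-192" not in cmds:
            findings.append(f"isakmp policy {pol}: hash is not sha2-384-192")
        if "encryption aes256" not in cmds:
            findings.append(f"isakmp policy {pol}: encryption is not aes256")
        if csfc:
            if "authentication ecdsa-384" not in cmds:
                findings.append(f"isakmp policy {pol}: authentication is not ecdsa-384")
            if "group 20" not in cmds:
                findings.append(f"isakmp policy {pol}: DH group is not 20")
    return findings


def audit_ipsec_maps(config, csfc=False):
    """IKEv2, PFS and a 28800 s SA lifetime on every map; AES-256-GCM transform set when CSfC applies."""
    findings = []
    sets = transform_sets(config)
    for name, cmds in parse_blocks(config, r"crypto-local ipsec-map (\S+) \d+").items():
        if "version v2" not in cmds:
            findings.append(f"ipsec-map {name}: not IKEv2")
        if not any(c.startswith("set pfs group") for c in cmds):   # accepts 'group 19' and 'group20'
            findings.append(f"ipsec-map {name}: PFS not enabled")
        if "set security-association lifetime seconds 28800" not in cmds:
            findings.append(f"ipsec-map {name}: SA lifetime is not 28800 seconds")
        if csfc:
            used = [c.split()[-1] for c in cmds if c.startswith("set transform-set ")]
            if not used or any("esp-aes256-gcm" not in sets.get(s, []) for s in used):
                findings.append(f"ipsec-map {name}: transform-set is not AES-256-GCM")
    return findings


if __name__ == "__main__":
    for finding in audit_isakmp_policies(SAMPLE_CONFIG, csfc=True) + audit_ipsec_maps(SAMPLE_CONFIG, csfc=True):
        print("FINDING:", finding)
```

Pass csfc=True only where the CSfC requirement applies; the other checks run either way. Dynamic maps ("crypto dynamic-map") use the same sub-command vocabulary and can be audited by passing that header pattern to parse_blocks.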
Verify the AOS configuration with the following command:
  show crypto-local pki rcp
If any configured trusted root certificate authorities are not configured to use OCSP, this is a finding.
Configure AOS using the web interface:
1. Navigate to Configuration >> System >> Certificates tab. Under "Import Certificates", upload the trusted root CA.
2. Choose the TrustedCA Certificate type. Click "Submit".
3. Upload the same certificate and select the OCSPResponderCert Certificate type (provide a different friendly name). Click "Submit".
4. Click Pending Changes >> Deploy Changes.
5. Expand "Revocation Checkpoint". Select the configured trusted root CA.
6. Select "ocsp" for Revocation method 1. Enter the OCSP server URL in the OCSP URL field (remove "http://").
7. Choose the configured certificate under OCSP responder cert. Click "Submit".
8. Click Pending Changes >> Deploy Changes.