RFC 3871           Operational Security Requirements      September 2004
   Justification.
      Support for centralized authentication is particularly important
      in large environments where the network devices are widely
      distributed and where many people have access to them.  This
      reduces the effort needed to effectively restrict and track access
      to the system by authorized personnel.
   Examples.
      This requirement can be satisfied through the use of DIAMETER
      [RFC3588], TACACS+ [RFC1492], RADIUS [RFC2865], or Kerberos
      [RFC1510].
      The secure management requirements (Section 2.1.1) apply to AAA.
      See [RFC3579] for a discussion of security issues related to RADIUS.
   Warnings.
      None.
2.12.6.  Support Local User Authentication Method
   Requirement.
      The device SHOULD support a local authentication method.  If
      implemented, the method MUST NOT require interaction with anything
      external to the device (such as remote AAA servers), and MUST
      work in conjunction with Section 2.3.1 (Support a 'Console'
      Interface) and Section 2.12.7 (Support Configuration of Order of
      Authentication Methods).
   Justification.
      Support for local authentication may be required in smaller
      environments where there may be only a few devices and a limited
      number of people with access.  The overhead of maintaining
      centralized authentication servers may not be justified.
   Examples.
      The use of local, per device usernames and passwords provides one
      way to implement this requirement.
Jones                        Informational                     [Page 58]



