RFC 3871 Operational Security Requirements September 2004
Warnings.
Authentication information must be protected wherever it resides.
Having, for instance, local usernames and passwords stored on 100
network devices means that there are 100 potential points of
failure where the information could be compromised vs. storing
authentication data on centralized server(s), which would reduce the
potential points of failure to the number of servers and allow
protection efforts (system hardening, audits, etc.) to be focused
on, at most, a few servers.
2.12.7. Support Configuration of Order of Authentication Methods
Requirement.
The device MUST support the ability to configure the order in
which supported authentication methods are attempted.
Authentication SHOULD "fail closed", i.e., access should be denied
if none of the listed authentication methods succeeds.
Justification.
This allows the operator flexibility in implementing appropriate
security policies that balance operational and security needs.
Examples.
If, for example, a device supports RADIUS authentication and local
usernames and passwords, it should be possible to specify that
RADIUS authentication should be attempted if the servers are
available, and that local usernames and passwords should be used
for authentication only if the RADIUS servers are not available.
Similarly, it should be possible to specify that only RADIUS or
only local authentication be used.
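The ordering and fail-closed behaviour described above, as an added illustration that is not part of RFC 3871: a chain of authentication methods tried in the configured order. The RADIUS side is a constructed stub with a "reachable" flag rather than a network client, and the names AuthResult, RadiusBackend, LocalBackend and authenticate are all hypothetical. The chain treats a reachable method's REJECT as final (so a stale local account cannot override a central denial), falls through only when a method is UNAVAILABLE, and denies access when the list is exhausted; "only RADIUS" or "only local" is simply a one-element list.

```python
"""Configurable authentication order with fail-closed semantics
(added example modelled on RFC 3871 section 2.12.7; all names hypothetical)."""
import hashlib
import hmac
import os
from enum import Enum


class AuthResult(Enum):
    ACCEPT = "accept"            # method consulted, credentials verified
    REJECT = "reject"            # method consulted, credentials wrong
    UNAVAILABLE = "unavailable"  # method could not be consulted (server down)


class RadiusBackend:
    """Constructed stand-in for a RADIUS client; does no network I/O."""

    def __init__(self, users, reachable=True):
        self.users = users          # user -> password (stub data only)
        self.reachable = reachable  # set False to simulate a server outage

    def check(self, user, password):
        if not self.reachable:
            return AuthResult.UNAVAILABLE
        stored = self.users.get(user)
        if stored is not None and hmac.compare_digest(stored, password):
            return AuthResult.ACCEPT
        return AuthResult.REJECT


class LocalBackend:
    """Local usernames/passwords, kept as salted PBKDF2 hashes, never cleartext."""

    ITERATIONS = 100_000

    def __init__(self):
        self.users = {}  # user -> (salt, digest)

    def add_user(self, user, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        self.users[user] = (salt, digest)

    def check(self, user, password):
        if user not in self.users:
            return AuthResult.REJECT
        salt, digest = self.users[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        if hmac.compare_digest(candidate, digest):
            return AuthResult.ACCEPT
        return AuthResult.REJECT


def authenticate(methods, user, password):
    """Try the configured methods in order and return True only on ACCEPT.

    A reachable method gives a final answer: ACCEPT grants, REJECT denies and
    no later method is consulted.  Only UNAVAILABLE falls through.  Running
    off the end of the list denies access, i.e. the chain fails closed.
    """
    for method in methods:
        result = method.check(user, password)
        if result is AuthResult.ACCEPT:
            return True
        if result is AuthResult.REJECT:
            return False
        # AuthResult.UNAVAILABLE: consult the next configured method
    return False


if __name__ == "__main__":
    radius = RadiusBackend({"alice": "radius-pw"})  # constructed sample account
    local = LocalBackend()
    local.add_user("alice", "local-pw")
    order = [radius, local]  # "RADIUS first, local only if RADIUS is down"
    print("radius up, radius pw  :", authenticate(order, "alice", "radius-pw"))
    print("radius up, local pw   :", authenticate(order, "alice", "local-pw"))
    radius.reachable = False
    print("radius down, local pw :", authenticate(order, "alice", "local-pw"))
    print("radius only, down     :", authenticate([radius], "alice", "radius-pw"))
```

The second call in the demo is the case worth noticing: RADIUS is reachable and rejects the local password, so the chain stops there rather than giving the local table a second chance. Whether a REJECT should be terminal is a policy decision; the code makes it explicit so the operator can see which way the device is configured.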
Warnings.
None.
2.12.8. Ability To Authenticate Without Plaintext Passwords
Requirement.
The device MUST support mechanisms that do not require the
transmission of plaintext passwords in all cases that require the
transmission of authentication information across networks.
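One shape such a mechanism can take, as an added example that is not part of RFC 3871 and not tied to any particular protocol the RFC names: a challenge-response exchange in which the device sends a fresh random challenge and the client returns an HMAC of it keyed with the shared secret, so the secret itself never crosses the network. The Verifier, respond, run_exchange and secret_on_wire names are hypothetical, the user and secret are constructed sample data, and the "wire" is an in-memory list so the exchange can be inspected offline.

```python
"""Challenge-response authentication that never transmits the password
(added example for RFC 3871 section 2.12.8; names and data are constructed)."""
import hashlib
import hmac
import os

CHALLENGE_LEN = 16  # bytes of randomness per challenge


class Verifier:
    """Device side: holds per-user secrets and issues single-use challenges."""

    def __init__(self, secrets):
        self.secrets = secrets   # user -> bytes (constructed sample data)
        self.outstanding = {}    # user -> challenge awaiting a response

    def challenge(self, user):
        c = os.urandom(CHALLENGE_LEN)
        self.outstanding[user] = c
        return c

    def verify(self, user, response):
        # pop() makes each challenge single-use, so a captured response
        # cannot simply be replayed against a later login attempt
        c = self.outstanding.pop(user, None)
        secret = self.secrets.get(user)
        if c is None or secret is None:
            return False
        expected = hmac.new(secret, c, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def respond(secret, challenge):
    """Client side: prove possession of the secret without sending it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def run_exchange(verifier, user, client_secret):
    """Simulate one login; return (accepted, list of messages on the wire)."""
    wire = []
    c = verifier.challenge(user)
    wire.append(("server->client", c))
    r = respond(client_secret, c)
    wire.append(("client->server", r))
    return verifier.verify(user, r), wire


def secret_on_wire(wire, secret):
    """True if the raw secret appears in any transmitted payload."""
    return any(secret in payload for _, payload in wire)


if __name__ == "__main__":
    secret = b"correct horse battery"            # constructed sample secret
    device = Verifier({"bob": secret})
    ok, wire = run_exchange(device, "bob", secret)
    print("accepted:", ok, "| secret visible on wire:", secret_on_wire(wire, secret))
    ok, _ = run_exchange(device, "bob", b"wrong guess")
    print("wrong secret accepted:", ok)
```

What the device stores still matters: in this scheme the verifier needs the shared secret (or a key derived from it) to recompute the HMAC, so the requirement above protects the password in transit, while the storage of authentication data on the device is the concern of the surrounding sections.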
Jones Informational [Page 59]