That all looks pretty good to me. I would add one thing, however, and that is a recommendation (not requirement) for the console to have some form of fall-back authentication that does not require functioning IP or depend on external servers. Something like this:

Requirement: The Non-IP console interface SHOULD support an authentication
mechanism which does not require functional IP or depend on external
services. This authentication mechanism MAY be disabled until a
failure of other preferred mechanisms is detected. In the event of
fallback AUTHENTICATION, the interface MUST either implement a locally
defined AUTHORIZATION profile or consider all commands to be AUTHORIZED.

Justification: It does little good to have a non-IP dependent console interface
on a device if you cannot get into the device with it when the network
is not working.

Warnings: There are many ways to implement this which would provide reduced
security for the device. This mechanism SHOULD be implemented as a
fallback if the preferred authentication method is not "LOCAL".

Example: Some devices which use TACACS or RADIUS for authentication will
fall back to a local account if the TACACS or RADIUS server does not
reply to an authentication request.
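
The fallback behaviour proposed in the message above, sketched as an added Python example (not part of the original message and not any vendor's code): the local account is consulted only when no server replies, and a fallback session is authorized either by a local profile or for all commands. The class, function and account names and the simulated servers are assumptions made for illustration, as is the choice to treat an explicit reject from a server as final.

```python
import hashlib
import hmac
from enum import Enum

class Reply(Enum):
    ACCEPT = 1
    REJECT = 2
    NO_REPLY = 3  # timeout or unreachable server

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class ConsoleAuth:
    """Hypothetical console login: remote AAA first, local fallback on silence."""

    def __init__(self, servers, local_accounts, local_profile=None):
        self.servers = servers                # callables (user, pw) -> Reply
        self.local_accounts = local_accounts  # user -> (salt, pbkdf2 hash)
        self.local_profile = local_profile    # user -> allowed commands, or None

    def login(self, user, password):
        """Return (method, user) on success, None on denial."""
        for ask in self.servers:
            reply = ask(user, password)
            if reply is Reply.ACCEPT:
                return ("remote", user)
            if reply is Reply.REJECT:
                return None   # a server answered: its verdict stands, no fallback
        # No server replied: the fallback mechanism is now enabled.
        entry = self.local_accounts.get(user)
        if entry and hmac.compare_digest(pw_hash(password, entry[0]), entry[1]):
            return ("local-fallback", user)
        return None

    def authorized(self, session, command):
        method, user = session
        if method != "local-fallback":
            raise NotImplementedError("remote authorization is out of scope here")
        if self.local_profile is None:
            return True       # no local profile: all commands AUTHORIZED
        return command in self.local_profile.get(user, set())

# Constructed sample data: one local account and two simulated AAA servers.
SALT = b"constructed-salt"
LOCAL = {"rescue": (SALT, pw_hash("constructed-pw", SALT))}

def down(user, password):
    return Reply.NO_REPLY

def rejecting(user, password):
    return Reply.REJECT
```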