HP FlexFabric Switch must authenticate all network-connected endpoint devices before establishing any connection.


Overview

Finding ID: V-66051
Version: HFFS-L2-000002
Rule ID: SV-80541r1_rule
IA Controls: none listed
Severity: High
Description
Controlling LAN access via 802.1x authentication or MAC authentication can assist in preventing a malicious user from connecting an unauthorized PC to a switch port to inject or receive data from the network without detection.
STIG: HP FlexFabric Switch L2S Security Technical Implementation Guide
Date: 2020-06-03

Details

Check Text (C-66695r1_chk)
Verify all access switch ports connecting to LAN outlets are configured for 802.1x or MAC authentication as shown in these configuration examples.

802.1x example:

interface Ten-GigabitEthernet1/0/4
port link-mode bridge
port access vlan 200
dot1x

MAC authentication example:

interface Ten-GigabitEthernet1/0/5
port link-mode bridge
port access vlan 200
mac-authentication

If all access switch ports connecting to LAN outlets are not configured for 802.1x or MAC authentication, this is a finding.
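As an added illustration of the check above (this script is not part of the STIG), a small Python audit that parses a Comware-style running-config and lists bridge-mode access ports that carry neither dot1x nor mac-authentication; the config excerpt is constructed for the example, and the interface names, VLAN and the trunk uplink are assumptions.

```python
# Constructed Comware-style running-config excerpt (not from the STIG): 1/0/4 and
# 1/0/5 mirror the check's compliant examples, 1/0/6 only sets a dot1x option
# without enabling it, and 1/0/48 is a trunk uplink that the check does not cover.
SAMPLE_CONFIG = """\
interface Ten-GigabitEthernet1/0/4
 port link-mode bridge
 port access vlan 200
 dot1x
#
interface Ten-GigabitEthernet1/0/5
 port link-mode bridge
 mac-authentication
#
interface Ten-GigabitEthernet1/0/6
 port link-mode bridge
 dot1x port-method macbased
#
interface Ten-GigabitEthernet1/0/48
 port link-mode bridge
 port link-type trunk
#
"""

# Only the bare command enables authentication on a port; option lines such as
# "dot1x port-method macbased" do not, so lines are compared whole.
AUTH_COMMANDS = {"dot1x", "mac-authentication"}

def parse_interfaces(config: str) -> dict:
    stanzas, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line in ("#", ""):  # a lone '#' ends the interface stanza
            current = None
        elif current is not None:
            stanzas[current].append(line)
    return stanzas

def unauthenticated_access_ports(config: str) -> list:
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "port link-mode bridge" not in lines:
            continue  # routed or non-Ethernet interface, not a LAN outlet
        if any(l.startswith("port link-type ") and l != "port link-type access"
               for l in lines):
            continue  # trunk or hybrid uplink; the default link-type is access
        if not any(l in AUTH_COMMANDS for l in lines):
            findings.append(name)
    return findings  # a non-empty list means the STIG check is an open finding
```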
Fix Text (F-72127r1_fix)
Configure 802.1x authentication on all host-facing access switch ports. To authenticate those devices that do not support 802.1x, MAC Authentication Bypass must be configured.

[HP] dot1x
[HP] dot1x authentication-method eap
[HP] domain radius jitc
[HP] radius scheme jitc
[HP-radius-jitc] radius scheme jitc
[HP-radius-jitc] primary authentication 15.252.76.124
[HP-radius-jitc] primary accounting 15.252.76.124
[HP-radius-jitc] accounting-on enable
[HP-radius-jitc] key authentication simple test123
[HP-radius-jitc] user-name-format without-domain
[HP-radius-jitc] nas-ip 15.252.78.99
[HP] domain jitc
[HP-isp-jitc] domain jitc
[HP-isp-jitc] authentication lan-access radius-scheme jitc
[HP-isp-jitc] authorization lan-access radius-scheme jitc
[HP] interface gigabitethernet 1/0/1
[HP-GigabitEthernet1/0/1] undo dot1x handshake
[HP-GigabitEthernet1/0/1] dot1x mandatory-domain jitc
[HP-GigabitEthernet1/0/1] undo dot1x multicast-trigger