The layer 2 switch must authenticate all endpoint devices before establishing a network connection using bidirectional authentication that is cryptographically based.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-62157 | SRG-NET-000151-L2S-000017 | SV-76647r1_rule | Medium |
| Description |
|---|
| Controlling LAN access via 802.1x authentication can assist in preventing a malicious user from connecting an unauthorized PC to a switch port to inject or receive data from the network without detection. |
| STIG | Date |
|---|---|
| Layer 2 Switch Security Requirements Guide | 2019-01-07 |
Details
| Check Text ( C-62961r2_chk ) |
|---|
| Review the switch configuration and verify that the 802.1x implementation is using bidirectional authentication between the supplicant and the authentication server that is cryptographically based such as EAP-TLS or PEAP-MSCHAPv2. If the switch is not using bidirectional authentication between the supplicant and the authentication server that is cryptographically based, this is a finding. |
| Fix Text (F-68077r1_fix) |
|---|
| Configure the switch to implement 802.1.x using EAP-TLS or PEAP-MSCHAPv2. Both implementations will encapsulate the EAP packets within a TLS tunnel and provide bidirectional authentication between supplicant and a RADIUS server. |