Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-5626 | NET-NAC-009 | SV-42190r5_rule | High |
Description |
---|
The IEEE 802.1x standard is a client-server based access control and authentication protocol that restricts unauthorized clients from connecting to a local area network through host facing switch ports. The authentication server authenticates each client connected to to a switch port before making any services available to the client from the LAN. Unless the client is successfully authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port. Without the use of 802.1x, a malicious user could use the switch port to connect an unauthorized piece of computer or other network device to inject or steal data from the network without detection. |
STIG | Date |
---|---|
Perimeter L3 Switch Security Technical Implementation Guide - Cisco | 2018-11-28 |
Check Text ( C-40570r7_chk ) |
---|
Verify if the switch configuration has 802.1x authentication implemented for all access switch ports connecting to LAN outlets (i.e., RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms using the following procedure: Step 1: Verify that an 802.1x authentication server has been configured similar to the following example: radius-server host x.x.x.x auth-port 1813 key xxxxxxxxxxxxx aaa new-model aaa authentication dot1x default group radius Step 2: Verify 802.1x authentication has been enabled globally on the network device similar to the following example: dot1x system-auth-control Step 3: Verify that all host-facing access switchports are configured to use 802.1x similar to the examples below: interface fastethernet0/2 switchport mode access dot1x port-control auto Note: The “force-authorized” attribute must not be configured in leu of “auto” on the “dot1x port-control” command as this will bypass authentication and enable the switchport in an authorized state. Note: MAC Authentication Bypass (MAB) must be configured on those switch ports connected to devices that do not support an 802.1x supplicant as shown in the following example: interface fastethernet0/2 switchport mode access dot1x mac-auth-bypass If 802.1x authentication or MAB is not configured on all access switch ports connecting to LAN outlets or devices not located in the telecom room, wiring closets, or equipment rooms, this is a finding. |
Fix Text (F-5537r5_fix) |
---|
Configure 802.1 x authentication on all access switch ports connecting to LAN outlets (i.e., RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms. Configure MAB on those switch ports connected to devices that do not support an 802.1x supplicant. |