STIGQter STIGQter: STIG Summary: Layer 2 Switch Security Technical Implementation Guide - Cisco Version: 8 Release: 27 Benchmark Date: 25 Jan 2019: The switch must be configured to use 802.1x authentication on host facing access switch ports.

DISA Rule

SV-42190r5_rule

Vulnerability Number

V-5626

Group Title

ET-NAC-009

Rule Version

NET-NAC-009

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure 802.1 x authentication on all access switch ports connecting to LAN outlets (i.e., RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms. Configure MAB on those switch ports connected to devices that do not support an 802.1x supplicant.

Check Contents

Verify if the switch configuration has 802.1x authentication implemented for all access switch ports connecting to LAN outlets (i.e., RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms using the following procedure:

Step 1: Verify that an 802.1x authentication server has been configured similar to the following example:

radius-server host x.x.x.x auth-port 1813 key xxxxxxxxxxxxx
aaa new-model
aaa authentication dot1x default group radius

Step 2: Verify 802.1x authentication has been enabled globally on the network device similar to the following example:

dot1x system-auth-control

Step 3: Verify that all host-facing access switchports are configured to use 802.1x similar to the examples below:

interface fastethernet0/2
switchport mode access
dot1x port-control auto

Note: The “force-authorized” attribute must not be configured in leu of “auto” on the “dot1x port-control” command as this will bypass authentication and enable the switchport in an authorized state.

Note: MAC Authentication Bypass (MAB) must be configured on those switch ports connected to devices that do not support an 802.1x supplicant as shown in the following example:

interface fastethernet0/2
switchport mode access
dot1x mac-auth-bypass

If 802.1x authentication or MAB is not configured on all access switch ports connecting to LAN outlets or devices not located in the telecom room, wiring closets, or equipment rooms, this is a finding.

Vulnerability Number

V-5626

Documentable

False

Rule Version

NET-NAC-009

Severity Override Guidance

Verify if the switch configuration has 802.1x authentication implemented for all access switch ports connecting to LAN outlets (i.e., RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms using the following procedure:

Step 1: Verify that an 802.1x authentication server has been configured similar to the following example:

radius-server host x.x.x.x auth-port 1813 key xxxxxxxxxxxxx
aaa new-model
aaa authentication dot1x default group radius

Step 2: Verify 802.1x authentication has been enabled globally on the network device similar to the following example:

dot1x system-auth-control

Step 3: Verify that all host-facing access switchports are configured to use 802.1x similar to the examples below:

interface fastethernet0/2
switchport mode access
dot1x port-control auto

Note: The “force-authorized” attribute must not be configured in leu of “auto” on the “dot1x port-control” command as this will bypass authentication and enable the switchport in an authorized state.

Note: MAC Authentication Bypass (MAB) must be configured on those switch ports connected to devices that do not support an 802.1x supplicant as shown in the following example:

interface fastethernet0/2
switchport mode access
dot1x mac-auth-bypass

If 802.1x authentication or MAB is not configured on all access switch ports connecting to LAN outlets or devices not located in the telecom room, wiring closets, or equipment rooms, this is a finding.

Check Content Reference

M

Responsibility

Network Security Officer

Target Key

512

Comments