STIGQter: STIG Summary: HP FlexFabric Switch L2S Security Technical Implementation Guide, Version 1, Release 2, Benchmark Date: 25 Jan 2019
Rule title: HP FlexFabric Switch must authenticate all endpoint devices before establishing a network connection using bidirectional authentication that is cryptographically based.

DISA Rule

SV-80543r1_rule

Vulnerability Number

V-66053

Group Title

SRG-NET-000151-L2S-000017

Rule Version

HFFS-L2-000003

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure 802.1x authentication on all host-facing access switch ports. To authenticate devices that do not support 802.1x, configure MAC Authentication Bypass.

[HP] dot1x
[HP] dot1x authentication-method eap
[HP] domain radius jitc
[HP] radius scheme jitc
[HP-radius-jitc] primary authentication 15.252.76.124
[HP-radius-jitc] primary accounting 15.252.76.124
[HP-radius-jitc] accounting-on enable
[HP-radius-jitc] key authentication simple test123
[HP-radius-jitc] user-name-format without-domain
[HP-radius-jitc] nas-ip 15.252.78.99
[HP] domain jitc
[HP-isp-jitc] authentication lan-access radius-scheme jitc
[HP-isp-jitc] authorization lan-access radius-scheme jitc
[HP] interface gigabitethernet 1/0/1
[HP-GigabitEthernet1/0/1] dot1x
[HP-GigabitEthernet1/0/1] undo dot1x handshake
[HP-GigabitEthernet1/0/1] dot1x mandatory-domain jitc
[HP-GigabitEthernet1/0/1] undo dot1x multicast-trigger
[HP-GigabitEthernet1/0/1] dot1x re-authenticate

Check Contents

Verify all access switch ports connecting to LAN outlets are configured for 802.1x or MAC authentication as shown in this configuration example.

802.1x example:

interface Ten-GigabitEthernet1/0/4
port link-mode bridge
port access vlan 200
dot1x

If any access switch port connecting to a LAN outlet is not configured for 802.1x, this is a finding.
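The check above can be automated against saved "display current-configuration" output. The following is an added example, not part of the STIG or STIGQter: it splits a Comware-style configuration into interface blocks, treats every bridge-mode port that is not a trunk or hybrid port as host-facing (an assumption), and reports ports that carry neither the port-level "dot1x" command nor "mac-authentication" (assumed here to be the Comware port-level MAC authentication command). The sample configuration is constructed.

```python
# Constructed sample of Comware-style running-config output (not from the STIG).
SAMPLE_CONFIG = """\
#
interface Ten-GigabitEthernet1/0/4
 port link-mode bridge
 port access vlan 200
 dot1x
#
interface Ten-GigabitEthernet1/0/5
 port link-mode bridge
 port access vlan 200
 mac-authentication
#
interface Ten-GigabitEthernet1/0/6
 port link-mode bridge
 port access vlan 200
#
interface Ten-GigabitEthernet1/0/48
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
#
"""

def parse_interfaces(config):
    """Return {interface_name: [commands]} for each 'interface' block; '#' ends a block."""
    blocks, current = {}, None
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("interface "):
            current = stripped.split(None, 1)[1]
            blocks[current] = []
        elif stripped == "#":
            current = None
        elif current is not None and stripped:
            blocks[current].append(stripped)
    return blocks

def is_host_facing_access_port(commands):
    """Assumption: bridge-mode ports that are not trunk/hybrid uplinks face LAN outlets."""
    if "port link-mode bridge" not in commands:
        return False
    return not any(c.startswith(("port link-type trunk", "port link-type hybrid")) for c in commands)

def find_findings(config):
    """Access ports with neither port-level 802.1X ('dot1x') nor 'mac-authentication'."""
    return [name for name, cmds in parse_interfaces(config).items()
            if is_host_facing_access_port(cmds)
            and "dot1x" not in cmds and "mac-authentication" not in cmds]
```

Running find_findings(SAMPLE_CONFIG) on the constructed sample reports only Ten-GigabitEthernet1/0/6; the trunk uplink is excluded and the MAC-authenticated port passes.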

Vulnerability Number

V-66053

Documentable

False

Rule Version

HFFS-L2-000003

Severity Override Guidance


Check Content Reference

M

Target Key

2977

Comments