Rule ID
SV-269953r1052245_rule
Version
V1R1
CCIs
CCI-000778, CCI-001958
Controlling LAN access via 802.1x authentication can assist in preventing a malicious user from connecting an unauthorized PC to a switch port to inject or receive data from the network without detection. Satisfies: SRG-NET-000148-L2S-000015, SRG-NET-000343-L2S-000016
Verify if the switch configuration has 802.1x authentication implemented for all access switch ports connecting to LAN outlets (i.e., RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms. Verify that 802.1x authentication is enabled globally by reviewing the configuration for the presence of: dot1x system-auth-control Verify that 802.1x authentication is enabled on the host-facing access interfaces by looking for the following two dot1x settings: ! interface ethernet1/1/3 dot1x port-control auto dot1x re-authentication If 802.1x authentication is not on configured on all access switch ports connecting to LAN outlets or devices not located in the telecom room, wiring closets, or equipment rooms, this is a finding.
Configure 802.1 x authentications on all host-facing access switch ports. Configure RADIUS for 802.1x authentication: OS10(config)# radius-server host 10.10.1.200 key my-shared-secret OS10(config)# radius-server retransmit 10 OS10(config)# radius-server timeout 10 Enable 802.1X globally in CONFIGURATION mode: OS10(config)# dot1x system-auth-control Enable 802.1x on the host-facing access interfaces: OS10(config)# interface range ethernet 1/1/2-1/1/48 OS10(conf-rangeeth1/1/2-1/1/48)# dot1x port-control auto OS10(conf-rangeeth1/1/2-1/1/48)# dot1x re-authentication