STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 5 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Arista MLS EOS 4.X L2S Security Technical Implementation Guide

V-255968

CAT I (High)

The Arista MLS layer 2 switch must uniquely identify all network-connected endpoint devices before establishing any connection.

Rule ID

SV-255968r882246_rule

STIG

Arista MLS EOS 4.X L2S Security Technical Implementation Guide

Version

V2R3

CCIs

CCI-000778CCI-001958

Discussion

Controlling LAN access via 802.1x authentication can assist in preventing a malicious user from connecting an unauthorized PC to a switch port to inject or receive data from the network without detection. Satisfies: SRG-NET-000148-L2S-000015, SRG-NET-000343-L2S-000016

Check Content

Verify the Arista MLS switch configuration has 802.1x authentication implemented for all access switch ports connecting to LAN outlets (i.e., RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms. MAC Authentication Bypass (MAB) must be configured on  switch ports connected to devices that do not provide an 802.1x supplicant.

Verify the Arista MLS switch configuration for 802.1x is configured globally and, on the required host-based access ports or MAB, is configured on ports that require RADIUS and MAC-based supplicants.

switch# show run | section dot1x
logging level DOT1X informational 
aaa authentication dot1x default group radius 
dot1x system-auth-control
!
interface Ethernet6
   description 802.1X Access Network
   switchport access vlan 100
   dot1x pae authenticator
   dot1x reauthentication
   dot1x port-control auto
   dot1x host-mode single-host
   dot1x timeout quiet-period 10
!
interface Ethernet7
   description STIG MAC-Based Authentication
   speed 100full
   dot1x pae authenticator
   dot1x port-control auto
   dot1x mac based authentication
!

If 802.1x authentication or MAB is not configured on all access switch ports connecting to LAN outlets or devices not located in the telecom room, wiring closets, or equipment rooms, this is a finding.

Fix Text

Configure Arista MLS switch for 802.1X globally with the following mandatory parameters, and then configure non-data center access ports and all applicable interfaces.

Step 1: Configure the Arista MLS switch for 802.1X globally using the following commands:

! 
logging level DOT1X informational 
aaa authentication dot1x default group radius 
dot1x system-auth-control
!

Step 2: Configure the Arista switch for all non-data center access ports with 802.1X VLAN to an access/trunk port and set the 802.1X port access entity (PAE) to authenticator with the following commands:

interface Ethernet4
description 802.1X Host-Mode Access Port
   switchport access vlan 100
   dot1x pae authenticator
   dot1x reauthentication
   dot1x port-control auto
   dot1x host-mode single-host
   dot1x timeout quiet-period 10
!

Step 3: The Arista switch can be also configured for MAC-based authentication. Configuring MAB requires that every supplicant trying to gain access to the switch authenticator port is individually authenticated by MAC address as opposed to authenticating just one supplicant on a given VLAN or port with 802.1X, and then using the MAC address of these devices as username and password in the RADIUS request packets.

!
interface Ethernet7
 description MAC-Based Authentication
   speed 100full
   dot1x pae authenticator
   dot1x port-control auto
   dot1x mac based authentication
!