
V-273673

CAT I (High)

The RUCKUS ICX switch must uniquely identify all network-connected endpoint devices before establishing any connection.

Rule ID

SV-273673r1110976_rule

STIG

RUCKUS ICX Layer 2 Switch Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000778

Discussion

Controlling LAN access via 802.1x authentication can assist in preventing a malicious user from connecting an unauthorized PC to a switch port to inject or receive data from the network without detection.

Check Content

Review the configuration for the RADIUS server, FlexAuth, and (optionally) the applicable ports.

aaa authentication dot1x default radius
radius-server host 192.168.1.24 auth-port 1812 acct-port 1813 default key 2 $UGlkRGktdG5v dot1x mac-auth no-login

authentication
  auth-order mac-auth dot1x
  auth-default-vlan 100
  restricted-vlan 666
  re-authentication
  reauth-timeout 60
  auth-fail-action restricted-vlan
  dot1x enable
  dot1x enable ethernet 1/1/14 to 1/1/15
  dot1x port-control auto ethernet 1/1/14 to 1/1/15
  mac-authentication enable
  mac-authentication enable ethernet 1/1/13
  mac-authentication password-format xxxx.xxxx.xxxx
  mac-authentication dot1x-override
  mac-authentication dot1x-disable

interface ethernet 1/1/14
 port-name dot1x-test
 use-radius-server 192.168.1.24
 no inline power
!

Note: Port configuration is only necessary when specifying which RADIUS server is to be used.  

If user ports are not configured to control LAN access via 802.1X, this is a finding.
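
An added example, not part of the STIG text or RUCKUS documentation: one way to script this check against a saved running-config in Python. The reviewer supplies the list of user ports; treating a port as controlled only when both "dot1x enable" and "dot1x port-control auto" cover it is an assumption taken from the sample configuration above, and the embedded config is constructed.

```python
import re

# Constructed sample in the shape of the Check Content above (not from a real device).
SAMPLE_CONFIG = """\
aaa authentication dot1x default radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 default key 2 $PLACEHOLDER dot1x mac-auth no-login
authentication
  auth-default-vlan 100
  dot1x enable
  dot1x enable ethernet 1/1/14 to 1/1/15
  dot1x port-control auto ethernet 1/1/14
  mac-authentication enable
  mac-authentication enable ethernet 1/1/13
"""

PORT = r"(\d+)/(\d+)/(\d+)"

def expand(spec):
    """Expand 'ethernet 1/1/14 to 1/1/15' (or a single port) into a set of port IDs."""
    ports = set()
    for m in re.finditer(rf"ethernet {PORT}(?: to {PORT})?", spec):
        unit, slot, lo = m.group(1, 2, 3)
        hi = m.group(6) or lo
        if m.group(4) and m.group(4, 5) != (unit, slot):
            raise ValueError("range crosses unit/slot: " + m.group(0))
        ports |= {f"{unit}/{slot}/{p}" for p in range(int(lo), int(hi) + 1)}
    return ports

def audit(config, user_ports):
    """Return {port: reason} for every user port not under 802.1X control."""
    lines = [line.strip() for line in config.splitlines()]

    def covered(prefix):
        hits = (expand(l) for l in lines if l.startswith(prefix + " ethernet"))
        return set().union(*hits)

    # Global prerequisites: a RADIUS method list for dot1x and global dot1x enable.
    if not any(l.startswith("aaa authentication dot1x") and "radius" in l for l in lines):
        return {p: "no RADIUS method list for dot1x" for p in user_ports}
    if "dot1x enable" not in lines:
        return {p: "dot1x not enabled globally" for p in user_ports}

    enabled, auto = covered("dot1x enable"), covered("dot1x port-control auto")
    findings = {}
    for p in user_ports:
        if p not in enabled:
            findings[p] = "dot1x not enabled on port"
        elif p not in auto:
            findings[p] = "port-control is not auto"
    return findings
```

Calling audit(SAMPLE_CONFIG, [...]) with the site's user-port list returns an empty dict when every listed port is covered; any entry in the result is a candidate finding to confirm on the device.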

Fix Text

Configure 802.1x to authenticate endpoint devices.

1. Configure RADIUS as the authentication method for 802.1x.
ICX(config)#radius-server host x.x.x.x auth-port 1812 acct-port 1813 default key xxxxx dot1x mac-auth no-login

2. Configure the dot1x authentication.
ICX(config)#authentication
ICX(config-authen)# auth-default-vlan 100
ICX(config-authen)# re-authentication
ICX(config-authen)# reauth-period 2000
ICX(config-authen)# dot1x enable
ICX(config-authen)# dot1x enable ethernet 1/1/14 to 1/1/15
ICX(config-authen)# dot1x max-req 6
ICX(config-authen)# dot1x timeout tx-period 60
ICX(config-authen)# dot1x timeout quiet-period 30