Detections
Analytics
JUEX-L2-000070 - The Juniper EX switch must be configured to authenticate all network-connected endpoint devices before establishing any connection.
Information
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide authentication decisions (as opposed to the actual authenticators) to the services that need to act on those decisions.
This requirement applies to applications that connect either locally, remotely, or through a network to an endpoint device (including, but not limited to, workstations, printers, servers (outside a datacenter), VoIP Phones, and VTC CODECs). Gateways and SOA applications are examples of where this requirement would apply.
Device authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices can access the system.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Configure 802.1 x authentication on all host-facing access interfaces. To authenticate those devices that do not support an 802.1x supplicant, Static MAC Bypass or MAC RADIUS must be configured.Configure RADIUS if available:
set access radius-server <RADIUS IPv4 or IPv6 address (global)> secret '<PSK>'
set access profile dot1x_radius radius authentication-server <RADIUS IPv4 or IPv6 address (global)>
-or-
set access profile dot1x_radius radius-server <RADIUS IPv4 or IPv6 address> secret '<PSK>'
set access profile dot1x_radius authentication-order radius
To configure 802.1x on an access interface:
set protocols dot1x authenticator authentication-profile-name dot1x_radius
set protocols dot1x authenticator interface ge-0/0/0.0 supplicant single-secure
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/1.0 mac-radius
set protocols dot1x authenticator interface ge-0/0/2.0 mac-radius restrict
To configure Static MAC Bypass:
set protocols dot1x authenticator static <MAC address>/48 vlan-assignment <vlan name>
set protocols dot1x authenticator static <MAC address>/48 interface <interface name>.<logical unit>
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y24M01_STIG.zip
Item Details
Audit Name: DISA Juniper EX Series Layer 2 Switch v1r2
Category: IDENTIFICATION AND AUTHENTICATION
References: 800-53|IA-3, CAT|II, CCI|CCI-001958, Rule-ID|SV-253954r843895_rule, STIG-ID|JUEX-L2-000070, Vuln-ID|V-253954
Plugin: Juniper
Control ID: 4b0dda3b2cc4af3d4851857fe07b258442e2e07a84f16a8238903c4b5ca26564