AMLS-L2-000120 - The Arista Multilayer Switch must uniquely identify all network-connected endpoint devices before establishing any connection - aaa auth dot1x default group


Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.

For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of identification claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide the identification decisions (as opposed to the actual identifiers) to the services that need to act on those decisions.

This requirement applies to applications that connect either locally, remotely, or through a network to an endpoint device (including, but not limited to, workstations, printers, servers (outside a datacenter), VoIP Phones, and VTC CODECs). Gateways and SOA applications are examples of where this requirement would apply.


Configure 802.1X on the switch, using the following mandatory parameters for all applicable interfaces. Replace the bracketed variable with the applicable value.

interface Ethernet[X]
switchport access vlan [Y]
dot1x pae authenticator
dot1x reauthentication
dot1x port-control auto
dot1x host-mode single-host
dot1x timeout quiet-period [value]
dot1x timeout reauth-period [value]
dot1x max-reauth-req [value]

For the global configuration, include the following command statements from the global configuration mode interface:

logging level DOT1X informational
aaa authentication dot1x default group radius
dot1x system-auth-control

See Also

Item Details


References: 800-53|IA-3, CAT|II, CCI|CCI-000778, Group-ID|V-60823, Rule-ID|SV-75279r1_rule, STIG-ID|AMLS-L2-000120, Vuln-ID|V-60823

Plugin: Arista

Control ID: a179447dd5cc410510768cac8e68e28ca7a04d2c604096c73342affcec26196f