CISC-L2-000080 - The Cisco switch must authenticate all endpoint devices before establishing any connection - aaa new-model

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.

For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide authentication decisions (as opposed to the actual authenticators) to the services that need to act on those decisions.

This requirement applies to applications that connect locally, remotely, or through a network to an endpoint device (including but not limited to, workstations, printers, servers [outside a datacenter], VoIP phones, and VTC CODECs). Gateways and SOA applications are examples of where this requirement would apply.

Device authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring that only specific preauthorized devices can access the system.


Configure 802.1 x authentications on all host-facing access switch ports. To authenticate devices that do not support 802.1x, MAB must be configured.

Step 1: Configure the radius servers as shown in the example below:

SW1(config)#radius server RADIUS_1
SW1(config-radius-server)#address ipv4
SW1(config-radius-server)#key xxxxxx
SW1(config)#radius server RADIUS_2
SW1(config-radius-server)#address ipv4
SW1(config-radius-server)#key xxxxxx

Step 2: Enable 802.1x authentication on the switch:

SW1(config)#aaa new-model
SW1(config)#aaa group server radius RADIUS_SERVERS
SW1(config-sg-radius)#server name RADIUS_1
SW1(config-sg-radius)#server name RADIUS_2
SW1(config)#aaa authentication dot1x default group RADIUS_SERVERS
SW1(config)#dot1x system-auth-control

Step 3: Enable 802.1x on all host-facing interfaces as shown in the example below:

SW1(config)#int range g1/0 - 8
SW1(config-if-range)#switchport mode access
SW1(config-if-range)#authentication host-mode single-host
SW1(config-if-range)#dot1x pae authenticator
SW1(config-if-range)#authentication port-control auto

Note: Single-host is the default. Host-mode multi-domain (for VoIP phone plus PC) or multi-auth (multiple PCs connected to a hub) can be configured as alternatives.

See Also

Item Details

References: CAT|II, CCI|CCI-001958, Rule-ID|SV-220628r539671_rule, STIG-ID|CISC-L2-000080, STIG-Legacy|SV-110227, STIG-Legacy|V-101123, Vuln-ID|V-220628

Plugin: Cisco

Control ID: 1aecd15873de2fd4931956900025d5a960d18650c452685391e0af3de01f51e0