CISC-L2-000080 - The Cisco switch must authenticate all endpoint devices before establishing any connection - radius server

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.

For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide authentication decisions (as opposed to the actual authenticators) to the services that need to act on those decisions.

This requirement applies to applications that connect either locally, remotely, or through a network to an endpoint device (including, but not limited to, workstations, printers, servers (outside a datacenter), VoIP Phones, and VTC CODECs). Gateways and SOA applications are examples of where this requirement would apply.

Device authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices can access the system.

Solution

Configure 802.1 x authentications on all host-facing access switch ports. To authenticate those devices that do not support 802.1x, MAC Authentication Bypass must be configured.

Step 1: Configure the radius servers as shown in the example below:

SW1(config)#radius server RADIUS_1
SW1(config-radius-server)#address ipv4 10.1.22.3
SW1(config-radius-server)#key xxxxxx
SW1(config-radius-server)#exit
SW1(config)#radius server RADIUS_2
SW1(config-radius-server)#address ipv4 10.1.14.5
SW1(config-radius-server)#key xxxxxx
SW1(config-radius-server)#exit

Step 2: Enable 802.1x authentication on the switch.

SW1(config)#aaa new-model
SW1(config)#aaa group server radius RADIUS_SERVERS
SW1(config-sg-radius)#server name RADIUS_1
SW1(config-sg-radius)#server name RADIUS_2
SW1(config-sg-radius)#exit
SW1(config)#aaa authentication dot1x default group RADIUS_SERVERS
SW1(config)#dot1x system-auth-control

Step 3: Enable 802.1x on all host-facing interfaces as shown in the example below:

SW1(config)#int range g1/0 - 8
SW1(config-if-range)#switchport mode access
SW1(config-if-range)#authentication host-mode single-host
SW1(config-if-range)#dot1x pae authenticator
SW1(config-if-range)#authentication port-control auto
SW1(config-if-range)#end

Note: Single-host is the default. Host-mode multi-domain (for VoIP phone + PC) or multi-auth (multiple PCs connected to a hub) can be configured as alternatives.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS_XE_Switch_Y22M07_STIG.zip

Item Details

References: CAT|II, CCI|CCI-001958, Rule-ID|SV-220654r539671_rule, STIG-ID|CISC-L2-000080, STIG-Legacy|SV-110279, STIG-Legacy|V-101175, Vuln-ID|V-220654

Plugin: Cisco

Control ID: 2fb643fe0eaf1923a1ea6fd540fa9f056339b524bf0f54d5a5de522f2b5f5ca3