CISC-L2-000020 - The Cisco switch must uniquely identify all network-connected endpoint devices before establishing any connection - aaa authentication

Information

Controlling LAN access via 802.1x authentication can assist in preventing a malicious user from connecting an unauthorized PC to a switch port to inject or receive data from the network without detection.

Solution

Configure 802.1 x authentications on all host-facing access switch ports. To authenticate those devices that do not support 802.1x, MAC Authentication Bypass must be configured.

Step 1: Configure the radius servers as shown in the example below:

SW1(config)# radius-server host 10.1.1.1 key xxxx
SW1(config)# radius-server host 10.2.1.1 key xxxx

Step 2: Enable 802.1x authentication on the switch.

SW1(config)# aaa group server radius RADIUS_GROUP
SW1(config-radius)# server 10.1.1.1
SW1(config-radius)# server 10.2.1.1
SW1(config-radius)# exit
SW1(config)# aaa authentication dot1x default group RADIUS_GROUP
SW1(config)# exit

Step 3: Enable 802.1x on all host-facing interfaces as shown in the example below:

SW1(config)# int e1/1 - 80
SW1(config-if-range)# dot1x port-control auto
SW1(config-if-range)# dot1x host-mode single-host
SW1(config-if-range)# end

Note: Host-mode must be set to single-host, multi-domain (for VoIP phone + PC), or multi-auth (multiple PCs connected to a hub). Host-mode multi-host is not compliant with this requirement.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_NX-OS_Switch_Y21M10_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-3, CAT|I, CCI|CCI-000778, Rule-ID|SV-110325r1_rule, STIG-ID|CISC-L2-000020, Vuln-ID|V-101221

Plugin: Cisco

Control ID: c82b455cae23195eafcb44d40225d94e99bedaa918c880ba8fbc43bb90d491f1