Free DISA STIG and SRG Library | Vaulted

V-66051

HP FlexFabric Switch must authenticate all network-connected endpoint devices before establishing any connection.

Finding ID
HFFS-L2-000002
Rule ID
SV-80541r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-NET-000343-L2S-000016
CCI
CCI-001958
Target Key
(None)
Documentable
No
Discussion

Controlling LAN access via 802.1x authentication or MAC authentication can assist in preventing a malicious user from connecting an unauthorized PC to a switch port to inject or receive data from the network without detection.

Fix Text

Configure 802.1 x authentications on all host-facing access switch ports. To authenticate those devices that do not support 802.1x, MAC Authentication Bypass must be configured. [HP] dot1x [HP] dot1x authentication-method eap [HP] domain radius jitc [HP] radius scheme jitc [HP-radius-jitc]radius scheme jitc [HP-radius-jitc]primary authentication 15.252.76.124 [HP-radius-jitc]primary accounting 15.252.76.124 [HP-radius-jitc]accounting-on enable [HP-radius-jitc]key authentication simple test123 [HP-radius-jitc]user-name-format without-domain [HP-radius-jitc]nas-ip 15.252.78.99 [HP]domain jitc [HP-isp-jitc]domain jitc [HP-isp-jitc]authentication lan-access radius-scheme jitc [HP-isp-jitc]authorization lan-access radius-scheme jitc [HP] interface gigbitethernet 1/0/1 [HP-Gigabitethernet1/0/1] undo dot1x handshake dot1x mandatory-domain jitc undo dot1x multicast-trigger

Check Content

Verify all access switch ports connecting to LAN outlets are configured for 802.1x or MAC authentication as shown in these configuration examples. 802.1x example: interface Ten-GigabitEthernet1/0/4 port link-mode bridge port access vlan 200 dot1x MAC authentication example: interface Ten-GigabitEthernet1/0/5 port link-mode bridge port access vlan 200 mac-authentication If all access switch ports connecting to LAN outlets are not configured for 802.1x or MAC authentication, this is a finding.