Free DISA STIG and SRG Library | Vaulted

V-5626

The switch must be configured to use 802.1x authentication on host facing access switch ports.

Finding ID
NET-NAC-009
Rule ID
SV-42190r5_rule42190r2_rule
Severity
Cat I
CCE
(None)
Group Title
ETNET-NAC-009
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The IEEE 802.1x standard is a client-server based access control and authentication protocol that restricts unauthorized clients from connecting to a local area network through host facing switch ports. The authentication server authenticates each client connected to to a switch port before making any services available to the client from the LAN. Unless the client is successfully authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port. Without the use of 802.1x, a malicious user could use the switch port to connect an unauthorized piece of computer or other network device to inject or steal data from the network without detection.

Fix Text

Configure 802.11x x authentication on all accesshost switchfacing portsaccess connecting to LAN outlets (i.e., RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms. Configure MAB on those switch ports connected to devices that do not support an 802.1x supplicant.

Check Content

Verify if the switch configuration has 802.1x authentication implemented for all access switch ports connecting to LAN outlets (i.e.,. RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms. usingIf 802.1x authentication is not configured on these host-facing access switch ports, this is a CAT 1 finding. If MAC address filtering is implemented in lieu of 802.1x authentication, this finding will be downgraded to a CAT 3. Verify 802.1x authentication is enabled on the followingswitch procedureand host facing switch ports: Step 1: Verify that an 802.1x authentication server has been configured similar to the following example: Switch(config)# radius-server host x.x.x.x auth-port 1813 key xxxxxxxxxxxxx!R4d1u$K3y! Switch(config)# aaa new-model Switch(config)# aaa authentication dot1x default group radius Step 2: Verify 802.1x authentication has been enabled globally on the network device similar to the following example: Switch(config)# dot1x system-auth-control Step 3: Verify that all host-facing access switchports are configured to use 802.1x similar to the examples below: Switch(config)# interface fastethernet0/2 Switch(config-if)# switchport mode access Switch(config-if)# switchport port-security Switch(config-if)# dot1x port-control auto Note:OR TheSwitch(config)# “forceinterface fastethernet0/2 Switch(config-authorized”if)# attributeswitchport mustmode notaccess beSwitch(config-if)# configuredswitchport inport-security leuSwitch(config-if)# ofauthentication port-control auto If 802.1x is not being used, determine if MAC filtering is used on theeach “dot1xhost-facing access switch port-control” command as thisshown willin bypassthe authenticationfollowing andexample: enableSwitch(config)# theinterface fastethernet0/3 Switch(config-if)# switchport inmode anaccess authorizedSwitch(config-if)# state.switchport Note:port-security MACSwitch(config-if)# Authenticationswitchport Bypassport-security maximum 1 Switch(MABconfig-if)# switchport port-security mac-address 1000.2000.3000 NOTE: The section below is intended for classified networks. If it’s determined that 802.1x is not implemented on a classified network, the Traditional review team must be configurednotified onto thosedetermine switchif portsthe connectedphysical requirements are implemented. For a site to devicesbe thatdowngraded doto a CAT III open finding, the physical security requirements must be implemented in addition to static MAC or sticky secure MAC port security. If both physical and logical downgrades are not supportimplemented, a CAT I open finding will be issued. If classified LAN drops are not authenticated by an 802.1x supplicantimplementation, they must be located within spaces properly established as shownSecret invaults, theSecret followingSecure exampleRooms (AKA: interfaceCollateral fastethernet0/2Classified switchportOpen modeStorage accessAreas), dot1xTS mac-auth-bypasssecure Ifroom, 802or SCIF.1x authenticationOtherwise, one of the following supplemental physical security controls must be implemented. 1. Wall jacks must be secured when unattended by persons with Secret or MABhigher isclearance notwith configureda onproperly allconstructed accesslock switchbox ports(Hoffman connectingor similar commercial product or locally fabricated). The lock box must have no exposed or removable hinges. The hasp hardware must be riveted to LANthe outletsbox or devicesotherwise notinstalled locatedso inthat removal will require physical breaking of the telecombox; room,thereby wiringleaving closets,evidence of actual or equipmentattempted rooms,entry. The lock box must be secured with a 3-position high security combination padlock (IAW the NSTISSI 7003). The S&G 8077 combination padlock is the only existing padlock meeting this standard. 2. If lock boxes are not used, the alternative is to physically disconnect the SIPRNet link at the SIPRNet point of presence (PoP) after normal duty hours. The PoP must be located within a findingproper Secret or higher secure room.

Security Override Guidance

At this time, NET-NAC-009 can be downgraded to a CAT III finding if Static MAC filter is used in lieu of 802.1x authentication on host facing switch ports.

Responsibility

Information Assurance Officer