Free DISA STIG and SRG Library | Vaulted


The switch must be configured to use 802.1x authentication on host facing access switch ports.

Finding ID
Rule ID
Cat I
Group Title
Target Key

The IEEE 802.1x standard is a client-server based access control and authentication protocol that restricts unauthorized clients from connecting to a local area network through host facing switch ports. The authentication server authenticates each client connected to to a switch port before making any services available to the client from the LAN. Unless the client is successfully authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port. Without the use of 802.1x, a malicious user could use the switch port to connect an unauthorized piece of computer or other network device to inject or steal data from the network without detection.

Fix Text

Configure 802.1x1 x authentication on all hostaccess facingswitch accessports connecting to LAN outlets (i.e., RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms. Configure MAB on those switch ports connected to devices that do not support an 802.1x supplicant.

Check Content

Verify if the switch configuration has 802.1x authentication implemented for all access switch ports connecting to LAN outlets (i.e.., RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms. IfMAC 802.1xAuthentication authenticationBypass is(MAB) notmust be configured on thesethose host-facing access switch ports, thisconnected isto adevices CATthat 1do finding.not Ifsupport MACan address filtering is implemented in lieu of 802.1x authentication, this finding will be downgraded to a CAT 3supplicant. NOTE:If The section below is intended for classified networks802.1x Ifauthentication it’sor determinedMAB that 802.1x is not implementedconfigured on aall classifiedaccess network,switch theports Traditionalconnecting review team must be notified to determineLAN ifoutlets the physical requirements are implemented. For a site to be downgraded to a CAT III open finding, the physical security requirements must be implemented in addition to static MAC or stickydevices secure MAC port security. If both physical and logical downgrades are not implemented, a CAT I open finding will be issued. If classified LAN drops are not authenticated by an 802.1x implementation, they must be located withinin spacesthe properlytelecom established as Secret vaultsroom, Secretwiring Secure Rooms (AKA: Collateral Classified Open Storage Areas)closets, TS secure room, or Otherwiserooms, one of the following supplemental physical security controls must be implemented. 1. Wall jacks must be secured when unattended by persons with Secret or higher clearance with a properly constructed lock box (Hoffman or similar commercial product or locally fabricated). The lock box must have no exposed or removable hinges. The hasp hardware must be riveted to the box or otherwise installed so that removal will require physical breaking of the box; thereby leaving evidence of actual or attempted entry. The lock box must be secured with a 3-position high security combination padlock (IAW the NSTISSI 7003). The S&G 8077 combination padlock is the only existing padlock meeting this standard. 2. If lock boxes are not used, the alternative is toa physically disconnect the SIPRNet link at the SIPRNet point of presence (PoP) after normal duty hoursfinding. The PoP must be located within a proper Secret or higher secure room.

Security Override Guidance

At this time, NET-NAC-009 can be downgraded to a CAT III finding if Static MAC filter is used in lieu of 802.1x authentication on host facing switch ports.


Information Assurance Officer

IA Controls