The Cisco switch must uniquely identify and authenticate all network-connected endpoint devices before establishing any connection.

An XCCDF Rule

Description

<VulnDiscussion>Controlling LAN access via 802.1x authentication can assist in preventing a malicious user from connecting an unauthorized PC to a switch port to inject or receive data from the network without detection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-220623r863275_rule
Severity: High
References: CCI-000778 CCI-001958
Updated: 17 days ago

Configure 802.1 x authentications on all host-facing access switch ports. To authenticate devices that do not support 802.1x, MAC Authentication Bypass must be configured.

Step 1: Configure the radius servers as shown in the example below:

SW1(config)#radius server RADIUS_1
SW1(config-radius-server)#address ipv4 10.1.22.3SW1(config-radius-server)#key xxxxxx
SW1(config-radius-server)#exit
SW1(config)#radius server RADIUS_2
SW1(config-radius-server)#address ipv4 10.1.14.5
SW1(config-radius-server)#key xxxxxx
SW1(config-radius-server)#exit

Step 2: Enable 802.1x authentication on the switch:

SW1(config)#aaa new-model 
SW1(config)#aaa group server radius RADIUS_SERVERS
SW1(config-sg-radius)#server name RADIUS_1
SW1(config-sg-radius)#server name RADIUS_2
SW1(config-sg-radius)#exit
SW1(config)#aaa authentication dot1x default group RADIUS_SERVERS
SW1(config)#dot1x system-auth-control

Step 3: Enable 802.1x on all host-facing interfaces as shown in the example below:

SW1(config)#int range g1/0 - 8
SW1(config-if-range)#switchport mode access 
SW1(config-if-range)#authentication host-mode single-host 
SW1(config-if-range)#dot1x pae authenticator 
SW1(config-if-range)#authentication port-control auto
SW1(config-if-range)#end 

Note: Single-host is the default. Host-mode multi-domain (for VoIP phone plus PC) or multi-auth (multiple PCs connected to a hub) can be configured as alternatives.

The Cisco switch must uniquely identify and authenticate all network-connected endpoint devices before establishing any connection.

Description

Remediation - Manual Procedure