Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Juniper EX Series Switches Layer 2 Switch Security Technical Implementation Guide
SRG-NET-000343-L2S-000016
The Juniper EX switch must be configured to authenticate all network-connected endpoint devices before establishing any connection.
The Juniper EX switch must be configured to authenticate all network-connected endpoint devices before establishing any connection.
An XCCDF Rule
Details
Profiles
Prose
The Juniper EX switch must be configured to authenticate all network-connected endpoint devices before establishing any connection.
Medium Severity
<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Device authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices can access the system. This requirement applies to applications that connect either locally, remotely, or through a network to an endpoint device (including, but not limited to, workstations, printers, servers (outside a datacenter), VoIP Phones, and VTC CODECs. Gateways and SOA applications are examples of where this requirement would apply. For Juniper EX, configure 802.1 x authentication on all host-facing access interfaces. To authenticate those devices that do not support an 802.1x supplicant, Static MAC Bypass or MAC RADIUS must be configured. Junos supports three supplicant types: single-secure (authenticate and permit only a single device), multiple (separately authenticate and permit multiple devices), and single (authenticate the first supplicant and permit all others). The authentication order must be appropriate for the target environment. Authentication must be configured on all access interfaces connecting to LAN outlets or devices not located in the telecom room, wiring closets, or equipment rooms.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>