The Arista MLS layer 2 switch must uniquely identify all network-connected endpoint devices before establishing any connection.

An XCCDF Rule

Description

Controlling LAN access via 802.1x authentication can assist in preventing a malicious user from connecting an unauthorized PC to a switch port to inject or receive data from the network without detection. Satisfies: SRG-NET-000148-L2S-000015, SRG-NET-000343-L2S-000016

ID: SV-255968r882246_rule
Version: ARST-L2-000020
Severity: High
References: CCI-000778 CCI-001958
Updated: 5 days ago

Remediation Templates

Configure Arista MLS switch for 802.1X globally with the following mandatory parameters, and then configure non-data center access ports and all applicable interfaces.

Step 1: Configure the Arista MLS switch for 802.1X globally using the following commands:

! 
logging level DOT1X informational aaa authentication dot1x default group radius 
dot1x system-auth-control
!

Step 2: Configure the Arista switch for all non-data center access ports with 802.1X VLAN to an access/trunk port and set the 802.1X port access entity (PAE) to authenticator with the following commands:

interface Ethernet4
description 802.1X Host-Mode Access Port
   switchport access vlan 100
   dot1x pae authenticator
   dot1x reauthentication
   dot1x port-control auto
   dot1x host-mode single-host
   dot1x timeout quiet-period 10
!

Step 3: The Arista switch can be also configured for MAC-based authentication. Configuring MAB requires that every supplicant trying to gain access to the switch authenticator port is individually authenticated by MAC address as opposed to authenticating just one supplicant on a given VLAN or port with 802.1X, and then using the MAC address of these devices as username and password in the RADIUS request packets.

!
interface Ethernet7
 description MAC-Based Authentication
   speed 100full
   dot1x pae authenticator
   dot1x port-control auto
   dot1x mac based authentication
!

The Arista MLS layer 2 switch must uniquely identify all network-connected endpoint devices before establishing any connection.

Description

Remediation Templates

A Manual Procedure