Check: ARST-L2-000020
Arista MLS EOS 4.2x L2S STIG: ARST-L2-000020 (in version v1 r1)
Title
The Arista MLS layer 2 switch must uniquely identify all network-connected endpoint devices before establishing any connection. (Cat I impact)
Discussion
Controlling LAN access via 802.1x authentication can assist in preventing a malicious user from connecting an unauthorized PC to a switch port to inject or receive data from the network without detection. Satisfies: SRG-NET-000148-L2S-000015, SRG-NET-000343-L2S-000016
Check Content
Verify the Arista MLS switch configuration has 802.1x authentication implemented for all access switch ports connecting to LAN outlets (i.e., RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms. MAC Authentication Bypass (MAB) must be configured on switch ports connected to devices that do not provide an 802.1x supplicant.

Verify that 802.1x is configured globally and on the required host-based access ports, and that MAB is configured on the ports whose attached devices must be authenticated against RADIUS by MAC address:

```
switch# show run | section dot1x
logging level DOT1X informational
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface Ethernet6
   description 802.1X Access Network
   switchport access vlan 100
   dot1x pae authenticator
   dot1x reauthentication
   dot1x port-control auto
   dot1x host-mode single-host
   dot1x timeout quiet-period 10
!
interface Ethernet7
   description STIG MAC-Based Authentication
   speed 100full
   dot1x pae authenticator
   dot1x port-control auto
   dot1x mac based authentication
!
```

If 802.1x authentication or MAB is not configured on all access switch ports connecting to LAN outlets or devices not located in the telecom room, wiring closets, or equipment rooms, this is a finding.
Fix Text
Configure the Arista MLS switch for 802.1X globally with the following mandatory parameters, and then configure non-data center access ports and all applicable interfaces.

Step 1: Configure the Arista MLS switch for 802.1X globally using the following commands:

```
!
logging level DOT1X informational
aaa authentication dot1x default group radius
dot1x system-auth-control
!
```

Step 2: Configure all non-data center access ports on the Arista switch with the 802.1X VLAN as an access/trunk port and set the 802.1X port access entity (PAE) to authenticator with the following commands:

```
interface Ethernet4
   description 802.1X Host-Mode Access Port
   switchport access vlan 100
   dot1x pae authenticator
   dot1x reauthentication
   dot1x port-control auto
   dot1x host-mode single-host
   dot1x timeout quiet-period 10
!
```

Step 3: The Arista switch can also be configured for MAC-based authentication. With MAB, every supplicant trying to gain access through the switch authenticator port is individually authenticated by MAC address, as opposed to authenticating just one supplicant on a given VLAN or port with 802.1X; the switch then uses the device's MAC address as the username and password in the RADIUS request packets.

```
!
interface Ethernet7
   description MAC-Based Authentication
   speed 100full
   dot1x pae authenticator
   dot1x port-control auto
   dot1x mac based authentication
!
```
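The Check Content and Fix Text above describe the same set of global and per-port lines, and on a switch with dozens of access ports the manual `show run | section dot1x` review is error-prone. The following is an added example, not part of the STIG and not Arista code, that parses saved `show run` text offline and reports which access-facing ports lack either a host-mode 802.1X configuration or MAB. The required lines (`REQUIRED_GLOBAL`, `REQUIRED_PORT`, and a `dot1x host-mode` statement for non-MAB ports) are taken from the page's own examples; whether `dot1x reauthentication` or the quiet-period timer is mandatory at a given site is left to the reviewer. The sample configuration and the `ACCESS_PORTS` list are constructed, because the running-config alone cannot tell which ports face LAN outlets outside the telecom room.

```python
"""Offline audit of an Arista EOS running-config against ARST-L2-000020.

Example code written for this page; not part of the STIG or of Arista EOS.
"""
import re

# Global lines the check expects in 'show run | section dot1x' output.
REQUIRED_GLOBAL = (
    "aaa authentication dot1x default group radius",
    "dot1x system-auth-control",
)

# Lines that both the 802.1X host-mode port and the MAB port must carry.
REQUIRED_PORT = (
    "dot1x pae authenticator",
    "dot1x port-control auto",
)

MAB_LINE = "dot1x mac based authentication"


def parse_config(config):
    """Split running-config text into (global_lines, {interface: [lines]}).

    EOS separates sections with '!' and indents interface sub-commands;
    indentation is stripped so lines can be compared exactly.
    """
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        m = re.match(r"^interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is None:
            global_lines.append(line)
        else:
            interfaces[current].append(line)
    return global_lines, interfaces


def audit_port(lines):
    """Classify one interface as 'dot1x', 'mab', or 'unauthenticated'.

    Returns (status, missing_lines). A MAB port needs REQUIRED_PORT plus the
    MAB line; an 802.1X port needs REQUIRED_PORT plus a host-mode statement.
    """
    missing = [req for req in REQUIRED_PORT if req not in lines]
    if MAB_LINE in lines:
        return ("mab" if not missing else "unauthenticated", missing)
    if not any(l.startswith("dot1x host-mode") for l in lines):
        missing.append("dot1x host-mode <mode>")
    return ("dot1x" if not missing else "unauthenticated", missing)


def audit(config, access_ports):
    """Audit the global section and each operator-supplied access port.

    A port listed in access_ports but absent from the config is treated as
    missing every required line.
    """
    global_lines, interfaces = parse_config(config)
    return {
        "global": [req for req in REQUIRED_GLOBAL if req not in global_lines],
        "ports": {name: audit_port(interfaces.get(name, []))
                  for name in access_ports},
    }


def is_finding(report):
    """True when the STIG check would be marked a finding."""
    return bool(report["global"]) or any(
        status == "unauthenticated" for status, _ in report["ports"].values())


# Constructed sample: two compliant ports, one bare wall-plate port, one uplink.
SAMPLE_RUNNING_CONFIG = """\
logging level DOT1X informational
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface Ethernet6
   description 802.1X Access Network
   switchport access vlan 100
   dot1x pae authenticator
   dot1x reauthentication
   dot1x port-control auto
   dot1x host-mode single-host
   dot1x timeout quiet-period 10
!
interface Ethernet7
   description MAC-Based Authentication
   speed 100full
   dot1x pae authenticator
   dot1x port-control auto
   dot1x mac based authentication
!
interface Ethernet8
   description Wall plate (constructed: dot1x never configured)
   switchport access vlan 100
!
interface Ethernet49
   description Uplink (not an access port, out of scope)
   switchport mode trunk
!
"""

# Constructed: the reviewer decides which ports face LAN outlets.
ACCESS_PORTS = ["Ethernet6", "Ethernet7", "Ethernet8"]

if __name__ == "__main__":
    rep = audit(SAMPLE_RUNNING_CONFIG, ACCESS_PORTS)
    for name, (status, missing) in rep["ports"].items():
        print(f"{name:12} {status:16} missing={missing}")
    print("global missing:", rep["global"], "| FINDING:", is_finding(rep))
```

Feeding the script the output of `show run` captured from the switch reproduces the manual check: the global section must carry both required lines, and every port in `ACCESS_PORTS` must classify as `dot1x` or `mab`; any `unauthenticated` entry is the finding the check describes.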
Additional Identifiers
Rule ID: SV-255968r882246_rule
Vulnerability ID: V-255968
Group Title: SRG-NET-000148-L2S-000015
CCIs
| Number | Definition |
|---|---|
| CCI-000778 | The information system uniquely identifies an organization-defined list of specific and/or types of devices before establishing a local, remote, or network connection. |
| CCI-001958 | The information system authenticates an organization-defined list of specific and/or types of devices before establishing a local, remote, or network connection. |
Controls
| Number | Title |
|---|---|
| IA-3 | Device Identification And Authentication |