Check: CACI-L2-000001
Cisco ACI Layer 2 Switch STIG (version v1 r0.1)
Title
The Cisco ACI layer 2 switch must uniquely identify all network-connected endpoint devices before establishing any connection. (Cat I impact)
Discussion
Controlling LAN access via 802.1x authentication can assist in preventing a malicious user from connecting an unauthorized PC to a switch port to inject or receive data from the network without detection.
Check Content
Verify that the switch configuration has 802.1x authentication implemented for all access switch ports connecting to LAN outlets (i.e., RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms. MAC Authentication Bypass (MAB) must be configured on those switch ports connected to devices that do not support an 802.1x supplicant.

Verify the 802.1X Port Authentication policy is configured correctly:
1. On the menu bar, click Fabric >> External Access Policies >> Policies >> Interface >> 802.1X Port Authentication.
2. Right-click "802.1X Port Authentication" and review each 802.1X Port Authentication Policy.
- In the Host Mode field, verify "Single Host" is selected.
- In the MAC Auth field, verify "EAP_FALLBACK_MAB" is selected.

Verify 802.1X Node Authentication is associated with the 802.1X Port Authentication Policy in a Fabric Access Group:
1. On the menu bar, click Fabric >> External Access Policies >> Policies >> Switch >> 802.1X Node Authentication.
2. Right-click 802.1X Node Authentication and review each 802.1X Node Authentication Policy.
- In the Failed-auth EPG field, verify the tenant, application profile, and EPG to deploy to on failed authentication are configured.
- In the Failed-auth VLAN field, verify the VLAN to deploy to on failed authentication is selected.

Verify the 802.1X Node Authentication Policy is applied to each Leaf Switch Policy Group:
1. Navigate to Fabric >> External Access Policies >> Switches >> Leaf Switches >> Policy Groups.
2. Right-click "Policy Groups" to inspect each Access Switch Policy Group.

Verify the 802.1X Node Authentication Policy is applied to a Leaf Interface Profile:
1. Navigate to Fabric >> External Access Policies >> Interfaces >> Leaf Interfaces >> Profiles.
2. Right-click "Profiles" and select "Leaf Interface Profile".
3. Expand the Interface Selectors table to review the Access Port Selector(s).
If 802.1x authentication or MAB is not configured on all access switch ports connecting to LAN outlets or devices not located in the telecom room, wiring closets, or equipment rooms, this is a finding.
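The GUI review above can be repeated against an exported copy of the fabric's policy objects. The script below is an added example, not part of the STIG or of any Cisco tool: it walks a hand-constructed JSON document in the shape of an APIC REST export and reports every 802.1X Port Authentication Policy whose host mode or MAC auth setting differs from the "Single Host" / "EAP_FALLBACK_MAB" values the check requires, and every 802.1X Node Authentication Policy with no failed-auth EPG or VLAN. The class names (l2PortAuthPol, l2NodeAuthPol), attribute names (adminSt, hostMode, macAuth, failAuthEpg, failAuthVlan) and the API values assumed to correspond to the GUI labels are assumptions about the APIC object model and must be confirmed against your own fabric before the output is treated as evidence.

```python
"""Audit exported APIC 802.1X policy objects against CACI-L2-000001.

Constructed example: SAMPLE_EXPORT is a hand-written document in the shape of
an APIC REST export ({"imdata": [{<class>: {"attributes": {...}}}, ...]}).
The class and attribute names and the enumerated values used below are
ASSUMPTIONS about the APIC object model, not values taken from the STIG.
"""
import json

# Values the check requires, expressed as the assumed API-side equivalents of
# the GUI labels quoted in the Check Content.
EXPECTED_HOST_MODE = "single-host"       # GUI label: "Single Host"
EXPECTED_MAC_AUTH = "eap-fallback-mab"   # GUI label: "EAP_FALLBACK_MAB"

# Constructed sample export: one compliant port policy, two non-compliant
# ones, one node policy with fail-auth placement and one without.
SAMPLE_EXPORT = json.dumps({
    "imdata": [
        {"l2PortAuthPol": {"attributes": {
            "name": "dot1x-compliant", "adminSt": "enabled",
            "hostMode": "single-host", "macAuth": "eap-fallback-mab"}}},
        {"l2PortAuthPol": {"attributes": {
            "name": "dot1x-multihost", "adminSt": "enabled",
            "hostMode": "multi-host", "macAuth": "eap-fallback-mab"}}},
        {"l2PortAuthPol": {"attributes": {
            "name": "dot1x-no-mab", "adminSt": "enabled",
            "hostMode": "single-host", "macAuth": "eap"}}},
        {"l2NodeAuthPol": {"attributes": {
            "name": "node-auth-ok",
            "failAuthEpg": "uni/tn-quarantine/ap-quar/epg-failed",
            "failAuthVlan": "vlan-999"}}},
        {"l2NodeAuthPol": {"attributes": {
            "name": "node-auth-missing-epg",
            "failAuthEpg": "", "failAuthVlan": "vlan-999"}}},
    ]
})


def _objects(export, cls):
    """Yield the attribute dict of every object of class `cls` in the export."""
    doc = json.loads(export) if isinstance(export, str) else export
    for item in doc.get("imdata", []):
        if cls in item:
            yield item[cls]["attributes"]


def audit_port_auth(export):
    """Return (policy, attribute, value) for each port policy deviating from the check."""
    findings = []
    for a in _objects(export, "l2PortAuthPol"):
        if a.get("adminSt") != "enabled":
            findings.append((a["name"], "adminSt", a.get("adminSt")))
        if a.get("hostMode") != EXPECTED_HOST_MODE:
            findings.append((a["name"], "hostMode", a.get("hostMode")))
        if a.get("macAuth") != EXPECTED_MAC_AUTH:
            findings.append((a["name"], "macAuth", a.get("macAuth")))
    return findings


def audit_node_auth(export):
    """Return (policy, attribute, value) for node policies lacking fail-auth placement."""
    findings = []
    for a in _objects(export, "l2NodeAuthPol"):
        if not a.get("failAuthEpg"):
            findings.append((a["name"], "failAuthEpg", a.get("failAuthEpg")))
        if not a.get("failAuthVlan"):
            findings.append((a["name"], "failAuthVlan", a.get("failAuthVlan")))
    return findings


def is_finding(export):
    """True when any policy in the export would make this check a finding."""
    return bool(audit_port_auth(export) or audit_node_auth(export))


if __name__ == "__main__":
    for f in audit_port_auth(SAMPLE_EXPORT) + audit_node_auth(SAMPLE_EXPORT):
        print("FINDING: policy %s: %s = %r" % f)
    print("Overall:", "finding" if is_finding(SAMPLE_EXPORT) else "not a finding")
```

The script only reports policy objects; it does not confirm that a compliant policy is actually applied to every host-facing access port through a policy group and leaf interface profile, which is the remaining part of the check and still has to be verified per interface selector.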
Fix Text
Configure 802.1x authentication on all host-facing access switch ports. To authenticate those devices that do not support 802.1x, MAB must be configured. The following is an example.

Step 1: Configure a Policy Group.
apic1(config)# template policy-group <mygroup policy name>
apic1(config-pol-grp-if)# switchport port-authentication <mydot1x>
apic1(config-port-authentication)# host-mode multi-host
apic1(config-port-authentication)# dot1x port-control mab
apic1(config-port-authentication)# no shutdown

Step 2: Configure the leaf interface profile.
apic1(config)# leaf-interface-profile <myleafprofile_name>
apic1(config-leaf-if-profile)# leaf-interface-group <myinterfacegroup_name>
apic1(config-leaf-if-group)# interface g1/0 - 8
apic1(config-leaf-if-group)# policy-group <mygroup policy name>

Step 3: Configure the leaf profile.
apic1(config)# leaf-profile <myleafprofile_name>
apic1(config-leaf-profile)# leaf-group <myleafgrp_name>
apic1(config-leaf-group)# leaf <myleaf_ID#>

Step 4: Apply an interface policy on the leaf switch profile.
apic1(config-leaf-profile)# leaf-interface-profile <myprofile_name>

Step 5: Configure 802.1x with MAC bypass on an interface.
apic1(config)# interface Ethernet1/1
apic1(config-if)# dot1x port-control mab
Additional Identifiers
Rule ID: SV-272029r1064432_rule
Vulnerability ID: V-272029
Group Title: SRG-NET-000148-L2S-000015
CCIs
Number | Definition |
---|---|
CCI-000778 | Uniquely identify organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection. |
Controls
Number | Title |
---|---|
IA-3 | Device Identification and Authentication |