Check: CACI-L2-000001
Cisco ACI Layer 2 Switch STIG: CACI-L2-000001 (in version v1 r1)
Title
The Cisco ACI layer 2 switch must uniquely identify all network-connected endpoint devices before establishing any connection. (Cat I impact)
Discussion
Controlling LAN access via 802.1x authentication can assist in preventing a malicious user from connecting an unauthorized PC to a switch port to inject or receive data from the network without detection. In ACI, VLANs are used for traffic segmentation and identification, but their primary function is for identifying traffic, not directly configuring the leaf switch ports.
Check Content
Verify that the switch configuration has 802.1x authentication implemented for all access switch ports connecting to LAN outlets (i.e., RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms. MAC Authentication Bypass (MAB) must be configured on those switch ports connected to devices that do not support an 802.1x supplicant.
1. Navigate to Fabric >> Port Profiles.
2. Select the port profile that is used for host-facing access ports.
3. Within the port profile configuration, locate the 802.1x settings and verify that both 802.1x and MAB are enabled.
4. Navigate to the Endpoints section.
5. Choose the leaf nodes that host the host-facing ports and verify the port profile is applied.
If 802.1x authentication or MAB is not configured on all access switch ports connecting to LAN outlets or devices not located in the telecom room, wiring closets, or equipment rooms, this is a finding.
Fix Text
Enable 802.1X authentication on host-facing access ports in Cisco APIC and, to accommodate devices lacking 802.1X support, configure MAB (MAC Authentication Bypass). The following is an example.
Enable 802.1x on Port Profiles:
1. Navigate to Fabric >> Port Profiles.
2. Select the port profile that is used for host-facing access ports.
3. Within the port profile configuration, locate the 802.1x settings and enable it.
4. Specify the 802.1x authentication parameters.
5. Enable MAB and specify the MAC address range and relevant settings.
6. For Host Mode, select Single Host.
7. The MAC Auth should be EAP_FALLBACK_MAB.
8. In the Failed-auth VLAN field, select the VLAN to deploy to if authentication fails.
9. In the Failed-auth EPG field, choose the tenant, application profile, or EPG to deploy to if authentication fails.
10. Go to the Endpoints section.
11. Choose the leaf nodes that host the host-facing ports.
12. Apply the configured port profile to the host-facing ports.
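As an added example, not part of the STIG and not Cisco's or APIC's own code or object schema, the following Python expresses the Check Content (802.1x and MAB enabled, profile applied on every host-facing leaf) and the Fix Text's recommended settings as a compliance check over a constructed model of port-profile settings; the PortProfile field names, leaf names and sample profiles are assumptions.

```python
from dataclasses import dataclass, field

# Constructed (hypothetical) model of the port profile settings the Fix Text
# names; this is NOT APIC's object model or REST API.
@dataclass
class PortProfile:
    name: str
    dot1x_enabled: bool
    mab_enabled: bool
    host_mode: str = ""
    mac_auth: str = ""
    failed_auth_vlan: str = ""
    failed_auth_epg: str = ""
    applied_to_leaves: set = field(default_factory=set)

def check_profile(p: PortProfile, host_facing_leaves: set) -> list:
    """Findings for one profile per the Check Content; an empty list means compliant."""
    findings = []
    if not p.dot1x_enabled:
        findings.append("802.1x authentication not enabled")
    if not p.mab_enabled:
        findings.append("MAB not enabled for devices without an 802.1x supplicant")
    missing = host_facing_leaves - p.applied_to_leaves
    if missing:
        findings.append("profile not applied on host-facing leaf nodes: " + ", ".join(sorted(missing)))
    return findings

def fix_text_deviations(p: PortProfile) -> list:
    """Settings that differ from the Fix Text example (reported separately; not findings by themselves)."""
    out = []
    if p.host_mode != "Single Host":
        out.append("Host Mode is not Single Host")
    if p.mac_auth != "EAP_FALLBACK_MAB":
        out.append("MAC Auth is not EAP_FALLBACK_MAB")
    if not (p.failed_auth_vlan or p.failed_auth_epg):
        out.append("no Failed-auth VLAN or EPG set")
    return out

# Constructed sample fabric: two profiles, host-facing ports on leaf-101 and leaf-102.
HOST_FACING_LEAVES = {"leaf-101", "leaf-102"}
SAMPLE_PROFILES = [
    PortProfile("host-access", True, True, "Single Host", "EAP_FALLBACK_MAB", "vlan-999", "", {"leaf-101", "leaf-102"}),
    PortProfile("legacy-access", True, False, "Multi Host", "EAP_FALLBACK_MAB", "", "", {"leaf-101"}),
]

def assess(profiles=SAMPLE_PROFILES, leaves=HOST_FACING_LEAVES) -> dict:
    """Map profile name -> findings; the check passes only when every list is empty."""
    return {p.name: check_profile(p, leaves) for p in profiles}

if __name__ == "__main__":
    for name, f in assess().items():
        print(name, "FINDING: " + "; ".join(f) if f else "compliant")
```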
Additional Identifiers
Rule ID: SV-272029r1114259_rule
Vulnerability ID: V-272029
Group Title: SRG-NET-000148-L2S-000015
CCIs
Number | Definition
---|---
CCI-000778 | Uniquely identify organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection.
Controls
Number | Title
---|---
IA-3 | Device Identification and Authentication