Check: RCKS-L2S-000020
RUCKUS ICX Layer 2 Switch STIG: RCKS-L2S-000020 (version v1 r1)
Title
The RUCKUS ICX switch must uniquely identify all network-connected endpoint devices before establishing any connection. (Cat I impact)
Discussion
Controlling LAN access via 802.1x authentication can assist in preventing a malicious user from connecting an unauthorized PC to a switch port to inject or receive data from the network without detection.
Check Content
Review the configuration for the RADIUS server configuration, the FlexAuth configuration, and the applicable port configuration (optional):

aaa authentication dot1x default radius
radius-server host 192.168.1.24 auth-port 1812 acct-port 1813 default key 2 $UGlkRGktdG5v dot1x mac-auth no-login
authentication
 auth-order mac-auth dot1x
 auth-default-vlan 100
 restricted-vlan 666
 re-authentication
 reauth-timeout 60
 auth-fail-action restricted-vlan
 dot1x enable
 dot1x enable ethernet 1/1/14 to 1/1/15
 dot1x port-control auto ethernet 1/1/14 to 1/1/15
 mac-authentication enable
 mac-authentication enable ethernet 1/1/13
 mac-authentication password-format xxxx.xxxx.xxxx
 mac-authentication dot1x-override
 mac-authentication dot1x-disable
interface ethernet 1/1/14
 port-name dot1x-test
 use-radius-server 192.168.1.24
 no inline power
!

Note: Port configuration is only necessary when specifying which RADIUS server is to be used.

If user ports are not configured to control LAN access via 802.1X, this is a finding.
Fix Text
Configure 802.1x to authenticate endpoint devices.

1. Configure RADIUS as the authentication method for 802.1x.

ICX(config)#radius-server host x.x.x.x auth-port 1812 acct-port 1813 default key xxxxx dot1x mac-auth no-login

2. Configure the dot1x authentication.

ICX(config)#authentication
ICX(config-authen)# auth-default-vlan 100
ICX(config-authen)# re-authentication
ICX(config-authen)# reauth-period 2000
ICX(config-authen)# dot1x enable
ICX(config-authen)# dot1x enable ethernet 1/1/14 to 1/1/15
ICX(config-authen)# dot1x max-req 6
ICX(config-authen)# dot1x timeout tx-period 60
ICX(config-authen)# dot1x timeout quiet-period 30
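As an added example (not part of the STIG or of RUCKUS documentation), the following Python script applies the Check Content logic to a saved running-config: it confirms RADIUS is the dot1x method, that dot1x is enabled globally, and that every port the auditor designates as a user port is both dot1x-enabled and under port-control auto. The sample config and the user-port list are constructed for the example.

```python
import re

# Constructed running-config excerpt, modelled on the Check Content above.
SAMPLE_CONFIG = """\
aaa authentication dot1x default radius
radius-server host 192.168.1.24 auth-port 1812 acct-port 1813 default key 2 $UGlkRGktdG5v dot1x mac-auth no-login
authentication
 auth-default-vlan 100
 restricted-vlan 666
 re-authentication
 dot1x enable
 dot1x enable ethernet 1/1/14 to 1/1/15
 dot1x port-control auto ethernet 1/1/14 to 1/1/15
 mac-authentication enable
 mac-authentication enable ethernet 1/1/13
!
"""

PORT_RE = re.compile(r"ethernet (\d+/\d+/\d+)(?: to (\d+/\d+/\d+))?")

def expand_ports(spec):
    """Expand 'ethernet 1/1/14 to 1/1/15' into {'1/1/14', '1/1/15'}."""
    ports = set()
    for first, last in PORT_RE.findall(spec):
        if not last:
            ports.add(first)
            continue
        stack, slot, lo = first.split("/")
        hi = last.split("/")[2]  # ranges on ICX vary only the port number
        for p in range(int(lo), int(hi) + 1):
            ports.add(f"{stack}/{slot}/{p}")
    return ports

def audit_dot1x(config, user_ports):
    """Return a list of findings for RCKS-L2S-000020; an empty list passes."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []
    if "aaa authentication dot1x default radius" not in lines:
        findings.append("802.1X is not using RADIUS as its authentication method")
    if not any(l.startswith("radius-server host") and " dot1x" in l for l in lines):
        findings.append("no RADIUS server is configured for dot1x")
    if "dot1x enable" not in lines:
        findings.append("dot1x is not enabled globally")
    enabled, controlled = set(), set()
    for l in lines:
        if l.startswith("dot1x enable ethernet"):
            enabled |= expand_ports(l)
        elif l.startswith("dot1x port-control auto ethernet"):
            controlled |= expand_ports(l)
    for port in sorted(user_ports):  # user_ports is the auditor's own list (assumed)
        if port not in enabled or port not in controlled:
            findings.append(f"user port {port} does not control LAN access via 802.1X")
    return findings

if __name__ == "__main__":
    for f in audit_dot1x(SAMPLE_CONFIG, {"1/1/13", "1/1/14", "1/1/15"}):
        print("FINDING:", f)
```

Against the sample, port 1/1/13 is reported because it relies on MAC authentication alone; 1/1/14 and 1/1/15 pass.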
Additional Identifiers
Rule ID: SV-273673r1110976_rule
Vulnerability ID: V-273673
Group Title: SRG-NET-000148-L2S-000015
Expert Comments
CCIs
Number | Definition
---|---
CCI-000778 | Uniquely identify organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection.
Controls
Number | Title
---|---
IA-3 | Device Identification and Authentication