ARST-L2-000020 - The Arista MLS layer 2 switch must uniquely identify all network-connected endpoint devices before establishing any connection.

Information

Controlling LAN access via 802.1x authentication can assist in preventing a malicious user from connecting an unauthorized PC to a switch port to inject or receive data from the network without detection.

Satisfies: SRG-NET-000148-L2S-000015, SRG-NET-000343-L2S-000016

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure Arista MLS switch for 802.1X globally with the following mandatory parameters, and then configure non-data center access ports and all applicable interfaces.

Step 1: Configure the Arista MLS switch for 802.1X globally using the following commands:

!
logging level DOT1X informational
aaa authentication dot1x default group radius
dot1x system-auth-control
!

Step 2: Configure the Arista switch for all non-data center access ports with 802.1X VLAN to an access/trunk port and set the 802.1X port access entity (PAE) to authenticator with the following commands:

interface Ethernet4
description 802.1X Host-Mode Access Port
switchport access vlan 100
dot1x pae authenticator
dot1x reauthentication
dot1x port-control auto
dot1x host-mode single-host
dot1x timeout quiet-period 10
!

Step 3: The Arista switch can be also configured for MAC-based authentication. Configuring MAB requires that every supplicant trying to gain access to the switch authenticator port is individually authenticated by MAC address as opposed to authenticating just one supplicant on a given VLAN or port with 802.1X, and then using the MAC address of these devices as username and password in the RADIUS request packets.

!
interface Ethernet7
description MAC-Based Authentication
speed 100full
dot1x pae authenticator
dot1x port-control auto
dot1x mac based authentication
!

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Arista_MLS_EOS_4-2x_Y24M07_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-3, CAT|I, CCI|CCI-000778, CCI|CCI-001958, Rule-ID|SV-255968r882246_rule, STIG-ID|ARST-L2-000020, Vuln-ID|V-255968

Plugin: Arista

Control ID: 19f99b957d06f668d11c5668033daa3997a01927b89d9e48bf8689c105924fca