JUEX-L2-000070 - The Juniper EX switch must be configured to authenticate all network-connected endpoint devices before establishing any connection.

Information

Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.

For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide authentication decisions (as opposed to the actual authenticators) to the services that need to act on those decisions.

This requirement applies to applications that connect either locally, remotely, or through a network to an endpoint device (including, but not limited to, workstations, printers, servers (outside a datacenter), VoIP Phones, and VTC CODECs). Gateways and SOA applications are examples of where this requirement would apply.

Device authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices can access the system.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure 802.1 x authentication on all host-facing access interfaces. To authenticate those devices that do not support an 802.1x supplicant, Static MAC Bypass or MAC RADIUS must be configured.

Configure RADIUS if available:
set access radius-server <RADIUS IPv4 or IPv6 address (global)> secret '<PSK>'
set access profile dot1x_radius radius authentication-server <RADIUS IPv4 or IPv6 address (global)>
-or-
set access profile dot1x_radius radius-server <RADIUS IPv4 or IPv6 address> secret '<PSK>'

set access profile dot1x_radius authentication-order radius

To configure 802.1x on an access interface:
set protocols dot1x authenticator authentication-profile-name dot1x_radius
set protocols dot1x authenticator interface ge-0/0/0.0 supplicant single-secure
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/1.0 mac-radius
set protocols dot1x authenticator interface ge-0/0/2.0 mac-radius restrict

To configure Static MAC Bypass:
set protocols dot1x authenticator static <MAC address>/48 vlan-assignment <vlan name>
set protocols dot1x authenticator static <MAC address>/48 interface <interface name>.<logical unit>

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y24M07_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-3, CAT|II, CCI|CCI-001958, Rule-ID|SV-253954r843895_rule, STIG-ID|JUEX-L2-000070, Vuln-ID|V-253954

Plugin: Juniper

Control ID: 53ac8ffcd383c3a643efa58f6d9c420fe26db89e48e0c9350cbccca78b99f92b