JUEX-L2-000020 - The Juniper EX switch must be configured to uniquely identify all network-connected endpoint devices before establishing any connection.

Information

Controlling LAN access via 802.1x authentication can assist in preventing a malicious user from connecting an unauthorized PC to an access interface to inject or receive data from the network without detection.

The 802.1x configuration also provides Static MAC Bypass and MAC RADIUS for devices that cannot run an 802.1x supplicant.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure 802.1x authentication on all host-facing access interfaces. To authenticate devices that do not support an 802.1x supplicant, Static MAC Bypass or MAC RADIUS must be configured.

Configure RADIUS if available, either by defining the server globally and referencing it from the access profile:
set access radius-server <RADIUS IPv4 or IPv6 address> secret '<PSK>'
set access profile dot1x_radius radius authentication-server <RADIUS IPv4 or IPv6 address>
-or-
by defining the server inside the access profile:
set access profile dot1x_radius radius-server <RADIUS IPv4 or IPv6 address> secret '<PSK>'

set access profile dot1x_radius authentication-order radius

To configure 802.1x on an access interface, bind the authenticator to the profile and then choose one supplicant mode per interface:
set protocols dot1x authenticator authentication-profile-name dot1x_radius
set protocols dot1x authenticator interface <name>.<logical unit> supplicant single-secure
-or-
set protocols dot1x authenticator interface <name>.<logical unit> supplicant multiple
-or-
set protocols dot1x authenticator interface <name>.<logical unit> supplicant multiple
set protocols dot1x authenticator interface <name>.<logical unit> mac-radius
set protocols dot1x authenticator interface <name>.<logical unit> mac-radius restrict
Note: Configure the 'restrict' keyword if the connected device does not support a supplicant. A non-802.1x-aware client will still fall back to MAC RADIUS when it is configured, but without 'restrict' the switch attempts 802.1x authentication first and only then tries MAC RADIUS, which increases the time the device must wait before gaining network access.

To configure Static MAC Bypass:
set protocols dot1x authenticator static <MAC address>/48 vlan-assignment <vlan name>
set protocols dot1x authenticator static <MAC address>/48 interface <interface name>.<logical unit>
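As an added example (not part of the STIG or the Nessus audit content), the following Python script audits a Junos 'show configuration | display set' capture for the coverage this check requires: every access-mode interface must carry a dot1x authenticator stanza (a supplicant mode and/or MAC RADIUS) or a Static MAC Bypass entry, and the authenticator's profile must point at a RADIUS server. It also lists interfaces that use mac-radius without 'restrict', per the note above. The configuration sample, interface names, VLAN name, MAC address and RADIUS address are all constructed.

```python
"""Offline coverage check for JUEX-L2-000020 (added example, not from the page).

Input is the text of 'show configuration | display set'. Output lists each
access interface with the authentication methods protecting it, the ones
with no protection at all, and whether the dot1x profile is RADIUS-backed.
"""
import re
from collections import defaultdict

# Constructed sample. ge-0/0/0, ge-0/0/1 and ge-0/0/4 are protected access
# ports; ge-0/0/2 is an access port with no 802.1x or bypass (a finding);
# ge-0/0/3 is a trunk uplink and is out of scope for this check.
SAMPLE_CONFIG = """
set access radius-server 192.0.2.10 secret "$9$constructed-not-real"
set access profile dot1x_radius radius authentication-server 192.0.2.10
set access profile dot1x_radius authentication-order radius
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/4 unit 0 family ethernet-switching port-mode access
set protocols dot1x authenticator authentication-profile-name dot1x_radius
set protocols dot1x authenticator interface ge-0/0/0.0 supplicant single-secure
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/1.0 mac-radius
set protocols dot1x authenticator static 00:11:22:33:44:55/48 vlan-assignment printers
set protocols dot1x authenticator static 00:11:22:33:44:55/48 interface ge-0/0/4.0
"""

# Both the ELS form (interface-mode) and the legacy form (port-mode) mark an access port.
ACCESS_RE = re.compile(
    r"^set interfaces (\S+) unit (\d+) family ethernet-switching "
    r"(?:interface-mode|port-mode) access$")
DOT1X_IF_RE = re.compile(
    r"^set protocols dot1x authenticator interface (\S+) "
    r"(supplicant \S+|mac-radius(?: restrict)?)$")
STATIC_RE = re.compile(
    r"^set protocols dot1x authenticator static (\S+)/48 interface (\S+)$")
PROFILE_RE = re.compile(
    r"^set protocols dot1x authenticator authentication-profile-name (\S+)$")
# Either way of attaching a RADIUS server to an access profile (see Solution).
RADIUS_RE = re.compile(
    r"^set access profile (\S+) (?:radius authentication-server|radius-server) \S+")


def parse(config_text):
    """Collect access ports, dot1x stanzas, static bypass entries and profile facts."""
    access, dot1x, static = set(), defaultdict(set), defaultdict(set)
    profile, radius_profiles = None, set()
    for raw in config_text.strip().splitlines():
        line = raw.strip()
        if m := ACCESS_RE.match(line):
            access.add(f"{m.group(1)}.{m.group(2)}")
        elif m := DOT1X_IF_RE.match(line):
            dot1x[m.group(1)].add(m.group(2))
        elif m := STATIC_RE.match(line):
            static[m.group(2)].add(m.group(1))
        elif m := PROFILE_RE.match(line):
            profile = m.group(1)
        elif m := RADIUS_RE.match(line):
            radius_profiles.add(m.group(1))
    return access, dot1x, static, profile, radius_profiles


def audit(config_text):
    """Return per-interface methods, uncovered ports and an overall verdict."""
    access, dot1x, static, profile, radius_profiles = parse(config_text)
    interfaces = {}
    for iface in sorted(access):
        methods = sorted(dot1x.get(iface, set()))
        if static.get(iface):
            methods.append(f"static-mac-bypass({len(static[iface])})")
        interfaces[iface] = methods
    uncovered = [i for i, m in interfaces.items() if not m]
    # Any supplicant or mac-radius port needs a RADIUS-backed profile behind it.
    needs_radius = any(x.startswith(("supplicant", "mac-radius"))
                       for m in interfaces.values() for x in m)
    profile_ok = profile is not None and profile in radius_profiles
    slow_path = [i for i, m in interfaces.items()
                 if "mac-radius" in m and "mac-radius restrict" not in m]
    return {
        "interfaces": interfaces,
        "uncovered": uncovered,
        "profile_ok": profile_ok,
        "mac_radius_without_restrict": slow_path,
        "compliant": not uncovered and (profile_ok or not needs_radius),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for iface, methods in report["interfaces"].items():
        print(f"{iface}: {', '.join(methods) or 'NO AUTHENTICATION'}")
    print("profile RADIUS-backed:", report["profile_ok"])
    print("mac-radius without restrict:", report["mac_radius_without_restrict"])
    print("compliant:", report["compliant"])
```

Run it against the sample and ge-0/0/2.0 is reported as unprotected; appending a supplicant line for that port turns the verdict to compliant. The trunk port ge-0/0/3.0 is deliberately ignored, since the control is scoped to host-facing access interfaces.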

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y24M07_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-3, CAT|I, CCI|CCI-000778, Rule-ID|SV-253949r843880_rule, STIG-ID|JUEX-L2-000020, Vuln-ID|V-253949

Plugin: Juniper

Control ID: 3c13f9edc9afdfdfdcf6061182d2185d15bcea5c7403bdfc18fac271c56acdc0