Detections
Analytics
JUEX-L2-000070 - The Juniper EX switch must be configured to authenticate all network-connected endpoint devices before establishing any connection.
Information
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.Device authentication is a solution enabling an organization to manage devices. It is an additional layer of authentication ensuring only specific pre-authorized devices can access the system. This requirement applies to applications that connect either locally, remotely, or through a network to an endpoint device (including, but not limited to, workstations, printers, servers (outside a datacenter), VoIP Phones, and VTC CODECs. Gateways and SOA applications are examples of where this requirement would apply.
For Juniper EX, configure 802.1 x authentication on all host-facing access interfaces. To authenticate those devices that do not support an 802.1x supplicant, Static MAC Bypass or MAC RADIUS must be configured. Junos supports three supplicant types: single-secure (authenticate and permit only a single device), multiple (separately authenticate and permit multiple devices), and single (authenticate the first supplicant and permit all others). The authentication order must be appropriate for the target environment. Authentication must be configured on all access interfaces connecting to LAN outlets or devices not located in the telecom room, wiring closets, or equipment rooms.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Configure RADIUS if available on all host-facing access interfaces:set access radius-server <RADIUS IPv4 or IPv6 address (global)> secret '<PSK>'
set access profile dot1x_radius authentication-order radius
set access profile dot1x_radius radius authentication-server <RADIUS IPv4 or IPv6
address (global)>
-or set access profile dot1x_radius radius-server <RADIUS IPv4 or IPv6 address> secret '<PSK>'
To configure 802.1x on an access interface using the default authentication order:
set protocols dot1x authenticator authentication-profile-name dot1x_radius
set protocols dot1x authenticator interface <int-01> supplicant single-secure
To configure 802.1x and MAC RADIUS on an access interface and prefer MAC RADIUS in the authentication order:
set protocols dot1x authenticator interface <int-02> authentication-order mac-radius
set protocols dot1x authenticator interface <int-02> authentication-order dot1x
set protocols dot1x authenticator interface <int-02> authentication-order captive-portal
set protocols dot1x authenticator interface <int-02> supplicant multiple
set protocols dot1x authenticator interface <int-02> mac-radius
To configure only MAC RADIUS on an access interface (authentication order cannot be set):
set protocols dot1x authenticator interface <int-03> mac-radius restrict
To configure Static MAC Bypass:
set protocols dot1x authenticator static <MAC address>/48 vlan-assignment <vlan name>
set protocols dot1x authenticator static <MAC address>/48 interface <interface name>.<logical unit>
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y24M10_STIG.zip
Item Details
Audit Name: DISA Juniper EX Series Layer 2 Switch v2r2
Category: IDENTIFICATION AND AUTHENTICATION
References: 800-53|IA-3, CAT|II, CCI|CCI-001958, Rule-ID|SV-253954r1028752_rule, STIG-ID|JUEX-L2-000070, Vuln-ID|V-253954
Plugin: Juniper
Control ID: a568a2bc874afb74992378ea0bf249f50526d17d589770d02050498c8719fb20