The layer 2 switch must authenticate all endpoint devices before establishing a network connection using bidirectional authentication that is cryptographically based.

From Layer 2 Switch Security Requirements Guide

Associated with: CCI-001967

SV-76647r1_rule The layer 2 switch must authenticate all endpoint devices before establishing a network connection using bidirectional authentication that is cryptographically based.

Vulnerability discussion

Controlling LAN access via 802.1x authentication can assist in preventing a malicious user from connecting an unauthorized PC to a switch port to inject or receive data from the network without detection.

Check content

Review the switch configuration and verify that the 802.1x implementation is using bidirectional authentication between the supplicant and the authentication server that is cryptographically based such as EAP-TLS or PEAP-MSCHAPv2. If the switch is not using bidirectional authentication between the supplicant and the authentication server that is cryptographically based, this is a finding.

Fix text

Configure the switch to implement 802.1.x using EAP-TLS or PEAP-MSCHAPv2. Both implementations will encapsulate the EAP packets within a TLS tunnel and provide bidirectional authentication between supplicant and a RADIUS server.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.