The RUCKUS ICX switch must uniquely identify all network-connected endpoint devices before establishing any connection.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-273673 | RCKS-L2S-000020 | SV-273673r1110976_rule | CCI-000778 | high |

Description

Controlling LAN access via 802.1x authentication can assist in preventing a malicious user from connecting an unauthorized PC to a switch port to inject or receive data from the network without detection.

| STIG | Date |
|---|---|
| RUCKUS ICX Layer 2 Switch Security Technical Implementation Guide | 2025-06-03 |
Details
Check Text (C-273673r1110976_chk)
Review the RADIUS server configuration, the FlexAuth configuration, and, optionally, the applicable port configuration, as in the following example:
aaa authentication dot1x default radius
radius-server host 192.168.1.24 auth-port 1812 acct-port 1813 default key 2 $UGlkRGktdG5v dot1x mac-auth no-login
authentication
auth-order mac-auth dot1x
auth-default-vlan 100
restricted-vlan 666
re-authentication
reauth-timeout 60
auth-fail-action restricted-vlan
dot1x enable
dot1x enable ethernet 1/1/14 to 1/1/15
dot1x port-control auto ethernet 1/1/14 to 1/1/15
mac-authentication enable
mac-authentication enable ethernet 1/1/13
mac-authentication password-format xxxx.xxxx.xxxx
mac-authentication dot1x-override
mac-authentication dot1x-disable
interface ethernet 1/1/14
port-name dot1x-test
use-radius-server 192.168.1.24
no inline power
!
Note: Port configuration is only necessary when specifying which RADIUS server is to be used.
If user ports are not configured to control LAN access via 802.1X, this is a finding.
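As an added illustration that is not part of the STIG, the following Python script applies this check to a saved ICX running-config: it confirms RADIUS is the dot1x method and dot1x is enabled globally, then reports every user port that has neither `dot1x port-control auto` nor `mac-authentication enable` applied. The sample configuration is constructed to mirror the check text above, and the list of user ports is an assumption the operator supplies.

```python
import re

# Constructed sample running-config (not from a real switch); it mirrors the
# check text above. Port 1/1/16 is deliberately left without any authentication.
SAMPLE_CONFIG = """\
aaa authentication dot1x default radius
radius-server host 192.168.1.24 auth-port 1812 acct-port 1813 default key 2 $UGlkRGktdG5v dot1x mac-auth no-login
authentication
 auth-default-vlan 100
 dot1x enable
 dot1x enable ethernet 1/1/14 to 1/1/15
 dot1x port-control auto ethernet 1/1/14 to 1/1/15
 mac-authentication enable
 mac-authentication enable ethernet 1/1/13
!
"""

PORT = r"\d+/\d+/\d+"
RANGE_RE = re.compile(rf"ethernet ({PORT})(?: to ({PORT}))?")


def expand_range(first, last=None):
    """Expand 'ethernet 1/1/14 to 1/1/15' into individual ports (same unit and slot)."""
    unit, slot, lo = first.split("/")
    hi = last.split("/")[2] if last else lo
    return [f"{unit}/{slot}/{p}" for p in range(int(lo), int(hi) + 1)]


def ports_matching(config, prefix):
    """Return the set of ports named on config lines that start with the given command."""
    ports = set()
    for line in config.splitlines():
        line = line.strip()
        if line.startswith(prefix):
            m = RANGE_RE.search(line)
            if m:
                ports.update(expand_range(m.group(1), m.group(2)))
    return ports


def check_dot1x(config, user_ports):
    """Return a list of finding strings for this STIG check; an empty list means compliant."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines()]
    if not any(ln.startswith("aaa authentication dot1x") and "radius" in ln for ln in lines):
        findings.append("no 'aaa authentication dot1x default radius'")
    if not any(ln.startswith("radius-server host") and "dot1x" in ln for ln in lines):
        findings.append("no radius-server host configured for dot1x")
    if "dot1x enable" not in lines:
        findings.append("dot1x not enabled globally")
    # A port controls LAN access when dot1x port-control auto or MAC authentication applies to it.
    controlled = ports_matching(config, "dot1x port-control auto") | ports_matching(config, "mac-authentication enable")
    for port in sorted(set(user_ports) - controlled):
        findings.append(f"user port {port} does not control LAN access via 802.1X")
    return findings


if __name__ == "__main__":
    for finding in check_dot1x(SAMPLE_CONFIG, ["1/1/13", "1/1/14", "1/1/15", "1/1/16"]):
        print("FINDING:", finding)
```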
Fix Text (F-77669r1110041_fix)
Configure 802.1x to authenticate endpoint devices.
1. Configure RADIUS as the authentication method for 802.1x.
ICX(config)#radius-server host x.x.x.x auth-port 1812 acct-port 1813 default key xxxxx dot1x mac-auth no-login
2. Configure the dot1x authentication.
ICX(config)#authentication
ICX(config-authen)# auth-default-vlan 100
ICX(config-authen)# re-authentication
ICX(config-authen)# reauth-period 2000
ICX(config-authen)# dot1x enable
ICX(config-authen)# dot1x enable ethernet 1/1/14 to 1/1/15
ICX(config-authen)# dot1x max-req 6
ICX(config-authen)# dot1x timeout tx-period 60
ICX(config-authen)# dot1x timeout quiet-period 30