NET-NAC-009 - The switch must be configured to use 802.1x authentication on host facing access switch ports - 'aaa authentication'

Details

The IEEE 802.1x standard is a client-server based access control and authentication protocol that restricts unauthorized clients from connecting to a local area network through host facing switch ports. The authentication server authenticates each client connected to to a switch port before making any services available to the client from the LAN. Unless the client is successfully authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port. Without the use of 802.1x, a malicious user could use the switch port to connect an unauthorized piece of computer or other network device to inject or steal data from the network without detection.


Solution

Configure 802.1 x authentication on all access switch ports connecting to LAN outlets (i.e., RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms. Configure MAB on those switch ports connected to devices that do not support an 802.1x supplicant.


Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication.This control applies to the following type of system Cisco.


References


Source