Details
Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity on the network. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk (e.g., remote connections).
Bidirectional authentication solutions include, but are not limited to, IEEE 802.1x and Extensible Authentication Protocol (EAP) and Radius server with EAP-Transport Layer Security (TLS) authentication.
A network connection is any connection with a device that communicates through a network (e.g., local area network, wide area network, or the Internet).
Authentication must use a form of cryptography to ensure a high level of trust and authenticity.
Solution
Configure 802.1X on the switch, using the following mandatory parameters for all applicable interfaces. Replace the bracketed variable with the applicable value.
config
interface Ethernet[X]
switchport access vlan [Y]
dot1x pae authenticator
dot1x reauthentication
dot1x port-control auto
dot1x host-mode single-host
dot1x timeout quiet-period [value]
dot1x timeout reauth-period [value]
dot1x max-reauth-req [value]
For the global configuration, include the following command statements from the global configuration mode interface:
logging level DOT1X informational
aaa authentication dot1x default group radius
dot1x system-auth-control
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication.This control applies to the following type of system Arista.
References
- 800-53|IA-3(1)
- CAT|II
- CCI|CCI-001967
- Group-ID|V-60825
- Rule-ID|SV-75281r1_rule
- STIG-ID|AMLS-L2-000130
- Vuln-ID|V-60825