DISA STIGS Viewer

The Dell OS10 Switch must uniquely identify all network-connected endpoint devices before establishing any connection.

Overview

Finding ID: V-269953
Version: OS10-L2S-000020
Rule ID: SV-269953r1052245_rule
IA Controls:
Severity: High
Description
Controlling LAN access via 802.1x authentication can assist in preventing a malicious user from connecting an unauthorized PC to a switch port to inject or receive data from the network without detection.

Satisfies: SRG-NET-000148-L2S-000015, SRG-NET-000343-L2S-000016

STIG: Dell OS10 Switch Layer 2 Switch Security Technical Implementation Guide
Date: 2024-12-11

Details

Check Text (C-73986r1052243_chk)
Verify if the switch configuration has 802.1x authentication implemented for all access switch ports connecting to LAN outlets (i.e., RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms.

Verify that 802.1x authentication is enabled globally by reviewing the configuration for the presence of:

dot1x system-auth-control

Verify that 802.1x authentication is enabled on the host-facing access interfaces by looking for the following two dot1x settings:
!
interface ethernet1/1/3
dot1x port-control auto
dot1x re-authentication

If 802.1x authentication is not configured on all access switch ports connecting to LAN outlets or devices not located in the telecom room, wiring closets, or equipment rooms, this is a finding.
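
The check above can be scripted against a saved running configuration. The following is an added example, not part of the STIG or of Dell's tooling: it reports a missing global setting and any host-facing interface lacking either of the two dot1x lines. The sample configuration is constructed, and the list of host-facing ports is assumed to be supplied by the reviewer.

```python
import re

# Constructed sample in the style of an OS10 running-config (not from a real device).
SAMPLE_CONFIG = """\
dot1x system-auth-control
!
interface ethernet1/1/1
 description uplink
!
interface ethernet1/1/3
 dot1x port-control auto
 dot1x re-authentication
!
interface ethernet1/1/4
 dot1x port-control auto
!
interface ethernet1/1/5
 dot1x port-control force-authorized
 dot1x re-authentication
!
"""

GLOBAL_LINE = "dot1x system-auth-control"
REQUIRED = ("dot1x port-control auto", "dot1x re-authentication")

def parse(config):
    """Split a running-config into global lines and per-interface lines.
    A block starts at 'interface ...' and ends at the next '!' separator."""
    global_lines, interfaces, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S.*)$", line)
        if m:
            current = interfaces.setdefault(m.group(1).replace(" ", ""), set())
        elif line == "!":
            current = None
        elif line:
            (global_lines if current is None else current).add(line)
    return global_lines, interfaces

def audit(config, host_facing):
    """Return (scope, missing line) findings. host_facing is the reviewer's
    own list of access ports serving LAN outlets (an assumption of this example)."""
    global_lines, interfaces = parse(config)
    findings = [] if GLOBAL_LINE in global_lines else [("global", GLOBAL_LINE)]
    for name in host_facing:
        present = interfaces.get(name, set())  # port absent from config: all missing
        findings += [(name, req) for req in REQUIRED if req not in present]
    return findings
```

An empty result means no finding for the listed ports; a port set to anything other than "dot1x port-control auto" is reported as missing that line.
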
Fix Text (F-73887r1052244_fix)
Configure 802.1x authentication on all host-facing access switch ports.

Configure RADIUS for 802.1x authentication:

OS10(config)# radius-server host 10.10.1.200 key my-shared-secret
OS10(config)# radius-server retransmit 10
OS10(config)# radius-server timeout 10

Enable 802.1X globally in CONFIGURATION mode:

OS10(config)# dot1x system-auth-control

Enable 802.1x on the host-facing access interfaces:

OS10(config)# interface range ethernet 1/1/2-1/1/48
OS10(conf-rangeeth1/1/2-1/1/48)# dot1x port-control auto
OS10(conf-rangeeth1/1/2-1/1/48)# dot1x re-authentication