The RUCKUS ICX switch must uniquely identify all network-connected endpoint devices before establishing any connection.
Overview
Finding ID | Version | Rule ID | IA Controls | Severity |
V-273673 | RCKS-L2S-000020 | SV-273673r1110976_rule | | High |
Description |
Controlling LAN access via 802.1x authentication can assist in preventing a malicious user from connecting an unauthorized PC to a switch port to inject or receive data from the network without detection. |
STIG | Date |
RUCKUS ICX Layer 2 Switch Security Technical Implementation Guide | 2025-06-03 |
Details
Check Text (C-77764r1110040_chk) |
Review the configuration for the RADIUS server definition, the FlexAuth (authentication mode) configuration, and, optionally, the per-port configuration. A reference configuration:

aaa authentication dot1x default radius
radius-server host 192.168.1.24 auth-port 1812 acct-port 1813 default key 2 $UGlkRGktdG5v dot1x mac-auth no-login
authentication
 auth-order mac-auth dot1x
 auth-default-vlan 100
 restricted-vlan 666
 re-authentication
 reauth-timeout 60
 auth-fail-action restricted-vlan
 dot1x enable
 dot1x enable ethernet 1/1/14 to 1/1/15
 dot1x port-control auto ethernet 1/1/14 to 1/1/15
 mac-authentication enable
 mac-authentication enable ethernet 1/1/13
 mac-authentication password-format xxxx.xxxx.xxxx
 mac-authentication dot1x-override
 mac-authentication dot1x-disable
interface ethernet 1/1/14
 port-name dot1x-test
 use-radius-server 192.168.1.24
 no inline power
!

Note: Per-port configuration is only necessary when specifying which RADIUS server a port is to use.

If user ports are not configured to control LAN access via 802.1X, this is a finding. |
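The check above is a manual review of the running configuration. As an added example, not part of the STIG and not a RUCKUS tool, the following Python script audits saved "show running-config" text against it: it extracts the global authentication mode, expands the ICX port ranges, and reports every user port that is neither under 802.1X port control nor under MAC authentication, which is the condition the check text calls a finding. The sample configuration is constructed from the check text (the key value is the page's obfuscated string, not a secret), the list of user ports is an input the reviewer supplies because the STIG leaves "user ports" to the reviewer's judgement, and the rule that a port only counts as controlled when it appears under `dot1x port-control auto` with the global `dot1x enable` set (or under `mac-authentication enable ethernet` with the global `mac-authentication enable` set) is this script's assumption.

```python
"""Audit a saved RUCKUS ICX running-config against RCKS-L2S-000020.

Added example, not part of the STIG or of RUCKUS software. It pulls the
FlexAuth settings out of 'show running-config' text and lists the user
ports that have neither 802.1X port control nor MAC authentication, which
is the condition the check text calls a finding.
"""
import re

# Constructed sample config, modelled on the check text (the key is the
# page's obfuscated value, not a real secret).
SAMPLE_CONFIG = """\
aaa authentication dot1x default radius
radius-server host 192.168.1.24 auth-port 1812 acct-port 1813 default key 2 $UGlkRGktdG5v dot1x mac-auth no-login
authentication
 auth-order mac-auth dot1x
 auth-default-vlan 100
 restricted-vlan 666
 re-authentication
 reauth-timeout 60
 auth-fail-action restricted-vlan
 dot1x enable
 dot1x enable ethernet 1/1/14 to 1/1/15
 dot1x port-control auto ethernet 1/1/14 to 1/1/15
 mac-authentication enable
 mac-authentication enable ethernet 1/1/13
!
interface ethernet 1/1/14
 port-name dot1x-test
 use-radius-server 192.168.1.24
!
"""

# ICX port syntax: 'ethernet 1/1/14' or 'ethernet 1/1/14 to 1/1/15'
# (unit/slot/port). One line may carry several such groups.
PORT_RE = re.compile(r"ethernet\s+(\d+)/(\d+)/(\d+)(?:\s+to\s+(\d+)/(\d+)/(\d+))?")


def expand_ports(spec):
    """Expand every 'ethernet a/b/c [to a/b/d]' group in spec into port names."""
    ports = []
    for m in PORT_RE.finditer(spec):
        unit, slot, first = m.group(1), m.group(2), int(m.group(3))
        last = int(m.group(6)) if m.group(6) else first
        # A range is expanded within the first group's unit/slot only.
        ports.extend(f"{unit}/{slot}/{p}" for p in range(first, last + 1))
    return ports


def authentication_block(config):
    """Return the indented sub-commands of the global 'authentication' mode."""
    block, inside = [], False
    for line in config.splitlines():
        if line.strip() == "authentication":
            inside = True
            continue
        if inside:
            if line.startswith(" "):
                block.append(line.strip())
            else:
                break  # first unindented line (e.g. '!') ends the mode
    return block


def audit(config, user_ports):
    """Evaluate the config for the given user ports.

    Assumption (this script's, not the STIG's): a port is access-controlled
    when the global 'dot1x enable' is set and the port is listed under
    'dot1x port-control auto', or when the global 'mac-authentication enable'
    is set and the port is listed under 'mac-authentication enable ethernet'.
    """
    block = authentication_block(config)
    dot1x_global = "dot1x enable" in block
    macauth_global = "mac-authentication enable" in block
    dot1x_ports, macauth_ports = set(), set()
    for line in block:
        if line.startswith("dot1x port-control auto"):
            dot1x_ports.update(expand_ports(line))
        elif line.startswith("mac-authentication enable ethernet"):
            macauth_ports.update(expand_ports(line))
    if not dot1x_global:
        dot1x_ports = set()  # per-port settings are inert without the global
    if not macauth_global:
        macauth_ports = set()
    protected = dot1x_ports | macauth_ports
    unprotected = [p for p in user_ports if p not in protected]
    return {
        "aaa_dot1x_radius": bool(
            re.search(r"^aaa authentication dot1x default radius", config, re.M)),
        "radius_server_dot1x": bool(
            re.search(r"^radius-server host \S+.*\bdot1x\b", config, re.M)),
        "dot1x_ports": sorted(dot1x_ports),
        "macauth_ports": sorted(macauth_ports),
        "unprotected": unprotected,
        # Finding per the check text: any user port not controlling LAN access.
        "finding": bool(unprotected),
    }


if __name__ == "__main__":
    # The reviewer supplies the user-port list; 1/1/16 is uncovered here.
    result = audit(SAMPLE_CONFIG, ["1/1/13", "1/1/14", "1/1/15", "1/1/16"])
    for key, value in result.items():
        print(f"{key}: {value}")
```

Feed it the output of `show running-config` saved to a file and the list of access ports from your port inventory; uplinks and trunks should be left out of `user_ports` since the check is about endpoint-facing ports. The two RADIUS flags are reported separately because a port can be under `port-control auto` while no usable authentication method is defined, which is a failure of a different kind from an uncontrolled port.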
Fix Text (F-77669r1110041_fix) |
Configure 802.1x to authenticate endpoint devices.

1. Configure RADIUS as the authentication method for 802.1x.

ICX(config)#radius-server host x.x.x.x auth-port 1812 acct-port 1813 default key xxxxx dot1x mac-auth no-login

2. Configure the dot1x authentication.

ICX(config)#authentication
ICX(config-authen)# auth-default-vlan 100
ICX(config-authen)# re-authentication
ICX(config-authen)# reauth-period 2000
ICX(config-authen)# dot1x enable
ICX(config-authen)# dot1x enable ethernet 1/1/14 to 1/1/15
ICX(config-authen)# dot1x max-req 6
ICX(config-authen)# dot1x timeout tx-period 60
ICX(config-authen)# dot1x timeout quiet-period 30

The reference configuration in the check text additionally contains "aaa authentication dot1x default radius" and "dot1x port-control auto ethernet 1/1/14 to 1/1/15" for the same ports; confirm both are present in the resulting running-config. |