The Nokia layer 2 switch must uniquely identify all network-connected endpoint devices before establishing any connection.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| high | V-283678 | SRG-NET-000148-L2S-000015 | NOKI-L2-000020 | SV-283678r1204062_rule | 2026-06-15 | 1 |
Description
Controlling local area network (LAN) access via 802.1x authentication can help prevent a malicious user from connecting an unauthorized personal computer to a switch port to inject or receive data from the network without detection.
Satisfies: SRG-NET-000148-L2S-000015, SRG-NET-000343-L2S-000016
ℹ️ Check
Verify Nokia router configuration has 802.1x authentication implemented for all access switch ports connecting to LAN outlets (i.e., RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms. The 802.1x authentication is not required for switch ports connected to devices that do not support an 802.1x supplicant.
For 7750 nodes, use the command below to verify dot1x "Authentication" status and list of "Allowed hosts" and "Disallowed hosts" is correct:
- show system security dot1x
Verify dot1x is enabled and configured for each port:
- show port 1/1/c3/10 dot1x
802.1x Port Status
Port control : auto
Port status : authorized
Authenticator PAE state : authenticated
Backend state : idle
Reauth enabled : no Reauth period : N/A
Max auth requests : 2 Transmit period : 30
Supplicant timeout : 30 Server timeout : 30
Quiet period : 60
Radius policy : test
Radius server plcy auth : N/A
Radius server plcy acct : N/A
Untagged tunneling : false
Dot1q tunneling : true
Qinq tunneling : true
Per-host authentication : enabled
MAC-based authentication: disabled
Authenticator Initiation: true
Allowed hosts : 1 (max 100)
Disallowed hosts : 1
Admin-state : enabled
If 802.1x authentication is not configured on all access switch ports connecting to LAN outlets or devices not located in the telecom room, wiring closets, or equipment rooms, this is a finding.
✔️ Fix
Configure 802.1 x authentications on all host-facing access switch ports. To authenticate devices that do not support 802.1x, Media Access Control (MAC) Authentication Bypass must be configured.
Configure dot1x radius policy:
- exit all
- configure system security dot1x radius-plcy <policy name> create
- server <server index> address <server ip address> secret <secret key>
- source-address <source address of the radius packet>
- no shutdown
Configure port dot1x authentication parameters:
- configure port <port id> ethernet dot1x
- radius-plcy <policy name>
- port-control auto
- per-host-authentication
- allowed-source-macs <mac address>
- no shutdown