The Nokia layer 2 switch must uniquely identify all network-connected endpoint devices before establishing any connection.

Severity
Group ID
Group Title
Version
Rule ID
Date
STIG Version
highV-283678SRG-NET-000148-L2S-000015NOKI-L2-000020SV-283678r1204062_rule2026-06-151

Description

Controlling local area network (LAN) access via 802.1x authentication can help prevent a malicious user from connecting an unauthorized personal computer to a switch port to inject or receive data from the network without detection. Satisfies: SRG-NET-000148-L2S-000015, SRG-NET-000343-L2S-000016

ℹ️ Check

Verify Nokia router configuration has 802.1x authentication implemented for all access switch ports connecting to LAN outlets (i.e., RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms. The 802.1x authentication is not required for switch ports connected to devices that do not support an 802.1x supplicant. For 7750 nodes, use the command below to verify dot1x "Authentication" status and list of "Allowed hosts" and "Disallowed hosts" is correct: - show system security dot1x Verify dot1x is enabled and configured for each port: - show port 1/1/c3/10 dot1x 802.1x Port Status Port control : auto Port status : authorized Authenticator PAE state : authenticated Backend state : idle Reauth enabled : no Reauth period : N/A Max auth requests : 2 Transmit period : 30 Supplicant timeout : 30 Server timeout : 30 Quiet period : 60 Radius policy : test Radius server plcy auth : N/A Radius server plcy acct : N/A Untagged tunneling : false Dot1q tunneling : true Qinq tunneling : true Per-host authentication : enabled MAC-based authentication: disabled Authenticator Initiation: true Allowed hosts : 1 (max 100) Disallowed hosts : 1 Admin-state : enabled If 802.1x authentication is not configured on all access switch ports connecting to LAN outlets or devices not located in the telecom room, wiring closets, or equipment rooms, this is a finding.

✔️ Fix

Configure 802.1 x authentications on all host-facing access switch ports. To authenticate devices that do not support 802.1x, Media Access Control (MAC) Authentication Bypass must be configured. Configure dot1x radius policy: - exit all - configure system security dot1x radius-plcy <policy name> create - server <server index> address <server ip address> secret <secret key> - source-address <source address of the radius packet> - no shutdown Configure port dot1x authentication parameters: - configure port <port id> ethernet dot1x - radius-plcy <policy name> - port-control auto - per-host-authentication - allowed-source-macs <mac address> - no shutdown