The Dell OS10 Switch must uniquely identify all network-connected endpoint devices before establishing any connection.

Severity: high
Group ID: V-269953
Group Title: SRG-NET-000148-L2S-000015
Version: OS10-L2S-000020
Rule ID: SV-269953r1052245_rule
Date: 2024-12-11
STIG Version: 1
Description
Controlling LAN access via 802.1x authentication can assist in preventing a malicious user from connecting an unauthorized PC to a switch port to inject or receive data from the network without detection. Satisfies: SRG-NET-000148-L2S-000015, SRG-NET-000343-L2S-000016
ℹ️ Check
Verify if the switch configuration has 802.1x authentication implemented for all access switch ports connecting to LAN outlets (i.e., RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms.

Verify that 802.1x authentication is enabled globally by reviewing the configuration for the presence of:

    dot1x system-auth-control

Verify that 802.1x authentication is enabled on the host-facing access interfaces by looking for the following two dot1x settings:

    !
    interface ethernet1/1/3
     dot1x port-control auto
     dot1x re-authentication

If 802.1x authentication is not configured on all access switch ports connecting to LAN outlets or devices not located in the telecom room, wiring closets, or equipment rooms, this is a finding.
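One way to automate this check against a saved running configuration, as an added example that is not part of the STIG or of Dell's tooling. The sample configuration is constructed, and the list of host-facing ports is an assumption the reviewer must supply, since the configuration alone does not say which ports serve LAN outlets.

```python
import re

GLOBAL = "dot1x system-auth-control"
REQUIRED = ("dot1x port-control auto", "dot1x re-authentication")

# Constructed sample running-config (not taken from a real switch).
SAMPLE = """\
dot1x system-auth-control
!
interface ethernet1/1/3
 dot1x port-control auto
 dot1x re-authentication
!
interface ethernet1/1/4
 dot1x port-control auto
!
interface ethernet1/1/5
 no shutdown
!
"""

def parse_interfaces(config):
    """Map each 'interface <name>' stanza to the set of its indented settings."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = stanzas.setdefault(m.group(1), set())
        elif line == "!" or (line and not raw[0].isspace()):
            current = None  # separator or new top-level command ends the stanza
        elif current is not None and line:
            current.add(line)
    return stanzas

def audit(config, host_ports):
    """Return findings for the global and per-port checks; empty means pass."""
    findings = []
    if GLOBAL not in (l.strip() for l in config.splitlines()):
        findings.append(f"global: missing '{GLOBAL}'")
    stanzas = parse_interfaces(config)
    for port in host_ports:  # host_ports: reviewer-supplied list (assumption)
        if port not in stanzas:
            findings.append(f"{port}: no interface stanza found")
            continue
        findings += [f"{port}: missing '{r}'" for r in REQUIRED if r not in stanzas[port]]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, ["ethernet1/1/3", "ethernet1/1/4", "ethernet1/1/5"])))
```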
✔️ Fix
Configure 802.1x authentication on all host-facing access switch ports.

Configure RADIUS for 802.1x authentication:

    OS10(config)# radius-server host 10.10.1.200 key my-shared-secret
    OS10(config)# radius-server retransmit 10
    OS10(config)# radius-server timeout 10

Enable 802.1x globally in CONFIGURATION mode:

    OS10(config)# dot1x system-auth-control

Enable 802.1x on the host-facing access interfaces:

    OS10(config)# interface range ethernet 1/1/2-1/1/48
    OS10(conf-rangeeth1/1/2-1/1/48)# dot1x port-control auto
    OS10(conf-rangeeth1/1/2-1/1/48)# dot1x re-authentication