STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated just now
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Nokia Service Router OS 25.x Layer 2 Switch Security Technical Implementation Guide

V-283678

CAT I (High)

The Nokia layer 2 switch must uniquely identify all network-connected endpoint devices before establishing any connection.

Rule ID

SV-283678r1204062_rule

STIG

Nokia Service Router OS 25.x Layer 2 Switch Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000778CCI-001958

Discussion

Controlling local area network (LAN) access via 802.1x authentication can help prevent a malicious user from connecting an unauthorized personal computer to a switch port to inject or receive data from the network without detection. Satisfies: SRG-NET-000148-L2S-000015, SRG-NET-000343-L2S-000016

Check Content

Verify Nokia router configuration has 802.1x authentication implemented for all access switch ports connecting to LAN outlets (i.e., RJ-45 wall plates) or devices not located in the telecom room, wiring closets, or equipment rooms. The 802.1x authentication is not required for switch ports connected to devices that do not support an 802.1x supplicant.

For 7750 nodes, use the command below to verify dot1x "Authentication" status and list of "Allowed hosts" and "Disallowed hosts" is correct:

- show system security dot1x

Verify dot1x is enabled and configured for each port:

- show port 1/1/c3/10 dot1x

802.1x Port Status

Port control            : auto
Port status             : authorized
Authenticator PAE state : authenticated
Backend state           : idle
Reauth enabled          : no           Reauth period         : N/A
Max auth requests       : 2            Transmit period       : 30
Supplicant timeout      : 30           Server timeout        : 30
Quiet period            : 60
Radius policy           : test
Radius server plcy auth : N/A
Radius server plcy acct : N/A
Untagged tunneling      : false
Dot1q tunneling         : true
Qinq tunneling          : true
Per-host authentication : enabled
MAC-based authentication: disabled
Authenticator Initiation: true
Allowed hosts           : 1 (max 100)
Disallowed hosts        : 1
Admin-state             : enabled

If 802.1x authentication is not configured on all access switch ports connecting to LAN outlets or devices not located in the telecom room, wiring closets, or equipment rooms, this is a finding.

Fix Text

Configure 802.1 x authentications on all host-facing access switch ports. To authenticate devices that do not support 802.1x, Media Access Control (MAC) Authentication Bypass must be configured.

Configure dot1x radius policy:

- exit all
- configure system security dot1x radius-plcy <policy name> create
- server <server index> address <server ip address> secret <secret key>
- source-address <source address of the radius packet>
- no shutdown

Configure port dot1x authentication parameters:

- configure port <port id> ethernet dot1x 
- radius-plcy <policy name>
- port-control auto
- per-host-authentication 
- allowed-source-macs <mac address>
- no shutdown