Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-18555 | NET-NAC-001 | SV-20099r1_rule | Medium |
Description |
---|
When policy assessment and remediation have been implemented and the advanced AAA server dynamic VLAN is mis-configured, logical separation of the production VLAN may not be assured. Non-trusted resources are resources that are not authenticated in a NAC solution implementing only the authentication component of NAC. Non-trusted resources could become resources that have been authenticated but have not had a successful policy assessment when the automated policy assessment component has been implemented. |
STIG | Date |
---|---|
Network Devices Security Technical Implementation Guide | 2017-12-07 |
Check Text ( C-21582r1_chk ) |
---|
Review the AAA server configuration. Have the SA display the policy groups. Have the SA display the vlan configuration. VLANs will be defined under Tunnel-Pvt-Group-ID with a tunnel type of VLAN. The dynamic VLAN definitions will have a IP pool assignment. Ensure the Production VLAN does not share the same AAA IP pool . Then verify the subnets used in other pools are not the same as the production. |
Fix Text (F-19171r1_fix) |
---|
Build different IP pools. Use different IP subnets for each pool. |