
The production VLAN assigned from the AAA server contains IP segments not intended for untrusted resources.


Overview

Finding ID: V-18555
Version: NET-NAC-001
Rule ID: SV-20099r1_rule
IA Controls:
Severity: Medium
Description
When policy assessment and remediation have been implemented and the advanced AAA server's dynamic VLAN assignment is misconfigured, logical separation of the production VLAN may not be assured. In a NAC solution that implements only the authentication component, non-trusted resources are resources that have not been authenticated. Once the automated policy assessment component has also been implemented, non-trusted resources also include resources that have been authenticated but have not passed policy assessment.
STIG: Network Devices Security Technical Implementation Guide
Date: 2018-11-27

Details

Check Text (C-21582r1_chk)
Review the AAA server configuration. Have the SA display the policy groups. Have the SA display the VLAN configuration. VLANs will be defined under Tunnel-Pvt-Group-ID with a tunnel type of VLAN. Each dynamic VLAN definition will have an IP pool assignment. Ensure the production VLAN does not share the same AAA IP pool with any other VLAN. Then verify that the subnets used in the other pools are not the same as the production subnets.
Fix Text (F-19171r1_fix)
Build separate IP pools. Use a different IP subnet for each pool.
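The two conditions the check text asks the reviewer to confirm (no untrusted VLAN reuses the production pool, and no other pool's subnet is the same as or overlaps the production subnet) can be verified mechanically against an export of the policy groups. The following script is an added example and not part of the STIG; the policy-group table is constructed sample data, and the field names (group, tunnel_type, vlan, pools) are assumptions standing in for whatever the AAA server's export uses.

```python
import ipaddress

# Constructed sample export of AAA policy groups (not a real server dump).
# "vlan" stands in for the Tunnel-Pvt-Group-ID value, "tunnel_type" for the
# RADIUS tunnel type, and "pools" maps pool name -> assigned IP subnet.
SAMPLE_POLICY_GROUPS = [
    {"group": "prod-users", "tunnel_type": "VLAN", "vlan": 100,
     "pools": {"prod-pool": "10.10.0.0/22"}},
    {"group": "guest", "tunnel_type": "VLAN", "vlan": 900,
     "pools": {"guest-pool": "192.168.50.0/24"}},
    # Non-compliant: the quarantine group reuses the production pool outright.
    {"group": "quarantine", "tunnel_type": "VLAN", "vlan": 999,
     "pools": {"prod-pool": "10.10.0.0/22"}},
    # Non-compliant: a distinct pool whose subnet lies inside the production subnet.
    {"group": "contractor", "tunnel_type": "VLAN", "vlan": 200,
     "pools": {"contractor-pool": "10.10.2.0/24"}},
]


def find_pool_violations(groups, production_vlan):
    """Return (group, pool_name, reason) for every pool on a non-production
    dynamic VLAN that is shared with, or overlaps, a production pool.
    An empty list means the configuration satisfies the check."""
    prod = {}  # production pool name -> ip_network
    for g in groups:
        if g.get("tunnel_type") == "VLAN" and g["vlan"] == production_vlan:
            for name, cidr in g["pools"].items():
                prod[name] = ipaddress.ip_network(cidr, strict=False)

    findings = []
    for g in groups:
        if g.get("tunnel_type") != "VLAN" or g["vlan"] == production_vlan:
            continue  # only dynamic VLAN assignments are in scope for this rule
        for name, cidr in g["pools"].items():
            if name in prod:
                findings.append((g["group"], name, "shared production pool"))
                continue
            net = ipaddress.ip_network(cidr, strict=False)
            for pname, pnet in prod.items():
                if net.overlaps(pnet):  # catches identical and nested subnets
                    findings.append((g["group"], name,
                                     f"subnet {net} overlaps production pool {pname} ({pnet})"))
    return findings


if __name__ == "__main__":
    for group, pool, reason in find_pool_violations(SAMPLE_POLICY_GROUPS, 100):
        print(f"FINDING: group {group!r} pool {pool!r}: {reason}")
```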