
The 802.1x authentication server does not configure the LAN access switchport to place the VVoIP or VTC traffic (and data traffic if applicable) in the correct VLAN when authorizing LAN access for VVoIP or VTC endpoints OR the LAN access switchport is NOT configured to do so by default.


Overview

Finding ID: V-19654
Version: VVoIP 5310 (LAN)
Rule ID: SV-21795r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
802.1x has the capability of configuring the LAN access switchport to assign a VLAN or apply filtering rules based upon the device that was just authenticated. This is done via the “success” message sent from the authentication server back to the authenticator (LAN switch). General VVoIP and VTC requirements dictate that traffic from these devices is to be separated from the general LAN traffic and workstations by VLAN and IP address separation or segregation. An implementation of 802.1x within the LAN must support this requirement. As such, the authentication server must provide the LAN switch with the proper VLAN configuration depending upon the device that is authenticated. For example, if all LAN ports are configured to use 802.1x LAN access control, and (as the typical case would be) are configured as disabled until a device authenticates, each port must support the authentication of a general workstation (a data device), a VVoIP endpoint, or a VTC endpoint. If a workstation authenticates, the switchport must be configured with the data VLAN. If a VVoIP endpoint authenticates, the switchport must be configured with the VVoIP VLAN. The same applies to a VTC endpoint. If a VVoIP endpoint that contains a PC port authenticates, the switchport must be configured with the VVoIP VLAN to receive the VVoIP traffic AND must be configured with the data VLAN to receive traffic from the PC port. Alternately, the switchport must be preconfigured for whatever device is expected to connect while in standby and implement that configuration when activated. The latter, however, is not how this is typically configured.
STIG: Voice/Video over Internet Protocol STIG
Date: 2015-01-05

Details

Check Text ( C-24006r1_chk )
Interview the IAO to confirm compliance with the following requirement:
In the event the VVoIP or VTC endpoints and LAN access switchports are configured to use 802.1x, ensure the authentication server configures the LAN access switchport to place the VVoIP or VTC traffic (and data traffic if applicable) in the correct VLAN for the service unless the LAN access switchport is configured to do so by default.

NOTE: While other requirements may preclude the use of a VVoIP or VTC endpoint with an available and usable PC port, this requirement includes placing data traffic in the “untagged traffic” (data) VLAN defined on the switch along with placing VVoIP traffic in the VVoIP VLAN or VTC traffic in the VTC (or VVoIP) VLAN as applicable.

This is a finding in the event the 802.1x implementation is not configured to properly support the required VVoIP / VTC / data VLAN separation.
Fix Text (F-20358r1_fix)
In the event the VVoIP or VTC endpoints and LAN access switchports are configured to use 802.1x, ensure the authentication server configures the LAN access switchport to place the VVoIP or VTC traffic (and data traffic if applicable) in the correct VLAN for the service or ensure the LAN access switchport is configured to do so by default when it is activated.

An example follows:
If all LAN ports are configured to use 802.1x LAN access control (as the typical case would be), and are configured as disabled until a device authenticates, each port must support the authentication of a general workstation (a data device), a VVoIP endpoint, or a VTC endpoint. If a workstation authenticates, the switchport must be configured with the data VLAN. If a VVoIP endpoint authenticates, the switchport must be configured with the VVoIP VLAN. The same applies to a VTC endpoint. If a VVoIP endpoint that contains a PC port authenticates, the switchport must be configured with the VVoIP VLAN to receive the VVoIP traffic AND must be configured with the data VLAN to receive traffic from the PC port.

NOTE: If a VVoIP or VTC endpoint provides a PC port, and the PC port is disabled (as required) because the 802.1x implementation cannot control LAN access via the PC port once the endpoint is authorized, the required configuration for the LAN access switchports is to configure the appropriate VLAN for the VVoIP or VTC traffic (as required) as well as configuring the “unused” VLAN for the disabled PC port (as required).
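The following is an added example, not part of this STIG, that models the check described in the Description, Fix Text and NOTE above: it encodes which VLANs a port must end up in for each authenticated device class and PC-port state, applies a RADIUS Access-Accept (RFC 3580 dynamic-VLAN attributes: Tunnel-Type 13, Tunnel-Medium-Type 6, Tunnel-Private-Group-ID) over the port's default VLANs, and reports a finding when the result is wrong. The VLAN numbers, the sample ports, and the use of a Cisco-style "device-traffic-class=voice" av-pair to mark the assignment as the voice VLAN are assumptions; how a vendor maps the tunnel attributes onto voice versus data VLAN differs by platform.

```python
# Constructed VLAN plan for this example (not from the STIG).
VLANS = {"data": 10, "vvoip": 110, "vtc": 120, "unused": 999}
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6   # RFC 3580 values
VOICE_MARK = "device-traffic-class=voice"          # assumed Cisco av-pair

def required_vlans(device_class, pc_port="none"):
    """VLANs the port must carry once this device is authorized.
    pc_port: 'none', 'enabled' (data VLAN needed) or 'disabled' (unused VLAN).
    None means this requirement does not constrain that VLAN."""
    if device_class == "workstation":
        return {"voice": None, "data": VLANS["data"]}
    if device_class not in ("vvoip", "vtc"):
        raise ValueError(f"unknown device class {device_class!r}")
    data = {"enabled": VLANS["data"], "disabled": VLANS["unused"]}.get(pc_port)
    return {"voice": VLANS[device_class], "data": data}

def effective_vlans(accept_attrs, port_defaults):
    """Port state after the Access-Accept is applied over the port defaults.
    The tunnel attributes set the voice VLAN when the voice mark is present,
    otherwise the data VLAN (vendor-specific behaviour; an assumption here)."""
    state = dict(port_defaults)
    if (accept_attrs.get("Tunnel-Type") == TUNNEL_TYPE_VLAN
            and accept_attrs.get("Tunnel-Medium-Type") == TUNNEL_MEDIUM_IEEE802
            and "Tunnel-Private-Group-ID" in accept_attrs):
        is_voice = VOICE_MARK in accept_attrs.get("cisco-av-pair", [])
        state["voice" if is_voice else "data"] = int(accept_attrs["Tunnel-Private-Group-ID"])
    return state

def audit_port(name, device_class, pc_port, accept_attrs, port_defaults):
    """Return a finding string, or None when the port lands in the right VLANs."""
    need = required_vlans(device_class, pc_port)
    have = effective_vlans(accept_attrs, port_defaults)
    wrong = [f"{k} VLAN is {have.get(k)} (expected {v})"
             for k, v in need.items() if v is not None and have.get(k) != v]
    return None if not wrong else f"{name}: {device_class} authorized but " + ", ".join(wrong)

# Constructed sample: a compliant VVoIP phone with a disabled PC port, and a
# workstation whose Access-Accept carried no VLAN and whose port default is wrong.
SAMPLE = [
    ("Gi1/0/1", "vvoip", "disabled",
     {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "110",
      "cisco-av-pair": [VOICE_MARK]}, {"voice": None, "data": 999}),
    ("Gi1/0/2", "workstation", "none", {}, {"voice": None, "data": 999}),
]

def findings(sample=SAMPLE):
    """Audit every sampled port; an empty list means no finding."""
    return [f for f in (audit_port(*row) for row in sample) if f]
```

The second sample port shows the case the requirement is aimed at: the server sent no VLAN and the port default did not cover it, so neither path placed the workstation in the data VLAN.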