A VVoIP or VTC endpoint that provides a PC port typically breaks 802.1x LAN access control mechanisms. The reason is that the LAN access switchport is turned on or authorized (and configured) when the VVoIP or VTC endpoint authenticates to the network and is authorized to operate. This typically permits whatever is connected to the PC port to have access to the LAN, whether or not it is authorized and whether or not it uses 802.1x. As such, the practice of daisy chaining devices on a single LAN drop that is “protected” by 802.1x must be prohibited unless certain mitigating circumstances exist or are configured.

The normal mitigation for this situation is to not implement VVoIP or VTC endpoints that provide a PC port if 802.1x is implemented as the LAN access control method. In the event a PC port is provided, the mitigation is to disable the port. However, the 802.1x implementation must install the configuration on the LAN access switchport that is required to support a VVoIP or VTC endpoint with a disabled PC port. This means that the required configuration for the LAN access switchports is to configure the appropriate VLAN for the VVoIP or VTC traffic (as required) as well as configuring the “unused” VLAN for the disabled PC port (as required).

NOTE: The prohibition discussed here could be lifted (eliminated) in the event one of the following occurs:

1 - The LAN switchport can authorize access at the VLAN level and be reconfigured as additional devices are connected. That is, the switchport is activated and the VVoIP or VTC VLAN is configured/activated when the endpoint is authenticated/authorized, but the data VLAN for the PC port is set to the “unused” VLAN until the PC or other device is connected. When a device is connected to the PC port, it must then use 802.1x to gain access to the LAN. Once authenticated and authorized, the LAN switchport is reconfigured with the active data VLAN if a PC is connected. This process could, in theory, also support a VVoIP endpoint, a VTC endpoint, and a PC daisy chained on one LAN port if each was authenticated to the LAN one at a time in sequence from the LAN drop out.

2 - The VVoIP or VTC endpoint’s embedded switch and the PC port fully support 802.1x as an authenticator. That is, the PC port works like an 802.1x capable LAN access switchport and can be activated and deactivated (configured) by the 802.1x authentication server.
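
A configuration audit for the switchport settings described above, as an added example that is not part of the original text. It assumes Cisco IOS-style interface syntax, a site-chosen unused VLAN of 999, and constructed sample port stanzas; mapping the IOS host modes onto the cases above is this example's interpretation.

```python
import re
UNUSED_VLAN = 999  # assumption: the site's "unused" VLAN id

# Constructed sample config (Cisco IOS-style syntax, assumed for illustration)
SAMPLE = """\
interface Gi1/0/1
 switchport access vlan 999
 switchport voice vlan 110
 authentication port-control auto
interface Gi1/0/2
 switchport access vlan 20
 switchport voice vlan 110
 authentication host-mode multi-host
 authentication port-control auto
interface Gi1/0/3
 switchport access vlan 20
 switchport voice vlan 110
 authentication host-mode multi-domain
 authentication port-control auto
interface Gi1/0/4
 switchport access vlan 20
 switchport voice vlan 110
 authentication port-control auto
"""

def audit(config, unused_vlan=UNUSED_VLAN):
    """Return {interface: verdict} for 802.1X ports that carry a voice VLAN."""
    results = {}
    for stanza in re.split(r"^(?=interface )", config, flags=re.M):
        name = re.match(r"interface (\S+)", stanza)
        voice = re.search(r"switchport voice vlan (\d+)", stanza)
        if not (name and voice and "authentication port-control auto" in stanza):
            continue  # not an 802.1X-controlled VVoIP/VTC port
        mode = re.search(r"authentication host-mode (\S+)", stanza)
        mode = mode.group(1) if mode else "single-host"  # IOS default host mode
        data = re.search(r"switchport access vlan (\d+)", stanza)
        data_vlan = int(data.group(1)) if data else 1  # IOS default access VLAN
        if mode == "multi-host":
            verdict = "FAIL: endpoint's authentication opens the port to anything on its PC port"
        elif mode in ("multi-domain", "multi-auth"):
            verdict = "OK: device behind the endpoint must authenticate itself"
        elif data_vlan == unused_vlan:
            verdict = "OK: PC-port traffic lands in the unused VLAN"
        else:
            verdict = "FAIL: data VLAN %d is live; set it to unused VLAN %d" % (data_vlan, unused_vlan)
        results[name.group(1)] = verdict
    return results

if __name__ == "__main__":
    print("\n".join(f"{p}: {v}" for p, v in audit(SAMPLE).items()))
```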