The 802.1x authentication server must place VVoIP and VTC traffic in the correct VLAN when authorizing LAN access for VVoIP and VTC endpoints.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-19654	VVoIP 5310	SV-21795r2_rule		Medium

Description
802.1x has the capability of configuring the network access switch port to assign a VLAN or apply filtering rules based upon the device that was just authenticated. This is done via the “success” message sent from the authentication server back to the authenticator. General VVoIP and VTC requirements dictate that traffic from these devices are to be separated from the general LAN traffic and workstations by VLAN and IP address separation or segregation. An implementation of 802.1x within the LAN must support this requirement. As such the authentication server must provide the LAN switch with the proper VLAN configuration depending upon the device that is authenticated. For example, if all LAN ports are configured to use 802.1x LAN access control, and (as the typical case would be) are configured as disabled until a device authenticates, each port must support the authentication of a general workstation (a data device) or a VVoIP endpoint, or a VTC endpoint. If a workstation authenticates, the switch port must be configured with the data VLAN. If a VVoIP endpoint authenticates, the switch port must be configured with the VVoIP VLAN. VTC endpoints must be similarly configured. If a VVoIP endpoint that contains a PC port authenticates, the switch port must be configured with the VVoIP VLAN to receive the VVoIP traffic AND must be configured with the data VLAN to receive traffic from the PC port. Alternately, the switch port must be preconfigured for whatever device is expected to connect while in standby and implement the configuration when activated. This latter, however, is not how this is typically configured.

Description

802.1x has the capability of configuring the network access switch port to assign a VLAN or apply filtering rules based upon the device that was just authenticated. This is done via the “success” message sent from the authentication server back to the authenticator. General VVoIP and VTC requirements dictate that traffic from these devices are to be separated from the general LAN traffic and workstations by VLAN and IP address separation or segregation. An implementation of 802.1x within the LAN must support this requirement. As such the authentication server must provide the LAN switch with the proper VLAN configuration depending upon the device that is authenticated. For example, if all LAN ports are configured to use 802.1x LAN access control, and (as the typical case would be) are configured as disabled until a device authenticates, each port must support the authentication of a general workstation (a data device) or a VVoIP endpoint, or a VTC endpoint. If a workstation authenticates, the switch port must be configured with the data VLAN. If a VVoIP endpoint authenticates, the switch port must be configured with the VVoIP VLAN. VTC endpoints must be similarly configured. If a VVoIP endpoint that contains a PC port authenticates, the switch port must be configured with the VVoIP VLAN to receive the VVoIP traffic AND must be configured with the data VLAN to receive traffic from the PC port. Alternately, the switch port must be preconfigured for whatever device is expected to connect while in standby and implement the configuration when activated. This latter, however, is not how this is typically configured.

STIG	Date
Voice/Video over Internet Protocol (VVoIP) STIG	2016-06-28

Details

Check Text ( C-24006r2_chk )
Review site documentation to confirm the 802.1x authentication server places VVoIP and VTC traffic in the correct VLAN when authorizing LAN access for VVoIP and VTC endpoints. When the network access control implementation uses 802.1x and the network access switch ports are configured as 802.1x authenticators, ensure the VVoIP and VTC endpoints integrate into the 802.1x access control system. If the 802.1x authentication server does not place data, VVoIP, and VTC traffic in the correct VLANs when authorizing LAN access for VVoIP and VTC endpoints, this is a finding. An example follows: If all LAN ports are configured to use 802.1x LAN access control (as the typical case would be), and are configured as disabled until a device authenticates, each port must support the authentication of a general workstation (a data device) or a VVoIP endpoint, or a VTC endpoint. If a work station authenticates, the switch port must be configured with the data VLAN. If a VVoIP endpoint authenticates, the switch port must be configured with the VVoIP VLAN. If a VTC endpoint authenticates, the switch port must be configured with the VTC VLAN. When a VVoIP endpoint that contains a PC port authenticates, the switch port must be configured with the VVoIP VLAN to receive the VVoIP traffic AND must be configured with the data VLAN to receive traffic from the PC port. When a VVoIP or VTC endpoint provides a PC port, and the PC port is disabled (as required) because the 802.1x implementation cannot control LAN access via the PC port once the endpoint is authorized, the required configuration for the network access switch ports is to configure the appropriate VLAN for the VVoIP or VTC traffic (as required) as well as configuring the “unused” VLAN for the disabled PC port (as required).

Check Text ( C-24006r2_chk )

Review site documentation to confirm the 802.1x authentication server places VVoIP and VTC traffic in the correct VLAN when authorizing LAN access for VVoIP and VTC endpoints. When the network access control implementation uses 802.1x and the network access switch ports are configured as 802.1x authenticators, ensure the VVoIP and VTC endpoints integrate into the 802.1x access control system. If the 802.1x authentication server does not place data, VVoIP, and VTC traffic in the correct VLANs when authorizing LAN access for VVoIP and VTC endpoints, this is a finding.

An example follows:
If all LAN ports are configured to use 802.1x LAN access control (as the typical case would be), and are configured as disabled until a device authenticates, each port must support the authentication of a general workstation (a data device) or a VVoIP endpoint, or a VTC endpoint. If a work station authenticates, the switch port must be configured with the data VLAN. If a VVoIP endpoint authenticates, the switch port must be configured with the VVoIP VLAN. If a VTC endpoint authenticates, the switch port must be configured with the VTC VLAN. When a VVoIP endpoint that contains a PC port authenticates, the switch port must be configured with the VVoIP VLAN to receive the VVoIP traffic AND must be configured with the data VLAN to receive traffic from the PC port.

When a VVoIP or VTC endpoint provides a PC port, and the PC port is disabled (as required) because the 802.1x implementation cannot control LAN access via the PC port once the endpoint is authorized, the required configuration for the network access switch ports is to configure the appropriate VLAN for the VVoIP or VTC traffic (as required) as well as configuring the “unused” VLAN for the disabled PC port (as required).

Fix Text (F-20358r2_fix)
Implement and document the 802.1x authentication server places data, VVoIP, and VTC traffic in the correct VLANs when authorizing LAN access for VVoIP and VTC endpoints.