When 802.1x is implemented and VVoIP or VTC endpoints provide a PC port, the PC port must be an 802.1x authenticator, or be disabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-19655	VVoIP 5315	SV-21796r2_rule		Medium

Description
A VVoIP or VTC endpoint that provides a PC port typically breaks 802.1x LAN access control mechanisms. The cause is the network access switch port is enabled or authorized (and configured) when the VVoIP or VTC endpoint authenticates to the network and is authorized to operate. This may permit whatever is connected to the PC port to have access to the LAN even if it is not authorized or uses 802.1x. Therefore, the practice of daisy chaining devices on a single LAN drop protected by 802.1x must be prohibited unless certain mitigating circumstances exist, or are configured. In the event a PC port is provided, the mitigation is to disable the port. However, the 802.1x implementation must install the configuration on the network access switch port required to support a VVoIP or VTC endpoint with a disabled PC port. This means the required configuration for the network access switch ports is to configure the appropriate VLAN for the VVoIP or VTC traffic and configuring the unused VLAN for the disabled PC port.

Description

A VVoIP or VTC endpoint that provides a PC port typically breaks 802.1x LAN access control mechanisms. The cause is the network access switch port is enabled or authorized (and configured) when the VVoIP or VTC endpoint authenticates to the network and is authorized to operate. This may permit whatever is connected to the PC port to have access to the LAN even if it is not authorized or uses 802.1x. Therefore, the practice of daisy chaining devices on a single LAN drop protected by 802.1x must be prohibited unless certain mitigating circumstances exist, or are configured. In the event a PC port is provided, the mitigation is to disable the port. However, the 802.1x implementation must install the configuration on the network access switch port required to support a VVoIP or VTC endpoint with a disabled PC port. This means the required configuration for the network access switch ports is to configure the appropriate VLAN for the VVoIP or VTC traffic and configuring the unused VLAN for the disabled PC port.

STIG	Date
Voice/Video over Internet Protocol (VVoIP) STIG	2016-06-28

Details

Check Text ( C-24008r2_chk )
If the VVoIP or VTC endpoints do not contain a PC port, this is not applicable. Review site documentation to confirm that when 802.1x is implemented on the LAN and the VVoIP or VTC endpoints provide a PC port, the PC port is an 802.1x authenticator, or be disabled. If when 802.1x is implemented on the LAN and the VVoIP or VTC endpoints provide a PC port and the PC port is an 802.1x authenticator, this is not a finding. If the PC port is disabled, this is not a finding. If the VVoIP or VTC endpoint PC port and the network access switch port in combination act as an 802.1x authenticator and the 802.1x system provides control over the LAN access gained through the endpoint’s PC port, this is not a finding. Otherwise, this is a finding.

Check Text ( C-24008r2_chk )

If the VVoIP or VTC endpoints do not contain a PC port, this is not applicable.

Review site documentation to confirm that when 802.1x is implemented on the LAN and the VVoIP or VTC endpoints provide a PC port, the PC port is an 802.1x authenticator, or be disabled. If when 802.1x is implemented on the LAN and the VVoIP or VTC endpoints provide a PC port and the PC port is an 802.1x authenticator, this is not a finding. If the PC port is disabled, this is not a finding. If the VVoIP or VTC endpoint PC port and the network access switch port in combination act as an 802.1x authenticator and the 802.1x system provides control over the LAN access gained through the endpoint’s PC port, this is not a finding. Otherwise, this is a finding.

Fix Text (F-20359r2_fix)
Implement and document that when 802.1x is implemented and VVoIP or VTC endpoints provide a PC port, one of the following options must be in place: - The PC port is configured as an 802.1x authenticator - The PC port and the network access switch port in combination act as an 802.1x authenticator - The PC port is disabled