STIGQter: STIG Summary: Network Devices Security Technical Implementation Guide Version: 8 Release: 23 Benchmark Date: 25 Jan 2019: The production VLAN assigned from the AAA server contains IP segments not intended for untrusted resources.

DISA Rule

SV-20099r1_rule

Vulnerability Number

V-18555

Group Title

NET-NAC-001

Rule Version

NET-NAC-001

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Build different IP pools. Use different IP subnets for each pool.

Check Contents

Review the AAA server configuration. Have the SA display the policy groups. Have the SA display the VLAN configuration. VLANs will be defined under Tunnel-Pvt-Group-ID with a tunnel type of VLAN. The dynamic VLAN definitions will have an IP pool assignment. Ensure the production VLAN does not share its AAA IP pool with any other VLAN. Then verify that the subnets used in the other pools are not the same as the production subnet.
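The check above is a two-part comparison: no non-production VLAN may be handed the production IP pool, and no other pool may use the production subnet. The following script is an added example, not part of the STIG or of STIGQter, that automates that comparison over a policy-group listing. The listing here is constructed inline to stand in for the SA's "display the policy groups" output; the attribute names Tunnel-Type and Tunnel-Pvt-Group-ID come from the check, while `ip_pool` and `pool_subnet` are assumed field names for the pool assignment and would need to be mapped to whatever the real AAA server exports.

```python
import ipaddress

# Constructed sample standing in for an AAA policy-group export (hypothetical
# server; no real device data). Only groups with Tunnel-Type "VLAN" are in
# scope for NET-NAC-001; the production VLAN is identified by its
# Tunnel-Pvt-Group-ID value.
PRODUCTION_VLAN_ID = "100"
PRODUCTION_SUBNETS = ["10.10.0.0/16"]  # assumed production address space

POLICY_GROUPS = [
    {"name": "corp-users", "Tunnel-Type": "VLAN", "Tunnel-Pvt-Group-ID": "100",
     "ip_pool": "pool-prod", "pool_subnet": "10.10.50.0/24"},
    {"name": "guest-wifi", "Tunnel-Type": "VLAN", "Tunnel-Pvt-Group-ID": "200",
     "ip_pool": "pool-guest", "pool_subnet": "192.168.200.0/24"},
    # Finding: an untrusted VLAN handed the production pool by name
    {"name": "contractors", "Tunnel-Type": "VLAN", "Tunnel-Pvt-Group-ID": "300",
     "ip_pool": "pool-prod", "pool_subnet": "10.10.50.0/24"},
    # Finding: a separate pool whose subnet sits inside the production range
    {"name": "quarantine", "Tunnel-Type": "VLAN", "Tunnel-Pvt-Group-ID": "400",
     "ip_pool": "pool-quar", "pool_subnet": "10.10.99.0/24"},
    # Not a VLAN assignment, so outside this check's scope
    {"name": "vpn-users", "Tunnel-Type": "ESP", "Tunnel-Pvt-Group-ID": "",
     "ip_pool": "pool-vpn", "pool_subnet": "10.10.0.0/16"},
]


def audit_vlan_pools(groups, production_vlan_id, production_subnets):
    """Return (group name, reason) findings for NET-NAC-001.

    A non-production VLAN group is a finding if it is assigned the same pool
    as the production VLAN, or if its own pool's subnet overlaps a production
    subnet. Groups whose tunnel type is not VLAN are ignored.
    """
    prod_nets = [ipaddress.ip_network(s) for s in production_subnets]
    vlan_groups = [g for g in groups if g["Tunnel-Type"] == "VLAN"]
    # Every pool name the production VLAN itself uses
    prod_pools = {g["ip_pool"] for g in vlan_groups
                  if g["Tunnel-Pvt-Group-ID"] == production_vlan_id}

    findings = []
    for g in vlan_groups:
        if g["Tunnel-Pvt-Group-ID"] == production_vlan_id:
            continue  # the production VLAN is the reference, not a subject
        if g["ip_pool"] in prod_pools:
            findings.append((g["name"], f"shares production pool {g['ip_pool']}"))
            continue
        net = ipaddress.ip_network(g["pool_subnet"])
        for prod in prod_nets:
            if net.overlaps(prod):
                findings.append((g["name"],
                                 f"pool subnet {net} overlaps production {prod}"))
                break
    return findings


if __name__ == "__main__":
    for name, reason in audit_vlan_pools(POLICY_GROUPS, PRODUCTION_VLAN_ID,
                                         PRODUCTION_SUBNETS):
        print(f"FINDING {name}: {reason}")
```

The overlap test uses `ipaddress.ip_network.overlaps`, so a pool that is a sub-range of the production block (the "quarantine" case) is caught as well as an exact duplicate, which is what the fix recommendation's "different IP subnets for each pool" requires.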

Vulnerability Number

V-18555

Documentable

False

Rule Version

NET-NAC-001

Severity Override Guidance

Review the AAA server configuration. Have the SA display the policy groups. Have the SA display the VLAN configuration. VLANs will be defined under Tunnel-Pvt-Group-ID with a tunnel type of VLAN. The dynamic VLAN definitions will have an IP pool assignment. Ensure the production VLAN does not share its AAA IP pool with any other VLAN. Then verify that the subnets used in the other pools are not the same as the production subnet.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

535

Comments