STIGQter: STIG Summary: Voice Video Services Policy Security Technical Implementation Guide Version: 3 Release: 17 Benchmark Date: 25 Oct 2019:

The access switch must only allow a maximum of one registered MAC address per access port, except when the Voice Video Endpoint has an enabled PC port.

DISA Rule

SV-21793r4_rule

Vulnerability Number

V-19652

Group Title

VVoIP 5300

Rule Version

VVoIP 5300

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Implement and document that the access switch allows only a maximum of one registered MAC address per access port, except when the Voice Video Endpoint has an enabled PC port.

When 802.1x is implemented on the access switch port, the host mode may be set to single-host (the default), multi-domain (for Voice Video Endpoints with a PC port), or multi-auth (each PC connected to a hub must authenticate). Multi-host mode, in which only one host has to authenticate and other PCs connected to the same hub can piggyback on that authenticated session, is not permitted.

When static MAC addresses are used, configure the attached Voice Video Endpoint with the PC port disabled. See the Voice Video Endpoint SRG for additional information.

Check Contents

Review the site documentation to confirm that the access switch allows only a maximum of one registered MAC address per access port, except when the Voice Video Endpoint has an enabled PC port.

Verify that each access switch port supporting Voice Video Endpoints is configured for 802.1x. The 802.1x host mode may be set to single-host (the default), multi-domain (for Voice Video Endpoints with a PC port), or multi-auth (each PC connected to a hub must authenticate). Multi-host mode, in which only one host has to authenticate and other PCs connected to the same hub can piggyback on that authenticated session, is not permitted.

If the 802.1x access port is configured host mode as multi-host, this is a finding.

If the 802.1x access port is configured single-host (the default), multi-domain (for Voice Video Endpoints with a PC port), or multi-auth (each PC connected to a hub must authenticate), this is not a finding.

If the static access port is connected to a Voice Video Endpoint with an enabled PC port, this is a finding.

If the static access port is connected to a Voice Video Endpoint with more than one registered MAC address, this is a finding.
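As an added example (not part of the STIG or of the STIGQter page), the 802.1x host-mode and static MAC-limit checks above can be run against a saved switch running-config rather than by eye. The script assumes Cisco IOS-style syntax (`authentication host-mode ...`, `authentication port-control auto`, `switchport port-security maximum ...`), which the STIG does not mandate; the sample configuration, interface names and MAC addresses are constructed. The "enabled PC port on a static port" condition cannot be read from the switch config and remains a documentation and physical check.

```python
import re
from typing import Dict, List

# Constructed sample running-config in Cisco IOS-style syntax (an assumption;
# the STIG names no vendor). Interface names and settings are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description Endpoint with PC port - 802.1x multi-domain
 switchport mode access
 switchport voice vlan 200
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 description Hub behind endpoint - piggybacking allowed
 switchport mode access
 authentication host-mode multi-host
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 description Endpoint, PC port disabled - single-host default
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/4
 description Static endpoint - too many MACs allowed
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address 0011.2233.4455
!
interface GigabitEthernet1/0/5
 description Static endpoint - default limit of one MAC
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0011.2233.4466
!
"""

# Host modes the STIG accepts; multi-host is the one it forbids.
ALLOWED_HOST_MODES = {"single-host", "multi-domain", "multi-auth"}


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the indented lines of each 'interface X' stanza under its name."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global line ends the stanza
    return interfaces


def evaluate_port(lines: List[str]) -> str:
    """Return 'finding', 'not a finding' or 'n/a' for one interface."""
    if "switchport mode access" not in lines:
        return "n/a"  # trunks and uplinks are outside this check
    if any(l.startswith("authentication port-control auto") for l in lines):
        host_mode = "single-host"  # IOS default when no host-mode line is present
        for l in lines:
            m = re.match(r"authentication host-mode (\S+)", l)
            if m:
                host_mode = m.group(1)
        return "not a finding" if host_mode in ALLOWED_HOST_MODES else "finding"
    # Static (port-security) port: more than one registered MAC is a finding.
    max_macs = 1  # port-security default maximum
    for l in lines:
        m = re.match(r"switchport port-security maximum (\d+)", l)
        if m:
            max_macs = int(m.group(1))
    return "not a finding" if max_macs <= 1 else "finding"


def audit(config: str) -> Dict[str, str]:
    """Map every interface in the config to its VVoIP 5300 result."""
    return {name: evaluate_port(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, result in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {result}")
```

Feed it the output of `show running-config` and pair each "finding" with the site documentation; a static port that passes the MAC limit here still fails the STIG if the attached endpoint's PC port is enabled.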

Documentable

False

Severity Override Guidance

Review the site documentation to confirm that the access switch allows only a maximum of one registered MAC address per access port, except when the Voice Video Endpoint has an enabled PC port.

Verify that each access switch port supporting Voice Video Endpoints is configured for 802.1x. The 802.1x host mode may be set to single-host (the default), multi-domain (for Voice Video Endpoints with a PC port), or multi-auth (each PC connected to a hub must authenticate). Multi-host mode, in which only one host has to authenticate and other PCs connected to the same hub can piggyback on that authenticated session, is not permitted.

If the 802.1x access port is configured host mode as multi-host, this is a finding.

If the 802.1x access port is configured single-host (the default), multi-domain (for Voice Video Endpoints with a PC port), or multi-auth (each PC connected to a hub must authenticate), this is not a finding.

If the static access port is connected to a Voice Video Endpoint with an enabled PC port, this is a finding.

If the static access port is connected to a Voice Video Endpoint with more than one registered MAC address, this is a finding.

Check Content Reference

M

Target Key

594

Comments