SV-21795r3_rule
V-19654
VVoIP 5310
VVoIP 5310
CAT II
10
Implement and document that the 802.1x authentication server places data and voice video traffic in the correct VLANs when authorizing LAN access for voice video endpoints.
Review site documentation to confirm the 802.1x authentication server places voice video traffic in the correct VLAN when authorizing LAN access for voice video endpoints. When the network access control implementation uses 802.1x and the network access switch ports are configured as 802.1x authenticators, ensure the voice video endpoints integrate into the 802.1x access control system.
If the 802.1x authentication server does not place data and voice video traffic in the correct VLANs when authorizing LAN access for voice video endpoints, this is a finding.
An example follows:
If all LAN ports are configured to use 802.1x LAN access control (as is typically the case) and are configured as disabled until a device authenticates, each port must support the authentication of either a general workstation (a data device) or a voice video endpoint.
If a workstation authenticates, the switch port must be configured with the data VLAN. If a VVoIP endpoint authenticates, the switch port must be configured with the VVoIP VLAN. If a video conference endpoint authenticates, the switch port must be configured with the video conference VLAN. When a VVoIP endpoint that contains a PC port authenticates, the switch port must be configured with the VVoIP VLAN to receive the VVoIP traffic AND must be configured with the data VLAN to receive traffic from the PC port.
When a voice video endpoint provides a PC port, and the PC port is disabled (as required) because the 802.1x implementation cannot control LAN access via the PC port once the endpoint is authorized, the network access switch port must be configured with the appropriate VLAN for the voice video traffic (as required) and with the “unused” VLAN for the disabled PC port (as required).
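The VLAN placement described above, modelled in code as an added example that is not part of the STIG text: the VLAN IDs, the `Endpoint` type and the `check_finding` audit helper are constructed assumptions. The attribute names follow RFC 3580 (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id); the voice marking is shown as a Cisco av-pair, which is an assumption about the switch vendor.

```python
from dataclasses import dataclass

# Constructed VLAN plan for an example site (assumption, not from the STIG).
VLANS = {"data": 10, "vvoip": 20, "video": 30, "unused": 999}


@dataclass(frozen=True)
class Endpoint:
    kind: str                    # "workstation", "vvoip" or "video"
    has_pc_port: bool = False    # VVoIP endpoint with a built-in PC port
    pc_port_enabled: bool = False


def expected_vlans(ep: Endpoint) -> dict:
    """VLANs the switch port must carry once this endpoint authenticates,
    following the rule's cases: data, VVoIP, video conference, and a VVoIP
    endpoint whose PC port is either in use (data VLAN) or disabled ("unused")."""
    if ep.kind == "workstation":
        return {"access": VLANS["data"]}
    if ep.kind == "video":
        return {"access": VLANS["video"]}
    if ep.kind == "vvoip":
        if not ep.has_pc_port:
            return {"voice": VLANS["vvoip"]}
        access = VLANS["data"] if ep.pc_port_enabled else VLANS["unused"]
        return {"voice": VLANS["vvoip"], "access": access}
    raise ValueError(f"unknown endpoint kind {ep.kind!r}")


def radius_attributes(vlans: dict) -> dict:
    """RADIUS Access-Accept attributes the authentication server would return.
    Tunnel-Private-Group-Id carries the access VLAN (RFC 3580); the Cisco av-pair
    only marks the device as voice, so the switch admits it to the voice VLAN
    configured on the port (vendor-specific assumption)."""
    attrs = {}
    if "access" in vlans:
        attrs.update({"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                      "Tunnel-Private-Group-Id": str(vlans["access"])})
    if "voice" in vlans:
        attrs["Cisco-AVPair"] = "device-traffic-class=voice"
    return attrs


def check_finding(ep: Endpoint, observed: dict) -> list:
    """Audit helper: compare the VLANs actually assigned after authentication
    with what the rule requires. A non-empty list is a finding."""
    expected = expected_vlans(ep)
    return [f"{role} VLAN is {observed.get(role)}, expected {expected.get(role)}"
            for role in ("access", "voice")
            if expected.get(role) != observed.get(role)]
```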
V-19654
False
VVoIP 5310
M
Information Assurance Officer
594