STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 3 hours ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Ivanti Policy Secure AAA Services Security Technical Implementation Guide

V-284441

CAT II (Medium)

The Ivanti Policy Secure must be configured to use secure Extensible Authentication Protocol (EAP).

Rule ID

SV-284441r1244816_rule

STIG

Ivanti Policy Secure AAA Services Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000366

Discussion

Several methods exist to secure 802.1x communications. EAP is a framework supporting multiple methods (e.g., EAP-TLS, EAP-TTLS, LEAP). PEAP is a specific, widely used EAP method that encapsulates other methods within a TLS tunnel. EAP methods, like EAP-TLS, use digital certificates for authentication while PEAP typically uses username/password credentials (PEAP-MSCHAPv2). EAP-TLS is considered superior because it eliminates password-based risks like phishing. PEAP is easier to deploy as it only requires a certificate on the server side. EAP-TLS requires a PKI to manage certificates for every device. Lightweight EAP (LEAP) is a Cisco proprietary protocol providing an easy-to-deploy, one-password authentication. LEAP is vulnerable to dictionary attacks. A "man in the middle" can capture traffic, identify a password, and then use it to access a network. LEAP is inappropriate and does not provide sufficient security for use on DoW networks. EAP-MD5 is functionally similar to CHAP and is susceptible to eavesdropping because the password credentials are sent as a hash (not encrypted). In addition, server administrators would be required to store unencrypted passwords on their servers, thus violating other security policies. EAP-MD5 is inappropriate and does not provide sufficient security for use on DoW networks. EAP-TLS is the most secure, and the preferred method in the DoW. EAP-TTLS only uses certificates on the server side and should be avoided. PEAP was previously the preferred EAP type used in DoW for its ability to support a greater number of operating systems but should also be avoided in favor of EAP-TLS.

Check Content

1. In the Web UI, navigate to Signing In >> Authentication Protocol Sets.
2. View the protocol sets for 802.1X and Cert Auth.

If an EAP method is listed other than EAP-TLS, this is a finding.

Fix Text

1. In the Web UI, navigate to Signing In >> Authentication Protocol Sets.
2. From the global view, view the protocol sets for 802.1X and Cert Auth.
3. Configure EAP-TLS.