STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 3 hours ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Ivanti Policy Secure NAC Security Technical Implementation Guide

V-284583

CAT II (Medium)

The Ivanti Policy Secure NAC must be configured to only allow users with a client-side certificate signed by Trusted Client Certificate Authorities (CAs) to sign in.

Rule ID

SV-284583r1244872_rule

STIG

Ivanti Policy Secure NAC Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000213

Discussion

Automated policy assessments must reflect the organization's current security policy so entry control decisions will happen only where remote endpoints meet the organization's security requirements. If the remote endpoints are allowed to connect to the organization's network without passing minimum-security controls, they become a threat to the entire network. Organizational policy must be established for what the NAC will check on the host for the agent and agentless. Use a NAC system security plan (SSP) to assess compliance with the requirement since each SSP item must be configured.

Check Content

In the Ivanti Policy Secure Web UI, navigate to Users >> User Realms >> User Authentication Realms.

Under the "Certificate" tab, verify the radio button for "Only allow users with a client-side certificate signed by Trusted Client CAs to sign in" is on.

If the system is not configured to confirm endpoint policy assessment proceeds only after the endpoint attempting access has been identified using an approved identification method, this is a finding.

Fix Text

Configure the Host Checker: 
1. In the Ivanti Policy Secure Web UI, navigate to Authentication >> Endpoint Security >>Host Checker.
2. Under the "Certificate" tab, select "Only allow users with a client-side certificate signed by Trusted Client CAs to sign in".

Configure the User Authentication Realm:
1. In the Ivanti Policy Secure Web UI, navigate to Users >> User Realms >> User Authentication Realms.
Note: By default, there are default Authentication Realms to include Users and various Guest realms.
2. Under the "General" tab, create a new user realm or modify the default "User" to use certificate login for authentication with a User/Directory/Attribute.
3. Under the "Certificate" tab, select the radio button for "Only allow sign-in by users with a client-side certificate signed by Trusted Client CAs".
4. Click the "Host checker" tab, then associate a policy and set as "Required & Enforced".
5. Select the "Role mapping" tab and create a rule assessing condition and assign a specific role.