Rule ID
SV-284583r1244872_rule
Version
V1R1
CCIs
Automated policy assessments must reflect the organization's current security policy so entry control decisions will happen only where remote endpoints meet the organization's security requirements. If the remote endpoints are allowed to connect to the organization's network without passing minimum-security controls, they become a threat to the entire network. Organizational policy must be established for what the NAC will check on the host for the agent and agentless. Use a NAC system security plan (SSP) to assess compliance with the requirement since each SSP item must be configured.
In the Ivanti Policy Secure Web UI, navigate to Users >> User Realms >> User Authentication Realms. Under the "Certificate" tab, verify the radio button for "Only allow users with a client-side certificate signed by Trusted Client CAs to sign in" is on. If the system is not configured to confirm endpoint policy assessment proceeds only after the endpoint attempting access has been identified using an approved identification method, this is a finding.
Configure the Host Checker: 1. In the Ivanti Policy Secure Web UI, navigate to Authentication >> Endpoint Security >>Host Checker. 2. Under the "Certificate" tab, select "Only allow users with a client-side certificate signed by Trusted Client CAs to sign in". Configure the User Authentication Realm: 1. In the Ivanti Policy Secure Web UI, navigate to Users >> User Realms >> User Authentication Realms. Note: By default, there are default Authentication Realms to include Users and various Guest realms. 2. Under the "General" tab, create a new user realm or modify the default "User" to use certificate login for authentication with a User/Directory/Attribute. 3. Under the "Certificate" tab, select the radio button for "Only allow sign-in by users with a client-side certificate signed by Trusted Client CAs". 4. Click the "Host checker" tab, then associate a policy and set as "Required & Enforced". 5. Select the "Role mapping" tab and create a rule assessing condition and assign a specific role.