STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 3 hours ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Ivanti Policy Secure NAC Security Technical Implementation Guide

V-284586

CAT II (Medium)

The Ivanti Policy Secure NAC must be configured to redirect endpoints to a logically separate VLAN for remediation services for endpoints that require automated remediation.

Rule ID

SV-284586r1244873_rule

STIG

Ivanti Policy Secure NAC Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000213CCI-002190

Discussion

Automated and manual procedures for remediation for critical security updates are managed differently. Continuing to assess and remediate endpoints with risks that could endanger the network could impact network usage for all users. This isolation prevents traffic from flowing with traffic from endpoints that have been fully assessed and authorized. This solution provides a mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, the system may become compromised. Information flow control regulates where information is allowed to travel within a system and between interconnected systems. Security attributes may be used to manage information flow control. Unauthenticated devices must not be allowed to connect to remediation services. The Ivanti IPS and client does not need to provide IP transport for evaluation and remediation. However, using this Check and Fix text works as well. This requirement also applies to Zero Trust initiatives. Satisfies: SRG-NET-000015-NAC-000040, SRG-NET-000323-NAC-001233

Check Content

If automated remediation is not used, this is not applicable.

1. In the Ivanti Policy Secure Web UI, navigate to Endpoint Policy >> Network Access >> Radius Attributes >> Radius Return Attributes.
2. Inspect the policy to ensure it is configured with an assigned location group, roles, and remediation VLAN ID.

If the remediation VLAN that is separated from trusted resources is not configured for use, this is a finding.

Fix Text

1. In the Ivanti Policy Secure Web UI, navigate to Endpoint Policy >> Network Access >> Radius Attributes >> Radius Return Attributes.
2. Click "New Policy".
3. Type a Name and Description.
4. Assign Location Groups to which the policy applies.
5. Expand the "Access Control Policy Settings" menu.
6. Click the "Control" radio button.
7. Click the check box for "Control Using VLAN id []" and specify the remediation or redirect VLAN. 
8. Select the PPS interface to which endpoints will connect while they are assigned to the above VLAN. 
9. Expand "Roles".
10. Select the role to which this policy is applicable and set it for selected below and specify designated role. 
11. Click "Save Changes".