Rule ID
SV-284443r1244819_rule
Version
V1R1
CCIs
When policy assessment and remediation have been implemented and the advanced AAA server dynamic VLAN is misconfigured, logical separation of the production VLAN may not be ensured. Nontrusted resources are not authenticated in a NAC solution and only implement the authentication component of NAC. Nontrusted resources could become resources that have been authenticated but have not had a successful policy assessment when the automated policy assessment component has been implemented.
1. In the Web UI, navigate to Network >> Internal >> Settings. 2. Verify the IP address for the "Internal Interface" is set to an IP address of a separate network segment rather than the production network. If Ivanti Policy Secure is not configured for network separation from the trusted network segments, this is a finding.
1. In the Web UI, navigate to Network >> Internal >> Settings. 2. Set the IP address for the "Internal Interface" to the address of a network segment separate from the production network (this network may have services such as AD, web servers, etc.).