STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 3 hours ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Ivanti Policy Secure AAA Services Security Technical Implementation Guide

V-284443

CAT II (Medium)

The Ivanti Policy Secure must be configured to use IP segments separate from the production VLAN when NAC policy assessment and remediation are used.

Rule ID

SV-284443r1244819_rule

STIG

Ivanti Policy Secure AAA Services Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000366

Discussion

When policy assessment and remediation have been implemented and the advanced AAA server dynamic VLAN is misconfigured, logical separation of the production VLAN may not be ensured. Nontrusted resources are not authenticated in a NAC solution and only implement the authentication component of NAC. Nontrusted resources could become resources that have been authenticated but have not had a successful policy assessment when the automated policy assessment component has been implemented.

Check Content

1. In the Web UI, navigate to Network >> Internal >> Settings.
2. Verify the IP address for the "Internal Interface" is set to an IP address of a separate network segment rather than the production network.

If Ivanti Policy Secure is not configured for network separation from the trusted network segments, this is a finding.

Fix Text

1. In the Web UI, navigate to Network >> Internal >> Settings.
2. Set the IP address for the "Internal Interface" to the address of a network segment separate from the production network (this network may have services such as AD, web servers, etc.).