STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated just now
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Ivanti Policy Secure AAA Services Security Technical Implementation Guide

V-284444

CAT I (High)

The Ivanti Policy Secure must be configured to uniquely identify and authenticate organizational users.

Rule ID

SV-284444r1244802_rule

STIG

Ivanti Policy Secure AAA Services Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000764

Discussion

To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses, except the following. (i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and (ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.

Check Content

1. Navigate the URL(s) used for users to login.
2. Verify users are prompted for their credentials upon signing in and cannot bypass the sign-in process.

If the device does not require users be individually authenticated, this is a finding.

Fix Text

Create the User Role to define what actions the user can perform once logged in. 
1. Navigate to Users >> User Roles.
2. Click "New Role" and give it a name.
3. Under "Access Features", check the boxes for the services needed (e.g., VPN Tunneling or Web).

Configure the Authentication Server so the credentials can be verified.
1. Navigate to Authentication >> Auth. Servers.
2. Select the server type from the dropdown and click "New Server".
3. Enter the server details and click "Save".

Create the User Realm to connect the user to the authentication server and the role.
1. Navigate to Users >> User Realms.
2. Click "New Realm" and give it a name.
3. Authentication: Select the server created previously.
4. Directory/Attribute: Select the same server to look up group memberships for role mapping.
5. Click "Save Changes".

Set up Role Mapping Rules to map the user to a group in the LDAP server.
1. While still in the new Realm, click the "Role Mapping" tab.
2. Click "New Rule".
3. Rule based on: Select Group Membership (if using AD) or Custom Expression.
4. Condition: Select the AD group the nonadministrative users belong to.
5. Assign Role: Select the role created in a previous step.
6. Click "Save Changes".

Create a Sign-In Policy to provide a URL for the users to log in.
1. Navigate to Authentication >> Signing In >> Sign-in Policies.
2. Click "New URL".
3. User type: Select Users (not Administrators).
4. Sign-in URL: Specify a path (e.g., */staff-login).
5. Authentication Realm: Select "Corporate_Network_Realm".
6. Click "Save Changes".