STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated just now
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Ivanti Policy Secure NAC Security Technical Implementation Guide

V-284587

CAT II (Medium)

The Ivanti Policy Secure NAC must be configured to apply dynamic ACLs that restrict the use of resources when nonentity endpoints are connected using MAC Authentication Bypass (MAB).

Rule ID

SV-284587r1244874_rule

STIG

Ivanti Policy Secure NAC Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001958

Discussion

MAB can be defeated by spoofing the MAC address of a valid device. MAB enables port-based access control using the MAC address of the endpoint. A MAB-enabled port can be dynamically enabled or disabled based on the MAC address of the device that connects to it. NPE devices that support PKI or an allowed authentication type must use PKI. MAB may be used for NPE that cannot support an approved device authentication. Nonentity endpoints include IoT devices, VoIP phones, and printers. To support MAC authentication, add a MAC authentication server to Ivanti Policy Secure. Direct configuration of authenticators on the Ivanti Policy server, including MAC addresses, is not permitted; thus, NPE MACs must be associated with a MAC authentication server with an LDAP server.

Check Content

If nonentity endpoints using MAB are not connected, this is not applicable.

1. Select Endpoint Policy >> MAC Address Realm.
2. View the configuration of at least one MAC Address Authentication realm and Role Mapping rule.

If the MAC address realm is not configured and associated with role mappings, rules and a separate NPE VLAN, this is a finding.

Fix Text

Configure the MAC address authentication server for an authorized and separated NPE VLAN.
1. Select Authentication >> Auth. Servers.
2. Select "MAC Address Authentication" and click "New Server". Configure the MAC address authentication server configuration page and then click "Save".

Configure the MAC Address Authentication Realm and Role Mapping Rules.
1. Select Endpoint Policy >> MAC Address Realm.
2. Complete the configuration page and then click "Save".

Note: This realm can now be associated with roles, location groups, RADIUS client, etc. as any other realm. Direct configuration of authenticators on the Ivanti Policy server, including MAC addresses, is not permitted; thus, NPE MACs must be associated with a MAC authentication server with an LDAP server.