STIGQter: STIG Summary: Forescout Network Access Control Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 20 Nov 2020

Forescout must deny network connection for endpoints that cannot be authenticated using an approved method.

DISA Rule

SV-233338r611394_rule

Vulnerability Number

V-233338

Group Title

SRG-NET-000148-NAC-000620

Rule Version

FORE-NC-000450

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Log on to Forescout UI.

1. From the Policy tab, select the Authentication and Authorization policy.
2. Find the 802.1x Authorization policy and click Edit.

From the Sub-Rules section, check that all of the options for authentication are selected, including the following:
- Machine Authenticated
- User+Machine Authenticated
- User+Managed Machine
- User+NotMachine Authenticated

If these are all configured, check that a final sub-rule catches endpoints that were not authorized by any of the previous sub-rules and blocks their traffic in accordance with the SSP. To add this rule, select "Add>":
1. Give the policy a name like "Deny Access".
2. In the Condition box, click "Add" and select "802.1x RADIUS Authentication State".
3. Check the box labeled "RADIUS-Rejected", and then click "OK".
4. In the Actions box, click "Add" and select a block action in accordance with the SSP.

Check Contents

Verify that the NAC denies network connections for endpoints that cannot be authenticated using an approved method and logs authentication failures.

1. Log on to Forescout UI.
2. From the Policy tab, select the Authentication and Authorization policy.
3. Find the 802.1x Authorization policy.

If the NAC does not have an authorization policy that denies network connections for endpoints that cannot be authenticated using an approved method and logs authentication failures, this is a finding.

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

5250

Comments