Check: SRG-VOIP-000590
Enterprise Voice, Video, and Messaging Policy SRG: SRG-VOIP-000590 (in versions v1 r2 through v1 r1)
Title
A MAC Authentication Bypass policy must be implemented for 802.1x unsupported devices that connect to the Enterprise Voice, Video, and Messaging system. (Cat II impact)
Discussion
MAC Authentication Bypass (MAB) is not a sufficient stand-alone authentication mechanism for non-802.1x supplicant endpoints. Additional policy-based validation techniques must be developed to ensure that 802.1x-exempted devices are properly tracked and controlled, both to prevent compromise of the underlying 802.1x system and to prevent unapproved devices from accessing the Enterprise Voice, Video, and Messaging system.
Check Content
Verify a policy and procedure is in place and enforced that addresses the operation of MAC Authentication Bypass exceptions to 802.1x requirements. If a MAC Authentication Bypass policy is not in place and enforced, this is a finding.
Fix Text
Ensure a policy and procedure is in place and enforced that addresses the operation of MAC Authentication Bypass exceptions to 802.1x requirements.
Additional Identifiers
Rule ID: SV-259939r948786_rule
Vulnerability ID: V-259939
Group Title: SRG-VOIP-000590
CCIs
Number | Definition |
---|---|
CCI-001548 | Defines the information flow control policies for controlling the flow of information within the system. |
Controls
Number | Title |
---|---|
AC-4 | Information Flow Enforcement |