WLAN EAP-TLS implementation must use certificate-based PKI authentication to connect to DoD networks.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-243222	WLAN-NW-000700	SV-243222r720121_rule		Medium

Description
DoD certificate-based PKI authentication is strong, two-factor authentication that relies on carefully evaluated cryptographic modules. Implementations of EAP-TLS that are not integrated with certificate-based PKI could have security vulnerabilities. For example, an implementation that uses a client certificate on laptop without a second factor could enable an adversary with access to the laptop to connect to the WLAN without a PIN or password. Systems that do not use the certificate-based PKI are also much more likely to be vulnerable to weaknesses in the underlying public key infrastructure (PKI) that supports EAP-TLS. Certificate-based PKI authentication must be used to connect WLAN client devices to DoD networks. The certificate-based PKI authentication should directly support the WLAN EAP-TLS implementation. At least one layer of user authentication must enforce network authentication requirements (e.g., CAC authentication) before the user is able to access DoD information resources.

Description

DoD certificate-based PKI authentication is strong, two-factor authentication that relies on carefully evaluated cryptographic modules. Implementations of EAP-TLS that are not integrated with certificate-based PKI could have security vulnerabilities. For example, an implementation that uses a client certificate on laptop without a second factor could enable an adversary with access to the laptop to connect to the WLAN without a PIN or password. Systems that do not use the certificate-based PKI are also much more likely to be vulnerable to weaknesses in the underlying public key infrastructure (PKI) that supports EAP-TLS. Certificate-based PKI authentication must be used to connect WLAN client devices to DoD networks. The certificate-based PKI authentication should directly support the WLAN EAP-TLS implementation. At least one layer of user authentication must enforce network authentication requirements (e.g., CAC authentication) before the user is able to access DoD information resources.

STIG	Date
Network WLAN AP-NIPR Platform Security Technical Implementation Guide	2021-04-16

Details

Check Text ( C-46497r720119_chk )
Interview the site ISSO and SA. Determine if the site's network is configured to require certificate-based PKI authentication before a WLAN user is connected to the network. If certificate-based PKI authentication is not required prior to a DoD WLAN user accessing the DoD network, this is a finding. Note: This check does not apply to medical devices. Medical devices are permitted to connect to the WLAN using pre-shared keys.

Check Text ( C-46497r720119_chk )

Interview the site ISSO and SA. Determine if the site's network is configured to require certificate-based PKI authentication before a WLAN user is connected to the network.

If certificate-based PKI authentication is not required prior to a DoD WLAN user accessing the DoD network, this is a finding.

Note: This check does not apply to medical devices. Medical devices are permitted to connect to the WLAN using pre-shared keys.

Fix Text (F-46454r720120_fix)
Integrate certificate-based PKI authentication into the WLAN authentication process.