
Applications managing network connectivity must have the capability to authenticate devices before establishing network connections by using bidirectional authentication that is cryptographic.


Overview

Finding ID: V-35601
Version: SRG-APP-000161-AS-NA
Rule ID: SV-46888r1_rule
IA Controls:
Severity: Medium
Description
Device authentication is a solution enabling an organization to manage both users and devices. The application typically uses either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for identification or an organizational authentication solution (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and/or wide area networks. Bidirectional authentication provides a means for both connecting parties to mutually authenticate one another, and cryptographic authentication provides a secure means of authenticating without the use of clear text passwords. This requirement is intended to address devices that manage or allow wireless devices to connect to the network. This does not apply to an AS.
STIG: Application Server Security Requirements Guide
Date: 2013-01-08

Details

Check Text (C-43944r1_chk)
This requirement is NA for the AS SRG.
Fix Text (F-40142r1_fix)
The requirement is NA. No fix is required.