The IAO will ensure that 802.1x is implemented using a secure EAP such as EAP-TLS, EAP-TTLS or PEAP.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-7542	NET-NAC-010	SV-8011r1_rule		Medium

Description
EAP methods/types are continually being proposed, however, the three being considered secure are EAP-TLS, EAP-TTLS, and PEAP. PEAP is the preferred EAP type to be used in DoD because of its ability to support a greater number of operating systems and its capability to transmit statement of health information, per NSA NAC study. Lightweight EAP (LEAP) is a CISCO proprietary protocol providing an easy-to-deploy one password authentication. LEAP is vulnerable to dictionary attacks. A "man in the middle" can capture traffic, identify a password, and then use it to access a WLAN. LEAP is inappropriate and does not provide sufficient security for use on DOD networks. EAP-MD5 is functionally similar to CHAP and is susceptible to eavesdropping because the password credentials are sent as a hash (not encrypted). In addition, server administrators would be required to store unencrypted passwords on their servers violating other security policies. EAP-MD5 is inappropriate and does not provide sufficient security for use on DOD networks.

Description

EAP methods/types are continually being proposed, however, the three being considered secure are EAP-TLS, EAP-TTLS, and PEAP. PEAP is the preferred EAP type to be used in DoD because of its ability to support a greater number of operating systems and its capability to transmit statement of health information, per NSA NAC study. Lightweight EAP (LEAP) is a CISCO proprietary protocol providing an easy-to-deploy one password authentication. LEAP is vulnerable to dictionary attacks. A "man in the middle" can capture traffic, identify a password, and then use it to access a WLAN. LEAP is inappropriate and does not provide sufficient security for use on DOD networks. EAP-MD5 is functionally similar to CHAP and is susceptible to eavesdropping because the password credentials are sent as a hash (not encrypted). In addition, server administrators would be required to store unencrypted passwords on their servers violating other security policies. EAP-MD5 is inappropriate and does not provide sufficient security for use on DOD networks.

STIG	Date
Network Devices Security Technical Implementation Guide	2017-12-07

Details

Check Text ( C-5960r1_chk )
Verify that the authentication server is configured to use a strong EAP such as EAP-TLS, EAP-TTLS or PEAP

Fix Text (F-6892r1_fix)
Confiugre the authentication server to use a strong EAP such as EAP-TLS, EAP-TTLS or PEAP.