Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-243222 | WLAN-NW-000700 | SV-243222r720121_rule | Medium |
Description |
---|
DoD certificate-based PKI authentication is strong, two-factor authentication that relies on carefully evaluated cryptographic modules. Implementations of EAP-TLS that are not integrated with certificate-based PKI could have security vulnerabilities. For example, an implementation that uses a client certificate on laptop without a second factor could enable an adversary with access to the laptop to connect to the WLAN without a PIN or password. Systems that do not use the certificate-based PKI are also much more likely to be vulnerable to weaknesses in the underlying public key infrastructure (PKI) that supports EAP-TLS. Certificate-based PKI authentication must be used to connect WLAN client devices to DoD networks. The certificate-based PKI authentication should directly support the WLAN EAP-TLS implementation. At least one layer of user authentication must enforce network authentication requirements (e.g., CAC authentication) before the user is able to access DoD information resources. |
STIG | Date |
---|---|
Network WLAN AP-NIPR Platform Security Technical Implementation Guide | 2023-02-13 |
Check Text ( C-46497r720119_chk ) |
---|
Interview the site ISSO and SA. Determine if the site's network is configured to require certificate-based PKI authentication before a WLAN user is connected to the network. If certificate-based PKI authentication is not required prior to a DoD WLAN user accessing the DoD network, this is a finding. Note: This check does not apply to medical devices. Medical devices are permitted to connect to the WLAN using pre-shared keys. |
Fix Text (F-46454r720120_fix) |
---|
Integrate certificate-based PKI authentication into the WLAN authentication process. |