UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

WLAN EAP-TLS implementation must use certificate-based PKI authentication to connect to DoD networks.


Overview

Finding ID Version Rule ID IA Controls Severity
V-243222 WLAN-NW-000700 SV-243222r720121_rule Medium
Description
DoD certificate-based PKI authentication is strong, two-factor authentication that relies on carefully evaluated cryptographic modules. Implementations of EAP-TLS that are not integrated with certificate-based PKI could have security vulnerabilities. For example, an implementation that uses a client certificate on laptop without a second factor could enable an adversary with access to the laptop to connect to the WLAN without a PIN or password. Systems that do not use the certificate-based PKI are also much more likely to be vulnerable to weaknesses in the underlying public key infrastructure (PKI) that supports EAP-TLS. Certificate-based PKI authentication must be used to connect WLAN client devices to DoD networks. The certificate-based PKI authentication should directly support the WLAN EAP-TLS implementation. At least one layer of user authentication must enforce network authentication requirements (e.g., CAC authentication) before the user is able to access DoD information resources.
STIG Date
Network WLAN AP-NIPR Platform Security Technical Implementation Guide 2023-02-13

Details

Check Text ( C-46497r720119_chk )
Interview the site ISSO and SA. Determine if the site's network is configured to require certificate-based PKI authentication before a WLAN user is connected to the network.

If certificate-based PKI authentication is not required prior to a DoD WLAN user accessing the DoD network, this is a finding.

Note: This check does not apply to medical devices. Medical devices are permitted to connect to the WLAN using pre-shared keys.
Fix Text (F-46454r720120_fix)
Integrate certificate-based PKI authentication into the WLAN authentication process.