UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

WLAN EAP-TLS implementation must use CAC authentication to connect to DoD networks.


Overview

Finding ID Version Rule ID IA Controls Severity
V-30257 WIR0116 SV-39895r1_rule ECSC-1 ECWN-1 Medium
Description
DoD CAC authentication is strong, two-factor authentication that relies on on carefully evaluated cryptographic modules. Implementations of EAP-TLS that are not integrated with DoD CAC could have security vulnerabilities. For example, an implementation that uses a client certificate on latop without a second factor could enable an adversary with access to the laptop to connect to the WLAN without a PIN or password. Systems that do not use the DoD CAC are also much more likely to be vulnerable to weaknesses in the underlying public key infrastructure (PKI) that supports EAP-TLS.
STIG Date
WLAN Access Point (Enclave-NIPRNet Connected) Security Technical Implementation Guide 2011-10-07

Details

Check Text ( C-38915r1_chk )
Detailed Policy Requirements:

A DoD CAC must be used to authenticate users to DoD networks. The DoD CAC should directly support the WLAN EAP-TLS implementation. If this is not technically feasible, a second layer of authentication using the DoD CAC must occur after the EAP-TLS authentication is completed.

At least one layer of user authentication must enforce network authentication requirements found in JTF-GNO CTO 07-15Rev1
(e.g., CAC authentication) before the user is able to access DoD information resources.

Check Procedures:

Interview the site IAO and SA. Determine if the site’s network is configured to require CAC authentication before a WLAN user is connected to the network. If feasible, have a SA set up a WLAN connection and verify the user is required to CAC authenticate before gaining access to the local network. Mark as a finding if a WLAN user is not required to CAC authenticate to the network prior to gaining network access.
Fix Text (F-34052r1_fix)
Integrate DoD CAC authentication into the WLAN authentication process.