accepted
WLAN Authentication Server Security Technical Implementation Guide (STIG)
This STIG contains the technical security controls for the operation of a WLAN Authentication Server in the DoD environment.
DISA, Field Security Operations
STIG.DOD.MIL
Release: 6 Benchmark Date: 12 Mar 2013
6
I - Mission Critical Classified<ProfileDescription></ProfileDescription>
I - Mission Critical Public<ProfileDescription></ProfileDescription>
I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>
II - Mission Support Classified<ProfileDescription></ProfileDescription>
II - Mission Support Public<ProfileDescription></ProfileDescription>
II - Mission Support Sensitive<ProfileDescription></ProfileDescription>
III - Administrative Classified<ProfileDescription></ProfileDescription>
III - Administrative Public<ProfileDescription></ProfileDescription>
III - Administrative Sensitive<ProfileDescription></ProfileDescription>
WLAN EAP authentication<GroupDescription></GroupDescription>
WIR0115-01
WLAN must use EAP-TLS.
<VulnDiscussion>EAP-TLS provides strong cryptographic mutual authentication and key distribution services not found in other EAP methods, and thus provides significantly more protection against attacks than other methods. Additionally, EAP-TLS supports two-factor user authentication on the WLAN client, which provides significantly more protection than methods that rely on a password or certificate alone.
EAP-TLS also can leverage DoD CAC in its authentication services, providing additional security and convenience.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECSC-1, ECWN-1</IAControls>
VMS Target WLAN Authentication Server
DISA FSO
VMS Target
WLAN Authentication Server
1537
Change the WLAN configuration so it supports EAP-TLS, implementing supporting PKI and AAA infrastructure as necessary. If the WLAN equipment is not capable of supporting EAP-TLS, procure new equipment capable of such support.
NOTE: If the equipment is WPA2 certified, then it is capable of supporting this requirement.
Review the WLAN equipment configuration to check EAP-TLS is actively used and no other methods are enabled.
Mark as a finding if either EAP-TLS is not used or if the WLAN system allows users to connect with other methods.
WLAN EAP-TLS FIPS 140-2 validation<GroupDescription></GroupDescription>
WIR0115-02
The WLAN implementation of EAP-TLS must be FIPS 140-2 validated.
<VulnDiscussion>Most known security breaches of cryptography result from improper implementation of the cryptography, not flaws in the cryptographic algorithms themselves. FIPS 140-2 validation provides assurance that cryptography is implemented correctly, and is required for Federal Government uses of cryptography in non-classified applications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECSC-1, ECWN-1</IAControls>
VMS Target WLAN Authentication Server
DISA FSO
VMS Target
WLAN Authentication Server
1537
Procure WLAN equipment whose implementation of TLS has been FIPS 140-2 validated.
Review the WLAN system product documentation (specification sheet, administration manual, etc.), which should include the FIPS 140-2 certificate for the WLAN system. Verify the certificate specifically covers the implementation of TLS. If there are any concerns about the currency or veracity of the certificate in the product documentation, the reviewer should check the NIST Internet web site (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm) and find the certificate.
WLAN DoD authentication<GroupDescription></GroupDescription>
WIR0116
WLAN EAP-TLS implementation must use CAC authentication to connect to DoD networks.
<VulnDiscussion>DoD CAC authentication is strong, two-factor authentication that relies on carefully evaluated cryptographic modules. Implementations of EAP-TLS that are not integrated with DoD CAC could have security vulnerabilities. For example, an implementation that uses a client certificate on a laptop without a second factor could enable an adversary with access to the laptop to connect to the WLAN without a PIN or password. Systems that do not use the DoD CAC are also much more likely to be vulnerable to weaknesses in the underlying public key infrastructure (PKI) that supports EAP-TLS.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECSC-1, ECWN-1</IAControls>
VMS Target WLAN Authentication Server
DISA FSO
VMS Target
WLAN Authentication Server
1537
Integrate DoD CAC authentication into the WLAN authentication process.
Detailed Policy Requirements:
A DoD CAC must be used to authenticate users to DoD networks. The DoD CAC should directly support the WLAN EAP-TLS implementation. If this is not technically feasible, a second layer of authentication using the DoD CAC must occur after the EAP-TLS authentication is completed.
At least one layer of user authentication must enforce network authentication requirements found in JTF-GNO CTO 07-15Rev1 (e.g., CAC authentication) before the user is able to access DoD information resources.
Check Procedures:
Interview the site IAO and SA. Determine if the site's network is configured to require CAC authentication before a WLAN user is connected to the network. If feasible, have an SA set up a WLAN connection and verify the user is required to CAC authenticate before gaining access to the local network. Mark as a finding if a WLAN user is not required to CAC authenticate to the network prior to gaining network access.