WLAN EAP-TLS implementation must use CAC authentication to connect to DoD networks.


Overview

Finding ID:  V-30257
Version:     WIR0116
Rule ID:     SV-39895r1_rule
IA Controls: ECSC-1, ECWN-1
Severity:    Medium
Description
DoD CAC authentication is strong, two-factor authentication that relies on carefully evaluated cryptographic modules. Implementations of EAP-TLS that are not integrated with the DoD CAC could have security vulnerabilities. For example, an implementation that uses a client certificate stored on a laptop without a second factor could enable an adversary with access to the laptop to connect to the WLAN without a PIN or password. Systems that do not use the DoD CAC are also much more likely to be vulnerable to weaknesses in the underlying public key infrastructure (PKI) that supports EAP-TLS.
STIG: WLAN Authentication Server Security Technical Implementation Guide (STIG)
Date: 2013-03-14

Details

Check Text ( C-38915r1_chk )
Detailed Policy Requirements:

A DoD CAC must be used to authenticate users to DoD networks. The DoD CAC should directly support the WLAN EAP-TLS implementation. If this is not technically feasible, a second layer of authentication using the DoD CAC must occur after the EAP-TLS authentication is completed.

At least one layer of user authentication must enforce the network authentication requirements found in JTF-GNO CTO 07-15Rev1 (e.g., CAC authentication) before the user is able to access DoD information resources.

Check Procedures:

Interview the site IAO and SA. Determine if the site’s network is configured to require CAC authentication before a WLAN user is connected to the network. If feasible, have an SA set up a WLAN connection and verify that the user is required to CAC authenticate before gaining access to the local network. Mark as a finding if a WLAN user is not required to CAC authenticate to the network prior to gaining network access.
Fix Text (F-34052r1_fix)
Integrate DoD CAC authentication into the WLAN authentication process.