WLAN EAP-TLS implementation must use certificate-based PKI authentication to connect to DoD networks.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-30257	WIR0116	SV-39895r2_rule	ECSC-1 ECWN-1	Medium

Description
DoD certificate-based PKI authentication is strong, two-factor authentication that relies on carefully evaluated cryptographic modules. Implementations of EAP-TLS that are not integrated with certificate-based PKI could have security vulnerabilities. For example, an implementation that uses a client certificate on laptop without a second factor could enable an adversary with access to the laptop to connect to the WLAN without a PIN or password. Systems that do not use the certificate-based PKI are also much more likely to be vulnerable to weaknesses in the underlying public key infrastructure (PKI) that supports EAP-TLS.

Description

DoD certificate-based PKI authentication is strong, two-factor authentication that relies on carefully evaluated cryptographic modules. Implementations of EAP-TLS that are not integrated with certificate-based PKI could have security vulnerabilities. For example, an implementation that uses a client certificate on laptop without a second factor could enable an adversary with access to the laptop to connect to the WLAN without a PIN or password. Systems that do not use the certificate-based PKI are also much more likely to be vulnerable to weaknesses in the underlying public key infrastructure (PKI) that supports EAP-TLS.

STIG	Date
WLAN Client Security Technical Implementation Guide (STIG)	2014-08-26

Details

Check Text ( C-38915r3_chk )
Detailed Policy Requirements: Certificate-based PKI authentication must be used to connect WLAN client devices to DoD networks. The certificate-based PKI authentication should directly support the WLAN EAP-TLS implementation. At least one layer of user authentication must enforce network authentication requirements found in JTF-GNO CTO 07-15Rev1 (e.g., CAC authentication) before the user is able to access DoD information resources. Check Procedures: Interview the site IAO and SA. Determine if the site’s network is configured to require certificate-based PKI authentication before a WLAN user is connected to the network. Mark as a finding if certificate-based PKI authentication is not required prior to a DoD WLAN user accessing the DoD network.

Check Text ( C-38915r3_chk )

Detailed Policy Requirements:

Certificate-based PKI authentication must be used to connect WLAN client devices to DoD networks. The certificate-based PKI authentication should directly support the WLAN EAP-TLS implementation.
At least one layer of user authentication must enforce network authentication requirements found in JTF-GNO CTO 07-15Rev1 (e.g., CAC authentication) before the user is able to access DoD information resources.

Check Procedures:

Interview the site IAO and SA. Determine if the site’s network is configured to require certificate-based PKI authentication before a WLAN user is connected to the network. Mark as a finding if certificate-based PKI authentication is not required prior to a DoD WLAN user accessing the DoD network.

Fix Text (F-34052r2_fix)
Integrate certificate-based PKI authentication into the WLAN authentication process.