Check: WLAN-NW-000900
Network WLAN AP-IG Platform STIG:
WLAN-NW-000900
(in versions v7 r3 through v7 r1)
Title
The WLAN access point must be configured for Wi-Fi Alliance WPA2 or WPA3 security. (Cat II impact)
Discussion
The Wi-Fi Alliance's WPA2/WPA3 certification provides assurance that the device has adequate security functionality and can implement the IEEE 802.11i standard for robust security networks. The previous version of the Wi-Fi Alliance certification, WPA, did not require AES encryption, which must be supported for DoD WLAN implementations. Devices without any WPA certification likely do not support required security functionality and could be vulnerable to a wide range of attacks.
Check Content
Verify the access point is configured for either WPA2/WPA3 (Enterprise) or WPA2/WPA3 (Personal) authentication. The procedure for performing this review will vary depending on the AP model. Have the SA show the configuration setting. If the access point is not configured with either WPA2 or WPA3 security, this is finding.
Fix Text
Configure the access point for WPA2 (or WPA3) authentication, confidentiality, and integrity services. In the case of WPA2 (Personal), this action will require the selection of a strong passcode or passphrase. In the case of WPA2 (Enterprise), this action will require the organization to deploy RADIUS or equivalent authentication services on a separate server. In cases in which the access point does not support WPA2/WPA3, the organization will need to procure new equipment.
Additional Identifiers
Rule ID: SV-243212r720091_rule
Vulnerability ID: V-243212
Group Title: SRG-NET-000063
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001453 |
Implement cryptographic mechanisms to protect the integrity of remote access sessions. |
Controls
Number | Title |
---|---|
AC-17(2) |
Protection of Confidentiality / Integrity Using Encryption |