Title

WLAN must use EAP-TLS. (Cat II impact)

Discussion

EAP-TLS provides strong cryptographic mutual authentication and key distribution services not found in other EAP methods, and thus provides significantly more protection against attacks than other methods. Additionally, EAP-TLS supports two-factor user authentication on the WLAN client, which provides significantly more protection than methods that rely on a password or certificate alone. EAP-TLS also can leverage DoD CAC in its authentication services, providing additional security and convenience.

Check Content

NOTE: If the equipment is WPA2 certified, then it is capable of supporting this requirement. Review the WLAN equipment configuration to check EAP-TLS is actively used and no other methods are enabled. Mark as a finding if either EAP-TLS is not used or if the WLAN system allows users to connect with other methods. Note: DoDI 8420.01 provides the capability for the DAA to grant limited exceptions to this requirement.

Fix Text

Change the WLAN configuration so it supports EAP-TLS, implementing supporting PKI and AAA infrastructure as necessary. If the WLAN equipment is not capable of supporting EAP-TLS, procure new equipment capable of such support.

Additional Identifiers

Rule ID: SV-3692r2_rule

Vulnerability ID: V-3692

Group Title: WLAN EAP authentication

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.