When AOS is used as a wireless local area network (WLAN) controller, WLAN Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) implementation must use certificate-based public key infrastructure (PKI) authentication to connect to DOD networks.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-266703 | ARBA-NT-001590 | SV-266703r1040640_rule | CCI-001444 | medium |

Description

DOD certificate-based PKI authentication is strong, two-factor authentication that relies on carefully evaluated cryptographic modules. Implementations of EAP-TLS that are not integrated with certificate-based PKI could have security vulnerabilities. For example, an implementation that uses a client certificate on a laptop without a second factor could enable an adversary with access to the laptop to connect to the WLAN without a PIN or password. Systems that do not use the certificate-based PKI are also much more likely to be vulnerable to weaknesses in the underlying public key infrastructure (PKI) that supports EAP-TLS. Certificate-based PKI authentication must be used to connect WLAN client devices to DOD networks. The certificate-based PKI authentication should directly support the WLAN EAP-TLS implementation. At least one layer of user authentication must enforce network authentication requirements (e.g., CAC authentication) before the user is able to access DOD information resources.

| STIG | Date |
|---|---|
| HPE Aruba Networking AOS Wireless Security Technical Implementation Guide | 2024-10-29 |
Details
Check Text (C-266703r1040640_chk)
Verify the AOS configuration using the web interface:
1. Navigate to Configuration >> WLANs and select the desired WLAN in the WLANs field.
2. Under the selected WLAN, select "Security". Note which Auth servers are configured.
3. Navigate to Configuration >> Authentication.
4. In the "All Servers" field, select each WLAN authentication server noted earlier.
5. Verify each configured authentication server is configured to support EAP-TLS with DOD PKI.
If any WLAN authentication server is not configured to support EAP-TLS with DOD PKI, this is a finding.
Fix Text (F-70530r1040598_fix)
Configure AOS using the web interface:
1. Navigate to Configuration >> Authentication.
2. Click the plus sign (+) under the "All Servers" field.
3. Add enterprise RADIUS servers by providing the Name and IP address/hostname.
4. Click on the added RADIUS server. Configure the Shared key.
5. Click Submit >> Pending Changes >> Deploy Changes.
6. Navigate to Configuration >> WLANs and select the desired WLAN in the "WLANs" field.
7. Under the selected WLAN, select "Security".
8. Click the plus sign (+) in the "Auth servers:" field and add the previously created enterprise RADIUS servers.
9. Click Submit >> Pending Changes >> Deploy Changes.
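The check and fix above walk the same chain by hand in the web interface: WLAN, then its "Security" page, then the "Auth servers" it references, then each server's definition. The following is an added audit helper, not part of the STIG and not HPE Aruba code, that follows that chain over a saved running-config so every WLAN can be reviewed at once. It assumes the ArubaOS CLI layout shown in the constructed sample (`wlan virtual-ap` referencing an `aaa profile`, whose `dot1x-server-group` lists `auth-server` entries defined as `aaa authentication-server radius`); the sample hostnames, addresses and profile names are made up. Whether a listed RADIUS server actually performs EAP-TLS against DOD PKI is a property of that server (its EAP method and trusted CA configuration) and must still be verified there; the script only surfaces WLANs that cannot satisfy the rule because no enterprise RADIUS server backs their 802.1X authentication at all.

```python
"""Map each AOS WLAN (virtual-ap) to the RADIUS servers behind its 802.1X authentication.

Added example; assumes the ArubaOS CLI block layout used in SAMPLE_CONFIG below.
A WLAN that resolves to an empty server list has no enterprise RADIUS server and
therefore cannot be doing EAP-TLS with DOD PKI: report it as a finding.
"""
import re
from collections import defaultdict

# Constructed sample config (not a real deployment): one WLAN backed by a RADIUS
# server, one WLAN whose AAA profile names no 802.1X server group.
SAMPLE_CONFIG = """\
aaa authentication-server radius "dod-nps-1"
   host "192.0.2.10"
   key "<shared-secret-placeholder>"
!
aaa server-group "dod-dot1x"
   auth-server "dod-nps-1"
!
aaa profile "secure-aaa"
   dot1x-server-group "dod-dot1x"
!
aaa profile "guest-aaa"
!
wlan virtual-ap "secure-vap"
   aaa-profile "secure-aaa"
!
wlan virtual-ap "guest-vap"
   aaa-profile "guest-aaa"
!
"""

# Top-level block openers we care about, and the indented "key "value"" children.
BLOCK_RE = re.compile(
    r'^(aaa authentication-server radius|aaa server-group|aaa profile|wlan virtual-ap)'
    r' "([^"]+)"\s*$'
)
CHILD_RE = re.compile(r'^\s+(\S+)\s+"([^"]+)"\s*$')


def parse_config(text):
    """Return (radius_hosts, server_groups, aaa_profiles, virtual_aps) from config text."""
    radius = {}                  # RADIUS server name -> host/IP
    groups = defaultdict(list)   # server-group name -> [RADIUS server names]
    profiles = {}                # aaa profile name -> dot1x server-group (None if unset)
    vaps = {}                    # virtual-ap name -> aaa profile name
    block = None                 # (block kind, block name) currently being parsed
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            block = None         # "!" closes the current block in AOS config output
            continue
        m = BLOCK_RE.match(raw)
        if m:
            block = (m.group(1), m.group(2))
            if block[0] == "aaa profile":
                profiles.setdefault(block[1], None)  # record profiles with no server group
            continue
        m = CHILD_RE.match(raw)
        if not (m and block):
            continue             # unrelated block or a child line we do not model
        kind, name = block
        key, value = m.group(1), m.group(2)
        if kind == "aaa authentication-server radius" and key == "host":
            radius[name] = value
        elif kind == "aaa server-group" and key == "auth-server":
            groups[name].append(value)
        elif kind == "aaa profile" and key == "dot1x-server-group":
            profiles[name] = value
        elif kind == "wlan virtual-ap" and key == "aaa-profile":
            vaps[name] = value
    return radius, groups, profiles, vaps


def audit(text):
    """Return {virtual_ap: [RADIUS hosts]}; an empty list means no 802.1X server backs the WLAN."""
    radius, groups, profiles, vaps = parse_config(text)
    result = {}
    for vap, prof in vaps.items():
        group = profiles.get(prof)
        servers = groups.get(group, []) if group else []
        # Only servers that are actually defined count; dangling names are ignored.
        result[vap] = [radius[s] for s in servers if s in radius]
    return result


def findings(text):
    """Names of WLANs with no enterprise RADIUS server, sorted for stable reporting."""
    return sorted(vap for vap, hosts in audit(text).items() if not hosts)


if __name__ == "__main__":
    for vap, hosts in audit(SAMPLE_CONFIG).items():
        status = "OK, verify EAP-TLS/DOD PKI on" if hosts else "FINDING: no RADIUS server"
        print(f"{vap}: {status} {hosts}")
```

Run it against the output of the controller's running configuration instead of `SAMPLE_CONFIG` to get the WLAN-to-server map; every host it lists still needs the server-side check from step 5 of the check text (EAP-TLS enabled, client certificates validated against the DOD PKI trust chain), and every WLAN it reports as a finding needs the RADIUS servers added under its "Security" tab as described in the fix text.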