AOS must protect wireless access to the network using authentication of users and/or devices.

Overview

Finding ID: V-266559
Version: ARBA-NT-000120
Rule ID: SV-266559r1040167_rule
IA Controls: CCI-001443
Severity: medium

Description
Allowing devices and users to connect to the system without first authenticating them allows untrusted access and can lead to a compromise or attack.

The security boundary of a wireless local area network (WLAN) extends from the client device to the network boundary where network access is controlled. This boundary represents the portion of the network most vulnerable to attack and must be protected. Within this boundary there must be two distinct, but related, security protection mechanisms: authentication and data-in-transit encryption. These protections ensure access control and protection from eavesdropping for both the WLAN system and the DOD network enclave.

Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., Extensible Authentication Protocol (EAP)/Transport Layer Security (TLS) and Protected EAP [PEAP]), which provide credential protection and mutual authentication.

Satisfies: SRG-NET-000069, SRG-NET-000070

STIG: HPE Aruba Networking AOS Wireless Security Technical Implementation Guide
Date: 2024-10-29

Related Frameworks

3 paths across 3 frameworks
NIST 800-53 · 1 mapping
  • DISA · 1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-171 · 1 mapping
3.1.17
1.00
  • DISA · 1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI · 1 mapping
CCI-001443
1.00
  • DISA · 1 · disa_xccdf · related

Details

Check Text (C-266559r1040167_chk)

Verify the AOS configuration with the following command:

    show wlan ssid-profile

For each WLAN SSID:

    show wlan ssid-profile <SSID profile name>

If a WPA Passphrase is set or if Encryption is not set with wpa2-aes or wpa3-cnsa, this is a finding.
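
The check above can be scripted over saved CLI output. The following Python is an added example, not part of the STIG or of HPE Aruba documentation; the "Parameter / Value" column layout, the N/A marker for an unset passphrase, and the profile names are assumptions, and the sample output is constructed.

```python
import re

ALLOWED_OPMODES = {"wpa2-aes", "wpa3-cnsa"}  # the only values the check text accepts
UNSET_VALUES = {"n/a", "none"}               # assumption: how an unset passphrase is shown
# Constructed sample: per-profile output saved to one file (layout is an assumption).
SAMPLE_OUTPUT = """\
SSID Profile "corp-eap"
Parameter                Value
---------                -----
Encryption               wpa2-aes
WPA Passphrase           N/A
SSID Profile "guest-psk"
Parameter                Value
---------                -----
Encryption               wpa2-psk-aes
WPA Passphrase           ********
SSID Profile "lab-mixed"
Parameter                Value
---------                -----
Encryption               wpa2-aes wpa-tkip
"""

def parse_profiles(text):
    """Return {profile name: {parameter: value}} for each 'SSID Profile' block."""
    profiles, current = {}, None
    for line in text.splitlines():
        header = re.match(r'\s*SSID Profile "(.+)"\s*$', line)
        if header:
            current = profiles.setdefault(header.group(1), {})
        elif current is not None:
            parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)  # columns: 2+ spaces
            if len(parts) == 2 and not parts[0].startswith(("-", "Parameter")):
                current[parts[0]] = parts[1]
    return profiles

def audit(text):
    """Return {profile name: [reasons]} for every profile that is a finding."""
    findings = {}
    for name, params in parse_profiles(text).items():
        reasons = []
        modes = set(params.get("Encryption", "").lower().split())
        if not modes or modes - ALLOWED_OPMODES:  # missing or mixed modes fail closed
            reasons.append("Encryption is not wpa2-aes or wpa3-cnsa")
        if params.get("WPA Passphrase", "unreported").lower() not in UNSET_VALUES:
            reasons.append("WPA Passphrase is set or not reported")
        if reasons:
            findings[name] = reasons
    return findings
```

Calling `audit()` on the concatenated output of each `show wlan ssid-profile <SSID profile name>` run returns only the profiles that are findings, with the reason for each.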

Fix Text (F-70386r1040166_fix)

Configure AOS with the following commands:

    configure terminal
    wlan ssid-profile <profile name>
    opmode <wpa2-aes or wpa3-cnsa>
    exit
    write memory