WLAN must use EAP-TLS.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-243234 | WLAN-NW-000500 | SV-243234r720157_rule | CCI-001444 | medium |
| Description | ||||
| EAP-TLS provides strong cryptographic mutual authentication and key distribution services not found in other EAP methods, and thus provides significantly more protection against attacks than other methods. Additionally, EAP-TLS supports two-factor user authentication on the WLAN client, which provides significantly more protection than methods that rely on a password or certificate alone. EAP-TLS also can leverage the DoD Common Access Card (CAC) in its authentication services, providing additional security and convenience. | ||||
| STIG | Date | |||
| Network WLAN Controller Platform Security Technical Implementation Guide | 2023-02-13 | |||
Related Frameworks
3 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
AC-18(1)
1.00
- DISA · V7R3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.1.17
1.00
- DISA · V7R3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-001444
1.00
- DISA · V7R3 · disa_xccdf · related
Details
Check Text (C-243234r720157_chk)
Note: If the equipment is WPA2/WPA3 certified by the Wi-Fi Alliance, it is capable of supporting this requirement.
Review the WLAN equipment configuration to verify that EAP-TLS is actively used and no other methods are enabled.
If EAP-TLS is not used or if the WLAN system allows users to connect with other methods, this is a finding.
Fix Text (F-46466r720156_fix)
Change the WLAN configuration so it supports EAP-TLS, implementing supporting PKI and AAA infrastructure as necessary. If the WLAN equipment is not capable of supporting EAP-TLS, procure new equipment capable of such support.