When AOS is used as a wireless local area network (WLAN) controller, WLAN Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) implementation must use certificate-based public key infrastructure (PKI) authentication to connect to DOD networks.

Severity: medium
Group ID: V-266703
Group Title: SRG-NET-000070
Version: ARBA-NT-001590
Rule ID: SV-266703r1040640_rule
Date: 2024-10-29
STIG Version: 1
Description
DOD certificate-based PKI authentication is strong, two-factor authentication that relies on carefully evaluated cryptographic modules. Implementations of EAP-TLS that are not integrated with certificate-based PKI could have security vulnerabilities. For example, an implementation that uses a client certificate on a laptop without a second factor could enable an adversary with access to the laptop to connect to the WLAN without a PIN or password. Systems that do not use the certificate-based PKI are also much more likely to be vulnerable to weaknesses in the underlying public key infrastructure (PKI) that supports EAP-TLS. Certificate-based PKI authentication must be used to connect WLAN client devices to DOD networks. The certificate-based PKI authentication should directly support the WLAN EAP-TLS implementation. At least one layer of user authentication must enforce network authentication requirements (e.g., CAC authentication) before the user is able to access DOD information resources.
Check
Verify the AOS configuration using the web interface:
1. Navigate to Configuration >> WLANs and select the desired WLAN in the WLANs field.
2. Under the selected WLAN, select "Security". Note which Auth servers are configured.
3. Navigate to Configuration >> Authentication.
4. In the "All Servers" field, select each WLAN authentication server noted earlier.
5. Verify each configured authentication server is configured to support EAP-TLS with DOD PKI.
If each WLAN authentication server is not configured to support EAP-TLS with DOD PKI, this is a finding.
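The web-interface check above confirms that each Auth server is listed; it does not prove the server actually completes an EAP-TLS exchange against a DOD-issued client certificate. The following is an added example, not part of the STIG and not AOS code, that probes each noted RADIUS server with eapol_test (the test client built from wpa_supplicant). The identity, certificate paths, RADIUS addresses and shared secret are placeholders.

```shell
#!/bin/sh
# Added example (not part of the STIG): confirm a WLAN RADIUS server completes
# EAP-TLS using a DOD PKI trust chain. Assumes eapol_test from wpa_supplicant
# is on PATH; every path, hostname and secret below is a placeholder.
set -eu

# Write a wpa_supplicant-style EAP-TLS network block to $1.
# $2 = identity, $3 = DOD CA bundle, $4 = client cert, $5 = client key,
# $6 = expected suffix of the RADIUS server certificate's subject/SAN.
gen_eaptls_conf() {
    cat > "$1" <<EOF
network={
    key_mgmt=WPA-EAP
    eap=TLS
    identity="$2"
    ca_cert="$3"
    client_cert="$4"
    private_key="$5"
    domain_suffix_match="$6"
}
EOF
}

# Run eapol_test against one RADIUS server. Returns 0 only when the EAP
# exchange ends in EAP-Success, so a non-zero status maps to a finding.
# $1 = config file, $2 = RADIUS IP/host, $3 = RADIUS shared secret
probe_radius_eaptls() {
    if eapol_test -c "$1" -a "$2" -s "$3" -t 10 >/dev/null 2>&1; then
        echo "PASS $2: EAP-TLS authentication succeeded"
        return 0
    fi
    echo "FAIL $2: EAP-TLS authentication did not complete (finding)"
    return 1
}

# Iterate over every Auth server noted in the check (placeholder values).
main() {
    conf=$(mktemp)
    gen_eaptls_conf "$conf" "1234567890@mil" "/etc/ssl/dod-roots.pem" \
        "/etc/ssl/client.pem" "/etc/ssl/client.key" "radius.example.mil"
    rc=0
    for srv in 10.0.0.10 10.0.0.11; do   # placeholder RADIUS addresses
        probe_radius_eaptls "$conf" "$srv" "CHANGE-ME-shared-secret" || rc=1
    done
    rm -f "$conf"
    return $rc
}

case "${1:-}" in --run) main ;; esac
```

Run the script with `--run` after substituting the site's own values; a PASS for every server noted in step 2 supports a "not a finding" result for step 5.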
Fix
Configure AOS using the web interface:
1. Navigate to Configuration >> Authentication.
2. Click the plus sign (+) under the "All Servers" field.
3. Add enterprise RADIUS servers by providing the Name and IP address/hostname.
4. Click on the added RADIUS server. Configure the Shared key.
5. Click Submit >> Pending Changes >> Deploy Changes.
6. Navigate to Configuration >> WLANs and select the desired WLAN in the "WLANs" field.
7. Under the selected WLAN, select "Security".
8. Click the plus sign (+) in the "Auth servers:" field and add the previously created enterprise RADIUS servers.
9. Click Submit >> Pending Changes >> Deploy Changes.