Rule ID
SV-266559r1040167_rule
Version
V1R2
CCIs
CCI-001443, CCI-001444
Allowing devices and users to connect to the system without first authenticating them allows untrusted access and can lead to a compromise or attack. The security boundary of a wireless local area network (WLAN) extends from the client device to the network boundary where network access is controlled. This boundary represents the portion of the network most vulnerable to attack and must be protected. Within this boundary there must be two distinct, but related, security protection mechanisms: authentication and data-in-transit encryption. These protections ensure access control and protection from eavesdropping for both the WLAN system and the DOD network enclave. Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., Extensible Authentication Protocol (EAP)/Transport Layer Security (TLS) and Protected EAP [PEAP]), which provide credential protection and mutual authentication. Satisfies: SRG-NET-000069, SRG-NET-000070
Verify the AOS configuration with the following command: show wlan ssid-profile For each WLAN SSID: show wlan ssid-profile <SSID profile name> If a WPA Passphrase is set or if Encryption is not set with wpa2-aes or wpa3-cnsa, this is a finding.
Configure AOS with the following commands: configure terminal wlan ssid-profile <profile name> opmode <wpa2-aes or wpa3-cnsa> exit write memory