STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-266703

CAT II (Medium)

When AOS is used as a wireless local area network (WLAN) controller, WLAN Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) implementation must use certificate-based public key infrastructure (PKI) authentication to connect to DOD networks.

Rule ID

SV-266703r1040640_rule

STIG

HPE Aruba Networking AOS Wireless Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-001444

Discussion

DOD certificate-based PKI authentication is strong, two-factor authentication that relies on carefully evaluated cryptographic modules. Implementations of EAP-TLS that are not integrated with certificate-based PKI could have security vulnerabilities. For example, an implementation that uses a client certificate on a laptop without a second factor could enable an adversary with access to the laptop to connect to the WLAN without a PIN or password. Systems that do not use certificate-based PKI are also much more likely to be vulnerable to weaknesses in the underlying PKI that supports EAP-TLS. Certificate-based PKI authentication must be used to connect WLAN client devices to DOD networks. The certificate-based PKI authentication should directly support the WLAN EAP-TLS implementation. At least one layer of user authentication must enforce network authentication requirements (e.g., CAC authentication) before the user is able to access DOD information resources.

Check Content

Verify the AOS configuration using the web interface:

1. Navigate to Configuration >> WLANs and select the desired WLAN in the WLANs field.
2. Under the selected WLAN, select "Security". Note which Auth servers are configured.
3. Navigate to Configuration >> Authentication.
4. In the "All Servers" field, select each WLAN authentication server noted earlier.
5. Verify each configured authentication server is configured to support EAP-TLS with DOD PKI.

If any WLAN authentication server is not configured to support EAP-TLS with DOD PKI, this is a finding.

Fix Text

Configure AOS using the web interface: 

1. Navigate to Configuration >> Authentication. 
2. Click the plus sign (+) under the "All Servers" field. 
3. Add enterprise RADIUS servers by providing the Name and IP address/hostname. 
4. Click on the added RADIUS server. Configure the Shared key. 
5. Click Submit >> Pending Changes >> Deploy Changes. 
6. Navigate to Configuration >> WLANs and select the desired WLAN in the "WLANs" field. 
7. Under the selected WLAN, select "Security". 
8. Click the plus sign (+) in the "Auth servers:" field and add the previously created enterprise RADIUS servers. 
9. Click Submit >> Pending Changes >> Deploy Changes.
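The check and fix above are web-interface steps. As an added example (not part of the STIG text and not HPE Aruba code), the following Python script applies the same check to the CLI form of the configuration, i.e. `show running-config` output, walking virtual AP >> AAA profile >> 802.1X server group >> RADIUS servers and reporting a finding for any WLAN whose chain does not end in a defined RADIUS server with a host and shared key. The mapping of the web-UI objects (RADIUS server with name, host and shared key; WLAN "Auth servers") onto the ArubaOS CLI blocks `aaa authentication-server radius`, `aaa server-group`, `aaa profile` and `wlan virtual-ap` is assumed from ArubaOS CLI usage; the sample configuration and all object names (`dod-radius-1`, `dod-vap`, `guest-vap`, and so on) are constructed for the example.

```python
import re

# Constructed sample of ArubaOS running-config output (not from the page).
# Names are hypothetical. "dod-vap" is bound to two RADIUS servers through
# its AAA profile; "guest-vap" uses an AAA profile with no 802.1X server group.
SAMPLE_CONFIG = """\
aaa authentication-server radius "dod-radius-1"
   host 10.0.0.11
   key ********
!
aaa authentication-server radius "dod-radius-2"
   host radius2.example.mil
   key ********
!
aaa server-group "dod-eap-tls"
   auth-server "dod-radius-1"
   auth-server "dod-radius-2"
!
aaa profile "dod-wlan-aaa"
   authentication-dot1x "default"
   dot1x-server-group "dod-eap-tls"
!
aaa profile "guest-aaa"
   initial-role "guest-logon"
!
wlan virtual-ap "dod-vap"
   aaa-profile "dod-wlan-aaa"
!
wlan virtual-ap "guest-vap"
   aaa-profile "guest-aaa"
!
"""

# Block headers the check cares about; every other block is skipped.
HEADER_RE = re.compile(
    r'^(?P<kind>aaa authentication-server radius|aaa server-group'
    r'|aaa profile|wlan virtual-ap) "(?P<name>[^"]+)"$')


def parse_blocks(config):
    """Return [(kind, name, {attr: [values]})] for each '!'-terminated block."""
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            if current:
                blocks.append(current)
            current = None
            continue
        m = HEADER_RE.match(line)
        if m:
            current = (m.group("kind"), m.group("name"), {})
        elif current is not None:
            attr, _, value = line.partition(" ")
            # repeated attributes (auth-server ...) accumulate in order
            current[2].setdefault(attr, []).append(value.strip().strip('"'))
    if current:
        blocks.append(current)
    return blocks


def load(config):
    """Index parsed blocks as (radius_servers, server_groups, aaa_profiles, virtual_aps)."""
    radius, groups, profiles, vaps = {}, {}, {}, {}
    for kind, name, attrs in parse_blocks(config):
        if kind == "aaa authentication-server radius":
            radius[name] = attrs
        elif kind == "aaa server-group":
            groups[name] = attrs.get("auth-server", [])
        elif kind == "aaa profile":
            profiles[name] = attrs
        elif kind == "wlan virtual-ap":
            vaps[name] = attrs.get("aaa-profile", [None])[0]
    return radius, groups, profiles, vaps


def check_v266703(config):
    """Return {virtual_ap: [reasons]}; an empty dict means no finding."""
    radius, groups, profiles, vaps = load(config)
    findings = {}
    for vap, profile_name in vaps.items():
        reasons = []
        profile = profiles.get(profile_name)
        if profile is None:
            reasons.append(f"aaa-profile {profile_name!r} is not defined")
        else:
            group = profile.get("dot1x-server-group", [None])[0]
            servers = groups.get(group, []) if group else []
            if not servers:
                reasons.append("no 802.1X server group with auth servers")
            for srv in servers:
                entry = radius.get(srv)
                if entry is None:
                    reasons.append(f"auth-server {srv!r} is not a defined RADIUS server")
                elif "host" not in entry or "key" not in entry:
                    # the shared key is masked in show output, so only presence is checked
                    reasons.append(f"RADIUS server {srv!r} lacks host or shared key")
        if reasons:
            findings[vap] = reasons
    return findings


if __name__ == "__main__":
    for vap, reasons in check_v266703(SAMPLE_CONFIG).items():
        print(f"FINDING {vap}: " + "; ".join(reasons))
```

Run against a saved `show running-config` the script lists each WLAN that is not bound to a defined RADIUS server. Note the limit of what the controller side can prove: the AOS configuration only shows that the WLAN hands 802.1X to those servers. Whether each server actually performs EAP-TLS against DOD PKI (trusted DOD root and intermediate certificates, revocation checking, client certificates from CAC or device PKI) is enforced on the RADIUS server itself, so step 5 of the check must be completed there, not from the AOS configuration alone.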