The AAA Service used for 802.1x must be configured to use secure Extensible Authentication Protocol (EAP), such as EAP-TLS, EAP-TTLS, and PEAP.

From Authentication Authorization and Accounting Service Security Requirements Guide

Part of SRG-APP-000516-AAA-000044

Associated with: CCI-000366

SRG-APP-000516-AAA-000044_rule The AAA Service used for 802.1x must be configured to use secure Extensible Authentication Protocol (EAP), such as EAP-TLS, EAP-TTLS, and PEAP.

Vulnerability discussion

Additional new EAP methods/types are still being proposed. However, the three being considered secure are EAP-TLS, EAP-TTLS, and PEAP. PEAP is the preferred EAP type to be used in DoD for its ability to support a greater number of operating systems and its capability to transmit statement of health information, per NSA NAC study.Lightweight EAP (LEAP) is a CISCO proprietary protocol providing an easy-to-deploy one password authentication. LEAP is vulnerable to dictionary attacks. A "man in the middle" can capture traffic, identify a password, and then use it to access a WLAN. LEAP is inappropriate and does not provide sufficient security for use on DOD networks.EAP-MD5 is functionally similar to CHAP and is susceptible to eavesdropping because the password credentials are sent as a hash (not encrypted). In addition, server administrators would be required to store unencrypted passwords on their servers violating other security policies. EAP-MD5 is inappropriate and does not provide sufficient security for use on DOD networks.

Check content

Verify the AAA Service used for 802.1x is configured to use secure EAP. Currently acceptable secure protocols are EAP-TLS, EAP-TTLS, and PEAP. If the AAA Service used for 802.1x is not configured to use secure EAP, this is a finding.

Fix text

Configure the AAA Service used for 802.1x to use secure EAP, such as EAP-TLS, EAP-TTLS, and PEAP.

Pro Tips

Powered by sagemincer