Verify the AOS configuration with the following command:

show web-server profile

If "tlsv1.2" is not returned for "SSL/TLS Protocol Config", this is a finding.

Configure AOS with the following commands:

configure terminal
web-server profile
ssl-protocol tlsv1.2
exit
write memory
Verify the AOS configuration with the following command:

show wlan ssid-profile

For each WLAN SSID:

show wlan ssid-profile <SSID profile name>

If a WPA Passphrase is set, or if Encryption is not set to wpa2-aes or wpa3-cnsa, this is a finding.

Configure AOS with the following commands:

configure terminal
wlan ssid-profile <profile name>
opmode <wpa2-aes or wpa3-cnsa>
exit
write memory
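The two checks above (web server TLS protocol, and WPA passphrase/encryption on every SSID profile) both read an AOS "Parameter / Value" table. The script below is an added example, not part of the STIG or of Aruba's tooling: it parses that table shape from captured `show web-server profile` and `show wlan ssid-profile <name>` output and reports findings. The sample outputs are constructed to approximate the AOS layout; the exact column spacing and the value AOS prints for an unset passphrase (assumed here to be "N/A" or blank) may differ on a real controller, so verify against your own captures first.

```python
"""Offline audit of captured AOS 'show' output for the web-server TLS check
and the per-SSID encryption/passphrase check (added example, not Aruba code)."""
import re

# Constructed sample of 'show web-server profile' output (layout approximated).
WEB_SERVER_PROFILE = """\
Web Server Configuration
------------------------
Parameter                     Value
---------                     -----
Cipher Suite Strength         high
SSL/TLS Protocol Config       tlsv1.2
Web Server Port               443
"""

# Constructed samples of 'show wlan ssid-profile <name>' for three profiles.
SSID_PROFILES = {
    "corp-ssid": """\
SSID Profile "corp-ssid"
------------------------
Parameter                     Value
---------                     -----
ESSID                         xq7vbn2k
Encryption                    wpa3-cnsa
WPA Passphrase                N/A
""",
    "legacy-ssid": """\
SSID Profile "legacy-ssid"
--------------------------
Parameter                     Value
---------                     -----
ESSID                         oldnet
Encryption                    wpa2-psk-aes
WPA Passphrase                ********
""",
    "guest-ssid": """\
SSID Profile "guest-ssid"
-------------------------
Parameter                     Value
---------                     -----
ESSID                         p9k2mzd4
Encryption                    wpa2-aes
WPA Passphrase                N/A
""",
}

ALLOWED_ENCRYPTION = {"wpa2-aes", "wpa3-cnsa"}   # the two modes the check accepts
UNSET_VALUES = {"", "N/A", "n/a"}                # assumed rendering of "no passphrase"


def parse_show_table(text):
    """Turn an AOS 'Parameter  Value' table into a dict.
    Each line is split on the first run of two or more spaces; title,
    header and dashed separator lines are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or set(line) <= {"-", " "} or line.startswith("Parameter"):
            continue
        parts = re.split(r"\s{2,}", line, maxsplit=1)
        if len(parts) == 2:
            params[parts[0].strip()] = parts[1].strip()
    return params


def check_web_server_tls(show_output):
    """True when 'SSL/TLS Protocol Config' is exactly tlsv1.2."""
    return parse_show_table(show_output).get("SSL/TLS Protocol Config") == "tlsv1.2"


def check_ssid_profile(show_output):
    """Return a list of finding strings for one SSID profile (empty = compliant)."""
    params = parse_show_table(show_output)
    findings = []
    if params.get("WPA Passphrase", "") not in UNSET_VALUES:
        findings.append("WPA Passphrase is set (pre-shared key in use)")
    enc = params.get("Encryption", "")
    if enc not in ALLOWED_ENCRYPTION:
        findings.append(f"Encryption is {enc!r}, expected wpa2-aes or wpa3-cnsa")
    return findings


def audit(web_output, ssid_outputs):
    """Map each non-compliant item (web server or SSID profile name) to its findings."""
    report = {}
    if not check_web_server_tls(web_output):
        report["web-server"] = ["SSL/TLS Protocol Config is not tlsv1.2"]
    for name, output in ssid_outputs.items():
        findings = check_ssid_profile(output)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for item, findings in audit(WEB_SERVER_PROFILE, SSID_PROFILES).items():
        print(f"FINDING {item}: " + "; ".join(findings))
```

Feed the script real captures (one file per `show` command) and treat any key in the returned report as a finding against the corresponding requirement; the legacy profile in the sample trips both conditions at once.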
Verify the AOS configuration with the following commands:

show fips
show ap system-profile

For each configured ap system profile:

show ap system-profile <profile-name> | include FIPS

If FIPS is not enabled, this is a finding.

Configure AOS with the following commands:

configure terminal

For each ap system-profile, run the following commands:

ap system-profile <profile-name>
fips-enable
exit

fips enable
write memory
reload
Verify the AOS configuration with the following command:

show firewall-cp

Verify that nonessential capabilities, functions, ports, protocols, and/or services are denied. If any nonessential capabilities, functions, ports, protocols, and/or services are allowed, this is a finding.

Configure AOS with the following commands:

configure terminal
firewall cp
ipv4 deny any proto 6 ports 17 17
ipv4 deny any proto 6 ports 8080 8080
ipv4 deny any proto 6 ports 8081 8081
ipv4 deny any proto 6 ports 8082 8082
ipv4 deny any proto 6 ports 8088 8088
ipv6 deny any proto 6 ports 17 17
ipv6 deny any proto 6 ports 8080 8080
ipv6 deny any proto 6 ports 8081 8081
ipv6 deny any proto 6 ports 8082 8082
ipv6 deny any proto 6 ports 8088 8088
exit
write memory

Block any other ports as desired using the following example:

<ipv4/ipv6> deny any proto <ftp, http, telnet, tftp, protocol #> ports <start port 0-65535> <end port 0-65535>
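The control-plane rules above are easy to leave half-applied across controllers (one family done, the other not). The script below is an added example, not from the STIG or Aruba: given the `firewall cp` stanza of a running config, written in the same `ipv4 deny any proto 6 ports S E` syntax the fix text uses, it lists which of the required deny entries are absent and emits only the commands needed to add them. The sample stanza is constructed and deliberately lacks two IPv6 entries (one of them replaced by a permit). It checks presence only; it does not model AOS rule ordering, so review the full stanza for an earlier permit that would shadow a deny.

```python
"""Find missing control-plane deny rules in an AOS 'firewall cp' stanza and
generate the remediation commands (added example, not Aruba code)."""
import re

# Ports the fix text denies for TCP (protocol 6) on both address families.
REQUIRED_PORTS = (17, 8080, 8081, 8082, 8088)
REQUIRED = {(fam, 6, p, p) for fam in ("ipv4", "ipv6") for p in REQUIRED_PORTS}

# Constructed sample stanza; ipv6 8082 is permitted and ipv6 8088 is absent.
SAMPLE_STANZA = """\
firewall cp
  ipv4 deny any proto 6 ports 17 17
  ipv4 deny any proto 6 ports 8080 8080
  ipv4 deny any proto 6 ports 8081 8081
  ipv4 deny any proto 6 ports 8082 8082
  ipv4 deny any proto 6 ports 8088 8088
  ipv6 deny any proto 6 ports 17 17
  ipv6 deny any proto 6 ports 8080 8080
  ipv6 deny any proto 6 ports 8081 8081
  ipv6 permit any proto 6 ports 8082 8082
!
"""

RULE_RE = re.compile(
    r"^\s*(ipv4|ipv6)\s+(deny|permit)\s+any\s+proto\s+(\d+)\s+ports\s+(\d+)\s+(\d+)\s*$"
)


def parse_cp_rules(stanza):
    """Return (family, action, proto, start_port, end_port) tuples, in stanza order."""
    rules = []
    for line in stanza.splitlines():
        m = RULE_RE.match(line)
        if m:
            fam, action, proto, start, end = m.groups()
            rules.append((fam, action, int(proto), int(start), int(end)))
    return rules


def covered_by_deny(rule, fam, proto, port):
    """True if this rule is a deny for the same family/protocol whose range includes port."""
    rfam, action, rproto, start, end = rule
    return rfam == fam and action == "deny" and rproto == proto and start <= port <= end


def missing_denies(stanza):
    """Required (family, proto, start, end) entries with no covering deny rule, sorted."""
    rules = parse_cp_rules(stanza)
    return [
        req for req in sorted(REQUIRED)
        if not any(covered_by_deny(r, req[0], req[1], req[2]) for r in rules)
    ]


def remediation_commands(stanza):
    """Commands, in the fix text's syntax, that add only the missing entries."""
    cmds = ["configure terminal", "firewall cp"]
    for fam, proto, start, end in missing_denies(stanza):
        cmds.append(f"{fam} deny any proto {proto} ports {start} {end}")
    cmds += ["exit", "write memory"]
    return cmds


if __name__ == "__main__":
    for req in missing_denies(SAMPLE_STANZA):
        print("missing deny:", req)
    print("\n".join(remediation_commands(SAMPLE_STANZA)))
```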
Verify the AOS configuration using the web interface: Navigate to Configuration >> Services >> Firewall. If the organization-defined safeguards are not enabled to protect against known DoS attacks, this is a finding.
Configure AOS using the web interface: Navigate to Configuration >> Services >> Firewall and enable DoS protection in accordance with organization-defined policy. Click Submit >> Pending Changes >> Deploy Changes.
Verify the AOS configuration with the following command:

show crypto-local ipsec-map

If the configured IPsec maps are not configured to support a security association lifetime of 28,800 seconds (8 hours), this is a finding.

Configure AOS with the following commands:

configure terminal
crypto-local ipsec-map <name> <priority>
set security-association lifetime seconds 28800
exit
write memory
If the AP is not being used as a Remote AP, this check is not applicable.

Verify the AOS configuration with the following commands:

1. Site-to-site VPN:

show crypto-local ipsec-map

If a CA certificate and Server certificate are not configured for each IPsec map, this is a finding.

2. Hardware client VPN:

show "remote ap profile"

If certificate authentication is not configured for each RAP profile, this is a finding.

Configure AOS using the web interface:

1. Navigate to Configuration >> Services >> VPN and expand "Site-to-Site".
2. Select the configured site-to-site VPN IPsec maps. Select the applicable Server certificate. Select the applicable trusted DOD root CA under "CA certificate:".
3. Click Submit >> Pending Changes >> Deploy Changes.
4. Navigate to Configuration >> Access Points >> Remote APs tab.
5. Select the check box next to the AP Name in the Remote AP table and click "Provision".
6. In the "General" tab, select "Certificate" from the "Authentication method:" drop-down list.
7. Click "Submit" to apply the configuration and reboot the AP as a certificate Remote AP.
8. Click Pending Changes >> Deploy Changes.
If AOS is not being used for CSFC, this requirement is not applicable.

1. Verify the AOS configuration with the following command:

show crypto-local ipsec-map

Note the IKEv2 Policy number for each configured map.

2. For each configured policy number, run the following command:

show crypto isakmp policy <IKEv2 Policy #>

3. Verify each configured transform-set with the following command:

show crypto ipsec transform-set

If the configured IPsec map, ISAKMP policy, and transform-set do not contain the following, this is a finding:

ECDSA 384 certificate
IKEv2 policy with AES256, SHA-384, ECDSA-384, Group 20
Transform set with AES-256-GCM

Configure AOS with the following commands:

crypto pki csr ec curve_name secp384r1 common_name <common_name> country <US> state_or_province <state> city <city> organization <org> unit <unit> email <email>
show crypto pki csr

1. Use DOD PKI to generate a public certificate based on the CSR.
2. Using the web GUI, navigate to Configuration >> System >> Certificates >> Import Certificates.
3. Click the plus sign (+) and enter "Certificate name:", browse to the public certificate file, choose the appropriate format, "ServerCert" type, and click "Submit".
4. Navigate to Configuration >> System >> Admin, choose the imported certificate under "Server Certificate", and click "Submit".
5. Click Pending Changes >> Deploy Changes.

configure terminal
crypto ipsec transform-set <name> esp-aes256-gcm
crypto isakmp policy <#>
authentication ecdsa-384
encryption aes256
group 20
hash sha2-384-192
prf prf-hmac-sha384
version v2
exit
crypto-local ipsec-map <name> <priority>
set transform-set <set created earlier name>
<configure VPN settings as needed>
exit
write memory
Verify the AOS configuration with the following commands:

show running-configuration | include split-tunnel
show running-config | include double-encrypt

If any instances of forward-mode split-tunnel are found, or if double-encrypt is not enabled, this is a finding.

Configure AOS using the web interface:

1. Navigate to Configuration >> System >> Profiles.
2. Under "All Profiles", expand "Virtual AP".
3. Select each Virtual AP profile. Under "General", select tunnel as the Forward mode.
4. Click Submit >> Pending Changes >> Deploy Changes.
5. In configuration mode (CLI), for each ap system-profile, run the following commands:

ap system-profile <profile-name>
double-encrypt
exit
write memory
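Three of the requirements above (IPsec SA lifetime of 28800 seconds, the CSFC IKEv2 policy and AES-256-GCM transform set, and no split-tunnel forwarding plus double-encrypt on every ap system-profile) can all be read from one `show running-config` capture rather than from separate `| include` greps. The script below is an added example, not from the STIG or Aruba: it splits the running config into stanzas (a non-indented header line, indented body lines, closed by `!`) and evaluates each relevant stanza against the expected lines, which are taken verbatim from the fix texts. The sample config is constructed in that stanza shape, with several intentional deviations; it audits every `crypto isakmp policy` stanza rather than only the ones an IPsec map references, which is stricter than the check text.

```python
"""Audit an AOS running-config capture for SA lifetime, CSFC IKEv2/transform
settings, split-tunnel forwarding and double-encrypt (added example, not Aruba code)."""

# Constructed sample running config with deliberate deviations:
# site-b has a 24h SA lifetime, "branch" lacks double-encrypt, legacy-vap split-tunnels.
SAMPLE_CONFIG = """\
crypto ipsec transform-set "csfc-gcm" esp-aes256-gcm
!
crypto isakmp policy 10
   version v2
   authentication ecdsa-384
   encryption aes256
   group 20
   hash sha2-384-192
   prf prf-hmac-sha384
!
crypto-local ipsec-map "site-a" 100
   set transform-set "csfc-gcm"
   set security-association lifetime seconds 28800
!
crypto-local ipsec-map "site-b" 110
   set transform-set "csfc-gcm"
   set security-association lifetime seconds 86400
!
ap system-profile "default"
   double-encrypt
!
ap system-profile "branch"
!
wlan virtual-ap "corp-vap"
   forward-mode tunnel
!
wlan virtual-ap "legacy-vap"
   forward-mode split-tunnel
!
"""

# Body lines a CSFC IKEv2 policy must contain (from the fix text).
CSFC_POLICY_LINES = {
    "version v2", "authentication ecdsa-384", "encryption aes256",
    "group 20", "hash sha2-384-192", "prf prf-hmac-sha384",
}
SA_LIFETIME_LINE = "set security-association lifetime seconds 28800"


def parse_stanzas(config):
    """Return [(header, [body lines])] for each top-level stanza."""
    stanzas, header, body = [], None, []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line == "!":                      # explicit end of stanza
            if header is not None:
                stanzas.append((header, body))
            header, body = None, []
        elif line[0].isspace():              # indented: belongs to current stanza
            body.append(line.strip())
        else:                                # new header; close the previous one
            if header is not None:
                stanzas.append((header, body))
            header, body = line, []
    if header is not None:
        stanzas.append((header, body))
    return stanzas


def audit_running_config(config):
    """Return finding strings, one per non-compliant stanza, in config order."""
    findings = []
    for header, body in parse_stanzas(config):
        if header.startswith("crypto-local ipsec-map "):
            if SA_LIFETIME_LINE not in body:
                findings.append(f"{header}: SA lifetime is not 28800 seconds")
        elif header.startswith("crypto isakmp policy "):
            missing = sorted(CSFC_POLICY_LINES - set(body))
            if missing:
                findings.append(f"{header}: missing {missing}")
        elif header.startswith("crypto ipsec transform-set "):
            if not header.endswith(" esp-aes256-gcm"):
                findings.append(f"{header}: transform is not esp-aes256-gcm")
        elif header.startswith("wlan virtual-ap "):
            if "forward-mode split-tunnel" in body:
                findings.append(f"{header}: forward-mode split-tunnel configured")
        elif header.startswith("ap system-profile "):
            if "double-encrypt" not in body:
                findings.append(f"{header}: double-encrypt not enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_running_config(SAMPLE_CONFIG):
        print("FINDING", finding)
```

Unrelated stanzas are ignored, so the whole running config can be passed in as captured; a real capture will also contain quoting or ordering differences, and the expected lines should be adjusted to match how the controller actually renders them.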
Verify the AOS configuration using the web interface:

1. Navigate to Configuration >> WLANs and select the desired WLAN in the WLANs field.
2. Under the selected WLAN, select "Security". Note which Auth servers are configured.
3. Navigate to Configuration >> Authentication.
4. In the "All Servers" field, select each WLAN authentication server noted earlier.
5. Verify each configured authentication server is configured to support EAP-TLS with DOD PKI.

If each WLAN authentication server is not configured to support EAP-TLS with DOD PKI, this is a finding.

Configure AOS using the web interface:

1. Navigate to Configuration >> Authentication.
2. Click the plus sign (+) under the "All Servers" field.
3. Add enterprise RADIUS servers by providing the Name and IP address/hostname.
4. Click on the added RADIUS server. Configure the Shared key.
5. Click Submit >> Pending Changes >> Deploy Changes.
6. Navigate to Configuration >> WLANs and select the desired WLAN in the "WLANs" field.
7. Under the selected WLAN, select "Security".
8. Click the plus sign (+) in the "Auth servers:" field and add the previously created enterprise RADIUS servers.
9. Click Submit >> Pending Changes >> Deploy Changes.
Interview the site information system security officer (ISSO). Determine if scanning by a WIDS is being conducted and if it is continuous or periodic. If a continuous scanning WIDS is used, there is no finding. If periodic scanning is used, verify the exception to policy is documented and signed by the AO. Verify the exception meets one of the required criteria. If periodic scanning is being performed but requirements have not been met, this is a finding. If no WIDS scanning is being performed at the site, this is a finding.
Configure AOS using the web interface:

1. To provision access points as dedicated air monitors to perform continuous WIDS scanning, navigate to Configuration >> AP Groups.
2. Click on the "+" sign to add a new AP group.
3. Name the group.
4. Select the created group.
5. Click on "Radio". Change each Radio mode to "am-mode".
6. Click Submit >> Pending Changes >> Deploy Changes.
7. Navigate to "Access Points".
8. Select "Allowlist".
9. Configure the desired access points as air monitors by provisioning them to the AP group created earlier.
10. Click Submit >> Pending Changes >> Deploy Changes.

Note: Access points in ap-mode perform WIDS scanning between processing client data packets. Air monitors do not advertise WLANs or handle client data.

Verify the AOS configuration using the web interface:

1. Navigate to Configuration >> System >> More tab.
2. Expand "Phone Home".

If "Phone Home" is enabled, this is a finding.

Configure AOS using the web interface:

1. Navigate to Configuration >> System >> More tab.
2. Expand "Phone Home".
3. Click the toggle button to disable "Phone Home".
4. Click Submit >> Pending Changes >> Deploy Changes.
Verify the AOS configuration with the following command:

show ip route verbose

If the management traffic network is not configured with a route to the OOBM gateway, this is a finding.

Configure AOS with the following commands:

configure terminal
ip default-gateway mgmt <A.B.C.D IPv4 address>
ipv6 default-gateway mgmt <X:X:X:X::X IPv6 address>
write memory
Review AOS WLAN configuration by navigating to Configuration >> WLANs. If the WLAN SSIDs listed in the "NAME (SSID)" column are not pseudo random words, this is a finding.
Configure AOS using the web interface:

1. Navigate to Configuration >> WLANs and click on the "+" sign to create a guest WLAN.
2. Configure the SSID with a pseudo random word.
3. Finish configuring the WLAN.
4. Click Pending Changes >> Deploy Changes.