Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
1. Review the relevant configuration screen of the WLAN controller or access point. 2. Verify the inactive/idle session timeout setting is set for 30 minutes or less. If the inactive/idle session timeout is not set to 30 minutes or less for the entire WLAN, or the WLAN does not have the capability to enable the session timeout feature, this is a finding.
Set the WLAN inactive/idle session timeout to 30 minutes or less.
Note: If the equipment is WPA2/WPA3 certified by the Wi-Fi Alliance, it is capable of supporting this requirement. Review the WLAN equipment configuration to verify that EAP-TLS is actively used and no other methods are enabled. If EAP-TLS is not used or if the WLAN system allows users to connect with other methods, this is a finding.
Change the WLAN configuration so it supports EAP-TLS, implementing supporting PKI and AAA infrastructure as necessary. If the WLAN equipment is not capable of supporting EAP-TLS, procure new equipment capable of such support.
Review the WLAN equipment specification and verify it is FIPS 140-2/3 (CMVP) certified for data in transit, including authentication credentials. Verify the component is configured to operate in FIPS mode. If the WLAN equipment is not is FIPS 140-2/3 (CMVP) certified or is not configured to operate in FIPS mode, this is a finding.
Use WLAN equipment that is FIPS 140-2/3 (CMVP) certified. Configure the component to operate in FIPS mode.
Interview the site ISSO and SA. Determine if the site's network is configured to require certificate-based PKI authentication before a WLAN user is connected to the network. If certificate-based PKI authentication is not required prior to a DoD WLAN user accessing the DoD network, this is a finding. Note: This check does not apply to medical devices. Medical devices are permitted to connect to the WLAN using pre-shared keys.
Integrate certificate-based PKI authentication into the WLAN authentication process.
Review the device configuration to determine if the OOB management interface is assigned an appropriate IP address from the authorized OOB management network. If an IP address assigned to the interface is not from an authorized OOB management network, this is a finding.
Configure the network device so that only management traffic that ingresses and egresses the OOBM interface is permitted.
Review the device configuration to determine if the call home service or feature is disabled on the device. If the call home service is enabled on the device, this is a finding. Note: This feature can be enabled if the communication is only to a server residing in the local area network or enclave.
Configure the network device to disable the call home service or feature. Note: This feature can be enabled if the communication is only to a server residing in the local area network or enclave.