Rule ID
SV-284441r1244816_rule
Version
V1R1
CCIs
Several methods exist to secure 802.1x communications. EAP is a framework supporting multiple methods (e.g., EAP-TLS, EAP-TTLS, LEAP). PEAP is a specific, widely used EAP method that encapsulates other methods within a TLS tunnel. EAP methods, like EAP-TLS, use digital certificates for authentication while PEAP typically uses username/password credentials (PEAP-MSCHAPv2). EAP-TLS is considered superior because it eliminates password-based risks like phishing. PEAP is easier to deploy as it only requires a certificate on the server side. EAP-TLS requires a PKI to manage certificates for every device. Lightweight EAP (LEAP) is a Cisco proprietary protocol providing an easy-to-deploy, one-password authentication. LEAP is vulnerable to dictionary attacks. A "man in the middle" can capture traffic, identify a password, and then use it to access a network. LEAP is inappropriate and does not provide sufficient security for use on DoW networks. EAP-MD5 is functionally similar to CHAP and is susceptible to eavesdropping because the password credentials are sent as a hash (not encrypted). In addition, server administrators would be required to store unencrypted passwords on their servers, thus violating other security policies. EAP-MD5 is inappropriate and does not provide sufficient security for use on DoW networks. EAP-TLS is the most secure, and the preferred method in the DoW. EAP-TTLS only uses certificates on the server side and should be avoided. PEAP was previously the preferred EAP type used in DoW for its ability to support a greater number of operating systems but should also be avoided in favor of EAP-TLS.
1. In the Web UI, navigate to Signing In >> Authentication Protocol Sets. 2. View the protocol sets for 802.1X and Cert Auth. If an EAP method is listed other than EAP-TLS, this is a finding.
1. In the Web UI, navigate to Signing In >> Authentication Protocol Sets. 2. From the global view, view the protocol sets for 802.1X and Cert Auth. 3. Configure EAP-TLS.