NIST 800-171 • LEVEL 2 • ACCESS CONTROL

3.1.17 Protect Wireless Access Using Authentication and Encryption

Protect wireless access using authentication and encryption.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

Assessment objectives not available for this requirement.

Practitioner Notes

Your wireless network must use real authentication (not just a shared password) and strong encryption. A simple pre-shared key posted on a whiteboard in the break room is not going to cut it for a CUI environment.

Example 1: Configure your wireless infrastructure for WPA3-Enterprise or, at minimum, WPA2-Enterprise using 802.1X. On your RADIUS server (e.g., Windows NPS), go to NPS → RADIUS Clients and Servers → RADIUS Clients to add your access points, then create a Connection Request Policy that requires PEAP-MSCHAPv2 with machine certificates.

Example 2: On the wireless controller, disable all legacy protocols. In Aruba Central, go to Configuration → WLANs → Security and ensure that TKIP is disabled and that only AES-CCMP (or AES-GCMP for WPA3) is enabled. Also disable the WPS (Wi-Fi Protected Setup) feature, which is a known vulnerability.
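
An endpoint-side check for the two examples above, added here and not part of the original page: it audits Windows WLAN profile XML (the format written by `netsh wlan export profile`) and flags profiles that rely on a pre-shared key or a legacy cipher. The sample profiles and SSID names are constructed, and the sets of accepted authentication and cipher values are this example's assumption about what counts as compliant.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}
# Profile values treated as 802.1X Enterprise at WPA2 or better (assumed policy).
ENTERPRISE_AUTH = {"WPA2", "WPA3", "WPA3ENT", "WPA3ENT192"}
# "AES" is AES-CCMP in this schema; "GCMP256" is AES-GCMP.
STRONG_CIPHERS = {"AES", "GCMP256"}

def audit_profile(xml_text):
    """Return a list of findings for one exported profile (empty list = pass)."""
    root = ET.fromstring(xml_text)
    name = root.findtext("w:name", default="?", namespaces=NS)
    ae = root.find("w:MSM/w:security/w:authEncryption", NS)
    if ae is None:
        return [f"{name}: no authEncryption element, cannot assess"]
    auth = ae.findtext("w:authentication", default="", namespaces=NS).strip()
    cipher = ae.findtext("w:encryption", default="", namespaces=NS).strip()
    onex = ae.findtext("w:useOneX", default="false", namespaces=NS).strip()
    findings = []
    if auth not in ENTERPRISE_AUTH:
        findings.append(f"{name}: authentication '{auth}' is not 802.1X Enterprise")
    if onex.lower() != "true":
        findings.append(f"{name}: useOneX is not enabled")
    if cipher not in STRONG_CIPHERS:
        findings.append(f"{name}: cipher '{cipher}' is not AES-CCMP/AES-GCMP")
    return findings

def _profile(name, auth, cipher, onex):
    # Builds a minimal constructed profile; real exports carry more elements.
    return f"""<WLANProfile xmlns="{NS['w']}">
  <name>{name}</name>
  <MSM><security><authEncryption>
    <authentication>{auth}</authentication>
    <encryption>{cipher}</encryption>
    <useOneX>{onex}</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>"""

# Constructed samples: one compliant profile, one PSK profile, one legacy profile.
SAMPLES = [
    _profile("Corp-CUI", "WPA2", "AES", "true"),
    _profile("BreakRoom", "WPA2PSK", "AES", "false"),
    _profile("Legacy-Scanner", "WPAPSK", "TKIP", "false"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for finding in audit_profile(sample):
            print(finding)
```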