Corporate SSID uses 802.1X (EAP-TLS / PEAP)
Demonstrate that the corporate wireless SSID enforces 802.1X authentication using EAP-TLS or PEAP, ensuring only authenticated users and devices can access the network.
Description
What this control does
This control requires that the corporate wireless network uses 802.1X authentication with strong Extensible Authentication Protocol (EAP) methods, specifically EAP-TLS (certificate-based) or PEAP (Protected EAP, which carries a username/password exchange inside a TLS tunnel). 802.1X provides per-user or per-device authentication before granting network access, replacing a shared pre-shared key (PSK) with centralized identity verification through a RADIUS server. This prevents unauthorized devices from connecting to the corporate SSID and ensures individual accountability for wireless network access.
Control objective
What auditing this proves
Demonstrate that the corporate wireless SSID enforces 802.1X authentication using EAP-TLS or PEAP, ensuring only authenticated users and devices can access the network.
Associated risks
Risks this control addresses
- Unauthorized devices gain corporate network access by obtaining or cracking a shared Wi-Fi password (PSK)
- Attackers perform credential stuffing or password spraying attacks when weak or no authentication is enforced on wireless access
- Insider threats share Wi-Fi credentials with unauthorized guests or contractors without revocation capability
- Lack of individual user accountability enables malicious activity to evade attribution and forensic investigation
- Rogue devices bypass network access controls by exploiting weak WPA2-PSK encryption vulnerabilities (e.g., KRACK attacks)
- Compromised credentials cannot be individually revoked without changing the entire network password and re-keying all legitimate devices
- Man-in-the-middle attacks succeed when mutual authentication between client and network is not enforced
Testing procedure
How an auditor verifies this control
- Obtain the wireless network architecture diagram and identify all corporate SSIDs designated for employee and internal system use.
- Review the wireless controller or access point configuration files to confirm 802.1X is enabled as the authentication method for the corporate SSID.
- Verify that the RADIUS server configuration specifies EAP-TLS or PEAP as permitted authentication protocols and that weaker methods (EAP-MD5, LEAP) are disabled.
- Examine RADIUS server logs for a sample of recent successful authentications to confirm EAP-TLS or PEAP methods are in use and no fallback to PSK occurs.
- Attempt to connect a test device to the corporate SSID without valid 802.1X credentials to confirm access is denied and the connection fails at the authentication phase.
- Inspect certificate management procedures for EAP-TLS deployments, verifying that client certificates are issued, tracked, and subject to revocation processes.
- Review user provisioning and deprovisioning procedures to confirm wireless access credentials are tied to identity lifecycle management and revoked upon termination.
- Test a sample of endpoint devices (laptops, mobile devices) to verify their supplicant configurations are set to use 802.1X with EAP-TLS or PEAP for the corporate SSID.
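As an added example (not part of this control text), the following Python script audits wpa_supplicant-style network blocks the way the supplicant check above asks: it passes only profiles for the corporate SSID that use key_mgmt=WPA-EAP with eap=TLS or eap=PEAP, flags a configured PSK or any other EAP method, and also checks that the supplicant validates the RADIUS server certificate (ca_cert plus a server name match), which is what makes the authentication mutual. The SSID name, certificate path and the profile contents are constructed sample values.

```python
import re
CORP_SSID = "CorpWiFi"        # assumed name of the corporate SSID
STRONG_EAP = {"TLS", "PEAP"}  # the only EAP methods the control permits

# Constructed sample: compliant EAP-TLS block; PEAP block that also allows EAP-MD5 and skips server certificate checks; legacy WPA2-PSK block.
SAMPLE_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    ca_cert="/etc/ssl/corp-ca.pem"
    domain_suffix_match="radius.example.com"
}
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP MD5
}
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-PSK
    psk="example-shared-secret"
}
"""

def parse_blocks(conf):
    # Each network={...} block becomes a dict; comments and value quotes are dropped.
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        pairs = (ln.split("#", 1)[0].strip().partition("=") for ln in body.splitlines())
        blocks.append({k.strip(): v.strip().strip('"') for k, _, v in pairs if k.strip()})
    return blocks

def audit_block(net):
    # Findings for one block; an empty list means the block satisfies the control.
    findings = ["pre-shared key present"] if "psk" in net else []
    if "WPA-EAP" not in net.get("key_mgmt", "").split():
        return findings + [f"key_mgmt {net.get('key_mgmt', '')!r} is not 802.1X (WPA-EAP)"]
    methods = set(net.get("eap", "").upper().split())
    if not methods or not methods <= STRONG_EAP:
        findings.append(f"EAP methods {sorted(methods) or 'unset'} are not limited to TLS/PEAP")
    # Mutual authentication: without a pinned CA and server name the supplicant cannot tell the corporate RADIUS server from an impostor.
    if "ca_cert" not in net:
        findings.append("no ca_cert: RADIUS server certificate is not validated")
    if not any(k in net for k in ("domain_suffix_match", "domain_match", "altsubject_match")):
        findings.append("no server name match: any certificate from the CA is accepted")
    return findings

def audit_conf(conf, ssid=CORP_SSID):
    return [audit_block(n) for n in parse_blocks(conf) if n.get("ssid") == ssid]
```

Run it against the exported profiles of each sampled endpoint; any non-empty findings list is an exception for the auditor to record.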
Where this control is tested