ISM-1321 ASD Information Security Manual (ISM)

Implement EAP-TLS for Secure Wireless Authentication

Use secure EAP-TLS with certificates to authenticate devices and disable other methods.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Aug 2021

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
802.1X authentication with EAP-TLS, using X.509 certificates, is used for mutual authentication; with all other EAP methods disabled on supplicants and authentication servers.

Source: ASD Information Security Manual (ISM)

Plain language

This control is about making sure the devices on your wireless network are who they say they are by using digital certificates for authentication. It matters because if an unauthorised device gets access, it could lead to data breaches, financial loss, or even damage to your organisation's reputation.

Why it matters

Without EAP-TLS mutual authentication (X.509), rogue clients/APs can connect, enabling Wi‑Fi interception and unauthorised access to internal services.

Operational notes

Maintain PKI: renew/revoke X.509 certs, validate chain/expiry, and enforce 802.1X EAP-TLS only by disabling PEAP/other EAP types on clients and RADIUS.

Implementation tips

  • The IT team should establish a certificate authority to issue digital certificates for each device that needs access to the network. They can do this by researching available services or software that meets their needs, setting it up, and ensuring it's secure.
  • Once the certificate authority is set up, IT staff should configure each device to use these certificates for logging onto the network. This involves installing the issued certificate onto each device and configuring the network connection to use it.
  • The IT team needs to disable other, less secure methods of wireless access on both the network equipment and the devices. This is done by accessing the settings in the network devices and, if needed, consulting user manuals or vendor support.
  • System managers should ensure that staff are educated about the importance of using certificates and the risks of using insecure methods. This could be done through regular training sessions and clear written instructions.
  • IT administrators should set up a schedule for regularly renewing and revoking certificates. Each certificate should have a clear expiration date, and there should be procedures in place to renew them before they expire or revoke them if a device is lost or compromised.
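The operational note and the tips above come down to one server-side check: on the RADIUS server, only EAP-TLS is enabled, it is the default, and revocation is enforced. The following is an added audit helper (not from the ISM or Control Stack) that reads a FreeRADIUS 3 `eap` module section and reports any other EAP type still enabled, a non-TLS `default_eap_type`, and a missing `check_crl = yes`; the two embedded configurations are constructed samples (weak and hardened) and `audit_eap_module` is a name chosen here.

```python
import re
# Constructed sample (weak): stock-style eap module with PEAP/TTLS/MD5/MSCHAPv2 still enabled.
WEAK_EAP_CONF = """
eap {
    default_eap_type = peap
    tls-config tls-common {
        certificate_file = ${certdir}/server.pem
        ca_file = ${cadir}/ca.pem
    }
    tls { tls = tls-common }
    md5 { }
    ttls { tls = tls-common }
    peap { tls = tls-common }
    mschapv2 { }
}
"""
# Constructed sample (hardened): EAP-TLS only, CRL checking on, TLS 1.2 floor.
HARDENED_EAP_CONF = """
eap {
    default_eap_type = tls
    tls-config tls-common {
        certificate_file = ${certdir}/server.pem
        ca_file = ${cadir}/ca.pem
        check_crl = yes
        tls_min_version = "1.2"
    }
    tls { tls = tls-common }
}
"""
def audit_eap_module(conf: str) -> dict:
    """Return enabled EAP types, default type and ISM-1321 findings for one eap { } section."""
    conf = re.sub(r"#.*", "", conf)          # drop comments
    conf = re.sub(r"\$\{[^}]*\}", "", conf)  # drop ${var} references so their braces are not counted
    enabled, default_type, depth = [], None, 0
    for m in re.finditer(r"([\w-]+)(?:\s+[\w-]+)?\s*\{|(\})|default_eap_type\s*=\s*([\w-]+)", conf):
        if m.group(1):                        # a sub-section directly under eap { } enables that EAP type
            if depth == 1 and m.group(1) != "tls-config":
                enabled.append(m.group(1))
            depth += 1
        elif m.group(2):
            depth -= 1
        elif depth == 1:
            default_type = m.group(3)
    findings = [f"non-TLS EAP type enabled: {t}" for t in enabled if t != "tls"]
    if default_type != "tls":
        findings.append(f"default_eap_type is {default_type!r}, expected 'tls'")
    if not re.search(r"check_crl\s*=\s*yes", conf):
        findings.append("check_crl is not 'yes': revoked client certificates are still accepted")
    return {"enabled": enabled, "default": default_type, "findings": findings}
```

Run it over the live `mods-enabled/eap` file to produce the "findings" list an auditor can attach as evidence; an empty list for the hardened sample is the target state.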

Audit / evidence tips

  • Ask: network configuration documentation. It should detail how devices are authenticated using certificates.

    Good: a document that clearly describes the use of certificates, with settings covering the entire network.

  • Good: an up-to-date list that matches device records with active EAP-TLS certificates.

  • Ask: training records or policy documents.

    Good: detailed attendance records or policy documents outlining wireless access procedures.

  • Ask: certificate management logs. Review the logs for certificate issuances, renewals and revocations.

    Good: comprehensive logs showing regular updates and the actions taken when certificates fall due or devices are lost.

  • Good: a dated review with specific references to the EAP-TLS implementation and any remedial actions taken.

Cross-framework mappings

How ISM-1321 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (2)

  • Annex A 8.5: ISM-1321 requires 802.1X authentication using EAP-TLS with X.509 certificates for mutual authentication on wireless networks, and disabli...
  • Annex A 8.20: ISM-1321 addresses securing wireless network access by requiring 802.1X EAP-TLS mutual authentication with X.509 certificates and disabli...

Supports (1)

  • Annex A 5.17: ISM-1321 requires EAP-TLS using X.509 certificates for mutual authentication and disabling weaker EAP methods for wireless access.
