Requirement
AC.L2-3.1.16 – Authorize wireless access prior to allowing such connections.
This control comes from NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2.
Understanding the Requirement
This control requires you to tightly restrict who and what can connect to your wireless networks. It expects you to identify all wireless access points, ensure wireless connections are authorized before a device connects, and use authentication to enforce those decisions. In practice, that means documenting your wireless environment and implementing controls so only approved users and devices can access corporate WiFi, while directing everyone else to a segregated guest network.
Policies and Procedures Needed
Establish a Wireless Access Policy that defines approved wireless networks (corporate and guest), who can approve access, how devices are authorized, and how credentials or certificates are issued, rotated, and revoked. Include procedures for device onboarding/offboarding, maintaining a hardware inventory of access points, change management for adding/modifying SSIDs, periodic access reviews, and rules for visitors and unmanaged/personal devices. Reference your overarching Information Security Policy and Acceptable Use Policy so employees understand that only company-managed devices are permitted on the corporate WiFi.
Technical Implementation
- Inventory and label your wireless infrastructure. Maintain a hardware list of every access point and controller with location, model, serial number, management IP, SSIDs broadcast, VLAN mappings, and firmware versions. Keep it current through change tickets when APs are added, moved, or retired.
- Enforce strong authentication and authorization for corporate WiFi. Use WPA3-Enterprise with 802.1X backed by a RADIUS server (e.g., NPS) integrated with your directory. Prefer certificate-based EAP-TLS issued via your MDM or PKI so only managed devices receive certificates; use AD group membership to grant or deny access.
- Segment corporate and guest access. Operate separate SSIDs and VLANs: corporate SSID for company-managed devices only; guest SSID isolated to internet-only with firewall rules blocking access to internal resources. Rotate the guest pre-shared key regularly or use a captive portal with time-limited vouchers.
- Implement a clean onboarding/offboarding flow. Require device enrollment in MDM to receive WiFi profiles and certificates, document who approved access, and revoke certificates automatically when users depart or devices are retired. Remove devices from authorized groups and disable stale accounts promptly.
- Harden and monitor the wireless environment. Disable WPS, remove default SSIDs, enforce modern ciphers, and set minimum authentication standards. Log wireless authentication events on the RADIUS server and review for anomalies. Perform periodic scans for rogue/unauthorized access points and remediate immediately.
- Control changes and exceptions. Require formal approval before creating new SSIDs, expanding coverage, or granting temporary corporate access to non-managed devices; document the business justification, scope, time limit, and compensating controls.
Example in a Small or Medium Business
A 60-person engineering firm operates two SSIDs: “Company-Corp” and “Company-Guest.” The IT manager keeps an inventory of six ceiling-mounted access points, their locations, and firmware levels, and changes go through a simple change request. “Company-Corp” uses WPA3-Enterprise with 802.1X; only laptops and phones enrolled in the firm’s MDM receive a device certificate and WiFi profile, so they can authenticate via RADIUS and are placed on the corporate VLAN. Visitors and contractors receive access to “Company-Guest,” which is rate-limited and firewalled to the internet only; the guest password rotates monthly. When a new hire joins, IT approves the request in the ticketing system, enrolls the laptop in MDM, and the device automatically connects to the corporate SSID. One day, an employee tries to connect a personal laptop to “Company-Corp,” but 802.1X rejects the attempt because the device lacks a valid certificate. The RADIUS log captures the denied connection, and the help desk reminds the employee that personal devices must use the guest network per the Acceptable Use Policy.
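The log review called for in the monitoring bullet above and illustrated by the rejected personal laptop, as an added example that is not from the original article: it checks constructed RADIUS 802.1X authentication records against the approved SSID list and the MDM enrollment inventory and returns the findings a periodic access review should follow up on. The record layout, SSID names, MAC addresses and identities are all constructed for illustration, not a real RADIUS server's log format.

```python
"""Review constructed RADIUS 802.1X events against the wireless inventory (added example)."""
from collections import Counter

# Constructed inventory: SSIDs approved through change management, MDM-enrolled device MACs.
APPROVED_SSIDS = {"Company-Corp", "Company-Guest"}
MDM_ENROLLED = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

# Constructed records: timestamp, SSID, client MAC, identity, result, method-or-reason.
RADIUS_EVENTS = """\
2024-05-01T08:01:10 Company-Corp aa:bb:cc:00:00:01 host/lt-001.corp.example ACCEPT EAP-TLS
2024-05-01T08:02:41 Company-Corp aa:bb:cc:00:00:02 host/lt-002.corp.example ACCEPT EAP-TLS
2024-05-01T08:05:03 Company-Corp de:ad:be:ef:00:99 anonymous REJECT no-client-certificate
2024-05-01T08:05:09 Company-Corp de:ad:be:ef:00:99 anonymous REJECT no-client-certificate
2024-05-01T08:05:15 Company-Corp de:ad:be:ef:00:99 anonymous REJECT no-client-certificate
2024-05-01T08:07:30 Company-Corp 11:22:33:44:55:66 jdoe ACCEPT PEAP-MSCHAPv2
2024-05-01T08:09:12 Company-Test aa:bb:cc:00:00:01 host/lt-001.corp.example ACCEPT EAP-TLS
"""

def parse_events(text):
    fields = ("ts", "ssid", "mac", "identity", "result", "reason")
    return [dict(zip(fields, line.split())) for line in text.splitlines() if line.strip()]

def review_wireless_events(text, approved_ssids, enrolled_macs,
                           corporate_ssid="Company-Corp", reject_threshold=3):
    """Return (finding, subject, detail) tuples for the access review."""
    findings = []
    rejects = Counter()
    for ev in parse_events(text):
        # An SSID outside the inventory means an unapproved change or a rogue AP.
        if ev["ssid"] not in approved_ssids:
            findings.append(("unapproved-ssid", ev["ssid"], ev["mac"]))
        if ev["result"] == "ACCEPT" and ev["ssid"] == corporate_ssid:
            # Corporate WiFi should only admit MDM-enrolled devices using certificates.
            if ev["mac"] not in enrolled_macs:
                findings.append(("corp-accept-unenrolled-device", ev["mac"], ev["identity"]))
            if ev["reason"] != "EAP-TLS":
                findings.append(("corp-accept-non-certificate-method", ev["mac"], ev["reason"]))
        if ev["result"] == "REJECT":
            rejects[ev["mac"]] += 1
    # Repeated rejections of one device warrant a help-desk follow-up, as in the scenario above.
    for mac, count in rejects.items():
        if count >= reject_threshold:
            findings.append(("repeated-reject", mac, count))
    return findings

if __name__ == "__main__":
    for finding in review_wireless_events(RADIUS_EVENTS, APPROVED_SSIDS, MDM_ENROLLED):
        print(*finding)
```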
Summary
Meeting AC.L2-3.1.16 requires clear rules about who can use wireless and strong technical controls that enforce those rules. By documenting access points, separating corporate and guest WiFi, using certificate-based 802.1X for managed devices, and instituting defined onboarding/offboarding and change processes, an SMB ensures wireless access is authorized before any connection is allowed. Regular monitoring, logging, and periodic reviews keep the configuration accurate and effective, reducing the risk of unauthorized access while keeping staff and visitors productive.