Specifications
Security Target Version 1.0 9/29/2014
43
5.2.4 Identification and authentication (FIA)
5.2.4.1 Extended: 802.1X Port Access Entity (Authenticator) Authentication (FIA_8021X_EXT.1)
FIA_8021X_EXT.1.1
The TSF shall conform to IEEE Standard 802.1X for a Port Access Entity (PAE) in the
'Authenticator' role.
FIA_8021X_EXT.1.2
The TSF shall support communications to a RADIUS authentication server conforming to RFCs
2865 and 3579.
FIA_8021X_EXT.1.3
The TSF shall ensure that no access to its 802.1X controlled port is given to the wireless client
prior to successful completion of this authentication exchange.
Component Assurance Activity:
In order to show that the TSF implements the 802.1X-2010 standard correctly, the evaluator shall
ensure that the TSS contains the following information:
• the sections (clauses) of the standard that the TOE implements;
• For each identified section, any options allowed by the standards are specified; and
• For each identified section, any non-conformance is identified and described, including a
justification for the non-conformance.
Because the connection to the RADIUS server will be contained in an IPsec tunnel
(FCS_IPSEC_EXT.1), the security mechanisms detailed in the RFCs identified in the requirement
are not relied on to provide protection for these communications. Consequently, no extensive
analysis of the RFCs is required. However, the evaluator shall ensure that the TSS describes the
measures (documentation, testing) that are taken by the product developer to ensure that the TOE
conforms to the RFCs listed in this requirement.
The evaluator shall also perform the following tests:
• Test 1: The evaluator shall demonstrate that a wireless client has no access to the test network.
After successfully authenticating with a RADIUS server through the TOE, the evaluator shall
demonstrate that the wireless client does have access to the test network.
• Test 2: The evaluator shall demonstrate that a wireless client has no access to the test network.
The evaluator shall attempt to authenticate using an invalid client certificate, such that the
EAP-TLS negotiation fails. This should result in the wireless client still being unable to
access the test network.
• Test 3: The evaluator shall demonstrate that a wireless client has no access to the test network.
The evaluator shall attempt to authenticate using an invalid RADIUS certificate, such that the
EAP-TLS negotiation fails. This should result in the wireless client still being unable to
access the test network.
It should be noted that tests 2 and 3 above are not tests that "EAP-TLS works", although that's a
by-product of the test. The test is actually that a failed authentication (under two failure modes)
results in denial of access to the network, which is the 3rd element of this component.
5.2.4.2 Authentication Failure Handling (FIA_AFL.1)
FIA_AFL.1.1
Refinement: The TSF shall detect when an Authorized Administrator configurable positive integer
of successive unsuccessful authentication attempts occur related to administrators attempting to
authenticate remotely.
FIA_AFL.1.2
When the defined number of unsuccessful authentication attempts has been met, the TSF shall
[prevent the offending remote administrator from successfully authenticating until an
Authorized Administrator defined time period has elapsed].