Specifications
Security Target Version 1.0 9/29/2014
72
account in the internal database and assign a predefined role to that account. User logins to the Controller are
restricted based on their assigned role. In this case, the authentication mechanism is provided by the TOE and the
credentials are maintained in the internal database. The administrator can also configure the TOE so that wireless
users are authenticated using an external authentication server [9]. The TOE supports the RADIUS, LDAP, and
TACACS+ servers. A trusted channel is established between the TOE and the authentication server. For wireless
users using 802.1X authentication, when a user client connects to the TOE, the TOE passes authentication protocol
messages between the client and the authentication server, until the user is authenticated, or authentication is denied.
As a part of the initial handshake, the authentication server presents to the client a TLS server certificate.
Communications between the client and the server are then encrypted by AES. The following authentication
protocols are supported: EAP-TLS, EAP-TTLS, PEAP.
For the EAP-TTLS and PEAP protocols, the user authenticates to the server over a TLS-encrypted connection using
a username and password. For EAP-TLS, the user uses an X.509 client certificate [10] to authenticate. The certificate
will contain the username of the user, and may contain other user-specific information. The authentication server
will maintain a list of trusted certification authorities to verify the client certificate. If the authentication fails, the
authentication server will communicate the authentication failure to the TOE. Otherwise, the authentication server
will communicate the authentication success to the TOE and send to the TOE the session key, which was derived
during the EAP-TLS/EAP-TTLS/PEAP handshake, as well as the user role attribute. The session key may be used
by the TOE to encrypt further communications with a wireless client.
For users connecting with a VPN client, the IPsec/IKE VPN is established between the TOE and the client, using
pre-shared keys or certificates, before user authentication; the user can then optionally authenticate to the external
authentication server using a username and password. The external authentication server communicates success or
failure of the authentication to the TOE.
The TOE accepts pre-shared keys for IPsec (IKEv1, IKEv2) and WPA2 (WPA-PSK, aka WPA-Personal). It accepts
bit-based pre-shared keys for all of these protocols, and it accepts text-based PSKs that are transformed into bit-
based PSKs only for WPA2. Text-based keys are conditioned using PBKDF2, as specified in 802.11i.
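The PBKDF2 conditioning referred to above, as an added example (not code from the Security Target or from ArubaOS): a text passphrase is mapped to a 256-bit WPA2 PSK with PBKDF2-HMAC-SHA1, the SSID as salt and 4096 iterations, as 802.11i specifies, while a 64-hex-digit bit-based key is accepted as-is. The function names and the input checks are this example's own.

```python
import hashlib
import re

# Constructed example; not code from the Security Target or ArubaOS.
# 802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1 with the SSID as
# salt, 4096 iterations, 256-bit output.
PBKDF2_ITERATIONS = 4096
PSK_BYTES = 32


def passphrase_to_psk(passphrase: str, ssid: str) -> bytes:
    """Condition a text-based WPA2 passphrase into a 256-bit PSK."""
    # 802.11i constrains passphrases to 8..63 printable ASCII characters
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1..32 octets")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid_bytes, PBKDF2_ITERATIONS, PSK_BYTES)


def wpa2_psk(secret: str, ssid: str) -> bytes:
    """Accept a bit-based PSK (64 hex digits) or a text passphrase.

    A raw 256-bit key is used as-is; anything else is treated as a
    passphrase and conditioned with PBKDF2. The two forms cannot collide:
    a passphrase is at most 63 characters, a hex PSK is exactly 64.
    """
    if re.fullmatch(r"[0-9a-fA-F]{64}", secret):
        return bytes.fromhex(secret)
    return passphrase_to_psk(secret, ssid)


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    print(wpa2_psk("password", "IEEE").hex())
```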
When a wireless user exceeds the configured authentication threshold, the user is automatically blacklisted by the
controller, an event is logged, and an SNMP trap is sent (an optional SNMP server in the operating environment must
be set up to capture SNMP traps). By default, the maximum authentication failure threshold is set to 0 (but can be
set as high as 255), which means that there is no limit to the number of times a user can attempt to authenticate.
When users are blacklisted because they exceed the authentication failure threshold, they are blacklisted indefinitely
by default. The administrator can configure the duration of the blacklisting. Please refer to the “Management Password
Policy” section in the Aruba OS User Guide documentation for information on configuring blacklisting.
Remote administrators are configured as users who have privileges to access the CLI and Web GUI administration
interfaces. Remote administrators are authenticated as users using a local database or external authentication server.
A trusted channel is established between the TOE and the authentication server. Remote administrators
authenticate as users with a username and password via the Web GUI, and with a username and password via SSH. The Web GUI
interface provides a trusted path to connect to the TOE via HTTPS. The HTTPS interface uses a server RSA or
ECDSA certificate which is stored on the TOE.
The controller maintains a counter of failed authentication attempts for a given administrative username within the
past three minutes. An unsuccessful authentication attempt is detected when an invalid password is entered for a
valid username. If the failed authentication threshold is reached for a given username, that user account is locked
out for the configured lock-out period. Note that no indication is given to the remote system attempting to log in
that the account has been locked out – authentication simply fails as though an incorrect password had been provided.
Additionally, no indication is given to the remote system whether a given username is valid or invalid.
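Both failure-threshold behaviours described on this page, the wireless-user blacklisting (threshold 0 meaning no limit, maximum 255, indefinite unless a duration is configured) and the administrator lock-out (failures per username within a three-minute window, with the same failure response for a locked account, an unknown username and a wrong password), modelled in one tracker as an added example; this is not ArubaOS code, and the class, function names and sample credentials are constructed for the illustration.

```python
import hmac
import time
from collections import deque

# Constructed example; not ArubaOS code. One tracker models both wireless-user
# blacklisting (threshold 0 = no limit, max 255, indefinite unless a duration is
# set) and administrator lock-out (failures per username in a 3-minute window).
WINDOW_SECONDS = 180


class FailureTracker:
    def __init__(self, threshold, lockout_seconds=None, window=WINDOW_SECONDS):
        if not 0 <= threshold <= 255:
            raise ValueError("threshold must be 0..255")
        self.threshold = threshold              # 0 = unlimited attempts
        self.lockout_seconds = lockout_seconds  # None = indefinite
        self.window = window
        self._failures = {}      # user -> deque of failure timestamps
        self._locked_until = {}  # user -> release time (inf = indefinite)

    def is_locked(self, user, now=None):
        now = time.time() if now is None else now
        return now < self._locked_until.get(user, 0)

    def record_failure(self, user, now=None):
        """Return True when this failure triggers a lock-out (log + SNMP trap)."""
        now = time.time() if now is None else now
        q = self._failures.setdefault(user, deque())
        q.append(now)
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        if self.threshold and len(q) >= self.threshold:
            release = float("inf") if self.lockout_seconds is None else now + self.lockout_seconds
            self._locked_until[user] = release
            q.clear()
            return True
        return False


def check_login(tracker, known_users, user, password, now=None):
    """Uniform result: locked account, unknown user and wrong password all give 'failure'."""
    if tracker.is_locked(user, now):
        return "failure"
    expected = known_users.get(user, "")
    if hmac.compare_digest(expected.encode(), password.encode()):
        return "success"
    if user in known_users:  # only a bad password for a valid username counts
        tracker.record_failure(user, now)
    return "failure"
```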
In general, Aruba uses an automated test tool (Ixia IxANVL) to test conformance with RFCs and 802.1X.
Information about IxANVL is at http://www.ixiacom.com/products/network_test/applications/ixanvl/. Aruba also
uses VeriWave test tools (http://www.ixiacom.com/solutions/wifi-performance-test/) to test Wi-Fi performance –
one component of the VeriWave test suite is to exercise 802.1X capabilities of the product. Aruba also conducts
[9] The Controller accepts the user credentials and sends the credentials to the authentication server. The wireless
clients never communicate directly with the authentication server.
[10] When an authentication server is used, the credentials (password or certificate) are maintained outside the TOE.