Specifications
Security Target Version 1.0 9/29/2014
73
interoperability testing through custom-built automated test beds which contain numerous client operating systems
(Windows XP, Windows Vista, Windows 7, Windows 8, Mac OS X, Linux, Apple iOS, Android, etc.) connecting to
Aruba Wi-Fi access points. Finally, the products are Wi-Fi certified by the Wi-Fi Alliance; conformance with
802.1X and EAP/RADIUS is a requirement to pass these tests.
The Identification and authentication function is designed to satisfy the following security functional requirements:
• FIA_8021X_EXT.1: see above
• FIA_AFL.1: After an administrator-specified number of failed attempts, the TOE will lock out (blacklist)
the offending remote administrator, log the event, and send an SNMP trap. The offending administrator will
remain locked out until the lock-out period has expired. The administrator can configure the lock-out
period with two parameters:
- password-lock-out: the number of failed attempts within a 3-minute window that locks out the user.
This limits the number of passwords that can be guessed in a short time. The lockout is cleared
automatically after the configured "lock-out" minutes. Range: 0-10 attempts. Default: 0 (lockout of
users is disabled by default).
- password-lock-out-time: the number of minutes the user stays locked out. The lockout is cleared
without administrator intervention. Range: 1 min to 1440 min (24 hrs). Default: 3 min.
• FIA_AFL.1 is enforced by the TOE itself, including when an external authentication server is used.
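The counting and clearing behaviour described for FIA_AFL.1 above, as an added Python model that is not Aruba's code: it assumes the 3-minute counting window is fixed, that the two parameters carry the ranges and defaults listed, and that a lockout clears itself once the lock-out period elapses.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=3)  # failures are counted inside the ST's fixed 3-minute window

class LoginLockout:
    def __init__(self, lock_out_attempts=0, lock_out_minutes=3):
        # Same ranges and defaults as the two ST parameters.
        if not 0 <= lock_out_attempts <= 10:
            raise ValueError("password-lock-out must be 0-10 attempts")
        if not 1 <= lock_out_minutes <= 1440:
            raise ValueError("password-lock-out-time must be 1-1440 minutes")
        self.attempts = lock_out_attempts
        self.lock_period = timedelta(minutes=lock_out_minutes)
        self.failures = {}      # user -> deque of failure times within the window
        self.locked_until = {}  # user -> time the lockout expires
        self.events = []        # stand-in for the audit record and SNMP trap

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # The lockout clears on its own; no administrator intervention needed.
            del self.locked_until[user]
            return False
        return True

    def record_failure(self, user, now):
        """Register a failed login; return True if it triggered a lockout."""
        if self.attempts == 0:
            return False  # 0 disables lockout (the default)
        window = self.failures.setdefault(user, deque())
        window.append(now)
        while now - window[0] > WINDOW:  # forget failures older than 3 minutes
            window.popleft()
        if len(window) >= self.attempts:
            self.locked_until[user] = now + self.lock_period
            self.events.append(f"lockout user={user} until={now + self.lock_period}")
            window.clear()
            return True
        return False

def run_scenario(attempts, minutes, failure_offsets, probe_offsets):
    # Replay failures at minute offsets from a constructed reference time; return (triggered, locked).
    t0 = datetime(2014, 9, 29, 12, 0)
    lk = LoginLockout(attempts, minutes)
    triggered = [lk.record_failure("admin", t0 + timedelta(minutes=m)) for m in failure_offsets]
    locked = [lk.is_locked("admin", t0 + timedelta(minutes=m)) for m in probe_offsets]
    return triggered, locked
```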
• FIA_PMG_EXT.1: The TOE authentication mechanism provides configuration for minimum password
length. The administrator should, at a minimum, require passwords to be at least 6 characters long. The
calculation below is based on the following facts:
- Passwords are case-sensitive
- A-Z, a-z, 0-9, !@#$%^&*()_+, and extended characters are allowed
- The password minimum length is set to 8
- Passwords have a maximum lifetime, and a new password must differ from the previous password in at
least 4 characters
Passwords must be at least eight characters long. Numeric, alphabetic (upper and lower case), and
keyboard/extended characters can be used, which gives a total of 95 characters to choose from. An eight
character password using all characters has 95^8 total possible combinations. The probability for a random
attempt to succeed is therefore less than one in 1,000,000,000,000,000.
• FIA_PSK_EXT.1: The TOE accepts 22 to 64 character text-based pre-shared keys (composed of any
combination of upper and lower case letters, numbers, and special characters, including '!', '@', '#', '$',
'%', '^', '&', '*', '(', and ')') for IPsec, WPA2 and IKEv1/IKEv2.
• FIA_UAU.6: The TOE requires a user to re-authenticate when a password is changed or the session is locked.
• FIA_UAU.7: The TOE provides only obscured feedback to the administrative user while authentication is
in progress at the local console by displaying an asterisk (*) for each character entered.
• FIA_UAU_EXT.5: The TOE provides local accounts and can also be configured to use LDAP,
RADIUS, and TACACS+ authentication servers in its operational environment. The administrator can
configure the TOE to use the same or different authentication mechanisms (local, remote) for wireless users
and administrators. The TOE invokes the authentication mechanism configured by the
administrator.
• FIA_UIA_EXT.1: Prior to establishing an administrative user session the TSF displays an Authorized
Administrator-specified advisory notice and consent warning message regarding unauthorized use of the
TOE (FTA_TAB.1). The TOE requires an administrator to be successfully identified and authenticated
before allowing any other TSF-mediated actions on behalf of that user.
• FIA_X509_EXT.1: The TOE protects, stores and allows authorized administrators to load X.509v3
certificates used to support authentication for IPsec, TLS and SSH connections. Certificates are loaded