which requires integration with MSE and NCS or WCS, but Adaptive wIPS is beyond the
logical scope of this evaluation, so is not discussed further in this ST.
2.5 IT Environment Dependencies
This section identifies the IT Environment components that the TOE relies upon but that lie
outside its physical boundary and are therefore supplied by the IT Environment, and it
details the dependencies of the TOE components on each of them.
2.5.1 Wireless Client Hosts
All wireless client hosts connecting to the wired network from the wireless network are
excluded from the TOE’s physical boundary.
2.5.2 Administrator Management Hosts
The Controllers support remote access from a workstation via HTTPS or SSH (authenticated
via RADIUS). Additionally, the controllers support serial access from a workstation, but that
functionality is not permitted in the TOE evaluated configuration and would be authenticated
to the local Management User database on the Controller. Administrator Management Hosts
(HTTPS and SSH clients) are not included in the TOE’s physical boundary.
2.5.3 Cisco Secure Access Control Server (ACS) and Cisco Identity Services Engine (ISE)
The Cisco Secure ACS version 5.x (hereafter referred to as the ACS) and Cisco Identity
Services Engine (ISE) are different generations of products that provide centralized
authentication, authorization and accounting. The ACS/ISE centralizes access control and
accounting and enables ACS/ISE administrators to configure user accounts from a
centralized source. The user account information covers both wireless client hosts
attempting to access the wired LAN and Controller administrator accounts used for access to
Controllers.
Cisco Secure ACS is available in several platform configurations. Cisco Secure ACS
version 5.x software is provided on either the Cisco 1120 Secure ACS 5.x Appliance or
the Cisco 1121 Secure ACS 5.x Appliance. Additionally, Cisco Secure ACS version 5.2
software is available as a virtual appliance running VMware version ESX 3.5 or 4.0.
Cisco ISE is available as a physical appliance on the 3300 series models (3315, 3355, and
3395, for small, medium, and large deployments respectively), and the Cisco Identity
Services Engine virtual appliances supported on VMware ESX/ESXi 4.x, which should
be run on hardware that equals or exceeds the characteristics of the physical appliances.
o When ISE is used as the RADIUS server for Controller(s), the wireless client
accounts can be defined within ISE, but ISE must be configured to defer (proxy)
authentication of Controller administrators (Management Users) to a separate
(second-tier) authentication server that is able to enforce lockout after failed
login attempts. Those second-tier authentication servers could include Active
Directory, LDAP, or an ACS server.
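The two-tier arrangement the bullet above requires, modelled in code as an added illustration (this is not ISE, ACS or Controller code, and the account names, passwords and the three-failure threshold are constructed for the example): a front-end RADIUS server decides wireless client authentications locally, but defers every Management User authentication to a second-tier server whose only job here is to enforce lockout after repeated failures.

```python
"""Two-tier RADIUS authentication model (illustrative, not vendor code).

The front end stands in for ISE: it authenticates wireless client accounts
itself and proxies Controller administrator (Management User) requests to a
second-tier server that enforces lockout, the role the ST assigns to Active
Directory, LDAP or an ACS server.
"""
import hmac
from dataclasses import dataclass


@dataclass
class Account:
    password: str          # plaintext only for the toy model; real servers store hashes
    failures: int = 0      # consecutive failed attempts
    locked: bool = False


class LockoutAuthenticator:
    """Second-tier server: refuses an account after max_failures bad attempts."""

    def __init__(self, accounts: dict[str, Account], max_failures: int = 3):
        self.accounts = accounts
        self.max_failures = max_failures

    def authenticate(self, username: str, password: str) -> tuple[bool, str]:
        acct = self.accounts.get(username)
        if acct is None:
            return False, "unknown-user"
        if acct.locked:
            # A locked account is refused even when the password is correct.
            return False, "locked"
        if hmac.compare_digest(acct.password.encode(), password.encode()):
            acct.failures = 0
            return True, "accepted"
        acct.failures += 1
        if acct.failures >= self.max_failures:
            acct.locked = True
            return False, "locked"
        return False, "rejected"


class FrontEndRadius:
    """ISE-like front end: local decisions for wireless clients, proxy for admins."""

    def __init__(self, wireless_clients: dict[str, Account],
                 admin_backend: LockoutAuthenticator):
        self.wireless_clients = wireless_clients
        self.admin_backend = admin_backend

    def authenticate(self, username: str, password: str, service: str) -> tuple[bool, str]:
        if service == "management":
            # Management Users are never decided locally; defer to the tier
            # that enforces lockout so repeated guessing is cut off there.
            ok, reason = self.admin_backend.authenticate(username, password)
            return ok, "proxied:" + reason
        acct = self.wireless_clients.get(username)
        if acct is not None and hmac.compare_digest(acct.password.encode(),
                                                    password.encode()):
            return True, "local:accepted"
        return False, "local:rejected"


def build_demo() -> FrontEndRadius:
    # Constructed sample accounts (hypothetical names and passwords).
    admins = {"wlc-admin": Account("constructed-admin-pw")}
    clients = {"laptop-17": Account("constructed-client-pw")}
    return FrontEndRadius(clients, LockoutAuthenticator(admins, max_failures=3))


def run_demo() -> list[tuple[bool, str]]:
    """Three bad admin passwords lock the account; the correct one then fails too."""
    fe = build_demo()
    results = []
    for attempt in ("wrong1", "wrong2", "wrong3", "constructed-admin-pw"):
        results.append(fe.authenticate("wlc-admin", attempt, "management"))
    results.append(fe.authenticate("laptop-17", "constructed-client-pw", "wireless"))
    return results


if __name__ == "__main__":
    for ok, reason in run_demo():
        print(ok, reason)
```

The point the model makes visible is that the front end's own user store never sees the administrator decision: if the proxy rule were missing, a Management User could be guessed against a store with no lockout, which is exactly the configuration the ST rules out.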