Specifications

The Controller can be configured to require the APs to use the Controller's internal database
of wireless user accounts, or to use either ACS or ISE to perform RADIUS authentication,
authorization, and accounting of wireless clients that connect to the TOE. When RADIUS is
used, the Controller is configured in ACS or ISE as a RADIUS client, which enables APs to
pass secure wireless user authentication requests through the Controller to an AAA server.
IEEE 802.1X (which is part of IEEE 802.11i security) is used by the TOE to manage secure
authentication of wireless clients to the TOE.
APs enforce 802.1X port access control, Controllers manage the 802.1X state
machine, and the AAA server terminates the 802.1X client authentication and the resulting
802.11i key derivation.
With 802.1X port access control, APs disallow all wireless packets transmitted from
wireless hosts from entering the trusted wired network except for 802.1X EAP packets.
APs forward 802.1X EAP packets to the Controller which passes them to the AAA
server. Upon the completion of a successful 802.1X authentication session between a
wireless client and the AAA server, access is granted to the trusted wired network.
The RADIUS protocol is used to communicate the 802.1X authentication information between
the Controller and ACS/ISE. ACS/ISE verifies the username and password using the user
databases it is configured to query, such as the local ACS/ISE user database, or a RADIUS
store. ACS/ISE returns a success or failure response via the Controller to the AP, which
permits or denies user access based on the response it receives. When the user authenticates
successfully, ACS/ISE sends a set of authorization attributes to the AP. If RADIUS
accounting is also configured the AP then begins forwarding wireless user accounting
information to ACS/ISE for logging.
When the user has successfully authenticated, a set of session attributes can be sent to the
AAA client to provide additional security and control of privileges, otherwise known as
authorization. These attributes might include the IP address pool, access control lists (ACLs),
or type of connection.
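The flow above has three parties with distinct duties: the AP filters frames on the controlled port, the Controller acts as the RADIUS client, and the AAA server decides and returns authorization attributes. The following Python model is an added example, not code from the Security Target or from Cisco, and it makes simplifying assumptions: the multi-round EAP exchange (Access-Challenge) is collapsed into a single Access-Request, the EAP-Message attribute carries a password stand-in instead of a real EAP method, the Filter-Id attribute stands in for the per-session ACL, and the users, secrets and packet identifiers are constructed. What it does show faithfully is the RFC 2865 Response Authenticator, the RFC 2869 Message-Authenticator, and why the AP's port opens only on a response the Controller has verified under the shared secret, so a forged Access-Accept or a server with a mismatched secret never grants access.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RADIUS codes, RFC 2865
USER_NAME, FILTER_ID, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 11, 79, 80  # attribute types used
EAPOL_ETHERTYPE = 0x888E  # 802.1X EAPOL: the only client traffic the AP forwards pre-authorization

def encode_attrs(attrs):
    """(type, value) pairs -> RADIUS TLVs; length includes the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    """TLVs -> (type, value) list, failing closed on truncated or zero-length attributes."""
    attrs, off = [], 0
    while off < len(data):
        length = data[off + 1] if off + 1 < len(data) else 0
        if length < 2 or off + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[off], data[off + 2:off + length]))
        off += length
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def response_authenticator(secret, code, ident, request_auth, attrs):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + ResponseAttributes + Secret)."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()

def build_access_request(secret, ident, username, eap_msg):
    """Controller (RADIUS client): Access-Request with the relayed EAP payload and a
    Message-Authenticator (RFC 2869 s5.14: HMAC-MD5 over the packet with its own value zeroed)."""
    attrs = [(USER_NAME, username), (EAP_MESSAGE, eap_msg), (MESSAGE_AUTHENTICATOR, bytes(16))]
    pkt = build_packet(ACCESS_REQUEST, ident, os.urandom(16), attrs)
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()  # attribute is last, so its value is the tail

def verify_message_authenticator(secret, pkt):
    """AAA server: an EAP Access-Request without a valid Message-Authenticator is discarded."""
    off = 20
    while off + 2 <= len(pkt):
        t, length = pkt[off], pkt[off + 1]
        if length < 2 or off + length > len(pkt):
            return False
        if t == MESSAGE_AUTHENTICATOR and length == 18:
            expected = hmac.new(secret, pkt[:off + 2] + bytes(16) + pkt[off + 18:], hashlib.md5).digest()
            return hmac.compare_digest(pkt[off + 2:off + 18], expected)
        off += length
    return False

def aaa_server_handle(secret, users, pkt):
    """AAA server (ACS/ISE stand-in): Accept with authorization attributes, Reject, or None (silent discard)."""
    if len(pkt) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt) or not verify_message_authenticator(secret, pkt):
        return None
    attrs = dict(decode_attrs(pkt[20:]))
    username, eap = attrs.get(USER_NAME), attrs.get(EAP_MESSAGE, b"")
    # Constructed stand-in for the EAP method: EAP-Message carries the password directly.
    if username in users and hmac.compare_digest(users[username], eap):
        code, resp = ACCESS_ACCEPT, [(FILTER_ID, b"employee-acl")]  # per-session ACL = authorization
    else:
        code, resp = ACCESS_REJECT, []
    return build_packet(code, ident, response_authenticator(secret, code, ident, pkt[4:20], resp), resp)

def controller_check_response(secret, request_pkt, response_pkt):
    """Controller: trust a response only if its ID matches the outstanding request and its
    Response Authenticator verifies under the shared secret. Returns (code, attrs) or None."""
    if response_pkt is None or len(response_pkt) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response_pkt[:4])
    if length != len(response_pkt) or ident != request_pkt[1]:
        return None
    try:
        attrs = decode_attrs(response_pkt[20:])
    except ValueError:
        return None
    expected = response_authenticator(secret, code, ident, request_pkt[4:20], attrs)
    return (code, attrs) if hmac.compare_digest(expected, response_pkt[4:20]) else None

class APPort:
    """802.1X controlled port on the AP: only EAPOL passes until a verified Accept arrives."""
    def __init__(self):
        self.authorized, self.acl = False, None

    def filter_frame(self, ethertype):
        return "forward" if self.authorized or ethertype == EAPOL_ETHERTYPE else "drop"

    def apply(self, result):
        """Open the port and record session attributes only on a verified Access-Accept."""
        if result is not None and result[0] == ACCESS_ACCEPT:
            self.authorized, self.acl = True, dict(result[1]).get(FILTER_ID)
        return None if result is None else result[0]

def authenticate(client_secret, server_secret, users, username, password, port):
    """One attempt end to end: Controller sends Access-Request, AAA answers, the AP port updates."""
    req = build_access_request(client_secret, 42, username, password)
    resp = aaa_server_handle(server_secret, users, req)
    return port.apply(controller_check_response(client_secret, req, resp))
```

Run `authenticate(...)` once with matching secrets and a valid credential and the port flips from dropping IP frames to forwarding them, carrying the returned Filter-Id as its ACL; run it with a wrong password and the port stays closed on an Access-Reject; run it with mismatched secrets and the request is silently discarded. A forged Access-Accept built with the right packet ID but no knowledge of the shared secret fails the Response Authenticator check in `controller_check_response`, which is the property the Controller relies on before telling the AP to open the port.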
ACS or ISE can also be used for authentication, authorization and accounting for
administrators of the TOE (Management Users only, not SNMPv3 Users). When ISE is used
as a directly-accessible (first-tier) RADIUS server for any Controller(s), ISE must be
configured to defer (proxy) authentication and authorization requests for those accounts to a
separate (second-tier) authentication server that is able to enforce lockout after failed login
attempts. Those second-tier authentication servers could include Active Directory, LDAP, or
an ACS server. The Controller's Management Users can be configured through ACS for
authentication and authorization using RADIUS, and Controller TACACS+ accounting can be
used by ACS/ISE for logging actions performed by Management Users on the Controller.
The network communication interface between ACS/ISE and the Controller is controlled
and protected by the RADIUS protocol for communications that do not carry client keying
material, and by AES RADIUS key wrap for FIPS-compliant transfer of the 802.11i
PMK to the Controller.
The ACS/ISE controls and mediates all actions that occur through these interfaces and
makes sure that the enforcement functions (those dealing with access control of the
interfaces) are invoked and succeed before allowing any other mediated action to occur
with any of its other security functions. Through these mediations and access controls of
its interfaces, the ACS/ISE achieves non-bypassability.
2.5.4 Cisco Wireless Control System (WCS) and Network Control System (NCS)
The Cisco Wireless Control System (WCS) is a software product that provides a centralized
management service for Cisco WLAN products including the APs, Controllers and MSEs.