Specifications
62
synchronization.
Controller Logging
Controllers may send audit logs to up to three syslog servers that may be configured to receive
messages at or below a selected severity level:
Emergencies = Severity level 0
Alerts = Severity level 1
Critical = Severity level 2
Errors = Severity level 3
Warnings = Severity level 4
Notifications = Severity level 5
Informational = Severity level 6
Debugging = Severity level 7
All system messages have a facility code, a severity level, a mnemonic code and a message text.
AP Logging
Access points log all system messages (with a severity level less than or equal to notifications,
i.e. 0-5) to the access point event log. The event log can contain up to 1024 lines of messages,
with up to 128 characters per line. When the event log becomes filled, the oldest message is
removed to accommodate a new event message. The event log is saved in a file on the access
point flash, which ensures that it is saved through a reboot cycle. To minimize the number of
writes to the access point flash, the contents of the event log are written to the event log file
during normal reload and crash scenarios only.
The AP system event log may be viewed from the controller CLI.
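The two logging behaviours described above (controller syslog forwarding filtered by a per-server severity threshold, and the bounded AP event log that keeps only messages at notifications or below) are modelled in the following added example. It is illustrative code written for this page, not firmware or configuration from the controller or access point. It assumes an IOS-style message layout of `%FACILITY-SEVERITY-MNEMONIC: text`, since the text only states that every system message carries those four parts; the host addresses, facility and mnemonic names are constructed for the demonstration.

```python
"""Model of the controller syslog filter and the AP event log described above.

Constructed example: the message layout, hosts and mnemonics are assumptions,
not values taken from the Security Target.
"""
from collections import deque
import re

# Severity names as listed in the Security Target (0 = most severe).
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Assumed layout: %FACILITY-SEVERITY-MNEMONIC: message text
_MSG_RE = re.compile(
    r"^%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)


def parse_message(line):
    """Split a system message into facility, severity, mnemonic and text."""
    m = _MSG_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a system message: {line!r}")
    msg = m.groupdict()
    msg["severity"] = int(msg["severity"])
    return msg


class SyslogServer:
    """One configured syslog destination with its own severity threshold."""

    def __init__(self, host, threshold):
        self.host = host
        # Accept either a severity name ("errors") or a numeric level (3).
        self.threshold = SEVERITY[threshold] if isinstance(threshold, str) else threshold
        self.received = []

    def accepts(self, severity):
        # "At or below a selected severity level" means numerically <= threshold,
        # so a server set to "errors" (3) receives levels 0-3 only.
        return severity <= self.threshold


class Controller:
    MAX_SYSLOG_SERVERS = 3

    def __init__(self):
        self.servers = []

    def add_syslog_server(self, host, threshold):
        if len(self.servers) >= self.MAX_SYSLOG_SERVERS:
            raise ValueError("controller supports at most three syslog servers")
        self.servers.append(SyslogServer(host, threshold))

    def emit(self, line):
        """Forward a message to every server whose threshold admits it; return their hosts."""
        msg = parse_message(line)
        delivered = []
        for server in self.servers:
            if server.accepts(msg["severity"]):
                server.received.append(line)
                delivered.append(server.host)
        return delivered


class APEventLog:
    MAX_LINES = 1024            # event log holds up to 1024 lines
    MAX_CHARS = 128             # each line is capped at 128 characters
    LOG_AT_OR_BELOW = SEVERITY["notifications"]   # levels 0-5 are kept

    def __init__(self):
        # deque(maxlen=...) discards the oldest entry when a new one arrives full.
        self.lines = deque(maxlen=self.MAX_LINES)
        self.flash = []         # stand-in for the event log file on AP flash

    def log(self, line):
        """Store the message if its severity qualifies; return True if stored."""
        msg = parse_message(line)
        if msg["severity"] > self.LOG_AT_OR_BELOW:
            return False
        self.lines.append(line[: self.MAX_CHARS])
        return True

    def save_to_flash(self):
        """Write the in-memory log to 'flash'; called only on reload or crash."""
        self.flash = list(self.lines)
        return len(self.flash)


if __name__ == "__main__":
    ctl = Controller()
    ctl.add_syslog_server("192.0.2.10", "errors")       # constructed host, levels 0-3
    ctl.add_syslog_server("192.0.2.11", "debugging")    # constructed host, levels 0-7
    print(ctl.emit("%EXAMPLE-5-CONFIG_CHANGE: configuration saved"))   # second server only
    print(ctl.emit("%EXAMPLE-3-LINK_DOWN: interface down"))            # both servers
```

The `deque(maxlen=1024)` reproduces the "oldest message is removed" behaviour without any explicit bookkeeping, and keeping `save_to_flash` separate from `log` mirrors the design point that the event log file is written only on reload or crash rather than on every message.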
Related TOE IT Environment SFRs:
FAU_GEN.1(2): ACS/ISE generates those auditing records that deal with the
management of user accounts controlled by the ACS/ISE, the encryption policies
controlled by the ACS/ISE for wireless users, the changing of auditing capabilities
controlled by the ACS/ISE, authentication actions, and administrative actions. The
ACS/ISE auditing capability is implemented in three different logging capabilities of
ACS/ISE. These logging capabilities are the CSV Failed Attempts, CSV Passed
Authentication, and CSV RADIUS Accounting. Within each of these logging
capabilities the ACS/ISE Administrator is able to define what is audited based on the
type of event.
ACS/ISE also provides the TOE functionality that allows for administrator actions
through the Controller to be logged and viewed. This is accomplished using Controller
TACACS+ accounting. For this, the ACS/ISE acts as an AAA server and the Controller
as the AAA client. All actions performed by the Controller administrator are forwarded
back to ACS/ISE in the form of Controller TACACS+ accounting logs. These logs are
then viewable through the ACS/ISE interface in the TACACS+ Administration Active
CSV logs. This log, in conjunction with the Passed Authentication Active CSV log,
provides the audit generation capability for the audit requirements stated in the SFR.
FAU_GEN.2
Administrator management activities include the user name of the administrator in the event
logs. Wireless users cannot establish an interactive user interface with the TOE, and thus there are
no auditable user actions other than any activity related to the wireless client, which is
audited by the AP with proper client identification (see IPS_*_EXT.1 for more details). The AP
provides wireless client MAC address so the Controller can record the MAC address in syslog
messages, and the ACS/ISE server in the TOE IT Environment can record the user identity as the
“Caller-ID” field.
The SNMPv3 interface on the Controller is a programmatic interface, not an interactive
administrative interface. Each “SNMPv3 User” account is used to authenticate a single external
entity (one instance of an NCS or WCS). An SNMPv3 server is not capable of (re)authenticating