Specifications
63
administrators who have individually authenticated to an external entity prior to triggering an
SNMPv3 GET or SET command to be sent from the external entity to an SNMPv3 server. Thus,
Controller-generated audit records of actions performed on a Controller by an “SNMPv3 User”
are records of actions performed by an external entity (one instance of WCS or NCS).
FAU_SEL.1(1)
The Controller supports pre-selection of audit generation based on event type, expressed as the
standard syslog severity levels 0 through 7. The severity level can be set differently for APs than
for the Controller itself, and can be set separately for messages stored in the local log, written
to the console, or transmitted via syslog. Additionally, the logging of process information
(procinfo) and traceback information (traceinfo) can be enabled or disabled. The writing of
timestamps into audit records can be enabled or disabled, and must remain enabled for all
security-relevant logging (it is not required for debugging) in the evaluated configuration.
Related TOE IT Environment SFRs:
FAU_SEL.1(2):
The filtering capabilities of the Kiwi Syslog Daemon and the Syslog-ng software package are
used to support both pre- and post-selection of audit data. To satisfy pre-selection in
FAU_SEL.1(2), the wireless user "passed authentications", wireless user "failed
attempts" and ACS/ISE admin "Administrative Audit" logs are generated by ACS/ISE
but not stored locally in ACS/ISE persistent storage. Instead, these event records are
forwarded by ACS/ISE directly to the syslog server for pre-filtering before being placed
in persistent storage. The ability to filter passed or failed attempts, administration,
password changes, and service monitoring events is selected based on the GUI setting
for that event report.
All other ACS/ISE audit log files may be written into ACS/ISE persistent storage for a
time before being sent to the syslog server. Post-selection filtering can be done on any
audit records stored on the syslog server.
Syslog audit log filtering maps the fields identified in FAU_SEL.1.1(2) to the
following wireless user audit log fields generated by ACS/ISE.
FAU_SEL.1.1(2) Term          | ACS/ISE Log Event Field
-----------------------------|--------------------------------------------------------
“user identity”              | “User Name”
“event type”                 | “Priority” set to “Auth”
“device interface”           | Implied WLAN interface [the ACS/ISE audit logs for
                             | wireless users “Passed Authentications” and “Failed
                             | Attempts” only apply to TOE audit events generated by
                             | a wireless user's WLAN interface]
“wireless client identity”   | “Caller-ID” [the ACS/ISE “Caller-ID” field corresponds
                             | to the wireless client machine's MAC address]
The TOE administrator can enable or disable logging for each of these categories, based
on the syslog fields. This is done on the syslog side, through the graphical user interface
on the Kiwi Syslog Server or the command line interface on the Syslog-ng server.
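As an added illustration (not part of this Security Target, and not Cisco, Kiwi or Syslog-ng code) of the two selection mechanisms described above, the block below applies per-source, per-destination severity thresholds in the manner of FAU_SEL.1(1) and then filters records on the FAU_SEL.1.1(2) field mapping. The record format, the field values and the threshold numbers are constructed for the example; real ACS/ISE output is not shown on this page.

```python
"""Selective audit pre-filtering in the style of FAU_SEL.1 (constructed example)."""
from dataclasses import dataclass


@dataclass
class SeverityPolicy:
    """FAU_SEL.1(1) style: syslog severity 0 (emerg) .. 7 (debug) thresholds,
    set separately per source (AP vs Controller) and per destination
    (local log, console, syslog). Values here are assumed, not from the ST."""
    thresholds: dict  # source -> destination -> highest severity still logged

    def accepts(self, source: str, destination: str, severity: int) -> bool:
        """True when a message of this severity is written to that destination."""
        limit = self.thresholds[source][destination]
        return 0 <= severity <= limit


# FAU_SEL.1.1(2) term -> ACS/ISE field, as in the mapping table above.
# "device interface" is implied (WLAN only) and carries no field, so it is omitted.
FIELD_MAP = {
    "user identity": "User Name",
    "event type": "Priority",
    "wireless client identity": "Caller-ID",
}


def parse_record(line: str) -> dict:
    """Parse a constructed 'Key=Value; Key=Value' record into a dict."""
    fields = {}
    for part in line.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key.strip()] = value.strip()
    return fields


def select_records(lines, criteria: dict) -> list:
    """FAU_SEL.1(2) style: keep records whose mapped fields match every criterion."""
    kept = []
    for line in lines:
        rec = parse_record(line)
        if all(rec.get(FIELD_MAP[term]) == want for term, want in criteria.items()):
            kept.append(rec)
    return kept


SAMPLE_LOG = [  # constructed records, not real ACS/ISE syslog output
    "Priority=Auth; User Name=alice; Caller-ID=00-11-22-33-44-55; Result=Passed",
    "Priority=Auth; User Name=bob; Caller-ID=00-11-22-33-44-66; Result=Failed",
    "Priority=Admin; User Name=admin1; Action=Administrative Audit",
]
```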
FCS_BCM_(EXT).1
The APs and Controllers are FIPS PUB 140-2 validated Level 2 cryptographic modules and perform
cryptographic functions in FIPS-approved modes of operation.
The following FIPS 140-2 certificates apply:
FIPS certificate #1446 (APs 1522 and 1524)