Specifications

66
through the TOE by providing the ability to enable and disable the encryption policy of the TOE.
This encryption policy determines whether the APs and Controllers will encrypt and decrypt
communications with wireless clients.
After a wireless client has successfully authenticated to the TOE, the wireless client can
communicate with other wireless clients that have successfully authenticated through the TOE
and with other wired clients that operate on the wired network controlled by the TOE. If the
administrator has enabled encryption of wireless client user data, the TOE will encrypt user data
transmitted to a wireless client from the radio interface of the wireless access system and decrypt
user data received from a wireless client by the radio interface of the wireless access system.
This ensures that the TOE supports end-to-end wireless encryption.
The TOE allows for the detection of modification of user data while carrying out network
communications on the wireless network through the use of AES operating in CCM mode (CCMP).
This detection relies on the integrity protection capabilities built into that standard's algorithm.
The Cipher Block Chaining Message Authentication Code (CBC-MAC) component of CCMP
provides data integrity. The CBC-MAC allows for the detection of a modified packet. If the
CBC-MAC indicates a packet has been modified, the packet is dropped.
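Example, added here and not part of the Security Target or of Cisco's implementation: the CBC-MAC component of CCMP in Go, showing how a receiver recomputes the MIC over the received frame and drops it when the payload, the header or the MIC itself was modified. It covers only the integrity half of CCM (the CTR encryption and the masking of the MIC with the first keystream block are omitted), and the key, nonce, header and payload are constructed values for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// CCMP parameters fixed by IEEE 802.11: 13-byte nonce, 8-byte MIC, 2-byte length field (L=2).
const nonceLen, micLen = 13, 8
func pad16(s []byte) []byte { return append(s, make([]byte, (16-len(s)%16)%16)...) }

// ccmMIC is the CBC-MAC component of CCM (RFC 3610 section 2.2): AES-CBC-MAC over B0 (flags,
// nonce, payload length), the length-prefixed AAD and the zero-padded payload, truncated to
// micLen. It assumes a non-empty AAD shorter than 0xFF00 bytes, as an 802.11 MAC header is.
func ccmMIC(key, nonce, aad, payload []byte) []byte {
	b, err := aes.NewCipher(key)
	if err != nil || len(nonce) != nonceLen { panic("ccmMIC: bad key or nonce length") }
	b0 := make([]byte, 16, 32)
	b0[0] = 0x40 | byte((micLen-2)/2)<<3 | byte(15-nonceLen-1) // flags: Adata | M' | L'
	copy(b0[1:], nonce)
	binary.BigEndian.PutUint16(b0[14:], uint16(len(payload)))
	msg := pad16(append(append(b0, byte(len(aad)>>8), byte(len(aad))), aad...))
	msg = pad16(append(msg, payload...))
	x := make([]byte, 16) // CBC-MAC state with zero IV: every block chains into the next
	for i := 0; i < len(msg); i += 16 {
		for j := range x { x[j] ^= msg[i+j] }
		b.Encrypt(x, x)
	}
	return x[:micLen]
}

// verify recomputes the MIC at the receiver over payload || MIC; any change to the payload,
// the header (AAD) or the MIC itself mismatches and the frame is dropped (nil, false).
func verify(key, nonce, aad, frame []byte) ([]byte, bool) {
	if len(frame) < micLen { return nil, false }
	payload, mic := frame[:len(frame)-micLen], frame[len(frame)-micLen:]
	if subtle.ConstantTimeCompare(mic, ccmMIC(key, nonce, aad, payload)) != 1 { return nil, false }
	return payload, true
}

func main() {
	// Constructed demo values: 128-bit key, CCMP-style 13-byte nonce, header as AAD, user data.
	key, nonce := []byte("0123456789abcdef"), []byte{0, 0, 0, 3, 2, 1, 0, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5}
	frame := append([]byte("user data"), ccmMIC(key, nonce, []byte("hdr"), []byte("user data"))...)
	frame[2] ^= 0x01 // one bit flipped in transit
	_, ok := verify(key, nonce, []byte("hdr"), frame)
	fmt.Println("frame accepted:", ok) // false: modification detected, frame dropped
}
```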
FDP_RIP.1(1)
Network packet objects are padded with zeroes upon allocation of network interfaces of each
TOE component (AP and WLC).
Related TOE IT Environment SFRs:
FDP_RIP.1(2): The ACS/ISE also ensures through their network interface drivers that
any residual data from previous packets is not re-transmitted in any subsequent packets.
This requirement does not apply to the remote syslog server since it only receives audit
records and does not transmit them.
FIA_AFL.1(1)
To meet the requirement to be able to lock administrative accounts (Management Users only, not
SNMPv3 Users) after failed login attempts to remote administrative interfaces (SSH or TLS), the
Controller will be configured to defer SSH and TLS administrative authentication to the remote
authentication server.
Locked accounts on the RADIUS server can be resolved by the RADIUS administrator
unlocking the administrative accounts.
Related TOE IT Environment SFRs:
FIA_AFL.1(2): The ACS enforces the number of unsuccessful authentication attempts
and will lock out user accounts after they reach the administrator-defined threshold. An
ACS administrator is required to unlock a user account. When ISE is used as the
directly-accessible (first-tier) RADIUS server for the Controller(s), ISE must be
configured to defer authentication of Controller administrators (Management Users) to
a separate (second-tier) authentication server that is able to enforce lockout after failed
login attempts. Those second-tier authentication servers could include Active
Directory, LDAP, or an ACS server.
FIA_ATD.1(1)
Controller SNMPv3 Users (administrative accounts) are defined in the Controller’s local user
database with their username and password.
Related TOE IT Environment SFRs:
FIA_ATD.1(3):
The remote authentication server (ACS and, optionally, AD or LDAP servers
referenced through ACS or ISE) maintains the username and password for Controller
administrators (Management Users) authenticating to the TOE via any remote
administration method (SSH or TLS).
FIA_ATD.1(2)
Wireless users authenticating to the TOE can be authenticated against the local user database, or
authentication can be deferred to a remote authentication server. When users are authenticated
locally, the Controller maintains their authentication credentials listed below as appropriate for
each authentication method:
EAP-TLS: client’s device certificate