Specifications

67
EAP-FAST without client certificate: username and password
EAP-FAST with client certificate: client’s device certificate
EAP-FAST with EAP-GTC: username and PAC (Protected Access Credential)
EAP-MSCHAPv2 without client certificate: username and password
EAP-MSCHAPv2 with client certificate: client’s device certificate
WPA2-PSK: Passphrase (ASCII or Hex)]
Protected access credentials (PACs) are strong shared secrets that enable the Controller and an
EAP-FAST client to authenticate each other and establish a TLS tunnel for use in EAP-FAST.
PACs can be either automatically or manually provisioned from the Controller to the client.
When manual PAC provisioning is enabled, the PAC file is manually generated on the
Controller. PACs generated off the Controller can be downloaded to the Controller by an
administrator.
Client certificates and CA server certificates can also be downloaded to the Controller by an
administrator.
Related TOE IT Environment SFRs:
FIA_ATD.1(3):
Wireless users who are remotely authenticated against user stores within ACS/ISE have
the following authentication parameters stored within the ACS/ISE: user ID, password,
and host MAC address, which are used for simple authentication (users can be disabled by
their user ID, and clients can be disabled by their MAC address). X.509 certificates, PACs
or smart card tokens are security attributes that may optionally be used when
authenticating the user. 802.11i session encryption keys are provisioned to clients and
APs from the ACS/ISE, and are used to protect wireless traffic.
FIA_UAU.1
The TOE provides GUI and CLI administrative interfaces at the Controller that both require an
authenticated session before providing any administrative services. Unauthenticated users
connecting via TLS will be directed to log in to the GUI, and connections via SSH or serial
console require authentication to the CLI. In addition, the AP and Controller TOE components
authenticate each other during set-up of the communications channel.
To be consistent with the application notes in the WLAN PP, this SFR is specific to accounts
authenticated locally on the TOE, which can include wireless users (if configured by the
Controller administrator to authenticate locally) and SNMPv3 Users. The TOE does not allow
actions to be performed by any identified wireless user or SNMPv3 User until authentication has
completed successfully.
FIA_UAU_(EXT).5(1)
The Controller administrator can configure both local authentication and remote authentication.
Remote authentication is required for remote administrative access to the TOE.
The TOE can be configured (independently for each WLAN) to authenticate wireless users to its
local wireless user database, or to defer authentication of wireless users to one or more RADIUS
servers. The TOE authenticates SNMPv3 User accounts locally.
Management User accounts defined within the local user database of the Controller are not
used in the evaluated configuration in which all remote access by Management Users is
authenticated to the RADIUS server, and the serial console port is inaccessible when the
FIPS Kit is installed.
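As an added illustration (not text or code from the Security Target, and not Cisco's implementation), the following Python model captures the authentication policy described for FIA_UAU_(EXT).5(1) and FIA_ATD.1(3): each WLAN is bound either to the local wireless user database or to an ordered list of RADIUS servers, SNMPv3 Users are always checked locally, Management Users are always checked remotely, users and clients can be disabled by user ID or MAC address, and no verdict other than "reject" is produced until a server actually answers. The WLAN names, accounts, passwords and the RADIUS stand-in callables are constructed for the example; a real controller would send RADIUS Access-Request packets instead.

```python
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Stand-in for a RADIUS server (constructed for this example): returns True
# for Access-Accept, False for Access-Reject, or None when it does not reply
# within the timeout. It does not speak the RADIUS protocol.
RadiusServer = Callable[[str, str], Optional[bool]]


def _match(stored: Optional[str], supplied: str) -> bool:
    """Constant-time password comparison; an unknown user counts as a mismatch."""
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode(), supplied.encode())


@dataclass
class WlanPolicy:
    local_auth: bool                                   # local DB, or defer to RADIUS
    radius_servers: List[RadiusServer] = field(default_factory=list)


@dataclass
class Controller:
    local_wireless_users: Dict[str, str]               # user ID -> password (constructed)
    snmpv3_users: Dict[str, str]                       # always authenticated locally
    wlans: Dict[str, WlanPolicy]                       # per-WLAN policy
    mgmt_radius: List[RadiusServer]                    # Management Users: remote only
    disabled_users: Set[str] = field(default_factory=set)
    disabled_macs: Set[str] = field(default_factory=set)

    def _ask_radius(self, servers: List[RadiusServer], user: str, pw: str) -> str:
        # Servers are tried in order; one that does not answer is skipped.
        for server in servers:
            verdict = server(user, pw)
            if verdict is not None:
                return "accept" if verdict else "reject"
        return "reject"                                # nobody answered: fail closed

    def authenticate_wireless(self, wlan: str, user: str, pw: str, mac: str) -> str:
        policy = self.wlans.get(wlan)
        if policy is None or user in self.disabled_users or mac.lower() in self.disabled_macs:
            return "reject"
        if policy.local_auth:
            return "accept" if _match(self.local_wireless_users.get(user), pw) else "reject"
        return self._ask_radius(policy.radius_servers, user, pw)

    def authenticate_snmpv3(self, user: str, pw: str) -> str:
        return "accept" if _match(self.snmpv3_users.get(user), pw) else "reject"

    def authenticate_management(self, user: str, pw: str) -> str:
        # Local management accounts are never consulted in this configuration.
        return self._ask_radius(self.mgmt_radius, user, pw)


def build_demo_controller() -> Controller:
    """Constructed sample: one WLAN on the local DB, one with two RADIUS servers
    (the first unreachable), and one whose only RADIUS server is down."""
    radius_down: RadiusServer = lambda user, pw: None
    radius_up: RadiusServer = lambda user, pw: user == "bob" and pw == "bob-pw"
    return Controller(
        local_wireless_users={"alice": "alice-pw"},
        snmpv3_users={"monitor": "snmp-pw"},
        wlans={
            "guest": WlanPolicy(local_auth=True),
            "corp": WlanPolicy(local_auth=False, radius_servers=[radius_down, radius_up]),
            "lab": WlanPolicy(local_auth=False, radius_servers=[radius_down]),
        },
        mgmt_radius=[radius_up],
        disabled_macs={"de:ad:be:ef:00:01"},
    )


if __name__ == "__main__":
    c = build_demo_controller()
    print("guest/alice:", c.authenticate_wireless("guest", "alice", "alice-pw", "00:11:22:33:44:55"))
    print("corp/bob (failover):", c.authenticate_wireless("corp", "bob", "bob-pw", "00:11:22:33:44:55"))
    print("lab/bob (server down):", c.authenticate_wireless("lab", "bob", "bob-pw", "00:11:22:33:44:55"))
    print("snmpv3/monitor:", c.authenticate_snmpv3("monitor", "snmp-pw"))
    print("mgmt/bob:", c.authenticate_management("bob", "bob-pw"))
```

The point worth checking in a real deployment is the "lab" case: when every configured RADIUS server is unreachable the only safe verdict is reject, and the controller must not silently fall back to a local database that the evaluated configuration says is unused.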
Related TOE IT Environment SFRs:
FIA_UAU_(EXT).5(2): The ACS/ISE is the remote authentication server for the TOE,
providing administrator and wireless user authentication via RADIUS.
FIA_UID.2
No administrative or user actions are permitted on the AP or Controller without identification to
AP, or WLC. All wireless users and TOE administrators (including Controller administrators