Specifications
69
FMT_MOF.1(3)
The Controller administrator is able to configure (enable/disable/define/re-define) the
authentication servers used by the Controller. The Controller does not enforce account lockout
after multiple failed login attempts on the local serial console; instead it requires that all
remote administrative sessions (SSH or TLS) be authenticated against the remote authentication
server, so that the remote authentication server can enforce lockout of accounts after
successive failed login attempts. The TOE must therefore be configured to defer all
authentication of Management Users to the RADIUS server. The administrator can separately allow
or disallow use of the RADIUS server for wireless users, and can add or remove secondary and
tertiary RADIUS servers (up to 17 in total).
The Controller administrator defines the length of time that an administrative session can remain
inactive before the session is terminated, and can configure serial console, SSH, and TLS with
separate timeout limits.
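As an added illustration (not code from this Security Target, from Cisco, or from ACS/ISE), the following Python model shows why deferring Management User authentication to the RADIUS server matters: the remote server owns the per-account failure counter and lockout window, while the local serial console path checks a password and nothing else. The lockout threshold (3 attempts), the 300-second window, the account names and the passwords are assumed values constructed for the example; passwords are held in the clear only because the model is about lockout, not credential storage.

```python
import time
from dataclasses import dataclass, field

# Constructed sample credentials for the example (not real accounts).
LOCAL_DB = {"console-admin": "Console-Pw-1"}
RADIUS_DB = {"netadmin": "Radius-Pw-1"}


@dataclass
class LockoutPolicy:
    """Assumed policy: max_failures consecutive failures lock the account for `window` seconds."""
    max_failures: int = 3
    window: float = 300.0


@dataclass
class RadiusAuthServer:
    """Remote authentication server: it, not the controller, keeps the failure counter."""
    users: dict
    policy: LockoutPolicy = field(default_factory=LockoutPolicy)
    failures: dict = field(default_factory=dict)      # user -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # user -> unlock timestamp

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0.0) > now

    def authenticate(self, user, password, now=None):
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return "reject-locked"            # rejected even if the password is right
        if self.users.get(user) == password:
            self.failures[user] = 0           # a success resets the counter
            return "accept"
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= self.policy.max_failures:
            self.locked_until[user] = now + self.policy.window
            self.failures[user] = 0
        return "reject"


class LocalDatabase:
    """Local user database as used by the serial console: password check, no failure counter."""
    def __init__(self, users):
        self.users = users

    def authenticate(self, user, password):
        return "accept" if self.users.get(user) == password else "reject"


class Controller:
    """Routes logins by interface: serial console -> local DB, SSH/TLS -> RADIUS server."""
    def __init__(self, local_db, radius):
        self.local_db = local_db
        self.radius = radius

    def login(self, interface, user, password, now=None):
        if interface == "serial-console":
            return self.local_db.authenticate(user, password)
        if interface in ("ssh", "tls"):
            return self.radius.authenticate(user, password, now)
        raise ValueError(f"unknown interface {interface!r}")


def demo(now=1000.0):
    """Three bad guesses on each path, then the correct password on each path.
    Returns (SSH result, console result)."""
    ctl = Controller(LocalDatabase(LOCAL_DB), RadiusAuthServer(RADIUS_DB))
    for _ in range(3):
        ctl.login("ssh", "netadmin", "wrong", now)
    ssh_after = ctl.login("ssh", "netadmin", "Radius-Pw-1", now)
    for _ in range(3):
        ctl.login("serial-console", "console-admin", "wrong")
    console_after = ctl.login("serial-console", "console-admin", "Console-Pw-1")
    return ssh_after, console_after


if __name__ == "__main__":
    print(demo())  # ('reject-locked', 'accept')
```

The SSH path is locked after the third failure and stays locked until the window expires; the console path accepts the correct password regardless of how many failures preceded it, which is exactly the residual exposure the Security Target addresses by requiring physical control of the serial console rather than a lockout counter.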
FMT_MSA.2
In support of meeting FCS_COP and FCS_CKM, the AP and Controller generate keys that meet all
requirements defined in all iterations of FCS_CKM and FCS_COP, to ensure that only secure
values are accepted for security attributes. Cryptographic keys are generated using FIPS
approved random number generators, and RSA key pairs are subject to pairwise consistency tests
that confirm their validity before they are used.
FMT_MTD.1(1)
The Controller administrator is able to query, modify, clear (disable), and create (enable) the
audit data that will be stored locally (in the buffer), displayed at the local console, or
transmitted to syslog server(s), by enabling or disabling any of those logging facilities
(buffer, console, syslog) and by setting the event type (syslog severity level) for each facility.
See related controls in rationale for FMT_MOF.1(2), and FAU_SEL.1(1).
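An added Python model of the per-facility configuration described above (example code, not the Controller's own logging implementation). The detail worth seeing is the severity semantics: syslog levels run from 0 (emergencies) to 7 (debugging), so a facility configured at level "errors" receives errors and everything more severe, not everything at or above the number. The default facility states, the `local7` syslog facility code and the two event messages are constructed assumptions.

```python
# Syslog severity levels as defined in RFC 5424: a LOWER number is MORE severe.
SEVERITIES = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
LOCAL7 = 23  # assumed syslog facility code used when forwarding to the syslog server


def syslog_pri(facility_code, severity):
    """RFC 5424 PRI value that prefixes a forwarded message: facility * 8 + severity."""
    return facility_code * 8 + SEVERITIES[severity]


class LoggingFacility:
    """One audit destination (buffer, console or syslog) with an enable flag and a threshold.
    A threshold of "errors" delivers errors and anything more severe (levels 0..3)."""

    def __init__(self, name, enabled=False, level="errors"):
        self.name = name
        self.enabled = enabled
        self.level = SEVERITIES[level]

    def accepts(self, severity):
        return self.enabled and SEVERITIES[severity] <= self.level


class AuditConfig:
    """Administrator-side model of the three facilities (defaults are assumed, not the TOE's)."""

    def __init__(self):
        self.facilities = {
            "buffer": LoggingFacility("buffer", enabled=True, level="debugging"),
            "console": LoggingFacility("console", enabled=False, level="warnings"),
            "syslog": LoggingFacility("syslog", enabled=False, level="errors"),
        }

    def enable(self, name, level):          # create (enable) with a severity threshold
        f = self.facilities[name]
        f.enabled, f.level = True, SEVERITIES[level]

    def disable(self, name):                # clear (disable)
        self.facilities[name].enabled = False

    def query(self):                        # query current settings
        return {n: (f.enabled, f.level) for n, f in self.facilities.items()}

    def route(self, severity, message):
        """(facility, rendered line) for every facility that accepts the event.
        Lines bound for the syslog server carry the RFC 5424 PRI prefix."""
        delivered = []
        for name, f in self.facilities.items():
            if f.accepts(severity):
                line = f"<{syslog_pri(LOCAL7, severity)}>{message}" if name == "syslog" else message
                delivered.append((name, line))
        return delivered


def demo():
    """Constructed walk-through: enable console at warnings and syslog at errors, route a
    notification and a critical event, disable syslog, route the critical event again.
    Returns the facility names hit by each of the three routings."""
    cfg = AuditConfig()
    cfg.enable("console", "warnings")
    cfg.enable("syslog", "errors")
    notice = [n for n, _ in cfg.route("notifications", "management user login via ssh")]
    crit = [n for n, _ in cfg.route("critical", "RADIUS server 10.0.0.5 unreachable")]
    cfg.disable("syslog")
    crit_after = [n for n, _ in cfg.route("critical", "RADIUS server 10.0.0.5 unreachable")]
    return notice, crit, crit_after


if __name__ == "__main__":
    print(demo())  # (['buffer'], ['buffer', 'console', 'syslog'], ['buffer', 'console'])
```

Note that lowering the console threshold from "warnings" to "errors" silences notifications and warnings there but not in the buffer, so an administrator auditing a change under FMT_MOF.1(2)/FAU_SEL.1(1) has to check each facility's level, not a single global setting.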
FMT_MTD.1(2)
FMT_MTD.1(3)
The Controller administrator is able to query, modify, delete, clear, and create the
authentication credentials and user identification credentials of users defined in the local
user authentication database. The administrator can create users and assign them usernames and
passwords, and can delete users and change user passwords.
TOE users (administrators) with access to the administrative interfaces of the TOE (Controller
CLI and Controller GUI) are able to modify their own passwords.
FMT_MTD.1(2) is specific to credentials of administrative accounts defined within the local
user database of the Controller (SNMPv3 Users).
FMT_MTD.1(3) is specific to credentials of wireless user accounts defined within the local user
database of the Controller.
Relevant TOE IT Environment functions (not explicitly related to SFRs defined in the PP):
ACS/ISE Administrators perform all aspects of user account management for accounts
stored in the ACS/ISE user database including TOE administrative accounts (ACS only,
not ISE) and wireless client accounts (ACS or ISE). The ACS also provides an optional
User Change Password web service that can be used to provide a web interface for users
to manage their passwords. This can be provided for all users authenticated against the
ACS, including wireless users and Controller and ACS administrators.
ACS/ISE can implement certain administration capabilities for the TOE. Specifically,
ACS/ISE allows for the administration of wireless user authentication credentials
and authorization rights. ACS/ISE also allows for authentication and authorization of
Controller administrators. ACS/ISE contains a RADIUS server, and the APs and
Controllers may be configured to use that RADIUS server to carry out their
respective TSF authentication and authorization capabilities. The administration
capabilities provided by the ACS can be used to set up the access control policies that
apply when the Controllers and APs have been administratively configured to have a
RADIUS server carry out authentication and authorization for wireless users of the
TOE. These policies include account lockout settings for failed authentications, which
are available directly on ACS, or through ISE when ISE refers authentication to a
second-tier authentication server such as AD, LDAP, or ACS.