Specifications

configuration or in the TOE's evaluated configuration and is covered with a tamper-evident label
once the FIPS Kit is installed.
Related TOE IT Environment SFRs:
FMT_SMR.1(2):
There are two administrator roles maintained by the TOE IT Environment in the
evaluated configuration: the ACS/ISE Administrator and the Syslog Administrator. The
ACS Administrator is responsible for management of users and their authentication
parameters for those Controller administrators who use SSH and TLS to access the
Controller. ACS or ISE can be used for authentication of wireless user accounts. The
Syslog Administrator manages the syslog server, including restricting access to audit
records and configuring the syslog server's selective audit capability.

| TOE IT Environment Role | When used | Responsibilities |
|---|---|---|
| ACS/ISE Administrator | Used during Setup and in the Evaluated Configuration | Management of Administrative users for ACS/ISE and Controller and management of wireless clients |
| Syslog Administrator | Used during setup and in the Evaluated Configuration | Management of the selectable audit capability |

FPT_ITT.1
TSF data is protected from modification and disclosure by means of SNMPv3, CAPWAP and
AES Key Wrap.

WLAN Internal Data Protection Mechanisms

| Authenticated Connectivity | Protocol | Authentication Mechanism | Description |
|---|---|---|---|
| Controller to ACS/ISE | AES key wrap | Privacy Password (AES key) and Authentication Password (HMAC-SHA1 key) (passwords are on both systems) | The keywrap passwords are like pre-shared keys. Once set up correctly on each end then communication between the 2 endpoints takes place using the privacy of the keywrap protocol |
| Controller to AP | CAPWAP | X.509 certificates | X.509 auth takes place based on factory installed certificates |
| MSE to Controller | NMSP (TLS based) | X.509 certificates | Authentication takes place based on factory installed |
| Controller to MSE | NMSP (TLS based) | X.509 certificates | Authentication takes place based on factory installed |
| WCS or NCS to Controller | SNMPv3 (sha1/aes) | Password | HMAC-SHA-1 based authentication, AES encryption |