Specifications

FPT_STM_(EXT).1
The Controllers each maintain their own hardware clock, which is settable by the Controller
administrator. The Controller may be configured to receive automated clock updates via an
encrypted and authenticated connection from WCS/NCS. The Controller ensures that each of its
managed APs maintains synchronized time with the Controller.
Related TOE IT Environment SFRs:
FPT_STM.1: The ACS/ISE, WCS/NCS, and Syslog server will each maintain their
own clock to apply timestamps to the audit records which they generate, and should all
be configured to synchronize their clocks with the same centralized time server.
FMT_MTD.1(4): The WCS/NCS administrator is able to set the clock on the
WCS/NCS and configure the WCS/NCS to update the Controller clocks via SNMPv3.
FMT_MTD.1(5): The syslog server administrator is able to configure the syslog
message filters to select upon receipt at the syslog server’s network interface which
messages will be stored in the audit log.
FPT_TST_(EXT).1
FPT_TST.1(1)
FPT_TST.1(2)
The hardware components of the TOE perform TSF tests during initial start-up of the
component. These include the cryptographic module testing on the APs and Controllers. The
APs and Controllers also perform a SHA-1 integrity check on the configuration files upon initial
start-up. The results of these tests are reported at the console upon boot-up.
The Controller and APs execute FIPS 140-2 power on self tests and conditional tests to ensure
the proper operation of the cryptographic functionality, including firmware integrity tests and
cryptographic algorithm known answer tests. This verifies the functionality of the cryptographic
implementations and the key generation functionality. Cryptographic administrators can initiate
the tests by methods specified in the relevant FIPS 140-2 Security Policies. In addition, the
Controller administrator may initiate cryptographic self tests via special control packets sent to
the crypto processing components and configure periodic self-tests.
The capability to verify integrity of stored code can only be performed through the Controller
CLI, thus can only be performed by Management User accounts, not SNMPv3 User accounts.
The capability to verify integrity of TSF data related to key generation can only be performed
through the Controller CLI, thus can only be performed by Management User accounts, not
SNMPv3 User accounts.
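A sketch of the start-up sequence described above (known answer tests, then a SHA-1 integrity check of stored configuration, failing closed), added here as an illustration and not taken from the TOE or its FIPS 140-2 Security Policies. The file names, manifest layout and function names are assumptions, and the sample configuration bytes are constructed.

```python
import hashlib
import hmac

# Published FIPS 180 example digests for the message b"abc".
KAT_MESSAGE = b"abc"
KAT_EXPECTED = {
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}

def run_kats(digest=hashlib.new):
    """Return the algorithms whose output differs from the known answer."""
    return [name for name, expected in KAT_EXPECTED.items()
            if not hmac.compare_digest(digest(name, KAT_MESSAGE).hexdigest(), expected)]

def check_integrity(blobs, manifest):
    """Return names of stored files that are missing or whose SHA-1 differs."""
    bad = []
    for name, reference in sorted(manifest.items()):
        data = blobs.get(name)
        if data is None or not hmac.compare_digest(
                hashlib.sha1(data).hexdigest(), reference):
            bad.append(name)
    return bad

def power_on_self_test(blobs, manifest, digest=hashlib.new):
    """Run both test groups; crypto services stay disabled on any failure."""
    report = {"kat_failures": run_kats(digest),
              "integrity_failures": check_integrity(blobs, manifest)}
    report["crypto_enabled"] = not (report["kat_failures"]
                                    or report["integrity_failures"])
    return report

# Constructed sample data (hypothetical file names and contents).
BLOBS = {"controller.cfg": b"session-timeout 30\n", "ap-group.cfg": b"banner enabled\n"}
# Reference digests as they would be recorded when the configuration is saved.
MANIFEST = {name: hashlib.sha1(data).hexdigest() for name, data in BLOBS.items()}

def faulty_digest(name, data):
    """Simulates a defective hash implementation to exercise the KAT failure path."""
    return hashlib.new(name, data + b"\x00")

if __name__ == "__main__":
    print(power_on_self_test(BLOBS, MANIFEST))
    print(power_on_self_test(dict(BLOBS, **{"controller.cfg": b"x"}), MANIFEST))
    print(power_on_self_test(BLOBS, MANIFEST, digest=faulty_digest))
```

An unkeyed digest stored alongside the data detects corruption; it does not by itself detect modification by someone able to rewrite the reference values.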
FTA_SSL.3
The Controller GUI and CLI interfaces each enforce an inactivity timer and terminate interactive
sessions when the time limit has been reached. The GUI timeout is configurable from 30 to
160 minutes (inclusive). The CLI automatically logs out users without saving any changes after
an administratively configured time from 1 to 160 minutes, and the serial and SSH timeouts can be
configured with separate limits.
FTA_TAB.1
The Controller management interfaces each display a login banner to administrative users, and
optionally to wireless clients. This SFR applies only to the interactive administrative interfaces
(the Controller CLI and the Controller GUI) and does not apply to the SNMPv3 interface.
FTP_ITC_(EXT).1(1)
The following Inter-TSF Trusted Channels are provided and utilized by the TOE:
The Controller initiates sending wIPS data to the MSE over TLS.
The Controller initiates sending alerts to WCS/NCS via SNMPv3.
The Controller initiates sending syslog data to the syslog server over TLS.
Related TOE IT Environment SFRs:
FTP_ITC_(EXT).1(2):
The WCS/NCS initiates encrypted and authenticated communication with the
Controller over SNMPv3 for configuration updates, and to update the Controller clock.
The MSE initiates encrypted and authenticated communication with the Controller to
update wIPS policies.
FTP_TRP.1
The administrator has control over whether or not unencrypted data will be allowed to pass