Specifications

through the TOE by providing the ability to enable and disable the encryption policy of the TOE.
This encryption policy determines whether the APs and Controllers will encrypt and decrypt
communications with wireless clients.
After a wireless client has successfully authenticated to the TOE, the wireless client can
communicate with other wireless clients that have successfully authenticated through the TOE
and with other wired clients that operate on the wired network controlled by the TOE. If the
administrator has enabled encryption, the TOE will encrypt user data transmitted to a wireless
client from the radio interface of the wireless access system and decrypt user data received from
a wireless client by the radio interface of the wireless access system. This ensures that the TOE
supports end-to-end wireless encryption.
The TOE allows for the detection of modification of user data while carrying out network
communications on the wireless network through the use of AES operating in CCM mode (CCMP).
This detection relies on the integrity protection built into the CCMP standard: the Cipher Block
Chaining Message Authentication Code (CBC-MAC) component of CCMP provides data integrity and
allows a modified packet to be detected. If the CBC-MAC indicates that a packet has been
modified, the packet is dropped.
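The drop-on-MIC-mismatch behaviour described above, as an added example that is not code from the Security Target or from the evaluated product: a from-scratch AES-CCM built on Go's standard-library AES, using the CCMP parameters from IEEE 802.11i (8-byte MIC, 2-byte length field, 13-byte nonce) and the block formatting of RFC 3610. The receiver decrypts, recomputes the CBC-MAC over the cleartext header and payload, and returns no plaintext when the tag does not match. Key, nonce, header and payload values are constructed for the demo; a real CCMP nonce is derived from the frame header and packet number.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// CCMP parameters: 8-byte MIC (M), 2-byte length field (L), hence a 15-L = 13-byte nonce.
const (
	MICLen   = 8
	lenField = 2
	NonceLen = 15 - lenField
)

// pad zero-fills buf up to the next 16-byte AES block boundary.
func pad(buf *bytes.Buffer) {
	for buf.Len()%16 != 0 {
		buf.WriteByte(0)
	}
}

// cbcMAC computes the CCM tag T over B0 || formatted AAD || message (RFC 3610 section 2.2).
func cbcMAC(blk cipher.Block, nonce, aad, msg []byte) []byte {
	flags := byte(8*((MICLen-2)/2) + (lenField - 1))
	if len(aad) > 0 {
		flags |= 0x40 // Adata bit: the header is authenticated but not encrypted
	}
	var buf bytes.Buffer
	b0 := make([]byte, 16)
	b0[0] = flags
	copy(b0[1:], nonce)
	binary.BigEndian.PutUint16(b0[14:], uint16(len(msg)))
	buf.Write(b0)
	if len(aad) > 0 {
		var l [2]byte
		binary.BigEndian.PutUint16(l[:], uint16(len(aad)))
		buf.Write(l[:])
		buf.Write(aad)
		pad(&buf)
	}
	buf.Write(msg)
	pad(&buf)
	x := make([]byte, 16) // CBC-MAC chaining state, zero IV
	data := buf.Bytes()
	for i := 0; i < len(data); i += 16 {
		for j := 0; j < 16; j++ {
			x[j] ^= data[i+j]
		}
		blk.Encrypt(x, x)
	}
	return x[:MICLen]
}

// keystream returns S_i = E(K, flags || nonce || i) (RFC 3610 section 2.3):
// S_0 masks the MIC, S_1.. encrypt the payload in counter mode.
func keystream(blk cipher.Block, nonce []byte, i uint16) []byte {
	a := make([]byte, 16)
	a[0] = lenField - 1
	copy(a[1:], nonce)
	binary.BigEndian.PutUint16(a[14:], i)
	s := make([]byte, 16)
	blk.Encrypt(s, a)
	return s
}

// xorCTR applies the counter-mode keystream; it is its own inverse.
func xorCTR(blk cipher.Block, nonce, in []byte) []byte {
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += 16 {
		s := keystream(blk, nonce, uint16(i/16+1))
		for j := 0; j < 16 && i+j < len(in); j++ {
			out[i+j] = in[i+j] ^ s[j]
		}
	}
	return out
}

func newBlock(key, nonce []byte) (cipher.Block, error) {
	if len(nonce) != NonceLen {
		return nil, errors.New("ccmp: nonce must be 13 bytes")
	}
	return aes.NewCipher(key)
}

// Seal returns ciphertext || encrypted MIC for one frame body; aad is the cleartext header.
func Seal(key, nonce, aad, msg []byte) ([]byte, error) {
	blk, err := newBlock(key, nonce)
	if err != nil {
		return nil, err
	}
	tag, s0 := cbcMAC(blk, nonce, aad, msg), keystream(blk, nonce, 0)
	out := xorCTR(blk, nonce, msg)
	for j := 0; j < MICLen; j++ {
		out = append(out, tag[j]^s0[j])
	}
	return out, nil
}

// Open is the receiving side: decrypt, recompute the CBC-MAC and drop the frame
// (error, no plaintext) when the MIC does not match.
func Open(key, nonce, aad, frame []byte) ([]byte, error) {
	blk, err := newBlock(key, nonce)
	if err != nil {
		return nil, err
	}
	if len(frame) < MICLen {
		return nil, errors.New("ccmp: frame shorter than MIC")
	}
	ct, u := frame[:len(frame)-MICLen], frame[len(frame)-MICLen:]
	msg, s0 := xorCTR(blk, nonce, ct), keystream(blk, nonce, 0)
	tag := make([]byte, MICLen)
	for j := range tag {
		tag[j] = u[j] ^ s0[j]
	}
	if subtle.ConstantTimeCompare(tag, cbcMAC(blk, nonce, aad, msg)) != 1 {
		return nil, errors.New("ccmp: MIC mismatch, frame dropped")
	}
	return msg, nil
}

func main() {
	// Constructed demo values (not real keying material).
	key, nonce := []byte("constructed-16B!"), []byte("demo-nonce-13")
	header, body := []byte("constructed header"), []byte("user data from the wireless client")
	frame, _ := Seal(key, nonce, header, body)
	if pt, err := Open(key, nonce, header, frame); err == nil {
		fmt.Printf("accepted: %q\n", pt)
	}
	frame[3] ^= 0x01 // one bit modified in transit
	if _, err := Open(key, nonce, header, frame); err != nil {
		fmt.Println(err)
	}
}
```

The header is passed as additional authenticated data, so a change to either the cleartext header or the encrypted body invalidates the MIC; the comparison is constant-time so the check itself does not leak which byte of the tag differed.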
Details of Wireless User Identification & Authentication
The TOE implements WiFi CERTIFIED WPA2 security which also includes IEEE 802.1X port
access control to provide for the authentication of wireless clients and to restrict unauthorized
access into the TOE.
AP components of the TOE use 802.1X port-based authentication. When a wireless user
attempts to join a given network they must first associate with an AP. The TOE
maintains the userID and MAC address for the user (and their client) throughout the user's
session. During the security policy discovery phase of 802.11i, the wireless client
determines the security methods enforced by the TOE, which are advertised by the AP.
Using those security methods the client responds with a request to authenticate to the TOE.
Once the wireless client and AP have negotiated the required security methods, the
authentication phase of the process is initiated. If a user successfully associates to an AP,
the AP forwards only 802.1X EAP authentication packets to the Controller. During this
802.1X authentication state, the AP denies all packets sent by the client that are not 802.1X
EAP packets, so that only EAP packets pass through the AP. The Controller encapsulates the same
user 802.1X packets received from the AP using the RADIUS protocol and forwards them to the
ACS/ISE. Once the wireless client has successfully authenticated with WPA2-PSK, EAP-
TLS, or EAP-FAST using WPA2, they are granted access to the wired and wireless entities
connected to the TOE based on the rights granted to the client by the ACS/ISE and the
Controller. See below for this process flow.
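The AP-side port filtering described above (only 802.1X EAP frames pass to the authenticator until the client is authenticated, then the userID stays bound to the client MAC for the session), as an added example that is not code from the Security Target or from the evaluated product. It models the per-client uncontrolled/controlled port pair of IEEE 802.1X over Ethernet-style frames (destination, source, EtherType 0x888E for EAPOL); the type names `APPort`, `Disposition` and the sample MAC and user identity are assumptions for the demo, and the RADIUS leg to ACS/ISE is represented only by the `AuthResult` callback.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// EtherTypeEAPOL marks IEEE 802.1X frames (EAPOL); anything else is user data.
const EtherTypeEAPOL uint16 = 0x888E

// Disposition is what the AP does with a frame received from a wireless client.
type Disposition int

const (
	Drop            Disposition = iota // controlled port closed, non-EAP traffic denied
	ToAuthenticator                    // EAP relayed to the Controller (which wraps it in RADIUS)
	ForwardData                        // controlled port open after successful authentication
)

func (d Disposition) String() string {
	switch d {
	case ToAuthenticator:
		return "to-authenticator"
	case ForwardData:
		return "forward-data"
	}
	return "drop"
}

// session is the state kept per associated client: userID and whether its controlled port is open.
type session struct {
	userID        string
	authenticated bool
}

// APPort models the 802.1X port pair the AP keeps for every associated client, keyed by MAC.
type APPort struct {
	clients map[string]*session
}

func NewAPPort() *APPort { return &APPort{clients: map[string]*session{}} }

// Associate registers a client that completed 802.11 association; its controlled port starts closed.
func (p *APPort) Associate(mac net.HardwareAddr) { p.clients[mac.String()] = &session{} }

// AuthResult records the accept/reject outcome the Controller relays back from ACS/ISE.
func (p *APPort) AuthResult(mac net.HardwareAddr, userID string, accepted bool) {
	if s, ok := p.clients[mac.String()]; ok {
		s.userID, s.authenticated = userID, accepted
	}
}

// UserID returns the identity bound to an authenticated client MAC for the rest of its session.
func (p *APPort) UserID(mac net.HardwareAddr) string {
	if s, ok := p.clients[mac.String()]; ok && s.authenticated {
		return s.userID
	}
	return ""
}

// Dispatch classifies one client frame laid out as dst(6) | src(6) | EtherType(2) | payload.
func (p *APPort) Dispatch(frame []byte) (Disposition, error) {
	if len(frame) < 14 {
		return Drop, errors.New("runt frame")
	}
	src := net.HardwareAddr(frame[6:12]).String()
	etherType := binary.BigEndian.Uint16(frame[12:14])
	s, ok := p.clients[src]
	if !ok {
		return Drop, errors.New("frame from unassociated client " + src)
	}
	if etherType == EtherTypeEAPOL {
		return ToAuthenticator, nil // uncontrolled port: EAPOL is always relayed
	}
	if !s.authenticated {
		return Drop, nil // controlled port still closed during 802.1X authentication
	}
	return ForwardData, nil
}

// BuildFrame assembles a minimal constructed frame for the demo.
func BuildFrame(src net.HardwareAddr, etherType uint16, payload []byte) []byte {
	f := make([]byte, 14, 14+len(payload))
	copy(f[0:6], net.HardwareAddr{0x01, 0x80, 0xc2, 0x00, 0x00, 0x03}) // 802.1X PAE group address
	copy(f[6:12], src)
	binary.BigEndian.PutUint16(f[12:14], etherType)
	return append(f, payload...)
}

func main() {
	ap := NewAPPort()
	client := net.HardwareAddr{0x00, 0x11, 0x22, 0x33, 0x44, 0x55} // constructed
	ap.Associate(client)
	eapolStart := BuildFrame(client, EtherTypeEAPOL, []byte{0x02, 0x01, 0x00, 0x00}) // EAPOL-Start
	ipv4 := BuildFrame(client, 0x0800, []byte{0x45})
	for _, f := range [][]byte{ipv4, eapolStart} {
		d, _ := ap.Dispatch(f)
		fmt.Println("before authentication:", d)
	}
	ap.AuthResult(client, "alice@example.test", true) // constructed: ACS/ISE accepted EAP-TLS
	d, _ := ap.Dispatch(ipv4)
	fmt.Println("after authentication:", d, "user:", ap.UserID(client))
}
```

Frames from a MAC that never associated are dropped outright, so a station cannot skip the association step and talk straight to the authenticator.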