Specifications
74
The 802.1x protocol supports multiple authentication methods, which are carried by the Extensible Authentication Protocol (EAP). Many EAP variants exist; the authentication methods, and therefore the EAP variants, that this TOE uses for authentication are EAP-TLS, EAP-MSCHAPv2, EAP-GCT, and EAP-FAST.
The TOE uses a supplicant, authenticator, and authentication server model to perform authentication for wireless users. The supplicant is a wireless client attempting to gain access to the wired network that the TOE controls; the supplicant is not part of the TOE. An example of a supplicant is a laptop computer with a wireless adapter card. For this evaluation the authenticators are the Controllers, with the APs providing 802.1x port access control. The authentication server is the ACS/ISE TOE component.
When EAP-TLS, EAP-MSCHAPv2, EAP-GCT or EAP-FAST is configured, mutual authentication is performed between the supplicant (wireless user) and the TOE's authentication server.
The TOE is also able to implement FIPS 140-2 validated WPA2 using a pre-shared key (WPA2-PSK). Using WPA2-PSK does not require an authentication server: all authentication is done between the supplicant and the authenticator. The PSK acts as the authentication credential when WPA2-PSK is used. Wireless clients trying to connect to the wired network controlled by the TOE need to know the PSK for their wireless client software to successfully identify and authenticate to the TOE.
With EAP-FAST, EAP-MSCHAPv2, EAP-GCT, and EAP-TLS, wireless human users are identified by login/password credentials and by the MAC address of the client they use to access the wired network controlled by the TOE. After a wireless client authenticates successfully, its IP address becomes an additional identifier associated with that client: if the client uses DHCP, the address assigned by DHCP is used; if the client does not use DHCP, the IP address already configured on the client is used, alongside the MAC address.
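The following model, added here as an illustration and not taken from the Security Target or from Cisco's implementation, encodes the rules of the preceding paragraphs: EAP methods are forwarded by the authenticator to the authentication server and require the supplicant to verify the server's identity (mutual authentication), WPA2-PSK is settled between supplicant and authenticator alone, and a successful session is bound to the client's MAC address plus a DHCP-assigned or statically configured IP. The class names, the `server_id` stand-in for the server certificate, and all credentials are constructed for the example.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

EAP_METHODS = {"EAP-TLS", "EAP-MSCHAPv2", "EAP-GCT", "EAP-FAST"}

@dataclass
class Session:
    mac: str                 # always recorded for an authenticated client
    method: str
    user: Optional[str]      # login name; None for WPA2-PSK (no per-user identity)
    ip: Optional[str]
    ip_source: str           # "dhcp" or "static"
    auth_server_used: bool

class AuthServer:
    """Models the ACS/ISE component (hypothetical; constructed credential table)."""
    def __init__(self, users, server_id):
        self.users = users
        self.server_id = server_id  # stands in for the certificate the server presents

    def authenticate(self, user, password):
        expected = self.users.get(user)
        return expected is not None and hmac.compare_digest(expected, password)

class Authenticator:
    """Models a Controller/AP enforcing 802.1x port access control."""
    def __init__(self, auth_server, psk):
        self.auth_server, self.psk = auth_server, psk

    def associate(self, mac, method, user=None, password=None, psk=None,
                  trusted_server=None, dhcp_lease=None, static_ip=None):
        if method == "WPA2-PSK":
            # PSK path: authentication stays between supplicant and authenticator
            if psk is None or not hmac.compare_digest(psk, self.psk):
                return None
            server_used = False
        elif method in EAP_METHODS:
            # EAP path: mutual authentication, so the supplicant must also
            # recognise the authentication server before credentials are checked
            if trusted_server != self.auth_server.server_id:
                return None
            if not self.auth_server.authenticate(user, password):
                return None
            server_used = True
        else:
            raise ValueError("unsupported method: " + str(method))
        ip, src = (dhcp_lease, "dhcp") if dhcp_lease else (static_ip, "static")
        return Session(mac, method, user, ip, src, server_used)

def demo_authenticator():
    """Constructed setup: one user on the auth server, one PSK on the authenticator."""
    return Authenticator(AuthServer({"alice": "correct horse"}, "acs-cert-01"), "wifi-psk-example")
```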
The Controller components of the TOE are capable of allowing wireless administration; however, this feature is disabled in the evaluated configuration, so the TOE does not allow administration from wireless clients.