Specifications

Cisco ISR-800 Security Target
TOE SFRs
How the SFR is Met
the Authorized Administrator. New passwords must contain a minimum of 4
character changes from the previous password.
FIA_PSK_EXT.1
The TOE supports use of IKEv1 (ISAKMP) and IKEv2 pre-shared keys for
authentication of IPsec tunnels. Pre-shared keys can be entered as ASCII character
strings or HEX values.
The TOE supports keys that are from 22 characters in length up to 128 bytes in
length. The data that is input is conditioned prior to use via SHA-1.
Through the implementation of the CLI, the TOE supports use of IKEv1
(ISAKMP) and IKEv2 pre-shared keys for authentication of IPsec tunnels.
Pre-shared keys can be entered as ASCII character strings or HEX values. The
TOE supports keys that are from 22 characters in length up to 128 bytes in length.
The data that is input is conditioned by the cryptographic module prior to use via
SHA-1 or AES.
FIA_UIA_EXT.1
The TSF only allows the display of the warning banner, in accordance with
FTA_TAB.1, before successful identification and authentication of the users.
Administrative access to the TOE is facilitated through the TOE’s CLI. The TOE
mediates all administrative actions through the CLI. Once a potential
administrative user attempts to access the CLI of the TOE through either a directly
connected console or remotely through an SSHv2 connection, the TOE prompts
the user for a user name and password. Only after the administrative user presents
the correct authentication credentials will access to the TOE administrative
functionality be granted. No access is allowed to the administrative functionality
of the TOE until an administrator is successfully identified and authenticated.
The TOE provides a local password based authentication mechanism as well as
RADIUS and TACACS+ authentication.
The administrator authentication policies include authentication to the local user
database or redirection to a remote authentication server. Interfaces can be
configured to try one or more remote authentication servers, and then fail back to
the local user database if the remote authentication servers are inaccessible.
The TOE correctly invokes an external authentication server to provide a
single-use authentication mechanism by forwarding the authentication requests to
the external authentication server (when configured by the TOE to provide
single-use authentication).
The TOE implementation of SSHv2 supports the following public key algorithms
for authentication: RSA Signature Verification.
The process for authentication is the same for administrative access whether
administration is occurring via a directly connected console cable or remotely via
SSHv2. At initial login the administrative user is prompted to provide a username.
After the user provides the username, the user is prompted to provide the
administrative password associated with the user account. The TOE then either
grants administrative access (if the combination of username and password is
correct and the user is not locked out due to authentication failure handling) or
indicates that the login was unsuccessful. The TOE does not provide a reason for
failure in the case of a login failure.
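The login decision described above (remote servers first, the local user database only when they are inaccessible, lockout, and a single undifferentiated failure message), modelled as an added Python example; it is not code from the Security Target or from the TOE. All names, the lockout threshold of 3, and the treatment of a rejection from a reachable server as final are assumptions of this example.

```python
import hmac
from enum import Enum

class Remote(Enum):
    ACCEPT = 1        # server reachable, credentials accepted
    REJECT = 2        # server reachable, credentials refused
    UNREACHABLE = 3   # no answer from the server

GENERIC_FAILURE = "Login failed"  # constructed text, identical for every failure cause
MAX_FAILURES = 3                  # assumed lockout threshold, not taken from the page

class Authenticator:
    def __init__(self, remote_servers, local_users):
        self.remote_servers = remote_servers  # callables (user, password) -> Remote
        self.local_users = local_users        # constructed plaintext table for the example
        self.failures = {}                    # consecutive failed logins per user

    def _decide(self, user, password):
        if self.failures.get(user, 0) >= MAX_FAILURES:
            return False                      # locked out: a correct password fails too
        for server in self.remote_servers:
            result = server(user, password)
            if result is Remote.ACCEPT:
                return True
            if result is Remote.REJECT:
                return False                  # assumption: a reachable server's answer is final
        # Reached only when every remote server was unreachable (or none is configured).
        stored = self.local_users.get(user)
        if stored is None:
            return False
        return hmac.compare_digest(stored.encode(), password.encode())

    def login(self, user, password):
        if self._decide(user, password):
            self.failures[user] = 0
            return True, "Access granted"
        self.failures[user] = self.failures.get(user, 0) + 1
        return False, GENERIC_FAILURE         # caller never learns which check failed

def unreachable(user, password):              # constructed stand-in for a server that is down
    return Remote.UNREACHABLE

def rejecting(user, password):                # constructed stand-in for a reachable server
    return Remote.REJECT
```

The property worth checking in a review of such a design is that a rejection from a reachable server never reaches the local database, so a weaker local credential cannot be used to bypass the remote server's decision.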
FIA_UAU_EXT.2
FIA_UAU.7
When a user enters their password at the local console, the TOE displays blank