WiFiProtect® 3e-520 SERIES USER’S GUIDE Document Number: 29010012-001, Revision J2 21 December 2020 Prepared by: Ultra Intelligence & Communications 12410 Milestone Center Drive, Germantown, MD 20876 Tel 800-449-3384 Fax 301-515-1027 www.Ultra-3eTI.com CONFIDENTIAL & PROPRIETARY INFORMATION OF 3eTI: THE INFORMATION CONTAINED IN THIS DOCUMENT IS CONFIDENTIAL TO AND THE PROPRIETARY PROPERTY OF ULTRA ELECTRONICS, 3eTI.
WiFiProtect User’s Guide 3e-520 Series Copyright © 2020 3e Technologies International, Inc. (3eTI). All rights reserved. No part of this documentation may be reproduced in any form or by any means or to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3eTI.
Revision History
Revision Letter  Date  Description
A  05-12-2014  Initial Release
B  03-19-2015  Revised for Common Criteria
C  03-26-2015  Updated with review comments
D  08-11-2015  Updated with review comments and fixed missing figures
E  09-10-2017  Updated for Common Criteria NDcPP20/WLANAScEP10
F  05-04-2018  Updated with review comments
G  05-08-2018  Updated with review comments
H  03-24-2020  Updated for DoDIN APL
I  10-22-2020  Include model 3e-523
Table of Contents
Government Rights Legend  i
Export Restrictions  i
1. Introduction  1
1.1 Typical Deployment ...
2.3.6 Bridge  28
2.3.7 Ethernet VLAN  28
2.3.8 MAC Address Filtering  29
2.3.
2.10 Monitoring/Reports  76
2.10.1 System Status  76
2.10.2 Bridge Status  77
2.10.
4.2 Installation Instructions  103
4.2.1 3e-525N Ethernet Cable Assembly  103
4.2.2 Pole Mounting  104
5.
A.10.13 Audit Event: Failure of IPsec Security Association Establishment  14
A.10.14 Audit Event: Establishment or Termination of an IPsec Security Association  15
A.10.15 Audit Event: Failure of Random Bit Generation  15
A.10.16 Audit Event: Authentication Failure Handling ...
D.2 PHY Settings Specific to 3e-523E-900  1
Appendix E. Technical Support  2
E.1 Manufacturer’s Statement ...
List of Figures
Figure 1: Typical Deployment Diagram  1
Figure 2: 3e-523 External Connectors and Indicators  2
Figure 3: 3e-523N Power Supply and Ground Connections ...
Figure 31: Enable Time of Day for MAC Address Filtering  31
Figure 32: System Configuration – Certificate Store  32
Figure 33: Certificate Store Device CSR  33
Figure 34: CSR Generation ...
Figure 64: Services Settings – Serial Communication – TCP Socket  65
Figure 65: Services Settings — Remote Administration Access Control  66
Figure 66: Services Settings — Web Server  67
Figure 67: Admin User Management — List All Users ...
Figure 97: System Administration — Utilities  97
Figure 98: System Administration — Help: Hardware and Software Version Information  98
Figure 99: 3e-523N DIN Rail Mounting  100
Figure 100: 3e-523N Rear Mounting ...
Table 18: 3e-525N Accessories  102
Table 19: Operational Environment Objective  1
Table 20: Device Organizational Assumption  2
Table 21: Firmware Requirements ...
Section 1: Introduction WiFiProtect User’s Guide 3e-520 Series 1. Introduction This manual covers the installation and operation of 3e Technologies International’s (3eTI) latest members of the WiFiProtect ® product family. The WiFiProtect 3e-520 series product family consists of the 3e-523N and the 3e-525N Access Point (hereinafter referred to as WiFiProtect products, or 3e-520 series product unless otherwise specified).
1.2 Products and Features The 3e-520 series includes two different 802.11n products – 3e-523N and 3e-525N. Both products use a common hardware platform and run the same software. The major difference between these two models is single radio vs dual radio. The 3e-523N includes a single 802.11a/g/n radio card, indoor enclosure and is powered by a DC power adapter. The 3e-525N comes with dual 802.
Table 1: 3e-523N External Connectors and Indicators
Interfaces: RF A, RF B, RF C Antenna Ports; UPLINK (WAN); LOCAL (WLAN); SERIAL – I/O; PWR IN; RST
1.2.1.2 Description
For 802.11 a/g operation, connect a single antenna to RF A; it can be mounted directly to the unit, or mounted remotely. For 802.11n MIMO operation, three antennas are required.
1.2.1.3 Indicator LEDs
Figure 2 shows the location of the external connectors, indicator LEDs, and Reset Button on the 3e-523N. The LEDs and their function are described below in Table 2.
Table 2: 3e-523N Indicator LEDs
LED: Power; WAN; WLAN; FIPS/ALARM
1.2.1.4 Description
Power: The Power Indicator LED will light to indicate that power is being supplied to the unit.
WAN: The WAN LED indicates activity and uplink signal strength on the WAN.
For a simple reboot, hold the button for slightly more than 5 seconds, specifically until the WLAN LED goes dark. Then release the button. The device will reboot, and the LEDs will indicate the normal pattern one sees just after power up. NOTE: If you hold the button too long, you could accidentally restore to factory defaults and wipe out your device configuration.
Table 3: 3e-525N External Interfaces
Interfaces: Antenna Ports; Uplink (WAN Port); Local (Management Port); AUX; Ground; Reset Screw
Description
Antenna Ports: Six antenna ports. Antenna ports RF1A, 1B, 1C are connected to Radio 1; antenna ports RF2A, 2B, 2C are connected to Radio 2.
Uplink (WAN Port): The Uplink Port is used to connect the unit to the enterprise local network. This port accepts PoE compatible with 802.3at and 802.
The functional description of AUX pins is shown in Table 4.
Table 4: 3e-525N AUX Port
Signal Name  Pin  Device
Alarm 1 +  C  3e-525N
Alarm 1 -  B  3e-525N
Alarm 2 +  M  3e-525N
Alarm 2 -  H  3e-525N
Reset  A  3e-525N
Reset Return  D  3e-525N
Connector 3e-CONN-A1, listed in Table 18, is used to connect to this AUX port on the 3e-525N model. The Alarm functions are reserved for future use.
1.2.2.
Table 5: Indicator LED Descriptions
LEDs: WLAN1; WLAN2; Uplink; SS (Signal Strength); FIPS/MODE
Description
When the LED blinks, Ethernet packets are being transmitted or received by the interface. When the LED is off, the AP does not have an active connection to the network.
WLAN1: When the LED is on, radio 1 is turned on. When the LED is off, radio 1 is turned off.
WLAN2: When the LED is on, radio 2 is turned on. When the LED is off, radio 2 is turned off.
1.3 Wireless and Networking Basics Wireless networking uses electromagnetic Radio Frequency (RF) waves to transmit and receive data. Communication occurs by establishing radio links between the wireless AP and devices configured to be part of the WLAN. 1.3.1 IEEE 802.11 The WiFiProtect product family incorporates Institute of Electrical and Electronics Engineers (IEEE) 802.11 Wi-Fi standards and FIPS 140-2 security for wireless communication.
1) Standalone AP Network
a) An AP can be used as a standalone AP without any connection to a wired network. In this configuration, the AP simply provides a standalone wireless network for a group of wireless devices (Figure 8).
Figure 8: Standalone AP Network
2) Independent AP Networks
a) Multiple APs (Figure 9) can be connected to an existing Ethernet network to bridge between the wired and wireless environments.
3) Integrated AP Networks
a) Integrated AP networks are the most prevalent topology choice. In this topology, multiple APs (Figure 10) are connected to a wired network and operate off of that network’s Dynamic Host Configuration Protocol (DHCP) server to provide a wider coverage area for wireless devices, enabling the devices to “roam” freely about the entire site. The APs must use the same SSID.
1.3.2.2.1 Dual Bridge Mode Operation In 3e-525N products, there are two radios, which can work as bridges at different frequency bands. As shown in Figure 11, the two groups of bridges can work at two different frequency bands. The bridge in the middle uses two radios and works on different frequency bands to connect the two groups together.
1.3.5 Data Encryption and Security Authentication mechanisms are used to authenticate an operator accessing the WiFiProtect device and to verify that the operator is authorized to assume the requested role and perform services within that role.
• 4-Way Handshake: The 4-way handshake defined in 802.
Optionally, the user can configure the WAN Ethernet port on a specific VLAN. In this case, only traffic with this specific VLAN ID can be sent out of the WAN Ethernet port and it also remains untagged. All Ethernet traffic coming into the WAN port is automatically tagged with the configured VLAN tag. 1.
User Roles
Service and Purpose; Details; Roles: 3e-Crypto Officer, 3e-administrator, 3e-local
Configuring Remote A&A: Allow to configure remote A&A parameter. (X)
Change password: Administrator changes own password only. (X X X)
Show system status: View traffic status and systems log excluding security audit log. (X X X)
Manage audit logging: Select audit events to be logged. Configure remote audit logging. View audit event records.
Section 2: Device Configuration WiFiProtect User’s Guide 3e-520 Series 2. Device Configuration 2.1 Quick Setup In order to begin configuring your device, you will need to perform the following steps (details in the referenced sections): 2.1.1 3e-523N 1) Connect power to the unit: a) Use a 5-12 VDC power supply (Section 0). 2) Connect your laptop to the Designated Management Interface – Local port: a) Use a standard RJ-45 Cat6 Ethernet cable (Section 3.1). 3) Log in to the unit (Section 2.2.
Figure 14: 3e-525N Quick Setup 2.2 Initial Device Configuration The user can access the device’s Web Management UI application either through the dedicated Local Ethernet port or the Uplink (WAN) Ethernet port. The access is identical over IP and HTTPS. For initial access to the device, the user shall use the dedicated Local Ethernet port since the WAN IP is not set up. 2.2.
Plug one end of an Ethernet cable into the Local (Management) port of the device and connect the other end to an RJ-45 Ethernet port on your laptop. On your computer, open a browser window and type the default Uniform Resource Identifier (URL) for the unit's Local LAN in the address line (https://192.168.15.1). Note that https is required to ensure a secure connection.
1) Browser Notes:
a) SSL 2.
2.2.2 Login Figure 17: Login Screen You will be asked for your Username and Password (Figure 18). The default Username is "CryptoOfficer" and the default Password is "CryptoFIPS" to give full access for setup configuration (Username and Password are case-sensitive). Please read the terms and conditions and check the checkbox, then click Sign In to continue configuration.
• Default IP address of the Local Management port (https://192.168.15.1),
• DNS IP address,
• The MAC addresses of all wireless cards that will be used to access the network,
• The appropriate AES encryption key,
• SSID to identify all members of the WLAN.
Figure 19: Internet Explorer Successful Login Web Page
2.3.
You will immediately be directed to the System Configuration – General screen (Figure 20). This screen lists the 3e-520 series firmware version number for your unit and allows you to enter a Host Name, Domain Name, and Description (a description of the physical location of the unit is useful when deploying units to remote locations). Defaults are “default location”, “default”, and “default” respectively.
Figure 22: NTP Time Source While the NTP protocol provides an authentication mechanism, it does not provide for confidentiality. Therefore, the device can be configured to tunnel all NTP packets through an IPsec tunnel. Select the “IPsec Tunnel” check box and provide a “Tunnel Profile” in order to protect time synchronization packets with IPsec.
Note: IPsec Tunnel Profiles must be configured before IPsec can be used to protect NTP packets. See Section 0 in order to configure an IPsec Tunnel Profile. Note: Compliance with Common Criteria (PPWLAN) requires that all NTP traffic be transmitted within IPsec tunnels. The 3e-520 series initiates the IPsec protocol when building an IPsec tunnel to an NTP server.
You can modify the terms and conditions in the Login Banner which is displayed on the Login screen. The default is "This device is for authorized use only. Any unauthorized use of this product is prohibited." When you are satisfied with your changes, click Apply. 2.3.3 Noisy Channel Control The System Configuration – Noisy Channel Control screen (Figure 25) allows the installer the ability to manually eliminate channels from the 802.
2.3.4 WAN The System Configuration – WAN screen is shown in Figure 26. You can select the specific link speed and duplex configuration of the WAN/LAN Link. By default, this will be automatically negotiated. If using an IEEE 802.1Q VLAN tag on this port, please enter its value; a value of 0 indicates no VLAN support and is configured by default. 2.3.4.
Figure 26: System Configuration – WAN 2.3.5 LAN (Local Management) The System Configuration – LAN (Local Management) screen (Figure 27) configures the IPv4 Address and Subnet Mask for the Local Management port, which provides local access for configuration (defaults are 192.168.15.1 and 255.255.255.0 respectively).
Figure 27: System Configuration – LAN (Local Management) 2.3.6 Bridge RSTP (Rapid Spanning Tree Protocol) requires each bridge in the network to be assigned a priority index. The bridge with the lowest priority index will be assigned as root after the tree topology converges. The System Configuration – Bridge screen (Figure 28) allows you to assign bridge priority to the device.
The WAN Ethernet interface can be configured as a VLAN trunk or a single VLAN in the 3e-520 series as shown in Figure 29. In the 3e-523N series, the WAN Ethernet interface is always in VLAN trunk mode. In trunk mode, packets are sent and received unmodified. 2.3.8 MAC Address Filtering The System Configuration – MAC Address Filtering screen (Figure 30) is used to configure MAC address filtering for the unit.
Table 7: Add MAC Address Settings
Settings  Options  Description  Default
Radio Card  All / Radio 1 / Radio 2  Select the applicable radio(s) for the MAC filtering list item.  Radio 1
WLAN Service  Wireless AP / Wireless Bridge  Select the applicable WLAN Service. Wireless Bridge is available only if All radios are selected for filtering.  Wireless AP
Click Add to include the selected MAC Address on the list.
Figure 31: Enable Time of Day for MAC Address Filtering The Time of Day Filtering works in conjunction with the Access Point Client Session LifeTime (see Section 2.4.4 for details on setting the Client Session LifeTime). When a client is successfully associated with the Access Point, it is afforded the session lifetime independent of the time of day filtering.
specific information such as MAC address and IP address when applicable. All CSRs and their associated private keys are centrally stored and managed in the device KeyStore. If the user is deploying a 3e-520 series device into a system that already has a public key infrastructure and a certificate authority that can only accept CSRs, then the 3e-520 series device can be used to generate the required CSR.
Figure 33: Certificate Store Device CSR Note: The CSR feature will rarely be used since most institutions will load their own certificates generated by their CAs. Note: The following characters are not allowed in the Common Name field: <>~!@#$%^*/()? ,& Characters <>~!@#$%^*/()?.,& are not allowed in the Organization, Department, City, State/province, and Country fields. Common Name: Enter a fully qualified domain name.
will display confirmation of CSR generation; from here the user is offered options to ‘View CSR’, ‘Export CSR’, and ‘Delete CSR’, as well as an option to upload a signed certificate. Figure 34: CSR Generation 2.3.9.2 Device Certs The Device Certs page allows users to upload combined certificate/private key to the 3e-520 series device. The certificate/private key file must be in the *.pem, *.pfx or *.p12 formats.
Figure 35: Device Certs 2.3.9.3 Intermediate CA The Intermediate CA page allows users to upload Intermediate CA certificates to the 3e-520 series device. The certificates can be in the *.pem, or *.der format. The page lists certificates uploaded to the 3e-520 series device. To view a list of certificates in store click on the Intermediate CA tab in the Certificate Store page.
2.3.9.4 Trust Root CA The Trust Root CA page allows users to upload Trust Root CA certificates to the 3e-520 series device. The certificates can be in the *.pem, or *.der format. The page lists certificates uploaded to the 3e-520 series device. To view a list of certificates in store click on the Trust Root CA tab in the Certificate Store page.
2.3.9.6 OCSP Signer The OCSP Signer tab allows users to upload OCSP Signer certificates to the 3e-520 series device. The certificates can be in the *.pem, or *.der formats. The page lists certificates uploaded to the 3e-520 series device. To view a list of certificates in store click on the OCSP Signer tab in the Certificate Store page.
2.4.1.4 Client Mode When a radio is configured as Client Mode, the radio interface acts as a Wi-Fi client device. It will scan the available APs and connect to the nearest AP which has the same SSID and encryption key as configured. 2.4.1.5 WAN Interface The WAN Ethernet interface can be configured as a VLAN trunk or a single VLAN in the 3e-525N series. In the 3e-523N series, the WAN Ethernet interface is always in VLAN trunk mode.
2.4.3 Radio PHY Setting Configuration
The Radio – PHY Setting link is used for configuration of the radio’s Physical Layer (PHY) parameters.
Figure 41: Radio 1 – PHY Setting
2.4.3.1 Wireless Mode
Select the wireless mode from the drop-down list. You can choose from the following options:
• 802.11a
• 802.11g
See Section 2.4.3.3 to configure 802.11n.
Note: The 3e-523E-900 product uses only 802.
Table 8: Frequency Channel Numbers
Wireless Mode  Channel No.
802.11g  1 (2.412 GHz), 2 (2.417 GHz), 3 (2.422 GHz), 4 (2.427 GHz), 5 (2.432 GHz), 6 (2.437 GHz), 7 (2.442 GHz), 8 (2.447 GHz), 9 (2.452 GHz), 10 (2.457 GHz), 11 (2.462 GHz)
802.  36 (5.18 GHz), 40 (5.2 GHz), 44 (5.22 GHz), 48 (5.24 GHz), 149 (5.745 GHz), 153 (5.765 GHz), 157 (5.785 GHz), 161 (5.805 GHz), 165 (5.825 GHz)
2.4.3.5 RTS Threshold The Request to Send (RTS) Threshold is the number of bytes used for the RTS/CTS handshake boundary. When a packet size is greater than the RTS threshold, the RTS/CTS handshaking is performed. 2.4.3.6 Propagation Distance Propagation distance is an estimate of the radio distance to the nearby devices. It is used to estimate propagation delays between devices.
Table 9: Radio Settings
Settings  Options  Description
Broadcast SSID: When disabled, the AP hides the SSID in outgoing beacon frames and stations cannot obtain the SSID through passive scanning. Also, when it is disabled, the AP does not send probe responses to probe requests with unspecified SSIDs.
The time interval in time units (TU) at which the 802.11 beacon is transmitted. 1 TU = 1.024 milliseconds.
2.4.4.2 AP Security Figure 43: Radio – AP Security The Radio – AP Security screen (Figure 43) displays a default factory setting of no encryption (Key not Set); for security reasons the unit will not communicate with any clients unless the encryption is set. 2.4.4.2.1 FIPS 802.11i For the 802.11i setting, you must enable either PSK Settings or 802.1x (RADIUS) Settings.
2.4.4.2.1.2 Encryption Suite and Re-keying Re-keying time is the frequency at which new encryption keys are generated and distributed to the client. The more frequent the re-keying, the better the security. For highest security, select the lowest re-keying interval. Once you have selected the options you will use, click Apply. 2.4.4.2.2 802.1X / RADIUS (Common Criteria Compliant Mode) If a RADIUS Server will be used, select 802.
Note: Compliance with Common Criteria (WLANEP) requires that all RADIUS traffic be transmitted within IPsec tunnels. The 3e-520 series initiates the IPsec protocol when building an IPsec tunnel to a RADIUS server. During the authentication phase of the protocol, the 3e-520 series (Initiator) specifies with which of the RADIUS server’s (Responder’s) identities it wants to communicate.
2.4.4.4 Wireless VLAN Mapping In the 3e-520 series, when Wireless VLAN Mapping is enabled, a VLAN tag is added to the packets of wireless clients, which are then forwarded to their dedicated VLAN network. Figure 47 shows the configuration for wireless VLAN mapping. Figure 47: Radio – Wireless VLAN Mapping 2.4.4.4.1 Enable Wireless VLAN To enable VLAN mapping, hit the Enable button and the Apply button.
2.4.4.4.2 Create VLAN Click on the Create VLAN tab to create VLANs for each SSID. Figure 49 shows the VLAN configuration screen in the Create VLAN page. Each SSID can be associated with a different VLAN tag. That VLAN tag will be added to the Ethernet packet when it comes into the AP and be removed when it is sent out through the radio. A VLAN tag configuration of “0” will eliminate the VLAN modification for the SSID.
1) Notes and Tips:
a) In the 3e-520 series, VLAN 1 is always tagged. VLAN 0 can be used for untagged VLAN.
b) If the WAN Ethernet interface is put in “Single VLAN” mode and its VLAN ID is different from the “Management VLAN”, the device is not manageable through the WAN port. In this scenario, manage the device through the LAN port when the user is near the device.
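The tagging rules in this section and in the WAN VLAN description (tag added when a client frame enters the AP, removed when it leaves over the radio, VLAN 0 left untouched, and a Single VLAN WAN port that emits only its own VLAN, untagged, while tagging everything it receives) carried out on raw Ethernet frames. This is an added example written for this guide, not 3eTI firmware code; the sample frame, MAC addresses and function names are constructed for illustration.

```python
"""802.1Q tag handling as this guide describes it (hypothetical helper code,
not 3eTI's firmware): an SSID mapped to a VLAN has the tag inserted when a
client frame enters the AP from the radio and removed when a frame goes back
out over the radio; VLAN 0 means "leave the frame unmodified"; a WAN port in
Single VLAN mode lets out only frames carrying that VLAN ID, untagged, and
tags every frame that comes in on it."""
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
MAC_HDR_LEN = 12      # destination MAC (6 bytes) + source MAC (6 bytes)


def insert_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag (TPID + TCI) right after the MAC addresses."""
    if not 0 <= vid <= 4094:
        raise ValueError("VLAN ID must be in 0..4094")
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # PCP in the top 3 bits, VID in the low 12
    return frame[:MAC_HDR_LEN] + struct.pack("!HH", TPID_8021Q, tci) + frame[MAC_HDR_LEN:]


def vlan_id(frame: bytes):
    """Return the VLAN ID of a tagged frame, or None if the frame is untagged."""
    if len(frame) >= MAC_HDR_LEN + 4:
        tpid, tci = struct.unpack("!HH", frame[MAC_HDR_LEN:MAC_HDR_LEN + 4])
        if tpid == TPID_8021Q:
            return tci & 0x0FFF
    return None


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag if present; untagged frames pass through unchanged."""
    if vlan_id(frame) is None:
        return frame
    return frame[:MAC_HDR_LEN] + frame[MAC_HDR_LEN + 4:]


def radio_ingress(frame: bytes, ssid_vlan: int) -> bytes:
    """Client frame arriving over the radio: tag it with the SSID's VLAN (0 = no change)."""
    return frame if ssid_vlan == 0 else insert_tag(frame, ssid_vlan)


def radio_egress(frame: bytes) -> bytes:
    """Frame leaving toward a wireless client: the VLAN tag is removed."""
    return strip_tag(frame)


def wan_egress_single_vlan(frame: bytes, wan_vlan: int):
    """Single VLAN mode: only frames of the configured VLAN leave, and they leave untagged.
    Returns None for frames the port must not send (other VLANs, or untagged frames)."""
    if vlan_id(frame) != wan_vlan:
        return None
    return strip_tag(frame)


def wan_ingress_single_vlan(frame: bytes, wan_vlan: int) -> bytes:
    """Single VLAN mode: everything arriving on the WAN port gets the configured tag."""
    return insert_tag(frame, wan_vlan)


def sample_frame() -> bytes:
    """Constructed untagged IPv4 frame: locally administered MACs, EtherType 0x0800, dummy payload."""
    dst = bytes.fromhex("02000000000a")
    src = bytes.fromhex("02000000000b")
    return dst + src + struct.pack("!H", 0x0800) + b"\x45\x00" + b"\x00" * 18


def walk_client_frame(ssid_vlan: int, wan_vlan: int):
    """Trace one client frame: radio -> AP (tagged) -> WAN port in Single VLAN mode.
    Returns (VLAN seen inside the AP, what leaves the WAN port, or None if dropped)."""
    inside = radio_ingress(sample_frame(), ssid_vlan)
    return vlan_id(inside), wan_egress_single_vlan(inside, wan_vlan)


if __name__ == "__main__":
    print(walk_client_frame(ssid_vlan=10, wan_vlan=10))   # (10, untagged frame bytes)
    print(walk_client_frame(ssid_vlan=20, wan_vlan=10))   # (20, None): other VLAN, not sent
```

The second trace is the situation the note above warns about: a VLAN other than the one configured on a Single VLAN WAN port never leaves that port, which is why management traffic on a different VLAN has to use the LAN port.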
2.4.5.2 Wireless Mesh General The Radio – Wireless Mesh General screen (Figure 50) contains wireless bridging information. This screen is important in setting up your bridge configuration. Figure 50: Radio – Wireless Mesh General From a mesh network, the wireless mesh sniffs for beacons from other wireless mesh nodes and identifies APs that match a policy such as SSID and channel.
Table 11: Wireless Mesh General Setting Options
Settings  Options
RSSI Window Size  1-100
Signal Strength Threshold  50% / 45% / 40% / 35% / 30% / 25% / 20% / 15% / 10% / None
Link Sensitivity  50% / 45% / 40% / 35% / 30% / 25% / 20% / 15% / 10% / None
Ignore Mesh Signature  Yes/No
Remote AP's MAC Address  Read Only
2.4.5.3 Description
RF signal fluctuates over time and the fluctuation varies in different operating environments.
Figure 51: Wireless Bridge Information (Monitoring) 2.4.5.4 Auto Bridge Security The Radio – Auto Bridge Security screen (Figure 52) is used to configure static encryption keys for the wireless bridge. This is an important screen to set up to ensure that your bridge is working correctly.
2.4.6 Wireless Client Configuration The radios in the 3e-520 series can be configured as wireless clients to connect with an AP. The client mode of a radio cannot be combined with either bridge or AP mode. 2.4.6.1 Radio PHY Setting in Client Mode The Radio – PHY Setting screen is shown in Figure 53. It is used to set up the physical layer parameters of the radio. The client radio will scan all the channels to find the available APs.
Figure 54: Radio – Client General 2.4.6.3 Client Security The Radio – Client Security screen is shown in Figure 55. The client authentication security is carried out on this screen. The Security Type can be configured as WPA2-PSK-PASSPHRASE, WPA2-PSK-CCMP or WPA2-EAP-TLS-CCMP. WPA2-PSK-PASSPHRASE: A passphrase of 8 to 63 characters should be entered in the Passphrase field.
Figure 56: Radio – Client Security – WPA2-EAP-TLS-CCMP
A device certificate and root CA must be loaded from the Certificate Store (details in Section 2.3.9 and Figure 57). Then click Apply to save the client security.
Figure 57: Certificate Store – Loading Client Certificates for WPA2-EAP-TLS-CCMP
PROPRIETARY INFORMATION: Use or disclosure of this data is subject to the restrictions on the title page of this document.
2.5 IPsec Configuration IPsec tunnels can be configured to protect communication between the 3e-520 series and external services such as a RADIUS authentication server, NTP server or Remote Audit Log server. IPsec tunnels are used for a trusted channel to external servers in Common Criteria configuration. In order to use IPsec, at least one IPsec Tunnel Profile must be configured.
Figure 58: IPsec Tunnel Profiles Configured Profiles: this section lists all configured profiles and allows the user to select a profile for deletion.
Table 12: IPsec Tunnel Profile Settings
Settings  Options  Description
Pre-Shared Key
  Options:
  • String from 16 to 32 characters long enclosed within double quotation marks
  • Hex string of 8 to 63 characters
  Description: The Pre-Shared Key used during the IKEv2 Phase 1 Security Association establishment. The key can be entered as a hex string or a double quoted string that is hashed into the resulting key.
Mode  IKEv2 Encryption  Integrity  Pseudo Random Function  Diffie Hellman Group  ESP Encryption (Hardware encryption)  ESP Integrity (where applicable)
Suite B GCM 128  aes128cbc  sha256  sha256  ecp256  aes128gcm128  -
Suite B GCM 256  aes256cbc  sha384  sha384  ecp384  aes256gcm128  -
AES CBC 128  aes128cbc  sha256  sha256  ecp256  aes128cbc  sha256
AES CBC 256  aes256cbc  sha384  sha384  ecp384  aes256cbc  sha384
Suite B GM
Figure 60: Services Settings — DHCP Server
2.6.2 SNMP Agent
The Services Settings – SNMP Agent screen (Figure 61) allows you to configure the Simple Network Management Protocol (SNMP) Agent for the device. By default, the SNMP Agent is disabled (both the SNMPv1/SNMPv2c and SNMPv3 check boxes are unchecked, as shown in Figure 61).
Figure 61: Services Settings — SNMP Agent
WiFiProtect 3e-520 series products support multiple versions of the SNMP protocol: SNMPv1, SNMPv2c and SNMPv3. You can disable any SNMP protocol version by unchecking it.
2) SNMPv1/SNMPv2c Trap Receivers:
a) Trap Receiver Address – The IP address of the trap receiver that receives SNMP traps from this device.
b) Community – The community string to be used in reporting SNMP traps.
c) Type – The type of SNMP traps. Select between SNMPv1 Trap and SNMPv2 Trap. The default setting is SNMPv1 Trap.
following 4 groups, and at least 2 of each group: uppercase letters, lowercase letters, numerals, and symbols found on the keyboard.
d) AES Encryption Password – The AES encryption password for sending SNMPv3 traps. Enter a cryptographically strong password, one that contains characters from all of the following 4 groups, and at least 2 of each group: uppercase letters, lowercase letters, numerals, and symbols found on the keyboard.
Table 14: Service Settings – Serial Communication
Setting – Options – Description
Interface Type – RS-232, RS-422, RS-485 – Select the interface type for the serial I/O port.
Duplex (RS-485 only) – Full-Duplex, Half-Duplex – In full duplex mode data is transmitted and received simultaneously. In half duplex mode data is transmitted or received, but not at the same time.
2.6.4 Serial Communication (3e-523N Only)
The Services Settings – Serial Communication section (Figure 63) displays the status and configuration of the current serial port mode of operation. You can Enable or Disable (default) serial communications and select a serial Port Profile.
NOTE: See System Configuration – Serial Port, Section 2.6.3, to configure the serial interface. 2.6.4.
If the 3e-520 series device is configured as a TCP Server, other network devices can initiate a TCP connection to the serial device attached to its serial port. Network devices initiating connections must be configured with the IP address of the 3e-520 series device and the TCP port number associated with its serial port. The TCP Port can be configured as needed in this screen (default is 18000).
Figure 65: Services Settings — Remote Administration Access Control
Up to 8 Access Control policies can be defined in the Access Control List, with the following fields for each entry:
• Policy – ACCEPT or DROP a request packet if it matches this access control policy.
• Protocol – The protocol field can be HTTPS, SNMP, ICMP or All.
• Management PC MAC Only – This is a MAC address filter. Only the source MAC of request packets is checked.
• Management PC IP and MAC – This is an IP address and MAC address filter. Both the source IP and source MAC of request packets are checked.
• Both Management PC IP and Management PC MAC are unspecified – This is a match-all filter. The access control policy applies to any request packet.
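The following is an added example, not 3eTI code: a model of the Remote Administration Access Control List described above, so that a rule set can be checked offline before it is applied to the device. Everything the page does not state is an assumption and is marked as such in the code: policies are evaluated top-down with the first match winning, a request that matches no policy is dropped, and the IP and MAC addresses used are constructed.

```python
"""Added example (not 3eTI code): a model of the Remote Administration
Access Control List from Section 2.6 (Figure 65).

Assumptions (not stated on the page):
  * policies are evaluated top-down and the first match wins;
  * when no policy matches, the request is DROPPED (fail closed);
  * all addresses below are constructed sample values.
"""
from dataclasses import dataclass
from typing import List, Optional

MAX_POLICIES = 8                          # "Up to 8 Access Control policies"
ACTIONS = ("ACCEPT", "DROP")
PROTOCOLS = ("HTTPS", "SNMP", "ICMP", "All")


@dataclass(frozen=True)
class Policy:
    action: str
    protocol: str
    ip: Optional[str] = None   # Management PC IP;  None = unspecified
    mac: Optional[str] = None  # Management PC MAC; None = unspecified

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"bad action {self.action!r}")
        if self.protocol not in PROTOCOLS:
            raise ValueError(f"bad protocol {self.protocol!r}")

    def match_mode(self) -> str:
        """The four filter modes described on the page."""
        if self.ip and self.mac:
            return "ip-and-mac"
        if self.ip:
            return "ip-only"
        if self.mac:
            return "mac-only"
        return "match-all"

    def matches(self, protocol: str, src_ip: str, src_mac: str) -> bool:
        if self.protocol != "All" and self.protocol != protocol:
            return False
        if self.ip is not None and self.ip != src_ip:
            return False
        if self.mac is not None and self.mac.lower() != src_mac.lower():
            return False
        return True


class AccessControlList:
    def __init__(self, policies: List[Policy], default_action: str = "DROP"):
        if len(policies) > MAX_POLICIES:
            raise ValueError(f"at most {MAX_POLICIES} policies are supported")
        if default_action not in ACTIONS:
            raise ValueError(f"bad default action {default_action!r}")
        self.policies = list(policies)
        self.default_action = default_action   # assumption: fail closed

    def decide(self, protocol: str, src_ip: str, src_mac: str) -> str:
        """First matching policy decides; otherwise the default applies."""
        for p in self.policies:
            if p.matches(protocol, src_ip, src_mac):
                return p.action
        return self.default_action


def example_acl() -> AccessControlList:
    """A typical management rule set (constructed addresses)."""
    return AccessControlList([
        # HTTPS only from the one management PC, bound to both IP and MAC
        Policy("ACCEPT", "HTTPS", ip="192.0.2.10", mac="00:11:22:33:44:55"),
        # ping allowed from anywhere (match-all filter)
        Policy("ACCEPT", "ICMP"),
        # explicit final deny, so SNMP from anywhere is dropped
        Policy("DROP", "All"),
    ])
```

The "IP and MAC" mode is the tightest binding the device offers, but note that a source MAC is only meaningful on the management PC's own segment: a router rewrites it, so a policy that relies on the MAC will never match a request arriving through a routed hop. Put an explicit DROP/All entry last rather than relying on whatever the device does when nothing matches.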
2.7 Admin User Management
Users can access the device through either the dedicated local Ethernet port or the WAN Ethernet port. The Management UI treats users identically regardless of the access port.
2.7.1 List all Users
The Admin User Management – List All Users screen (Figure 67) lists the CryptoOfficer and any other accounts configured for the unit. You can edit or delete users from this screen.
Figure 68: Admin User Management — Edit User
2.7.2 Add New User
The Admin User Management – Add New User screen (Figure 69) allows you to add new users with the 3elocal role and configure the associated User ID, Password, and Note fields.
• User ID: User-defined unique user identification string
• User Password: User-defined user authentication string. The password can be composed of any combination of upper- and lower-case letters, numbers, and the following special characters: “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(“ or “)”.
2.7.3 User Login Policy
The Admin User Management – User Login Policy screen (Figure 71) allows you to configure options governing user login policy and associated device functionality. The User Login Policy applies to all local users.
Figure 71: Admin User Management — User Login Policy
You can choose to Enable or Disable (default) the Password Complexity Check.
2.8 Remote Authentication and Authorization
The 3e-520 series devices offer both local and remote user authentication. Local authentication uses a username and password: when the user opens the device URL and enters the username and password, the device authenticates the user against its local on-device username/password store and then authorizes the user based on the local user privilege policy.
Figure 72: Admin User Management – Remote A&A Setup
2.8.2 Remote A&A User Groups
As discussed in Section 1.4.1 ‘User Roles’, any of three roles can be assigned to Remote A&A users: ‘3elocal’, ‘3e-CryptoOfficer’, and ‘3e-administrator’. Users/roles created at the centralized management server are independent of users created locally at the 3e-520 series device.
The remote user is associated with one of these three groups through the ‘memberOf’ attribute. The 3e-520 series device authenticates the remote user’s username and password against the LDAP server and then queries the user’s ‘memberOf’ attribute. The LDAP server returns the group information (‘memberOf’ attribute) to the 3e-520 series device, which uses it to grant the user’s privilege for remote management access. 2.
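As an added example (not 3eTI code) of the role mapping just described, the function below takes the values of a user’s ‘memberOf’ attribute and returns the single 3e role they grant. The page does not show how the device compares group entries, so the example assumes the usual LDAP shape, a distinguished name whose CN is the role name; the OU/DC components are constructed. Where a user is in none of the three role groups, or in more than one, the mapping refuses to grant a role instead of guessing.

```python
"""Added example (not 3eTI code): mapping an LDAP user's 'memberOf' values
to one of the three Remote A&A roles named in Section 2.8.2.

Assumptions: group entries are DNs whose first RDN is CN=<role name>
(OU/DC parts below are constructed); comparison is case-insensitive,
as LDAP's default caseIgnoreMatch would make it.
"""
from typing import Iterable, List, Optional, Tuple

ROLES = ("3elocal", "3e-CryptoOfficer", "3e-administrator")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'CN=x,OU=y,DC=z' into [(attr, value), ...].

    A backslash escapes the next character, so 'CN=Smith\\, John,OU=...'
    keeps the comma inside the value instead of splitting on it.
    """
    parts, cur, escape = [], "", False
    for ch in dn:
        if escape:
            cur += ch
            escape = False
        elif ch == "\\":
            escape = True
        elif ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    pairs = []
    for part in parts:
        attr, _, value = part.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def role_from_member_of(member_of: Iterable[str]) -> Optional[str]:
    """Return the one 3e role granted by memberOf, or None.

    None is returned both when no role group matches and when the user is
    in more than one role group: an ambiguous membership is not resolved
    to the most privileged role.
    """
    found = set()
    for dn in member_of:
        pairs = parse_dn(dn)
        if not pairs or pairs[0][0] != "cn":
            continue                      # not a CN-led group DN
        cn = pairs[0][1].lower()
        for role in ROLES:
            if cn == role.lower():
                found.add(role)
    if len(found) != 1:
        return None
    return found.pop()
```

Refusing on ambiguous membership is the conservative choice when the directory side and the device side are administered independently, as the page notes they are: a user accidentally left in both ‘3elocal’ and ‘3e-CryptoOfficer’ gets no remote access until the directory is fixed, rather than silently getting CryptoOfficer.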
2.9.1.2 OCSP Responder
If “Enforce OCSP check” is enabled on the 3e-520 series device, an OCSP responder must be installed and set up in the network. Software such as Tumbleweed Validation Authority running on a Windows Server platform can be configured as an OCSP responder. The DoD CA-23 certificate and any corresponding CRL can be loaded into the OCSP responder from a local file.
management. An IPsec tunnel can be used to further secure the LDAPS connection. Please refer to Section 2.8 Remote Authentication and Authorization for more detail.
Note: A Two-Factor Authentication configuration change takes effect only after the device reboots.
2.10 Monitoring/Reports
This section gives you a variety of lists and status reports. Most of these are self-explanatory. 2.10.
2.10.2 Bridge Status
The Monitoring/Reports – Bridge Status screen (Figure 76) displays the Spanning Tree Protocol (STP) status for each port, as well as associated Bridge Information for the device.
Ethernet Link STP Status: This is for the Uplink Ethernet port of the device. This screen displays current STP parameters for this port.
Bridge Information: This screen displays current STP parameters for the bridge link.
2.10.3 Bridge Site Map
The Monitoring/Reports – Bridging Site Map screen (Figure 77) shows the spanning tree network topology of both wired and wireless nodes connected to the network. The root STP node is always on top and the nodes of the hierarchy are displayed below it. Wired links are double dotted lines and wireless links are single dotted lines.
NOTE: This map does not update dynamically.
2.10.4 Adjacent AP List
The Monitoring/Reports – Adjacent AP List screen (Figure 78) shows the APs detected by the device’s radio(s). Only APs within the part of the band that can be seen from the device’s current channel are listed. For example, if the AP is on channel 1, it will display APs on channels 1-3.
2.10.5 DHCP Client List
The Monitoring/Reports – DHCP Client List screen (Figure 79) displays all clients currently holding a lease from the unit’s DHCP server, including their reference Index, Hostname, IP Address, and MAC Address. It also shows an “Expired at” date for each client, based on the displayed DHCP server lease period. The DHCP Client list constantly collects entries.
Figure 80: Logs – System Log
2.11.2 Web Access Log
The Logs – Web Access Log screen (Figure 81) displays System Facility Messages with a date-time stamp for any actions involving web access. All configuration operations performed via the web GUI are logged. For example, the web access log records when you set the encryption mode, change the operating mode, etc., using the web browser.
Figure 81: Logs – Web Access Log
2.12 Auditing
The unit collects audit data and provides an interface for authorized administrators to review generated audit records. It generates records for two separate classes of events: authentication/access to the system, and actions taken directly on the system.
NOTE: Many of these event notifications cannot be disabled for security reasons. They are displayed for reference only.
Figure 82: Auditing – Configuration
Table 16: Auditing – Configuration Event Types and Description
Event Type – Description
Audit Startup/Shutdown – Audit record generated when the audit service is started or stopped. This record cannot be disabled.
Self-test – Any modification to the audit log configuration (enable/disable, recorded event types, etc.) will trigger the creation of an audit record. Cannot be disabled.
2.12.1.1 Audit Records Limited by Admin User ID
In addition to limiting audit records by event type, the device can further limit records based on administrative user ID. To limit audit logging to only events associated with an administrative user, add the username to the ‘Admin User ID’ attribute.
Figure 83: Audit Records Limited By User ID 2.12.1.
configuration screen to create a “Profile”, in which the user specifies the peer IP address, the certificates used for peer authentication and the ESP encryption options. To view the IPsec tunnel status, refer to Section 2.5.2. If the IPsec tunnel connection fails, the user can see this in the IPsec status; the device keeps trying to establish the tunnel and, in the meantime, saves the log to local storage.
Figure 86: Auditing – Log
2.13 System Administration
The System Administration screens contain administrative functions. The screens and functions are detailed in the following sections.
2.13.1 Email Notification Configuration
All system notification emails need to be set up using the System Administration – Email Notification Configuration screen (Figure 87). Your email server must support the SMTP protocol.
Figure 87: System Administration – Email Notification Configuration
To test the email function, fill in the email address, then click the Test button; a pop-up window such as the one shown in Figure 88 will indicate the result of the email test.
Figure 88: Email Test Result
2.13.2 Radio TX Off Control
The radios can be programmed to turn off and turn on during a specified time in the future, as shown in Figure 89.
Figure 89: System Administration – Radio TX Off Control
2.13.3 System Upgrade
The System Administration – System Upgrade screen (Figure 90) gives you the ability to upload updates to the device’s firmware as they become available. When a new upgrade file becomes available, you can perform a firmware upgrade from the Firmware Upgrade window. Normally, the user will first receive an email notification from 3eTI’s product support team.
Figure 90: System Administration — System Upgrade – Firmware Upgrade
2.13.3.2 Configuration Export/Import
On the System Administration – System Upgrade screen (Figure 91), click the Configuration Export/Import tab to upload and download configuration files for APs connected to the network. To upload a configuration file, select the file using the Browse button and enter the passphrase for that file.
1) Notes and Tips:
a) When exporting configuration files, keys are NOT downloaded.
b) When importing a configuration file to a device, if the device is currently configured with the same security options as those in the uploaded file, the keys are reused. Otherwise, the keys are zeroized and marked “key not set” in the web GUI. e.g.: The current device has the 802.11i-PMK option on AP security.
2.13.4 Default Configuration
The System Administration – Default Configuration screen (Figure 92) is used to reset the AP to its factory settings. The Restore button is a fallback troubleshooting function that should only be used to reset to the last saved general configuration. The Save button saves the current general configuration so that it can be restored in the future.
2.13.5 Remote Logging
The System Administration – Remote Logging screen (Figure 93) allows you to forward the syslog data from each unit to a central remote logging server. In the unit, this function uses the syslogd daemon. If you enable Remote Logging, enter a System Log Server IP Address and System Log Server Port. Click Apply to accept these values.
2.13.6 Reboot
The System Administration – Reboot screen (Figure 94) allows you to reboot the unit without changing any preset functionality.
Figure 94: System Administration — Reboot
2.13.7 Self-Test
Self-tests are run to verify the correctness of cryptographic related functions.
Test results are written to the system log. The platform must not pass secure data while self-tests are executing, so network interfaces are disabled during self-tests. The platform is halted if any self-test fails. Many factors can lead to a self-test error. For example, faulty hardware components in the noise/entropy generator could lead to DRBG and key generation failures.
2.13.7.2 Periodic Self-test
Selecting the Periodic Self-test link (Figure 96) allows the user to enable/disable periodic tests. One test iteration executes each self-test except the firmware and bootloader integrity checks.
2.13.8 Utilities
The System Administration – Utilities screen (Figure 97) gives you ready access to two useful utilities: Ping and Traceroute. Simply enter the IP address or hostname you wish to ping or traceroute and click either the Ping or Traceroute button, as appropriate.
2.13.9 Help
The System Administration – Help screen (Figure 98) displays detailed hardware and software version information when you click on Help.
Figure 98: System Administration — Help: Hardware and Software Version Information
3. 3e-523N Hardware Installation
3.1 Preparation for Use
This section describes installation of the 3e-523N unit; see the following sections for 3e-525N series information. The 3e-523N requires physical mounting and installation on the site, following a prescribed placement design to ensure optimum operation.
NOTE: The 3e-523N is designed for indoor use but can be deployed outdoors within a suitable enclosure.
3.2 Device Installation
3.2.1 DIN Rail Mounting
The 3e-523N includes a standard locking DIN Rail mount as shown in Figure 99.
Figure 99: 3e-523N DIN Rail Mounting
3.2.2 Rear Mounting
The DIN Rail mount can be removed to allow the 3e-523N to be mounted directly to a panel or other flat surface, using metal screws to attach the unit at the four mounting holes as shown in Figure 100 and Figure 102.
3.2.3 Base Mounting
The 3e-523N can be mounted on its side directly to a panel or other flat surface, using metal screws to attach the unit at the four mounting holes as shown in Figure 101 and Figure 102. However, this may obscure the label that provides important product information, as shown below. Note that these screws must not penetrate more than 0.25 inches into the enclosure.
Figure 101: 3e-523N Base Mounting 3.2.
4. 3e-525N Hardware Installation
4.1 Installation Preparation
The 3e-525N product family requires physical mounting and installation on the site, following a prescribed placement design to ensure optimum operation and roaming.
WARNING: To comply with FCC RF exposure compliance requirements, the antennas used with the 3e-525N family products must be installed with a minimum separation distance of 20 cm (35 cm for any approved directional antenna) from all persons, and must not be co-located or operated in conjunction with any other antenna or transmitter.
4.2.2 Pole Mounting
To mount the unit outdoors, you should choose a suitable post to mount the unit high in the air. You can purchase a pole mounting kit from 3eTI. Use the U-ring, screws and nuts to attach the mounting plate to the post. Next attach the unit to the mounting plate with screws.
Figure 104: 3e-525N Pole Mount Installation
NOTE: The Pole Mount Kit is designed for a pole of Ø 2.5”.
5. 3e-523E-900 Hardware Installation
5.1 Installation Preparation
The 3e-523E-900 radio-communications product requires physical mounting and installation on site, following a prescribed placement design to ensure optimum operation and roaming. By design, the 3e-523E-900 transmits and receives only the intended direct-sequence spread spectrum modulated 900 MHz signal, through the use of automatic keying and code deciphering.
5.1.2 Mounting Pattern
5.1.3 Installation Instructions
! WARNING ! Do not attempt to install any outdoor equipment during hazardous conditions such as a thunderstorm, where lightning could strike the equipment or installer. Failure to follow this warning could result in injury or death.
Mounting feet (and screws) are supplied with the unit, attached inside of the cover. The installer must attach these to the enclosure prior to mounting.
An external grounding wire is not provided with the unit. Protection of the user and the unit requires a safety ground wire run from the threaded stud at the bottom of the unit to a secure earth-bonded surface. The length of this grounding wire should be kept to a minimum; Ultra-3eTI recommends less than 3 feet.
Appendix A. Common Criteria
A.1 Overview
Common Criteria for Information Technology Security Evaluation is an international standard for computer security certification. The 3e-520 series claims compliance with CPP_ND_V20 and PP_WLAN_AS_EP_V1.0. This appendix provides details of how to administer the device to be compliant with the requirements specified in the protection profiles.
Table 20: Device Organizational Assumption
Operational Function – Description
Banners – The device will display a customizable banner prior to the login process.
General Purpose Security – Only those services that are necessary for the operation, administration and support of the device are required. The physical security for the device is provided by the environment.
Software version 5.1.0.0 Build 260 for 3e-523N:
Figure 106: Software Version
The following requirements are satisfied by running the device with firmware image version 5.1.
Table 21: Firmware Requirements
PPWLAN Requirement – Description
FCS_CKM.1 (1) - Cryptographic Key Generation (symmetric keys for WPA2 connections) – The firmware provides symmetric key generation using a FIPS approved cryptographic engine. FCS_CKM.
PPWLAN Requirement – Description
FCS_TLS_EXT.1 - Extended: TLS; FCS_HTTPS_EXT.1 - Extended: HTTPS – The firmware provides a web interface that supports TLS version 1.1 or 1.2 with the ciphers AES-CBC-128 or AES-CBC-256. The cipher suite is auto-negotiated on each web request and requires no further configuration. Note that TLS 1.1 has since been deprecated (RFC 8996); configure the management client so that TLS 1.2 is negotiated.
out even after the login threshold is reached. Note that the ‘Password Lockout Period’ should not otherwise be set to 0.
• Enable the “Password Aging” attribute for each user and set the “Maximum Password Age” to force the user to change his password on a regular basis.
• Set the ‘Minimum Password Length’ to 15 characters in the User Login Policy page by following the guidance in Section 2.7.3.
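The password rules on this page are spread over three places: the SNMPv3 authentication and AES encryption passwords in Section 2.6.2 (all four character groups, at least two of each), the admin user password character set in Section 2.7.2, and the Common Criteria minimum length of 15 in this appendix. The following added checker (not 3eTI code) collects them so an administrator can test candidate passwords before entering them on the device. The page does not say what the User Login Policy “Password Complexity Check” (Section 2.7.3) enforces; the checker assumes “at least one character from each of the four groups” for admin passwords and labels that as an assumption.

```python
"""Added example (not 3eTI code): offline checks for the password rules
stated in Sections 2.6.2 and 2.7.2 and in Appendix A.5.

Assumption: the admin-password "complexity check" is modelled as
'every one of the four groups present at least once'; the page does not
define it.
"""
import string
from typing import Dict, List

UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
SYMBOLS = set(string.punctuation)           # "symbols found on the keyboard"
ADMIN_SPECIALS = set("!@#$%^&*()")          # the set listed in Section 2.7.2


def group_counts(password: str) -> Dict[str, int]:
    """How many characters of each of the four groups the password holds."""
    return {
        "upper": sum(c in UPPER for c in password),
        "lower": sum(c in LOWER for c in password),
        "digit": sum(c in DIGITS for c in password),
        "symbol": sum(c in SYMBOLS for c in password),
    }


def check_snmpv3_password(password: str, per_group: int = 2) -> List[str]:
    """SNMPv3 auth/encryption password rule (Section 2.6.2): characters
    from all four groups, at least two of each. Returns the groups that
    fall short; an empty list means the password complies."""
    return [g for g, n in group_counts(password).items() if n < per_group]


def check_admin_password(password: str, min_length: int = 15,
                         complexity_check: bool = True) -> List[str]:
    """Admin user password: allowed character set from Section 2.7.2,
    minimum length 15 from Appendix A.5, complexity as assumed above.
    Returns a list of problems; empty means acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length}")
    disallowed = sorted(set(password) - UPPER - LOWER - DIGITS - ADMIN_SPECIALS)
    if disallowed:
        problems.append("disallowed characters: " + "".join(disallowed))
    if complexity_check:
        missing = [g for g, n in group_counts(password).items() if n == 0]
        if missing:
            problems.append("missing groups: " + ", ".join(missing))
    return problems
```

Note the two character sets differ: the SNMPv3 rule accepts any keyboard symbol, while the admin password list is limited to “!@#$%^&*()”, so a password that passes the SNMPv3 check can still be rejected by the admin user screen.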
A.6 Configuring System Time
The device requires a reliable time source for proper operation. The device is equipped with a real-time clock that is used as the local time source. Additionally, the device can be configured to synchronize its real-time clock with an external NTP time source.
1) Add an IPsec Tunnel Profile to the device by following the guidance in Section 2.5. Ensure that the Cipher Suite selected is NOT “Suite B GMAC 128” or “Suite B GMAC 256”. These cipher suites provide integrity only, not confidentiality.
Table 25: Access Point Session Establishment
NDPP Requirement – Description
FTA_TSE.1 - TOE Session Establishment – The device is able to deny establishment of a wireless client session based on MAC address, time or day. MAC Address Filtering is configured per wireless interface, so a wireless client can be added to the “deny list” on one interface while being on the “allowed list” on the other interface.
2) Enable Remote Auditing and provide the ‘Audit Server Address’ and ‘Audit Server Port’ described in Section 2.12.1. Be sure to check the IPsec Tunnel check box and select the IPsec Tunnel profile added in the step above.
The following PPWLAN requirements are satisfied once audit logging is configured.
Table 26: Audit Log Requirements
PPWLAN Requirement – Description
FAU_GEN.
Table 27: Fields in Audit Event Message
Field – Description
Index Number – The Audit Event logging utility prepends each message with an index number that is incremented with every message. The index is set to ‘1’ whenever the system is rebooted. The index wraps back around to ‘1’ after its maximum value of ‘99999’.
• 319 Sep 11 15:03:48 2017 2 EVT_SYSTEM_CONFIG, CryptoOfficer, Failed to update audit configuration, , ,
A.10.4 Audit Event: Loss of Connectivity to Server
Audit log messages are generated when the link to the external audit server is not available. The following messages are generated as a result of losing connectivity to the audit server 192.168.205.
c) 649 Sep 11 15:44:17 2017 1 EVT_ENCRYPT_ALG_CHANGED, CryptoOfficer, AP1 FIPS802.11i PSK Master Key changed., , ,
d) 651 Sep 11 15:44:17 2017 1 EVT_SYSTEM_CONFIG, CryptoOfficer, Updated AP security configuration, , ,
6) Configure AP PSK with Passphrase:
a) 654 Sep 11 15:45:15 2017 1 EVT_ENCRYPT_ALG_CHANGED, CryptoOfficer, AP1 FIPS802.
12) Generating/import of, changing, or deleting of cryptographic keys
WiFi PSK change:
a) 31 Apr 12 19:05:34 2018 1 EVT_ENCRYPT_ALG_CHANGED, CryptoOfficer, AP1 FIPS802.11i sub-algorithm is changed from PSK Master Key to PSK Passphrase, , ,
b) 32 Apr 12 19:05:34 2018 1 EVT_KEY_GENERATION, CryptoOfficer, AP1 FIPS-802.11i PSK Master Key changed., , ,
c) 33 Apr 12 19:05:34 2018 1 EVT_ENCRYPT_ALG_CHANGED, CryptoOfficer, AP1 FIPS802.
A.10.8 Audit Event: Failure of Cryptographic Signature
Audit log messages are generated when cryptographic signing fails. The following is an example of an audit log message resulting from a cryptographic signature failure:
• 3614 May 10 13:11:52 2015 2 EVT_CRYPTO_SIGNATURE_ERR, , audit1 VPN [192.168.205.9]: Cryptographic signature failed, , ,
A.10.
• 3244 May 10 13:12:53 2015 2 EVT_IPSEC_SA, , audit1 VPN [192.168.205.9]: Traffic selector mismatch, , ,
The device verifies that the strength of the algorithm used in the ESP SA (IKEv2 CHILD_SA) is less than or equal to that of the algorithm of the parent IKE_SA.
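The following added example (not 3eTI code) pulls together the IPsec profile rules stated on this page: the pre-shared key forms of Table 12, the cipher-suite rows of the Section 2.5 table, the Appendix A.8 rule that the Suite B GMAC suites carry no confidentiality and so must not be used for the trusted channel, and the CHILD_SA-not-stronger-than-IKE_SA check just described. It lets an administrator validate a profile before applying it. Assumptions: the “strength” compared is the AES key size named in each algorithm string; the GMAC rows are cut off on the page, so they are modelled only as “no confidentiality”; the key values used in the usage lines are constructed.

```python
"""Added example (not 3eTI code): validating an IPsec Tunnel Profile against
Table 12, the Section 2.5 cipher-suite table, Appendix A.8 (GMAC suites give
no confidentiality) and Appendix A.10 (ESP algorithm must not be stronger
than the IKE_SA algorithm).

Assumptions: strength is compared by AES key size parsed from the algorithm
name; GMAC rows are not on the page and are modelled only as integrity-only.
"""
import re
from typing import List, Tuple

# Rows reproduced from the page (IKEv2 / ESP columns).
SUITES = {
    "Suite B GCM 128": dict(ike_enc="aes128cbc", ike_integ="sha256", prf="sha256",
                            dh="ecp256", esp_enc="aes128gcm128", esp_integ=None),
    "Suite B GCM 256": dict(ike_enc="aes256cbc", ike_integ="sha384", prf="sha384",
                            dh="ecp384", esp_enc="aes256gcm128", esp_integ=None),
    "AES CBC 128": dict(ike_enc="aes128cbc", ike_integ="sha256", prf="sha256",
                        dh="ecp256", esp_enc="aes128cbc", esp_integ="sha256"),
    "AES CBC 256": dict(ike_enc="aes256cbc", ike_integ="sha384", prf="sha384",
                        dh="ecp384", esp_enc="aes256cbc", esp_integ="sha384"),
}
# Appendix A.8: integrity only, no confidentiality.
NO_CONFIDENTIALITY = {"Suite B GMAC 128", "Suite B GMAC 256"}

_HEX_PSK = re.compile(r"[0-9A-Fa-f]{8,63}")     # "Hex string of 8 to 63 characters"


def classify_psk(psk: str) -> Tuple[bool, str]:
    """Table 12: either a double-quoted string of 16..32 characters (hashed
    into the key) or a bare hex string of 8..63 characters.
    Returns (acceptable, kind) with kind in {'quoted', 'hex', 'invalid'}."""
    if len(psk) >= 2 and psk[0] == '"' and psk[-1] == '"':
        inner = psk[1:-1]
        return (16 <= len(inner) <= 32, "quoted")
    if _HEX_PSK.fullmatch(psk):
        return (True, "hex")
    return (False, "invalid")


def aes_key_bits(alg: str) -> int:
    """'aes256gcm128' -> 256, 'aes128cbc' -> 128 (the trailing 128 on the
    GCM names is the ICV length, not the key size)."""
    m = re.match(r"aes(128|256)", alg)
    if not m:
        raise ValueError(f"not an AES algorithm name: {alg!r}")
    return int(m.group(1))


def child_sa_acceptable(ike_enc: str, esp_enc: str) -> bool:
    """A.10: the CHILD_SA (ESP) algorithm must not be stronger than the
    parent IKE_SA algorithm."""
    return aes_key_bits(esp_enc) <= aes_key_bits(ike_enc)


def validate_profile(suite: str, psk: str, trusted_channel: bool = True) -> List[str]:
    """Return a list of problems; an empty list means the profile is acceptable
    for use as a Common Criteria trusted channel (trusted_channel=True)."""
    problems = []
    if suite in NO_CONFIDENTIALITY:
        if trusted_channel:
            problems.append(f"{suite} provides no confidentiality; "
                            "not allowed for a trusted channel")
    elif suite not in SUITES:
        problems.append(f"unknown cipher suite {suite!r}")
    else:
        s = SUITES[suite]
        if not child_sa_acceptable(s["ike_enc"], s["esp_enc"]):
            problems.append("ESP algorithm is stronger than the IKE_SA algorithm")
    ok, kind = classify_psk(psk)
    if not ok:
        problems.append(f"pre-shared key is not a valid quoted or hex string ({kind})")
    return problems


if __name__ == "__main__":
    # constructed sample keys
    print(validate_profile("AES CBC 256", '"correct horse battery staple"'))   # []
    print(validate_profile("Suite B GMAC 128", "0123456789abcdef"))            # one problem
```

Every row of the page’s table already satisfies the ESP-not-stronger-than-IKE rule (the 128-bit suites pair aes128 with aes128, the 256-bit suites aes256 with aes256), which is why the device can enforce it without any administrator input; the check matters when a peer proposes a CHILD_SA that does not match the profile.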
A.10.17 Audit Event: Admin User Authentication
Audit log events are generated whenever an administrative user successfully or unsuccessfully attempts WEB interface access.
A.10.20 Audit Event: Failure of the TSF
Audit log messages are generated when any failure of the TSF is detected. For example, the following messages are generated as a result of RNG self-test failures:
• 7 May 11 10:01:07 2015 2 EVT_SELF_TEST, , Random Number Generator (openssl) selftest failed, , ,
• 30 May 11 10:01:08 2015 2 EVT_SELF_TEST, , The self-test failed, , ,
A.10.
• 8 Sep 11 14:13:13 2017 1 EVT_SELF_TEST, , Hashed Message Authentication Code (openssl) self-test passed, , ,
• 9 Sep 11 14:13:13 2017 1 EVT_SELF_TEST, , RSA Algorithm (openssl) self-test passed, , ,
• 10 Sep 11 14:13:13 2017 1 EVT_SELF_TEST, , Triple DES (openssl) self-test passed, , ,
• 11 Sep 11 14:13:13 2017 1 EVT_SELF_TEST, , TLS-KDF Key Distribution Function (openssl) selftest passed, , ,
• 12 Sep 11 14:13:13 2017 1 EVT_SELF
A.10.23 Audit Event: Successful or Failed System Updates
An audit log message is generated on initiation of a system software update. For example, the following messages are generated as a result of a successful firmware update:
• 77 Sep 12 15:10:49 2017 1 EVT_SOFTWARE_UPDATE, CryptoOfficer, System software update initiated, 192.168.15.
• 32 Mar 18 15:07:09 2015 1 EVT_ADMIN_USER_AUTH, CryptoOfficer, Login session timed out., , ,
A.10.27 Audit Event: Termination of an Interactive Session
Audit log messages are generated whenever an authenticated administrator logs off the device. For example, the following message is generated as a result of a log off:
• 37 Mar 18 15:08:00 2015 1 EVT_ADMIN_USER_AUTH, CryptoOfficer, httpd - User CryptoOfficer from 192.168.205.
• 143 May 11 15:29:34 2015 2 EVT_MANAGEMENT_CONNECTION, , Failed to initiate a TCP connection to the audit server, , 192.168.205.9:8889,
A.10.32 Audit Event: Trust Channel Connection Re-establishment
No recovery is needed, as the TOE will automatically attempt to establish a new connection. A.10.
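The audit messages quoted throughout A.10 share one layout: index, timestamp, a numeric level, the EVT_ event type, then comma-separated user, message and two trailing fields. The following added example (not 3eTI code) parses that layout and runs two checks a collector should apply to the forwarded stream: a level-2 event summary, and an index-sequence check built on the Table 27 semantics (index starts at 1 on reboot, wraps after 99999), which turns a missing record or an unexpected reboot into a finding. Assumptions: Table 27 is cut off on the page, so the names of the last two fields are not given; the samples show them carrying a source address and a remote endpoint, and they are named that way here. The level is called “level” because the page does not name it; in the samples, failures carry 2 and successes 1. The sample log is constructed from the page’s own messages with adjusted indexes and timestamps.

```python
"""Added example (not 3eTI code): parser and two checks for the audit event
messages shown in Appendix A.10.

Assumptions: trailing field names ('source', 'endpoint') and the meaning of
the numeric 'level' are inferred from the samples, not stated on the page.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INDEX_MAX = 99999                      # Table 27: wraps back to 1 after 99999

_HEAD = re.compile(
    r"^(\d+)\s+(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})\s+(\d)\s+"
    r"(EVT_[A-Z0-9_]+),(.*)$")


@dataclass
class AuditRecord:
    index: int
    timestamp: str
    level: int
    event: str
    user: str
    message: str
    source: str      # assumed name for the first trailing field
    endpoint: str    # assumed name for the last trailing field


def parse_audit_line(line: str) -> Optional[AuditRecord]:
    """Parse one message; None if the line is not in the A.10 layout.

    The user is the first comma field and the two trailing fields are the
    last two, so a message that itself contains commas is kept intact.
    """
    m = _HEAD.match(line.strip())
    if not m:
        return None
    rest = m.group(5)
    if rest.endswith(","):
        rest = rest[:-1]               # every sample ends with a trailing comma
    fields = rest.split(",")
    if len(fields) < 4:
        return None
    return AuditRecord(
        index=int(m.group(1)), timestamp=m.group(2), level=int(m.group(3)),
        event=m.group(4), user=fields[0].strip(),
        message=",".join(fields[1:-2]).strip(),
        source=fields[-2].strip(), endpoint=fields[-1].strip())


def parse_audit_log(text: str) -> List[AuditRecord]:
    records = []
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec is not None:
            records.append(rec)
    return records


def index_gaps(records: List[AuditRecord]) -> Tuple[List[Tuple[int, int]], int]:
    """Return (gaps, reboots): gaps are (previous, current) index pairs that
    are not consecutive, with 99999 -> 1 treated as a normal wrap and any
    other drop to 1 counted as a reboot rather than a gap."""
    gaps, reboots, prev = [], 0, None
    for r in records:
        if prev is not None:
            expected = 1 if prev == INDEX_MAX else prev + 1
            if r.index == 1 and prev != INDEX_MAX:
                reboots += 1
            elif r.index != expected:
                gaps.append((prev, r.index))
        prev = r.index
    return gaps, reboots


def failures_by_event(records: List[AuditRecord]) -> Dict[str, int]:
    """Count level-2 records (the level the page's failure samples carry)."""
    return dict(Counter(r.event for r in records if r.level == 2))


# Constructed sample, assembled from messages quoted in A.10 with the
# indexes and timestamps changed so the sequence has one gap and one reboot.
SAMPLE_LOG = """\
5 May 11 10:01:06 2015 1 EVT_SELF_TEST, , RSA Algorithm (openssl) self-test passed, , ,
6 May 11 10:01:07 2015 1 EVT_SELF_TEST, , Hashed Message Authentication Code (openssl) self-test passed, , ,
7 May 11 10:01:07 2015 2 EVT_SELF_TEST, , Random Number Generator (openssl) selftest failed, , ,
30 May 11 10:01:08 2015 2 EVT_SELF_TEST, , The self-test failed, , ,
143 May 11 15:29:34 2015 2 EVT_MANAGEMENT_CONNECTION, , Failed to initiate a TCP connection to the audit server, , 192.168.205.9:8889,
1 May 11 15:31:02 2015 1 EVT_ADMIN_USER_AUTH, CryptoOfficer, Login session timed out., , ,
"""
```

Because A.10.32 says the device re-establishes the audit channel on its own and stores records locally in the meantime, the index check is what tells a collector whether anything was lost while the channel was down: records arriving with consecutive indexes after an EVT_MANAGEMENT_CONNECTION failure mean the backlog was delivered, a jump means it was not.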
Process Name – Process Description
syslogd – The Linux system logging daemon
klogd – The kernel log daemon
configDaemon – The system configuration daemon
rtocd – The Radio Transfer Off Control (rtoc) daemon for scheduling and maintaining radio silence
syscmdd – The system command scheduler daemon
miscHWD – The miscellaneous hardware daemon that controls hardware buttons and LED displays
self-testd – The daemon for performing on-demand or per
Appendix B. Term Reference Guide B.
ICMP – Internet Control Message Protocol
ID – Identifier
IE – Information Element
IEEE – Institute of Electrical and Electronics Engineers
IP – Internet Protocol
ISP – Internet Service Provider
LAN – Local Area Network
LED – Light Em
SSL – Secure Socket Layer
STA – Station
STP – Spanning Tree Protocol
TCP – Transmission Control Protocol
TLS – Transport Layer Security
TU – Time Unit
Tx – Transmission
addressing simplifies network administration because the software keeps track of IP addresses rather than requiring an administrator to manage the task. This means that a new computer can be added to a network without the hassle of manually assigning it a unique IP address. Many Internet Service Providers (ISPs) use dynamic IP addressing for dial-up users.
Appendix C: Serial I/O Interface Board WiFiProtect User’s Guide 3e-520 Series

Appendix C. Serial I/O Interface Board

The Serial I/O Interface Board cable connects to the SERIAL – I/O connector on the 3e-523N, as shown in Figure 107. The Serial I/O Termination connector provides secure termination for the serial I/O, LED status, and power connections described in Table 29.
Table 29: Serial I/O Termination Terminal Block

Label     Connection Description
LED D     Active low LED driver (see note 3)
LED E     Active low LED driver (see note 3)
LED F     Active low LED driver (see note 3)
+3.3V     LED driver voltage source (ties to the LED anode terminal)
SMB CK    SM Bus clock signal
SMB DT    SM Bus data
GND       Circuit ground
PWR       Alternate power return (limited to 2 A max)
PWR +     Alternate power source (limited to 2 A max)

Notes: 1.
Table 30: Serial I/O Configuration DIP Switch

Switch   Name
1        “ON” connects the input power rail to source both the “OUT 1 +” and “IN 1 +” terminals
2        “ON” connects the input power rail to source the “IN 0 +” terminal
3        “ON” connects the input power rail to source the “OUT 0 +” terminal
4        Set RS-485 slew rate to “low” (the default, OFF position, is high slew rate)
5        Terminate the RS-485 RX pair with a 120-ohm load
6        Set to half-duplex RS-485 mode (must
Appendix E: 3e-523E-900 Specific Operation WiFiProtect User’s Guide 3e-520 Series

Appendix D. 3e-523E-900 Specific Operation

D.1 3e-523E-900 Overview

The 3e-523E-900 transmits WiFi protocols over the 900 MHz ISM band instead of the 2.4 GHz or 5 GHz bands, at up to 1 W of RF power. Channel selection is limited to four channels distributed across 902 to 928 MHz.
Appendix E. Technical Support

E.1 Manufacturer’s Statement

The 3e-523N and 3e-525N are provided with a warranty. The user is neither expected nor intended to open the device. If a malfunction is experienced and all external causes have been eliminated, the user should return the unit to the manufacturer and replace it with a functioning unit.
