WIXLIB

Secure ConfigurationConfigure EAP-FASTEAP-FAST is an Extensible Authentication protocol and can be used as an authentication methodbetween the Controller and the wireless client. When a RADIUS server is used to authenticate clients,no extra EAP-FAST configuration is required.The following CLI command is used by the crypto officer to enter a new EAP-FAST server key, wherehex-key can be up to 32 hex digits or 16 bytes. config local-auth method fast server-key hex-keyRefer to the Cisco Wireless LAN Controller Configuration Guide for instructions on configuring LocalEAP server with EAP-FAST as the authentication method for the wireless clients.Configure EAP-TLSEAP-TLS is an Extensible Authentication protocol and can be used as an authentication method betweenthe Controller and the wireless client. It requires configuration based on certificates issued from a PKI.Refer to the Cisco EAP-TLS Deployment Guide for Wireless LAN Networks configuration instructions touse EAP-TLS as the authentication method for the wireless clients.Click this URL for an example 2/tk809/technologies configuration example09186a0080851b42.shtmlConfigure Data DTLS (optional)The crypto officer may configure the module to use CAPWAP data encryption. CAPWAP data packetsencapsulate forwarded wireless frames. Configuring the module to use CAPWAP data encryption isoptional.The following CLI commands enable DTLS data encryption for access points on the controller:Step 1To enable or disable data encryption for all access points or a specific access point, enter this command: config ap link-encryption {enable disable} {all Cisco AP}Step 2When prompted to confirm that you want to disconnect the access point(s) and attached client(s), enter YStep 3To save your changes, enter this command: save configRefer to the Cisco Wireless LAN Controller Configuration Guide for additional instructions.FIPS 140-2 Security Policy for Cisco 5508 Wireless LAN Controllers8OL-9658-09

Roles, Services, and AuthenticationConfigure Data DTLS with Office Extend Access Points (optional)The crypto officer may configure the module to use CAPWAP data encryption with Office ExtendAccess Points (AP models 1131, 1142, and 3502i). CAPWAP data encryption with Office Extend APssecures communications from a controller to a remote access points using CAPWAP data encryption.The following CLI commands enable CAPWAP data encryption with Office Extend APs:Step 1To enable hybrid-REAP on the access point, enter this command: config ap mode h-reap Cisco APStep 2To configure one or more controllers for the access point, enter one or all of these commands: config ap primary-base controller name Cisco AP controller ip address config ap secondary-base controller name Cisco AP controller ip address config ap tertiary-base controller name Cisco AP controller ip addressStep 3To enable the OfficeExtend mode for this access point, enter this command: config hreap office-extend {enable disable} Cisco APStep 4To save your changes, enter this command: save configRefer to the Cisco Wireless LAN Controller Configuration Guide for additional instructions.Save and RebootAfter executing the above commands, you must save the configuration and reboot the system: save config reset systemRoles, Services, and AuthenticationThis section describes the roles, services, and authentication types in the security policy.RolesThe module supports these four roles: AP Role—This role is filled by an access point associated with the controller. Client Role—This role is filled by a wireless client associated with the controller. User Role—This role performs general security services including cryptographic operations andother approved security functions. The product documentation refers to this role as a managementuser with read-only privileges.FIPS 140-2 Security Policy for Cisco 5508 Wireless LAN ControllersOL-9658-099

Roles, Services, and Authentication Crypto Officer (CO) Role—This role performs the cryptographic initialization and managementoperations. In particular, it performs the loading of optional certificates and key-pairs and thezeroization of the module. The product documentation refers to this role as a management user withread-write privileges.The module does not support a maintenance role.ServicesThe services provided are summarized in Table 1.Table 1Module ServicesServiceRolePurposeSelf Test andInitializationCOCryptographic algorithm tests, firmwareintegrity tests, module initialization.System StatusUser or COThe LEDs show the network activity andoverall operational status and the commandline status commands output system status.Key ManagementCOKey and parameter entry, key output, keyzeroization.Module ConfigurationCOSelection of non-cryptographic configurationsettings.SNMPv3CONon security related monitoring by the COusing SNMPv3.TACACS User or COUser & CO authentication to the module usingTACACS .IPSecUser or COSecure communications between controllerand RADIUSCAPWAPAPEstablishment and subsequent data transfer ofa CAPWAP session for use between themodule and an access point.1MFPAPGeneration and subsequent distribution ofMFP key to the AP over a CAPWAP session.TLSCOEstablishment and subsequent data transfer ofa TLS session for use between the module andthe CO.Local EAP Authenticator ClientEstablishment of EAP-TLS or EAP-FASTbased authentication between the client andthe Controller.802.11iAPEstablishment and subsequent data transfer ofan 802.11i session for use between the clientand the access point.RADIUS KeyWrapAnyEstablishment and subsequent receive 802.11iPMK from the RADIUS server.FIPS 140-2 Security Policy for Cisco 5508 Wireless LAN Controllers10OL-9658-09

Roles, Services, and AuthenticationTable 1Module Services (continued)ServiceRolePurposeDTLS data encryptCOEnabling optional DTLS data path encryptionfor Office Extend APs.2TLS for syslog messages COEstablishment of TLS tunnel for theprotection of syslog messages.1. CAPWAP uses RSA Key wrapping which provides 96 bits of effective key strength.2. For further DTLS data configuration information, see the Cisco Wireless LAN Controller Configuration Guide.The module does not support a bypass capability in the approved mode of operations.These services are not FIPS compliant: TACACS SNMPv3 SSH TelnetUser and CO AuthenticationWhen a user first connects to the module via console port, the module prompts the user to enter ausername and password. The user is authenticated based on the password provided. Once the user hasbeen authenticated, the module provides services to that user based on whether they have read-onlyprivileges (the user role) or read-write privileges (the CO role). The "*" characters are used to mask userpassword when the users authenticate. If the incorrect password is entered, the module will re-promptthe user to login again. After the module power cycles, a user must reauthenticate.The module supports password based local authentication for access via the CLI or HTTPS, as well asremote authentication using RADIUS and TACACS . The module also supports remote access viaSNMPv3. All SNMP traffic to and from the module is considered unprotected. RADIUS, TACACS andSNMPv3 may be used in the FIPS mode.The security policy stipulates that all user passwords must be 8 alphanumeric characters, so the passwordspace is 2.8 trillion possible passwords. The possibility of randomly guessing a password is thus far lessthan one in one million. To exceed a one in 100,000 probability of a successful random password guessin one minute, an attacker would have to be capable of 28 million password attempts per minute, whichfar exceeds the operational capabilities of the module to support.AP AuthenticationThe module performs mutual authentication with an access point through the CAPWAP protocol, usingan RSA key pair with 1536 bit modulus, which has an equivalent symmetric key strength of 96 bits. Anattacker would have a 1 in 296 chance of randomly obtaining the key, which is much stronger than theone in a million chance required by FIPS 140-2. To exceed a one in 100,000 probability of a successfulrandom key guess in one minute, an attacker would have to be capable of approximately 7.9x10 23attempts per minute, which far exceeds the operational capabilities of the module to support.FIPS 140-2 Security Policy for Cisco 5508 Wireless LAN ControllersOL-9658-0911

Cryptographic Key ManagementClient AuthenticationThe module performs mutual authentication with a wireless client through EAP-TLS or EAP-FASTprotocols. EAP-FAST is based on EAP-TLS and uses EAP-TLS key pair and certificates. The RSA keypair for the EAP-TLS credentials has modulus size of 1024 bit to 2048 bit, thus providing between 80bits and 112 bits of strength. Assuming the low end of that range, an attacker would have a 1 in 280 chanceof randomly obtaining the key, which is much stronger than the one in a million chance required by FIPS140-2. To exceed a one in 100,000 probability of a successful random key guess in one minute, anattacker would have to be capable of approximately 1.8 x 10 21 attempts per minute, which far exceedsthe operational capabilities of the modules to support.Ports and InterfacesThe module has the following physical ports and interfaces:– 8 1000BaseT, 1000Base-SX and 1000Base-LH transceiver slots (data input, data output, statusoutput, control input)– LED indicators (status output)– Console Port: RS232 (DB-9 male/RJ-45), mini-USB (control input, status output)– Power Supply 1, Power Supply 2 (power input)– Service Port: 10/100/1000 Mbps Ethernet (RJ45), not used in FIPS mode.– Utility Port: 10/100/1000 Mbps Ethernet (RJ45), not used in FIPS mode.Cryptographic Key ManagementCryptographic keys are stored in plaintext form, in flash for long-term storage and in SDRAM for activekeys. The AES key wrap KEK, AES key wrap MAC keys, and the Pre shared key (PSK) are input by theCO in plaintext over a local console connection. The PMK and NSK are input from the RADIUS serverencrypted with the AES key wrap protocol or via IPSec. RSA public keys are output in plaintext in theform of X.509 certificates. The CAPWAP session key is output wrapped with the AP's RSA key, and theMFP MIC key and 802.11i PTK, 802.11i GTK are output encrypted with the CAPWAP session key. PACkey is output wrapped with the Client's RSA key. Asymmetric key establishment (RSA key transport) isused in the creation of session keys during EAP-TLS and EAP-FAST. Any keys not explicitly mentionedare not input or output.Table 2 lists the secret and private cryptographic keys and CSPs used by the module. Table 3 lists thepublic keys used by the module. Table 4 lists the access to the keys by service.Table 2Secret and Private Cryptographic Keys and CSPsNameAlgorithmStorageDescriptionPRNG seed keyFIPS 186-2FlashThis is the seed key for the PRNG. It isstatically stored in the code.PRNG seedFIPS 186-2SDRAMThis is the seed for the PRNG. It isgenerated using an un-approved RNGbased on the controller's /dev/urandomdevice.FIPS 140-2 Security Policy for Cisco 5508 Wireless LAN Controllers12OL-9658-09

Cryptographic Key ManagementTable 2Secret and Private Cryptographic Keys and CSPs (continued)NameAlgorithmStorageDescriptionDTLS Pre-MasterSecretShared secretSDRAMShared secret generated by approved RNGfor generating the DTLS encryption key.DTLS EncryptionKey (CAPWAPSession Key)AES-CBCSDRAMSession key used to encrypt and decryptCAPWAP control messages.DTLS Integrity KeyHMAC- SHA-1 SDRAMSession key used for integrity checks onCAPWAP control messages.AAA Shared SecretTDESFlashUsed to derive IPSec encryption keys andIPSec HMAC keys.RADIUSOverIPSecEncryptionKeyTDESSDRAMTDES encryption/decryption key, used inIPSec tunnel between module andRADIUS to encrypt/decrypt EAP /authentication key, used in IPSectunnel between module and RADIUS.User PasswordShared secretFlashIdentity-based authentication data for auser.SNMPv3 PasswordShared secretFlashThis secret is used to derive HMAC-SHA1key for SNMPv3 authentication.TACACS authentication secretShared secretFlashThis TACACS shared secret is used toobfuscate the Crypto-Officer'sauthentication requests and responsesbetween the module and the TACACS server. Entered by the Crypto-Officer inplaintext form and stored in plaintextform. Note that encryption algorithm isnot FIPS compliant and the Crypto-Officermust ensure a strong user password.TACACS authorization secretShared secretFlashThis TACACS shared secret is used toobfuscate the Crypto-Officers' operation'sauthorization requests and responsesbetween the module and the TACACS server. Entered by the Crypto-Officer inplaintext form and stored in plaintextform. Note that encryption algorithm isnot FIPS compliant.TACACS accounting secretShared secretFlashThis TACACS shared secret is used toobfuscate accounting requests andresponses between the module and theTACACS server. Entered by theCrypto-Officer in plaintext form andstored in plaintext form. Note thatencryption algorithm is not FIPScompliant.bsnOldDefaultIdCertRSAFlash1536-bit RSA private key used toauthenticate to the access point, generatedduring the manufacturing process.FIPS 140-2 Security Policy for Cisco 5508 Wireless LAN ControllersOL-9658-0913

Cryptographic Key ManagementTable 2Secret and Private Cryptographic Keys and CSPs ltIdCertRSAFlash1536-bit RSA private key, not used inFIPS mode.bsnSslWebadminCert RSAFlash1536-bit RSA private key used forHTTPS-TLS, generated during themanufacturing process.bsnSslWebauthCertRSAFlash1024-bit RSA private key, not used inFIPS mode.VendorDeviceCertRSAFlashCertificate to authenticate controller toEAP clients during EAP authentication. Itmay be used in EAP-TLS or EAP-FASTauthentication method.HTTPS TLSPre-Master SecretShared secretSDRAMShared secret created using asymmetriccryptography from which new HTTPSsession keys can be created.HTTPS TLSEncryption KeyAES-CBCSDRAMAES key used to encrypt HTTPS data.HTTPS TLS Integrity HMAC- SHA-1 SDRAMKeyHMAC-SHA-1 key used for HTTPSintegrity protection.Infrastructure MFPMIC KeyAES-CMACFlashThis 128-bit AES key is generated in thecontroller using FIPS 186-2 approvedRNG. This key is sent to the AP encryptedwith the DTLS encryption key. This key isused by the AP to sign managementframes when infrastructure MFP isenabled.Pre-Shared Key(PSK)AES-CCMFlashThe 802.11i pre shared key (PSK). Thiskey is optionally used as a PMK.802.11i PairwiseMaster Key (PMK)Shared secretSDRAMThe PMK is a secret shared between an802.11 supplicant and authenticator, and isused to establish the other 802.11i keys.802.11i KeyConfirmation Key(KCK)HMAC- SHA-1 SDRAMThe KCK is used by IEEE 802.11i toprovide data origin authenticity in the4-Way Handshake and Group KeyHandshake messages.802.11i KeyEncryption Key(KEK)AES-KeyWrapSDRAMThe KEK is used by the EAPOL-Keyframes to provide confidentiality in the4-Way Handshake and Group KeyHandshake messages.802.11i PairwiseTransient Key (PTK)AES-CCMSDRAMThe PTK, also known as the CCMP key, isthe 802.11i session key for unicastcommunications.802.11i GroupAES-CCMTemporal Key (GTK)SDRAMThe GTK is the 802.11i session key forbroadcast communications.FIPS 140-2 Security Policy for Cisco 5508 Wireless LAN Controllers14OL-9658-09

Cryptographic Key ManagementTable 2Secret and Private Cryptographic Keys and CSPs (continued)NameAlgorithmStorageDescriptionRADIUS AESKeyWrap KEKAES-KeyWrapFlashThe key encrypting key used by the AESKey Wrap algorithm to protect the PMKfor the 802.11i protocol.RADIUS AESKeyWrap MACKAES-KeyWrapFlashThe MAC key used by the AES Key Wrapalgorithm to authenticate RADIUSconversation.EAP-TLS Pre-Master Shared secretSecretSDRAMShared secret created using asymmetriccryptography from which new EAP-TLSsession keys can be created.EAP-TLS Encryption AES-CBCKeySDRAMAES key used to encrypt EAP-TLSsession data.EAP-TLS IntegrityKeyHMAC- SHA-1 SDRAMHMAC-SHA-1 key used for EAP-TLSintegrity protection.EAP-TLS PeerEncryption KeyShared secretSDRAMThis 32-byte key is master session key ofthe EAP-TLS authentication algorithm. Itis the PMK for 802.11i.EAP-FAST ServerKeyAES-CCMFlashEAP-FAST server master key to generateclient protected access credential (PAC).EAP-FAST PAC-KeyShared secretSDRAMShared secret between the local EAPauthenticator and the wireless client. ForEAP-FAST authentication. It is created byPRNG and is used to derive EAP-FASTtunnel master secret.EAP-FAST tunnelmaster secretShared SecretSDRAMThis is the master secret for EAP-FAST. Itis used to derive EAP-FAST Encryptionkey, EAP-FAST Integrity key, EAP-FASTSession Key Seed.EAP-FASTEncryption KeyAES-CBCSDRAMEncryption Key for EAP-FAST tunnel.EAP-FAST IntegrityKeyHMAC-SHA-1SDRAMIntegrity Key for EAP-FAST tunnel.EAP-FASTSession-Key SeedShared SecretSDRAMThis secret is used to derive theEAP-FAST master session key by mixingwith the EAP-FAST Inner Method SessionKey.EAP-FAST InnerMethod Session KeyShared SecretSDRAMThis 32-byte key is the session keygenerated by the EAP handshake insidethe EAP-FAST tunnel.EAP-FAST MasterSession KeyShared SecretSDRAMThis 64-byte key is the session keygenerated by the EAP-FASTauthentication method. It is then used asPMK for 802.11i.TLS Pre-MasterSecretShared secretSDRAMShared secret used to generate new TLSsession keys for syslog.FIPS 140-2 Security Policy for Cisco 5508 Wireless LAN ControllersOL-9658-0915

Cryptographic Key ManagementTable 2Secret and Private Cryptographic Keys and CSPs (continued)NameAlgorithmStorageDescriptionTLS Encryption KeyAES-CBC keySDRAMSymmetric AES key for encrypting syslogmessages over TLS.TLS Integrity KeyHMAC-SHA-1keySDRAMUsed for TLS integrity protection ofsyslog messages.Table 3Public KeysNameAlgorithmStorageDescription and ZeroizationbsnOldDefaultCaCertRSAFlashVerification certificate, used forCAPWAP ation certificate, used tovalidate the controller'sfirmware image.bsnDefaultCaCertRSAFlashVerification certificate, used forCAPWAP tion certificate, used tovalidate the controller'sfirmware image.cscoDefaultNewRootCaCert RSAFlashVerification certificate, usedwith CAPWAP to validate thecertificate that authenticates theaccess point.cscoDefaultMfgCaCertRSAFlashVerification certificate, usedwith CAPWAP to authenticatethe acce

The Cisco 5508 Wireless LAN Controller (herein referred to as the module) is designed for maximum 802.11n performance and offers scalability for medium to large-scale enterprise and Government wireless deployments. The module supports Control and Provisioning of Wireless Access Points (CAPWAP) and Wi-Fi Protected Access 2 (WPA2) security. CAPWAP uses DTLS to provide a secure link over which .