NIAP: View Technical Decision Details
Archived TD0470:  Wireless Network Restrictions

Publication Date
2020.01.22

Protection Profiles
PP_WLAN_CLI_EP_V1.0

Other References
FMT_SMF_EXT.1.1/WLAN; FTA_WSE_EXT.1.1

Issue Description
  1. There is an unmatched bracket in FMT_SMF_EXT.1.1/WLAN
  2. Clarity of intent is needed for FTA_WSE_EXT.1.1; as written, it implies there must be some ability for an administrator to restrict APs which is identified as an (optional) function of the referenced requirement FMT_SMF_EXT.1/WLAN.1.  Also, FMT_SMF_EXT.1/WLAN.1 specifically identifies SSIDs for restrictions while the FTA_WSE_EXT.1.1 application note mentions SSID as well as MAC, certificates, etc.

Resolution

FMT_SMF_EXT.1.1/WLAN

FMT_SMF_EXT.1.1/WLAN is modified as follows, with strikethroughs indicating deletions:

FMT_SMF_EXT.1.1/WLAN The TSF shall be capable of performing the following management functions: [

  • configure security policy for each wireless network:
    • [selection: specify the CA(s) from which the TSF will accept WLAN authentication server certificate(s), specify the FQDN(s) of acceptable WLAN authentication server certificate(s)]
    • security type
    • authentication protocol
    • client credentials to be used for authentication;
  • (optional) specify wireless networks (SSIDs) to which the TSF may connect;
  • (optional) enable/disable certificate revocation list checking;
  • (optional) disable ad hoc wireless client-to-client connection capability;
  • (optional) disable wireless network bridging capability (for example, bridging a connection between the WLAN and cellular radios on a smartphone so it can function as a hotspot);
  • (optional) disable roaming capability;
  • (optional) enable/disable IEEE 802.1X pre-authentication;
  • (optional) enable/disable and configure PMK caching:
    • set the amount of time (in minutes) for which PMK entries are cached;
    • set the maximum number of PMK entries that can be cached.

Application Note: For installation, the WLAN Client relies on the underlying platform to authenticate the administrator to the client machine on which the TOE is installed.

For the function configure the cryptoperiod for the established session keys, the unit of measure for configuring the cryptoperiod shall be no greater than an hour. For example: units of measure in seconds, minutes and hours are acceptable and units of measure in days or greater are not acceptable.

Items marked as optional are equivalent to ‘OO’ in the OS PP and ‘OOOO’ in MDF PP.

FTA_WSE_EXT.1

FTA_WSE_EXT.1.1 is modified as follows, with underlines indicating additions and strikethroughs indicating deletions:

FTA_WSE_EXT.1.1 The TSF shall be able to attempt connections only to wireless networks specified as acceptable networks as configured by the administrator in FMT_SMF_EXT.1.1/WLAN.

Application Note: The intent of this requirement is to allow the administrator to limit the ~~access points~~ _wireless networks_ to which the TOE is allowed to connect. The assignment is used by the ST author to specify the attributes (e.g., MAC Address, SSID, certificates, etc.) that can be used by the administrator to specify the acceptable access points.

Assurance Activity

TSS

The evaluator shall examine the TSS to determine that ~~all of the attributes that can be used to~~ _it defines SSIDs as the attribute to_ specify acceptable networks (access points) ~~are specifically defined~~.

AGD

The evaluator shall examine the operational guidance to determine that it contains guidance for configuring ~~each of the attributes identified in the TSS~~ _the list of SSID that the WLAN Client is able to connect to_.

Test

The evaluator shall also perform the following test for each attribute:

  • Test 1: The evaluator configures the TOE to allow a connection to a wireless network with a specific ~~access point~~ _SSID_. The evaluator also configures the test environment such that the allowed ~~access point~~ _SSID_ and an ~~access point~~ _SSID_ that is not allowed are both “visible” to the TOE. The evaluator shall demonstrate that they can successfully establish a session with the allowed ~~access point~~ _SSID_. The evaluator will then attempt to establish a session with the disallowed ~~access point~~ _SSID_, and observe that the access attempt fails.
  • Test 2: The evaluator configures the TOE to allow a connection with a specific access point using EAP-TLS authentication (not only will the valid SSID be configured but the TOE will also be provided with certificates to complete the EAP-TLS authentication). The evaluator also configures the test environment such that an access point broadcasts the SSID the TOE has been configured to connect to but the authentication server does not have valid credentials. The evaluator will then attempt to establish a session with the valid SSID/invalid authentication server, and observe that the access attempt fails.

Justification

The intent of FTA_WSE_EXT.1 is to provide management control to limit, via SSIDs, the networks that the TOE can connect to.
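
How the management functions and the two tests above map onto one concrete client, as an added example that is not part of the Technical Decision or the Protection Profile: it assumes wpa_supplicant as the WLAN client, and the SSID, identity, host name and file paths are constructed placeholders.

```conf
# /etc/wpa_supplicant/wpa_supplicant.conf (constructed example)

# Runtime changes made over the control interface are not written back here.
update_config=0

# PMK cache lifetime. wpa_supplicant takes seconds; 3600 s = 60 minutes.
dot11RSNAConfigPMKLifetime=3600

# wpa_supplicant only attempts networks that have a network block, so this
# single block is the list of acceptable SSIDs. In Test 1 a second, visible
# SSID with no block is never selected for association.
network={
    ssid="CorpWLAN-Example"
    mode=0                      # infrastructure only, no ad hoc (IBSS)

    # Security type and authentication protocol
    proto=RSN
    key_mgmt=WPA-EAP
    eap=TLS

    # Client credentials used for authentication
    identity="client01@example.test"
    client_cert="/etc/wlan/client01.pem"
    private_key="/etc/wlan/client01.key"

    # Acceptable authentication server: issuing CA and server FQDN.
    # In Test 2 an access point can broadcast the same SSID, but a server
    # certificate that does not chain to ca_cert or does not match
    # domain_match fails EAP-TLS and no session is established.
    ca_cert="/etc/wlan/example-ca.pem"
    domain_match="radius.example.test"

    # Opportunistic PMK caching disabled for this network
    proactive_key_caching=0
}
```

Omitting both `ca_cert` and `domain_match` leaves the server certificate unchecked, which is the condition Test 2 is designed to catch.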

 
 