NIAP: View Technical Decision Details
NIAP/CCEVS
TD0610:  Handling of non-allowlisted EUD

Publication Date
2022.01.04

Protection Profiles
MOD_WIDS_V1.0

Other References
FAU_SAA.1

Issue Description

The WIDS PP-Module requires that a product implement an allowlist for detecting both APs and end user devices (EUDs). The TOE implements the allowlist for EUDs via an access list. This access list causes the TOE to block an unauthorized EUD (one not in the access list) from joining any of the allowlisted APs. This means that in addition to detection, the TOE is performing prevention of unauthorized EUDs.

Test 22.1 of FAU_SAA.1 requires a non-allowlisted EUD to first be joined to an allowlisted AP before traffic is generated. Because the TOE implements prevention of non-allowlisted EUDs, this is a connection state that the TOE does not allow.

Resolution

Test 22.1 of FAU_SAA.1 in the Supporting Document for WIDS PP-Module 1.0 is modified as follows. In the original TD, strikethroughs denote deletions and underlines denote additions; in this plain-text rendering they are shown as [deleted: ...] and [added: ...]:

Step 1: Deploy an allowlisted AP with no encryption.

Step 2: Connect an allowlisted EUD to the AP and generate traffic.

Step 3: Verify that the TOE detects unencrypted data frames being sent between the allowlisted AP and EUD.

Step 4: [added: Attempt to c][deleted: C]onnect a non-allowlisted EUD to the AP and generate traffic.

Step 5: [added: If the connection attempt succeeds, generate traffic from the non-allowlisted EUD and v][deleted: V]erify that the TSF detects unencrypted data frames being sent between the allowlisted AP and non-allowlisted EUD.
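The modified test has two possible outcomes at Step 4: either the TOE refuses the non-allowlisted EUD (prevention, so Step 5 is not reached) or the EUD joins and the TSF must then detect its unencrypted data frames. The following is an added illustration of that branching, not text from the TD, the Supporting Document, or any TOE's implementation; the frame model, the MAC addresses, and the function names are constructed for the example.

```python
"""Constructed walk-through of WIDS Test 22.1 (FAU_SAA.1) as modified by TD0610.

Added example; not NIAP's text and not any TOE's code. Addresses are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    bssid: str       # address of the AP
    station: str     # address of the EUD
    kind: str        # "data" is the only kind the test cares about
    protected: bool  # 802.11 Protected Frame bit (False = unencrypted)


# Constructed allowlists standing in for the TOE's configured AP/EUD allowlists.
ALLOWLISTED_APS = {"00:11:22:33:44:55"}
ALLOWLISTED_EUDS = {"aa:bb:cc:dd:ee:01"}
UNLISTED_EUD = "aa:bb:cc:dd:ee:99"  # constructed non-allowlisted EUD


def detect_unencrypted_data(frames, allowed_aps, allowed_euds):
    """Detection half of the test: report every unencrypted data frame that
    involves an allowlisted AP, labelling the EUD side so Step 3 and Step 5
    can be distinguished. Returns a list of (bssid, station, eud_status)."""
    alerts = []
    for f in frames:
        if f.kind == "data" and not f.protected and f.bssid in allowed_aps:
            status = "allowlisted" if f.station in allowed_euds else "non-allowlisted"
            alerts.append((f.bssid, f.station, status))
    return alerts


def association_allowed(station, allowed_euds, enforce_access_list):
    """Prevention half: a TOE that enforces its EUD allowlist as an access list
    refuses association for any EUD not on it (the behaviour the TD describes).
    A detection-only TOE lets the EUD join."""
    return (not enforce_access_list) or station in allowed_euds


def run_test_22_1(allowed_aps, allowed_euds, enforce_access_list=True):
    """Evaluate the modified Steps 2-5 and return the per-step outcome."""
    ap = next(iter(allowed_aps))
    allowed_eud = next(iter(allowed_euds))
    results = {}

    # Steps 2-3: allowlisted EUD joins the unencrypted AP and sends traffic;
    # the TSF must flag the unencrypted data frames.
    frames = [Frame(ap, allowed_eud, "data", protected=False)]
    results["step3_detected"] = bool(detect_unencrypted_data(frames, allowed_aps, allowed_euds))

    # Step 4: *attempt* to connect a non-allowlisted EUD.
    joined = association_allowed(UNLISTED_EUD, allowed_euds, enforce_access_list)
    results["step4_joined"] = joined

    # Step 5: only applicable if the connection attempt succeeded.
    if joined:
        frames = [Frame(ap, UNLISTED_EUD, "data", protected=False)]
        alerts = detect_unencrypted_data(frames, allowed_aps, allowed_euds)
        results["step5_detected"] = any(s == "non-allowlisted" for _, _, s in alerts)
        results["pass"] = results["step3_detected"] and results["step5_detected"]
    else:
        results["step5_detected"] = None  # not reached: TOE prevented the join
        results["pass"] = results["step3_detected"]
    return results


if __name__ == "__main__":
    print("access-list TOE:", run_test_22_1(ALLOWLISTED_APS, ALLOWLISTED_EUDS, True))
    print("detection-only TOE:", run_test_22_1(ALLOWLISTED_APS, ALLOWLISTED_EUDS, False))
```

With `enforce_access_list=True` the non-allowlisted EUD never reaches the connected state, Step 5 is recorded as not applicable, and the test passes on the strength of Step 3 alone, which is exactly the outcome the TD makes acceptable; with it set to `False` the EUD joins and the TSF must produce the non-allowlisted alert for the test to pass.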


Justification

It is acceptable for a TOE to not permit a non-allowlisted EUD to connect to an AP (i.e., to disallow association and authentication).
