NIAP: View Technical Decision Details
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
TD0171:  Testing for RADIUS EAP responses and EAP-TLS protocols

Publication Date

Protection Profiles

Other References

Issue Description

The test activities for FCS_RADIUS_EXT.1 were not clear in terms of EAP Response and for FCS_EAP-TLS_EXT.1 the term 'protocol' within the test activity should be replaced with 'ciphersuite'.


FCS_RADIUS_EXT.1 test activities are modified as follows:

Test 1, Bullet 1:  The evaluator shall verify that the TOE returns either an access-reject or an access-reject with an encapsulated EAP-response with type NAK.

Test 1, Bullet 4: An access-request containing an encapsulated EAP-response message of type MD5-challenge. The evaluator shall verify that the TOE responds with an access-reject or access-challenge message of type Nak or expanded Nak.

Test 1, Bullet 5, sub-bullet 4: During an otherwise successful handshake, the evaluator shall send an access-request with encapsulated EAP-response with EAP-type set to anything but EAP-TLS, and verify that the TOE returns an access-challenge with encapsulated EAP-request of type EAP-TLS, indicating error-cause: invalid EAP type error (ignored), an access-reject message, or silently discard the request. The evaluator shall verify that subsequent handshake steps complete normally.

Test 1, Bullet 5, sub-bullet 5: During an otherwise successful handshake, the evaluator shall send five or less invalid EAP packets, and verify that the TOE returns an access-reject with encapsulated EAP-failure packet after receiving an invalid packet. If the number of packets are configurable, the evaluator must follow the instructions in the operational guidance to verify the ability to set this value to 5 or less.


FCS_EAP-TLS_EXT.1, Test 3 is modified as follows:

Test 3: The evaluator shall follow the administrative guidance to configure the list of ciphersuites to be proposed during EAP-TLS negotiations that is limited to only those specified by the first element of this component. The evaluator shall have the EAP-TLS client propose a set of ciphersuites and show that the TOE will only negotiate the configured ciphers and ignore any others when proposed by a client. If the initial list is not a subset of the total set of ciphersuites proposed by the client, the evaluator shall repeat the test specifying a proper subset of the ciphersuites used in the initial test.


Changes align with RFCs.

Site Map              Contact Us              Home