Compliant Product - Aruba ClearPass Policy Manager 6.9
Certificate Date: 2020.08.31CC Certificate Security Target Validation Report
Validation Report Number: CCEVS-VR-VID11074-2020
Product Type: Network Device
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.1
Extended Package for Authentication Servers Version 1.0
CC Testing Lab: Gossamer Security Solutions
The Aruba ClearPass Policy Manager platform provides role- and device-based network access control for employees, contractors and guests across any wired, wireless and VPN infrastructure. ClearPass implements RADIUS services, as well as profiling, onboarding, guest access, and health checks facilitating centralized management of network access policies.
ClearPass provides user and device authentication based on 802.1X, non-802.1X and web portal access methods. Multiple authentication protocols like PEAP, EAP-FAST, EAP-TLS, and EAP-TTLS can be used concurrently to strengthen security in any environment. Attributes from multiple identity stores such as Microsoft Active Directory, LDAP-compliant directory, ODBC-compliant SQL database, token servers and internal databases can be used within a single policy for fine-grained control.
Additional information about the supported network access control capabilities can be found in the ClearPass Policy Manager data sheet (http://www.arubanetworks.com/pdf/products/DS_ClearPass_PolicyManager.pdf); however, for the purpose of evaluation, ClearPass will be treated as a network infrastructure authentication server device offering authentication services, FIPS certified cryptographic functions, security auditing, secure administration, trusted updates, self-tests, and secure connections to other servers (e.g., to transmit audit records).
The evaluated configuration consists of the following appliance models running software version 6.9:
Security Evaluation Summary
The evaluation was carried out in accordance to the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, April 2017. The product, when delivered and configured as identified in the Common Criteria Configuration Guidance Aruba ClearPass Policy Manager, Version 4.1, August 2020 document, satisfies all of the security functional requirements stated in the Aruba ClearPass Policy Manager (NDcPP21/AUTHSRVEP10) Security Target, Version 1.1, 08/26/2020. The project underwent CCEVS Validator review. The evaluation was completed in August 2020. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The logical boundaries of the TOE are realized in the security functions that it implements. Each of these security functions is summarized below.
The TOE is designed to be able to generate logs for a wide range of security relevant events. The TOE can be configured to store the logs locally so they can be accessed by an administrator or alternately to send the logs to a designated syslog server.
The TOE implements the RADIUS protocol in order to service authentication requests from associated NAS devices. The TOE requires RADIUS encapsulated EAP Message Authenticators that conform to RFC 3579 and each Access-Request from a NAS must have the correct Message Authenticator so that the NAS can be determined to be authentic. In response, the TOE includes its own identifier, Response Authenticator (conforming to RFC 2865), and the response packet with the requested authentication results.
The TOE includes an Aruba Linux Cryptographic Module that provides key management, random bit generation, encryption/decryption, digital signature and secure hashing and key-hashing features in support of higher-level cryptographic protocols including IPsec, SSH, and TLS/HTTPS.
Identification and authentication:
The TOE offers no TSF-mediated functions except display of a login banner until the administrator is identified and authenticated. The TOE authenticates administrative users accessing the TOE via the command-line interface (local serial console or SSH) or web interface (Web UI) in the same manner using its own password-based authentication mechanism. The TOE also supports public-key based authentication of users through the SSH-based CLI interface and supports certificate authentication for the Web UI.
The TOE supports certificate authentication for TLS and IPsec and supports pre-shared key authentication for RADIUS and IPsec connections. The TOE uses X.509v3 certificates and validates received authentication certificates. CRL and OCSP are supported for X509v3 certificate validation.
The TOE provides Command Line (CLI) commands (locally via a serial console or remotely via SSH) and a Web-based Graphical User Interface (Web GUI) to access the available functions to manage the TOE security functions. Security management commands are limited to authorized users (i.e., administrators) only after they have been correctly identified and authenticated. The security management functions are controlled through the use of Admin Privileges that can be assigned to TOE users.
Protection of the TSF:
The TOE implements a number of features design to protect itself to ensure the reliability and integrity of its security features.
It protects sensitive data such as stored passwords and private cryptographic keys so that they are not accessible even by an administrator. It also provides its own timing mechanism to ensure that reliable time information is available (e.g., for audit records).
The TOE includes functions to perform self-tests so that it might detect when it is failing. It also includes mechanisms so that the TOE itself can be updated while ensuring that the updates will not introduce malicious or other unexpected changes in the TOE.
The TOE can be configured to display an informative banner when an administrator establishes an interactive session and subsequently will enforce an administrator-defined inactivity timeout value after which the inactive session (local or remote) will be terminated. The TOE can also reject authentication requests based on time of day, account status, location and role mapping.
The TOE protects interactive communication with administrators using a console and SSHv2 for CLI access and TLS/HTTPS for Web UI access. In each case, both the integrity and disclosure protection is ensured via the secure protocol. If the negotiation of a secure session fails or if the user cannot be authenticated for remote administration, the attempted session will not be established.
The TOE protects communication with network peers, such as a syslog server or NTP server, using IPsec connections to prevent unintended disclosure or modification of logs. The TOE uses either RadSec or IPsec to communicate with associated NAS servers for RADIUS requests and responses.
Aruba, a Hewlett Packard Enterprise Company