CC Certificate 

Security Target 

Validation Report 

Assurance Activity 

Administrative Guide 

The Aruba ClearPass Policy Manager platform provides role- and device-based network access control for employees, contractors and guests across any wired, wireless and VPN infrastructure. ClearPass implements RADIUS services, as well as profiling, onboarding, guest access, and health checks facilitating centralized management of network access policies. The authentication services are the focus of this evaluation and other services are not evaluated.

ClearPass provides user and device authentication based on 802.1X, non-802.1X and web portal access methods. Multiple authentication protocols like PEAP, EAP-FAST, EAP-TLS, and EAP-TTLS can be used concurrently to strengthen security in any environment. Attributes from multiple identity stores such as Microsoft Active Directory, LDAP-compliant directory, ODBC-compliant SQL database, token servers and internal databases can be used within a single policy for fine-grained control.

Additional information about the supported network access control capabilities can be found in the ClearPass Policy Manager data sheet (https://www.arubanetworks.com/assets/ds/DS_ClearPass_PolicyManager.pdf); however, for the purpose of evaluation, ClearPass will be treated as a network infrastructure authentication server device offering authentication services, CAVP tested cryptographic functions, security auditing, secure administration, trusted updates, self-tests, and secure connections to other servers (e.g., to transmit audit records).

The ClearPass evaluated configuration includes one of the following devices:

The evaluation was carried out in accordance to the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance.  The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target.  The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, April 2017.  The product, when delivered and configured as identified in the Common Criteria Configuration Guidance Aruba ClearPass Policy Manager, Version 6.11, March 2023 document, satisfies all of the security functional requirements stated in the Aruba ClearPass Policy Manager 6.11 Security Target, Version 1.0, March 21, 2023.  The project underwent CCEVS Validator review.  The evaluation was completed in March 2023.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID11324-2023) prepared by CCEVS.

The logical boundaries of the ClearPass Policy Manager are realized in the security functions that it implements. Each of these security functions is summarized below.

Security audit:

The TOE is designed to be able to generate logs for a wide range of security relevant events. The TOE can be configured to store the logs locally so they can be accessed by an administrator or alternately to send the logs to a designated syslog server.

Communication:

The TOE implements the RADIUS protocol in order to service authentication requests from associated NAS devices.  The TOE requires RADIUS encapsulated EAP Message Authenticators that conform to RFC 3579 and each Access-Request from a NAS must have the correct Message Authenticator so that the NAS can be determined to be authentic. In response, the TOE includes its own identifier, Response Authenticator (conforming to RFC 2865), and the response packet with the requested authentication results.

Cryptographic support:

The TOE includes a version of Hewlett Packard Enterprise OpenSSL Cryptographic Module on Red Hat Enterprise Linux that provides key management, random bit generation, encryption/decryption, digital signature and secure hashing and key-hashing features in support of higher-level cryptographic protocols including IPsec, SSH, and TLS/HTTPS.

Identification and authentication:

The TOE offers no TSF-mediated functions except display of a login banner until the administrator is identified and authenticated.  The TOE authenticates administrative users accessing the TOE via the command-line interface (local serial console or SSH) or web interface (Web UI) in the same manner using its own password-based authentication mechanism.  The TOE also supports public-key based authentication of users through the SSH-based CLI interface and supports certificate authentication for the Web UI.

The TOE supports certificate authentication for TLS and IPsec and supports pre-shared key authentication for RADIUS and IPsec connections.  The TOE uses X.509v3 certificates and validates received authentication certificates. OCSP is supported for X509v3 certificate validation.

Security management:

The TOE provides Command Line (CLI) commands (locally via a serial console or remotely via SSH) and a Web-based Graphical User Interface (Web GUI) to access the available functions to manage the TOE security functions. Security management commands are limited to authorized users (i.e., administrators) only after they have been correctly identified and authenticated. The security management functions are controlled through the use of Admin Privileges that can be assigned to TOE users.

Protection of the TSF:

The TOE implements a number of features designed to protect itself to ensure the reliability and integrity of its security features.

It protects particularly sensitive data such as stored passwords and private cryptographic keys so that they are not accessible even by an administrator. It also provides its own timing mechanism to ensure that reliable time information is available (e.g., for audit records).

The TOE includes functions to perform self-tests so that it might detect when it is failing. It also includes mechanisms so that the TOE itself can be updated while ensuring that the updates will not introduce malicious or other unexpected changes in the TOE.

TOE access:

The TOE can be configured to display an informative banner when an administrator establishes an interactive session and subsequently will enforce an administrator-defined inactivity timeout value after which the inactive session (local or remote) will be terminated.  The TOE can also reject authentication requests based on time of day, account status, location and role mapping.

Trusted path/channels:

The TOE protects interactive communication with administrators using a console and SSHv2 for CLI access and TLS/HTTPS for Web UI access. In each case, both the integrity and disclosure protection is ensured via the secure protocol. If the negotiation of a secure session fails or if the user cannot be authenticated for remote administration, the attempted session will not be established.

The TOE protects communication with network peers, such as a syslog server or NTP server, using IPsec connections to prevent unintended disclosure or modification of logs. The TOE uses either RadSec or IPsec to communicate with associated NAS servers for RADIUS requests and responses.

Vendor Information