Archived U.S. Government Approved Protection Profile - Protection Profile for Wireless Local Area Network (WLAN) Clients Version 1.0
Short Name: pp_wlan_cli_v1.0
Technology Type: Wireless LAN
CC Version: 3.1
Succeeded By: pp_wlan_cli_ep_v1.0
Sunset Date: 2016.05.06
Conformance Claim: None
Protection Profile
This document specifies Security Functional Requirements for a WLAN Client. The TOE defined by this PP is the WLAN Client, a component executing on a client machine (often referred to as a "remote access client"). The TOE establishes a secure wireless tunnel between the client device and a WLAN Access System, through which all data passes. The WLAN Access System ensures that only authorized clients obtain this access through authentication with an Authentication Server. For the purpose of this PP, a typical wireless-to-wired network configuration is discussed. However, the intent is not to preclude any other wireless configuration that may exist and meet the requirements in this PP. This PP does not dictate any particular configuration. Instead, the PP addresses the security requirements for the client that provides communication between the wireless user and the wired network and its resources. As discussed in the following sections, it is important to stress that the PP covers the functionality of the WLAN client and its administrative capabilities only; it does not levy requirements that will be implemented in the IT environment, such as Identification and Authentication, Audit Storage, etc. These capabilities should conform to requirements specified for general purpose operating systems, for example.
The WLAN Client supports IEEE 802.1X Port-Based Network Access Control. The architectural framework of port-based access control defines three distinct roles: Supplicant (the TOE), Authenticator (WLAN Access System), and Authentication Server (AS). The WLAN Access System requires successful authentication of the TOE, relying on the AS to authenticate the TOE, before providing network access. The WLAN Access System acts as a pass-through device between the TOE and the AS. The WLAN Access System allows the WLAN Client access to the private network only after it has been successfully authenticated by the AS. The TOE and AS must perform mutual machine authentication using X.509 v3 certificates and Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) messages. If either the TOE or the AS fails to authenticate, the WLAN Access System ceases to communicate with the WLAN Client. Secure communication tunnels to the private network can only be established if authentication is successful.
This U.S. Government Approved Protection Profile is not assigned to any Validated Products.