FIPS 140-2 Non-Proprietary Security Policy for Aruba AP
Contents
1. 802 1 1a b g n Radio Transceiver Control Input Interface 10 100 1000 Ethernet Ports PoE Status Output Interface 10 100 1000 Ethernet Ports 802 1 la b g n Radio Transceiver LEDs Power Interface Power Supply PoE 21 Data input and output control input status output and power interfaces are defined as follows Data input and output are the packets that use the networking functionality of the module Control input consists of manual control inputs for power and reset through the power interfaces 5V DC or PoE It also consists of all of the data that is entered into the access point while using the management interfaces Status output consists of the status indicators displayed through the LEDs the status data that is output from the module while using the management interfaces and the log file o LEDs indicate the physical state of the module such as power up or rebooting utilization level and activation state The log file records the results of self tests configuration errors and monitoring data A power supply may be used to connect the electric power cable Operating power may also be provided via Power Over Ethernet POE device when connected The power is provided through the connected Ethernet cable Console port is disabled by covering TEL when operating in each of FIPS modes The module distinguishes between different forms of data control and status traffic over the network ports by analyzing the pack2. session subsequently IPSec session encryption 168 bit Established during Stored in Secure IPSec keys Triple DES Diffie Hellman key plaintext in traffic or agreement volatile 128 192 256 memory bit AES zeroized when keys session is closed or system powers off IPSec session HMAC Established during Stored in Secure IPSec authentication keys SHA 1 keys Diffie Hellman key plaintext in traffic agreement volatile memory zeroized when session is closed or system powers off 31 STORAGE CSP CSP TYPE GENERATION And USE ZEROIZATI ON IKEv1 IKEv Diffie 1024 bit Generated internally Stored in Used in Hellman Private key Diffie during IKEv1 IKEv2 plaintext in establishing Hellman negotiation volatile the session key private key memory for IPSec zeroized when session is closed or system is powered off IKEv1 IKEv Diffie 128 bit Octet Generated internally Stored in IKEv1 IKEv2 Hellman shared secret during IKEv1 IKEv2 plaintext in payload negotiation volatile integrity memory verification zeroized when session is closed or system is powered off ArubaOS OpenSSL RNG_ Seed 16 Derived using NON Stored in Seed ANSI Seed for FIPS compliant Bytes FIPS approved HW RNG plaintext in X9 31 RNG ANSI X9 31 Appendix dev urandom volatile A2 4 using AES 128 Key memory only algorithm zeroized on reboot ArubaOS OpenSSL RNG Seed key 16 Derived using NON Stored in Seed ANSI Seed k
3. 2 RNG KAT o RSA sign verify o SHA SHA1 SHA256 SHA384 and SHA512 KAT o Triple DES KAT e ArubaOS Uboot Bootloader Module o Firmware Integrity Test RSA 2048 bit Signature Validation The following Conditional Self tests are performed in the module e Continuous Random Number Generator Test This test is run upon generation of random data by the module s random number generators to detect failure to a constant value The module stores the first random number for subsequent comparison and the module compares the value of the new random number with the random number generated in the previous round and enters an error state if the comparison is successful The test is performed for the approved as well as non approved RNGs e RSA pairwise Consistency Test e Firmware load test These self tests are run for the Cavium hardware cryptographic implementation as well as for the Aruba OpenSSL AP and ArubaOS cryptographic module implementations Self test results are written to the serial console 35 In the event of a KATs failure the AP logs different messages depending on the error For an ArubaOS OpenSSL AP module and ArubaOS cryptographic module KAT failure AP rebooted DATE TIME Restarting System SW FIPS KAT failed For an AES Cavium hardware POST failure Starting HW SHA1 KAT Completed HW SHA1 AT Starting HW HMAC SHA1 KAT Completed HW HMAC SHA1 KAT Starting HW DES KAT Completed HW DES
4. AP Prior to completing the 4 way handshake the attacker must complete the 802 11 association process That process involves the following packet exchange e Attacker sends Authentication request at least 34 bytes e AP sends Authentication response at least 34 bytes e Attacker sends Associate Request at least 36 bytes e AP sends Associate Response at least 36 bytes Total bytes sent at least 140 Note that since we do not include the actual 4 way handshake this is less than half the bytes that would actually be sent so the numbers we derive will absolutely bound the answer The theoretical bandwidth limit for IEEE 802 11n is 300Mbit which is 37 500 000 bytes sec In the real world actual throughput is significantly less than this but we will use this idealized number to ensure that our estimate is very conservative This means that the maximum number of associations assume no delays no inter frame gaps that could be completed is less than 37 500 000 214 267 857 per second or 16 071 429 associations per minute This means that an attacker could certainly not try more than this many keys per second it would actually be MUCH less due to the added overhead of the 4 way handshake in each case and the probability of a successful attack in any 60 second interval MUST be less than 16 071 429 4 4 x 1031 or roughly 1 in 10425 which is much less than 1 in 1045 Mesh AP WPA2 PSK User role Same as Wireless Client WPA
5. KAT Starting HW AES KAT Restarting system 36
6. References to Aruba ArubaOS Aruba AP 120 Series wireless access points in the following context will apply to both the Aruba and Dell versions of these products and documentation 1 2 Acronyms and Abbreviations AES Advanced Encryption Standard AP Access Point CBC Cipher Block Chaining CLI Command Line Interface CO Crypto Officer CPSec Control Plane Security protected CSEC Communications Security Establishment Canada CSP Critical Security Parameter ECO External Crypto Officer EMC Electromagnetic Compatibility EMI Electromagnetic Interference FE Fast Ethernet GE Gigabit Ethernet GHz Gigahertz HMAC Hashed Message Authentication Code Hz Hertz IKE Internet Key Exchange IPSec Internet Protocol security KAT Known Answer Test KEK Key Encryption Key L2TP LAN LED SNMP SPOE TEL TFTP WLAN Layer 2 Tunneling Protocol Local Area Network Light Emitting Diode Secure Hash Algorithm Simple Network Management Protocol Serial amp Power Over Ethernet Tamper Evident Label Trivial File Transfer Protocol Wireless Local Area Network 2 Product Overview This section introduces the various Aruba Wireless Access Points providing a brief overview and summary of the physical features of each model covered by this FIPS 140 2 security policy 2 1 Aruba AP 120 Series This section introduces the Aruba AP 120 series Wireless Access Points APs with FIPS 140 2 Level 2 validation It describes the purpose of the AP its
7. controller Once the module is connected to the controller by the Ethernet cable navigate to the Configuration gt Wireless gt AP Installation page where you should see an entry for the AP Select that AP click the Provision button which will open the provisioning window Now provision the AP as Remote Mesh Portal by filling in the form appropriately Detailed steps are listed in Section Provisioning an Individual AP of Chapter The Basic User Centric Networks of the Aruba OS User Guide Click Apply and Reboot to complete the provisioning process a During the provisioning process as Remote Mesh Point if Pre shared key is selected to be the Remote IP Authentication Method the IKE pre shared key which is at least 8 characters in length is input to the module during provisioning Generation of this key is outside the scope of this policy In the initial provisioning of an AP this key will be entered in plaintext subsequently during provisioning it will be entered encrypted over the secure IPSec session If certificate based authentication is chosen AP s RSA key pair is used to authenticate AP to controller during IPSec AP s RSA private key is contained in the AP s non volatile memory and is generated at manufacturing time in factory 20 b During the provisioning process as Mesh Point the WPA2 PSK is input to the module via the corresponding Mesh cluster profile This key is stored on flash encrypted
8. physical attributes and its interfaces Figure 1 Aruba AP 120 Series Wireless Access Points The Aruba AP 124 and AP 125 are high performance 802 1 1n 3x3 MIMO dual radio concurrent 802 1 1a n b g n indoor wireless access points capable of delivering combined wireless data rates of up to 600Mbps These multi function access points provide wireless LAN access air monitoring and wireless intrusion detection and prevention over the 2 4 2 5GHz and 5GHz RF spectrum The access points work in conjunction with Aruba Mobility Controllers to deliver high speed secure user centric network services in education enterprise finance government healthcare and retail applications 2 1 1 Physical Description The Aruba AP 120 series Access Point is a multi chip standalone cryptographic module consisting of hardware and firmware all contained in a hard plastic case The module contains IEEE 802 1 1a 802 11b 802 11g and 802 11n transceivers and up to 3 integrated or external omni directional multi band dipole antenna elements may be attached to the module The plastic case physically encloses the complete set of hardware and firmware components and represents the cryptographic boundary of the module The Access Point configuration validated during the cryptographic module testing included Aruba Part Number Dell Corresponding Part Number AP 124 FI W AP124 F1 AP 125 FI W AP125 F1 The exact firmware versions validated were 2
9. the standard Aruba warranty of one year parts labor For more information refer to the ARUBACARE SERVICE AND SUPPORT TERMS AND CONDITIONS Altering this device such as painting it voids the warranty Copyright 2012 Aruba Networks Inc Aruba Networks trademarks include Aruba Networks Aruba Wireless Networks the registered Aruba the Mobile Edge Company logo and Aruba Mobility Management System Dell the DELL logo andPowerConnect are trademarks of Dell Inc 1 INTRODUCTION ccsssssssssesssssrsessessrsessessrsessessssessessrsessessssessessssessassesessessnsessesessasensessessssessesersors 5 1 1 ARUBA DEEE RELATIONSHIP ies ere ed ee EE en Ge Ve Ee ee Vee Re eke ee ee De ee Gee Gee ge Re ee Re be ie De 5 1 2 ACRONYMSANDABBREVIATIONS ee ese ese sesse ee ee se ese Ge ee E ee ee be ee E Gee ee ee E Ge ee Ge AR 5 2 PRODUCT OVERVIEW seseeseese see sesse see see se See see se See See Se See Ee Be Re Ee Be SEER Be Re Be Re Ee Be Re Ee Be Re Ee Be Ee Ee Be Re Ee ee 7 2 1 ARUBAAP LAO SERIES is vesg on eyes ie Ge oue eke Seed otennssneevens test Ve SR EKG Ee veer Gegee GN ee ee eek GEGEE Ee Ge Nee EER Bee 7 2 1 1 de SEE EE EE OE EE ER EE EE EEN Z 2 11 Dimensions Weight isacioun onua rn Re EEUE RE DUE see EATE i 8 EWE oue eo EE E IE AE RE OE RE IE 8 HLL Tndicator LEDS ER EE ER RE EN N OE EE 8 3 MODULE OBJECTIVES seesesse se ese ese se ese ese se ese ese Se ees se Se ees se Se ee se ee se Se ee Se Se ee Ee SR EE S
10. verify that it is in FIPS mode An important point in the Aruba APs is that to change configurations from any one mode to any other mode requires the module to be re provisioned and rebooted before any new configured mode can be enabled The access point is managed by an Aruba Mobility Controller in FIPS mode and access to the Mobility Controller s administrative interface via a non networked general purpose computer is required to assist in placing the module in FIPS mode The controller used to provision the AP is referred to below as the staging controller The staging controller must be provisioned with the appropriate firmware image for the module which has been validated to FIPS 140 2 prior to initiating AP provisioning After setting up the Access Point by following the basic installation instructions in the module User Manual the Crypto Officer performs the following steps 3 3 1 Configuring Remote AP FIPS Mode 1 Apply TELs according to the directions in section 3 2 2 Log into the administrative console of the staging controller 3 Deploying the AP in Remote FIPS mode configure the controller for supporting Remote APs For detailed instructions and steps see Section Configuring the Secure Remote Access Point Service in Chapter Remote Access Points of the Aruba OS User Manual 4 Enable FIPS mode on the controller This is accomplished by going to the Configuration gt Network gt Controller gt System Setting
11. 1 1 1 ArubaOS_6 1 2 3 FIPS DELL PCW 6 1 2 3 FIPS Dimensions Weight The AP has the following physical dimensions 2 1 1 2 Interfaces 4 9 x 5 13 x 2 0 124mm x 130mm x 51mm 150z 0 42 Kgs The module provides the following network interfaces O Antenna model Aruba AP 124 only 1 x RJ 45 console interface The module provides the following power interfaces 2 1 1 3 Indicator LEDs There are 5 bicolor power ENET 0 1 and WLAN LEDs which operate as follows Table 1 Indicator LEDs 2 x 10 100 1000 Base T Ethernet RJ45 Auto sensing link speed and MDI MDX 3 x RP SMA antenna interfaces supports up to 3x3 MIMO with spatial diversity 48V DC 802 3af or 802 3at or PoE interoperable Power over Ethernet PoE with intelli source PSE sourcing intelligence 5V DC for external AC supplied power adapter sold separately Label Function Action Status PWR AP power ready status Off No power to AP Red Power applied bootloader starting Flashing Green Device booting not ready On Green Device ready ENET 0 Ethernet Network Link Off Ethernet link unavailable RE On Amber 10 100Mbs Ethernet link negotiated On Green 1000Mbs Ethernet link negotiated Flashing Ethernet link activity ENET 1 Ethernet Network Link Off Ethernet link unavailable Dual radio Sus AD On Amber 10 100Mbs Ethernet link negotiated Labe
12. 2 PSK above Certificate based authentication RSA key pair CO role The module supports RSA 2048 bit keys which has at least 112 bits of equivalent strength The probability of a successful random attempt is 1424112 which is less than 1 1 000 000 The probability of a success with multiple consecutive attempts in a one minute period is 5 6e7 2M 12 which is less than 1 100 000 25 4 2 Services The module provides various services depending on role These are described below 4 2 1 Crypto Officer Services The CO role in each of FIPS modes defined in section 3 3 has the same services Service Description CSPs Accessed see section 6 below for complete description of CSPs FIPS mode enable disable Key Management The CO selects de selects FIPS mode as a configuration option The CO can configure modify the IKE shared secret The RSA private key is protected by non volatile memory and cannot be modified and the WPA2 PSK used in advanced Remote AP configuration Also the CO User implicitly uses the KEK to read write configuration to non volatile memory None e IKE shared secret e WPA2 PSK e KEK Remotely reboot module The CO can remotely trigger a reboot KEK is accessed when configuration is read during reboot The firmware verification key and firmware verification CA key are accessed to validate firmware prior to boot Self test triggered by CO User rebo
13. 9 Via the logging facility of the staging controller ensure that the module the AP is successfully provisioned with firmware and configuration 10 Terminate the administrative session 11 Disconnect the module from the staging controller and install it on the deployment network when power is applied the module will attempt to discover and connect to an Aruba Mobility Controller on the network 3 3 5 Verify that the module is in FIPS mode For all the approved modes of operations in either Remote AP FIPS mode Control Plane Security AP FIPS Mode Remote Mesh Portal FIPS mode or Mesh Point FIPS Mode do the following to verify the module is in FIPS mode 1 Log into the administrative console of the Aruba Mobility Controller 2 Verify that the module is connected to the Mobility Controller 3 Verify that the module has FIPS mode enabled by issuing command show ap ap name lt ap name gt config 4 Terminate the administrative session 3 4 Operational Environment This section does not apply as the operational environment is non modifiable 3 5 Logical Interfaces The physical interfaces are divided into logical interfaces defined by FIPS 140 2 as described in the following table Table 2 FIPS 140 2 Logical Interfaces FIPS 140 2 Logical Interface Module Physical Interface Data Input Interface 10 100 1000 Ethernet Ports 802 1 1a b g n Radio Transceiver Data Output Interface 10 100 1000 Ethernet Ports
14. FIPS 140 2 Non Proprietary Security Policy for Aruba AP 120 Series and Dell W AP120 Series Wireless Access Points Version 1 6 October 2012 ADHD A San BUILD networks Aruba Networks 1322 Crossman Ave Sunnyvale CA 94089 1113 T Copyright 2012 Aruba Networks Ine Aruba Networks trademarks include TO AITWAVE aruba Networks Aruba Wireless Networks the registered Aruba the Mobile Edge Company logo Aruba Mobility Management System Mobile Edge Architecture People Move Networks Must Follow RFProtect Green Island All rights reserved All other trademarks are the property of their respective owners Open Source Code Certain Aruba products include Open Source software code developed by third parties including software code subject to the GNU General Public License GPL GNU Lesser General Public License LGPL or other Open Source Licenses The Open Source code used can be found at this site http www arubanetworks com open_source Legal Notice The use of Aruba Networks Inc switching platforms and software by all individuals or corporations to terminate other vendors VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies in full Aruba Networks Inc from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of those vendors Warranty This hardware product is protected by
15. POL MIC Key e 802 1li EAPOL Encryption Key e 802 1li AES CCM key e 802 11 GMK e 802 111 GTK 28 Use of WPA preshared key for When the module is in advanced establishment of IEEE 802 1 1i Remote AP configuration the keys links between the module and the wireless client are secured with 802 11 This is authenticated with a shared secret only e WPA PSK Wireless bridging services The module bridges traffic between the wireless client and None the wired network 4 24 Unauthenticated Services The module provides the following unauthenticated services which are available regardless of role No CSPs are accessed by these services e View system status module LEDs e Reboot module by removing replacing power e Self test and initialization at power on 29 5 Cryptographic Algorithms FIPS approved cryptographic algorithms have been implemented in hardware and firmware The firmware supports the following cryptographic implementations e ArubaOS OpenSSL AP Module implements the following FIPS approved algorithms o AES Cert 1851 o HMAC Cert 1099 o RNG Cert 970 o RSA Cert 934 o SHS Cert 1628 o Triple DES Cert 1199 e ArubaOS Module implements the following FIPS approved algorithms o AES Cert 1850 o HMAC Cert 1098 o RNG Cert 969 o RSA Cert 933 o SHS Cert 1627 o Triple DES Cert 1198 e ArubaOS UBOOT Bootloader implements the following FI
16. PS approved algorithms o RSA Cert 935 o SHS Cert 1629 Hardware encryption acceleration is provided by Cavium Octeon 5010 for bulk cryptographic operations for the following FIPS approved algorithms e AFS Cert 861 e HMAC Cert 478 e SHS Cert 856 e Triple DES Cert 708 Non FIPS Approved Algorithms The cryptographic module implements the following non approved algorithms that are not permitted for use in the FIPS 140 2 mode of operations e MD5 In addition within the FIPS Approved mode of operation the module supports the following allowed key establishment schemes Diffie Hellman key agreement key establishment methodology provides 80 bits of encryption strength 30 6 Critical Security Parameters The following Critical Security Parameters CSPs are used by the module STORAGE CSP CSP TYPE GENERATION And USE ZEROIZATI ON Key Encryption Key Triple DES Hard coded Stored in flash Encrypts KEK 168 bits key zeroized by the IKEv1 IKEv2 ap wipe out preshared keys flash and command configuration parameters IKEv1 IKEv2 Pre shared 64 character CO configured Encrypted in Module and secret preshared flash using the crypto officer key KEK zeroized authentication by updating during through IKEv 1 IKEv2 administrative entered into interface or by the module in the ap wipe plaintext out flash during command initialization and encrypted over the IPSec
17. al AP of Chapter The Basic User Centric Networks of the Aruba OS User Guide Click Apply and Reboot to complete the provisioning process 17 10 11 3 3 2 a During the provisioning process as Remote AP if Pre shared key is selected to be the Remote IP Authentication Method the IKE pre shared key which is at least 8 characters in length is input to the module during provisioning Generation of this key is outside the scope of this policy In the initial provisioning of an AP this key will be entered in plaintext subsequently during provisioning it will be entered encrypted over the secure IPSec session If certificate based authentication is chosen AP s RSA key pair is used to authenticate AP to controller during IPSec AP s RSA private key is contained in the AP s non volatile memory and is generated at manufacturing time in factory Via the logging facility of the staging controller ensure that the module the AP is successfully provisioned with firmware and configuration Terminate the administrative session Disconnect the module from the staging controller and install it on the deployment network when power is applied the module will attempt to discover and connect to an Aruba Mobility Controller on the network Configuring Control Plane Security CPSec protected AP FIPS mode Apply TELs according to the directions in section 3 2 Log into the administrative console of the staging controller Deployin
18. and monitor the module including the configuration loading and zeroization of CSPs o User role the User operator shares the same services and authentication techniques as the Mobility Controller in the Crypto Officer o Wireless Client role in CPSec AP configuration a wireless client can create a connection to the module using WPA2 and access wireless network access services e Remote Mesh Portal FIPS mode o Crypto Officer role the Crypto Officer is the Aruba Mobility Controller that has the ability to configure manage and monitor the module including the configuration loading and zeroization of CSPs o User role the User operator shares the same services and authentication techniques as the Mobility Controller in the Crypto Officer o Wireless Client role in CPSec AP configuration a wireless client can create a connection to the module using WPA2 and access wireless network access services e Remote Mesh Point FIPS mode o Crypto Officer role the Crypto Officer role is the Aruba Mobility Controller that has the ability to configure manage and monitor the module including the configuration loading and zeroization of CSPs The first mesh AP configured is the only AP with the direct wired connection o User role the adjacent APs in a given mesh cluster 23 o Wireless Client role in Mesh AP configuration a wireless client can create a connection to the module using WPA2 and access wireless network access service
19. cure IPSec session If certificate based authentication is chosen AP s RSA key pair is used to authenticate AP to controller during IPSec AP s RSA private key is contained in the AP s non volatile memory and is generated at manufacturing time in factory b During the provisioning process as Remote Mesh Portal the WPA2 PSK is input to the module via the corresponding Mesh cluster profile This key is stored on flash encrypted Via the logging facility of the staging controller ensure that the module the AP is successfully provisioned with firmware and configuration 19 10 Terminate the administrative session 11 Disconnect the module from the staging controller and install it on the deployment network when power is applied the module will attempt to discover and connect to an Aruba Mobility Controller on the network To verify that the module is in FIPS mode do the following 1 2 3 Log into the administrative console of the Aruba Mobility Controller Verify that the module is connected to the Mobility Controller Verify that the module has FIPS mode enabled by issuing command show ap ap name lt ap name gt config Terminate the administrative session Configuring Remote Mesh Point FIPS Mode Apply TELs according to the directions in section 3 2 Log into the administrative console of the staging controller Deploying the AP in Remote Mesh Point mode create the corresponding Mesh Profiles on the controlle
20. d the controller or ensure the presence of a DC power supply appropriate to the particular model of the module Connect the module via an Ethernet cable to the staging controller note that this should be a direct connection with no intervening network or devices if PoE is being supplied by an injector this represents the only exception That is nothing other than a PoE injector should be present between the module and the staging controller Once the module is connected to the controller by the Ethernet cable navigate to the Configuration gt Wireless gt AP Installation page where you should see an entry for the AP Select that AP click the Provision button which will open the provisioning window Now provision the AP as Remote Mesh Portal by filling in the form appropriately Detailed steps are listed in Section Provisioning an Individual AP of Chapter The Basic User Centric Networks of the Aruba OS User Guide Click Apply and Reboot to complete the provisioning process a During the provisioning process as Remote Mesh Portal if Pre shared key is selected to be the Remote IP Authentication Method the IKE pre shared key which is at least 8 characters in length is input to the module during provisioning Generation of this key is outside the scope of this policy In the initial provisioning of an AP this key will be entered in plaintext subsequently during provisioning it will be entered encrypted over the se
21. e SR EE Be Re Se Re ee 10 3 1 SECURITY IBVEESS ER GE GE GE Ge Ge GE Ge GE Ge DR RD RE Ee 10 32 PHYSICAL SECURITY SE EE ESE ee ee EE ee SE Ee ee ee EE ewe ERGE ee ee Gee Ge Reg ge ee ge ee ere ee ee i 10 3 2 1 Applying TELS a a a ee a de e adt 10 322 Ariba VEE TEL AG GO HE OR EE EE eeiceens ll 3 2 2 1 To detect opening of the Chassis COVer i e ese se se ee Ge ee ee Ge Re Gee Re Re AA Ge Re Ge ee ke ee 11 3222 To detect access to restricted DOT esse se se ee se ee ee SA Ge Re Gee Re ee Ge Re Ge Re ke ee 11 3 2 3 Atuba AP 125 TEL Placement soniai aa a a a EA E E be Ge Eg Ea EE 14 3 2 3 1 To detect opening of the Chassis COVET i e ese se se ek Ge ee AA Ge Re Gee Re eke GR Ge Re Gee Re Gee ee 14 3 2 3 2 To detect access to restricted Or esse se see see Ge GR Ge Re Gee Re Re Ge Ge Re Gee Re eke ee 14 3 2 4 Inspection Testing of Physical Security Mechanism eise esse se se Se cess Ge Se cee Gee ee ee se ee 16 3 3 MOBESOEOPERATIONS EES ee Ee GEE sess ek GER Ee ee LR edge ee ee GR SR ee De N eek en ge Se ee eb gere ee ene 16 3 3 1 Configuring Remote AP FIPS Mode iese ee ee Ge ee ee ee Se ee ee ee ee ee ee ee ee 17 3 3 2 Configuring Control Plane Security CPSec protected AP FIPS mode iese sesse sesse sees 18 3 3 3 Configuring Remote Mesh Portal FIPS Mode iese ee see ee se Ge Gee see se ee ee ee ee ee ee 19 3 3 4 Configuring Remote Mesh Point FIPS Mode iese sesse ee se ee Ge ee ee Re Ge Re Ge ee GR ee ee 20 3 3 5 Verify that
22. ed from WPA2 memory only 802 1 li used to PSK zeroized on Pairwise derive reboot Transient Key 802 111 PTK session keys 802 11i Pairwise Transient 512 bit Derived during 802 11 In volatile All session Key PTK shared secret 4 way handshake memory only encryption dec from which zeroized on ryption keys Temporal reboot are derived Keys TKs from the PTK are derived 802 111 128 bit Derived from PTK In volatile Used for shared secret memory only integrity ES FOL MIC Key used to zeroized on validation in 4 protect 4 reboot way way key handshake handshake 802 11i EAPOL Encr Key 128 bit Derived from PTK In volatile Used for shared secret memory only confidentiality used to zeroized on in 4 way protect 4 reboot handshake way handshakes 802 11i data AES CCM 128 bit AES Derived from PTK Stored in Used for encryption MIC key CCM key plaintext in 802 111 packet volatile encryption and memory integrity zeroized on verification reboot this is the CCMP or AES CCM key 33 STORAGE CSP CSP TYPE GENERATION And USE ZEROIZATI ON 802 11i Group Master Key 256 bit Generated from approved Stored in Used to derive GMK secret used RNG plaintext in Group to derive volatile Transient Key GTK memory GTK zeroized on reboot 802 111 Group Transient 256 bit Internally derived by AP Stored in Used to derive Key GTK shared secret which assumes plaintext in multicast used to authenticator role
23. et headers and contents 22 4 Roles Authentication and Services 4 1 Roles The module supports the roles of Crypto Officer User and Wireless Client no additional roles e g Maintenance are supported Administrative operations carried out by the Aruba Mobility Controller map to the Crypto Officer role The Crypto Officer has the ability to configure manage and monitor the module including the configuration loading and zeroization of CSPs Defining characteristics of the roles depend on whether the module is configured as a Remote AP CPSec AP a Remote Mesh Portal AP or a Remote Mesh Point AP e Remote AP FIPS mode o Crypto Officer role the Crypto Officer is the Aruba Mobility Controller that has the ability to configure manage and monitor the module including the configuration loading and zeroization of CSPs o User role the User operator shares the same services and authentication techniques as the Mobility Controller in the Crypto Officer role o Wireless Client role in Remote AP configuration a wireless client can create a connection to the module using WPA2 and access wireless network access bridging services In advanced Remote AP configuration when Remote AP cannot communicate with the controller the wireless client role authenticates to the module via WPA2 PSK only e CPSec AP FIPS mode o Crypto Officer role the Crypto Officer is the Aruba Mobility Controller that has the ability to configure manage
24. etect access to restricted ports 3 Spanning the serial port The tamper evident labels shall be installed for the module to operate in a FIPS approved mode of operation Following is the TEL placement for the Aruba AP 125 Figure 7 AP 125 Front view Figure 8 AP 125 Back view 14 Figure 9 AP 125 Left view Figure 10 AP 125 Right view 15 Figure 12 AP 125 Bottom view 3 2 4 Inspection Testing of Physical Security Mechanisms Physical Security Mechanism Recommended Test Frequency Guidance Tamper evident labels TELs Once per month Examine for any sign of removal replacement tearing etc See images above for locations of TELs Opaque module enclosure Once per month Examine module enclosure for any evidence of new openings or other access to the module internals 3 3 Modes of Operation The module can be configured to be in the following FIPS approved modes of operations via corresponding Aruba or Dell Mobility Controllers that have been certificated to FIPS level 2 e Remote AP RAP FIPS mode When the module is configured as a Remote AP it is intended to be deployed in a remote location relative to the Mobility Controller The module provides cryptographic processing in the form of IPSec for all traffic to and from the Mobility Controller that has been validated e Control Plane Security CPSec protected AP FIPS mode When the module is configured as a Control Plane Securi
25. ey for FIPS bytes AES FIPS approved HW RNG plaintext in X9 31 RNG compliant ANSI X9 31 128 Key dev urandom volatile Appendix A2 4 using algorithm memory only AES 128 Key algorithm zeroized on reboot ArubaOS Cryptographic Seed 64 Derived using NON Stored in Seed 186 2 Module RNG Seed for bytes FIPS approved HW RNG plaintext in General FIPS compliant 186 2 dev urandom volatile Purpose X General Purpose X memory only change change Notice SHA 1 zeroized on Notice SHA RNG reboot 1 RNG ArubaOS Cryptographic Seed Key Derived using NON Stored in Seed 186 2 Module RNG Seed key for 64 bytes FIPS approved HW RNG plaintext in General FIPS compliant 186 2 dev urandom volatile Purpose X General Purpose X memory only change change Notice SHA 1 zeroized on Notice SHA RNG reboot 1 RNG 32 STORAGE CSP CSP TYPE GENERATION And USE ZEROIZATI ON WPA2 PSK 16 64 CO configured Encrypted in Used to derive character flash using the the PMK for shared secret KEK zeroized 802 11i mesh used to by updating connections authenticate through between APs mesh administrative and in connections interface or by advanced and in the ap wipe Remote AP remote AP out flash connections advanced command programmed configuration into AP by the controller over the IPSec session 802 1 1i Pairwise Master 512 bit In volatile Used to derive Key PMK shared secret Deriv
26. g controller and install it on the deployment network when power is applied the module will attempt to discover and connect to an Aruba Mobility Controller on the network Configuring Remote Mesh Portal FIPS Mode Apply TELs according to the directions in section 3 2 Log into the administrative console of the staging controller Deploying the AP in Remote Mesh Portal mode create the corresponding Mesh Profiles on the controller as described in detail in Section Mesh Profiles of Chapter Secure Enterprise Mesh of the Aruba OS User Manual a For mesh configurations configure a WPA2 PSK which is 16 ASCII characters or 64 hexadecimal digits in length generation of such keys is outside the scope of this policy Enable FIPS mode on the controller This is accomplished by going to the Configuration gt Network gt Controller gt System Settings page this is the default page when you click the Configuration tab and clicking the FIPS Mode for Mobility Controller Enable checkbox Enable FIPS mode on the AP This accomplished by going to the Configuration gt Wireless gt AP Configuration gt AP Group page There you click the Edit button for the appropriate AP group and then select AP gt AP System Profile Then check the Fips Enable box check Apply and save the configuration If the staging controller does not provide PoE either ensure the presence of a PoE injector for the LAN connection between the module an
27. g the AP in CPSec AP mode configure the staging controller with CPSec under Configuration gt Controller gt Control Plane Security tab AP will authenticate to the controller using certificate based authentication to establish IPSec AP is configured with RSA key pair at manufacturing AP s certificate is signed by Aruba Certification Authority trusted by all Aruba controller s and the AP s RSA private key is stored in non volatile memory Refer to Configuring Control Plane Security Section in ArubaOS User Manual for details on the steps Enable FIPS mode on the controller This is accomplished by going to the Configuration gt Network gt Controller gt System Settings page this is the default page when you click the Configuration tab and clicking the FIPS Mode for Mobility Controller Enable checkbox Enable FIPS mode on the AP This accomplished by going to the Configuration gt Wireless gt AP Configuration gt AP Group page There you click the Edit button for the appropriate AP group and then select AP gt AP System Profile Then check the Fips Enable box check Apply and save the configuration If the staging controller does not provide PoE either ensure the presence of a PoE injector for the LAN connection between the module and the controller or ensure the presence of a DC power supply appropriate to the particular model of the module Connect the module via an Ethernet cable to the staging controlle
28. has been designed to satisfy FIPS 140 2 Level 2 physical security requirements 3 2 1 Applying TELs The Crypto Officer must apply Tamper Evident Labels TELs to the AP to allow detection of the opening of the device and to block the serial console port on the bottom of the device The TELs shall be installed for the module to operate in a FIPS Approved mode of operation Vendor provides FIPS 140 designated TELs which have met the physical security testing requirements for tamper evident labels under the FIPS 140 2 Standard TELs are not endorsed by the Cryptographic Module Validation Program CMVP Aruba provides double the required amount of TELs with shipping and additional replacement TELs can be obtained by calling customer support and requesting part number 4010061 01 The Crypto Officer is responsible for securing and having control at all times of any unused tamper evident labels The Crypto Officer should employ TELs as follows e Before applying a TEL make sure the target surfaces are clean and dry e Do not cut trim punch or otherwise alter the TEL e Apply the wholly intact TEL firmly and completely to the target surfaces e Ensure that TEL placement is not defeated by simultaneous removal of multiple modules 10 e Allow 24 hours for the TEL adhesive seal to completely cure e Record the position and serial number of each applied TEL in a security log Once applied the TELs included with the AP cannot be surreptitiously b
29. in volatile cryptographic derive group handshake memory keys multicast zeroized on encryption reboot and integrity keys 802 111 Group AES CCM 128 bit Derived from 802 11 Stored in Used to protect Data Encryption MIC Key AES CCM group key handshake plaintext in multicast key derived volatile message from GTK memory confidentiality zeroized on and integrity reboot AES CCM RSA private Key 1024 2048 Generated on the AP Stored in and Used for bit RSA remains in AP at all protected by IKEv1 IKEv2 private key times AP s non authentication volatile when AP is memory authenticating zeroized by the using ap wipe out certificate flash based command authentication 34 7 Self Tests The module performs the following Self Tests after being configured into either Remote AP mode or Remote Mesh Portal mode The module performs both power up and conditional self tests In the event any self test fails the module enters an error state logs the error and reboots automatically The module performs the following power up self tests e Aruba Hardware known Answer tests o AES KAT o AES CCM KAT o HMAC SHA1 KAT o Triple DES KAT e ArubaOS OpenSSL AP Module o AES KAT o HMAC HMAC SHA1 HMAC SHA256 and HMAC SHA384 KAT o RNG KAT o RSA KAT o SHA SHA1 SHA256 and SHA384 KAT o Triple DES KAT e ArubaOS Cryptographic Module o AES KAT o HMAC HMAC SHA1 HMAC SHA256 HMAC SHA384 and HMAC512 KAT o FIPS 186
30. l Function Action Status only On Green 1000Mbs Ethernet link negotiated Flashing Ethernet link activity WLAN 2 4Ghz 2 4GHz Radio Status Off 2 4GHz radio disabled On Amber 2 4GHz radio enabled in WLAN mode On Green 2 4GHz radio enabled in 802 1 1n mode Flashing 2 4GHz Air monitor WLAN 5Ghz 5GHz Radio Status Off 5GHz radio disabled On Amber 5GHz radio enabled in WLAN mode On Green 5GHz radio enabled in 802 1 1n mode Flashing 2 4GHz Air monitor 3 Module Objectives This section describes the assurance levels for each of the areas described in the FIPS 140 2 Standard In addition it provides information on placing the module in a FIPS 140 2 approved configuration 3 1 Security Levels Section Section Title Level 1 Cryptographic Module Specification 2 2 Cryptographic Module Ports and Interfaces 2 3 Roles Services and Authentication 2 4 Finite State Model 2 5 Physical Security 2 6 Operational Environment N A 7 Cryptographic Key Management 2 8 EMI EMC 2 9 Self tests 2 10 Design Assurance 2 11 Mitigation of Other Attacks N A 3 2 Physical Security The Aruba Wireless AP is a scalable multi processor standalone network device and is enclosed in a robust plastic housing The AP enclosure is resistant to probing please note that this feature has not been validated as part of the FIPS 140 2 validation and is opaque within the visible spectrum The enclosure of the AP
31. ment session above 27 4 2 2 User Services The User services defined in Remote AP FIPS mode CPSec protected AP FIPS mode and the Remote Mesh Portal FIPS mode shares the same services with the Crypto Officer role please refer to Section 4 2 1 Crypto Officer Services The following services are provided for the User role defined in Remote Mesh Point FIPS mode Service Description CSPs Accessed see section 6 below for complete description of CSPs Generation and use of 802 1 1i cryptographic keys When the module is in mesh configuration the inter module mesh links are secured with 802 11i e 802 1li PMK e 802 1li PTK e 802 111 EAPOL MIC Key e 802 1li EAPOL Encryption Key e 802 1li AES CCM key e 802 11 GMK e 802 111 GTK Use of WPA preshared key for establishment of IEEE 802 1 1i keys When the module is in mesh configuration the inter module mesh links are secured with 802 11i This is authenticated with a shared secret e WPA PSK 4 2 3 Wireless Client Services The following module services are provided for the Wireless Client role in each of FIPS approved modes Service Description CSPs Accessed see section 6 below for complete description of CSPs Generation and use of 802 1 1i cryptographic keys In all modes the links between the module and wireless client are secured with 802 11i e 802 1li PMK e 802 1li PTK e 802 111 EA
32. n Mechanism Strength Mechanism IKE shared secret For IKE there are a 95A8 6 63 x 1015 possible preshared keys In order CO role to test the guessed key the attacker must complete an IKE aggressive mode exchange with the module IKE aggressive mode consists of a 3 packet exchange but for simplicity let s ignore the final packet sent from the AP to the attacker An IKE aggressive mode initiator packet with a single transform using Diffie Hellman group 2 and having an eight character group name has an IKE packet size of 256 bytes Adding the eight byte UDP header and 20 byte IP header gives a total size of 284 bytes 2272 bits The response packet is very similar in size except that it also contains the HASH_R payload an additional 16 bytes so the total size of the second packet is 300 bytes 2400 bits Assuming a link speed of 1Gbits sec this is the maximum rate supported by the module this gives a maximum idealized guessing rate of 60 000 000 000 4 672 12 842 466 guesses per minute This means the odds of guessing a correct key in one minute is less than 12 842 466 6 63x 1015 1 94 x 10 9 which is much less than 1 in 1045 24 Authentication Mechanism Mechanism Strength Wireless Client WPA2 PSK Wireless Client Role For WPA2 PSK there are at least 95416 4 4 x 10431 possible combinations In order to test a guessed key the attacker must complete the 4 way handshake with the
33. ot The CO can trigger a programmatic reset leading to self test and initialization KEK is accessed when configuration is read during reboot The firmware verification key and firmware verification CA key are accessed to validate firmware prior to boot Update module firmware The CO can trigger a module firmware update The firmware verification key and firmware verification CA key are accessed to validate firmware prior to writing to flash Configure non security related module parameters CO can configure various operational parameters that do not relate to security 26 None Service Description CSPs Accessed see section 6 below for complete description of CSPs Creation use of secure management session between module and CO The module supports use of IPSec for securing the management channel e IKE Preshared Secret e DH Private Key e DH Public Key e IPSec session encryption keys e IPSec session authentication keys e RSA key pair Creation use of secure mesh channel The module requires secure connections between mesh points using 802 11i e WPA2 PSK e 802 1li PMK e 802 1li PTK e 802 111 EAPOL MIC Key e 802 1li EAPOL Encryption Key e 802 111 AES CCM key e 802 11 GMK e 802 111 GTK e 802 111 AES CCM key System Status CO may view system status information through the secured management channel See creation use of secure manage
34. r note that this should be a direct connection with no intervening network or devices if PoE is being supplied by an injector this represents the only exception That is nothing other than a PoE injector should be present between the module and the staging controller Once the module is connected to the controller by the Ethernet cable navigate to the Configuration gt Wireless gt AP Installation page where you should see an entry for the AP Select that AP click the Provision button which will open the provisioning window Now provision the CPSec Mode by filling in the form appropriately Detailed steps are listed in Section Provisioning an Individual AP of Chapter The Basic User Centric Networks of the Aruba OS User Guide Click Apply and Reboot to complete the provisioning process a For CPSec AP mode the AP always uses certificate based authentication to establish IPSec connection with controller AP uses the RSA key pair assigned to it at manufacturing to authenticate itself to controller during IPSec Refer to Configuring Control Plane Security Section in Aruba OS User Manual for details on the steps to provision an AP with CPSec enabled on controller 18 10 11 3 3 3 9 Via the logging facility of the staging controller ensure that the module the AP is successfully provisioned with firmware and configuration Terminate the administrative session Disconnect the module from the stagin
35. r as described in detail in Section Mesh Points of Chapter Secure Enterprise Mesh of the Aruba OS User Manual a For mesh configurations configure a WPA2 PSK which is 16 ASCII characters or 64 hexadecimal digits in length generation of such keys is outside the scope of this policy Enable FIPS mode on the controller This is accomplished by going to the Configuration gt Network gt Controller gt System Settings page this is the default page when you click the Configuration tab and clicking the FIPS Mode for Mobility Controller Enable checkbox Enable FIPS mode on the AP This accomplished by going to the Configuration gt Wireless gt AP Configuration gt AP Group page There you click the Edit button for the appropriate AP group and then select AP gt AP System Profile Then check the Fips Enable box check Apply and save the configuration If the staging controller does not provide PoE either ensure the presence of a PoE injector for the LAN connection between the module and the controller or ensure the presence of a DC power supply appropriate to the particular model of the module Connect the module via an Ethernet cable to the staging controller note that this should be a direct connection with no intervening network or devices if PoE is being supplied by an injector this represents the only exception That is nothing other than a PoE injector should be present between the module and the staging
36. roken removed or reapplied without an obvious change in appearance Removed amp Reapplied Residue Each TEL has a unique serial number to prevent replacement with similar label To protect the device from tampering TELs should be applied by the Crypto Officer as pictured below 3 2 2 Aruba AP 124 TEL Placement This section displays all the TEL locations on the Aruba AP 124 The AP124 requires a minimum of 3 TELs to be applied as follows 3 2 2 1 To detect opening of the chassis cover 1 Spanning the left chassis cover and the top and bottom chassis covers 2 Spanning the right chassis cover and the top and bottom chassis covers 3 2 2 2 To detect access to restricted ports 3 Spanning the serial port The tamper evident labels shall be installed for the module to operate in a FIPS approved mode of operation 11 Following is the TEL placement for the Aruba AP 124 Figure 1 AP 124 Front view Figure 2 AP 124 Back view Figure 3 AP 124 Left view Figure 4 AP 124 Right view 12 Figure 5 AP 124 Top view Figure 6 AP 124 Bottom view 13 3 2 3 Aruba AP 125 TEL Placement This section displays all the TEL locations on the Aruba AP 125 The AP125 requires a minimum of 3 TELs to be applied as follows 32 3 1 To detect opening of the chassis cover 1 Spanning the top and bottom covers on the left side 2 Spanning the top and bottom covers on the right 3 2 3 2 To d
37. s 4 1 1 Crypto Officer Authentication The Aruba Mobility Controller implements the Crypto Officer role Connections between the module and the mobility controller are protected using IPSec Crypto Officer authentication is accomplished via either proof of possession of the IKE preshared key or AP s RSA key pair which occurs during the IKE key exchange In CPSec AP mode AP can only authenticate using RSA key stored in non volatile memory 4 1 2 User Authentication Authentication for the User role depends on the module configuration When the module is configured as a Mesh AP the User role is authenticated via the WPA2 preshared key When the module is configured as a Remote AP the User role is authenticated via the same IKE pre shared key RSA key pair that is used by the Crypto Officer In CPSec AP mode User authentication is accomplished via same RSA key pair that is used by the Crypto Officer 4 1 3 Wireless Client Authentication The wireless client role in the Remote AP Mesh AP or CPSec AP configuration authenticates to the module via WPA2 WEP and or Open System configurations are not permitted in FIPS mode In advanced Remote AP configuration when Remote AP cannot communicate with the controller the wireless client role authenticates to the module via WPA2 PSK only 4 1 4 Strength of Authentication Mechanisms The following table describes the relative strength of each supported authentication mechanism Authenticatio
38. s page this is the default page when you click the Configuration tab and clicking the FIPS Mode for Mobility Controller Enable checkbox 5 Enable FIPS mode on the AP This accomplished by going to the Configuration gt Wireless gt AP Configuration gt AP Group page There you click the Edit button for the appropriate AP group and then select AP gt AP System Profile Then check the Fips Enable box check Apply and save the configuration 6 If the staging controller does not provide PoE either ensure the presence of a PoE injector for the LAN connection between the module and the controller or ensure the presence of a DC power supply appropriate to the particular model of the module 7 Connect the module via an Ethernet cable to the staging controller note that this should be a direct connection with no intervening network or devices if PoE is being supplied by an injector this represents the only exception That is nothing other than a PoE injector should be present between the module and the staging controller 8 Once the module is connected to the controller by the Ethernet cable navigate to the Configuration gt Wireless gt AP Installation page where you should see an entry for the AP Select that AP click the Provision button which will open the provisioning window Now provision the AP as Remote AP by filling in the form appropriately Detailed steps are listed in Section Provisioning an Individu
39. the module is in FIPS mode ese sesse see se se ee Ge ee GR ee SA Ge Re Ge ee GR ee de ee 21 34 OPERATIONAL ENVIRONMENT ei reid ee ses Pe orde Oe vee bees ae peA ese ee besk Keep ee ese e NEE ie gesek Goed ee ie 21 B D LOGICAL INTERFACES EE EE EE EE RE EE 21 4 ROLES AUTHENTICATION AND SERVICES ueeseesee se esse sees sees ee sees ee se esse sees se ese se es ee se ees sees se ese 23 4 1 AO EE OE EE EE EA 23 4 1 1 Crypto Officer Authentication sree ee se ee ee Ge Se Se GR SA GRA Ge ee ee ee ee ee 24 4 1 2 Us rAuthenticdHON ss Es ESE ee SE GE De SE EE ee E DE ee ease bone ee ee Ge ng bee Ge ae ae Se Gee 24 4 1 3 Wireless Client Authentication cccccscceessecenceesseceenceensecesneeesseceeneeesaecesneeesaeceeneecnaeceeeeenaeenses 24 4 1 4 Strength of Authentication Mechanisms eie ee se SS Ge ee ee ee ee ee Ge ee ee ee 24 42 oi aie EE EE EE e Ree 26 4 2 1 Crypto AE MR EE EE OR OE EE OE N 26 4 2 2 BEAT EE NR OR EE RE EE ER N EO tebe 28 4 2 3 Wireless Chet Servi OE RE EE anes coh oe ER EE OE 28 4 2 4 Unauthenticated Services iese se se ee RA RA ee RA ee RA Ge AR ee Re ee 29 CRYPTOGRAPHIC ALGORITHMS ees see see se esse ese se ee Be ee See EG Be EG Be Ee GEE EG Be EG Bee Ge See Ge ee 30 CRITICAL SECURITY PARAMETERS esse sees sesse sesse sees se ees se ees bees ee sees se ese be ee Ge Be ee Be ee See se ee 31 BEL OM N OS EE EE EE EA EE EE OE EA EE 35 1 Introduction This document constitutes the non proprietary Cryptographic Mod
40. ty protected AP it is intended to be deployed in a local private location LAN WAN MPLS relative to the Mobility Controller The module provides cryptographic processing in the form of IPSec for all Control traffic to and from the Mobility Controller e Remote Mesh Portal FIPS mode When the module is configured in Mesh Portal mode it is intended to be connected over a physical wire to the mobility controller These modules serve as the connection point between the Mesh Point and the Mobility Controller Mesh Portals communicate with the Mobility Controller through IPSec and with Mesh Points via 802 1 1i 16 session The Crypto Officer role is the Mobility Controller that authenticates via IKEv1 IKEv2 pre shared key or RSA certificate authentication method and Users are the n Mesh Points that authenticate via 802 111 preshared key e Remote Mesh Point FIPS mode an AP that establishes all wireless path to the Remote Mesh portal in FIPS mode over 802 11 and an IPSec tunnel via the Remote Mesh Portal to the controller In addition the module also supports a non FIPS mode an un provisioned AP which by default does not serve any wireless clients The Crypto Officer must first enable and then provision the AP into a FIPS AP mode of operation This section explains how to place the module in FIPS mode in either Remote AP FIPS mode Control Plane Security AP FIPS Mode Remote Mesh Portal FIPS mode or Mesh Point FIPS Mode and how to
41. ule Security Policy for the AP 120 series Wireless Access Points with FIPS 140 2 Level 2 validation from Aruba Networks This security policy describes how the AP meets the security requirements of FIPS 140 2 Level 2 and how to place and maintain the AP in a secure FIPS 140 2 mode This policy was prepared as part of the FIPS 140 2 Level 2 validation of the product FIPS 140 2 Federal Information Processing Standards Publication 140 2 Security Requirements for Cryptographic Modules details the U S Government requirements for cryptographic modules More information about the FIPS 140 2 standard and validation program is available on the National Institute of Standards and Technology NIST Web site at http csrc nist gov groups STM cmvp index html This document can be freely distributed 1 1 Aruba Dell Relationship Aruba Networks is the OEM for the Dell PowerConnect W line of products Dell products are identical to the Aruba products other than branding and Dell firmware is identical to Aruba firmware other than branding For example Aruba AP 124 F1 is equivalent to Dell W AP124 F1 and ArubaOS_6 12 3 FIPS is equivalent to DELL_PCW_6 1 2 3 FIPS Table 1 Corresponding Aruba and Dell Part Numbers Aruba Part Number Aruba Firmware Dell Part Number Dell Firmware AP 124 FI1 ArubaOS_6 1 2 3 FIPS W AP124 F1 DELL PCW 6 1 2 3 FIPS AP 125 F1 ArubaOS_6 1 2 3 FIPS W AP125 F1 DELL PCW 6 1 2 3 FIPS NOTE
Download Pdf Manuals
Related Search