DELL PowerConnect W-AP92
Contents
1. Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules, details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the National Institute of Standards and Technology (NIST) Web site at http://csrc.nist.gov/groups/STM/cmvp/index.html. This document can be freely distributed.

1.1 Aruba/Dell Relationship
Aruba Networks is the OEM for the Dell PowerConnect W line of products. Dell products are identical to the Aruba products other than branding, and Dell software is identical to Aruba software other than branding.

Table 1 Corresponding Aruba and Dell Part Numbers (Aruba Part Number / Dell Corresponding Part Number)
- AP-92-F1 / W-AP92-F1
- AP-93-F1 / W-AP93-F1
- AP-105-F1 / W-AP105-F1
- AP-175P-F1 / W-AP175P-F1
- AP-175AC-F1 / W-AP175AC-F1
- AP-175DC-F1 / W-AP175DC-F1

NOTE: References to Aruba, ArubaOS, Aruba AP-92, Aruba AP-93, Aruba AP-105 and Aruba AP-175 wireless access points apply to both the Aruba and Dell versions of these products and documentation.

1.2 Acronyms and Abbreviations
- AES: Advanced Encryption Standard
- AP: Access Point
- CBC: Cipher Block Chaining
- CLI: Command Line Interface
- CO: Crypto Officer
- CPSec: Control Plane Security (protected)
- CSEC: Communications Security Establishment Canada
- CSP: Critical Security Parameter
- ECO: External Crypto Officer
- EMC: Electromagnetic Compatibility
- EMI: Ele
2. Controller on the network.

Configuring Remote Mesh Portal FIPS Mode
1. Apply TELs according to the directions in section 3.2.
2. Log into the administrative console of the staging controller.
3. Deploying the AP in Remote Mesh Portal mode, create the corresponding Mesh Profiles on the controller as described in detail in Section "Mesh Profiles" of Chapter "Secure Enterprise Mesh" of the ArubaOS User Manual.
   a. For mesh configurations, configure a WPA2 PSK which is 16 ASCII characters or 64 hexadecimal digits in length. Generation of such keys is outside the scope of this policy.
4. Enable FIPS mode on the controller. This is accomplished by going to the Configuration > Network > Controller > System Settings page (this is the default page when you click the Configuration tab) and clicking the "FIPS Mode for Mobility Controller Enable" checkbox.
5. Enable FIPS mode on the AP. This is accomplished by going to the Configuration > Wireless > AP Configuration > AP Group page. There you click the Edit button for the appropriate AP group and then select AP > AP System Profile. Then check the "Fips Enable" box, click Apply, and save the configuration.
6. If the staging controller does not provide PoE, either ensure the presence of a PoE injector for the LAN connection between the module and the controller, or ensure the presence of a DC power supply appropriate to the particular model of the module.
7. Connect the module via an Ether
3. (Continuation of the CSP table; the rows for the WPA2 PSK, 802.11i PMK, PTK, EAPOL MIC Key, EAPOL Encr Key and AES-CCM data key, whose Type, Generation and first Storage cells appear in the preceding chunk, continue here.)

Storage and Zeroization (remaining rows):
- 802.11i EAPOL MIC Key: In volatile memory only, zeroized on reboot.
- 802.11i EAPOL Encr Key: In volatile memory only, zeroized on reboot.
- 802.11i data AES-CCM encryption/MIC key: Stored in plaintext in volatile memory, zeroized on reboot.

Use:
- WPA2 PSK: Used to derive the PMK for 802.11i mesh connections between APs and in advanced Remote AP connections; programmed into the AP by the controller over the IPSec session.
- 802.11i PMK: Used to derive the 802.11i Pairwise Transient Key (PTK).
- 802.11i PTK: All session encryption/decryption keys are derived from the PTK.
- 802.11i EAPOL MIC Key: Used for integrity validation in the 4-way handshake.
- 802.11i EAPOL Encr Key: Used for confidentiality in the 4-way handshake.
- 802.11i data AES-CCM encryption/MIC key: Used for 802.11i packet encryption and integrity verification; this is the CCMP or AES-CCM key.

802.11i Group Master Key (GMK)
- CSP Type: 256-bit secret used to derive GTK.
- Generation: Generated from approved RNG.
- Storage and Zeroization: Stored in plaintext in volatile memory, zeroized on reboot.

802.11i Group Transient Key (GTK)
- CSP Type: 256-bit shared secret used to derive group (multicast) encryption and integrity keys.
- Generation: Internally derived by the AP, which assumes the authenticator role in the handshake.
- Storage and Zeroization: Stored in plaintext in volatile memory, zeroized on reboot.

802.11i Group AES-CCM Data Encryption/MIC Key
- CSP Type: 128-bit AES-CCM key derived from GTK.
- Generation: Derived from the 802.11 group key handshake.
- Storage and Zeroization: Stored in plaintext in vo

RSA private key
- CSP Type: 1024/2048-bit RSA private key.
- Generation: Generated on the AP; remains in the AP at all times.
4. ...and module LEDs; 802.11 a/b/g/n; FTP; TFTP; NTP; GRE tunneling of 802.11 wireless user frames (when acting as a Local AP); Reboot module by removing/replacing power; Self-test and initialization at power-on.

5 Cryptographic Algorithms
FIPS-approved cryptographic algorithms have been implemented in hardware and firmware. The firmware supports the following cryptographic implementations:
- ArubaOS OpenSSL AP Module implements the following FIPS-approved algorithms: AES (Cert. #1851), HMAC (Cert. #1099), RNG (Cert. #970), RSA (Cert. #934), SHS (Cert. #1628), Triple-DES (Cert. #1199).
- ArubaOS Module implements the following FIPS-approved algorithms: AES (Cert. #1850), HMAC (Cert. #1098), RNG (Cert. #969), RSA (Cert. #933), SHS (Cert. #1627), Triple-DES (Cert. #1198).
- ArubaOS Kernel implements the following FIPS-approved algorithms: AES (Cert. #1847), HMAC (Cert. #1097), SHS (Cert. #1625), Triple-DES (Cert. #1197).
- ArubaOS UBOOT Bootloader implements the following FIPS-approved algorithms: RSA (Cert. #935), SHS (Cert. #1629).
- Aruba Atheros hardware CCM implements the following FIPS-approved algorithm: AES (Cert. #1849).

Non-FIPS Approved Algorithms
The cryptographic module implements the following non-approved algorithms that are not permitted for use in the FIPS 140-2 mode of operation:
- MD5

In addition, within the FIPS Approved mode of operation, the module supports the following allowed
5. ...configured as a Remote Mesh Portal (FIPS mode) and Remote Mesh Point (FIPS mode), the User role is authenticated via the WPA2 pre-shared key. When the module is configured as a Remote AP (FIPS mode) and CPSec-protected AP (FIPS mode), the User role is authenticated via the same IKEv1/IKEv2 pre-shared key or RSA certificate that is used by the Crypto Officer.

4.1.3 Wireless Client Authentication
The wireless client role defined in each of the FIPS-approved modes authenticates to the module via WPA2. Please notice that WEP and/or Open System configurations are not permitted in FIPS mode. In the advanced Remote AP configuration, when the Remote AP cannot communicate with the controller, the wireless client role authenticates to the module via WPA2-PSK only.

4.1.4 Strength of Authentication Mechanisms
The following table describes the relative strength of each supported authentication mechanism.

Authentication Mechanism: IKEv1/IKEv2 shared secret (CO)
Mechanism Strength: For IKEv1/IKEv2 there are 95^8 (6.63 x 10^15) possible pre-shared keys. In order to test a guessed key, the attacker must complete an IKEv1/IKEv2 aggressive mode exchange with the module. IKEv1/IKEv2 aggressive mode consists of a 3-packet exchange, but for simplicity let's ignore the final packet sent from the AP to the attacker. An IKEv1/IKEv2 aggressive mode initiator packet with a single transform, using Diffie-Hellman group 2 and having an eight-character group name, has an IKEv1/IK
6. ...defined in section 3.3 has the same services.

Service / Description / CSPs Accessed (see section 6 below for a complete description of CSPs)
- FIPS mode enable/disable: The CO selects/de-selects FIPS mode as a configuration option. CSPs: None.
- Key Management: The CO can configure/modify the IKEv1/IKEv2 shared secret (the RSA private key is protected by non-volatile memory and cannot be modified) and the WPA2 PSK used in the advanced Remote AP configuration. Also, the CO/User implicitly uses the KEK to read/write configuration to non-volatile memory. CSPs: IKEv1/IKEv2 shared secret, WPA2 PSK, KEK.
- Remotely reboot module: The CO can remotely trigger a reboot. CSPs: The KEK is accessed when configuration is read during reboot. The firmware verification key and firmware verification CA key are accessed to validate firmware prior to boot.
- Self-test triggered by CO/User: The CO can trigger a programmatic reset leading to self-test and initialization. CSPs: The KEK is accessed when configuration is read during reboot. The firmware verification key and firmware verification CA key are accessed to validate firmware prior to boot.
- Update module firmware: The CO can trigger a module firmware update. CSPs: The firmware verification key and firmware verification CA key are accessed to validate firmware prior to writing to flash.
- Configure non-security related module parameters: The CO can configure various operational parameters that do not relate to security. CSPs Ac
7. ...during IPSec. The AP's RSA private key is contained in the AP's non-volatile memory and is generated at manufacturing time in the factory.
   b. During the provisioning process as Remote Mesh Portal, the WPA2 PSK is input to the module via the corresponding Mesh cluster profile. This key is stored on flash, encrypted.
Via the logging facility of the staging controller, ensure that the module (the AP) is successfully provisioned with firmware and configuration.
Terminate the administrative session.
Disconnect the module from the staging controller and install it on the deployment network; when power is applied, the module will attempt to discover and connect to an Aruba Mobility Controller on the network.

To verify that the module is in FIPS mode, do the following:
1. Log into the administrative console of the Aruba Mobility Controller.
2. Verify that the module is connected to the Mobility Controller.
3. Verify that the module has FIPS mode enabled by issuing the command "show ap ap-name <ap-name> config".
4. Terminate the administrative session.

Configuring Remote Mesh Point FIPS Mode
1. Apply TELs according to the directions in section 3.2.
2. Log into the administrative console of the staging controller.
3. Deploying the AP in Remote Mesh Point mode, create the corresponding Mesh Profiles on the controller as described in detail in Section "Mesh Points" of Chapter "Secure Enterprise Mesh" of the ArubaOS User Manual.
   a. For mesh confi
8. - AP-175AC: 100-240 volt AC from external AC power source
- AP-175DC: 12-48 volt DC from external DC power source

2.4.1.3 Indicator LEDs
There is an array of LEDs which operate as follows:

Table 5 AP-175 Indicator LEDs (Label / LED Function / Action / Status)
- PWR (position D15), AP power/system status: Off = No power to AP; Flashing Green = System alarm (power did not connect well or equipment failure); On Green = Device ready.
- ENET0 (position D7), Ethernet Network Link Status/Activity: Off = Ethernet link unavailable; On Yellow = 10/100Mbs Ethernet link negotiated; On Green = 1000Mbs Ethernet link negotiated; Flashing = Ethernet link activity.
- Radio0 Status (position D2): Off = Radio0 disabled; On Orange = Radio0 enabled.
- Radio1 Status: Off = Radio1 disabled; On Blue = Radio1 enabled.
- SS1 (positions D9/D4), Signal Strength Radio0/Radio1, least significant bit.
- SS2 (positions D10/D5), Signal Strength Radio0/Radio1, second least significant bit.
- SS3, Signal Strength Radio0/Radio1, second most significant bit.
- SS4, Signal Strength Radio0/Radio1, most significant bit.
The SS1 to SS4 LEDs turn on/off depending on the signal strength of the current radio neighbors (Orange for Radio0 and Blue for Radio1). The stronger the signal, the more LEDs get lit, starting with SS1 (least signal strength indicator) all the way to SS4 (highest signal strength indicator).

3 Module Objectives
This section describes the assurance
9. ...hardware product is protected by the standard Aruba warranty of one year parts/labor. For more information, refer to the ARUBACARE SERVICE AND SUPPORT TERMS AND CONDITIONS. Altering this device (such as painting it) voids the warranty.

Copyright 2011 Aruba Networks, Inc. Aruba Networks trademarks include Aruba Networks, Aruba Wireless Networks, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System. Dell, the DELL logo, and PowerConnect are trademarks of Dell Inc.

Table of Contents
1 Introduction
1.1 Aruba/Dell Relationship
1.2 Acronyms and Abbreviations
2 Product Overview
2.1 AP-92
2.1.1 Physical Description
2.1.1.1 Dimensions/Weight
2.1.1.2 Interfaces
2.1.1.3 Indicator LEDs
2.2 AP-93
2.2.1 Physical Description
2.2.1.1 Dimensions/Weight
2.2.1.2 Interfaces
2.2.1.3 Indicator LEDs
2.3 AP-105 Series
2.3.1 Physical Description
2.3.1.1 Dimensions/Weight
2.3.1.2 Interfaces
2.3.1.3 Indicator LEDs
2.4 AP-175 Series
2.4.1 Physical Description
2.4.1.1 Dimensions/Weight
10. ...provides wireless LAN access, air monitoring, and wireless intrusion detection and prevention over the 2.4GHz and 5GHz RF spectrum. The access point works in conjunction with Aruba Mobility Controllers to deliver high-speed, secure, user-centric network services in education, enterprise, finance, government, healthcare, and retail applications.

2.3.1 Physical Description
The Aruba AP-105 Access Point is a multi-chip standalone cryptographic module consisting of hardware and software, all contained in a hard plastic case. The module contains two dual-band (2.4 GHz/5 GHz) 802.11 a/b/g/n transceivers and 4x integrated omni-directional antenna elements supporting up to 2x2 MIMO with spatial diversity.
The plastic case physically encloses the complete set of hardware and software components and represents the cryptographic boundary of the module.
The Access Point configuration tested during the cryptographic module testing included (Aruba Part Number / Dell Corresponding Part Number):
- AP-105-F1 / W-AP105-F1
The exact firmware versions tested were:
- ArubaOS_6xx_6.1.2.3-FIPS
- Dell_PCW_6xx_6.1.2.3-FIPS

2.3.1.1 Dimensions/Weight
The AP has the following physical dimensions:
- 132 mm x 135 mm x 45 mm (5.2" x 5.3" x 1.8")
- 0.3 kg (10.56 oz)

2.3.1.2 Interfaces
The module provides the following network interfaces:
- 1x 10/100/1000 Base-T Ethernet (RJ45), auto-sensing link speed and MDI/MDX
- Antenna: internal
- 1x RJ-45 console interfac
11. ...the position and serial number of each applied TEL in a security log.

For physical security, the AP requires Tamper-Evident Labels (TELs) to allow detection of the opening of the device and to block the serial console port on the bottom of the device. The tamper-evident labels shall be installed for the module to operate in a FIPS-approved mode of operation. To protect the device from tampering, TELs should be applied by the Crypto Officer as pictured below.

3.2.2 AP-92 TEL Placement
This section displays all the TEL locations of the Aruba AP-92. The AP-92 requires a minimum of 3 TELs to be applied as follows:
3.2.2.1 To detect access to restricted ports
1. Spanning the serial port
3.2.2.2 To detect opening of the chassis cover
2. Spanning the bottom and top chassis covers on the right side
3. Spanning the bottom and top chassis covers on the left side
Following is the TEL placement for the AP-92:
Figure 5 Aruba AP-92 TEL placement, front view
Figure 6 Aruba AP-92 TEL placement, left view
Figure 7 Aruba AP-92 TEL placement, right view
Figure 8 Aruba AP-92 TEL placement, top view
Figure 9 Aruba AP-92 TEL placement, bottom view

3.2.3 AP-93 TEL Placement
This section displays all the TEL locations of the Aruba AP-93. The AP-93 requires a minimum of 3 TELs to be applied as follows:
3.2.3.1 To detect access to restricted ports
1. Spanning the serial port
3.2.3.2 To detect opening of the chas
12. ...to complete the provisioning process.
   a. During the provisioning process as Remote AP, if Pre-shared key is selected to be the Remote IP Authentication Method, the IKE pre-shared key, which is at least 8 characters in length, is input to the module during provisioning. Generation of this key is outside the scope of this policy. In the initial provisioning of an AP this key will be entered in plaintext; subsequently, during provisioning it will be entered encrypted over the secure IPSec session. If certificate-based authentication is chosen, the AP's RSA key pair is used to authenticate the AP to the controller during IPSec. The AP's RSA private key is contained in the AP's non-volatile memory and is generated at manufacturing time in the factory.
Via the logging facility of the staging controller, ensure that the module (the AP) is successfully provisioned with firmware and configuration.
Terminate the administrative session.
Disconnect the module from the staging controller and install it on the deployment network; when power is applied, the module will attempt to discover and connect to an Aruba Mobility Controller on the network.

Configuring Control Plane Security (CPSec) protected AP FIPS mode
1. Apply TELs according to the directions in section 3.2.
2. Log into the administrative console of the staging controller.
3. Deploying the AP in CPSec AP mode, configure the staging controller with CPSec under the Configuration > Controller > Control Plane Security tab. A
13. ...802.11a/b/g/n Radio Transceiver
- Data Output Interface: 10/100/1000 Ethernet Ports; 802.11a/b/g/n Radio Transceiver
- Control Input Interface: 10/100/1000 Ethernet Ports; PoE/5V power input jack
- Status Output Interface: 10/100/1000 Ethernet Ports; 802.11a/b/g/n Radio Transceiver; LEDs

Data input and output, control input, status output, and power interfaces are defined as follows:
- Data input and output are the packets that use the networking functionality of the module.
- Control input consists of manual control inputs for power and reset through the power interfaces. It also consists of all of the data that is entered into the access point while using the management interfaces.
- Status output consists of the status indicators displayed through the LEDs, the status data that is output from the module while using the management interfaces, and the log file.
  - LEDs indicate the physical state of the module, such as power-up (or rebooting), utilization level, and activation state. The log file records the results of self-tests, configuration errors, and monitoring data.
- A power supply may be used to connect the electric power cable. Operating power may also be provided via a Power Over Ethernet (POE) device when connected; the power is provided through the connected Ethernet cable.
- The console port is disabled when operating in each of the FIPS modes.
The module distinguishes between different forms of data, control, and status traffic over the n
14. ...Ev2 packet size of 256 bytes. Adding the eight-byte UDP header and 20-byte IP header gives a total size of 284 bytes (2272 bits). The response packet is very similar in size, except that it also contains the HASH_R payload, an additional 16 bytes, so the total size of the second packet is 300 bytes (2400 bits). Assuming a link speed of 1 Gbit/sec (this is the maximum rate supported by the module), this gives a maximum idealized guessing rate of 60,000,000,000 / 4,672 = 12,842,466 guesses per minute. This means the odds of guessing a correct key in one minute is less than 12,842,466 / 6.63x10^15 = 1.94 x 10^-9, which is much less than 1 in 10^5.

Authentication Mechanism: WPA2 PSK (Wireless Client role)
Mechanism Strength: For WPA2-PSK there are at least 95^16 (4.4 x 10^31) possible WPA2-PSK combinations. In order to test a guessed key, the attacker must complete the 4-way handshake with the AP. Prior to completing the 4-way handshake, the attacker must complete the 802.11 association process. That process involves the following packet exchange:
- Attacker sends Authentication request: at least 34 bytes
- AP sends Authentication response: at least 34 bytes
- Attacker sends Associate Request: at least 36 bytes
- AP sends Associate Response: at least 36 bytes
- Total bytes sent: at least 140
Note that since we do not include the actual 4-way handshake, this is less than half the bytes that would actually be sent, so the numb
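The guessing-rate bound worked above, and the IKEv1/IKEv2 pre-shared-key argument of section 4.1.4 that precedes it, as an added worked example in Python. This is not code from the security policy or from Aruba. It takes the policy's own figures (a 95-character alphabet; 8- and 16-character keys; the 256-byte IKE initiator payload plus 28 bytes of IP/UDP header and the 300-byte responder packet; the 140-byte 802.11 authentication/association exchange; a 1 Gbit/s link) and checks each mechanism against the FIPS 140-2 requirement that a random attempt succeed with probability below 1 in 100,000 per minute. The function names, the dataclass and the final negative example are mine.

```python
"""Added example (not Aruba/Dell code): the FIPS 140-2 authentication-strength
bound of section 4.1.4, generalised to any alphabet, key length, bytes per
attempt and link rate."""
from dataclasses import dataclass

# FIPS 140-2: a single random attempt must succeed with probability < 1/1,000,000
# and the attempts possible in one minute must succeed with probability < 1/100,000.
FIPS_PER_MINUTE_LIMIT = 1e-5
PRINTABLE_ASCII = 95  # alphabet size the policy assumes for both PSKs


@dataclass
class GuessingBudget:
    keyspace: int               # number of candidate keys
    bits_per_attempt: int       # wire bits an attacker must send/receive per guess
    attempts_per_minute: int    # idealised guesses per minute on the given link
    p_success_per_minute: float # attempts / keyspace


def ip_udp_frame_bits(payload_bytes: int, udp_hdr: int = 8, ip_hdr: int = 20) -> int:
    """Bits on the wire for one UDP datagram carrying payload_bytes."""
    return (payload_bytes + udp_hdr + ip_hdr) * 8


def guessing_budget(charset: int, length: int, bits_per_attempt: int,
                    link_bps: float = 1e9) -> GuessingBudget:
    """Bound the success probability of one minute of online guessing.

    The bound is idealised in the attacker's favour: every bit of link capacity
    is spent on guesses and no processing time is charged per exchange."""
    space = charset ** length
    attempts = round(link_bps * 60 / bits_per_attempt)
    return GuessingBudget(space, bits_per_attempt, attempts, attempts / space)


def ike_aggressive_mode_budget() -> GuessingBudget:
    """IKEv1/IKEv2 PSK, Crypto Officer role, using the policy's packet sizes."""
    initiator_bits = ip_udp_frame_bits(256)   # 284 bytes = 2272 bits
    responder_bits = 300 * 8                  # 300 bytes incl. HASH_R = 2400 bits
    # The third packet of aggressive mode is ignored, as in the policy.
    return guessing_budget(PRINTABLE_ASCII, 8, initiator_bits + responder_bits)


def wpa2_psk_budget() -> GuessingBudget:
    """WPA2-PSK, Wireless Client role: 16-char PSK, 140-byte association exchange."""
    # The 4-way handshake bytes are deliberately not counted (conservative).
    return guessing_budget(PRINTABLE_ASCII, 16, 140 * 8)


def meets_fips(budget: GuessingBudget) -> bool:
    return budget.p_success_per_minute < FIPS_PER_MINUTE_LIMIT


if __name__ == "__main__":
    for name, b in (("IKE PSK", ike_aggressive_mode_budget()),
                    ("WPA2 PSK", wpa2_psk_budget()),
                    ("4-digit PIN (counter-example)", guessing_budget(10, 4, 140 * 8))):
        print(f"{name}: {b.attempts_per_minute:,} guesses/min, "
              f"p={b.p_success_per_minute:.3g}, FIPS ok={meets_fips(b)}")
```

The counter-example at the end shows why the policy bothers with the packet-size arithmetic: a 4-digit PIN on the same link would be exhausted many times over in a minute, so the keyspace, not the exchange cost, is what carries both of the module's mechanisms past the threshold.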
15. FIPS 140-2 Non-Proprietary Security Policy for Aruba AP-92, AP-93, AP-105, AP-175 / Dell W-AP92, W-AP93, W-AP105 and W-AP175 Wireless Access Points
Version 1.2, Feb 2012

Aruba Networks
1322 Crossman Ave, Sunnyvale, CA 94089-1113

Copyright 2012 Aruba Networks, Inc. Aruba Networks trademarks include Aruba Networks, Aruba Wireless Networks, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System, Mobile Edge Architecture, People Move. Networks Must Follow., RFProtect, Green Island. All rights reserved. All other trademarks are the property of their respective owners.

Open Source Code
Certain Aruba products include Open Source software code developed by third parties, including software code subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses. The Open Source code used can be found at this site: http://www.arubanetworks.com/open_source

Legal Notice
The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate other vendors' VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of those vendors.

Warranty
This
16. IKEv1/IKEv2 Diffie-Hellman Private key
- CSP Type: 1024-bit Diffie-Hellman private key
- Generation: Generated internally during IKEv1/IKEv2 negotiation
- Storage and Zeroization: Stored in plaintext in volatile memory; zeroized when the session is closed or the system is powered off

IKEv1/IKEv2 Diffie-Hellman shared secret
- CSP Type: 128-bit octet (as listed in the table)
- Generation: Generated internally during IKEv1/IKEv2 negotiation
- Storage and Zeroization: Stored in plaintext in volatile memory; zeroized when the session is closed or the system is powered off

ArubaOS OpenSSL RNG Seed for FIPS-compliant ANSI X9.31 Appendix A2.4 (using AES-128 Key) algorithm
- CSP Type: Seed (16 bytes)
- Generation: Derived using NON-FIPS-approved HW RNG (/dev/urandom)
- Storage and Zeroization: Stored in plaintext in volatile memory only; zeroized on reboot

ArubaOS OpenSSL RNG Seed key for FIPS-compliant ANSI X9.31 Appendix A2.4 (using AES-128 Key) algorithm
- CSP Type: Seed key (16 bytes, AES-128 Key algorithm)
- Generation: Derived using NON-FIPS-approved HW RNG (/dev/urandom)
- Storage and Zeroization: Stored in plaintext in volatile memory only; zeroized on reboot

ArubaOS Cryptographic Module RNG Seed for FIPS-compliant 186-2 General Purpose (x-Change Notice) SHA-1 RNG
- CSP Type: Seed (64 bytes)
- Generation: Derived using NON-FIPS-approved HW RNG (/dev/urandom)

ArubaOS Cryptographic Module RNG Seed key for FIPS-compliant 186-2 General Purpose (x-Change Notice) SHA-1 RNG
- CSP Type: Seed Key (64 bytes)
- Generation: Derived using NON-FIPS-approved HW RNG (/dev/urandom)
17. ...P will authenticate to the controller using certificate-based authentication to establish IPSec. The AP is configured with an RSA key pair at manufacturing; the AP's certificate is signed by the Aruba Certification Authority, trusted by all Aruba controllers, and the AP's RSA private key is stored in non-volatile memory. Refer to the "Configuring Control Plane Security" section in the ArubaOS User Manual for details on the steps.
4. Enable FIPS mode on the controller. This is accomplished by going to the Configuration > Network > Controller > System Settings page (this is the default page when you click the Configuration tab) and clicking the "FIPS Mode for Mobility Controller Enable" checkbox.
5. Enable FIPS mode on the AP. This is accomplished by going to the Configuration > Wireless > AP Configuration > AP Group page. There you click the Edit button for the appropriate AP group and then select AP > AP System Profile. Then check the "Fips Enable" box, click Apply, and save the configuration.
6. If the staging controller does not provide PoE, either ensure the presence of a PoE injector for the LAN connection between the module and the controller, or ensure the presence of a DC power supply appropriate to the particular model of the module.
7. Connect the module via an Ethernet cable to the staging controller; note that this should be a direct connection, with no intervening network or devices. If PoE is being supplied
18. (Continuation of the preceding CSP rows.)
Storage and Zeroization (remaining RNG seed rows): Stored in plaintext in volatile memory only, zeroized on reboot; Stored in plaintext in volatile memory only, zeroized on reboot.

Use:
- IKEv1/IKEv2 Diffie-Hellman Private key: Used in establishing the session key for IPSec.
- IKEv1/IKEv2 Diffie-Hellman shared secret: IKEv1/IKEv2 payload integrity verification.
- ArubaOS OpenSSL RNG Seed: Seed ANSI X9.31 RNG.
- ArubaOS OpenSSL RNG Seed key: Seed ANSI X9.31 RNG.
- ArubaOS Cryptographic Module RNG Seed: Seed 186-2 General Purpose (x-Change Notice) SHA-1 RNG.
- ArubaOS Cryptographic Module RNG Seed key: Seed 186-2 General Purpose (x-Change Notice) SHA-1 RNG.

WPA2 PSK
- CSP Type: 16-64 character shared secret used to authenticate mesh connections and in the remote AP advanced configuration
- Generation: CO configured
- Storage and Zeroization: Encrypted in flash using the KEK; zeroized by updating through the administrative interface or by the "ap wipe out flash" command

802.11i Pairwise Master Key (PMK)
- CSP Type: 512-bit shared secret used to derive 802.11i session keys
- Generation: Derived from WPA2 PSK
- Storage and Zeroization: In volatile memory only; zeroized on reboot

802.11i Pairwise Transient Key (PTK)
- CSP Type: 512-bit shared secret from which Temporal Keys (TKs) are derived
- Generation: Derived during the 802.11i 4-way handshake
- Storage and Zeroization: In volatile memory only; zeroized on reboot

802.11i EAPOL MIC Key
- CSP Type: 128-bit shared secret used to protect the 4-way key handshake
- Generation: Derived from PTK

802.11i EAPOL Encr Key
- CSP Type: 128-bit shared secret used to protect the 4-way handshake
- Generation: Derived from PTK

802.11i data AES-CCM encryption/MIC key
- CSP Type: 128-bit AES-CCM key
- Generation: Derived from PTK
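The 802.11i key hierarchy these CSP rows describe (WPA2 PSK to PMK, PMK to PTK in the 4-way handshake, and the PTK split into the EAPOL MIC key, the EAPOL encryption key and the AES-CCM data key that the table's "Use" column covers), as an added worked example in Python. It is not ArubaOS code and not code from the policy; the derivation follows IEEE 802.11i: PBKDF2-HMAC-SHA1 with 4096 iterations and the SSID as salt for an ASCII passphrase (64 hex digits are taken as the PMK directly), the 802.11 PRF-512 keyed with the PMK over the two MAC addresses and the two handshake nonces for the PTK, and HMAC-SHA1 truncated to 128 bits for the EAPOL-Key MIC that a guessing attacker must get right. The "password"/"IEEE" pair is the passphrase-to-PSK test vector published in the 802.11 standard; the MAC addresses, nonces and other SSID are constructed inputs. The policy requires a 16-character ASCII PSK in FIPS mode; the 8-character lower bound enforced below is only the standard's own minimum and is a parameter.

```python
"""Added example (not Aruba/Dell code): the WPA2-PSK / 802.11i key hierarchy
PSK -> PMK -> PTK -> (KCK, KEK, TK) and the EAPOL-Key MIC check."""
import hashlib
import hmac
from typing import NamedTuple


class Ptk(NamedTuple):
    kck: bytes  # 802.11i EAPOL MIC key (128 bit): integrity of the 4-way handshake
    kek: bytes  # 802.11i EAPOL encryption key (128 bit): wraps the GTK in message 3
    tk: bytes   # 802.11i AES-CCM data encryption/MIC key (128 bit): CCMP frames


def pmk_from_psk(psk: str, ssid: str, min_len: int = 8) -> bytes:
    """WPA2 PSK to PMK. 64 hex digits are the PMK itself; an ASCII passphrase is
    stretched with PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt (802.11i H.4).
    The policy's FIPS configuration requires min_len=16 ASCII characters."""
    if len(psk) == 64 and all(c in "0123456789abcdefABCDEF" for c in psk):
        return bytes.fromhex(psk)
    if not min_len <= len(psk) <= 63:
        raise ValueError(f"ASCII PSK must be {min_len}..63 characters")
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0.."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> Ptk:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of MACs and nonces).
    Ordering by min/max makes the result independent of who is AP and who is client."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 512)
    # For CCMP only the first 384 bits are used: KCK | KEK | TK, 128 bits each.
    return Ptk(ptk[0:16], ptk[16:32], ptk[32:48])


def eapol_key_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """EAPOL-Key MIC for WPA2/AES-CCMP (descriptor version 2): HMAC-SHA1 truncated
    to 128 bits over the EAPOL-Key frame with its MIC field set to zero."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def eapol_key_mic_valid(kck: bytes, eapol_frame_mic_zeroed: bytes, mic: bytes) -> bool:
    """What the AP checks on message 2: a wrong PSK guess yields a wrong MIC here."""
    return hmac.compare_digest(eapol_key_mic(kck, eapol_frame_mic_zeroed), mic)


def demo():
    """Run the hierarchy end to end on constructed handshake inputs."""
    pmk = pmk_from_psk("password", "IEEE")     # 802.11 standard test vector
    aa = bytes.fromhex("001122334455")         # constructed AP (authenticator) MAC
    spa = bytes.fromhex("66778899aabb")        # constructed client (supplicant) MAC
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))  # constructed nonces
    ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    frame = b"\x02\x03\x00\x5f\x02\x01\x0a" + bytes(92)      # constructed EAPOL-Key msg 2
    return pmk, ptk, eapol_key_mic(ptk.kck, frame)


if __name__ == "__main__":
    pmk, ptk, mic = demo()
    print("PMK", pmk.hex())
    print("KCK", ptk.kck.hex(), "KEK", ptk.kek.hex(), "TK", ptk.tk.hex())
    print("MIC", mic.hex())
```

The two zeroization rules in the table fall out of the code's shape: the PSK is the only value that has to survive a reboot (it is the CO-configured input), so it alone lives in flash, while the PMK, PTK and the three 128-bit slices are recomputed from it on every handshake and need only exist in RAM.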
19. There are 4 bicolor (power, ENET and WLAN) LEDs which operate as follows:

Table 3 AP-93 Indicator LEDs
- AP power/ready status: Off = No power to AP (initial power-up condition); Flashing Green = Device booting, not ready; On Green = Device ready.
- Ethernet Network Link: Off = Ethernet link unavailable; On Amber = 10/100Mbs Ethernet link negotiated; On Green = 1000Mbs Ethernet link negotiated.
- 11b/g/n (2.4GHz) Radio Status: Off = 2.4GHz radio disabled; On Amber = 2.4GHz radio enabled in WLAN mode; On Green = 2.4GHz radio enabled in 802.11n mode; Flashing Green = 2.4GHz Air monitor or RFprotect sensor.
- 11a/n (5GHz) Radio Status: Off = 5GHz radio disabled; On Amber = 5GHz radio enabled in WLAN mode; On Green = 5GHz radio enabled in 802.11n mode; Flashing Green = 5GHz Air monitor or RFprotect sensor.

2.3 AP-105 Series
This section introduces the Aruba AP-105 series Wireless Access Points (APs) with FIPS 140-2 Level 2 validation. It describes the purpose of the AP, its physical attributes, and its interfaces.

Figure 3 AP-105 Wireless Access Point

The Aruba AP-105 is a high-performance 802.11n (2x2:2 MIMO) dual-radio, concurrent 802.11a/n and b/g/n indoor wireless access point capable of delivering combined wireless data rates of up to 600Mbps. This multi-function access point
20. ...by an injector, this represents the only exception. That is, nothing other than a PoE injector should be present between the module and the staging controller.
8. Once the module is connected to the controller by the Ethernet cable, navigate to the Configuration > Wireless > AP Installation page, where you should see an entry for the AP. Select that AP and click the Provision button, which will open the provisioning window. Now provision the CPSec mode by filling in the form appropriately. Detailed steps are listed in Section "Provisioning an Individual AP" of Chapter "The Basic User-Centric Networks" of the ArubaOS User Guide. Click "Apply and Reboot" to complete the provisioning process.
   a. For CPSec AP mode, the AP always uses certificate-based authentication to establish the IPSec connection with the controller. The AP uses the RSA key pair assigned to it at manufacturing to authenticate itself to the controller during IPSec. Refer to the "Configuring Control Plane Security" section in the ArubaOS User Manual for details on the steps to provision an AP with CPSec enabled on the controller.
9. Via the logging facility of the staging controller, ensure that the module (the AP) is successfully provisioned with firmware and configuration.
10. Terminate the administrative session.
11. Disconnect the module from the staging controller and install it on the deployment network; when power is applied, the module will attempt to discover and connect to an Aruba Mobility
21. ...cessed (see section 6 below for a complete description of CSPs)
- Creation/use of secure management session between module and CO: The module supports use of IPSec for securing the management channel. CSPs: IKEv1/IKEv2 Preshared Secret, DH Private Key, DH Public Key, IPSec session encryption keys, IPSec session authentication keys, RSA key pair.
- Creation/use of secure mesh channel: The module requires secure connections between mesh points using 802.11i. CSPs: WPA2 PSK, 802.11i PMK, 802.11i PTK, 802.11i EAPOL MIC Key, 802.11i EAPOL Encryption Key, 802.11i AES-CCM key, 802.11i GMK, 802.11i GTK, 802.11i (group) AES-CCM key.
- System Status: The CO may view system status information through the secured management channel. CSPs: See "Creation/use of secure management session" above.

4.2.2 User Services
The User services defined in Remote AP FIPS mode and CPSec-protected AP FIPS mode share the same services with the Crypto Officer role; please refer to Section 4.2.1 Crypto Officer Services. The following services are provided for the User role defined in Remote Mesh Portal FIPS mode and Remote Mesh Point FIPS mode.

Service / Description / CSPs Accessed (see section 6 below for a complete description of CSPs)
- Generation and use of 802.11i cryptographic keys: When the module is in mesh configuration, the inter-module mesh links are secured with 802.11i. CSPs: 802.11i PMK, 802.11i PTK, 802.11i EAPOL MIC Key, 802.11i EAPOL Encryption Key,
22. ...console port
2. Spanning the power connector plug (AP-175P only)
3. Spanning the hex screw
3.2.5.2 To detect opening of the chassis cover
4. Spanning the top and bottom chassis covers on the left side
5. Spanning the top and bottom chassis covers on the right side
Following is the TEL placement for the AP-175:
Figure 19 Aruba AP-175 TEL placement, front view
Figure 20 Aruba AP-175 TEL placement, back view
Figure 21 Aruba AP-175 TEL placement, left view
Figure 22 Aruba AP-175 TEL placement, right view
Figure 23 Aruba AP-175 TEL placement, top view
Figure 24 Aruba AP-175 TEL placement, bottom view

3.2.6 Inspection/Testing of Physical Security Mechanisms
Physical Security Mechanism / Recommended Test Frequency / Inspection Guidance
- Tamper-evident labels (TELs): Once per month. Examine for any sign of removal, replacement, tearing, etc. See images above for locations of TELs.
- Opaque module enclosure: Once per month. Examine the module enclosure for any evidence of new openings or other access to the module internals.

3.3 Modes of Operation
The module has the following FIPS-approved modes of operation:
- Remote AP (RAP) FIPS mode: When the module is configured as a Remote AP, it is intended to be deployed in a remote location relative to the Mobility Controller. The module provides cryptographic processing in the form of IPSec for all traffic to and from the Mobility Con
23. ...ctromagnetic Interference
- FE: Fast Ethernet
- GE: Gigabit Ethernet
- GHz: Gigahertz
- HMAC: Hashed Message Authentication Code
- Hz: Hertz
- IKE: Internet Key Exchange
- IPSec: Internet Protocol security
- KAT: Known Answer Test
- KEK: Key Encryption Key
- L2TP: Layer 2 Tunneling Protocol
- LAN: Local Area Network
- LED: Light Emitting Diode
- SHA: Secure Hash Algorithm
- SNMP: Simple Network Management Protocol
- SPOE: Serial & Power Over Ethernet
- TEL: Tamper-Evident Label
- TFTP: Trivial File Transfer Protocol
- WLAN: Wireless Local Area Network

2 Product Overview
This section introduces the various Aruba Wireless Access Points, providing a brief overview and summary of the physical features of each model covered by this FIPS 140-2 security policy.

2.1 AP-92
This section introduces the Aruba AP-92 Wireless Access Point (AP) with FIPS 140-2 Level 2 validation. It describes the purpose of the AP, its physical attributes, and its interfaces.

Figure 1 AP-92 Wireless Access Point

The Aruba AP-92 is a robust-performance 802.11n (2x2:2 MIMO) single-radio (supporting 2.4 GHz or 5 GHz) 802.11a/b/g/n indoor wireless access point capable of delivering wireless data rates of up to 300Mbps. This multi-function access point provides wireless LAN access, air monitoring, and wireless intrusion detection and prevention. The access point works in conjunction with Aruba Mobility Controllers to deliver high-speed, secure, user-ce
24. ...dened outdoor 802.11n access point (AP) that provides maximum deployment flexibility in high-density campuses, storage yards, warehouses, container transportation facilities, extreme industrial production areas, and other harsh environments.

2.4.1 Physical Description
The Aruba AP-175 Access Point is a multi-chip standalone cryptographic module consisting of hardware and software, all contained in a hard case. The module contains two 802.11 a/b/g/n transceivers and 4x N-type female interfaces (2x 2.4 GHz, 2x 5 GHz) for external antenna support (supports MIMO).
The hard case physically encloses the complete set of hardware and software components and represents the cryptographic boundary of the module.
The Access Point configuration tested during the cryptographic module testing included (Aruba Part Number / Dell Corresponding Part Number):
- AP-175P-F1 / W-AP175P-F1
The exact firmware versions tested were:
- ArubaOS_6xx_6.1.2.3-FIPS
- Dell_PCW_6xx_6.1.2.3-FIPS

2.4.1.1 Dimensions/Weight
The AP has the following physical dimensions:
- 260 mm x 240 mm x 105 mm (10.2" x 9.4" x 4.1")
- 3.25 kg (7 lb)

2.4.1.2 Interfaces
The module provides the following network interfaces:
- 1x 10/100/1000 Base-T Ethernet (RJ45), auto-sensing link speed and MDI/MDX
- Antenna: 4x N-Type female antenna interfaces
- 1x RJ-45 console interface
The module provides the following power interfaces:
- AP-175P: 48 volt DC 802.3at power over Ethernet (PoE)
25. The module provides the following power interfaces:
• 48 V DC 802.3af Power over Ethernet
• 12 V DC for external AC-supplied power adapter (sold separately)

2.3.1.3 Indicator LEDs
There are 4 bicolor (power, ENET and WLAN) LEDs, which operate as follows.

Table 4: AP-105 Indicator LEDs
PWR (AP power/ready status): Off = no power to AP; On Amber = initial power-up condition; Flashing Green = device booting, not ready; On Green = device ready
ENET (Ethernet network link status/activity): Off = Ethernet link unavailable; On Amber = 10/100 Mbps Ethernet link negotiated; On Green = 1000 Mbps Ethernet link negotiated; Flashing = Ethernet link activity
11b/g/n (2.4 GHz radio status): Off = 2.4 GHz radio disabled; On Amber = 2.4 GHz radio enabled in WLAN mode; On Green = 2.4 GHz radio enabled in 802.11n mode; Flashing Green = 2.4 GHz Air monitor or RFprotect sensor
11a/n (5 GHz radio status): Off = 5 GHz radio disabled; On Amber = 5 GHz radio enabled in WLAN mode; On Green = 5 GHz radio enabled in 802.11n mode; Flashing Green = 5 GHz Air monitor or RFprotect sensor

2.4 AP-175 Series
This section introduces the Aruba AP-175 series Wireless Access Points (APs) with FIPS 140-2 Level 2 validation. It describes the purpose of the AP, its physical attributes and its interfaces.

Figure 4: AP-175 Wireless Access Point

The Aruba AP-175 is a high-performance 802.11n (2x2:2 MIMO) dual-radio access point supporting concurrent 802.11a/n and 802.11b/g/n operation, capable of delivering combined wireless data rates of up to 600 Mbps. This multi-function access point provides wireless LAN access, air monitoring, and wireless intrusion detection and prevention over the 2.4 GHz and 5 GHz RF spectrum. The multifunction AP-175 is an affordable, fully har
26. eckbox.
5. Enable FIPS mode on the AP. This is accomplished by going to the Configuration > Wireless > AP Configuration > AP Group page. There you click the Edit button for the appropriate AP group and then select AP > AP System Profile. Then check the "Fips Enable" box, click Apply and save the configuration.
6. If the staging controller does not provide PoE, either ensure the presence of a PoE injector for the LAN connection between the module and the controller, or ensure the presence of a DC power supply appropriate to the particular model of the module.
7. Connect the module via an Ethernet cable to the staging controller; note that this should be a direct connection, with no intervening network or devices. If PoE is being supplied by an injector, this represents the only exception. That is, nothing other than a PoE injector should be present between the module and the staging controller.
8. Once the module is connected to the controller by the Ethernet cable, navigate to the Configuration > Wireless > AP Installation page, where you should see an entry for the AP. Select that AP and click the Provision button, which will open the provisioning window. Now provision the AP as Remote AP by filling in the form appropriately. Detailed steps are listed in Section "Provisioning an Individual AP" of Chapter "The Basic User-Centric Networks" of the Aruba OS User Guide. Click Apply and Reboot
27. ers we derive will absolutely bound the answer. The theoretical bandwidth limit for IEEE 802.11n is 300 Mbit/s, which is 37,500,000 bytes/sec. In the real world, actual throughput is significantly less than this, but we will use this idealized number to ensure that our estimate is very conservative. This means that the maximum number of associations (assuming no delays and no inter-frame gaps) that could be completed is less than 37,500,000 / 140 = 267,857 per second, or 16,071,429 associations per minute. This means that an attacker could certainly not try more than this many keys per minute (it would actually be MUCH less due to the added overhead of the 4-way handshake in each case), and the probability of a successful attack in any 60-second interval MUST be less than 16,071,429 / (4.4 x 10^31), or roughly 1 in 10^24, which is much less than 1 in 10^5.

Mesh AP (User role), WPA2-PSK: same as Wireless Client WPA2-PSK above.

Crypto Officer role, RSA certificate-based authentication: The module supports RSA 1024-bit keys and 2048-bit RSA keys. RSA 1024-bit keys correspond to 80 bits of security. The probability of a successful random attempt is 1/2^80, which is less than 1/1,000,000. The probability of success with multiple consecutive attempts in a one-minute period is less than 1/100,000.

4.2 Services
The module provides various services depending on role. These are described below.

4.2.1 Crypto Officer Services
The CO role in each of the FIPS modes
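The bound derived in the strength-of-authentication analysis above, recomputed as an added example. This is editor-written Python, not code from the Aruba/Dell security policy. It assumes a 140-byte minimum per association attempt (the divisor that reproduces the policy's 267,857 associations per second), treats a 16-character ASCII PSK as drawn from 95 printable characters (which gives the policy's 4.4 x 10^31 keyspace), and, as a further assumption, reuses the same link-derived attempt ceiling for RSA certificate authentication, for which the policy states no attempt rate. It goes beyond the policy in one respect: it also scores a hypothetical PSK shorter than the policy allows, to show that the one-minute limit, not the single-attempt limit, is the one that binds.

```python
"""Strength-of-authentication bounds in the style of section 4.1.4 (added example)."""
import math

SINGLE_ATTEMPT_LIMIT = 1 / 1_000_000   # FIPS 140-2: one random attempt
PER_MINUTE_LIMIT = 1 / 100_000         # FIPS 140-2: all attempts in any one minute

LINK_BITS_PER_SEC = 300_000_000        # idealized 802.11n ceiling used by the policy
# Assumption: the policy divides the byte rate by a minimum association size to
# reach 267,857 associations/sec; 140 bytes reproduces that figure exactly.
MIN_ASSOCIATION_BYTES = 140

# Security strength of RSA moduli per NIST SP 800-57 (policy: 1024-bit -> 80 bits)
RSA_STRENGTH_BITS = {1024: 80, 2048: 112}


def max_attempts_per_minute(link_bits_per_sec=LINK_BITS_PER_SEC,
                            bytes_per_attempt=MIN_ASSOCIATION_BYTES):
    """Upper bound on attempts per minute if every byte of the link carried
    association traffic with no gaps (deliberately over-generous to the attacker)."""
    per_sec = (link_bits_per_sec / 8) / bytes_per_attempt
    return math.ceil(per_sec * 60)


def psk_keyspace(ascii_len=None, hex_digits=None):
    """Number of possible WPA2 pre-shared keys: printable ASCII (95 symbols per
    character) or raw hexadecimal digits (16 symbols per digit)."""
    if ascii_len is not None:
        return 95 ** ascii_len
    if hex_digits is not None:
        return 16 ** hex_digits
    raise ValueError("specify ascii_len or hex_digits")


def rsa_keyspace(modulus_bits):
    """Effective search space for RSA authentication at its security strength."""
    return 2 ** RSA_STRENGTH_BITS[modulus_bits]


def single_attempt_probability(keyspace):
    return 1 / keyspace


def per_minute_probability(keyspace, attempts_per_minute):
    return attempts_per_minute / keyspace


def meets_fips_bounds(keyspace, attempts_per_minute):
    """True only when both FIPS 140-2 probability limits hold."""
    return (single_attempt_probability(keyspace) < SINGLE_ATTEMPT_LIMIT
            and per_minute_probability(keyspace, attempts_per_minute) < PER_MINUTE_LIMIT)


def evaluate(label, keyspace, attempts_per_minute):
    """Print one row of the strength table and return whether it passes."""
    p1 = single_attempt_probability(keyspace)
    pm = per_minute_probability(keyspace, attempts_per_minute)
    ok = meets_fips_bounds(keyspace, attempts_per_minute)
    print(f"{label:28s} keyspace={keyspace:.2e} single={p1:.2e} "
          f"per-minute={pm:.2e} {'PASS' if ok else 'FAIL'}")
    return ok


if __name__ == "__main__":
    attempts = max_attempts_per_minute()            # 16,071,429, as in the policy
    print(f"max associations per minute on a saturated 802.11n link: {attempts:,}")
    evaluate("WPA2-PSK, 16 ASCII chars", psk_keyspace(ascii_len=16), attempts)  # 4.4e31
    evaluate("WPA2-PSK, 64 hex digits", psk_keyspace(hex_digits=64), attempts)  # 2^256
    # Assumption: RSA attempts are capped by the same link-derived ceiling.
    evaluate("RSA-1024 certificate", rsa_keyspace(1024), attempts)              # 2^80
    evaluate("RSA-2048 certificate", rsa_keyspace(2048), attempts)              # 2^112
    # Hypothetical key shorter than the policy permits: the single-attempt
    # bound still holds, but the one-minute bound fails.
    evaluate("hypothetical 4-char PSK", psk_keyspace(ascii_len=4), attempts)
```

Run it and the first four rows pass both limits while the hypothetical 4-character key fails only the per-minute check; that is why the policy bounds the attempt rate before it bounds the keyspace.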
28. 2.4.1.2 Interfaces ... 14
2.4.1.3 Indicator LEDs ... 15
3 Module Objectives ... 16
3.1 Security Levels ... 16
3.2 Physical Security ... 16
3.2.1 Applying TELs ... 16
3.2.2 AP-92 TEL Placement ... 17
3.2.2.1 To detect access to restricted ports ... 17
3.2.2.2 To detect opening of the chassis cover ... 17
3.2.3 AP-93 TEL Placement ... 19
3.2.3.1 To detect access to restricted ports ... 19
3.2.3.2 To detect opening of the chassis cover ... 19
3.2.4 AP-105 TEL Placement ... 21
3.2.4.1 To detect opening of the chassis cover ... 21
3.2.4.2 To detect access to restricted ports ... 21
3.2.5 AP-175 TEL Placement ... 23
3.2.5.1 To detect access to restricted ports ... 23
3.2.5.2 To detect opening of the chassis cover ... 23
3.2.6 Inspection/Testing of Physical Security Mechanisms
3.3 Modes of Operation ... 26
3.3.1 Configuring Remote AP FIPS Mode ... 26
3.3.2 Configuring Control Plane Security (CPSec) protected AP FIPS mode ... 27
3.3.3 Configuring Remote Mesh Portal FIPS Mode ... 28
3.3.4 Configuring Remote Mesh Point FIPS Mode
29. etwork ports by analyzing the packet headers and contents.

4 Roles, Authentication and Services

4.1 Roles
The module supports the roles of Crypto Officer, User and Wireless Client; no additional roles (e.g. Maintenance) are supported. Administrative operations carried out by the Aruba Mobility Controller map to the Crypto Officer role. The Crypto Officer has the ability to configure, manage and monitor the module, including the configuration, loading and zeroization of CSPs. Defining characteristics of the roles depend on whether the module is configured as a Remote AP or as a Remote Mesh Portal.

• Remote AP
  o Crypto Officer role: the Crypto Officer is the Aruba Mobility Controller, which has the ability to configure, manage and monitor the module, including the configuration, loading and zeroization of CSPs.
  o User role: in the standard configuration, the User operator shares the same services and authentication techniques as the Mobility Controller in the Crypto Officer role.
  o Wireless Client role: in Remote AP configuration, a wireless client can create a connection to the module using WPA2 and access wireless network access (bridging) services. In advanced Remote AP configuration, when the Remote AP cannot communicate with the controller, the wireless client role authenticates to the module via WPA2-PSK only.
• CPSec AP
  o Crypto Officer role: the Crypto Officer is the Aruba Mobility Controller, which has the abi
30. gurations, configure a WPA2-PSK which is 16 ASCII characters or 64 hexadecimal digits in length; generation of such keys is outside the scope of this policy.
4. Enable FIPS mode on the controller. This is accomplished by going to the Configuration > Network > Controller > System Settings page (this is the default page when you click the Configuration tab) and clicking the "FIPS Mode for Mobility Controller Enable" checkbox.
5. Enable FIPS mode on the AP. This is accomplished by going to the Configuration > Wireless > AP Configuration > AP Group page. There you click the Edit button for the appropriate AP group and then select AP > AP System Profile. Then check the "Fips Enable" box, click Apply and save the configuration.
6. If the staging controller does not provide PoE, either ensure the presence of a PoE injector for the LAN connection between the module and the controller, or ensure the presence of a DC power supply appropriate to the particular model of the module.
7. Connect the module via an Ethernet cable to the staging controller; note that this should be a direct connection, with no intervening network or devices. If PoE is being supplied by an injector, this represents the only exception. That is, nothing other than a PoE injector should be present between the module and the staging controller.
8. Once the module is connected to the controller by the Ethernet cable, navigate to the Configuratio
31. her mode requires the module to be re-provisioned and rebooted before any new configured mode can be enabled.

The access point is managed by an Aruba Mobility Controller in FIPS mode, and access to the Mobility Controller's administrative interface via a non-networked general-purpose computer is required to assist in placing the module in FIPS mode. The controller used to provision the AP is referred to below as the "staging controller". The staging controller must be provisioned with the appropriate firmware image for the module, which has been tested to FIPS 140-2, prior to initiating AP provisioning.

After setting up the Access Point by following the basic installation instructions in the module User Manual, the Crypto Officer performs the following steps.

3.3.1 Configuring Remote AP FIPS Mode
1. Apply TELs according to the directions in section 3.2.
2. Log into the administrative console of the staging controller.
3. Deploying the AP in Remote FIPS mode, configure the controller for supporting Remote APs. For detailed instructions and steps, see Section "Configuring the Secure Remote Access Point Service" in Chapter "Remote Access Points" of the Aruba OS User Manual.
4. Enable FIPS mode on the controller. This is accomplished by going to the Configuration > Network > Controller > System Settings page (this is the default page when you click the Configuration tab) and clicking the "FIPS Mode for Mobility Controller Enable" ch
32. key establishment schemes:
• Diffie-Hellman key agreement (key establishment methodology provides 80 bits of encryption strength)

6 Critical Security Parameters
The following Critical Security Parameters (CSPs) are used by the module.

CSP: Key Encryption Key (KEK)
CSP type: Triple-DES 168-bit key
Generation: hard-coded
Storage and zeroization: stored in flash; zeroized by the "ap wipe out flash" command
Use: encrypts IKEv1/IKEv2 pre-shared keys and configuration parameters

CSP: IKEv1/IKEv2 pre-shared secret
CSP type: 64-character pre-shared key
Generation: CO configured
Storage and zeroization: encrypted in flash using the KEK; zeroized by updating through the administrative interface or by the "ap wipe out flash" command
Use: module and Crypto Officer authentication during IKEv1/IKEv2; entered into the module in plaintext during initialization and encrypted over the IPSec session subsequently

CSP: IPSec session encryption keys
CSP type: 168-bit Triple-DES or 128/192/256-bit AES keys
Generation: established during Diffie-Hellman key agreement
Storage and zeroization: stored in plaintext in volatile memory; zeroized when the session is closed or the system powers off
Use: secure IPSec traffic

CSP: IPSec session authentication keys
CSP type: HMAC-SHA-1 keys
Generation: established during Diffie-Hellman key agreement
Storage and zeroization: stored in plaintext in volatile memory; zeroized when the session is closed or the system powers off
Use: secure IPSec traffic
33. latile memory; zeroized on reboot.
Stored in and protected by the AP's non-volatile memory; zeroized by the "ap wipe out flash" command.
Used to derive the Group Transient Key (GTK).
Used to derive multicast cryptographic keys.
Used to protect multicast message confidentiality and integrity (AES-CCM).
Used for IKEv1/IKEv2 authentication when the AP is authenticating using certificate-based authentication.

7 Self Tests
The module performs the following self-tests after being configured into either Remote AP mode or Remote Mesh Portal mode. The module performs both power-up and conditional self-tests. In the event any self-test fails, the module enters an error state, logs the error, and reboots automatically.

The module performs the following power-up self-tests:
• Aruba hardware known answer tests
  o AES KAT
  o HMAC-SHA1 KAT
  o Triple-DES KAT
• ArubaOS OpenSSL AP Module
  o AES KAT
  o HMAC (HMAC-SHA1, HMAC-SHA256 and HMAC-SHA384) KAT
  o RNG KAT
  o RSA KAT
  o SHS (SHA1, SHA256 and SHA384) KAT
  o Triple-DES KAT
• ArubaOS Cryptographic Module
  o AES KAT
  o HMAC (HMAC-SHA1, HMAC-SHA256, HMAC-SHA384 and HMAC-SHA512) KAT
  o FIPS 186-2 RNG KAT
  o RSA sign/verify
  o SHS (SHA1, SHA256, SHA384 and SHA512) KAT
  o Triple-DES KAT
• ArubaOS Uboot Bootloader Module
  o Firmware Integrity Test: RSA 2048-bit signature validation
• Aruba Atheros hardware CCM
  o AES-CCM KAT

The following conditional self-tests are performed in the
34. levels for each of the areas described in the FIPS 140-2 Standard. In addition, it provides information on placing the module in a FIPS 140-2 approved configuration.

3.1 Security Levels
Section / Section Title / Level
1 Cryptographic Module Specification: 2
2 Cryptographic Module Ports and Interfaces: 2
3 Roles, Services, and Authentication: 2
4 Finite State Model: 2
5 Physical Security: 2
6 Operational Environment: N/A
7 Cryptographic Key Management: 2
8 EMI/EMC: 2
9 Self-Tests: 2
10 Design Assurance: 2
11 Mitigation of Other Attacks: N/A

3.2 Physical Security
The Aruba Wireless AP is a scalable, multi-processor standalone network device and is enclosed in a robust plastic housing. The AP enclosure is resistant to probing (please note that this feature has not been tested as part of the FIPS 140-2 validation) and is opaque within the visible spectrum. The enclosure of the AP has been designed to satisfy FIPS 140-2 Level 2 physical security requirements.

3.2.1 Applying TELs
The Crypto Officer is responsible for securing and having control at all times of any unused tamper-evident labels. The Crypto Officer should employ TELs as follows:
• Before applying a TEL, make sure the target surfaces are clean and dry.
• Do not cut, trim, punch, or otherwise alter the TEL.
• Apply the wholly intact TEL firmly and completely to the target surfaces.
• Ensure that TEL placement is not defeated by simultaneous removal of multiple modules.
• Allow 24 hours for the TEL adhesive seal to completely cure.
• Record
35. lity to configure, manage and monitor the module, including the configuration, loading and zeroization of CSPs.
  o User role: in the standard configuration, the User operator shares the same services and authentication techniques as the Mobility Controller in the Crypto Officer role.
  o Wireless Client role: in CPSec AP configuration, a wireless client can create a connection to the module using WPA2 and access wireless network access services.
• Mesh AP (Mesh Point or Remote Mesh Portal configuration)
  o Crypto Officer role: the Crypto Officer is the Aruba Mobility Controller, which has the ability to configure, manage and monitor the module, including the configuration, loading and zeroization of CSPs.
  o User role: the second, third, or nth AP in a given mesh cluster.
  o Wireless Client role: in Mesh AP configuration, a wireless client can create a connection to the module using WPA2 and access wireless network access services.

4.1.1 Crypto Officer Authentication
In each of the FIPS approved modes, the Aruba Mobility Controller implements the Crypto Officer role. Connections between the module and the Mobility Controller are protected using IPSec. Crypto Officer authentication is accomplished via either proof of possession of the IKEv1/IKEv2 pre-shared key or an RSA certificate, which occurs during the IKEv1/IKEv2 key exchange.

4.1.2 User Authentication
Authentication for the User role depends on the module configuration. When the module is
36. module:
• Continuous Random Number Generator Test. This test is run upon generation of random data by the module's random number generators to detect failure to a constant value. The module stores the first random number for subsequent comparison; thereafter it compares each newly generated random number with the one generated in the previous round and enters an error state if the two values are equal. The test is performed for the approved as well as the non-approved RNGs.
• RSA pairwise consistency test
• Firmware load test

These self-tests are run for the Atheros hardware cryptographic implementation as well as for the Aruba OpenSSL and ArubaOS cryptographic module implementations.

Self-test results are written to the serial console. In the event of a KAT failure, the AP logs different messages depending on the error.

For an ArubaOS OpenSSL AP module and ArubaOS cryptographic module KAT failure:
AP rebooted DATE TIME: Restarting System: SW FIPS KAT failed

For an AES Atheros hardware POST failure:
Starting HW SHA1 KAT ...
Completed HW SHA1 KAT
Starting HW HMAC-SHA1 KAT ...
Completed HW HMAC-SHA1 KAT
Starting HW DES KAT ...
Completed HW DES KAT
Starting HW AES KAT ...
Restarting system
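To make the two self-test mechanisms of section 7 concrete, both the power-up known-answer tests listed earlier and the continuous random number generator test described just above, the following is an added example written for this page; it is not the module's own self-test code. Because the policy does not publish the module's test vectors, the KATs use public ones (the SHA "abc" digests and the RFC 2202 / RFC 4231 HMAC "Hi There" vectors), and the stuck-at-zero byte source used to trip the CRNGT is constructed for the demonstration. The error state (log and reboot) is modelled as an exception.

```python
"""Power-up KATs and the continuous RNG test of section 7 (added example)."""
import hashlib
import hmac
import os


class SelfTestError(Exception):
    """A self-test failed: the module would enter the error state, log and reboot."""


# (name, function producing the actual digest, expected digest); public vectors
KATS = [
    ("SHA1", lambda: hashlib.sha1(b"abc").hexdigest(),
     "a9993e364706816aba3e25717850c26c9cd0d89d"),
    ("SHA256", lambda: hashlib.sha256(b"abc").hexdigest(),
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("SHA384", lambda: hashlib.sha384(b"abc").hexdigest(),
     "cb00753f45a35e8bb5a03d699ac65007272c32ab0eded1631a8b605a43ff5bed"
     "8086072ba1e7cc2358baeca134c825a7"),
    ("SHA512", lambda: hashlib.sha512(b"abc").hexdigest(),
     "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
     "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"),
    ("HMAC-SHA1", lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha1).hexdigest(),
     "b617318655057264e28bc0b6fb378c8ef146be00"),
    ("HMAC-SHA256", lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha256).hexdigest(),
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
]


def run_kats(kats=KATS):
    """Run every KAT in order; return the names that passed, or raise on the
    first mismatch (after which a real module offers no cryptographic service)."""
    passed = []
    for name, compute, expected in kats:
        if not hmac.compare_digest(compute(), expected):
            raise SelfTestError(f"SW FIPS KAT failed: {name}")
        passed.append(name)
    return passed


class ContinuousRngTest:
    """FIPS 140-2 continuous RNG test wrapped around a block source.

    The first block is stored and never released; every later block is compared
    with its predecessor and rejected if the two are equal (stuck-at-constant).
    """

    def __init__(self, source, block_size=16):
        self._source = source          # callable: number of bytes -> bytes
        self._block_size = block_size
        self._previous = source(block_size)

    def next_block(self):
        block = self._source(self._block_size)
        if block == self._previous:
            raise SelfTestError("continuous RNG test failed: repeated output block")
        self._previous = block
        return block


def power_up(rng_source=os.urandom):
    """Power-up sequence: all KATs must pass before the RNG is armed for use."""
    run_kats()
    return ContinuousRngTest(rng_source)


def self_test_demo():
    """Exercise both paths; returns (names of passing KATs, whether the CRNGT
    caught a constructed stuck-at-zero source)."""
    passed = run_kats()
    stuck = ContinuousRngTest(lambda n: b"\x00" * n)   # constructed faulty source
    try:
        stuck.next_block()
        detected = False
    except SelfTestError:
        detected = True
    return passed, detected


if __name__ == "__main__":
    names, caught = self_test_demo()
    print("KATs passed:", ", ".join(names))
    print("CRNGT detected stuck RNG:", caught)
    rng = power_up()
    print("first usable random block:", rng.next_block().hex())
```

Note that the comparison in `run_kats` uses a constant-time digest compare and that the first CRNGT block is consumed rather than returned, exactly as the policy's description of storing the first random number implies.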
37. mware and configuration.
10. Terminate the administrative session.
11. Disconnect the module from the staging controller and install it on the deployment network; when power is applied, the module will attempt to discover and connect to an Aruba Mobility Controller on the network.
12. Verify that the module is in FIPS mode.

3.3.5 Verify that the module is in FIPS mode
For all the approved modes of operation, in either Remote AP FIPS mode, Control Plane Security AP FIPS mode, Remote Mesh Portal FIPS mode or Mesh Point FIPS mode, do the following to verify that the module is in FIPS mode:
1. Log into the administrative console of the Aruba Mobility Controller.
2. Verify that the module is connected to the Mobility Controller.
3. Verify that the module has FIPS mode enabled by issuing the command "show ap ap-name <ap-name> config".
4. Terminate the administrative session.

3.4 Operational Environment
The operational environment is non-modifiable. The Operating System (OS) is Linux, a real-time multi-threaded operating system that supports memory protection between processes. Access to the underlying Linux implementation is not provided directly. Only Aruba-provided Crypto Officer interfaces are used. There is no user interface provided.

3.5 Logical Interfaces
The physical interfaces are divided into logical interfaces defined by FIPS 140-2, as described in the following table.

Table 6: FIPS 140-2 Logical Interfaces
FIPS 140-2 Logical Interface / Module Physical Interface
Data Input Interface: 10/100/1000 Ethernet ports
38. n > Wireless > AP Installation page, where you should see an entry for the AP. Select that AP and click the Provision button, which will open the provisioning window. Now provision the AP as Remote Mesh Point by filling in the form appropriately. Detailed steps are listed in Section "Provisioning an Individual AP" of Chapter "The Basic User-Centric Networks" of the Aruba OS User Guide. Click Apply and Reboot to complete the provisioning process.
  a. During the provisioning process as Remote Mesh Point, if "Pre-shared key" is selected as the Remote IP Authentication Method, the IKE pre-shared key, which is at least 8 characters in length, is input to the module during provisioning. Generation of this key is outside the scope of this policy. In the initial provisioning of an AP this key will be entered in plaintext; subsequently, during provisioning, it will be entered encrypted over the secure IPSec session. If certificate-based authentication is chosen, the AP's RSA key pair is used to authenticate the AP to the controller during IPSec. The AP's RSA private key is contained in the AP's non-volatile memory and is generated at manufacturing time in the factory.
  b. During the provisioning process as Mesh Point, the WPA2-PSK is input to the module via the corresponding Mesh cluster profile. This key is stored on flash, encrypted.
9. Via the logging facility of the staging controller, ensure that the module (the AP) is successfully provisioned with fir
39. 3.3.5 Verify that the module is in FIPS mode ... 30
3.4 Operational Environment ... 30
3.5 Logical Interfaces ... 31
4 Roles, Authentication and Services ... 32
4.1 Roles ... 32
4.1.1 Crypto Officer Authentication ... 32
4.1.2 User Authentication ... 33
4.1.3 Wireless Client Authentication ... 33
4.1.4 Strength of Authentication Mechanisms ... 33
4.2 Services ... 35
4.2.1 Crypto Officer Services ... 35
4.2.2 User Services ... 36
4.2.3 Wireless Client Services ... 37
4.2.4 Unauthenticated Services ... 37
5 Cryptographic Algorithms ... 39
6 Critical Security Parameters ... 40
7 Self Tests ... 44

1 Introduction
This document constitutes the non-proprietary Cryptographic Module Security Policy for the AP-92, AP-93, AP-105 and AP-175 Wireless Access Points with FIPS 140-2 Level 2 validation from Aruba Networks. This security policy describes how the AP meets the security requirements of FIPS 140-2 Level 2 and how to place and maintain the AP in a secure FIPS 140-2 mode. This policy was prepared as part of the FIPS 140-2 Level 2 validation of the product.

FIPS 140-2
40. net cable to the staging controller; note that this should be a direct connection, with no intervening network or devices. If PoE is being supplied by an injector, this represents the only exception. That is, nothing other than a PoE injector should be present between the module and the staging controller.
8. Once the module is connected to the controller by the Ethernet cable, navigate to the Configuration > Wireless > AP Installation page, where you should see an entry for the AP. Select that AP and click the Provision button, which will open the provisioning window. Now provision the AP as Remote Mesh Portal by filling in the form appropriately. Detailed steps are listed in Section "Provisioning an Individual AP" of Chapter "The Basic User-Centric Networks" of the Aruba OS User Guide. Click Apply and Reboot to complete the provisioning process.
  a. During the provisioning process as Remote Mesh Portal, if "Pre-shared key" is selected as the Remote IP Authentication Method, the IKE pre-shared key, which is at least 8 characters in length, is input to the module during provisioning. Generation of this key is outside the scope of this policy. In the initial provisioning of an AP this key will be entered in plaintext; subsequently, during provisioning, it will be entered encrypted over the secure IPSec session. If certificate-based authentication is chosen, the AP's RSA key pair is used to authenticate the AP to the controller
41. ntric network services in education, enterprise, finance, government, healthcare and retail applications.

2.1.1 Physical Description
The Aruba AP-92 series Access Point is a multi-chip standalone cryptographic module consisting of hardware and software, all contained in a hard plastic case. The module contains an 802.11a/b/g/n transceiver and supports external antennas through a dual detachable antenna interface. The plastic case physically encloses the complete set of hardware and software components and represents the cryptographic boundary of the module.

The Access Point configuration tested during the cryptographic module testing included:
Aruba Part Number: AP-92-F1; Dell Corresponding Part Number: W-AP92-F1

The exact firmware versions tested were:
• ArubaOS_6xx_6.1.2.3-FIPS
• Dell PCW_6xx_6.1.2.3-FIPS

2.1.1.1 Dimensions/Weight
The AP has the following physical dimensions:
• 120 mm x 130 mm x 35 mm (4.7" x 5.1" x 1.4")
• 255 g (9 oz)

2.1.1.2 Interfaces
The module provides the following network interfaces:
• 1x 10/100/1000 Base-T Ethernet (RJ45), auto-sensing link speed and MDI/MDX
• Antenna: 2x RP-SMA antenna interfaces (supports up to 2x2 MIMO with spatial diversity)
• 1x RJ-45 console interface

The module provides the following power interfaces:
• 48 V DC 802.3af Power over Ethernet
• 12 V DC for external AC-supplied power adapter (sold separately)

2.1.1.3 Indicator LEDs
There are 4 bicolor (power, ENET and WLAN) LED
42. s, which operate as follows.

Table 2: AP-92 Indicator LEDs
PWR (AP power/ready status): Off = no power to AP; On Amber = initial power-up condition; Flashing Green = device booting, not ready; On Green = device ready
ENET (Ethernet network link status/activity): Off = Ethernet link unavailable; On Amber = 10/100 Mbps Ethernet link negotiated; On Green = 1000 Mbps Ethernet link negotiated; Flashing = Ethernet link activity
11b/g/n (2.4 GHz radio status): Off = 2.4 GHz radio disabled; On Amber = 2.4 GHz radio enabled in WLAN mode; On Green = 2.4 GHz radio enabled in 802.11n mode; Flashing Green = 2.4 GHz Air monitor or RFprotect sensor
11a/n (5 GHz radio status): Off = 5 GHz radio disabled; On Amber = 5 GHz radio enabled in WLAN mode; On Green = 5 GHz radio enabled in 802.11n mode; Flashing Green = 5 GHz Air monitor or RFprotect sensor

2.2 AP-93
This section introduces the Aruba AP-93 Wireless Access Point (AP) with FIPS 140-2 Level 2 validation. It describes the purpose of the AP, its physical attributes and its interfaces.

Figure 2: AP-93 Wireless Access Point

The Aruba AP-93 is a robust-performance 802.11n (2x2:2 MIMO) single-radio access point supporting 2.4 GHz or 5 GHz 802.11a/b/g/n indoor wireless access, capable of delivering wireless data rates of up to 300 Mbps. This multi-function access point provides wireless LAN access, air monitoring, and wireless intrusion detection and prevention. The access point works in conjunction wi
43. sis cover
2. Spanning the bottom and top chassis covers on the left side
3. Spanning the bottom and top chassis covers on the right side

Following is the TEL placement for the AP-93.
Figure 10: Aruba AP-93 TEL placement, front view
Figure 11: Aruba AP-93 TEL placement, left view
Figure 12: Aruba AP-93 TEL placement, right view
Figure 13: Aruba AP-93 TEL placement, bottom view
Figure 14: Aruba AP-93 TEL placement, top view

3.2.4 AP-105 TEL Placement
This section displays all the TEL locations of the Aruba AP-105. The AP-105 requires a minimum of 3 TELs to be applied as follows.

3.2.4.1 To detect opening of the chassis cover
1. Spanning the bottom and top chassis covers on the left side
2. Spanning the bottom and top chassis covers on the right side

3.2.4.2 To detect access to restricted ports
3. Spanning the serial port

Following is the TEL placement for the AP-105.
Figure 15: Aruba AP-105 TEL placement, front view
Figure 16: Aruba AP-105 TEL placement, left view
Figure 17: Aruba AP-105 TEL placement, right view (callout: Power Input Inlet)
Figure 18: Aruba AP-105 TEL placement, top view
Figure 19: Aruba AP-105 TEL placement, bottom view

3.2.5 AP-175 TEL Placement
This section displays all the TEL locations of the Aruba AP-175. The AP-175 requires a minimum of 6 TELs to be applied as follows.

3.2.5.1 To detect access to restricted ports
1. Spanning the USB
44. th Aruba Mobility Controllers to deliver high-speed, secure user-centric network services in education, enterprise, finance, government, healthcare and retail applications.

2.2.1 Physical Description
The Aruba AP-93 series Access Point is a multi-chip standalone cryptographic module consisting of hardware and software, all contained in a hard plastic case. The module contains an 802.11a/b/g/n transceiver and 2 integrated omni-directional multi-band dipole antenna elements, supporting up to 2x2 MIMO with spatial diversity. The plastic case physically encloses the complete set of hardware and software components and represents the cryptographic boundary of the module.

The Access Point configuration tested during the cryptographic module testing included:
Aruba Part Number: AP-93-F1; Dell Corresponding Part Number: W-AP93-F1

The exact firmware versions tested were:
• ArubaOS_6xx_6.1.2.3-FIPS
• Dell PCW_6xx_6.1.2.3-FIPS

2.2.1.1 Dimensions/Weight
The AP has the following physical dimensions:
• 120 mm x 130 mm x 35 mm (4.7" x 5.1" x 1.4")
• 255 g (9 oz)

2.2.1.2 Interfaces
The module provides the following network interfaces:
• 1x 10/100/1000 Base-T Ethernet (RJ45), auto-sensing link speed and MDI/MDX
• Antenna: internal
• 1x RJ-45 console interface

The module provides the following power interfaces:
• 48 V DC 802.3af Power over Ethernet
• 12 V DC for external AC-supplied power adapter (sold separately)

2.2.1.3 Indicator LEDs
45. troller.
• Control Plane Security (CPSec) protected AP FIPS mode: when the module is configured as a Control Plane Security protected AP, it is intended to be deployed in a local/private location (LAN, WAN, MPLS) relative to the Mobility Controller. The module provides cryptographic processing in the form of IPSec for all control traffic to and from the Mobility Controller.
• Remote Mesh Portal FIPS mode: when the module is configured in Mesh Portal mode, it is intended to be connected over a physical wire to the Mobility Controller. These modules serve as the connection point between the Mesh Point and the Mobility Controller. Mesh Portals communicate with the Mobility Controller through IPSec and with Mesh Points via an 802.11i session. The Crypto Officer role is the Mobility Controller, which authenticates via the IKEv1/IKEv2 pre-shared key or RSA certificate authentication method, and Users are the n Mesh Points, which authenticate via the 802.11i pre-shared key.
• Mesh Point FIPS mode: an AP that establishes a wireless path to the Remote Mesh Portal in FIPS mode over 802.11, and an IPSec tunnel via the Remote Mesh Portal to the controller.

This section explains how to place the module in FIPS mode in either Remote AP FIPS mode, Control Plane Security AP FIPS mode, Remote Mesh Portal FIPS mode or Mesh Point FIPS mode, and how to verify that it is in FIPS mode. An important point in the Aruba APs is that to change configurations from any one mode to any ot
46. vice / Description / CSPs Accessed (see section 6 below for a complete description of CSPs)
(continued from the previous row)
• 802.11i AES-CCM key
• 802.11i GMK
• 802.11i GTK

Use of WPA pre-shared key for establishment of IEEE 802.11i keys: When the module is in mesh configuration, the inter-module mesh links are secured with 802.11i. This is authenticated with a shared secret. CSPs accessed: WPA2-PSK.

4.2.3 Wireless Client Services
The following module services are provided for the Wireless Client role in each of the FIPS approved modes defined in section 3.3.

Service / Description / CSPs Accessed (see section 6 below for a complete description of CSPs)

Generation and use of 802.11i cryptographic keys: In all modes, the links between the module and the wireless client are secured with 802.11i. CSPs accessed:
• 802.11i PMK
• 802.11i PTK
• 802.11i EAPOL MIC Key
• 802.11i EAPOL Encryption Key
• 802.11i AES-CCM key
• 802.11i GMK
• 802.11i GTK

Use of WPA pre-shared key for establishment of IEEE 802.11i keys: When the module is in advanced Remote AP configuration, the links between the module and the wireless client are secured with 802.11i. This is authenticated with a shared secret only. CSPs accessed: WPA2-PSK.

Wireless bridging services: The module bridges traffic between the wireless client and the wired network.

4.2.4 Unauthenticated Services
The module provides the following unauthenticated services, which are available regardless of role. No CSPs are accessed by these services.

System status: SYSLOG