Dell W- AP92, W-AP105, AP-92 Roles, Authentication and Services, Crypto Officer Authentication


4 Roles, Authentication and Services

4.1 Roles

The module supports the roles of Crypto Officer, User, and Wireless Client; no additional roles (e.g., Maintenance) are supported. Administrative operations carried out by the Aruba Mobility Controller map to the Crypto Officer role. The Crypto Officer has the ability to configure, manage, and monitor the module, including the configuration, loading, and zeroization of CSPs.

The defining characteristics of the roles depend on whether the module is configured in Remote AP mode or in Remote Mesh Portal mode.

Remote AP:

o Crypto Officer role: the Crypto Officer is the Aruba Mobility Controller that has the ability to configure, manage, and monitor the module, including the configuration, loading, and zeroization of CSPs.

o User role: in the standard configuration, the User operator shares the same services and authentication techniques as the Mobility Controller in the Crypto Officer role.

o Wireless Client role: in Remote AP configuration, a wireless client can create a connection to the module using WPA2 and access wireless network access/bridging services. In advanced Remote AP configuration, when the Remote AP cannot communicate with the controller, the wireless client role authenticates to the module via WPA2-PSK only.

CPSec AP:

o Crypto Officer role: the Crypto Officer is the Aruba Mobility Controller that has the ability to configure, manage, and monitor the module, including the configuration, loading, and zeroization of CSPs.

o User role: in the standard configuration, the User operator shares the same services and authentication techniques as the Mobility Controller in the Crypto Officer

o Wireless Client role: in CPSec AP configuration, a wireless client can create a connection to the module using WPA2 and access wireless network access services.

Mesh AP (Mesh Point or Remote Mesh Portal configuration):

o Crypto Officer role: the Crypto Officer role is the Aruba Mobility Controller that has the ability to configure, manage, and monitor the module, including the configuration, loading, and zeroization of CSPs.

o User role: the second (or third, or nth) AP in a given mesh cluster

o Wireless Client role: in Mesh AP configuration, a wireless client can create a connection to the module using WPA2 and access wireless network access services.

4.1.1 Crypto Officer Authentication

In each of the FIPS-approved modes, the Aruba Mobility Controller implements the Crypto Officer role. Connections between the module and the mobility controller are protected using IPSec. Crypto Officer authentication is accomplished via proof of possession of either the IKEv1/IKEv2 pre-shared key or the RSA certificate, which occurs during the IKEv1/IKEv2 key exchange.
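What proof of possession of the pre-shared key looks like in the IKEv2 case, as an added example that is not part of this security policy or of the vendor's code. The AUTH computation follows RFC 7296, section 2.15; the HMAC-SHA-256 PRF, the function names, and every sample value are assumptions made for illustration.

```python
import hashlib
import hmac
import os

KEY_PAD = b"Key Pad for IKEv2"  # fixed pad string from RFC 7296, section 2.15


def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: the negotiated PRF is HMAC-SHA-256.
    return hmac.new(key, data, hashlib.sha256).digest()


def signed_octets(ike_sa_init_msg: bytes, peer_nonce: bytes,
                  sk_p: bytes, id_body: bytes) -> bytes:
    # Sender's own IKE_SA_INIT message | peer's nonce | prf(SK_p, ID payload body)
    return ike_sa_init_msg + peer_nonce + prf(sk_p, id_body)


def psk_auth(psk: bytes, octets: bytes) -> bytes:
    # AUTH = prf(prf(PSK, "Key Pad for IKEv2"), SignedOctets)
    return prf(prf(psk, KEY_PAD), octets)


def verify_auth(psk: bytes, octets: bytes, received_auth: bytes) -> bool:
    # Recompute AUTH with the locally configured PSK; compare in constant time.
    return hmac.compare_digest(psk_auth(psk, octets), received_auth)


def demo() -> dict:
    # Constructed sample values; none come from the module or its policy.
    controller_psk = b"constructed-sample-psk"
    msg = bytes(8) + b"constructed IKE_SA_INIT bytes"
    ap_nonce = os.urandom(32)          # nonce chosen by the verifying side
    sk_p = os.urandom(32)              # stands in for the derived SK_p key
    id_body = b"\x02\x00\x00\x00controller.example"  # ID_FQDN + reserved
    octets = signed_octets(msg, ap_nonce, sk_p, id_body)
    auth = psk_auth(controller_psk, octets)  # value the controller would send
    stale = signed_octets(msg, os.urandom(32), sk_p, id_body)
    return {
        "same_psk": verify_auth(controller_psk, octets, auth),
        "wrong_psk": verify_auth(b"some-other-psk", octets, auth),
        "stale_nonce": verify_auth(controller_psk, stale, auth),
    }


if __name__ == "__main__":
    print(demo())
```

Because the verifier's fresh nonce is part of the signed octets, an AUTH value captured from an earlier exchange does not verify in a new one.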
