Dell W-AP135, AP-134, AP-135 Roles, Authentication and Services, Crypto Officer Authentication

Page 22

4 Roles, Authentication and Services

4.1 Roles

The module supports the roles of Crypto Officer, User, and Wireless Client; no additional roles (e.g., Maintenance) are supported. Administrative operations carried out by the Aruba Mobility Controller map to the Crypto Officer role. The Crypto Officer has the ability to configure, manage, and monitor the module, including the configuration, loading, and zeroization of CSPs.

Defining characteristics of the roles depend on whether the module is configured as a Remote AP mode or as a Remote Mesh Portal mode.

Remote AP:

oCrypto Officer role: the Crypto Officer is the Aruba Mobility Controller that has the ability to configure, manage, and monitor the module, including the configuration, loading, and zeroization of CSPs.

oUser role: in the standard configuration, the User operator shares the same services and authentication techniques as the Mobility Controller in the Crypto Officer role.

oWireless Client role: in Remote AP configuration, a wireless client can create a connection to the module using WPA2 and access wireless network access/bridging services. In advanced Remote AP configuration, when Remote AP cannot communicate with the controller, the wireless client role authenticates to the module via WPA2-PSK only.

CPSec AP:

oCrypto Officer Role: the Crypto Officer is the Aruba Mobility Controller that has the ability to configure, manage, and monitor the module, including the configuration, loading, and zeroization of CSPs.

oUser role: in the standard configuration, the User operator shares the same services and authentication techniques as the Mobility Controller in the Crypto Officer

oWireless Client role: in CPSec AP configuration, a wireless client can create a connection to the module using WPA2 and access wireless network access services.

Mesh AP (Mesh Point or Remote Mesh Portal configuration):

oCrypto Officer Role: the Crypto Officer role is the Aruba Mobility Controller that has the ability to configure, manage, and monitor the module, including the configuration, loading, and zeroization of CSPs.

oUser role: the second (or third, or nth) AP in a given mesh cluster

oWireless Client role: in Mesh AP configuration, a wireless client can create a connection to the module using WPA2 and access wireless network access services.

4.1.1Crypto Officer Authentication

In each of FIPS approved modes, the Aruba Mobility Controller implements the Crypto Officer role. Connections between the module and the mobility controller are protected using IPSec. Crypto Officer authentication is accomplished via either proof of possession of the IKEv1/IKEv2 pre-shared key or RSA certificate, which occurs during the IKEv1/IKEv2 key exchange.

22

Page 21 Page 23
Image 22
Page 21 Page 23
Contents Fips 140-2 Non-Proprietary Security Policy Page Modes of Operation Aruba Dell Relationship Acronyms and AbbreviationsSecurity Levels Physical Security Operational Environment Logical InterfacesServices Acronyms and Abbreviations IntroductionAruba Dell Relationship CPSecSHA Physical Description Product OverviewAP-134 Aruba Part Number Dell Corresponding Part NumberENET0 AP-134 Indicator LEDs Label Function Action StatusPWR ENET1AP-135 AP-135 Indicator LEDs Label Function Action Status Physical Security Module ObjectivesSecurity Levels Applying TELs2 AP-134 TEL Placement AP-134 Front view3 AP-135 TEL Placement AP-134 Top ViewAP-135 Front view Inspection/Testing of Physical Security Mechanisms AP-135 Top viewConfiguring Remote AP Fips Mode Modes of OperationEnable Fips mode on the AP. This accomplished by going to Configuring Remote Mesh Portal Fips Mode Configuring Remote Mesh Point Fips Mode Verify that the module is in Fips mode Operational EnvironmentLogical Interfaces Fips 140-2 Logical Interface Module Physical InterfaceCrypto Officer Authentication Roles, Authentication and ServicesRoles Strength of Authentication Mechanisms User AuthenticationWireless Client Authentication Authentication Mechanism StrengthWPA2-PSK WPA2 PSK ServicesCrypto Officer Services KEKPTK User ServicesPMK Eapol MICWireless Client Services Unauthenticated Services∙ FTP ∙ Tftp ∙ NTP Cryptographic Algorithms Non-FIPS Approved AlgorithmsCritical Security Parameters HmacRNG PSK AES-CCMGMK GTKSelf Tests For an AES Atheros hardware Post failure
Top Page Image Contents