Dell W-AP134, AP-134, AP-135, W-AP135 manual User Authentication, Wireless Client Authentication

Page 23

4.1.2 User Authentication

Authentication for the User role depends on the module configuration. When the module is configured as a Remote Mesh Portal FIPS mode and Remote Mesh Point FIPS mode, the User role is authenticated via the WPA2 pre-shared key. When the module is configured as a Remote AP FIPS mode and CPSec protected AP FIPS mode, the User role is authenticated via the same IKEv1/IKEv2 pre-shared key/RSA certificate that is used by the Crypto Officer

4.1.3 Wireless Client Authentication

The wireless client role defined in each of FIPS approved modes authenticates to the module via WPA2. Please notice that WEP and/or Open System configurations are not permitted in FIPS mode. In advanced Remote AP configuration, when Remote AP cannot communicate with the controller, the wireless client role authenticates to the module via WPA2-PSK only.

4.1.4 Strength of Authentication Mechanisms

The following table describes the relative strength of each supported authentication mechanism.

Authentication

 

Mechanism Strength

Mechanism

 

 

 

 

 

IKEv1/IKEv2

 

For IKEv1/IKEv2, there are a 95^8 (=6.63 x 10^15) possible pre-shared keys.

shared secret

(CO

In order to test the guessed key, the attacker must complete an IKEv1/IKEv2

role)

 

 

aggressive mode exchange with the module. IKEv1/IKEv2 aggressive mode

 

 

 

 

consists of a 3 packet exchange, but for simplicity, let’s ignore the final

 

 

packet sent from the AP to the attacker.

 

 

An IKEv1/IKEv2 aggressive mode initiator packet with a single transform,

 

 

using Diffie-Hellman group 2, and having an eight character group name has

 

 

an IKEv1/IKEv2 packet size of 256 bytes. Adding the eight byte UDP header

 

 

and 20 byte IP header gives a total size of 284 bytes (2272 bits).

 

 

The response packet is very similar in size, except that it also contains the

 

 

HASH_R payload (an additional 16 bytes), so the total size of the second

 

 

packet is 300 bytes (2400 bits).

Assuming a link speed of 1Gbits/sec (this is the maximum rate supported by the module), this gives a maximum idealized guessing rate of 60,000,000,000

/4,672 = 12,842,466 guesses per minute. This means the odds of guessing a correct key in one minute is less than 12,842,466/ (6.63x10^15) = 1.94 x 10^- 9, which is much less than 1 in 10^5.

23

Image 23
Contents Fips 140-2 Non-Proprietary Security Policy Page Operational Environment Logical Interfaces Aruba Dell Relationship Acronyms and AbbreviationsSecurity Levels Physical Security Modes of OperationServices CPSec IntroductionAruba Dell Relationship Acronyms and AbbreviationsSHA Aruba Part Number Dell Corresponding Part Number Product OverviewAP-134 Physical DescriptionENET1 AP-134 Indicator LEDs Label Function Action StatusPWR ENET0AP-135 AP-135 Indicator LEDs Label Function Action Status Applying TELs Module ObjectivesSecurity Levels Physical SecurityAP-134 Front view 2 AP-134 TEL PlacementAP-134 Top View 3 AP-135 TEL PlacementAP-135 Front view AP-135 Top view Inspection/Testing of Physical Security MechanismsModes of Operation Configuring Remote AP Fips ModeEnable Fips mode on the AP. This accomplished by going to Configuring Remote Mesh Portal Fips Mode Configuring Remote Mesh Point Fips Mode Operational Environment Verify that the module is in Fips modeFips 140-2 Logical Interface Module Physical Interface Logical InterfacesRoles Roles, Authentication and ServicesCrypto Officer Authentication Authentication Mechanism Strength User AuthenticationWireless Client Authentication Strength of Authentication MechanismsWPA2-PSK KEK ServicesCrypto Officer Services WPA2 PSKEapol MIC User ServicesPMK PTKUnauthenticated Services Wireless Client Services∙ FTP ∙ Tftp ∙ NTP Non-FIPS Approved Algorithms Cryptographic AlgorithmsHmac Critical Security ParametersRNG AES-CCM PSKGTK GMKSelf Tests For an AES Atheros hardware Post failure