Aruba Networks FIPS 140-2 manual Modes of Operation, Configuring Remote AP Fips Mode

Page 17

3.3 Modes of Operation

The module has the following FIPS approved modes of operations:

Remote AP (RAP) FIPS mode – When the module is configured as a Remote AP, it is intended to be deployed in a remote location (relative to the Mobility Controller). The module provides cryptographic processing in the form of IPSec for all traffic to and from the Mobility Controller.

Control Plane Security (CPSec) protected AP FIPS mode – When the module is configured as a Control Plane Security protected AP it is intended to be deployed in a local/private location (LAN, WAN, MPLS) relative to the Mobility Controller). The module provides cryptographic processing in the form of IPSec for all Control traffic to and from the Mobility Controller.

Remote Mesh Portal FIPS mode – When the module is configured in Mesh Portal mode, it is intended to be connected over a physical wire to the mobility controller. These modules serve as the connection point between the Mesh Point and the Mobility Controller. Mesh Portals communicate with the Mobility Controller through IPSec and with Mesh Points via 802.11i session. The Crypto Officer role is the Mobility Controller that authenticates via IKEv1/IKEv2 pre-shared key or RSA certificate authentication method, and Users are the "n" Mesh Points that authenticate via 802.11i preshared key.

Mesh Point FIPS MODE – an AP that establishes all wireless path to the Remote Mesh portal in FIPS mode over 802.11 and an IPSec tunnel via the Remote Mesh Portal to the controller.

This section explains how to place the module in FIPS mode in either Remote AP FIPS mode, Control Plane Security AP FIPS Mode, Remote Mesh Portal FIPS mode or Mesh Point FIPS Mode. How to verify that it is in FIPS mode. An important point in the Aruba APs is that to change configurations from any one mode to any other mode requires the module to be re-provisioned and rebooted before any new configured mode can be enabled.

The access point is managed by an Aruba Mobility Controller in FIPS mode, and access to the Mobility Controller’s administrative interface via a non-networked general purpose computer is required to assist in placing the module in FIPS mode. The controller used to provision the AP is referred to below as the “staging controller”. The staging controller must be provisioned with the appropriate firmware image for the module, which has been tested to FIPS 140-2, prior to initiating AP provisioning.

After setting up the Access Point by following the basic installation instructions in the module User Manual, the Crypto Officer performs the following steps:

3.3.1 Configuring Remote AP FIPS Mode

1.Apply TELs according to the directions in section 3.2

2.Log into the administrative console of the staging controller

3.Deploying the AP in Remote FIPS mode configure the controller for supporting Remote APs, For detailed instructions and steps, see Section “Configuring the Secure Remote Access Point Service” in Chapter “Remote Access Points” of the Aruba OS User Manual.

4.Enable FIPS mode on the controller. This is accomplished by going to the Configuration > Network > Controller > System Settings page (this is the default page when you click the Configuration tab), and clicking the FIPS Mode for Mobility Controller Enable checkbox.

17

Page 16 Page 18
Image 17
Page 16 Page 18
Contents Fips 140-2 Non-Proprietary Security Policy Page Aruba Dell Relationship Acronyms and Abbreviations ServicesAruba AP-120 Series Security Levels Physical SecurityPage Aruba Dell Relationship IntroductionAcronyms and Abbreviations GHzLAN Aruba AP-120 Series Product OverviewPhysical Description Aruba Part Number Dell Corresponding Part NumberEnet Indicator LEDs Label Function Action StatusPWR Label Function Action Status Security Levels Module ObjectivesPhysical Security Applying TELsAP-124 Front view Aruba AP-124 TEL PlacementAP-124 Back view AP-124 Bottom view Aruba AP-125 TEL PlacementAP-125 Front view AP-125 Right view AP-125 Bottom view Inspection/Testing of Physical Security MechanismsModes of Operation Configuring Remote AP Fips ModeEnable Fips mode on the AP. This accomplished by going to Configuring Remote Mesh Portal Fips Mode Configuring Remote Mesh Point Fips Mode Operational Environment Verify that the module is in Fips modeFips 140-2 Logical Interfaces Module Physical Interface Logical InterfacesRoles Roles, Authentication and ServicesCrypto Officer Authentication Wireless Client Authentication User AuthenticationStrength of Authentication Mechanisms Authentication Mechanism StrengthWPA2-PSK Crypto Officer Services ServicesService Description CSPs Accessed see section WPA2 PSKService User ServicesService Description CSPs Wireless Client Services ∙ FTP ∙ Tftp ∙ NTP Unauthenticated ServicesNon-FIPS Approved Algorithms Cryptographic AlgorithmsHmac Critical Security ParametersRNG AES-CCM PSKPTK GTK GMKSelf Tests For an AES Cavium hardware Post failure
Top Page Image Contents