Aruba Networks FIPS 140-2 manual Roles, Authentication and Services, Crypto Officer Authentication

Page 23

4 Roles, Authentication and Services

4.1 Roles

The module supports the roles of Crypto Officer, User, and Wireless Client; no additional roles (e.g., Maintenance) are supported. Administrative operations carried out by the Aruba Mobility Controller map to the Crypto Officer role. The Crypto Officer has the ability to configure, manage, and monitor the module, including the configuration, loading, and zeroization of CSPs.

Defining characteristics of the roles depend on whether the module is configured as a Remote AP, CPSec AP or as a Mesh AP:

Remote AP:

o Crypto Officer role: the Crypto Officer is the Aruba Mobility Controller that has the ability to configure, manage, and monitor the module, including the configuration, loading, and zeroization of CSPs.

o User role: in the standard configuration, the User operator shares the same services and authentication techniques as the Mobility Controller in the Crypto Officer role.

o Wireless Client role: in Remote AP configuration, a wireless client can create a connection to the module using WPA2 and access wireless network access/bridging services. In advanced Remote AP configuration, when the Remote AP cannot communicate with the controller, the wireless client role authenticates to the module via WPA2-PSK only.

CPSec AP:

o Crypto Officer role: the Crypto Officer is the Aruba Mobility Controller that has the ability to configure, manage, and monitor the module, including the configuration, loading, and zeroization of CSPs.

o User role: in the standard configuration, the User operator shares the same services and authentication techniques as the Mobility Controller in the Crypto Officer role.

o Wireless Client role: in CPSec AP configuration, a wireless client can create a connection to the module using WPA2 and access wireless network access services.

Mesh AP (Mesh Point or Remote Mesh Portal configuration):

o Crypto Officer role: the Crypto Officer is the Aruba Mobility Controller that has the ability to configure, manage, and monitor the module, including the configuration, loading, and zeroization of CSPs.

o User role: the second (or third, or nth) AP in a given mesh cluster.

o Wireless Client role: in Mesh AP configuration, a wireless client can create a connection to the module using WPA2 and access wireless network access services.

4.1.1 Crypto Officer Authentication

The Aruba Mobility Controller implements the Crypto Officer role. Connections between the module and the mobility controller are protected using IPSec. Crypto Officer authentication is accomplished via proof of possession of either the IKE preshared key or the AP's RSA key pair, which occurs during the IKE key exchange. In CPSec AP mode, the AP can only authenticate using its RSA key (stored in non-volatile memory).
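As an added illustration (not code from this Security Policy or from Aruba), the following Python models the two points of the paragraph above: proof of possession of the IKE preshared key, and the rule that a CPSec AP accepts only RSA authentication. The PSK proof follows the IKEv2 AUTH construction from RFC 7296 section 2.15, AUTH = prf(prf(PSK, "Key Pad for IKEv2"), SignedOctets), with HMAC-SHA-256 as the prf; the page does not state which IKE version the module uses, so that choice, the simplified SignedOctets layout, the mode names, and the sample PSK and identities are all assumptions. The RSA branch is not shown because it needs a key library beyond the standard library.

```python
"""Hypothetical model of IKEv2-style PSK proof of possession and the
per-mode authentication policy (Remote AP: PSK or RSA; CPSec AP: RSA only).
Not Aruba's implementation; constants and sample values are constructed."""
import hashlib
import hmac
import os

KEY_PAD = b"Key Pad for IKEv2"   # fixed pad string from RFC 7296 section 2.15


def signed_octets(first_message: bytes, peer_nonce: bytes, identity: bytes) -> bytes:
    """Simplified stand-in for the RFC's <SignedOctets>: the sender's first IKE
    message, the peer's nonce and the sender's identity. Binding the peer's
    nonce makes the resulting AUTH value valid for this exchange only."""
    return first_message + peer_nonce + identity


def psk_auth_payload(psk: bytes, octets: bytes) -> bytes:
    """AUTH = prf(prf(PSK, KEY_PAD), octets), using HMAC-SHA-256 as the prf."""
    inner = hmac.new(psk, KEY_PAD, hashlib.sha256).digest()
    return hmac.new(inner, octets, hashlib.sha256).digest()


# IKE authentication methods permitted for Crypto Officer authentication per AP
# mode, as the text states them. Mesh AP is not specified on the page, so it is
# deliberately omitted; an unknown mode therefore permits nothing.
PERMITTED_METHODS = {
    "remote-ap": {"psk", "rsa"},
    "cpsec-ap": {"rsa"},
}


def verify_crypto_officer_psk(mode: str, psk: bytes, octets: bytes, auth: bytes) -> bool:
    """Verifier side (the AP). The mode policy is enforced before the proof is
    checked, so a correct PSK proof is still refused in CPSec AP mode."""
    if "psk" not in PERMITTED_METHODS.get(mode, set()):
        return False
    expected = psk_auth_payload(psk, octets)
    return hmac.compare_digest(expected, auth)   # constant-time comparison


def demo() -> dict:
    """Runs four verification scenarios and returns their outcomes."""
    psk = b"constructed-example-psk"                 # constructed sample PSK
    controller_id = b"controller.example"            # constructed identity
    msg1 = b"IKE_SA_INIT request bytes (constructed)"
    ap_nonce = os.urandom(32)
    octets = signed_octets(msg1, ap_nonce, controller_id)
    auth = psk_auth_payload(psk, octets)             # controller's AUTH payload

    # A later exchange carries a fresh AP nonce, so an old AUTH no longer matches.
    replay_octets = signed_octets(msg1, os.urandom(32), controller_id)
    return {
        "remote_ap_good_psk": verify_crypto_officer_psk("remote-ap", psk, octets, auth),
        "remote_ap_wrong_psk": verify_crypto_officer_psk("remote-ap", b"other-psk", octets, auth),
        "remote_ap_replayed": verify_crypto_officer_psk("remote-ap", psk, replay_octets, auth),
        "cpsec_ap_psk_refused": verify_crypto_officer_psk("cpsec-ap", psk, octets, auth),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Only the first scenario is accepted: a wrong PSK, a stale AUTH value presented against a new nonce, and a PSK proof offered to a CPSec AP are all rejected. Checking the mode policy before the cryptographic proof is the order a reviewer should expect, since it keeps a misconfigured peer from ever reaching the key material path.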
