Aruba Networks FIPS 140-2 4 Roles, Authentication and Services

4 Roles, Authentication and Services

The module supports the r oles of Crypto Officer, User, and Wireless Client; no additional roles (e.g.,

Maintenance) are supported. Administrative operations carried out by t he Aruba Mobility Controller map

to the Crypto Officer role. The Crypto Officer has the ability to configure, manage, and monitor t he

module, including the configuration, loading, and zeroization of CSPs.

Defining characteristics of the roles depend on whether the module is configured as a Remote AP, CPSec

AP or as a Mesh AP:

 Remote AP:

o Crypto Officer role: the Crypto Officer is the Aruba Mobility Controller that has the

ability to configure, manage, and monitor the module, including the configuration,

loading, and zeroization of CSPs.

o User role: in the standard configuration, the User op erator shares the same services and

authentication techniques as the Mobility Controller in the Crypto Officer role.

o Wireless Client role: in Remote AP configuration, a wireless client can create a

connection to t he module using W PA2 and access wireless network access/bridging

services. In advanced Remote AP configuration, when Remote AP cannot communicate

with the controller, the wireless client role authenticates to the module via WPA2-PSK

only.

 CPSec AP:

o Crypto Officer role: the Cr ypto Officer is the Aruba Mobility Controller that has the

ability to configure, manage, and monitor the module, including the configuration,

loading, and zeroization of CSPs.

o User role: in the standard configuration, the User op erator shares the same services a nd

authentication techniques as the Mobility Controller in the Crypto Officer

o Wireless Client role: in CPSec AP configuration, a wireless client can create a connection

to the module using WPA2 and access wireless network access services.

 Mesh AP (Mesh Point or Remote Mesh Portal configuration):

o Crypto Officer role: the Crypto Officer r ole is the Aruba Mobility Controller that has the

ability to configure, manage, and monitor the module, including the configuration,

loading, and zeroization of CSPs.

o User role: the second (or third, or nth) AP in a given mesh cluster

o Wireless Client role: in Mesh AP configuration, a wireless client can create a connection

to the module using WPA2 and access wireless network access services.

The Aruba Mobility Controller implements the Crypto Officer role. Connections between the module and

the mobility controller are protected using IPSec. Crypto Officer authentication is accomplished via either

proof of possession of the IKE preshared key or AP’s RSA key pair, which occurs during the IKE key

exchange. In CPSec AP mode, AP can only authenticate using RSA key (stored in non-volatile memory).