26
3.3 Modes of Operation The module has the following FIPS approved modes of operations:
• Remote AP (RAP) FIPS mode – When the module is configured as a Remote AP, it is i ntended to
be deplo yed in a remote location (relative to the Mobility Co ntroller). The module provides
cryptographic processing in the form of IPSec for all traffic to and from the Mobility Controller.
• Control Plane Security (CPSec) protected AP FIPS mode – When the module is configured as a
Control Plane Security protected AP it is intended to be deployed in a local/private location ( LAN,
WAN, MPLS) relative to the Mobility Controller). The mod ule provides cryptographic processing
in the form of IPSec for all Control traffic to and from the Mobility Controller.
• Remote Mesh Portal FIPS mode – When the module is configured in Mesh P ortal mode, it is
intended to be connected over a physical wire to the mobilit y controller. These modules serve as
the connection point between the Mesh Point and the Mo bility Controller. Mesh Portals
communicate with t he Mobilit y Controller throug h IPSec and with Mesh Points via 802.11i
session. The Crypto Officer role is the Mobility Controller that authenticates via IKEv1/IKEv2
pre-shared key or RSA certificate authentication method , and Users are the "n" Mesh Points that
authenticate via 802.11i preshared key.
• Mesh Point FIPS MODE – an AP that establishes all wireless path to the Remote Me sh portal in
FIPS mode over 802.11 and an IPSec tunnel via the Remote Mesh Portal to the controller.
This section explains how to place the module in FIPS mode in either Remote AP FIPS mode, Control
Plane Security AP FIPS Mode, Re mote Mesh Portal FIPS mode or Mesh Point FIPS Mode. How to verify
that it is in FIPS mode. An important p oint in the Aruba APs is that to change configurations from any one
mode to any other mode requires t he module to be re-provisioned and rebooted before any new configured
mode can be enabled.
The access point is managed by an Aruba Mobility Controller in FIPS mode, and access to the Mobility
Controller’s administrative interface via a non-networked general purpose computer is required to assist in
placing the module in FIPS mode. The controller used to provision the AP is referred to below as the
“staging controller”. The staging controller must be provisioned with the appropriate firmware image for
the module, which has been tested to FIPS 140-2, prior to initiating AP provisioning.
After setting up the Access Point by following the basic installation instructions in the module User
Manual, the Crypto Officer performs the following steps:
3.3.1 Configuring Remote AP FIPS Mode
1. Apply TELs according to the directions in section 3.2
2. Log into the administrative console of the staging controller
3. Deploying the AP in Remote FIPS mode configure the controller for supporting Remote APs, For
detailed instructions and steps, see Section “Configuring the Secure Remote Access Point Service”
in Chapter “Remote Access Points” of the Aruba OS User Manual.
4. Enable FIPS mode on the controller. This is accomplished by going to the Configuration > Network
> Controller > System Settings page (this is the default page when you click the Configuration tab), and
clicking the FIPS Mode for Mobility Controller Enable checkbox.
5. Enable FIPS mode on the AP. This accomplished by going to the Configuration > Wireless > AP
Configuration > AP Group p age. There, you click the Edit button for th e appropriate AP group, and then
select AP > AP System Profile. Then, check the “Fips Enable” box, check “Apply”, and save the
configuration.