Dell W-AP92, W-AP93, W-AP104, W-AP105, and W-AP175
Wireless Access Points with Dell AOS FIPS Firmware
Non-Proprietary Security Policy FIPS 140-2
January 26, 2015
This is to advise that the Aruba Networks document entitled “FIPS 140-2 Non-Proprietary Security
Policy for Aruba AP-92, AP-93, AP-104, AP-105, and AP-175 Wireless Access Points” Version 2.1, dated
August 2014, applies to Dell W-AP92, W-AP93, W-AP104, W-AP105, and W-AP175 Wireless Access Points
with Dell AOS FIPS Firmware. Aruba Networks is the Original Equipment Manufacturer (OEM) for the
Dell Networking W-Series of products. This document, provided below, is applicable for use by Dell W-Series customers for security policy information and instruction on how to place and maintain the
Wireless Access Points in a secure FIPS 140-2 mode.
Dell Networking W-Series products are equivalent in features and functionality to the corresponding
Aruba Networks product models. Accordingly, the Dell AOS FIPS firmware is the validated ArubaOS FIPS
firmware version, with the exception of branding. When using the FIPS Security Policy document, the
screenshots, configurations, TEL placement locations, and images can be applied to Dell Networking W-Series products without any need for changes.
Product Name Mapping:
Aruba Networks Model name | Dell Networking Model name | Description
Aruba AP-92-F1 | W-AP92-F1 | Wireless AP, 11n, external Antennas
Aruba AP-93-F1 | W-AP93-F1 | Wireless AP, 11n, internal Antennas
Aruba AP-104-F1 | W-AP104-F1 | Wireless AP, 11n, external Antennas
Aruba AP-105-F1 | W-AP105-F1 | Wireless AP, 11n, internal Antennas
Aruba AP-175-F1 | W-AP175P-F1 | Outdoor AP, 11n, external Antenna, with POE port
Aruba AP-175AC-F1 | W-AP175AC-F1 | Outdoor AP, 11n, external Antenna
Aruba AP-175DC-F1 | No Dell Model | Discontinued Outdoor AP, DC power

These models include Aruba FIPS kit 4010061-01 (contains tamper evident labels)

The exact firmware version validated was ArubaOS 6.3.1.7-FIPS
The Dell Networking W-Series products are rebranded for Dell customers, as shown in the product
images below.
Dell W-AP92/3, W-AP104/5 and W-AP175 Wireless Access Points FIPS 140-2
Dell Networking W-AP92 and W-AP93 Product Images (no rebranding of the exterior, except labeling):
Aruba Networks AP-92 and AP-93 Product Images:
Dell Networking W-AP104 and W-AP105 Product Images (no rebranding of the exterior, except labeling):
Aruba Networks AP-104 and AP-105 Product Images:
Dell Networking W-AP175 Product Image:
Aruba Networks AP-175 Product Image:
If you have questions or concerns, please contact Dell Technical Support at www.dell.com/support.
Additional product documentation is also available by device under user manuals.
Attachment: FIPS 140-2 Non-Proprietary Security Policy for Aruba AP-92, AP-93, AP-104, AP-105, and
AP-175 Wireless Access Points
FIPS 140-2 Non-Proprietary Security Policy
for Aruba AP-92, AP-93, AP-104, AP-105, AP-175
Wireless Access Points
Version 2.1
August 2014
Aruba Networks™
1322 Crossman Ave.
Sunnyvale, CA 94089-1113
Copyright
© 2014 Aruba Networks, Inc. Aruba Networks trademarks include
Aruba Networks®, Aruba Wireless Networks®, the registered Aruba
the Mobile Edge Company logo, Aruba Mobility Management System®, Mobile Edge
Architecture®, People Move. Networks Must Follow®, RFProtect®, Green Island®. All
rights reserved. All other trademarks are the property of their respective
owners.
Open Source Code
Certain Aruba products include Open Source software code developed by third
parties, including software code subject to the GNU General Public License
(GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses.
The Open Source code used can be found at this site:
http://www.arubanetworks.com/open_source
Legal Notice
The use of Aruba Networks, Inc. switching platforms and software, by all
individuals or corporations, to terminate other vendors’ VPN client devices
constitutes complete acceptance of liability by that individual or corporation
for this action and indemnifies, in full, Aruba Networks, Inc. from any and all
legal actions that might be taken against it with respect to infringement of
copyright on behalf of those vendors.
Warranty
This hardware product is protected by the standard Aruba warranty of one year
parts/labor. For more information, refer to the ARUBACARE SERVICE AND SUPPORT
TERMS AND CONDITIONS.
Altering this device (such as painting it) voids the warranty.
1 INTRODUCTION
  1.1 ACRONYMS AND ABBREVIATIONS
2 PRODUCT OVERVIEW
  2.1 AP-92
    2.1.1 Physical Description
      2.1.1.1 Dimensions/Weight
      2.1.1.2 Interfaces
      2.1.1.3 Indicator LEDs
  2.2 AP-93
    2.2.1 Physical Description
      2.2.1.1 Dimensions/Weight
      2.2.1.2 Interfaces
      2.2.1.3 Indicator LEDs
  2.3 AP-104
    2.3.1 Physical Description
      2.3.1.1 Dimensions/Weight
      2.3.1.2 Interfaces
      2.3.1.3 Indicator LEDs
  2.4 AP-105
    2.4.1 Physical Description
      2.4.1.1 Dimensions/Weight
      2.4.1.2 Interfaces
      2.4.1.3 Indicator LEDs
  2.5 AP-175
    2.5.1 Physical Description
      2.5.1.1 Dimensions/Weight
      2.5.1.2 Interfaces
      2.5.1.3 Indicator LEDs
3 MODULE OBJECTIVES
  3.1 SECURITY LEVELS
  3.2 PHYSICAL SECURITY
    3.2.1 Applying TELs
    3.2.2 AP-92 TEL Placement
      3.2.2.1 To detect access to restricted ports:
      3.2.2.2 To detect opening of the chassis cover:
    3.2.3 AP-93 TEL Placement
      3.2.3.1 To detect access to restricted ports:
      3.2.3.2 To detect opening of the chassis cover:
    3.2.4 AP-104 TEL Placement
      3.2.4.1 To detect opening of the chassis cover:
      3.2.4.2 To detect access to restricted ports:
    3.2.5 AP-105 TEL Placement
      3.2.5.1 To detect opening of the chassis cover:
      3.2.5.2 To detect access to restricted ports:
    3.2.6 AP-175 TEL Placement
      3.2.6.1 To detect access to restricted ports:
      3.2.6.2 To detect opening of the chassis cover:
    3.2.7 Inspection/Testing of Physical Security Mechanisms
  3.3 OPERATIONAL ENVIRONMENT
  3.4 LOGICAL INTERFACES
4 ROLES, AUTHENTICATION AND SERVICES
  4.1 ROLES
    4.1.1 Crypto Officer Authentication
    4.1.2 User Authentication
    4.1.3 Wireless Client Authentication
    4.1.4 Strength of Authentication Mechanisms
  4.2 SERVICES
    4.2.1 Crypto Officer Services
    4.2.2 User Services
    4.2.3 Wireless Client Services
    4.2.4 Unauthenticated Services
5 CRYPTOGRAPHIC ALGORITHMS
6 CRITICAL SECURITY PARAMETERS
7 SELF TESTS
8 SECURE OPERATION
1 Introduction
This document constitutes the non-proprietary Cryptographic Module Security Policy for the AP-92, AP-93, AP-104, AP-105 and AP-175 Wireless Access Points with FIPS 140-2 Level 2 validation from Aruba
Networks. This security policy describes how the AP meets the security requirements of FIPS 140-2 Level
2, and how to place and maintain the AP in a secure FIPS 140-2 mode. This policy was prepared as part of
the FIPS 140-2 Level 2 validation of the product.
FIPS 140-2 (Federal Information Processing Standards Publication 140-2, Security Requirements for
Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More
information about the FIPS 140-2 standard and validation program is available on the National Institute of
Standards and Technology (NIST) Web-site at:
http://csrc.nist.gov/groups/STM/cmvp/index.html
This document can be freely distributed.
1.1 Acronyms and Abbreviations
AES     Advanced Encryption Standard
AP      Access Point
CBC     Cipher Block Chaining
CLI     Command Line Interface
CO      Crypto Officer
CPSec   Control Plane Security protected
CSE     Communications Security Establishment Canada
CSP     Critical Security Parameter
ECO     External Crypto Officer
EMC     Electromagnetic Compatibility
EMI     Electromagnetic Interference
FE      Fast Ethernet
GE      Gigabit Ethernet
GHz     Gigahertz
HMAC    Hashed Message Authentication Code
Hz      Hertz
IKE     Internet Key Exchange
IPsec   Internet Protocol security
KAT     Known Answer Test
KEK     Key Encryption Key
L2TP    Layer-2 Tunneling Protocol
LAN     Local Area Network
LED     Light Emitting Diode
SHA     Secure Hash Algorithm
SNMP    Simple Network Management Protocol
SPOE    Serial & Power Over Ethernet
TEL     Tamper-Evident Label
TFTP    Trivial File Transfer Protocol
WLAN    Wireless Local Area Network
2 Product Overview
This section introduces the various Aruba Wireless Access Points, providing a brief overview and summary
of the physical features of each model covered by this FIPS 140-2 security policy.
2.1 AP-92
This section introduces the Aruba AP-92 Wireless Access Point (AP) with FIPS 140-2 Level 2 validation.
It describes the purpose of the AP, its physical attributes, and its interfaces.
The Aruba AP-92 is a high-performance 802.11n (2x2:2) MIMO, single-radio 2.4 GHz or 5 GHz (802.11a/
b/g/n) indoor wireless access point capable of delivering combined wireless data rates of up to 300Mbps.
This multi-function access point provides wireless LAN access, air monitoring, and wireless intrusion
detection and prevention over the 2.4-2.5GHz and 5GHz RF spectrum. The access points work in
conjunction with Aruba Mobility Controllers to deliver high-speed, secure user-centric network services in
education, enterprise, finance, government, healthcare, and retail applications.
2.1.1 Physical Description
The Aruba AP-92 Access Point is a multi-chip standalone cryptographic module consisting of hardware
and software, all contained in a hard plastic case. The module contains an 802.11 a/b/g/n transceiver and
supports external antennas through 2 x dual-band (RP-SMA) antenna interfaces for supporting external
antennas.
The plastic case physically encloses the complete set of hardware and software components and represents
the cryptographic boundary of the module.
The Access Point configuration validated during the cryptographic module testing included:
• AP-92-F1
• FIPS Kit
  o 4010061-01 (Part number for Tamper Evident Labels)
The exact firmware version validated was:
• ArubaOS 6.3.1.7-FIPS
2.1.1.1 Dimensions/Weight
The AP has the following physical dimensions:
• 120 mm x 130 mm x 35 mm (4.7" x 5.1" x 1.4")
• 255 g (9 oz)
2.1.1.2 Interfaces
The module provides the following network interfaces:
• 1 x 10/100/1000 Base-T Ethernet (RJ45) Ports
• 802.11a/b/g/n Antenna (External)
  o 2x RP-SMA antenna interfaces (supports up to 2x2 MIMO with spatial diversity)
• 1 x RJ-45 console interface (disabled in FIPS mode by TEL)
The module provides the following power interfaces:
• 48V DC via Power-over-Ethernet (POE)
• 12V DC power supply
2.1.1.3 Indicator LEDs
There are 5 bicolor (power, ENET and WLAN) LEDs which operate as follows:
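Table 1 - AP-92 Indicator LEDs
Label | Function | Action | Status
PWR | AP power / ready status | Off | No power to AP
PWR | AP power / ready status | Red | Initial power-up condition
PWR | AP power / ready status | Flashing – Green | Device booting, not ready
PWR | AP power / ready status | On – Green | Device ready
ENET | Ethernet Network Link Status / Activity | Off | Ethernet link unavailable
ENET | Ethernet Network Link Status / Activity | On – Amber | 10/100Mbs Ethernet link negotiated
ENET | Ethernet Network Link Status / Activity | On – Green | 1000Mbs Ethernet link negotiated
ENET | Ethernet Network Link Status / Activity | Flashing | Ethernet link activity
11b/g/n | 2.4GHz Radio Status | Off | 2.4GHz radio disabled
11b/g/n | 2.4GHz Radio Status | On – Amber | 2.4GHz radio enabled in WLAN mode
11b/g/n | 2.4GHz Radio Status | On – Green | 2.4GHz radio enabled in 802.11n mode
11b/g/n | 2.4GHz Radio Status | Flashing - Green | 2.4GHz Air monitor or RF protect sensor
11a/n | 5GHz Radio Status | Off | 5GHz radio disabled
11a/n | 5GHz Radio Status | On - Amber | 5GHz radio enabled in WLAN mode
11a/n | 5GHz Radio Status | On – Green | 5GHz radio enabled in 802.11n mode
11a/n | 5GHz Radio Status | Flashing - Green | 5GHz Air monitor or RF protect sensor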
2.2 AP-93
This section introduces the Aruba AP-93 Wireless Access Point (AP) with FIPS 140-2 Level 2 validation.
It describes the purpose of the AP, its physical attributes, and its interfaces.
The Aruba AP-93 is a high-performance 802.11n (2x2:2) MIMO, single-radio 2.4 GHz or 5 GHz (802.11a/
b/g/n) indoor wireless access point capable of delivering combined wireless data rates of up to 300Mbps.
This multi-function access point provides wireless LAN access, air monitoring, and wireless intrusion
detection and prevention over the 2.4-2.5GHz and 5GHz RF spectrum. The access points work in
conjunction with Aruba Mobility Controllers to deliver high-speed, secure user-centric network services in
education, enterprise, finance, government, healthcare, and retail applications.
2.2.1 Physical Description
The Aruba AP-92 Access Point is a multi-chip standalone cryptographic module consisting of hardware
and software, all contained in a hard plastic case. The module contains an 802.11 a/b/g/n transceiver and 2
integrated omni-directional multi-band dipole antenna elements (supporting up to 2x2 MIMO with spatial
diversity).
The plastic case physically encloses the complete set of hardware and software components and represents
the cryptographic boundary of the module.
The Access Point configuration validated during the cryptographic module testing included:
• AP-93-F1
• FIPS Kit
  o 4010061-01 (Part number for Tamper Evident Labels)
The exact firmware version validated was:
• ArubaOS 6.3.1.7-FIPS
2.2.1.1 Dimensions/Weight
The AP has the following physical dimensions:
• 120 mm x 130 mm x 35 mm (4.7" x 5.1" x 1.4")
• 255 g (9 oz)
2.2.1.2 Interfaces
The module provides the following network interfaces:
• 1 x 10/100/1000 Base-T Ethernet (RJ45) Ports
• 802.11a/b/g/n Antenna Interfaces (Internal)
• 1 x RJ-45 console interface (disabled in FIPS mode by TEL)
The module provides the following power interfaces:
• 48V DC via Power-over-Ethernet (POE)
• 12V DC power supply
2.2.1.3 Indicator LEDs
There are 5 bicolor (power, ENET and WLAN) LEDs which operate as follows:
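Table 2 - AP-93 Indicator LEDs
Label | Function | Action | Status
PWR | AP power / ready status | Off | No power to AP
PWR | AP power / ready status | Red | Initial power-up condition
PWR | AP power / ready status | Flashing – Green | Device booting, not ready
PWR | AP power / ready status | On – Green | Device ready
ENET | Ethernet Network Link Status / Activity | Off | Ethernet link unavailable
ENET | Ethernet Network Link Status / Activity | On – Amber | 10/100Mbs Ethernet link negotiated
ENET | Ethernet Network Link Status / Activity | On – Green | 1000Mbs Ethernet link negotiated
ENET | Ethernet Network Link Status / Activity | Flashing | Ethernet link activity
11b/g/n | 2.4GHz Radio Status | Off | 2.4GHz radio disabled
11b/g/n | 2.4GHz Radio Status | On – Amber | 2.4GHz radio enabled in WLAN mode
11b/g/n | 2.4GHz Radio Status | On – Green | 2.4GHz radio enabled in 802.11n mode
11b/g/n | 2.4GHz Radio Status | Flashing - Green | 2.4GHz Air monitor or RF protect sensor
11a/n | 5GHz Radio Status | Off | 5GHz radio disabled
11a/n | 5GHz Radio Status | On - Amber | 5GHz radio enabled in WLAN mode
11a/n | 5GHz Radio Status | On – Green | 5GHz radio enabled in 802.11n mode
11a/n | 5GHz Radio Status | Flashing - Green | 5GHz Air monitor or RF protect sensor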
2.3 AP-104
This section introduces the Aruba AP-104 Wireless Access Point (AP) with FIPS 140-2 Level 2 validation.
It describes the purpose of the AP, its physical attributes, and its interfaces.
The Aruba AP-104 is a high-performance 802.11n (2x2:2) MIMO, dual-radio (concurrent 802.11a/n +
b/g/n) indoor wireless access point capable of delivering combined wireless data rates of up to 900Mbps.
This multi-function access point provides wireless LAN access, air monitoring, and wireless intrusion
detection and prevention over the 2.4-2.5GHz and 5GHz RF spectrum. The access points work in
conjunction with Aruba Mobility Controllers to deliver high-speed, secure user-centric network services in
education, enterprise, finance, government, healthcare, and retail applications.
2.3.1 Physical Description
The Aruba AP-104 Access Point is a multi-chip standalone cryptographic module consisting of hardware
and software, all contained in a hard plastic case. The module contains an 802.11 a/b/g/n transceiver and
supports external antennas through 4 x dual-band (RP-SMA) antenna interfaces for supporting external
antennas.
The plastic case physically encloses the complete set of hardware and software components and represents
the cryptographic boundary of the module.
The Access Point configuration validated during the cryptographic module testing included:
• AP-104-F1
• FIPS Kit
  o 4010061-01 (Part number for Tamper Evident Labels)
The exact firmware version validated was:
• ArubaOS 6.3.1.7-FIPS
2.3.1.1 Dimensions/Weight
The AP has the following physical dimensions:
• 132 mm x 135 mm x 45 mm (5.2" x 5.3" x 1.8")
• 0.3 kg (10.56 oz)
2.3.1.2 Interfaces
The module provides the following network interfaces:
• 1 x 10/100/1000 Base-T Ethernet (RJ45) Ports
• 802.11a/b/g/n Antenna (External)
  o 4x RP-SMA antenna interfaces (supports up to 2x2 MIMO with spatial diversity)
• 1 x RJ-45 console interface (disabled in FIPS mode by TEL)
The module provides the following power interfaces:
• 48V DC via Power-over-Ethernet (POE)
• 12V DC power supply
2.3.1.3 Indicator LEDs
There are 4 bicolor (power, ENET and WLAN) LEDs which operate as follows:
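Table 3 - AP-104 Indicator LEDs
Label | Function | Action | Status
PWR | AP power / ready status | Off | No power to AP
PWR | AP power / ready status | Red | Initial power-up condition
PWR | AP power / ready status | Flashing – Green | Device booting, not ready
PWR | AP power / ready status | On – Green | Device ready
ENET | Ethernet Network Link Status / Activity | Off | Ethernet link unavailable
ENET | Ethernet Network Link Status / Activity | On – Amber | 10/100Mbs Ethernet link negotiated
ENET | Ethernet Network Link Status / Activity | On – Green | 1000Mbs Ethernet link negotiated
ENET | Ethernet Network Link Status / Activity | Flashing | Ethernet link activity
11b/g/n | 2.4GHz Radio Status | Off | 2.4GHz radio disabled
11b/g/n | 2.4GHz Radio Status | On – Amber | 2.4GHz radio enabled in WLAN mode
11b/g/n | 2.4GHz Radio Status | On – Green | 2.4GHz radio enabled in 802.11n mode
11b/g/n | 2.4GHz Radio Status | Flashing - Green | 2.4GHz Air monitor or RFprotect sensor
11a/n | 5GHz Radio Status | Off | 5GHz radio disabled
11a/n | 5GHz Radio Status | On - Amber | 5GHz radio enabled in WLAN mode
11a/n | 5GHz Radio Status | On – Green | 5GHz radio enabled in 802.11n mode
11a/n | 5GHz Radio Status | Flashing - Green | 5GHz Air monitor or RFprotect sensor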
2.4 AP-105
This section introduces the Aruba AP-105 Wireless Access Point (AP) with FIPS 140-2 Level 2 validation.
It describes the purpose of the AP, its physical attributes, and its interfaces.
The Aruba AP-105 is a high-performance 802.11n (2x2:2) MIMO, dual-radio (concurrent 802.11a/n +
b/g/n) indoor wireless access point capable of delivering combined wireless data rates of up to 900Mbps.
This multi-function access point provides wireless LAN access, air monitoring, and wireless intrusion
detection and prevention over the 2.4-2.5GHz and 5GHz RF spectrum. The access points work in
conjunction with Aruba Mobility Controllers to deliver high-speed, secure user-centric network services in
education, enterprise, finance, government, healthcare, and retail applications.
2.4.1 Physical Description
The Aruba AP-135 series Access Point is a multi-chip standalone cryptographic module consisting of
hardware and software, all contained in a hard plastic case. The module contains 802.11 a/b/g/n
transceivers and supports 3 integrated omni-directional multi-band dipole antenna elements (supporting up
to 2x2 MIMO with spatial diversity).
The plastic case physically encloses the complete set of hardware and software components and represents
the cryptographic boundary of the module.
The Access Point configuration validated during the cryptographic module testing included:
• AP-105-F1
• FIPS Kit
  o 4010061-01 (Part number for Tamper Evident Labels)
The exact firmware version validated was:
• ArubaOS 6.3.1.7-FIPS
2.4.1.1 Dimensions/Weight
The AP has the following physical dimensions:
• 132 mm x 135 mm x 45 mm (5.2" x 5.3" x 1.8")
• 0.3 kg (10.56 oz)
2.4.1.2 Interfaces
The module provides the following network interfaces:
• 1 x 10/100/1000 Base-T Ethernet (RJ45) Ports
• 802.11a/b/g/n Antenna Interfaces (Internal)
• 1 x RJ-45 console interface (disabled in FIPS mode by TEL)
The module provides the following power interfaces:
• 48V DC via Power-over-Ethernet (POE)
• 12V DC power supply
2.4.1.3 Indicator LEDs
There are 4 bicolor (power, ENET and WLAN) LEDs which operate as follows:
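Table 4 - AP-105 Indicator LEDs
Label | Function | Action | Status
PWR | AP power / ready status | Off | No power to AP
PWR | AP power / ready status | Red | Initial power-up condition
PWR | AP power / ready status | Flashing – Green | Device booting, not ready
PWR | AP power / ready status | On – Green | Device ready
ENET | Ethernet Network Link Status / Activity | Off | Ethernet link unavailable
ENET | Ethernet Network Link Status / Activity | On – Amber | 10/100Mbs Ethernet link negotiated
ENET | Ethernet Network Link Status / Activity | On – Green | 1000Mbs Ethernet link negotiated
ENET | Ethernet Network Link Status / Activity | Flashing | Ethernet link activity
11b/g/n | 2.4GHz Radio Status | Off | 2.4GHz radio disabled
11b/g/n | 2.4GHz Radio Status | On – Amber | 2.4GHz radio enabled in WLAN mode
11b/g/n | 2.4GHz Radio Status | On – Green | 2.4GHz radio enabled in 802.11n mode
11b/g/n | 2.4GHz Radio Status | Flashing - Green | 2.4GHz Air monitor or RFprotect sensor
11a/n | 5GHz Radio Status | Off | 5GHz radio disabled
11a/n | 5GHz Radio Status | On - Amber | 5GHz radio enabled in WLAN mode
11a/n | 5GHz Radio Status | On – Green | 5GHz radio enabled in 802.11n mode
11a/n | 5GHz Radio Status | Flashing - Green | 5GHz Air monitor or RFprotect sensor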
2.5 AP-175
This section introduces the Aruba AP-175 series Wireless Access Points (APs) with FIPS 140-2 Level 2
validation. It describes the purpose of the AP, its physical attributes, and its interfaces.
The Aruba AP-175 series are high-performance 802.11n (2x2:2) MIMO, dual-radio (concurrent 802.11a/n
+ b/g/n) indoor/outdoor wireless access points capable of delivering combined wireless data rates of up to
600Mbps. These multi-function access points provide wireless LAN access, air monitoring, and wireless
intrusion detection and prevention over the 2.4GHz and 5GHz RF spectrum. The multifunction AP-175 is
an affordable, fully hardened outdoor 802.11n access point (AP) that provides maximum deployment
flexibility in high-density campuses, storage yards, warehouses, container/transportation facilities, extreme
industrial production areas and other harsh environments.
2.5.1 Physical Description
The Aruba AP-175 Access Point is a multi-chip standalone cryptographic module consisting of hardware
and software, all contained in a hard case. The module contains two 802.11 a/b/g/n transceivers, and 4 x N-type female interfaces (2 x 2.4 GHz, 2 x 5 GHz) for external antenna support (supports MIMO).
The hard case physically encloses the complete set of hardware and software components and represents
the cryptographic boundary of the module.
The Access Point configuration validated during the cryptographic module testing included:
• AP-175P-F1
• AP-175AC-F1
• AP-175DC-F1
• FIPS Kit
  o 4010061-01 (Part number for Tamper Evident Labels)
The exact firmware version validated was:
• ArubaOS 6.3.1.7-FIPS
2.5.1.1 Dimensions/Weight
The AP has the following physical dimensions:
• 260 mm x 240 mm x 105 mm (10.2" x 9.4" x 4.1")
• 3.25 kg (7 lb)
2.5.1.2 Interfaces
The module provides the following network interfaces:
• 1 x 10/100/1000 Base-T Ethernet (RJ45) ports
• 1 x RJ-45 console interface (Disabled in FIPS mode by TEL)
• 4 x N-Type female antenna interfaces
The module provides the following power interfaces:
• AP-175P: 48-volt DC 802.3at power over Ethernet (PoE+)
• AP-175AC: 100-240 volt AC from external AC power source
• AP-175DC: 12-48 volt DC from external DC power source
2.5.1.3 Indicator LEDs
There is an array of LEDs which operate as follows:
Table 5 - AP-175 Indicator LEDs
Label | LED Position | Function | Action | Status
PWR | D11 | AP power / system status | Off | No power to AP
PWR | D11 | AP power / system status | Red | System Alarm
PWR | D11 | AP power / system status | Flashing - Green | Power did not connect well or equipment failure
PWR | D11 | AP power / system status | On - Green | Device ready
ENET0 | D15 | Ethernet Network Link Status / Activity | Off | Ethernet link unavailable
ENET0 | D15 | Ethernet Network Link Status / Activity | On - Yellow | 10/100Mbs Ethernet link negotiated
ENET0 | D15 | Ethernet Network Link Status / Activity | On - Green | 1000Mbs Ethernet link negotiated
ENET0 | D15 | Ethernet Network Link Status / Activity | Flashing | Ethernet link activity
WLAN0 | D6 | Radio0 Status | Off | Radio0 disabled
WLAN0 | D6 | Radio0 Status | On - Orange | Radio0 enabled
WLAN1 | D1 | Radio1 Status | Off | Radio1 disabled
WLAN1 | D1 | Radio1 Status | On - Blue | Radio1 enabled
SS1 | D7/D2 | Signal Strength (Radio0/Radio1) least significant bit | On - Orange/Blue (For Radio0: Orange and For Radio1: Blue); Off | SS1 to SS4 LEDs turn on/off depending on the signal strength of the current radio neighbors. Stronger the signal, more LEDs get lit starting with SS1 (least signal strength indicator) all the way to SS4 (highest signal strength indicator).
SS2 | D8/D3 | Signal Strength (Radio0/Radio1) second most significant bit | as for SS1 | as for SS1
SS3 | D9/D4 | Signal Strength (Radio0/Radio1) least significant bit | as for SS1 | as for SS1
SS4 | D10/D5 | Signal Strength (Radio0/Radio1) most significant bit | as for SS1 | as for SS1
3 Module Objectives
This section describes the assurance levels for each of the areas described in the FIPS 140-2 Standard.
3.1 Security Levels
Table 6 - Security Levels
Section | Section Title | Level
1 | Cryptographic Module Specification | 2
2 | Cryptographic Module Ports and Interfaces | 2
3 | Roles, Services, and Authentication | 2
4 | Finite State Model | 2
5 | Physical Security | 2
6 | Operational Environment | N/A
7 | Cryptographic Key Management | 2
8 | EMI/EMC | 2
9 | Self-tests | 2
10 | Design Assurance | 2
11 | Mitigation of Other Attacks | N/A
Overall | Overall module validation level | 2
3.2 Physical Security
The Aruba Wireless AP is a scalable, multi-processor standalone network device and is enclosed in a robust
plastic housing. The AP enclosure is resistant to probing (please note that this feature has not been
validated as part of the FIPS 140-2 validation) and is opaque within the visible spectrum. The enclosure of
the AP has been designed to satisfy FIPS 140-2 Level 2 physical security requirements.
3.2.1 Applying TELs
The Crypto Officer must apply Tamper-Evident Labels (TELs) to the AP to allow detection of the opening
of the device, and to block the serial console port (on the bottom of the device). The TELs shall be installed
for the module to operate in a FIPS Approved mode of operation. The vendor provides FIPS 140 designated
TELs which have met the physical security testing requirements for tamper evident labels under the FIPS
140-2 Standard. TELs are not endorsed by the Cryptographic Module Validation Program (CMVP). Aruba
provides double the required amount of TELs with shipping, and additional replacement TELs can be
obtained by calling customer support and requesting part number 4010061-01.
The Crypto Officer is responsible for securing and having control at all times of any unused tamper evident
labels. The Crypto Officer should employ TELs as follows:

• Before applying a TEL, make sure the target surfaces are clean and dry.
• Do not cut, trim, punch, or otherwise alter the TEL.
• Apply the wholly intact TEL firmly and completely to the target surfaces.
• Allow 24 hours for the TEL adhesive seal to completely cure.
• Record the position and serial number of each applied TEL in a security log.
Once applied, the TELs included with the AP cannot be surreptitiously broken, removed or reapplied
without an obvious change in appearance.
Each TEL has a unique serial number to prevent replacement with a similar label. To protect the device from
tampering, TELs should be applied by the Crypto Officer as pictured below:
3.2.2 AP-92 TEL Placement
This section displays all the TEL locations of the Aruba AP-92. The AP-92 requires a minimum of 3 TELs
to be applied as follows:
3.2.2.1 To detect access to restricted ports:
• Spanning the serial port
3.2.2.2 To detect opening of the chassis cover:
• Spanning the bottom and top chassis covers on the right side
• Spanning the bottom and top chassis covers on the left side
Following is the TEL placement for the AP-92:
Figure 1 - AP-92 TEL placement front view
Figure 2 - Aruba AP-92 TEL placement left view
Figure 3 - Aruba AP-92 TEL placement right view
Figure 4 - Aruba AP-92 TEL placement top view
Figure 5 - Aruba AP-92 TEL placement bottom view
3.2.3 AP-93 TEL Placement
This section displays all the TEL locations of the Aruba AP-93. The AP-93 requires a minimum of 3 TELs
to be applied as follows:
3.2.3.1 To detect access to restricted ports:
1. Spanning the serial port
3.2.3.2 To detect opening of the chassis cover:
2. Spanning the bottom and top chassis covers on the left side
3. Spanning the bottom and top chassis covers on the right side
Following is the TEL placement for the AP-93:
Figure 6 - Aruba AP-93 TEL placement front view
Figure 7 - Aruba AP-93 TEL placement left view
Figure 8 - Aruba AP-93 TEL placement right view
Figure 9 - Aruba AP-93 TEL placement bottom view
Figure 10 - Aruba AP-93 TEL placement top view
3.2.4 AP-104 TEL Placement
This section displays all the TEL locations of the Aruba AP-104. The AP-104 requires a minimum of 3
TELs to be applied as follows:
3.2.4.1 To detect opening of the chassis cover:
1. Spanning the bottom and top chassis covers on the left side
2. Spanning the bottom and top chassis covers on the right side
3.2.4.2 To detect access to restricted ports:
3. Spanning the serial port
Following is the TEL placement for the AP-104:
Figure 11 - Aruba AP-104 TEL placement front view
Figure 12 - Aruba AP-104 TEL placement left view
Figure 13 - Aruba AP-104 TEL placement right view
Figure 14 - Aruba AP-104 TEL placement top view
Figure 15 - Aruba AP-104 TEL placement bottom view
3.2.5 AP-105 TEL Placement
This section displays all the TEL locations of the Aruba AP-105. The AP-105 requires a minimum of 3
TELs to be applied as follows:
3.2.5.1 To detect opening of the chassis cover:
1. Spanning the bottom and top chassis covers on the left side
2. Spanning the bottom and top chassis covers on the right side
3.2.5.2 To detect access to restricted ports:
3. Spanning the serial port
Following is the TEL placement for the AP-105:
Figure 16 - Aruba AP-105 TEL placement front view
Figure 17 - Aruba AP-105 TEL placement left view
Figure 18 - Aruba AP-105 TEL placement right view
Figure 19 - Aruba AP-105 TEL placement top view
Figure 20 - Aruba AP-105 TEL placement bottom view
3.2.6 AP-175 TEL Placement
This section displays all the TEL locations of the Aruba AP-175. The AP-175 requires a minimum of 6
TELs to be applied as follows:
3.2.6.1 To detect access to restricted ports:
1. Spanning the USB console port
2. Spanning the power connector plug (AP-175P only)
3. Spanning the hex screw
3.2.6.2 To detect opening of the chassis cover:
4. Spanning the top and bottom chassis covers on the left side
5. Spanning the top and bottom chassis covers on the right side
Following is the TEL placement for the AP-175:
Figure 21 - Aruba AP-175 TEL placement front view
Figure 22 - Aruba AP-175 TEL placement back view
Figure 23 - Aruba AP-175 TEL placement left view
Figure 24 - Aruba AP-175 TEL placement right view
Figure 25 - Aruba AP-175 TEL placement top view
Figure 26 - Aruba AP-175 TEL placement bottom view
3.2.7 Inspection/Testing of Physical Security Mechanisms
Table 7 - Inspection/Testing of Physical Security Mechanisms
Physical Security Mechanism | Recommended Test Frequency | Guidance
Tamper-evident labels (TELs) | Once per month | Examine for any sign of removal, replacement, tearing, etc. See images above for locations of TELs
Opaque module enclosure | Once per month | Examine module enclosure for any evidence of new openings or other access to the module internals.
3.3 Operational Environment
This section does not apply as the operational environment is non-modifiable.
3.4 Logical Interfaces
The physical interfaces are divided into logical interfaces defined by FIPS 140-2 as described in the
following table.
Table 8 - Logical Interfaces
FIPS 140-2 Logical Interface | Module Physical Interface
Data Input Interface | 10/100/1000 Ethernet Ports; 802.11a/b/g/n/ac Antenna Interfaces; USB 2.0 port
Data Output Interface | 10/100/1000 Ethernet Ports; 802.11a/b/g/n/ac Antenna Interfaces; USB 2.0 port
Control Input Interface | 10/100/1000 Ethernet Ports; 802.11a/b/g/n/ac Antenna Interfaces; Reset button
Status Output Interface | 10/100/1000 Ethernet Ports; 802.11a/b/g/n/ac Antenna Interfaces; LEDs
Power Interface | Power Supply; Power-over-Ethernet (POE)
Data input and output, control input, status output, and power interfaces are defined as follows:

• Data input and output are the packets that use the networking functionality of the module.
• Control input consists of manual control inputs for power and reset through the power interfaces (DC power supply or POE). It also consists of all of the data that is entered into the access point while using the management interfaces. A reset button is present which is used to reset the AP to factory default settings.
• Status output consists of the status indicators displayed through the LEDs, the status data that is output from the module while using the management interfaces, and the log file.
  o LEDs indicate the physical state of the module, such as power-up (or rebooting), utilization level, and activation state. The log file records the results of self-tests, configuration errors, and monitoring data.
• A power supply is used to connect the electric power cable. Operating power may also be provided via Power Over Ethernet (POE) device when connected. The power is provided through the connected Ethernet cable.
• Console port is disabled when operating in FIPS mode by TEL.
The module distinguishes between different forms of data, control, and status traffic over the network ports
by analyzing the packet headers and contents.
4 Roles, Authentication and Services
4.1 Roles
The module supports the roles of Crypto Officer, User, and Wireless Client; no additional roles (e.g.,
Maintenance) are supported. Administrative operations carried out by the Aruba Mobility Controller map
to the Crypto Officer role. The Crypto Officer has the ability to configure, manage, and monitor the
module, including the configuration, loading, and zeroization of CSPs.
Defining characteristics of the roles depend on whether the module is configured in Remote AP mode or
in Remote Mesh Portal mode.
• Remote AP FIPS mode:
  o Crypto Officer role: the Crypto Officer is the Aruba Mobility Controller that has the ability to configure, manage, and monitor the module, including the configuration, loading, and zeroization of CSPs.
  o User role: in the configuration, the User operator shares the same services and authentication techniques as the Mobility Controller in the Crypto Officer role.
  o Wireless Client role: in Remote AP configuration, a wireless client can create a connection to the module using WPA2 and access wireless network access/bridging services. In advanced Remote AP configuration, when the Remote AP cannot communicate with the controller, the wireless client role authenticates to the module via WPA2-PSK only.
• CPSec AP FIPS mode:
  o Crypto Officer role: the Crypto Officer is the Aruba Mobility Controller that has the ability to configure, manage, and monitor the module, including the configuration, loading, and zeroization of CSPs.
  o User role: in the configuration, the User operator shares the same services and authentication techniques as the Mobility Controller in the Crypto Officer role.
  o Wireless Client role: in CPSec AP configuration, a wireless client can create a connection to the module using WPA2 and access wireless network access services.
• Remote Mesh Portal FIPS mode:
  o Crypto Officer role: the Crypto Officer is the Aruba Mobility Controller that has the ability to configure, manage, and monitor the module, including the configuration, loading, and zeroization of CSPs.
  o User role: the adjacent Mesh Point APs in a given mesh cluster. Please note that the Remote Mesh Portal AP must be physically wired to the Mobility Controller.
  o Wireless Client role: in Remote Mesh Portal FIPS AP configuration, a wireless client can create a connection to the module using WPA2 and access wireless network access services.
• Remote Mesh Point FIPS mode:
  o Crypto Officer role: the Crypto Officer role is the Aruba Mobility Controller that has the ability to configure, manage, and monitor the module, including the configuration, loading, and zeroization of CSPs. The first mesh AP configured is the only AP with the direct wired connection.
  o User role: the adjacent Mesh APs in a given mesh cluster. Please note that the User role can be a Mesh Point AP or a Mesh Portal AP in the given mesh network.
  o Wireless Client role: in Remote Mesh Point FIPS AP configuration, a wireless client can create a connection to the module using WPA2 and access wireless network access services.
4.1.1 Crypto Officer Authentication
In each of the FIPS approved modes, the Aruba Mobility Controller implements the Crypto Officer role.
Connections between the module and the mobility controller are protected using IPSec. Crypto Officer
authentication is accomplished via either proof of possession of the IKEv1/IKEv2 pre-shared key or
RSA/ECDSA certificate, which occurs during the IKEv1/IKEv2 key exchange.
4.1.2 User Authentication
Authentication for the User role depends on the module configuration. When the module is configured in
Remote Mesh Portal FIPS mode or Remote Mesh Point FIPS mode, the User role is authenticated via the
WPA2 pre-shared key. When the module is configured in Remote AP FIPS mode or CPSec protected
AP FIPS mode, the User role is authenticated via the same IKEv1/IKEv2 pre-shared key or RSA/ECDSA
certificate that is used by the Crypto Officer.
4.1.3 Wireless Client Authentication
The wireless client role defined in each of the FIPS approved modes authenticates to the module via WPA2.
Please note that WEP and TKIP configurations are not permitted in FIPS mode. In advanced Remote AP
configuration, when the Remote AP cannot communicate with the controller, the wireless client role
authenticates to the module via WPA2-PSK only.
4.1.4 Strength of Authentication Mechanisms
The following table describes the relative strength of each supported authentication mechanism.
Table 9 - Strength of Authentication Mechanisms
Authentication Mechanism | Mechanism Strength
IKEv1/IKEv2 shared secret (CO role) | Passwords are required to be a minimum of eight characters and a maximum of 32 with a minimum of one letter and one number. If six (6) integers, one (1) special character and one (1) alphabet are used without repetition for an eight (8) digit PIN, the probability of randomly guessing the correct sequence is one (1) in 251,596,800 (this calculation is based on the assumption that the typical standard American QWERTY computer keyboard has 10 Integer digits, 52 alphabetic characters, and 32 special characters providing 94 characters to choose from in total. The calculation should be 10 x 9 x 8 x 7 x 6 x 5 x 32 x 52 = 251,596,800). Therefore, the associated probability of a successful random attempt is approximately 1 in 251,596,800, which is less than 1 in 1,000,000 required by FIPS 140-2.
Wireless Client WPA2-PSK (Wireless Client role) | Same mechanism strength as IKEv1/IKEv2 shared secret above.
Mesh AP WPA2 PSK (User role) | Same mechanism strength as IKEv1/IKEv2 shared secret above.
RSA Certificate based authentication (CO role) | The module supports 2048-bit RSA keys. RSA 2048 bit keys correspond to 112 bits of security. Assuming the low end of that range, the associated probability of a successful random attempt is 1 in 2^112, which is less than 1 in 1,000,000 required by FIPS 140-2.
ECDSA-based authentication (IKEv2) | ECDSA signing and verification is used to authenticate to the module during IKEv2. Both P-256 and P-384 curves are supported. ECDSA P-256 provides 128 bits of equivalent security, and P-384 provides 192 bits of equivalent security. Assuming the low end of that range, the associated probability of a successful random attempt is 1 in 2^128, which is less than 1 in 1,000,000 required by FIPS 140-2.
4.2 Services
The module provides various services depending on role. These are described below.
4.2.1 Crypto Officer Services
The CO role in each of FIPS modes defined in section 3.3 has the same services.
Table 10 - Crypto Officer Services
Service | Description | CSPs Accessed (see section 6 below for complete description of CSPs)
FIPS mode enable/disable | The CO selects/de-selects FIPS mode as a configuration option. | None.
Key Management | The CO can configure/modify the IKEv1/IKEv2 shared secret (The RSA private key is protected by non-volatile memory and cannot be modified) and the WPA2 PSK (used in advanced Remote AP configuration). Also, the CO/User implicitly uses the KEK to read/write configuration to non-volatile memory. | 14, 23, 24, 25 (read/write); 1 (read)
Remotely reboot module | The CO can remotely trigger a reboot | 1 (read)
Self-test triggered by CO/User reboot | The CO can trigger a programmatic reset leading to self-test and initialization | 1, 32 (read)
Update module firmware | The CO can trigger a module firmware update | 32 (read)
Configure non-security related module parameters | CO can configure various operational parameters that do not relate to security | None.
Creation/use of secure management session between module and CO | The module supports use of IPSec for securing the management channel. | 14, 21, 22, 23, 24 (read); 8, 9, 10, 11, 12, 13, 15, 16, 17, 18, 19, 20 (read/write)
Creation/use of secure mesh channel | The module requires secure connections between mesh points using 802.11i | 25 (read); 26, 27, 28, 29, 30, 31 (read/write)
System Status | CO may view system status information through the secured management channel | See creation/use of secure management session above.
Zeroization | Zeroizes all flash memory | All CSPs will be destroyed.
4.2.2 User Services
The User services defined in Remote AP FIPS mode and CPSec protected AP FIPS mode share the same
services with the Crypto Officer role; please refer to Section 4.2.1, “Crypto Officer Services”. The
following services are provided for the User role defined in Remote Mesh Portal FIPS mode and Remote
Mesh Point FIPS mode:
Table 11 - User Services
Service | Description | CSPs Accessed (see section 6 below for complete description of CSPs)
Generation and use of 802.11i cryptographic keys | When the module is in mesh configuration, the inter-module mesh links are secured with 802.11i. | 26, 27, 28, 29, 30, 31 (read/write)
Use of WPA pre-shared key for establishment of IEEE 802.11i keys | When the module is in mesh configuration, the inter-module mesh links are secured with 802.11i. This is authenticated with a shared secret | 25 (read)
Zeroization | Zeroizes all flash memory | All CSPs will be destroyed.
4.2.3 Wireless Client Services
The following module services are provided for the Wireless Client role in each of the FIPS approved modes
defined in section 3.3.
Table 12 - Wireless Client Services
Service | Description | CSPs Accessed (see section 6 below for complete description of CSPs)
Generation and use of 802.11i cryptographic keys | In all modes, the links between the module and wireless client are secured with 802.11i. | 26, 27, 28, 29, 30, 31 (read/write)
Use of WPA pre-shared key for establishment of IEEE 802.11i keys | When the module is in advanced Remote AP configuration, the links between the module and the wireless client are secured with 802.11i. This is authenticated with a shared secret only. | 25 (read)
Wireless bridging services | The module bridges traffic between the wireless client and the wired network. | None
4.2.4 Unauthenticated Services
The module provides the following unauthenticated services, which are available regardless of role.

• System status – module LEDs
• Reboot module by removing/replacing power
• Self-test and initialization at power-on.
5 Cryptographic Algorithms
FIPS-approved cryptographic algorithms have been implemented in hardware and firmware.
The firmware supports the following cryptographic implementations.

• ArubaOS OpenSSL Module implements the following FIPS-approved algorithms:
  o AES (Cert. #2680)
  o CVL (Cert. #152)
  o DRBG (Cert. #433)
  o ECDSA (Cert. #469)
  o HMAC (Cert. #1666)
  o KBKDF (Cert. #16)
  o RSA (Cert. #1379)
  o SHS (Cert. #2249)
  o Triple-DES (Cert. #1607)
  o RSA (Cert. #1379; non-compliant with the functions from the CAVP Historical RSA List)
    Note:
    FIPS186-2:
    ALG[ANSIX9.31]: Key(gen)(MOD: 1024 PubKey Values: 65537)
    ALG[RSASSA-PKCS1_V1_5]: SIG(gen): 1024, SHS: SHA-1/SHA-256/SHA384/SHA-512, 2048, SHS: SHA-1
  o ECDSA (Cert. #469; non-compliant with the functions from the CAVP Historical ECDSA List)
    FIPS186-2:
    SIG(gen): CURVES(P-256 P-384), SHS: SHA-1
• ArubaOS Crypto Module implements the following FIPS-approved algorithms:
  o AES (Cert. #2677)
  o CVL (Cert. #150)
  o ECDSA (Cert. #466)
  o HMAC (Cert. #1663)
  o RNG (Cert. #1250)
  o RSA (Cert. #1376)
  o SHS (Cert. #2246)
  o Triple-DES (Cert. #1605)
  o RSA (Cert. #1376; non-compliant with the functions from the CAVP Historical RSA List)
    Note:
    FIPS186-2:
    ALG[ANSIX9.31]: Key(gen)(MOD: 1024 PubKey Values: 65537)
    ALG[RSASSA-PKCS1_V1_5]: SIG(gen): 1024, SHS: SHA-1/SHA-256/SHA384/SHA-512, 2048, SHS: SHA-1
  o ECDSA (Cert. #466; non-compliant with the functions from the CAVP Historical ECDSA List)
    FIPS186-2:
    SIG(gen): CURVES(P-256 P-384), SHS: SHA-1
• ArubaOS UBOOT Bootloader implements the following FIPS-approved algorithms:
  o RSA (Cert. #1380)
  o SHS (Cert. #2250)
• ArubaOS AP Kernel Crypto implements the following FIPS-approved algorithms:
  o AES (Cert. #2689)
• Aruba AP Hardware (Atheros WLAN) implements the following FIPS-approved algorithms:
  o AES (Cert. #2450)
Non-FIPS Approved Algorithms Allowed in FIPS Mode
• Diffie-Hellman (key agreement; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
• EC Diffie-Hellman (key agreement; key establishment methodology provides 128 or 192 bits of encryption strength)
• NDRNGs
Non-FIPS Approved Algorithms
The cryptographic module implements the following non-approved algorithms that are not permitted for
use in the FIPS 140-2 mode of operations:
• MD5
6 Critical Security Parameters
The following Critical Security Parameters (CSPs) are used by the module:
Table 12 - Critical Security Parameters
# | Name | CSPs type | Generation | Storage and Zeroization | Use
1 | Key Encryption Key (KEK) | Triple-DES 168-bit key (three key Triple-DES only). | Hardcoded during manufacturing | Stored in Flash. Zeroized by using command ‘ap wipe out flash’ | Encrypts IKEv1/IKEv2 Pre-shared key, ECDSA private key and configuration parameters.
2 | DRBG entropy input | SP800-90a DRBG (512 bits) | Derived using NON-FIPS approved HW RNG | Stored in plaintext in volatile memory. Zeroized on reboot. | DRBG initialization
3 | DRBG seed | SP800-90a DRBG (384 bits) | Generated per SP800-90A using a derivation function | Stored in plaintext in volatile memory. Zeroized on reboot. | DRBG initialization
4 | DRBG key | SP800-90a (256 bits) | Generated per SP800-90A | Stored in plaintext in volatile memory. Zeroized on reboot. | DRBG
5 | DRBG V | SP800-90a (128 bits) | Generated per SP800-90A | Stored in plaintext in volatile memory. Zeroized on reboot. | DRBG
6 | RNG seed | FIPS 186-2 RNG Seed (512 bits) | Derived using NON-FIPS approved HW RNG | Stored in plaintext in volatile memory. Zeroized on reboot. | Seed 186-2 General purpose (x-change Notice); SHA-1 RNG
7 | RNG seed key | FIPS 186-2 RNG Seed key (512 bits) | Derived using NON-FIPS approved HW RNG | Stored in plaintext in volatile memory. Zeroized on reboot. | Seed 186-2 General purpose (x-change Notice); SHA-1 RNG
8 | Diffie-Hellman private key | Diffie-Hellman private key (224 bits) | Generated internally during Diffie-Hellman Exchange | Stored in the volatile memory. Zeroized after the session is closed. | Used in establishing the session key for an IPSec session
9 | Diffie-Hellman public key | Diffie-Hellman public key (2048 bits). Note: Key size of DH Group 1 (768 bits) and Group 2 (1024 bits) are not allowed in FIPS mode. | Generated internally during Diffie-Hellman Exchange | Stored in the volatile memory. Zeroized after the session is closed. | Used in establishing the session key for an IPSec session
10 | Diffie-Hellman shared secret | Diffie-Hellman shared secret (2048 bits) | Established during Diffie-Hellman Exchange | Stored in plain text in volatile memory, Zeroized when session is closed. | Used in establishing the session key for an IPSec session
11 | EC Diffie-Hellman private key | Elliptic Curve Diffie-Hellman (P-256 and P-384). | Generated internally during EC Diffie-Hellman Exchange | Stored in the volatile memory. Zeroized after the session is closed. | Used in establishing the session key for an IPSec session
12 | EC Diffie-Hellman public key | Elliptic Curve Diffie-Hellman (P-256 and P-384). | Generated internally during EC Diffie-Hellman Exchange | Stored in the volatile memory. Zeroized after the session is closed. | Used in establishing the session key for an IPSec session
13 | EC Diffie-Hellman shared secret | Elliptic Curve Diffie-Hellman (P-256 and P-384) | Established during EC Diffie-Hellman Exchange | Stored in plaintext in volatile memory. Zeroized when session is closed. | Key agreement in IKEv1/IKEv2
14 | IKEv1/IKEv2 Pre-shared key | 8-64 character pre-shared key | CO configured | Stored encrypted in Flash with the KEK. Zeroized by changing (updating) the pre-shared key through the User interface. | User and module authentication during IKEv1/IKEv2
15 | skeyid | HMAC-SHA1/256/384 (160/256/384 bits) | Established during IKEv1 negotiation | Stored in plaintext in volatile memory. Zeroized when session is closed. | Key agreement in IKEv1
16 | skeyid_d | HMAC-SHA1/256/384 (160/256/384 bits) | Established during IKEv1 negotiation | Stored in plaintext in volatile memory. Zeroized when session is closed. | Key agreement in IKEv1
17 | IKEv1/IKEv2 session authentication key | HMAC-SHA1/256/384 (160 / 256 / 384 bits) | Established as a result of IKEv1/IKEv2 service implementation. | Stored in plaintext in volatile memory. Zeroized when session is closed. | IKEv1/IKEv2 payload integrity verification
18 | IKEv1/IKEv2 session encryption key | Triple-DES (168 bits) / AES (128/196/256 bits) - three key Triple-DES only | Established as a result of IKEv1/IKEv2 service implementation. | Stored in plaintext in volatile memory. Zeroized when session is closed. | IKEv1/IKEv2 payload encryption
19 | IPSec session encryption keys | Triple-DES (168 bits) / AES (128/196/256 bits) - three key Triple-DES only | Established during the IPSec service implementation | Stored in plaintext in volatile memory. Zeroized when the session is closed. | Secure IPSec traffic
20 | IPSec session authentication keys | HMAC-SHA-1 (160 bits) | Established during the IPSec service implementation | Stored in plaintext in volatile memory. Zeroized when the session is closed. | IPSec traffic authentication
21 | RSA Private Key | RSA 2048 bits private key | Generated at time of manufacturing by the TPM. | Stored in non-volatile memory (Trusted Platform Module). Zeroized by physical destruction of the module. | Used by IKEv1/IKEv2 for device authentication
22 | RSA public key | RSA 2048 bits public key | Generated at time of manufacturing by the TPM. | Stored in non-volatile memory. Zeroized by physical destruction of the module. | Used by IKEv1/IKEv2 for device authentication
23 | ECDSA Private Key | ECDSA suite B P-256 and P-384 curves | Generated in the module | Stored in flash memory encrypted with KEK. Zeroized by the CO command ap wipe out flash. | Used by IKEv1/IKEv2 for device authentication.
24 | ECDSA Public Key | ECDSA suite B P-256 and P-384 curves | Generated in the module | Stored in flash memory encrypted with KEK. Zeroized by the CO command ap wipe out flash. | Used by IKEv1/IKEv2 for device authentication.
25 | 802.11i Pre-Shared Key (PSK) | 8-63 character 802.11i pre-shared secret for use in 802.11i (SP 800‐108) key derivation | CO configured | Stored in flash memory encrypted with KEK. Zeroized by the CO command ap wipe out flash. | Used to derive the PMK for 802.11i in advanced Remote AP connections; programmed into AP by the controller over the IPSec session.
26 | 802.11i Pair-Wise Master key (PMK) | 802.11i secret key (256-bit) | Derived during the 802.1X handshake | Stored in the volatile memory. Zeroized on reboot. | Used to derive 802.11i Pairwise Transient Key (PTK)
27 | 802.11i Pairwise Transient Key (PTK) | 512-bit shared secret from which Temporal Keys (TKs) are derived | Derived during 802.11i 4-way handshake | In volatile memory only; zeroized on reboot | Used to derive 802.11i session key
28 | 802.11i session key | AES-CCM key (128 bits) | Derived from 802.11 PMK | Stored in plaintext in volatile memory. Zeroized on reboot. | Used for 802.11i encryption
29 | 802.11i Group Master Key (GMK) | 256-bit secret used to derive GTK | Generated from approved RNG | Stored in plaintext in volatile memory; zeroized on reboot | Used to derive Group Transient Key (GTK)
30 | 802.11i Group Transient Key (GTK) | 256-bit shared secret used to derive group (multicast) encryption and integrity keys | Internally derived by AP which assumes “authenticator” role in handshake | Stored in plaintext in volatile memory; zeroized on reboot | Used to derive multicast cryptographic keys
31 | 802.11i Group AES-CCM Data Encryption/MIC Key | 128-bit AES-CCM key derived from GTK | Derived from 802.11 group key handshake | Stored in plaintext in volatile memory; zeroized on reboot | Used to protect multicast message confidentiality and integrity (AES-CCM)
32 | Factory CA Public Key | RSA 2048 bits public key | Generated outside the module. | Stored in non-volatile memory. Zeroized by physical destruction of the module. | Firmware verification
7 Self-Tests
The module performs the following Self Tests after being configured into either Remote AP mode or
Remote Mesh Portal mode. The module performs both power-up and conditional self-tests. In the event any
self-test fails, the module enters an error state, logs the error, and reboots automatically.
The module performs the following power-up self-tests:
• Aruba AP Hardware (Atheros WLAN) Known Answer Test:
  o AES-CCM KAT
• ArubaOS OpenSSL Module Known Answer Tests:
  o AES (encrypt/decrypt) KATs
  o Triple-DES (encrypt/decrypt) KATs
  o DRBG KAT
  o RSA KAT
  o ECDSA Sign/Verify
  o SHS (SHA1, SHA256, SHA384 and SHA512) KATs
  o HMAC (HMAC-SHA1, HMAC-SHA256, HMAC-SHA384 and HMAC-SHA512) KATs
• ArubaOS Crypto Module Known Answer Tests:
  o AES (encrypt/decrypt) KATs
  o Triple-DES (encrypt/decrypt) KATs
  o SHS (SHA1, SHA256, SHA384 and SHA512) KATs
  o HMAC (HMAC-SHA1, HMAC-SHA256, HMAC-SHA384 and HMAC-SHA512) KATs
  o RSA KAT
  o ECDSA Sign/Verify
  o FIPS 186-2 RNG KAT
• ArubaOS Uboot Bootloader Module Known Answer Test
  o Firmware Integrity Test: RSA PKCS#1 v1.5 (2048 bits) signature verification with SHA1
• ArubaOS AP Kernel Crypto Known Answer Tests:
  o AES (encrypt/decrypt) KATs
  o AES-GCM KAT
The following Conditional Self-tests are performed in the module:
• ArubaOS OpenSSL Module
  o CRNG Test to Approved RNG (DRBG)
  o ECDSA Pairwise Consistency Test
  o RSA Pairwise Consistency Test
• ArubaOS Crypto Module
  o CRNG Test to Approved RNG (FIPS 186-2 RNG)
  o ECDSA Pairwise Consistency Test
  o RSA Pairwise Consistency Test
• ArubaOS Uboot BootLoader Module
  o Firmware Load Test - RSA PKCS#1 v1.5 (2048 bits) signature verification
• CRNG tests to non-approved RNGs
These self-tests are run for the Atheros hardware cryptographic implementation as well as for the Aruba
OpenSSL and ArubaOS cryptographic module implementations.
Self-test results are written to the serial console.
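How a power-up known answer test and a conditional continuous RNG (CRNG) test of the kind listed above behave, as an added Python example (not the ArubaOS implementation). The vectors are the published SHA "abc" and RFC 2202 / RFC 4231 HMAC test vectors; the class and function names are hypothetical, and the automatic reboot is reduced to an ERROR state.

```python
import hashlib
import hmac
import os


class SelfTestError(Exception):
    """A self-test failed; cryptographic services must not be offered."""


KEY = b"\x0b" * 20  # HMAC key of RFC 2202 / RFC 4231 test case 1

# (name, function under test, published known answer)
KATS = [
    ("SHA1", lambda: hashlib.sha1(b"abc").hexdigest(),
     "a9993e364706816aba3e25717850c26c9cd0d89d"),
    ("SHA256", lambda: hashlib.sha256(b"abc").hexdigest(),
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("HMAC-SHA1", lambda: hmac.new(KEY, b"Hi There", hashlib.sha1).hexdigest(),
     "b617318655057264e28bc0b6fb378c8ef146be00"),
    ("HMAC-SHA256", lambda: hmac.new(KEY, b"Hi There", hashlib.sha256).hexdigest(),
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
]


def run_power_up_kats(kats=KATS):
    """Run each KAT in order; raise on the first answer that does not match."""
    passed = []
    for name, compute, expected in kats:
        if compute() != expected:
            raise SelfTestError(f"{name} KAT failed")
        passed.append(name)
    return passed


class ContinuousRng:
    """Conditional CRNG test: every block must differ from the previous block."""

    def __init__(self, source=os.urandom, block_size=16):
        self._source = source
        self._block_size = block_size
        self._previous = source(block_size)  # priming block, never output

    def next_block(self):
        block = self._source(self._block_size)
        if block == self._previous:
            raise SelfTestError("CRNG test failed: RNG repeated a block")
        self._previous = block
        return block


class ToyModule:
    """Hypothetical state machine: no random output unless self-tests passed."""

    def __init__(self, kats=KATS, rng_source=os.urandom):
        self.state = "POWER_UP"
        self.log = []
        self._kats = kats
        self._rng_source = rng_source
        self._rng = None

    def _fail(self, exc):
        # The page's module logs the error and reboots; here we only record it.
        self.state = "ERROR"
        self.log.append(str(exc))

    def power_up(self):
        try:
            run_power_up_kats(self._kats)
        except SelfTestError as exc:
            self._fail(exc)
            return False
        self._rng = ContinuousRng(self._rng_source)
        self.state = "OPERATIONAL"
        return True

    def random_block(self):
        if self.state != "OPERATIONAL":
            raise SelfTestError("module is not operational")
        try:
            return self._rng.next_block()
        except SelfTestError as exc:
            self._fail(exc)
            raise


if __name__ == "__main__":
    module = ToyModule()
    print("power-up ok:", module.power_up(), "state:", module.state)
```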
In the event of a KAT failure, the AP logs different messages, depending on the error.
For an ArubaOS OpenSSL AP module and ArubaOS cryptographic module KAT failure:
AP rebooted [DATE][TIME] : Restarting System, SW FIPS KAT failed
For an AES Atheros hardware POST failure:
Starting HW SHA1 KAT ...Completed HW SHA1 AT
Starting HW HMAC-SHA1 KAT ...Completed HW HMAC-SHA1 KAT
Starting HW DES KAT ...Completed HW DES KAT
Starting HW AES KAT ...Restarting system.
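One way to flag these self-test failures in captured console or log text, as an added Python example (not Aruba tooling). It matches only the message text quoted above; the function name, the finding fields, and the handling of an outcome that wraps onto the next line or never appears are assumptions.

```python
import re

# Fixed tail of the software KAT failure message quoted above. The date and
# time fields are not matched because their format is not shown on the page.
SW_KAT_FAILED = re.compile(r"Restarting System, SW FIPS KAT failed")
# "Starting HW <alg> KAT ..." with the outcome (if any) on the same line.
HW_KAT_START = re.compile(r"Starting HW (?P<alg>\S+) KAT\s*\.\.\.(?P<outcome>.*)")

# Constructed sample: the page's own example lines, in one capture.
SAMPLE_CAPTURE = [
    "Starting HW SHA1 KAT ...Completed HW SHA1 AT",
    "Starting HW HMAC-SHA1 KAT ...Completed HW HMAC-SHA1 KAT",
    "Starting HW DES KAT ...Completed HW DES KAT",
    "Starting HW AES KAT ...Restarting system.",
    "AP rebooted [DATE][TIME] : Restarting System, SW FIPS KAT failed",
]


def find_self_test_failures(lines):
    """Return one finding per failed or unfinished self-test in the capture."""
    findings = []
    pending = None  # (line number, algorithm) of a HW KAT with no outcome yet

    def report(lineno, kind, test):
        findings.append({"line": lineno, "kind": kind, "test": test})

    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        if SW_KAT_FAILED.search(line):
            report(lineno, "software", "SW FIPS KAT")
            continue
        match = HW_KAT_START.search(line)
        if match:
            if pending:
                # A new test started before the earlier one reported a result.
                report(pending[0], "hardware-no-result", pending[1])
            pending = (lineno, match.group("alg"))
            line = match.group("outcome").strip()
        if pending and line.startswith("Completed HW"):
            pending = None
        elif pending and "restarting system" in line.lower():
            # The test never completed and the system restarted: a POST failure.
            report(pending[0], "hardware", pending[1])
            pending = None
    if pending:
        # Capture ended mid-test; treat as suspicious rather than as a pass.
        report(pending[0], "hardware-no-result", pending[1])
    return findings


if __name__ == "__main__":
    for finding in find_self_test_failures(SAMPLE_CAPTURE):
        print(finding)
```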
8 Secure Operation
The module can be configured to be in the following FIPS approved modes of operations via corresponding
Aruba Mobility Controllers that have been certified to FIPS level 2:
• Remote AP FIPS mode – When the module is configured as a Remote AP, it is intended to be deployed in a remote location (relative to the Mobility Controller). The module provides cryptographic processing in the form of IPSec for all traffic to and from the Mobility Controller.
• Control Plane Security (CPSec) protected AP FIPS mode – When the module is configured as a Control Plane Security protected AP it is intended to be deployed in a local/private location (LAN, WAN, MPLS) relative to the Mobility Controller. The module provides cryptographic processing in the form of IPSec for all Control traffic to and from the Mobility Controller.
• Remote Mesh Portal FIPS mode – When the module is configured in Mesh Portal mode, it is intended to be connected over a physical wire to the mobility controller. These modules serve as the connection point between the Mesh Point and the Mobility Controller. Mesh Portals communicate with the Mobility Controller through IPSec and with Mesh Points via 802.11i session. The Crypto Officer role is the Mobility Controller that authenticates via IKEv1/IKEv2 pre-shared key or RSA/ECDSA certificate authentication method, and Users are the "n" Mesh Points that authenticate via 802.11i preshared key.
• Remote Mesh Point FIPS mode – an AP that establishes an all-wireless path to the Remote Mesh portal in FIPS mode over 802.11 and an IPSec tunnel via the Remote Mesh Portal to the controller.
In addition, the module also supports a non-FIPS mode – an un-provisioned AP, which by default does not
serve any wireless clients. The Crypto Officer must first enable and then provision the AP into a FIPS AP
mode of operation.
This section explains how to place the module in each FIPS mode and how to verify that it is in FIPS mode.
An important point for the Aruba APs is that changing the configuration from any one mode to any other mode
requires the module to be re-provisioned and rebooted before any new configured mode can be enabled.
The access point is managed by an Aruba Mobility Controller in FIPS mode, and access to the Mobility
Controller’s administrative interface via a non-networked general purpose computer is required to assist in
placing the module in FIPS mode. The controller used to provision the AP is referred to below as the
“staging controller”. The staging controller must be provisioned with the appropriate firmware image for
the module, which has been validated to FIPS 140-2, prior to initiating AP provisioning. The Crypto
Officer shall perform the following steps:
8.1.1 Configuring Remote AP FIPS Mode
1. Apply TELs according to the directions in section 3.2.
2. Log into the administrative console of the staging controller.
3. To deploy the AP in Remote FIPS mode, configure the controller to support Remote APs. For
detailed instructions and steps, see Section “Configuring the Secure Remote Access Point Service”
in Chapter “Remote Access Points” of the Aruba OS User Manual.
4. Enable FIPS mode on the controller. This is accomplished by going to the Configuration >
Network > Controller > System Settings page (this is the default page when you click the
Configuration tab), and clicking the FIPS Mode for Mobility Controller Enable checkbox.
5. Enable FIPS mode on the AP. This is accomplished by going to the Configuration > Wireless > AP
Configuration > AP Group page. There, you click the Edit button for the appropriate AP group,
and then select AP > AP System Profile. Then, check the “Fips Enable” box, check “Apply”, and
save the configuration.
6. If the staging controller does not provide PoE, either ensure the presence of a PoE injector for the
LAN connection between the module and the controller, or ensure the presence of a DC power
supply appropriate to the particular model of the module.
7. Connect the module via an Ethernet cable to the staging controller; note that this should be a direct
connection, with no intervening network or devices; if PoE is being supplied by an injector, this
represents the only exception. That is, nothing other than a PoE injector should be present between
the module and the staging controller.
8. Once the module is connected to the controller by the Ethernet cable, navigate to the
Configuration > Wireless > AP Installation page, where you should see an entry for the AP.
Select that AP, click the “Provision” button, which will open the provisioning window. Now
provision the AP as Remote AP by filling in the form appropriately. Detailed steps are listed in
section entitled “Provisioning an Individual AP” in the ArubaOS User Guide. Click “Apply and
Reboot” to complete the provisioning process.
   a. During the provisioning process as Remote AP, if Pre-shared key is selected to be the
   Remote AP Authentication Method, the IKE pre-shared key (which is at least 8
   characters in length) is input to the module during provisioning. Generation of this key is
   outside the scope of this policy. In the initial provisioning of an AP, this key will be
   entered in plaintext; subsequently, during provisioning, it will be entered encrypted over
   the secure IPSec session. If certificate based authentication is chosen, the AP’s RSA or
   ECDSA key pair is used to authenticate AP to controller during IPSec.
9. Via the logging facility of the staging controller, ensure that the module (the AP) is successfully
provisioned with firmware and configuration.
10. Terminate the administrative session
11. Disconnect the module from the staging controller, and install it on the deployment network; when
power is applied, the module will attempt to discover and connect to an Aruba Mobility Controller
on the network.
8.1.2 Configuring Control Plane Security (CPSec) protected AP FIPS mode
1. Apply TELs according to the directions in section 3.2.
2. Log into the administrative console of the staging controller.
3. Configure the staging controller with CPSec under Configuration > Controller > Control Plane
Security tab. The AP will authenticate to the controller using certificate based authentication (IKEv2)
to establish IPSec. The AP is configured with an RSA key pair at manufacturing. The AP’s
certificate is signed by the Aruba Certification Authority (trusted by all Aruba controllers) and the
AP’s RSA private key is stored in non-volatile memory (TPM). Refer to the “Configuring Control
Plane Security” section in the ArubaOS User Manual for details on the steps.
4. Enable FIPS mode on the controller. This is accomplished by going to the Configuration >
Network > Controller > System Settings page (this is the default page when you click the
Configuration tab), and clicking the FIPS Mode for Mobility Controller Enable checkbox.
5. Enable FIPS mode on the AP. This is accomplished by going to the
Configuration > Wireless > AP Configuration > AP Group page. There, you click the Edit
button for the appropriate AP group, and then select AP > AP System Profile. Then, check the
“FIPS Enable” box, check “Apply”, and save the configuration.
6. If the staging controller does not provide PoE, either ensure the presence of a PoE injector for the
LAN connection between the module and the controller, or ensure the presence of a DC power
supply appropriate to the particular model of the module.
7. Connect the module via an Ethernet cable to the staging controller; note that this should be a direct
connection, with no intervening network or devices; if PoE is being supplied by an injector, this
represents the only exception. That is, nothing other than a PoE injector should be present between
the module and the staging controller.
8. Once the module is connected to the controller by the Ethernet cable, navigate to the
Configuration > Wireless > AP Installation page, where you should see an entry for the AP.
Select that AP, click the “Provision” button, which will open the provisioning window. Now
provision the CPSec Mode by filling in the form appropriately. Detailed steps are listed in Section
“Provisioning an Individual AP” of Chapter “The Basic User-Centric Networks” of the Aruba OS
User Guide. Click “Apply and Reboot” to complete the provisioning process.
   a. For CPSec AP mode, the AP always uses certificate based authentication to establish
   IPSec connection with controller. AP uses the RSA key pair assigned to it at
   manufacturing to authenticate itself to controller during IPSec. Refer to “Configuring
   Control Plane Security” Section in Aruba OS User Manual for details on the steps to
   provision an AP with CPSec enabled on controller.
9. Via the logging facility of the staging controller, ensure that the module (the AP) is successfully
provisioned with firmware and configuration.
10. Terminate the administrative session
11. Disconnect the module from the staging controller, and install it on the deployment network; when
power is applied, the module will attempt to discover and connect to an Aruba Mobility Controller
on the network.
8.1.3 Configuring Remote Mesh Portal FIPS Mode
1. Apply TELs according to the directions in section 3.2.
2. Log into the administrative console of the staging controller.
3. To deploy the AP in Remote Mesh Portal mode, create the corresponding Mesh Profiles on the
controller as described in detail in Section “Mesh Profiles” of Chapter “Secure Enterprise Mesh”
of the Aruba OS User Manual.
   a. For mesh configurations, configure a WPA2 PSK which is 16 ASCII characters or 64
   hexadecimal digits in length; generation of such keys is outside the scope of this policy.
4. Enable FIPS mode on the controller. This is accomplished by going to the Configuration >
Network > Controller > System Settings page (this is the default page when you click the
Configuration tab), and clicking the FIPS Mode for Mobility Controller Enable checkbox.
5. Enable FIPS mode on the AP. This is accomplished by going to the Configuration > Wireless > AP
Configuration > AP Group page. There, you click the Edit button for the appropriate AP group,
and then select AP > AP System Profile. Then, check the “FIPS Enable” box, check “Apply”,
and save the configuration.
6. If the staging controller does not provide PoE, either ensure the presence of a PoE injector for the
LAN connection between the module and the controller, or ensure the presence of a DC power
supply appropriate to the particular model of the module.
7. Connect the module via an Ethernet cable to the staging controller; note that this should be a direct
connection, with no intervening network or devices; if PoE is being supplied by an injector, this
represents the only exception. That is, nothing other than a PoE injector should be present between
the module and the staging controller.
8. Once the module is connected to the controller by the Ethernet cable, navigate to the
Configuration > Wireless > AP Installation page, where you should see an entry for the AP.
Select that AP, click the “Provision” button, which will open the provisioning window. Now
provision the AP as Remote Mesh Portal by filling in the form appropriately. Detailed steps are
listed in Section “Provisioning an Individual AP” of Chapter “The Basic User-Centric Networks”
of the Aruba OS User Guide. Click “Apply and Reboot” to complete the provisioning process.
   a. During the provisioning process as Remote Mesh Portal, if Pre-shared key is selected to
   be the Remote IP Authentication Method, the IKE pre-shared key (which is at least 8
   characters in length) is input to the module during provisioning. Generation of this key is
   outside the scope of this policy. In the initial provisioning of an AP, this key will be
   entered in plaintext; subsequently, during provisioning, it will be entered encrypted over
   the secure IPSec session. If certificate based authentication is chosen, AP’s RSA key pair
   is used to authenticate AP to controller during IPSec. AP’s RSA private key is contained
   in the AP’s non-volatile memory and is generated at manufacturing time in factory.
   b. During the provisioning process as Remote Mesh Portal, the WPA2 PSK is input to the
   module via the corresponding Mesh cluster profile. This key is stored on flash encrypted.
9. Via the logging facility of the staging controller, ensure that the module (the AP) is successfully
provisioned with firmware and configuration.
10. Terminate the administrative session
11. Disconnect the module from the staging controller, and install it on the deployment network; when
power is applied, the module will attempt to discover and connect to an Aruba Mobility Controller
on the network.
To verify that the module is in FIPS mode, do the following:
1. Log into the administrative console of the Aruba Mobility Controller.
2. Verify that the module is connected to the Mobility Controller.
3. Verify that the module has FIPS mode enabled by issuing the command “show ap ap-name <apname> config”.
4. Terminate the administrative session.
8.1.4 Configuring Remote Mesh Point FIPS Mode
1. Apply TELs according to the directions in section 3.2.
2. Log into the administrative console of the staging controller.
3. To deploy the AP in Remote Mesh Point mode, create the corresponding Mesh Profiles on the
controller as described in detail in Section “Mesh Points” of Chapter “Secure Enterprise Mesh” of
the Aruba OS User Manual.
   a. For mesh configurations, configure a WPA2 PSK which is 16 ASCII characters or 64
   hexadecimal digits in length; generation of such keys is outside the scope of this policy.
4. Enable FIPS mode on the controller. This is accomplished by going to the Configuration >
Network > Controller > System Settings page (this is the default page when you click the
Configuration tab), and clicking the FIPS Mode for Mobility Controller Enable checkbox.
5. Enable FIPS mode on the AP. This is accomplished by going to the Configuration > Wireless > AP
Configuration > AP Group page. There, you click the Edit button for the appropriate AP group,
and then select AP > AP System Profile. Then, check the “Fips Enable” box, check “Apply”, and
save the configuration.
6. If the staging controller does not provide PoE, either ensure the presence of a PoE injector for the
LAN connection between the module and the controller, or ensure the presence of a DC power
supply appropriate to the particular model of the module.
7. Connect the module via an Ethernet cable to the staging controller; note that this should be a direct
connection, with no intervening network or devices; if PoE is being supplied by an injector, this
represents the only exception. That is, nothing other than a PoE injector should be present between
the module and the staging controller.
8. Once the module is connected to the controller by the Ethernet cable, navigate to the
Configuration > Wireless > AP Installation page, where you should see an entry for the AP.
Select that AP, click the “Provision” button, which will open the provisioning window. Now
provision the AP as Remote Mesh Portal by filling in the form appropriately. Detailed steps are
listed in Section “Provisioning an Individual AP” of Chapter “The Basic User-Centric Networks”
of the Aruba OS User Guide. Click “Apply and Reboot” to complete the provisioning process.
   a. During the provisioning process as Remote Mesh Point, if Pre-shared key is selected to
   be the Remote IP Authentication Method, the IKE pre-shared key (which is at least 8
   characters in length) is input to the module during provisioning. Generation of this key is
   outside the scope of this policy. In the initial provisioning of an AP, this key will be
   entered in plaintext; subsequently, during provisioning, it will be entered encrypted over
   the secure IPSec session. If certificate based authentication is chosen, AP’s RSA key pair
   is used to authenticate AP to controller during IPSec. AP’s RSA private key is contained
   in the AP’s non-volatile memory and is generated at manufacturing time in factory.
   b. During the provisioning process as Mesh Point, the WPA2 PSK is input to the module via
   the corresponding Mesh cluster profile. This key is stored on flash encrypted.
9. Via the logging facility of the staging controller, ensure that the module (the AP) is successfully
provisioned with firmware and configuration.
10. Terminate the administrative session
11. Disconnect the module from the staging controller, and install it on the deployment network; when
power is applied, the module will attempt to discover and connect to an Aruba Mobility Controller
on the network.
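The key and authentication rules stated in sections 8.1.1 to 8.1.4 can be checked before anything is typed into the staging controller. The following Python check is an added example, not part of the Aruba or Dell policy text; the mode names, function names and plan layout are assumptions of this example, and it assumes the stated WPA2 PSK lengths are exact and that "ASCII" means printable ASCII.

```python
import re

# Mode table taken from the policy text; the names and layout are this example's own.
# mode -> (allowed IPSec authentication methods, mesh WPA2 PSK required?)
MODES = {
    "remote-ap":          ({"psk", "cert"}, False),
    "cpsec-ap":           ({"cert"}, False),   # CPSec always uses certificates
    "remote-mesh-portal": ({"psk", "cert"}, True),
    "remote-mesh-point":  ({"psk", "cert"}, True),
}
HEX64 = re.compile(r"[0-9A-Fa-f]{64}")

def ike_psk_ok(key):
    """IKE pre-shared key: at least 8 characters."""
    return len(key) >= 8

def wpa2_psk_ok(key):
    """Mesh WPA2 PSK: 16 ASCII characters or 64 hexadecimal digits.
    Assumption: both lengths are exact and ASCII means printable ASCII."""
    if HEX64.fullmatch(key):
        return True
    return len(key) == 16 and all(0x20 <= ord(c) <= 0x7E for c in key)

def check_plan(mode, ipsec_auth, ike_psk=None, wpa2_psk=None):
    """Return the list of policy violations for one AP's provisioning plan."""
    if mode not in MODES:
        return [f"unknown mode {mode!r}"]
    allowed_auth, needs_mesh_key = MODES[mode]
    problems = []
    if ipsec_auth not in allowed_auth:
        problems.append(f"{mode}: IPSec authentication {ipsec_auth!r} is not allowed")
    if ipsec_auth == "psk" and not (ike_psk and ike_psk_ok(ike_psk)):
        problems.append("IKE pre-shared key must be at least 8 characters")
    if needs_mesh_key and not (wpa2_psk and wpa2_psk_ok(wpa2_psk)):
        problems.append("WPA2 PSK must be 16 ASCII characters or 64 hex digits")
    return problems

if __name__ == "__main__":
    # Constructed sample plans; the key strings are placeholders, not real keys.
    plans = [
        ("remote-ap", "psk", "short", None),
        ("cpsec-ap", "psk", "EXAMPLE-ONLY-KEY", None),
        ("remote-mesh-portal", "cert", None, "EXAMPLE-ONLY-KEY"),
        ("remote-mesh-point", "psk", "EXAMPLE-ONLY-KEY", "A" * 63),
    ]
    for plan in plans:
        print(plan[0], check_plan(*plan) or "OK")
```

An empty list means the plan is consistent with the lengths and authentication methods the policy states; it says nothing about key quality, since key generation is outside the scope of the policy.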
8.1.5 Verify that the module is in FIPS mode
For all approved modes of operation (Remote AP FIPS mode, Control Plane Security AP FIPS
mode, Remote Mesh Portal FIPS mode, or Mesh Point FIPS mode), do the following to verify that the
module is in FIPS mode:
1. Log into the administrative console of the Aruba Mobility Controller.
2. Verify that the module is connected to the Mobility Controller.
3. Verify that the module has FIPS mode enabled by issuing the command “show ap ap-name <apname> config”.
4. Terminate the administrative session.