Aruba AP-5XX Wireless Access Points with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy
13. Secure Operation
The Aruba AP-504, AP-505, AP-514, AP-515, AP-534, AP-535 and AP-555 Wireless Access Points meet FIPS 140-2 Level 2 requirements. The information below describes how to keep the Wireless Access Point in a FIPS-Approved mode of operation.

The module can be configured to be in only the following FIPS Approved mode of operation via corresponding Aruba Mobility Controllers that have been certified to FIPS level 2:
Table 14 - FIPS Approved Mode of Operation

| FIPS-Approved Mode of Operation | Description |
| --- | --- |
| Control Plane Security (CPSec) Protected AP FIPS mode | When the module is configured as a Control Plane Security Protected AP it is intended to be deployed in a local/private location (LAN, WAN, MPLS) relative to the Mobility Controller. The module provides cryptographic processing in the form of IPSec for all Control traffic to and from the Mobility Controller. |
In addition, the module also supports a non-FIPS mode – an un-provisioned AP, which by default does not serve any wireless clients. The module also supports three modes that are not part of the FIPS-Approved mode of operation: Remote AP mode and the two (2) Mesh modes, Mesh Portal mode and Mesh Point mode.
Table 15 – Non-Approved Modes of Operation

| Non-Approved Mode of Operation | Description |
| --- | --- |
| Remote AP mode | When the module is configured as a Remote AP, it is intended to be deployed in a remote location (relative to the Mobility Controller). The module provides cryptographic processing in the form of IPSec for all traffic to and from the Mobility Controller. |
| Mesh Portal mode | When the module is configured in Mesh Portal mode, it is intended to be connected over a physical wire to the Mobility Controller. These modules serve as the connection point between the Mesh Point and the Mobility Controller. Mesh Portals communicate with the Mobility Controller through IPSec and with Mesh Points via an 802.11i session. The Crypto Officer role is the Mobility Controller that authenticates via the IKEv2 pre-shared key or RSA/ECDSA certificate authentication method, and Users are the "n" Mesh Points that authenticate via 802.11i pre-shared key. |
| Mesh Point mode | When the module is configured in Mesh Point mode, it is an AP that establishes an all-wireless path to the Mesh Portal over 802.11 and an IPSec tunnel via the Mesh Portal to the controller. |
Note: To change configurations from any one mode to any other mode requires the module to be re-provisioned and rebooted before any new configured mode can be enabled.
The Crypto Officer must ensure that the Wireless Access Point is kept in a FIPS-Approved mode of operation.