manualshive.com logo in svg

Hewlett Packard Enterprise Aruba AP-325, Manual

Share
Download
Hewlett Packard Enterprise Aruba AP-325 Manual Download Page 26

 

26|

Aruba IAP-3XX Wireless Access Points with Aruba Instant Firmware FIPS 140-2 Level 2 Security Policy

Data input and output, control input, status output, and power interfaces are defined as follows: 

 

Data input and output are the packets that use the networking functionality of the module. 

 

Control input consists of manual control inputs for power and reset through the power interfaces (power 
supply or POE). It also consists of all of the data that is entered into the access point while using the 
management interfaces.  A reset button is present which is used to reset the AP to factory default settings. 

 

Status output consists of the status indicators displayed through the LEDs, the status data that is output 
from the module while using the management interfaces, and the log file. 

o

 

LEDs indicate the physical state of the module, such as power-up (or rebooting), utilization level, 
and activation state. The log file records the results of self-tests, configuration errors, and 
monitoring data.  

 

The module may be powered by an external power supply. Operating power may also be provided via a 
Power Over Ethernet (POE) device, when connected, the power is provided through the connected 
Ethernet cable. 

 

The Console port is disabled when operating in FIPS mode by a TEL.  

The module distinguishes between different forms of data, control, and status traffic over the network ports by 
analyzing the packets header information and contents. 

7. Roles, Authentication and Services 

7.1 

Roles 

The module supports role-based authentication. There are two roles in the module (as required by FIPS 140-2 Level 2) 
that operators may assume: a Crypto Officer role and a User role. The Administrator maps to the Crypto-Officer role 
and the wireless client maps to the User role. A Slave IAP can also function under User role. Slave IAPs are non-
Approved by policy in FIPS mode. 

7.1.1  Crypto Officer Role 

The Crypto Officer role has the ability to configure, manage, and monitor the controller. One management interface 
can be used for this purpose: 

• 

SSHv2 CLI 

The Crypto Officer can use the CLI to perform non-security-sensitive and security-sensitive monitoring and 
configuration. The CLI can be accessed remotely by using the SSHv2 secured management session over 
the Ethernet ports or locally over the serial port. In FIPS Approved Mode, the serial port is disabled. The 
Crypto Officer can also create another “View Only” Crypto Officer User, which would have view only access 
to the CLI and would authenticate in the same manner. 

• 

Web Interface 

The Crypto Officer can use the Web Interface as an alternative to the CLI. The Web Interface provides a 
highly intuitive, graphical interface for a comprehensive set of management tools. The Web Interface can 
be accessed from a TLS-enabled Web browser using HTTPS (HTTP with Secure Socket Layer). 

7.1.2  User Role 

The User role can access the module’s wireless services using WPA2. 

Summary of Contents for Aruba AP-325

Page 1: ...Firmware FIPS 140 2 Level 2 Security Policy Aruba IAP 303H IAP 304 IAP 305 IAP 314 IAP 315 IAP 324 AP 325 IAP 334 and IAP 335 Wireless Access Points with Aruba Instant Firmware Non Proprietary Securi...

Page 2: ...esser General Public License LGPL or other Open Source Licenses The Open Source code used can be found at this site http www arubanetworks com open_source Legal Notice The use of Aruba switching platf...

Page 3: ...2 4 IAP 320 Series 18 2 4 1 Physical Description 19 2 4 2 Dimensions Weight 19 2 4 3 Environmental 19 2 4 4 Interfaces 19 2 5 IAP 330 Series 21 2 5 1 Physical Description 22 2 5 2 Dimensions Weight 22...

Page 4: ...Applying TELs 54 12 4 Inspection Testing of Physical Security Mechanisms 54 13 User Guidance 55 13 1 Crypto Officer Management 55 13 2 Configuring FIPS Approved Mode 55 13 3 Full Documentation 56 14...

Page 5: ...View of IAP 334 with TELs 52 Figure 35 Bottom View of IAP 334 with TELs 52 Figure 36 Top View of IAP 335 with TELs 53 Figure 37 Bottom View of IAP 335 with TELs 53 Tables Table 1 IAP 303H Status Indi...

Page 6: ...e of Standards and Technology NIST website at https csrc nist gov projects cryptographic module validation program In addition in this document the Aruba IAP 303H IAP 304 IAP 305 IAP 314 IAP 315 IAP 3...

Page 7: ...r ECO External Crypto Officer EMC Electromagnetic Compatibility EMI Electromagnetic Interference FE Fast Ethernet GE Gigabit Ethernet GHz Gigahertz HMAC Hashed Message Authentication Code Hz Hertz IKE...

Page 8: ...n this document Only the versions that explicitly appear on the certificate however are formally validated The CMVP makes no claim as to the correct operation of the module or the security strengths o...

Page 9: ...y encloses the complete set of hardware and software components and represents the cryptographic boundary of the module The IAP 303H Access Point configuration validated during the cryptographic modul...

Page 10: ...802 11a b g n ac two internal antenna USB 2 0 host interface Type A connector Bluetooth Low Energy BLE radio Bluetooth up to 4 dBm transmit power class 2 and 93 dBm receive sensitivity Figure 2 Aruba...

Page 11: ...mber Solid Device ready power save mode 802 3af PoE Single radio USB disabled Green or Amber Flashing Device ready restricted mode Uplink negotiated in sub optimal speed or Radio in non high throughpu...

Page 12: ...2 Level 2 validation It describes the purpose of the IAP 304 and IAP 305 APs their physical attributes and their interfaces Figure 6 Aruba IAP 304 Figure 7 Aruba IAP 305 These compact and cost effecti...

Page 13: ...oints configuration validated during the cryptographic modules testing included IAP 304 HW IAP 304 US TAA HPE SKU JX944A IAP 305 HW IAP 305 US TAA HPE SKU JX950A 2 2 2 Dimensions Weight The IAP 300 Se...

Page 14: ...nsole interface proprietary optional adapter cable available disabled in FIPS mode by TEL Table 3 IAP 300 Series Status Indicator LEDs LED Type Color State Meaning System Status Left Off AP powered of...

Page 15: ...2 validation It describes the purpose of the IAP 314 and IAP 315 APs their physical attributes and their interfaces Figure 9 Aruba IAP 314 Figure 10 Aruba IAP 315 These compact and cost effective dua...

Page 16: ...W IAP 315 US TAA HPE SKU JW814A 2 3 2 Dimensions Weight The IAP 310 Series have the following physical dimensions unit excluding mount accessories Dimensions 182 mm W x 180 mm D x 48 mm H Weight 650 g...

Page 17: ...ED Type Color State Meaning System Status Left Off AP powered off Green Amber Alternating Device booting not ready Green Solid Device ready Amber Solid Device ready power save mode 802 3af PoE Single...

Page 18: ...Aruba IAP 324 Figure 13 Aruba IAP 325 With a maximum concurrent data rate of 1 733 Mbps in the 5 GHz band and 600 Mbps in the 2 4 GHz band for an aggregate peak data rate of 2 3Gbps the IAP 320 Serie...

Page 19: ...have the following physical dimensions unit excluding mount accessories Dimensions 203mm W x 203mm D x 57mm H 8 0 W x 8 0 D x 2 2 H Weight 950 g 34 oz 2 4 3 Environmental Operating o Temperature 0 C...

Page 20: ...5 IAP 320 Series Status Indicator LEDs LED Type Color State Meaning System Status Left Off AP powered off Green Amber Alternating Device booting not ready Green Solid Device ready Amber Solid Device r...

Page 21: ...a best in class next generation 802 11ac Wi Fi infrastructure that is ideal for lecture halls auditoriums public venues and high density office environments The high performance and high density 802...

Page 22: ...al antennas through four N type female connectors for external antennas for the IAP 334 or twelve integrated omni directional downtilt internal antennas for the IAP 335 The case physically encloses th...

Page 23: ...tory reset during device power up Serial console interface standard RJ 45 female connector disabled in FIPS mode by TEL Table 6 IAP 330 Series Status Indicator LEDs LED Type Color State Meaning System...

Page 24: ...Points and associated modules are intended to meet overall FIPS 140 2 Level 2 requirements as shown in the following table Table 7 Intended Level of Security Section Section Title Security Level 1 Cry...

Page 25: ...ational environment is non modifiable The control plane Operating System OS is Linux a real time multi threaded operating system that supports memory protection between processes Access to the underly...

Page 26: ...fic over the network ports by analyzing the packets header information and contents 7 Roles Authentication and Services 7 1 Roles The module supports role based authentication There are two roles in t...

Page 27: ...Therefore the associated probability of a successful random attempt during a one minute period is 60 000 3 5e23 which is less than 1 in 100 000 required by FIPS 140 2 Pre shared key based authenticati...

Page 28: ...two modes of operation listed in section 13 Table 10 Crypto Officer Services Service Description Input Output CSP Access SSH v2 0 Provide authenticated and encrypted remote management sessions while u...

Page 29: ...ryptographic officer may use CLI show or view WebUI via TLS to view the module configuration routing tables and active sessions view health temperature memory status voltage and packet statistics revi...

Page 30: ...reless client role Table 11 User Services Service Description Input Output CSP Access 802 11i Shared Key Mode Access the module s 802 11i services in order to secure network traffic 802 11i inputs com...

Page 31: ...d services which are available regardless of role System status module LEDs Reboot module by removing replacing power Self test and initialization at power on Internet Control Message Protocol ICMP se...

Page 32: ...Below are the detailed lists for the FIPS approved algorithms and the associated certificates implemented by each algorithm implementation Table 12 Aruba Instant VPN Module CAVP Certificates Aruba In...

Page 33: ...nly encryption only 128 192 256 Data Encryption Decryption C565 CVL SSH TLS4 SP800 135 Rev1 TLS SSH TLS SHA 256 SHA 384 SSH SHA 1 SHA 256 SHA 384 SHA 512 Key Derivation for SSH TLS EAP TLS C565 DRBG S...

Page 34: ...l Signature Verification only C563 SHS FIPS 180 4 SHA 1 SHA 256 160 256 Message Digest Note o Only Firmware signed with SHA 256 is permitted in the Approved mode Digital signature verification with SH...

Page 35: ...DRNG entropy source used solely for seeding the SP 800 90A approved DRBG RSA key wrapping key establishment methodology provides 112 bits of encryption strength Triple DES used with the KEK no securit...

Page 36: ...Zeroized on reboot DRBG 4 DRBG V SP800 90A 440 bits Generated per SP800 90A Stored in plaintext in volatile memory Zeroized on reboot DRBG 5 Diffie Hellman Private Key Diffie Hellman Group 14 224 bit...

Page 37: ...LS Master Secret Secret 48 bytes This key is derived via the key derivation function defined in SP800 135 KDF TLS using the TLS Pre Master Secret Stored in SDRAM memory plaintext Zeroized by rebooting...

Page 38: ...plaintext Zeroized by rebooting the module Used for 802 11i encryption 22 Factory CA Public Key RSA 2048 bits This is an RSA public key Loaded into the module during manufacturing Stored in Flash and...

Page 39: ...ncryption Key AES CBC 128 256 bits Derived in the module using SP800 135 KDF during IKEv2 service implementation Stored in plaintext in volatile memory Zeroized when session is closed IKEv2 payload en...

Page 40: ...entropy calculation of 215 04 bits so Aruba has included the following entropy caveat The module generates cryptographic keys whose strengths are modified by available entropy 10 Self Tests The modul...

Page 41: ...during operation o SP800 90A Section 11 3 Health Tests for HASH_DRBG Instantiate Generate and Reseed ArubaInstant UBOOT BootLoader Module Firmware Load Test RSA PKCS 1 v1 5 2048 bits signature verifi...

Page 42: ...reless Access Point components A mount kit compatible with the AP and mount surface sold separately A compatible Category 5 UTP Ethernet cable External antennas when using the IAP 304 IAP 314 IAP 324...

Page 43: ...act any device cable object or person attached to a different electrical ground Also never connect the device to external storm grounding sources Installation or removal of the device or any module mu...

Page 44: ...operate in a FIPS Approved mode of operation Aruba Networks provides double the required amount of TELs If a customer requires replacement TELs please call customer support and Aruba Networks will pro...

Page 45: ...reless Access Points Refer to the next section for guidance on applying the TELs 12 2 1 TELs Placement on the IAP 303H The IAP 303H requires 3 TELs one on each side and bottom edge labels 1 and 2 to d...

Page 46: ...lacement on the IAP 304 The IAP 304 requires 3 TELs one on each side edge labels 1 and 2 to detect opening the device and one covering the console port label 3 to detect access to a restricted port Se...

Page 47: ...lacement on the IAP 305 The IAP 305 requires 3 TELs one on each side edge labels 1 and 2 to detect opening the device and one covering the console port label 3 to detect access to a restricted port Se...

Page 48: ...lacement on the IAP 314 The IAP 314 requires 3 TELs one on each side edge labels 1 and 2 to detect opening the device and one covering the console port label 3 to detect access to a restricted port Se...

Page 49: ...lacement on the IAP 315 The IAP 315 requires 3 TELs one on each side edge labels 1 and 2 to detect opening the device and one covering the console port label 3 to detect access to a restricted port Se...

Page 50: ...lacement on the IAP 324 The IAP 324 requires 3 TELs one on each side edge labels 1 and 2 to detect opening the device and one covering the console port label 3 to detect access to a restricted port Se...

Page 51: ...lacement on the IAP 325 The IAP 325 requires 3 TELs one on each side edge labels 1 and 2 to detect opening the device and one covering the console port label 3 to detect access to a restricted port Se...

Page 52: ...lacement on the IAP 334 The IAP 334 requires 3 TELs one on each side edge labels 1 and 2 to detect opening the device and one covering the console port label 3 to detect access to a restricted port Se...

Page 53: ...lacement on the IAP 335 The IAP 335 requires 3 TELs one on each side edge labels 1 and 2 to detect opening the device and one covering the console port label 3 to detect access to a restricted port Se...

Page 54: ...t TELS please call Aruba Networks customer support and request FIPS Kit part number 4011570 01 HPE SKU JY894A Once the TELs are applied the Crypto Officer CO should perform initial setup and configura...

Page 55: ...trange activity is found the Crypto Officer should take the Wireless Access Point offline and investigate The Tamper Evident Labels TELs must be regularly examined for signs of tampering Refer to Tabl...

Page 56: ...aging BLE Beacons pages 403 405 for setting BLE Operation Mode to disabled 10 Via the logging facility of the IAP ensure that the IAP is successfully provisioned with firmware and configuration 11 Ter...

Page 57: ...n about the client that is connected to the Instant network to find the operating system that the client is running on to allow Identifying rogue clients Helps to identify clients that are running on...

Page 58: ...generate ARP packets on the wired network to contain wireless attacks from Rogue Instant APs with invalid MAC addresses Instant APs can attempt to disconnect all clients that are connected or attempt...

Reviews:

No comments

Brands by name

Popular brands

Load more brands