background image

Aruba AP-5XX Wireless Access Points with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy 

Aruba AP-504, AP-505, AP-514, AP-

515, AP-534, AP-535 and AP-555 

Wireless Access Points 

with ArubaOS FIPS Firmware

Non-Proprietary Security Policy  

FIPS 140-2 Level 2

Version 1.1 

February 2021

Summary of Contents for AP-504

Page 1: ...ArubaOS FIPS Firmware FIPS 140 2 Level 2 Security Policy Aruba AP 504 AP 505 AP 514 AP 515 AP 534 AP 535 and AP 555 Wireless Access Points with ArubaOS FIPS Firmware Non Proprietary Security Policy FIPS 140 2 Level 2 Version 1 1 February 2021 ...

Page 2: ...esser General Public License LGPL or other Open Source Licenses The Open Source code used can be found at this site http www arubanetworks com open_source Legal Notice The use of Aruba switching platforms and software by all individuals or corporations to terminate other vendors VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and in...

Page 3: ...ironmental 19 2 3 4 Interfaces 19 2 4 AP 550 Series 21 2 4 1 Physical Description 22 2 4 2 Dimensions Weight 22 2 4 3 Environmental 22 2 4 4 Interfaces 22 3 Module Objectives 24 3 1 Security Levels 24 4 Physical Security 25 5 Operational Environment 25 6 Logical Interfaces 25 7 Roles Authentication and Services 26 7 1 Crypto Officer Role 26 7 2 User Role 28 7 3 Authentication Mechanisms 28 7 4 Una...

Page 4: ... on the AP 514 44 12 2 4 TELs Placement on the AP 515 45 12 2 5 TELs Placement on the AP 534 46 12 2 6 TELs Placement on the AP 535 47 12 2 7 TELs Placement on the AP 555 48 12 3 Applying TELs 49 12 4 Inspection Testing of Physical Security Mechanisms 49 13 Secure Operation 50 13 1 Crypto Officer Management 51 13 2 User Guidance 51 13 3 Setup and Configuration 51 13 4 Setting Up Your Wireless Acce...

Page 5: ... Point Front 17 Figure 14 Aruba AP 535 Campus Access Point Back 18 Figure 15 Aruba AP 530 Series Campus Access Point Interfaces 19 Figure 16 Aruba AP 555 Campus Access Point Front 21 Figure 17 Aruba AP 555 Campus Access Point Back 21 Figure 18 Aruba AP 550 Series Campus Access Point Interfaces 23 Figure 19 Tamper Evident Labels 41 Figure 20 Top View of AP 504 with TELs 42 Figure 21 Bottom View of ...

Page 6: ...ded Level of Security 24 Table 6 FIPS 140 2 Logical Interfaces 25 Table 7 Crypto Officer Services 27 Table 8 Estimated Strength of Authentication Mechanisms 28 Table 9 ArubaOS OpenSSL Module CAVP Certificates 30 Table 10 ArubaOS Crypto Module CAVP Certificates 31 Table 11 ArubaOS UBOOT Bootloader CAVP Certificates 32 Table 12 CSPs Keys Used in the Module 34 Table 13 Inspection Testing of Physical ...

Page 7: ...echnology NIST website at https csrc nist gov projects cryptographic module validation program In addition in this document the Aruba AP 504 AP 505 AP 514 AP 515 AP 534 AP 535 and AP 555 Wireless Access Points are referred to as the Wireless Access Point the AP the module the cryptographic module Aruba Wireless Access Points Aruba Wireless APs Aruba Campus Access Points and AP 5XX Wireless Access ...

Page 8: ...r ECO External Crypto Officer EMC Electromagnetic Compatibility EMI Electromagnetic Interference FE Fast Ethernet GE Gigabit Ethernet GHz Gigahertz HMAC Hashed Message Authentication Code Hz Hertz IKE Internet Key Exchange IPsec Internet Protocol security KAT Known Answer Test KEK Key Encryption Key L2TP Layer 2 Tunneling Protocol LAN Local Area Network LED Light Emitting Diode SHA Secure Hash Alg...

Page 9: ...should be FIPS validate able and meet the claims made in this document Only the versions that explicitly appear on the certificate however are formally validated The CMVP makes no claim as to the correct operation of the module or the security strengths of the generated keys when operating under a version that is not listed on the validation certificate 2 1 AP 500 Series This section introduces th...

Page 10: ...al Frequency Division Multiple Access OFDMA for increased user data rates and reduced latency downlink Multi User Multiple Input Multiple Output MU MIMO for improved network capacity with multiples devices capable to transmit simultaneously 2x2 MIMO with up to two spatial streams 2SS in both the 5 GHz and 2 4 GHz bands channel bandwidths up to 80 MHz in 5 GHz 40 MHz in 2 4 GHz and 1024 QAM modulat...

Page 11: ...ographic modules consisting of hardware and software all contained in hard opaque plastic cases The modules contain 802 11 a b g n ac ax transceivers and support two integrated omni directional downtilt antennas each The case physically encloses the complete set of hardware and software components and represents the cryptographic boundary of the module The Access Point configurations validated dur...

Page 12: ...erial console interface proprietary optional adapter cable available disabled in FIPS mode Table 1 AP 500 Series Status Indicator LEDs LED Type Color State Meaning System Status Left Off AP powered off Green Blinking Device booting not ready Green Solid Device ready Amber Solid Device ready power save mode 802 3af PoE Single radio USB disabled Green or Amber Flashing Device ready restricted mode U...

Page 13: ...troduces the Aruba AP 510 Series Campus Access Points APs with FIPS 140 2 Level 2 validation It describes the purpose of the AP 514 and AP 515 APs their physical attributes and their interfaces Figure 6 Aruba AP 514 Campus Access Point Front Figure 7 Aruba AP 514 Campus Access Point Back Figure 8 Aruba AP 515 Campus Access Point Front ...

Page 14: ... per radio and has a total of four dual band antennas In addition to 802 11ax standard capabilities the Wi Fi 6 510 Series supports unique features like Aruba ClientMatch radio management and additional radios Bluetooth 5 and Zigbee for location services asset tracking services security solutions and IoT sensors as well as ArubaOS 8 features like Aruba Activate and AirMatch with machine learning t...

Page 15: ...ions Dimensions weight AP 515 unit excluding mount bracket 200mm W x 200mm D x 46mm H 7 9 W x 7 9 D x 1 8 H 810g 28 5oz Dimensions weight AP 515 shipping 230mm W x 220mm D x 72mm H 9 1 W x 8 7 D x 2 8 H 1 010g 35 5oz 2 2 3 Environmental Operating o Temperature 0 C to 50 C 32 F to 122 F o Humidity 5 to 93 non condensing Storage and transportation o Temperature 40 C to 70 C 40 F to 158 F o Humidity ...

Page 16: ...ial console interface proprietary optional adapter cable available disabled in FIPS mode Table 2 AP 510 Series Status Indicator LEDs LED Type Color State Meaning System Status Left Off AP powered off Green Blinking Device booting not ready Green Solid Device ready Amber Solid Device ready power save mode 802 3af PoE Single radio USB disabled Green or Amber Flashing Device ready restricted mode Upl...

Page 17: ...oduces the Aruba AP 530 Series Campus Access Points APs with FIPS 140 2 Level 2 validation It describes the purpose of the AP 534 and AP 535 APs their physical attributes and their interfaces Figure 11 Aruba AP 534 Campus Access Point Front Figure 12 Aruba AP 534 Campus Access Point Back Figure 13 Aruba AP 535 Campus Access Point Front ...

Page 18: ...agement and additional radios Bluetooth 5 and Zigbee for location services asset tracking services security solutions and IoT sensors as well as ArubaOS 8 features like Aruba Activate and AirMatch with machine learning technology to automatically optimize the wireless network performance The AP 534 has four female RP SMA connectors for external dual band antennas A0 through A3 corresponding with r...

Page 19: ...nvironmental Operating o Temperature 0 C to 50 C 32 F to 122 F o Humidity 5 to 93 non condensing Storage and transportation o Temperature 40 C to 70 C 40 F to 158 F o Humidity 5 to 93 non condensing 2 3 4 Interfaces The module provides the following network interfaces E0 One HPE Smart Rate port RJ 45 Auto sensing link speed 100 1000 2500 5000BASE T and MDI MDX o 802 3az Energy Efficient Ethernet E...

Page 20: ...ary optional adapter cable available disabled in FIPS mode Table 3 AP 530 Series Status Indicator LEDs LED Type Color State Meaning System Status Left Off AP powered off Green Blinking Device booting not ready Green Solid Device ready Amber Solid Device ready power save mode 802 3at PoE Single radio USB disabled Green or Amber Flashing Device ready restricted mode Uplink negotiated in sub optimal ...

Page 21: ...s which include up and downlink Orthogonal Frequency Division Multiple Access OFDMA with up to 37 resource units for increased user data rates and reduced latency up and downlink Multi User Multiple Input Multiple Output MU MIMO for improved network capacity with multiples devices capable to transmit simultaneously 8x8 MIMO with up to eight spatial streams 8SS in the 5 GHz band and 4x4 MIMO with u...

Page 22: ...g n ac ax transceivers and support eight integrated omni directional downtilt antennas The case physically encloses the complete set of hardware and software components and represents the cryptographic boundary of the module The Access Point configuration validated during the cryptographic module testing included HW AP 555 USF1 HPE SKU JZ367A 2 4 2 Dimensions Weight The AP has the following physic...

Page 23: ...onal adapter cable available disabled in FIPS mode Table 4 AP 550 Series Status Indicator LEDs LED Type Color State Meaning System Status Left Off AP powered off Green Blinking Device booting not ready Green Solid Device ready Amber Solid Device ready power save mode 802 3at PoE Single radio USB disabled Green or Amber Flashing Device ready restricted mode Uplink negotiated in sub optimal speed or...

Page 24: ...and associated modules are intended to meet overall FIPS 140 2 Level 2 requirements as shown in Table 3 Table 5 Intended Level of Security Section Section Title Security Level 1 Cryptographic Module Specification 2 2 Cryptographic Module Ports and Interfaces 2 3 Roles Services and Authentication 2 4 Finite State Model 2 5 Physical Security 2 6 Operational Environment N A 7 Cryptographic Key Manage...

Page 25: ...threaded operating system that supports memory protection between processes Access to the underlying Linux implementation is not provided directly Only Aruba Networks provided interfaces are used and the Command Line Interface CLI is a restricted command set The module only allows the loading of trusted and verified firmware that is signed by Aruba Any firmware loaded into this module that is not ...

Page 26: ...Crypto Officer role and a User role as required by FIPS 140 2 Level 2 There are no additional roles e g Maintenance supported Administrative operations carried out by the Aruba Mobility Controller or Aruba Mobility Master map to the Crypto Officer role Defining characteristics of the roles depend on whether the module is configured in either Remote AP mode Control Plane Security CPSec Protected AP...

Page 27: ... commands and configuration data None Update module firmware1 The CO can trigger a module firmware update Commands and configuration data Status of commands and configuration data 1 12 read Configure non security related module parameters CO can configure various operational parameters that do not relate to security Commands and configuration data Status of commands and configuration data None Cre...

Page 28: ...ble 8 Estimated Strength of Authentication Mechanisms Authentication Type Role s Strength RSA Certificate based authentication Crypto Officer User The module supports 2048 bit RSA key authentication during IKEv2 RSA 2048 bit keys correspond to 112 bits of security Assuming the low end of that range the associated probability of a successful random attempt is 1 in 2 112 which is less than 1 in 1 00...

Page 29: ...re available in FIPS mode are also available in non FIPS mode If not operating in the Approved mode as per the procedures in sections 13 1 Crypto Officer Management 13 4 Setting Up Your Wireless Access Point and 13 5 Enabling FIPS Mode on the Staging Controller then non Approved algorithms and or sizes are available Upgrading the firmware via the console port Debugging via the console port IPSec I...

Page 30: ...lgorithm modes that are utilized by the module The firmware supports the following cryptographic implementations Table 9 ArubaOS OpenSSL Module CAVP Certificates ArubaOS OpenSSL Module CAVP Certificate Algorithm Standard Mode Method Key Lengths Curves Moduli Use C1253 AES FIPS 197 SP 800 38A ECB CTR 256 ext only 128 256 Data Encryption Decryption C1253 DRBG SP 800 90A AES CTR 256 Deterministic Ran...

Page 31: ... IKEv2 DH 2048 bit SHA2 256 SHA2 384 Key Derivation C1254 ECDSA FIPS 186 4 PKG SigGen SigVer P 256 P 384 Digital Key Generation Signature Generation and Verification C1254 HMAC FIPS 198 1 HMAC SHA 1 HMAC SHA2 256 HMAC SHA2 384 HMAC SHA2 5124 HMAC SHA 1 96 HMAC SHA 256 128 HMAC SHA 384 192 Key Size Block Size Message Authentication C1254 RSA FIPS 186 2 SHA 1 SHA2 256 SHA2 384 PKCS1 v1 5 2048 Digita...

Page 32: ...ificates ArubaOS UBOOT Bootloader CAVP Certificate Algorithm Standard Mode Method Key Lengths Curves Moduli Use C1255 RSA FIPS 186 4 SHA 1 SHA2 256 PKCS1 v1 5 2048 Digital Signature Verification C1255 SHS FIPS 180 4 SHA 1 SHA 256 Byte Only 160 256 Message Digest Note Only Firmware signed with SHA 256 is permitted in the Approved mode Digital signature verification with SHA 1 while available within...

Page 33: ...greement key establishment methodology provides 128 or 192 bits of encryption strength Note IKEv2 protocol has not been reviewed or tested by the CAVP and CMVP 8 3 Non FIPS Approved Cryptographic Algorithms The cryptographic module implements the following non FIPS Approved algorithms that are Not Permitted for use in the FIPS 140 2 mode of operations DES HMAC MD5 MD5 RC4 RSA non compliant less th...

Page 34: ...requires a random number Stored in SDRAM memory plaintext Zeroized by rebooting the module 3 DRBG Seed SP800 90A CTR_DRBG 384 bits Input to the DRBG that determines the internal state of the DRBG Generated using DRBG derivation function that includes the entropy input from the entropy source Stored in SDRAM memory plaintext Zeroized by rebooting the module 4 DRBG Key SP800 90A CTR_DRBG 256 bits Th...

Page 35: ...llman Exchange Used for deriving IPSec IKE cryptographic keys Stored in SDRAM memory plaintext Zeroized by rebooting the module 12 Factory CA Public Key RSA 2048 bits This is RSA public key Loaded into the module during manufacturing Used for Firmware verification Stored in TPM Since this is a public key the zeroization requirements do not apply IPSec IKE 13 SKEYSEED Shared Secret 160 256 384 bits...

Page 36: ...in IKEv2 This key can also be entered by the CO Stored in Flash memory obfuscated with KEK Zeroized by using command ap wipe out flash 19 IKE RSA Public Key RSA Public Key 2048 bits This is the RSA public key This key is derived in compliance with FIPS 186 4 RSA key pair generation method in the module It is used for RSA signature verification in IKEv2 This key can also be entered by the CO Stored...

Page 37: ...rms Conditional tests after being configured into either FIPS approved mode with Control Plane Security CPSec Protected AP FIPS mode or non FIPS mode with the non Approved Remote AP mode Mesh Portal mode or Mesh Point mode In the event any self test fails the module will enter an error state log the error and reboot automatically The module performs the following POSTs Power On Self Tests ArubaOS ...

Page 38: ...onsistency Test ArubaOS UBOOT BootLoader Module algorithm implementation o Firmware Load Test RSA PKCS 1 v1 5 2048 bits signature verification with SHA 256 These self tests are run for the Aruba OpenSSL and ArubaOS cryptographic module implementations Self test results are written to the serial console In the event of a KATs failure the AP logs different messages depending on the error For an Arub...

Page 39: ...a AP 5XX Wireless Access Point components A mount kit compatible with the AP and mount surface sold separately A compatible Category 5 UTP Ethernet cable External antennas when using the AP 504 AP 514 or AP 534 Phillips or cross head screwdriver Optional a compatible 12V AP 504 AP 505 AP 514 or AP 515 or 48V AP 534 AP 535 or AP 555 AC to DC power adapter with power cord Optional a compatible PoE m...

Page 40: ...act any device cable object or person attached to a different electrical ground Also never connect the device to external storm grounding sources Installation or removal of the device or any module must be performed in a static free environment The proper use of anti static body straps and mats is strongly recommended Keep modules in anti static packaging when not installed in the chassis Do not s...

Page 41: ...operate in a FIPS Approved mode of operation Aruba Networks provides double the required amount of TELs If a customer requires replacement TELs please call customer support and Aruba Networks will provide the TELs Part 4011570 01 HPE SKU JY894A The Crypto officer shall be responsible for keeping the extra TELs at a safe location and managing the use of the TELs 12 1 Reading TELs Once applied the T...

Page 42: ...AP 535 and AP 555 Wireless Access Points Refer to the next section for guidance on applying the TELs 12 2 1 TELs Placement on the AP 504 The AP 504 requires 4 TELs one on each side edge labels 1 2 and 3 to detect opening the device and one covering the console port label 4 to detect access to a restricted port See figures 20 and 21 for placement Figure 20 Top View of AP 504 with TELs Figure 21 Bot...

Page 43: ...cement on the AP 505 The AP 505 requires 4 TELs one on each side edge labels 1 2 and 3 to detect opening the device and one covering the console port label 4 to detect access to a restricted port See figures 22 and 23 for placement Figure 22 Top View of AP 505 with TELs Figure 23 Bottom View of Aruba AP 505 with TELs ...

Page 44: ...acement on the AP 514 The AP 514 requires 3 TELs one on each side edge labels 1 and 2 to detect opening the device and one covering the console port label 3 to detect access to a restricted port See figures 24 and 25 for placement Figure 24 Top View of AP 514 with TELs Figure 25 Bottom View of Aruba AP 514 with TELs ...

Page 45: ...cement on the AP 515 The AP 515 requires 4 TELs one on each side edge labels 1 2 and 3 to detect opening the device and one covering the console port label 4 to detect access to a restricted port See figures 26 and 27 for placement Figure 26 Top View of AP 515 with TELs Figure 27 Bottom View of Aruba AP 515 with TELs ...

Page 46: ...acement on the AP 534 The AP 534 requires 3 TELs one on each side edge labels 1 and 2 to detect opening the device and one covering the console port label 3 to detect access to a restricted port See figures 28 and 29 for placement Figure 28 Top View of AP 534 with TELs Figure 29 Bottom View of Aruba AP 534 with TELs ...

Page 47: ...acement on the AP 535 The AP 535 requires 3 TELs one on each side edge labels 1 and 2 to detect opening the device and one covering the console port label 3 to detect access to a restricted port See figures 30 and 31 for placement Figure 30 Top View of AP 535 with TELs Figure 31 Bottom View of Aruba AP 535 with TELs ...

Page 48: ...acement on the AP 555 The AP 555 requires 3 TELs one on each side edge labels 1 and 2 to detect opening the device and one covering the console port label 3 to detect access to a restricted port See figures 32 and 33 for placement Figure 32 Top View of AP 555 with TELs Figure 33 Bottom View of Aruba AP 555 with TELs ...

Page 49: ...t TELS please call Aruba Networks customer support and request FIPS Kit part number 4011570 01 HPE SKU JY894A Once the TELs are applied the Crypto Officer CO should perform initial setup and configuration as described in the next chapter 12 4 Inspection Testing of Physical Security Mechanisms The Crypto Officer should inspect test the physical security mechanisms according to the recommended test ...

Page 50: ...sh Portal mode and Mesh Point mode Table 15 Non Approved Modes of Operation Non Approved Mode of Operation Description Remote AP mode When the module is configured as a Remote AP it is intended to be deployed in a remote location relative to the Mobility Controller The module provides cryptographic processing in the form of IPSec for all traffic to and from the Mobility Controller Mesh Portal mode...

Page 51: ...efer to section 13 6 Non Approved Mode Configurations for non Approved configurations in a FIPS Approved mode The user is responsible for zeroizing all CSPs when switching modes 13 2 User Guidance Although outside the boundary of the Wireless Access Point the User should be directed to be careful not to provide authentication information and session keys to others parties 13 3 Setup and Configurat...

Page 52: ...of the staging controller ensure that the module the AP is successfully provisioned with firmware and configuration To verify that the image is being run the CO can enter show ap image on the controller to verify the correct image is present on the device 7 Terminate the administrative session 8 Disconnect the module from the staging controller and install it on the deployment network When power i...

Page 53: ...ved The following configurations are forcibly disabled by the module o All WEP features o WPA o TKIP mixed mode o Any combination of DES MD5 and PPTP The following configurations are non Approved by policy only o Firmware images signed with SHA 1 o Enhanced PAPI Security o Null Encryption o USB CSR Key Storage o Telnet o EAP TLS Termination o IPSec IKE using Triple DES o Remote AP mode o Mesh Port...

Reviews: