Hewlett Packard Enterprise Aruba IAP-303H Manual

with Aruba Instant Firmware

Aruba IAP-303H, IAP-304, IAP-305,
IAP-314, IAP-315, IAP-324, AP-325,
IAP-334, and IAP-335 Wireless
Access Points
with Aruba Instant Firmware
Non-Proprietary Security Policy
FIPS 140-2 Level 2
Version 4.9
February 2021
Aruba IAP-3XX Wireless Access Points with Aruba Instant Firmware FIPS 140-2 Level 2 Security Policy

Summary of Contents for Hewlett Packard Enterprise Aruba IAP-303H

  • Page 1 Aruba IAP-303H, IAP-304, IAP-305, IAP-314, IAP-315, IAP-324, AP-325, IAP-334, and IAP-335 Wireless Access Points with Aruba Instant Firmware Non-Proprietary Security Policy FIPS 140-2 Level 2 Version 4.9 February 2021 Aruba IAP-3XX Wireless Access Points with Aruba Instant Firmware FIPS 140-2 Level 2 Security Policy...
  • Page 2 Open Source Code Certain Hewlett Packard Enterprise Company products include Open Source software code developed by third parties, including software code subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses.
  • Page 3: Table Of Contents

    Contents
    Purpose of this Document ..... 6
    1.1. Related Documents ..... 6
    1.2. Additional Product Information ..... 6
    1.3. Acronyms and Abbreviations ..... 7
    Product Overview ..... 8
    2.1 IAP-303H ..... 8
    2.1.1 Physical Description ..... 9
    2.1.2 Dimensions/Weight ..... 9
    2.1.3 Environmental .....
  • Page 4: Figures
    Figure 1 - Aruba IAP-303H (with stand) ..... 8
    Figure 2 - Aruba IAP-303H Wireless Access Point – Interfaces (Front View) ..... 10
    Figure 3 - Aruba IAP-303H Wireless Access Point – Interfaces (Rear View) ..... 10
    Figure 4 - Aruba IAP-303H Wireless Access Point – Interfaces (Bottom View) ..... 11
    Figure 5 - Aruba IAP-303H Wireless Access Point – ...
  • Page 5
    Figure 19 – Right View of IAP-303H with TELs ..... 45
    Figure 20 – Left View of IAP-303H with TELs ..... 45
    Figure 21 – Bottom View of IAP-303H with TELs ..... 45
    Figure 22 – Top View of IAP-304 with TELs ..... 46
    Figure 23 – ...
  • Page 6: Purpose Of This Document

    National Institute of Standards and Technology (NIST) website at: https://csrc.nist.gov/projects/cryptographic-module-validation-program In addition, in this document, the Aruba IAP-303H, IAP-304, IAP-305, IAP-314, IAP-315, IAP-324, IAP-325, IAP-334, and IAP-335 Wireless Access Points with Aruba Instant Firmware are referred to as the Wireless Access Point, the AP, the IAP, the module, the cryptographic module, Aruba Wireless Access Points, Aruba Wireless APs, Aruba Access Points, and IAP-3XX Wireless APs.
  • Page 7: Acronyms And Abbreviations

    1.3. Acronyms and Abbreviations: Advanced Encryption Standard; Access Point; Cipher Block Chaining; Command Line Interface; Crypto Officer; CPSec (Control Plane Security protected); CSEC (Communications Security Establishment Canada); Critical Security Parameter; External Crypto Officer; Electromagnetic Compatibility; Electromagnetic Interference; Fast Ethernet; Gigabit Ethernet; Gigahertz; HMAC (Hashed Message Authentication Code) ...
  • Page 8: Product Overview

    States. From a FIPS perspective, both –US TAA and –RW TAA models are identical and fully FIPS compliant. 2.1 IAP-303H This section introduces the Aruba IAP-303H Wireless Access Point (AP) with FIPS 140-2 Level 2 validation. It describes the purpose of the IAP-303H, its physical attributes, and its interfaces.
  • Page 9: Physical Description

    PoE power to the attached device. 2.1.1 Physical Description The Aruba IAP-303H Access Point is a multi-chip standalone cryptographic module consisting of hardware and software, all contained in a hard, opaque plastic case. The module contains 802.11 a/b/g/n/ac transceivers and supports two internal dual-band antennas.
  • Page 10: Figure 2 - Aruba Iap-303H Wireless Access Point - Interfaces (Front View)

    • Bluetooth: up to 4 dBm transmit power (class 2) and -93 dBm receive sensitivity. Figure 2 - Aruba IAP-303H Wireless Access Point – Interfaces (Front View). Figure 3 - Aruba IAP-303H Wireless Access Point – Interfaces (Rear View).
  • Page 11: Figure 4 - Aruba Iap-303H Wireless Access Point - Interfaces (Bottom View)

    Figure 4 - Aruba IAP-303H Wireless Access Point – Interfaces (Bottom View). Figure 5 - Aruba IAP-303H Wireless Access Point – Interfaces (Side View). Other Interfaces: • Visual indicators (multi-color LEDs): for System, Radio (5 and 2.4 GHz) and Ethernet status ...
  • Page 12: Iap-300 Series

    2.2 IAP-300 Series This section introduces the Aruba IAP-300 Series Wireless Access Points (APs) with FIPS 140-2 Level 2 validation. It describes the purpose of the IAP-304 and IAP-305 APs, their physical attributes, and their interfaces. Figure 6 - Aruba IAP-304 Figure 7 - Aruba IAP-305 These compact and cost-effective dual-radio IAPs implement a dual radio 802.11ac Access Point with Multi-User MIMO - Supports up to 1,300 Mbps in the 5GHz band (with 3SS/VHT80 clients) and up to 300 Mbps in the 2.4GHz...
  • Page 13: Physical Description

    2.2.1 Physical Description The Aruba IAP-304 and IAP-305 Access Points are multi-chip standalone cryptographic modules consisting of hardware and software, all contained in a hard, opaque plastic case. Each module contains 802.11 a/b/g/n/ac transceivers and supports three external antennas through three N-type female connectors (IAP-304), or three internal antennas (IAP-305).
  • Page 14: Table 3 - Iap-300 Series Status Indicator Leds

    Bluetooth Low Energy (BLE) radio: • Bluetooth: up to 3 dBm transmit power (class 2) and -92 dBm receive sensitivity. DC power interface: • 12V DC (nominal, +/- 5%) • 2.1-mm/5.5-mm center-positive circular plug with 9.5-mm length. Antenna interfaces: • 802.11a/b/g/n/ac three external antennas (IAP-304) or three internal antennas (IAP-305). Other Interfaces: ...
  • Page 15: Iap-310 Series

    2.3 IAP-310 Series This section introduces the Aruba IAP-310 Series Wireless Access Points (APs) with FIPS 140-2 Level 2 validation. It describes the purpose of the IAP-314 and IAP-315 APs, their physical attributes, and their interfaces. Figure 9 - Aruba IAP-314 Figure 10 - Aruba IAP-315 These compact and cost-effective dual-radio APs implement a dual radio 802.11ac access point with Multi-User MIMO - Supports up to 1,733Mbps in the 5GHz band (with 4SS/VHT80 or 2SS/VHT160 clients) and up to 300 Mbps...
  • Page 16: Physical Description

    2.3.1 Physical Description The Aruba IAP-314 and IAP-315 Access Points are multi-chip standalone cryptographic modules consisting of hardware and software, all contained in hard, opaque plastic cases. Each module contains 802.11 a/b/g/n/ac transceivers and supports four external antennas through four N-type female connectors (IAP-314), or four internal antennas (IAP-315).
  • Page 17: Figure 11 - Aruba Iap-310 Series Access Point - Interfaces

    Figure 11 - Aruba IAP-310 Series Access Point – Interfaces. Other Interfaces: • Visual indicators (two multi-color LEDs): for System and Radio status • Reset button: factory reset (during device power up) • Serial console interface (proprietary; optional adapter cable available; disabled in FIPS mode by TEL). Table 4 - IAP-310 Series Status Indicator LEDs: LED Type ...
  • Page 18: Iap-320 Series

    2.4 IAP-320 Series This section introduces the Aruba IAP-320 Series Wireless Access Points (APs) with FIPS 140-2 Level 2 validation. It describes the purpose of the IAP-324 and IAP-325 APs, their physical attributes, and their interfaces. Figure 12 - Aruba IAP-324 Figure 13 - Aruba IAP-325 With a maximum concurrent data rate of 1,733 Mbps in the 5 GHz band and 600 Mbps in the 2.4 GHz band (for an aggregate peak data rate of 2.3Gbps), the IAP-320 Series Access Points deliver a best-in-class, next-generation...
  • Page 19: Physical Description

    2.4.1 Physical Description The Aruba IAP-324 and IAP-325 Access Points are multi-chip standalone cryptographic modules consisting of hardware and software, all contained in hard, opaque plastic cases. Each module contains 802.11 a/b/g/n/ac transceivers and supports four external antennas through four N-type female connectors (IAP-324), or eight integrated omni-directional downtilt internal antennas (IAP-325).
  • Page 20: Figure 14 - Aruba Iap-320 Series Access Point - Interfaces

    Figure 14 - Aruba IAP-320 Series Access Point – Interfaces. Antenna interfaces: • 802.11a/b/g/n/ac four external antennas (IAP-324) or eight internal antennas (IAP-325). Other Interfaces: • Visual indicators (two multi-color LEDs): for System and Radio status • Reset button: factory reset (during device power up) ...
  • Page 21: Iap-330 Series

    2.5 IAP-330 Series This section introduces the Aruba IAP-330 Series Wireless Access Points (APs) with FIPS 140-2 Level 2 validation. It describes the purpose of the IAP-334 and IAP-335 APs, their physical attributes, and their interfaces. Figure 15 - Aruba IAP-334 Figure 16 - Aruba IAP-335 With a maximum concurrent data rate of 1,733 Mbps in the 5 GHz band and 600 Mbps in the 2.4 GHz band (for an aggregate peak data rate of 2.3Gbps), the 330 Series Access Points deliver a best-in-class, next-generation...
  • Page 22: Physical Description

    per antenna. Each 5 GHz radio chain has both a vertically and a horizontally polarized antenna element; IAP firmware automatically and dynamically selects the best set of elements for each data packet transmitted or received. Four integrated vertically polarized 5 GHz downtilt omni-directional antennas for 4x4 MIMO with peak antenna gain of 4.9 dBi per antenna, plus four integrated horizontally polarized 5 GHz downtilt omni-directional antennas for 4x4 MIMO with peak antenna gain of 5.7 dBi per antenna.
  • Page 23: Figure 17 - Aruba Iap-330 Series Access Point - Interfaces

    Figure 17 - Aruba IAP-330 Series Access Point – Interfaces. DC power interface: • 48V DC (nominal, +/- 5%) • 1.35-mm/3.5-mm center-positive circular plug with 9.5-mm length. Antenna interfaces: • 802.11a/b/g/n/ac four external antennas (IAP-334) or twelve internal antennas (IAP-335). USB 2.0 host interface (Type A connector). Bluetooth Low Energy (BLE) radio: ...
  • Page 24: Module Objectives

    This section describes the assurance levels for each of the areas described in the FIPS 140-2 Standard. 3.1. Security Levels The Aruba IAP-303H, IAP-304, IAP-305, IAP-314, IAP-315, IAP-324, IAP-325, IAP-334, and IAP-335 Wireless Access Points and associated modules are intended to meet overall FIPS 140-2 Level 2 requirements as shown in the following table.
  • Page 25: Physical Security

    (on the bottom of the device) block the Serial console port. To protect the Aruba IAP-303H, IAP-304, IAP-305, IAP-314, IAP-315, IAP-324, IAP-325, IAP-334, and IAP-335 Wireless Access Points from any tampering with the product, TELs should be applied by the Crypto Officer as...
  • Page 26: Roles, Authentication And Services

    Data input and output, control input, status output, and power interfaces are defined as follows: • Data input and output are the packets that use the networking functionality of the module. • Control input consists of manual control inputs for power and reset through the power interfaces (power supply or PoE).
  • Page 27: Authentication Mechanisms

    7.1.3 Authentication Mechanisms The IAP supports role-based authentication. Role-based authentication is performed before the Crypto Officer is given privileged access using the admin password via SSHv2 and the WebUI. Role-based authentication is also performed for User authentication. The strength of each authentication mechanism is described below. Table 9 –...
  • Page 28: Services

    RSA-based authentication (EAP-TLS/PEAP/IKEv2/SSH), role: User. The module supports 2048-bit RSA key authentication during EAP-TLS/PEAP/IKEv2/SSH. RSA 2048-bit keys correspond to 112 bits of security. Assuming the low end of that range, the associated probability of a successful random attempt is 1 in 2^112, which is less than the 1 in 1,000,000 required by FIPS 140-2.
  • Page 29 (continuation of the services table; columns: Service, Description, Input, Output, CSP access)
    - (previous row, continued) CSPs 22, 9 (read)
    - Configuring Internet Protocol: Set IP functionality; input: commands and configuration data; output: status of commands and configuration data; CSPs 22, 9 (read)
    - Configuring Quality of Service (QoS): Configure QoS values for module; input: commands and configuration data; output: status of commands and configuration data; CSPs 22, 9 (read)
    - Configuring DHCP ...
  • Page 30: User Services

    partition. Additionally, the zeroize TPM command ‘zeroize-tpm-keys’ may be issued to erase the stored TPM keys. NOTE: The effect of the zeroize TPM command is not reversible. The action will void the warranty on the IAP and nullify the RMA. The command will wipe the contents of the TPM and render the IAP permanently inoperable.
  • Page 31: Non-Approved Services

    7.2.3 Non-Approved Services In the Non-FIPS mode of operation, TLS, SSH, and 802.11i services utilizing the non-Approved algorithms listed in the “Non-FIPS Approved Algorithms” section at the end of section 8 are available. Additionally, the use of Slave IAPs, TFTP, FTP and HTTP are non-Approved under the FIPS mode of operation. 7.2.4 Unauthenticated Services The module provides the following unauthenticated services, which are available regardless of role.
  • Page 32: Cryptographic Algorithms

    8. Cryptographic Algorithms 8.1. FIPS Approved Algorithms The firmware (ArubaInstant 8.5.0.12) in the module contains the following cryptographic algorithm implementations/crypto libraries to implement the different FIPS approved cryptographic algorithms that will be used for the corresponding security services supported by the module in FIPS Approved Mode: Note that not all algorithm modes that appear on the module’s CAVP certificates are utilized by the module, and the tables below list only the algorithm modes that are utilized by the module.
  • Page 33: Table 13 - Aruba Instant Crypto Module Cavp Certificates

    Table 13 rows (CAVP certificate; algorithm and standard; modes; key or digest sizes; use):
    - C564; SHS, FIPS 180-4; SHA-1, SHA-256, SHA-384, SHA-512 (Byte Only); 160, 256, 384, 512; Message Digest
    - C564; Triple-DES, SP 800-67; TCBC; Data Encryption/Decryption
    - C564; SP 800-38F; AES-CBC with HMAC-SHA1, HMAC-SHA2-256, HMAC-SHA2-384; 128, 256; Key Wrapping/Key Transport via IKE/IPSec
    - C564; HMAC; HMAC-SHA-1-96, ...; Key Size < Block Size ...
  • Page 34: Table 14 - Arubainstant Uboot Bootloader Cavp Certificates

    Table 14 rows (CAVP certificate; algorithm and standard; modes; key or digest sizes; use):
    - C565; SHS, FIPS 180-4; SHA-1, SHA-256, SHA-384, SHA-512 (Byte Only); 160, 256, 384, 512; Message Digest
    - C565; Triple-DES, SP 800-67; TCBC; Data Encryption/Decryption
    - C565; SP 800-38F; AES-CBC; 128, 192, 256; Key Transport
    - C565; HMAC; HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512; Key Size < Block Size
    Table 14 – ...
  • Page 35: Non-Fips Approved Algorithms Allowed In Fips Approved Mode

    8.2. Non-FIPS Approved Algorithms Allowed in FIPS Approved Mode • Diffie-Hellman (key agreement; key establishment methodology provides 112 bits of encryption strength). • EC Diffie-Hellman (key agreement; key establishment methodology provides 128 or 192 bits of encryption strength). • NDRNG (entropy source, used solely for seeding the SP 800-90A approved DRBG). ...
  • Page 36: Critical Security Parameters

    9. Critical Security Parameters The following Critical Security Parameters (CSPs) are used by the module: Table 16 – Critical Security Parameters (columns: Name; CSP type; Generation; Storage and Zeroization; Use)
    - DRBG Entropy Input; SP 800-90A DRBG entropy inputs to the DRBG function used to ...; generated at DRBG initialization; stored in plaintext in volatile memory.
  • Page 37: Table 16 – Critical Security Parameters (continued; columns: Name; CSP type; Generation; Storage and Zeroization; Use)
    - Crypto Officer Password; CO passwords (12-32 characters); CO configured; stored in Flash and obfuscated by the KEK, zeroized by executing the CO command ‘write erase all reboot’; authentication for accessing the management interfaces.
  • Page 38: Table 16 – Critical Security Parameters (continued; columns: Name; CSP type; Generation; Storage and Zeroization; Use)
    - 802.11i Pre-Shared Key (PSK); 802.11i pre-shared secret for use in 802.11i (SP 800-108) key derivation; CO configured; stored in Flash and obfuscated by KEK, zeroized by the CO command “write erase...”; used by the 802.11i protocol.
  • Page 39: Table 16 – Critical Security Parameters (continued; columns: Name; CSP type; Generation; Storage and Zeroization; Use)
    - EC Diffie-Hellman Shared Secret; EC Diffie-Hellman (Curves: P-256 or P-...); established during EC Diffie-Hellman exchange; stored in SDRAM memory (plaintext), zeroized by rebooting; used for deriving SSH/TLS cryptographic keys.
  • Page 40: Self-Tests

    Notes: • CSPs labeled as "entered by CO” (as well as the RSA public and private keys) are entered into the module via SSH or TLS. • CSPs labelled as “obfuscated” are obfuscated in accordance with FIPS IG 1.23. • CKG (vendor affirmed to SP 800-133 Rev2): For keys identified as being “Generated internally", the generated seed used in the asymmetric key generation is an unmodified output from the DRBG.
  • Page 41 The following Conditional Self-Tests are performed in the module: • Aruba Instant Crypto Module: CRNG Test to Approved RNG (DRBG); CRNG Test to non-approved NDRNG; Firmware Load Test - RSA PKCS#1 v1.5 (2048 bits) signature verification with SHA-256 (this test is applied by the main code for firmware load during operation); SP 800-90A Section 11.3 Health Tests for HASH_DRBG (Instantiate, Generate and Reseed) ...
  • Page 42: Installing The Wireless Access Point

    11. Installing the Wireless Access Point This chapter covers the physical installation of the Aruba IAP-303H, IAP-304, IAP-305, IAP-314, IAP-315, IAP-324, IAP-325, IAP-334, and IAP-335 Wireless Access Points with FIPS 140-2 Level 2 validation. The Crypto Officer is responsible for ensuring that the following procedures are used to place the Wireless Access Point in a FIPS-Approved mode of operation.
  • Page 43: Precautions

    11.3. Precautions • All Aruba access points should be professionally installed by an Aruba-Certified Mobility Professional (ACMP). • Electrical power is always present while the device is plugged into an electrical outlet. Remove all rings, jewelry, and other potentially conductive material before working with this product. ...
  • Page 44: Tamper-Evident Labels

    12. Tamper-Evident Labels After testing, the Crypto Officer must apply Tamper-Evident Labels (TELs) to the Wireless Access Point. When applied properly, the TELs allow the Crypto Officer to detect the opening of the device, or physical access to restricted ports (i.e. the serial console port on the bottom of each IAP-3XX). Aruba Networks provides FIPS 140 designated TELs which have met the physical security testing requirements for tamper evident labels under the FIPS 140-2 Standard.
  • Page 45: Required Tel Locations

    12.2. Required TEL Locations This section displays the locations of all TELs on each module (IAP-303H, IAP-304, IAP-305, IAP-314, IAP-315, IAP-324, IAP-325, IAP-334, and IAP-335 Wireless Access Points). Refer to the next section for guidance on applying the TELs. 12.2.1 TELs Placement on the IAP-303H The IAP-303H requires 3 TELs: one on each side and bottom edge (labels 1 and 2) to detect opening the device and one covering the console port (label 3) to detect access to a restricted port.
  • Page 46: Tels Placement On The Iap-304

    12.2.2 TELs Placement on the IAP-304 The IAP-304 requires 3 TELs: one on each side edge (labels 1 and 2) to detect opening the device and one covering the console port (label 3) to detect access to a restricted port. See Figures 22 and 23 for placement. Figure 22 –...
  • Page 47: Tels Placement On The Iap-305

    12.2.3 TELs Placement on the IAP-305 The IAP-305 requires 3 TELs: one on each side edge (labels 1 and 2) to detect opening the device and one covering the console port (label 3) to detect access to a restricted port. See Figures 24 and 25 for placement. Figure 24 –...
  • Page 48: Tels Placement On The Iap-314

    12.2.4 TELs Placement on the IAP-314 The IAP-314 requires 3 TELs: one on each side edge (labels 1 and 2) to detect opening the device and one covering the console port (label 3) to detect access to a restricted port. See Figures 26 and 27 for placement. Figure 26 –...
  • Page 49: Tels Placement On The Iap-315

    12.2.5 TELs Placement on the IAP-315 The IAP-315 requires 3 TELs: one on each side edge (labels 1 and 2) to detect opening the device and one covering the console port (label 3) to detect access to a restricted port. See Figures 28 and 29 for placement. Figure 28 –...
  • Page 50: Tels Placement On The Iap-324

    12.2.6 TELs Placement on the IAP-324 The IAP-324 requires 3 TELs: one on each side edge (labels 1 and 2) to detect opening the device and one covering the console port (label 3) to detect access to a restricted port. See Figures 30 and 31 for placement. Figure 30 –...
  • Page 51: Tels Placement On The Iap-325

    12.2.7 TELs Placement on the IAP-325 The IAP-325 requires 3 TELs: one on each side edge (labels 1 and 2) to detect opening the device and one covering the console port (label 3) to detect access to a restricted port. See Figures 32 and 33 for placement. Figure 32 –...
  • Page 52: Tels Placement On The Iap-334

    12.2.8 TELs Placement on the IAP-334 The IAP-334 requires 3 TELs: one on each side edge (labels 1 and 2) to detect opening the device and one covering the console port (label 3) to detect access to a restricted port. See Figures 34 and 35 for placement. Figure 34 –...
  • Page 53: Tels Placement On The Iap-335

    12.2.9 TELs Placement on the IAP-335 The IAP-335 requires 3 TELs: one on each side edge (labels 1 and 2) to detect opening the device and one covering the console port (label 3) to detect access to a restricted port. See Figures 36 and 37 for placement. Figure 36 –...
  • Page 54: Applying Tels

    12.3. Applying TELs The Crypto Officer should employ TELs as follows: • Before applying a TEL, make sure the target surfaces are clean and dry. Clean with alcohol and let dry. • Do not cut, trim, punch, or otherwise alter the TEL. ...
  • Page 55: User Guidance

    • When installing expansion or replacement modules for the Aruba IAP-303H, IAP-304, IAP-305, IAP-314, IAP-315, IAP-324, IAP-325, IAP-334, and IAP-335 Wireless Access Points, use only FIPS-Approved modules, replace TELs affected by the change, and record the reason for the change, along with the new TEL locations and serial numbers, in the security log.
  • Page 56: Full Documentation

    6. Execute action command “fips-mode on” in the CLI and enter “y” after reading the warning. Executing this command will cause the module to automatically reboot. 7. Execute CLI action command “show version” in the CLI and check that the value of “FIPS mode” is “enabled”...
  • Page 57: Mitigation Of Other Attacks

    14. Mitigation of Other Attacks Mitigation of other attacks involves multiple defensive techniques including identification of connected devices not meeting administrator approved configurations and taking actions to resolve, use of administrator approved methods to block unauthorized connection attempts to the network, detection and reporting of intrusion attempts, and use of policies with administrator approved methods to identify and defend against network attack attempts.
  • Page 58 • Infrastructure Protection Policies — Specifies the policy for protecting access points from wireless attacks. Attack attempts protected against include ad hoc networks using VALID SSID misuse (the Valid SSID list is autoconfigured based on the Instant AP configuration) and Instant AP impersonation; Rogue devices are also contained ...