Summary of Contents for Hewlett Packard Enterprise Aruba IAP-303H
Aruba IAP-303H, IAP-304, IAP-305, IAP-314, IAP-315, IAP-324, IAP-325, IAP-334, and IAP-335 Wireless Access Points with Aruba Instant Firmware: Non-Proprietary Security Policy, FIPS 140-2 Level 2, Version 4.9, February 2021. Aruba IAP-3XX Wireless Access Points with Aruba Instant Firmware FIPS 140-2 Level 2 Security Policy...
Open Source Code Certain Hewlett Packard Enterprise Company products include Open Source software code developed by third parties, including software code subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses.
List of figures (excerpt): Figure 19 – Right View of IAP-303H with TELs (p. 45); Figure 20 – Left View of IAP-303H with TELs (p. 45); Figure 21 – Bottom View of IAP-303H with TELs (p. 45); Figure 22 – Top View of IAP-304 with TELs (p. 46); Figure 23 –...
National Institute of Standards and Technology (NIST) website at: https://csrc.nist.gov/projects/cryptographic-module-validation-program In addition, in this document, the Aruba IAP-303H, IAP-304, IAP-305, IAP-314, IAP-315, IAP-324, IAP-325, IAP-334, and IAP-335 Wireless Access Points with Aruba Instant Firmware are referred to as the Wireless Access Point, the AP, the IAP, the module, the cryptographic module, Aruba Wireless Access Points, Aruba Wireless APs, Aruba Access Points, and IAP-3XX Wireless APs.
States. From a FIPS perspective, both –US TAA and –RW TAA models are identical and fully FIPS compliant. 2.1 IAP-303H This section introduces the Aruba IAP-303H Wireless Access Point (AP) with FIPS 140-2 Level 2 validation. It describes the purpose of the AP-303H IAP, its physical attributes, and its interfaces.
PoE power to the attached device. 2.1.1 Physical Description The Aruba IAP-303H Access Point is a multi-chip standalone cryptographic module consisting of hardware and software, all contained in a hard, opaque plastic case. The module contains 802.11 a/b/g/n/ac transceivers and supports two internal dual-band antennas.
2.2 IAP-300 Series This section introduces the Aruba IAP-300 Series Wireless Access Points (APs) with FIPS 140-2 Level 2 validation. It describes the purpose of the IAP-304 and IAP-305 APs, their physical attributes, and their interfaces. Figure 6 - Aruba IAP-304 Figure 7 - Aruba IAP-305 These compact and cost-effective dual-radio IAPs implement a dual radio 802.11ac Access Point with Multi-User MIMO - Supports up to 1,300 Mbps in the 5GHz band (with 3SS/VHT80 clients) and up to 300 Mbps in the 2.4GHz...
2.2.1 Physical Description The Aruba IAP-304 and IAP-305 Access Points are multi-chip standalone cryptographic modules consisting of hardware and software, all contained in a hard, opaque plastic case. Each module contains 802.11 a/b/g/n/ac transceivers and supports three external antennas through three N-type female connectors (IAP-304) or three internal antennas (IAP-305).
Bluetooth Low Energy (BLE) radio: Bluetooth: up to 3 dBm transmit power (class 2) and -92 dBm receive sensitivity
DC power interface: 12V DC (nominal, +/- 5%) 2.1-mm/5.5-mm center-positive circular plug with 9.5-mm length
Antenna interfaces: 802.11a/b/g/n/ac three external antennas (IAP-304) or three internal antennas (IAP-305)
Other Interfaces: ...
2.3 IAP-310 Series This section introduces the Aruba IAP-310 Series Wireless Access Points (APs) with FIPS 140-2 Level 2 validation. It describes the purpose of the IAP-314 and IAP-315 APs, their physical attributes, and their interfaces. Figure 9 - Aruba IAP-314 Figure 10 - Aruba IAP-315 These compact and cost-effective dual-radio APs implement a dual radio 802.11ac access point with Multi-User MIMO - Supports up to 1,733Mbps in the 5GHz band (with 4SS/VHT80 or 2SS/VHT160 clients) and up to 300 Mbps...
2.3.1 Physical Description The Aruba IAP-314 and IAP-315 Access Points are multi-chip standalone cryptographic modules consisting of hardware and software, all contained in hard, opaque plastic cases. Each module contains 802.11 a/b/g/n/ac transceivers and supports four external antennas through four N-type female connectors (IAP-314) or four internal antennas (IAP-315).
Figure 11 - Aruba IAP-310 Series Access Point – Interfaces
Other Interfaces:
Visual indicators (two multi-color LEDs): for System and Radio status
Reset button: factory reset (during device power up)
Serial console interface (proprietary; optional adapter cable available; disabled in FIPS mode by TEL)
Table 4 - IAP-310 Series Status Indicator LEDs LED Type...
2.4 IAP-320 Series This section introduces the Aruba IAP-320 Series Wireless Access Points (APs) with FIPS 140-2 Level 2 validation. It describes the purpose of the IAP-324 and IAP-325 APs, their physical attributes, and their interfaces. Figure 12 - Aruba IAP-324 Figure 13 - Aruba IAP-325 With a maximum concurrent data rate of 1,733 Mbps in the 5 GHz band and 600 Mbps in the 2.4 GHz band (for an aggregate peak data rate of 2.3Gbps), the IAP-320 Series Access Points deliver a best-in-class, next-generation...
2.4.1 Physical Description The Aruba IAP-324 and IAP-325 Access Points are multi-chip standalone cryptographic modules consisting of hardware and software, all contained in hard, opaque plastic cases. Each module contains 802.11 a/b/g/n/ac transceivers and supports four external antennas through four N-type female connectors (IAP-324) or eight integrated omni-directional downtilt internal antennas (IAP-325).
Figure 14 - Aruba IAP-320 Series Access Point – Interfaces
Antenna interfaces: • 802.11a/b/g/n/ac four external antennas (IAP-324) or eight internal antennas (IAP-325)
Other Interfaces:
Visual indicators (two multi-color LEDs): for System and Radio status
Reset button: factory reset (during device power up) ...
2.5 IAP-330 Series This section introduces the Aruba IAP-330 Series Wireless Access Points (APs) with FIPS 140-2 Level 2 validation. It describes the purpose of the IAP-334 and IAP-335 APs, their physical attributes, and their interfaces. Figure 15 - Aruba IAP-334 Figure 16 - Aruba IAP-335 With a maximum concurrent data rate of 1,733 Mbps in the 5 GHz band and 600 Mbps in the 2.4 GHz band (for an aggregate peak data rate of 2.3Gbps), the 330 Series Access Points deliver a best-in-class, next-generation...
per antenna. Each 5 GHz radio chain has both a vertically and a horizontally polarized antenna element; IAP firmware automatically and dynamically selects the best set of elements for each data packet transmitted or received. Four integrated vertically polarized 5 GHz downtilt omni-directional antennas for 4x4 MIMO with peak antenna gain of 4.9 dBi per antenna, plus four integrated horizontally polarized 5 GHz downtilt omni-directional antennas for 4x4 MIMO with peak antenna gain of 5.7 dBi per antenna.
Figure 17 - Aruba IAP-330 Series Access Point – Interfaces
DC power interface: 48V DC (nominal, +/- 5%) 1.35-mm/3.5-mm center-positive circular plug with 9.5-mm length
Antenna interfaces: • 802.11a/b/g/n/ac four external antennas (IAP-334) or twelve internal antennas (IAP-335)
USB 2.0 host interface (Type A connector)
Bluetooth Low Energy (BLE) radio: ...
This section describes the assurance levels for each of the areas described in the FIPS 140-2 Standard. 3.1. Security Levels The Aruba IAP-303H, IAP-304, IAP-305, IAP-314, IAP-315, IAP-324, IAP-325, IAP-334, and IAP-335 Wireless Access Points and associated modules are intended to meet overall FIPS 140-2 Level 2 requirements as shown in the following table.
(on the bottom of the device) block the Serial console port To protect the Aruba IAP-303H, IAP-304, IAP-305, IAP-314, IAP-315, IAP-324, IAP-325, IAP-334, and IAP-335 Wireless Access Points from any tampering with the product, TELs should be applied by the Crypto Officer as...
Data input and output, control input, status output, and power interfaces are defined as follows: Data input and output are the packets that use the networking functionality of the module. Control input consists of manual control inputs for power and reset through the power interfaces (power supply or POE).
7.1.3 Authentication Mechanisms The IAP supports role-based authentication. Role-based authentication is performed before the Crypto Officer is given privileged access using the admin password via SSHv2 and the WebUI. Role-based authentication is also performed for User authentication. The strength of each authentication mechanism is described below. Table 9 –...
RSA-based authentication (EAP-TLS/PEAP/IKEv2/SSH) – Role: User – The module supports 2048-bit RSA key authentication during EAP-TLS/PEAP/IKEv2/SSH. RSA 2048-bit keys correspond to 112 bits of security. Assuming the low end of that range, the associated probability of a successful random attempt is 1 in 2^112, which is less than the 1 in 1,000,000 required by FIPS 140-2.
Service table (excerpt; columns: Service – Description – CSPs accessed – Input – Output):
... – 22, 9 (read) – Commands and configuration data – Status of commands and configuration data
Configuring Internet Protocol – Set IP functionality – 22, 9 (read) – Commands and configuration data – Status of commands and configuration data
Configuring Quality of Service (QoS) – Configure QoS values for module – 22, 9 (read) – Commands and configuration data – Status of commands and configuration data
Configuring DHCP...
partition. Additionally, the zeroize TPM command ‘zeroize-tpm-keys’ may be issued to erase the stored TPM keys. NOTE: The effect of the zeroize TPM command is not reversible. The action will void the warranty on the IAP and nullify the RMA. The command will wipe the contents of the TPM and render the IAP permanently inoperable.
7.2.3 Non-Approved Services In the Non-FIPS mode of operation, TLS, SSH, and 802.11i services utilizing the non-Approved algorithms listed in the “Non-FIPS Approved Algorithms” section at the end of section 8 are available. Additionally, the use of Slave IAPs, TFTP, FTP and HTTP are non-Approved under the FIPS mode of operation. 7.2.4 Unauthenticated Services The module provides the following unauthenticated services, which are available regardless of role.
8. Cryptographic Algorithms 8.1. FIPS Approved Algorithms The firmware (ArubaInstant 8.5.0.12) in the module contains the following cryptographic algorithm implementations/crypto libraries to implement the different FIPS approved cryptographic algorithms that will be used for the corresponding security services supported by the module in FIPS Approved Mode: Note that not all algorithm modes that appear on the module’s CAVP certificates are utilized by the module, and the tables below list only the algorithm modes that are utilized by the module.
9. Critical Security Parameters The following Critical Security Parameters (CSPs) are used by the module: Table 16 – Critical Security Parameters (columns: Name – CSP type – Generation – Storage and Zeroization – Use)
DRBG Entropy Input – SP800-90A DRBG entropy inputs to the DRBG function – DRBG initialization – Stored in plaintext in volatile memory. – Used to ...
Crypto Officer Password – CO Passwords (12-32 characters) – CO configured – Stored in Flash and obfuscated by the KEK. Zeroized by executing the CO command ‘write erase all reboot’. – Authentication for accessing the management interfaces
802.11i Pre-Shared Key (PSK) – 802.11i Pre-Shared Secret for use in 802.11i (SP 800-108) key derivation – CO configured – Stored in Flash and obfuscated by KEK. Zeroized by the CO command “write erase... – Used by the 802.11i protocol
EC Diffie-Hellman Shared Secret – EC Diffie-Hellman (Curves: P-256 or P-... – Established during EC Diffie-Hellman Exchange. – Stored in SDRAM memory (plaintext). Zeroized by rebooting – Used for deriving SSH/TLS cryptographic keys.
Notes: CSPs labeled as "entered by CO” (as well as the RSA public and private keys) are entered into the module via SSH or TLS. CSPs labeled as “obfuscated” are obfuscated in accordance with FIPS IG 1.23. CKG (vendor affirmed to SP 800-133 Rev2): For keys identified as being “Generated internally", the generated seed used in the asymmetric key generation is an unmodified output from the DRBG.
The following Conditional Self-Tests are performed in the module: Aruba Instant Crypto Module:
CRNG Test to Approved RNG (DRBG)
CRNG Test to non-approved NDRNG
Firmware Load Test - RSA PKCS#1 v1.5 (2048 bits) signature verification with SHA-256 (this test is applied by the main code for firmware load during operation)
SP800-90A Section 11.3 Health Tests for HASH_DRBG (Instantiate, Generate and Reseed) ...
11. Installing the Wireless Access Point This chapter covers the physical installation of the Aruba IAP-303H, IAP-304, IAP-305, IAP-314, IAP-315, IAP-324, IAP-325, IAP-334, and IAP-335 Wireless Access Points with FIPS 140-2 Level 2 validation. The Crypto Officer is responsible for ensuring that the following procedures are used to place the Wireless Access Point in a FIPS-Approved mode of operation.
11.3. Precautions All Aruba access points should be professionally installed by an Aruba-Certified Mobility Professional (ACMP). Electrical power is always present while the device is plugged into an electrical outlet. Remove all rings, jewelry, and other potentially conductive material before working with this product. ...
12. Tamper-Evident Labels After testing, the Crypto Officer must apply Tamper-Evident Labels (TELs) to the Wireless Access Point. When applied properly, the TELs allow the Crypto Officer to detect the opening of the device, or physical access to restricted ports (i.e. the serial console port on the bottom of each IAP-3XX). Aruba Networks provides FIPS 140 designated TELs which have met the physical security testing requirements for tamper evident labels under the FIPS 140-2 Standard.
12.2. Required TEL Locations This section displays the locations of all TELs on each module (IAP-303H, IAP-304, IAP-305, IAP-314, IAP-315, IAP-324, IAP-325, IAP-334, and IAP-335 Wireless Access Points). Refer to the next section for guidance on applying the TELs. 12.2.1 TELs Placement on the IAP-303H The IAP-303H requires 3 TELs: one on each side and bottom edge (labels 1 and 2) to detect opening the device and one covering the console port (label 3) to detect access to a restricted port.
12.2.2 TELs Placement on the IAP-304 The IAP-304 requires 3 TELs: one on each side edge (labels 1 and 2) to detect opening the device and one covering the console port (label 3) to detect access to a restricted port. See Figures 22 and 23 for placement. Figure 22 –...
12.2.3 TELs Placement on the IAP-305 The IAP-305 requires 3 TELs: one on each side edge (labels 1 and 2) to detect opening the device and one covering the console port (label 3) to detect access to a restricted port. See Figures 24 and 25 for placement. Figure 24 –...
12.2.4 TELs Placement on the IAP-314 The IAP-314 requires 3 TELs: one on each side edge (labels 1 and 2) to detect opening the device and one covering the console port (label 3) to detect access to a restricted port. See Figures 26 and 27 for placement. Figure 26 –...
12.2.5 TELs Placement on the IAP-315 The IAP-315 requires 3 TELs: one on each side edge (labels 1 and 2) to detect opening the device and one covering the console port (label 3) to detect access to a restricted port. See Figures 28 and 29 for placement. Figure 28 –...
12.2.6 TELs Placement on the IAP-324 The IAP-324 requires 3 TELs: one on each side edge (labels 1 and 2) to detect opening the device and one covering the console port (label 3) to detect access to a restricted port. See Figures 30 and 31 for placement. Figure 30 –...
12.2.7 TELs Placement on the IAP-325 The IAP-325 requires 3 TELs: one on each side edge (labels 1 and 2) to detect opening the device and one covering the console port (label 3) to detect access to a restricted port. See Figures 32 and 33 for placement. Figure 32 –...
12.2.8 TELs Placement on the IAP-334 The IAP-334 requires 3 TELs: one on each side edge (labels 1 and 2) to detect opening the device and one covering the console port (label 3) to detect access to a restricted port. See Figures 34 and 35 for placement. Figure 34 –...
12.2.9 TELs Placement on the IAP-335 The IAP-335 requires 3 TELs: one on each side edge (labels 1 and 2) to detect opening the device and one covering the console port (label 3) to detect access to a restricted port. See Figures 36 and 37 for placement. Figure 36 –...
12.3. Applying TELs The Crypto Officer should employ TELs as follows: Before applying a TEL, make sure the target surfaces are clean and dry. Clean with alcohol and let dry. Do not cut, trim, punch, or otherwise alter the TEL. ...
When installing expansion or replacement modules for the Aruba IAP-303H, IAP-304, IAP-305, IAP-314, IAP- 315, IAP-324, IAP-325, IAP-334, and IAP-335 Wireless Access Points, use only FIPS-Approved modules, replace TELs affected by the change, and record the reason for the change, along with the new TEL locations and serial numbers, in the security log.
6. Execute action command “fips-mode on” in the CLI and enter “y” after reading the warning. Executing this command will cause the module to automatically reboot. 7. Execute CLI action command “show version” in the CLI and check that the value of “FIPS mode” is “enabled”...
14. Mitigation of Other Attacks Mitigation of other attacks involves multiple defensive techniques, including: identification of connected devices that do not meet administrator-approved configurations and taking actions to resolve this; use of administrator-approved methods to block unauthorized connection attempts to the network; detection and reporting of intrusion attempts; and use of policies with administrator-approved methods to identify and defend against network attack attempts.
Infrastructure Protection Policies — Specifies the policy for protecting access points from wireless attacks. Attack attempts protected against include ad hoc networks using Valid SSID misuse (the Valid SSID list is autoconfigured based on Instant AP configuration) and Instant AP impersonation; in addition, rogue devices are contained ...