Aruba 3000, 6000/M3 Mobility Controller FIPS 140-2 Level 2 Security Policy
ECDSA-based authentication (IKEv1/IKEv2) | User | ECDSA signing and verification is used to authenticate to the module during IKEv1/IKEv2. Both P-256 and P-384 curves are supported. ECDSA P-256 provides 128 bits of equivalent security, and P-384 provides 192 bits of equivalent security. Assuming the low end of that range, the associated probability of a successful random attempt is 1 in 2^128, which is less than 1 in 1,000,000 required by FIPS 140-2.
Pre-shared key-based authentication (IKEv1/IKEv2) | User | Same mechanism strength as Password-based authentication above.
Pre-shared key based authentication (802.11i) | User | Same mechanism strength as IKEv1/IKEv2 shared secret above.
EAP-TLS authentication | User | If RSA is used, 2048 bit RSA keys correspond to effective strength of 2^112; If ECDSA (P-256 and P-384) is used, curve P-256 provides 128 bits of equivalent security, and P-384 provides 192 bits of equivalent security.
Unauthenticated Services
The Aruba Controller can perform VLAN, bridging, firewall, routing, and forwarding functionality without
authentication. These services do not involve any cryptographic processing.
Additional unauthenticated services include performance of the power-on self-test and system status
indication via LEDs.
Non-Approved Services
The following non-approved services are also available to the unauthenticated operators.
Network Time Protocol (NTP) service
Internet Control Message Protocol (ICMP) service
VLAN service
Network bridging service
Network Address Resolution Protocol (ARP) service
Packets routing, switching and forwarding