Aruba 600 Series Controllers FIPS 140-2 Level 2 Security Policy
140-2.
RSA-based authentication (IKEv1/IKEv2)
User
When using RSA-based authentication, the RSA key pair has a modulus size of 2048 bits, thus providing 112 bits of strength. Assuming the low end of that range, the associated probability of a successful random attempt is 1 in 2^112, which is less than the 1 in 1,000,000 required by FIPS 140-2.
ECDSA-based authentication (IKEv1/IKEv2)
User
ECDSA signing and verification is used to authenticate to the module during IKEv1/IKEv2. Both P-256 and P-384 curves are supported. ECDSA P-256 provides 128 bits of equivalent security, and P-384 provides 192 bits of equivalent security. Assuming the low end of that range, the associated probability of a successful random attempt is 1 in 2^128, which is less than the 1 in 1,000,000 required by FIPS 140-2.
Pre-shared key-based authentication (IKEv1/IKEv2)
User
Same mechanism strength as Password-based authentication above.
Pre-shared key-based authentication (802.11i)
User
Same mechanism strength as IKEv1/IKEv2 shared secret above.
EAP-TLS authentication
User
If RSA is used, 2048-bit RSA keys correspond to an effective strength of 2^112; if ECDSA (P-256 and P-384) is used, curve P-256 provides 128 bits of equivalent security, and P-384 provides 192 bits of equivalent security.
Unauthenticated Services
The Aruba Controller can perform VLAN, bridging, firewall, routing, and forwarding functionality without
authentication. These services do not involve any cryptographic processing.
Additional unauthenticated services include performance of the power-on self-test and system status
indication via LEDs.
Non-Approved Services
The following non-approved services are also available to the unauthenticated operators.
Network Time Protocol (NTP) service
Internet Control Message Protocol (ICMP) service