Reference Guide
4.1.3 Wireless Client Authentication
The wireless client role defined in each of the FIPS approved modes authenticates to the module via WPA2.
Note that WEP and TKIP configurations are not permitted in FIPS mode. In the advanced Remote AP
configuration, when the Remote AP cannot communicate with the controller, the wireless client role
authenticates to the module via WPA2-PSK only.
4.1.4 Strength of Authentication Mechanisms
The following table describes the relative strength of each supported authentication mechanism.
Table 6 - Strength of Authentication Mechanisms
| Authentication Mechanism | Mechanism Strength |
|---|---|
| IKEv1/IKEv2 shared secret (CO role) | Passwords are required to be a minimum of eight characters and a maximum of 32, with a minimum of one letter and one number. If six (6) integers, one (1) special character and one (1) alphabetic character are used without repetition for an eight (8) digit PIN, the probability of randomly guessing the correct sequence is one (1) in 251,596,800. This calculation is based on the assumption that the typical standard American QWERTY computer keyboard has 10 integer digits, 52 alphabetic characters, and 32 special characters, providing 94 characters to choose from in total. The calculation is 10 x 9 x 8 x 7 x 6 x 5 x 32 x 52 = 251,596,800. Therefore, the associated probability of a successful random attempt is approximately 1 in 251,596,800, which is less than the 1 in 1,000,000 required by FIPS 140-2. |
| Wireless Client WPA2-PSK (Wireless Client role) | Same mechanism strength as IKEv1/IKEv2 shared secret above. |
| RSA Certificate based authentication (CO role) | The module supports 2048-bit RSA keys. RSA 2048-bit keys correspond to 112 bits of security. Assuming the low end of that range, the associated probability of a successful random attempt is 1 in 2^112, which is less than the 1 in 1,000,000 required by FIPS 140-2. |
| ECDSA-based authentication (IKEv2) | ECDSA signing and verification is used to authenticate to the module during IKEv2. Both P-256 and P-384 curves are supported. ECDSA P-256 provides 128 bits of equivalent security, and P-384 provides 192 bits of equivalent security. Assuming the low end of that range, the associated probability of a successful random attempt is 1 in 2^128, which is less than the 1 in 1,000,000 required by FIPS 140-2. |
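
The shared-secret arithmetic in Table 6, worked as an added Python example (not part of the original guide or the module's code; all function names are hypothetical). It reproduces the table's 251,596,800 figure and goes one step further by counting, with inclusion-exclusion, every eight-character secret over the same 94-character keyboard that satisfies the stated composition rule.

```python
import math
import string

# Character classes as counted in Table 6 (US QWERTY keyboard, 94 characters).
DIGITS, LETTERS, SPECIALS = 10, 52, 32
MIN_LEN, MAX_LEN = 8, 32          # length limits stated in Table 6
FIPS_BOUND = 1_000_000            # one guess must succeed with probability < 1/1,000,000


def policy_ok(secret: str) -> bool:
    """Length and composition rule from Table 6: 8 to 32 chars, >=1 letter, >=1 number."""
    has_letter = any(c in string.ascii_letters for c in secret)
    has_digit = any(c in string.digits for c in secret)
    return MIN_LEN <= len(secret) <= MAX_LEN and has_letter and has_digit


def table6_model() -> int:
    """Table 6 model: 6 non-repeating digits in order, then 1 special and 1 letter."""
    return math.perm(DIGITS, 6) * SPECIALS * LETTERS   # 10*9*8*7*6*5 * 32 * 52


def conforming_secrets(length, letters=LETTERS, digits=DIGITS, specials=SPECIALS) -> int:
    """Strings of `length` with at least one letter and one digit (inclusion-exclusion)."""
    total = letters + digits + specials
    no_letter = (digits + specials) ** length
    no_digit = (letters + specials) ** length
    neither = specials ** length
    return total ** length - no_letter - no_digit + neither


def meets_fips_bound(keyspace: int) -> bool:
    """True when a single random guess succeeds with probability below 1 in 1,000,000."""
    return keyspace > FIPS_BOUND


if __name__ == "__main__":
    for name, n in (("Table 6 model", table6_model()),
                    ("all conforming 8-char secrets", conforming_secrets(MIN_LEN))):
        print(f"{name}: 1 in {n:,} (meets bound: {meets_fips_bound(n)})")
```

The table's model is the more conservative of the two counts, so a secret that merely satisfies the composition rule is drawn from a larger space than the figure the table compares against the FIPS 140-2 bound.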