Reference Guide
8 Secure Operation
The module can be configured to operate in the following FIPS-approved modes of operation via corresponding
Aruba Mobility Controllers that have been certified to FIPS level 2:
• Remote AP FIPS mode – When the module is configured as a Remote AP, it is intended to be
deployed in a remote location (relative to the Mobility Controller). The module provides
cryptographic processing in the form of IPSec for all traffic to and from the Mobility Controller.
• Control Plane Security (CPSec) protected AP FIPS mode – When the module is configured as a
Control Plane Security protected AP it is intended to be deployed in a local/private location (LAN,
WAN, MPLS) relative to the Mobility Controller. The module provides cryptographic processing
in the form of IPSec for all Control traffic to and from the Mobility Controller.
In addition, the module also supports a non-FIPS mode – an un-provisioned AP, which by default does not
serve any wireless clients. The Crypto Officer must first enable and then provision the AP into a FIPS AP
mode of operation.
This section explains how to place the module in each FIPS mode and how to verify that it is in FIPS mode.
An important point about Aruba APs is that changing the configuration from any one mode to any other mode
requires the module to be re-provisioned and rebooted before the newly configured mode can be enabled.
The access point is managed by an Aruba Mobility Controller in FIPS mode, and access to the Mobility
Controller’s administrative interface via a non-networked general purpose computer is required to assist in
placing the module in FIPS mode. The controller used to provision the AP is referred to below as the
“staging controller”. The staging controller must be provisioned with the appropriate firmware image for
the module, which has been validated to FIPS 140-2, prior to initiating AP provisioning. The Crypto
Officer shall perform the following steps:
8.1.1 Configuring Remote AP FIPS Mode
1. Apply TELs according to the directions in section 3.2
2. Log into the administrative console of the staging controller
3. To deploy the AP in Remote FIPS mode, configure the controller to support Remote APs. For
detailed instructions and steps, see Section “Configuring the Secure Remote Access Point Service”
in Chapter “Remote Access Points” of the Aruba OS User Manual.
4. Enable FIPS mode on the controller. This is accomplished by going to the Configuration >
Network > Controller > System Settings page (this is the default page when you click the
Configuration tab), and clicking the FIPS Mode for Mobility Controller Enable checkbox.
5. Enable FIPS mode on the AP. This is accomplished by going to the Configuration > Wireless > AP
Configuration > AP Group page. There, you click the Edit button for the appropriate AP group,
and then select AP > AP System Profile. Then, check the “Fips Enable” box, check “Apply”, and
save the configuration.
6. If the staging controller does not provide PoE, either ensure the presence of a PoE injector for the
LAN connection between the module and the controller, or ensure the presence of a DC power
supply appropriate to the particular model of the module.
7. Connect the module via an Ethernet cable to the staging controller; note that this should be a direct
connection, with no intervening network or devices; if PoE is being supplied by an injector, this
represents the only exception. That is, nothing other than a PoE injector should be present between
the module and the staging controller.
8. Once the module is connected to the controller by the Ethernet cable, navigate to the
Configuration > Wireless > AP Installation page, where you should see an entry for the AP.