Reference Guide

Aruba 7200 Series Controllers FIPS 140-2 Level 2 Security Policy|15
Authentication Mechanisms
The Aruba Controller supports role-based authentication. Role-based authentication is performed before
the Crypto Officer enters privileged mode, either with the admin password via the Web Interface or SSHv2,
or by entering the enable command and password on the console. Role-based authentication is also
performed for User authentication.
This includes password-based and RSA/ECDSA-based authentication mechanisms. The strength of each
authentication mechanism is described below.
Table 5  Estimated Strength of Authentication Mechanisms

Authentication Type: Password-based authentication (CLI and Web Interface)
Role: Crypto Officer
Strength: Passwords are required to be a minimum of eight characters and a maximum of 32, with a
minimum of one letter and one number. If six (6) integers, one (1) special character and one (1)
alphabetic character are used without repetition for an eight (8) character PIN, the probability of
randomly guessing the correct sequence is one (1) in 251,596,800. (This calculation is based on the
assumption that the typical standard American QWERTY computer keyboard has 10 integer digits, 52
alphabetic characters and 32 special characters, providing 94 characters to choose from in total; the
calculation is 10 x 9 x 8 x 7 x 6 x 5 x 32 x 52 = 251,596,800.) Therefore, the associated probability
of a successful random attempt during a one-minute period is approximately 1 in 251,596,800, which
is less than the 1 in 100,000 required by FIPS 140-2.

Authentication Type: RSA-based authentication (IKEv1/IKEv2)
Role: User
Strength: When RSA-based authentication is used, the RSA key pair has a modulus size of 2048 bits,
providing 112 bits of strength. The associated probability of a successful random attempt is
1 in 2^112, which is less than the 1 in 1,000,000 required by FIPS 140-2.

Authentication Type: ECDSA-based authentication (IKEv1/IKEv2)
Role: User
Strength: ECDSA signing and verification are used to authenticate to the module during
IKEv1/IKEv2. Both the P-256 and P-384 curves are supported. ECDSA P-256 provides 128 bits of
equivalent security and P-384 provides 192 bits of equivalent security. Assuming the low end of that
range, the associated probability of a successful random attempt during a one-minute period is
1 in 2^128, which is less than the 1 in 100,000 required by FIPS 140-2.

Authentication Type: Pre-shared key-based authentication (IKEv1/IKEv2)
Role: User
Strength: Same mechanism strength as password-based authentication above.

Authentication Type: Pre-shared key-based authentication (802.11i)
Role: User
Strength: Same mechanism strength as the IKEv1/IKEv2 shared secret above.
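The figures in Table 5 can be reproduced and checked against the two FIPS 140-2 thresholds the table cites: 1 in 1,000,000 for a single random attempt and 1 in 100,000 for all attempts made within one minute. The Python below is an added worked example; it is not part of this Security Policy and not Aruba's code. It evaluates the table's no-repetition product and goes beyond the table by also counting, by inclusion-exclusion, the full keyspace that the stated minimum policy (characters drawn from the 94-character set, at least one letter and at least one digit, repetition allowed) actually permits. The attempts-per-minute rate is a parameter because the table does not state one; the table's one-minute figure being equal to its single-attempt figure corresponds to one attempt per minute, which is the assumed value used here. The RSA and ECDSA rows reduce to a keyspace of 2^bits.

```python
from fractions import Fraction

# FIPS 140-2 thresholds for operator authentication, as cited in Table 5.
SINGLE_ATTEMPT_LIMIT = Fraction(1, 1_000_000)  # any single random attempt
ONE_MINUTE_LIMIT = Fraction(1, 100_000)        # all random attempts in one minute

# Character classes of a standard US QWERTY keyboard, as the table counts them.
DIGITS, LETTERS, SPECIALS = 10, 52, 32
ALPHABET = DIGITS + LETTERS + SPECIALS         # 94 characters in total


def no_repeat_product() -> int:
    """The table's own count: six distinct digits, one special character and
    one letter, written out as 10 x 9 x 8 x 7 x 6 x 5 x 32 x 52."""
    count = 1
    for choices in (10, 9, 8, 7, 6, 5, SPECIALS, LETTERS):
        count *= choices
    return count


def policy_keyspace(length: int) -> int:
    """Number of passwords of exactly `length` characters drawn from the
    94-character set that contain at least one letter and at least one digit,
    i.e. everything the stated minimum policy accepts, repetition allowed.
    Inclusion-exclusion: total, minus 'no letter', minus 'no digit', plus
    'neither' (which the two subtractions removed twice)."""
    total = ALPHABET ** length
    no_letter = (ALPHABET - LETTERS) ** length
    no_digit = (ALPHABET - DIGITS) ** length
    neither = (ALPHABET - LETTERS - DIGITS) ** length
    return total - no_letter - no_digit + neither


def key_based_keyspace(security_bits: int) -> int:
    """RSA-2048 (112 bits) and ECDSA P-256 (128 bits): one random attempt
    succeeds with probability 1 in 2^bits."""
    return 1 << security_bits


def single_attempt_probability(keyspace: int) -> Fraction:
    """Probability that one uniformly random guess is correct."""
    return Fraction(1, keyspace)


def one_minute_probability(keyspace: int, attempts_per_minute: int) -> Fraction:
    """Upper bound on success within one minute at the given attempt rate
    (union bound over the attempts, capped at 1)."""
    return min(Fraction(1), attempts_per_minute * single_attempt_probability(keyspace))


def meets_fips_140_2(keyspace: int, attempts_per_minute: int) -> bool:
    """True when both thresholds cited in Table 5 are satisfied."""
    return (single_attempt_probability(keyspace) <= SINGLE_ATTEMPT_LIMIT
            and one_minute_probability(keyspace, attempts_per_minute) <= ONE_MINUTE_LIMIT)


if __name__ == "__main__":
    # Assumed rate (not stated in the table): the table's one-minute figure
    # equals its single-attempt figure, i.e. one attempt per minute.
    ASSUMED_RATE = 1
    rows = {
        "password, table's no-repetition count": no_repeat_product(),
        "password, full 8-character policy keyspace": policy_keyspace(8),
        "RSA-2048 (112-bit strength)": key_based_keyspace(112),
        "ECDSA P-256 (128-bit strength)": key_based_keyspace(128),
    }
    for name, space in rows.items():
        print(f"{name}: 1 in {space:,}; "
              f"one-minute bound {float(one_minute_probability(space, ASSUMED_RATE)):.3e}; "
              f"meets FIPS 140-2: {meets_fips_140_2(space, ASSUMED_RATE)}")
```

The `meets_fips_140_2` check is the part worth keeping: a keyspace of exactly 1,000,000 passes the single-attempt threshold but fails the one-minute threshold at 100 attempts per minute, which is why a policy review needs the module's actual attempt rate, not only the count of possible passwords.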