Manualshelf

Reference Guide

ManualsBrandsDell ManualsAccess PlatformsW-Series FIPS
28293031323334353637
Aruba 7200 Series Controllers FIPS 140-2 Level 2 Security Policy|33
Ongoing Management
The Aruba 7200 Controllers meet FIPS 140-2 Level 2 requirements. The information below describes how to keep the
controller in FIPS-approved mode of operation. The Crypto Officer must ensure that the controller is kept in a FIPS-
approved mode of operation.
Crypto Officer Management
The Crypto Officer must ensure that the controller is always operating in a FIPS-approved mode of operation. This can be
achieved by ensuring the following:
FIPS mode must be enabled on the controller before Users are permitted to use the controller (see “Enabling FIPS
Mode” on page 37)
The admin role must be root.
Passwords must be at least six characters long.
VPN services can only be provided by IPsec or L2TP over IPsec.
Access to the controller Web Interface is permitted only using HTTPS over a TLS tunnel. Basic HTTP and HTTPS
over SSL are not permitted.
Only SNMP read-only may be enabled.
Only FIPS-approved algorithms can be used for cryptographic services (such as HTTPS, L2, AES-CBC, SSH, and
IKEv1/IKEv2-IPSec), which include AES, Triple-DES, SHA-1, HMAC SHA-1, and RSA signature and verification.
TFTP can only be used to load backup and restore files. These files are: Configuration files (system setup
configuration), the WMS database (radio network configuration), and log files. (FTP and TFTP over IPsec can be used
to transfer configuration files.)
The controller logs must be monitored. If a strange activity is found, the Crypto Officer should take the controller off
line and investigate.
The Tamper-Evident Labels (TELs) must be regularly examined for signs of tampering. The Crypto Officer shall be
responsible for developing an inspection schedule in compliance with agency-specific policies.
When installing expansion or replacement modules for the Aruba 7200, use only FIPS-approved modules, replace
TELs affected by the change, and record the reason for the change, along with the new TEL locations and serial
numbers, in the security log.
The Crypto Officer shall not configure the Diffie-Hellman algorithm with 768-bits (Group 1) or 1024-bits (Group 2) in
FIPS mode for IKEv1/IKEv2-IPSec and SSHv2.
User Guidance
The User accesses the controller VPN functionality as an IPsec client. The user can also access the controller 802.11i
functionality as an 802.11 client. Although outside the boundary of the controller, the User should be directed to be careful
not to provide authentication information and session keys to others parties.