Reference Guide

8 Secure Operation
The module can be configured in the following FIPS approved modes of operation via corresponding
Aruba Mobility Controllers that have been certified to FIPS level 2:
• Remote AP FIPS mode – When the module is configured as a Remote AP, it is intended to be
deployed in a remote location (relative to the Mobility Controller). The module provides
cryptographic processing in the form of IPSec for all traffic to and from the Mobility Controller.
• Control Plane Security (CPSec) protected AP FIPS mode – When the module is configured as a
Control Plane Security protected AP, it is intended to be deployed in a local/private location (LAN,
WAN, MPLS) relative to the Mobility Controller. The module provides cryptographic processing
in the form of IPSec for all Control traffic to and from the Mobility Controller.
• Remote Mesh Portal FIPS mode – When the module is configured in Mesh Portal mode, it is
intended to be connected over a physical wire to the Mobility Controller. These modules serve as
the connection point between the Mesh Point and the Mobility Controller. Mesh Portals
communicate with the Mobility Controller through IPSec and with Mesh Points via an 802.11i
session. The Crypto Officer role is the Mobility Controller that authenticates via IKEv1/IKEv2
pre-shared key or RSA/ECDSA certificate authentication method, and Users are the "n" Mesh
Points that authenticate via 802.11i pre-shared key.
• Remote Mesh Point FIPS mode – An AP that establishes an all-wireless path to the Remote Mesh
Portal in FIPS mode over 802.11 and an IPSec tunnel via the Remote Mesh Portal to the
controller.
The module also supports a non-FIPS mode – an un-provisioned AP, which by default does not
serve any wireless clients. The Crypto Officer must first enable and then provision the AP into a FIPS AP
mode of operation.
This section explains how to place the module in each FIPS mode and how to verify that it is in FIPS mode.
Note that on Aruba APs, changing the configuration from any one mode to any other mode
requires the module to be re-provisioned and rebooted before the newly configured mode can be enabled.
The access point is managed by an Aruba Mobility Controller in FIPS mode, and access to the Mobility
Controller’s administrative interface via a non-networked general purpose computer is required to assist in
placing the module in FIPS mode. The controller used to provision the AP is referred to below as the
“staging controller”. The staging controller must be provisioned with the appropriate firmware image for
the module, which has been validated to FIPS 140-2, prior to initiating AP provisioning. The Crypto
Officer shall perform the following steps:
8.1 Pre-Configuration for RAP-3WN, RAP-3WNP, RAP-108, and RAP-109
The RAP-3WN, RAP-3WNP, RAP-108, and RAP-109 ship from the factory in standalone “Instant AP”
mode, which is a non-approved mode. The Crypto Officer shall follow the steps below to appropriately
pre-configure the modules.
1. Power up the RAP.
2. Connect wirelessly to the Instant SSID.
3. Log in to the RAP: navigate to http://instant.arubanetworks.com and log in to the Instant UI.
The default username is admin and the default password is admin.
4. Navigate to the Maintenance tab in the top right.
5. Click on the Convert tab.