Reference Guide
40
8.3 Configuring CPSec protected AP FIPS mode
1. Apply TELs according to the directions in section 3.2
2. Log into the administrative console of the staging controller
3. Configure the staging controller with CPSec under Configuration > Controller > Control Plane
Security tab. AP will authenticate to the controller using certificate based authentication (IKEv2)
to establish IPSec. The AP is configured with an RSA key pair at manufacturing. The AP’s
certificate is signed by Aruba Certification Authority (trusted by all Aruba controllers) and the
AP’s RSA private key is stored in non-volatile memory (TPM). Refer to the “Configuring Control
Plane Security” section in the ArubaOS User Manual for details on the steps.
4. Enable FIPS mode on the controller. This is accomplished by going to the Configuration >
Network > Controller > System Settings page (this is the default page when you click the
Configuration tab), and clicking the FIPS Mode for Mobility Controller Enable checkbox.
5. Enable FIPS mode on the AP. This accomplished by going to the
Configuration > Wireless > AP Configuration > AP Group page. There, you click the Edit
button for the appropriate AP group, and then select AP > AP System Profile. Then, check the
“FIPS Enable” box, check “Apply”, and save the configuration.
6. If the staging controller does not provide PoE, either ensure the presence of a PoE injector for the
LAN connection between the module and the controller, or ensure the presence of a DC power
supply appropriate to the particular model of the module
7. Connect the module via an Ethernet cable to the staging controller; note that this should be a direct
connection, with no intervening network or devices; if PoE is being supplied by an injector, this
represents the only exception. That is, nothing other than a PoE injector should be present between
the module and the staging controller.
8. Once the module is connected to the controller by the Ethernet cable, navigate to the
Configuration > Wireless > AP Installation page, where you should see an entry for the AP.
Select that AP, click the “Provision” button, which will open the provisioning window. Now
provision the CPSec Mode by filling in the form appropriately. Detailed steps are listed in Section
“Provisioning an Individual AP” of Chapter “The Basic User-Centric Networks” of the Aruba OS
User Guide. Click “Apply and Reboot” to complete the provisioning process.
a. For CPSec AP mode, the AP always uses certificate based authentication to establish
IPSec connection with controller. AP uses the RSA key pair assigned to it at
manufacturing to authenticate itself to controller during IPSec. Refer to “Configuring
Control Plane Security” Section in Aruba OS User Manual for details on the steps to
provision an AP with CPSec enabled on controller.
9. Via the logging facility of the staging controller, ensure that the module (the AP) is successfully
provisioned with firmware and configuration
10. Terminate the administrative session
11. Disconnect the module from the staging controller, and install it on the deployment network; when
power is applied, the module will attempt to discover and connect to an Aruba Mobility Controller
on the network.
8.4 Configuring Remote Mesh Portal FIPS Mode
1. Apply TELs according to the directions in section 3.2
2. Log into the administrative console of the staging controller