Non-Proprietary 1| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy AP-514, AP-515, AP-534, AP-535, AP-584, AP-585, AP-587, AP-635 and AP-655 Access Points with ArubaOS FIPS Firmware Non-Proprietary Security Policy FIPS 140-3 Level 2 Document Version 1.0 October 2024 Non-Proprietary 2| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy Copyright © 2024 Hewlett Packard Enterprise Company. Hewlett Packard Enterprise Company trademarks include , HPE Aruba Wireless Networks, HPE Aruba Networking, the registered HPE Aruba Networking the Mobile Edge Company logo, HPE Aruba Networking Mobility Management System, Mobile Edge Architecture® , People Move. Networks Must Follow® , RFProtect® , Green Island® . All rights reserved. All other trademarks are the property of their respective owners. HPE Aruba Networking is a Hewlett Packard Enterprise company. The resource assets in this firmware may include abbreviated and/or legacy terminology for HPE Aruba Networking products. See www.arubanetworks.com for current and complete HPE Aruba Networking product lines and names. Open Source Code Certain Hewlett Packard Enterprise Company products include Open Source software code developed by third parties, including software code subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses. The Open Source code used can be found at this site: https://www.arubanetworks.com/open_source Legal Notice The use of Hewlett Packard Enterprise Company switching platforms and software or firmware, by all individuals or corporations, to terminate other vendors’ VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Hewlett Packard Enterprise Company, from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of those vendors. Warranty This hardware product is protected by the standard HPE Aruba Networking warranty of one year parts/labor. For more information, refer to the ARUBACARE SERVICE AND SUPPORT TERMS AND CONDITIONS. Altering this device (such as painting it) voids the warranty. www.arubanetworks.com 6280 America Center Dr San Jose, CA, USA 95002 Phone: 408.941.4300 Non-Proprietary 3| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy Contents 1 General.............................................................................................................................................................................6 1.1 Purpose of this Document......................................................................................................................................6 1.2 Additional HPE Aruba Networking Product Information........................................................................................6 1.3 Acronyms and Abbreviations..................................................................................................................................7 1.4 Security Levels........................................................................................................................................................8 2 Cryptographic Module Specification................................................................................................................................9 2.1 Description .............................................................................................................................................................9 2.1.1 Cryptographic Module Boundary ....................................................................................................................9 2.2 Version Information ...............................................................................................................................................9 2.3 Operating Environments ......................................................................................................................................10 2.3.1 AP-510 Series.................................................................................................................................................11 2.3.2 AP-530 Series.................................................................................................................................................15 2.3.3 AP-580 Series.................................................................................................................................................19 2.3.4 AP-630 Series.................................................................................................................................................23 2.3.5 AP-650 Series.................................................................................................................................................26 2.4 Excluded Components..........................................................................................................................................28 2.5 Modes of Operation .............................................................................................................................................29 2.6 Approved Algorithms............................................................................................................................................29 2.7 Non-Approved Cryptographic Algorithms Allowed in the Approved Mode of Operation....................................33 2.8 Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed..................33 2.9 Non-Approved Algorithms Not Allowed in the Approved Mode of Operation ....................................................33 3 Cryptographic Module Interfaces ..................................................................................................................................34 4 Roles, Services, and Authentication...............................................................................................................................35 4.1 Roles.....................................................................................................................................................................35 4.2 Authentication......................................................................................................................................................37 4.2.1 Crypto Officer Authentication .......................................................................................................................37 4.2.2 User Authentication ......................................................................................................................................37 4.2.3 Wireless Client Authentication......................................................................................................................37 4.2.4 Strength of Authentication Mechanisms.......................................................................................................38 4.3 Services.................................................................................................................................................................39 4.3.1 Approved Services.........................................................................................................................................39 4.3.2 Non-Approved Services .................................................................................................................................43 5 Software / Firmware Security ........................................................................................................................................45 6 Operational Environment...............................................................................................................................................45 7 Physical Security.............................................................................................................................................................46 7.1 Reading TELs.........................................................................................................................................................46 7.2 Applying TELs........................................................................................................................................................47 7.3 Required TEL Locations.........................................................................................................................................47 7.3.1 TELs Placement on the AP-514 and AP-515...................................................................................................48 7.3.2 TELs Placement on the AP-534 and AP-535...................................................................................................49 7.3.3 TELs Placement on the AP-584, AP-585, and AP-587 ....................................................................................50 7.3.4 TELs Placement on the AP-584......................................................................................................................51 7.3.5 TELs Placement on the AP-585......................................................................................................................52 7.3.6 TELs Placement on the AP-587......................................................................................................................53 7.3.7 TELs Placement on the AP-635......................................................................................................................54 7.3.8 TELs Placement on the AP-655......................................................................................................................55 7.4 Inspection/Testing of Physical Security Mechanisms...........................................................................................56 8 Non-Invasive Security.....................................................................................................................................................56 9 Sensitive Security Parameters (SSP) Management ........................................................................................................57 9.1 Non-Deterministic Random Number Generation Specification ...........................................................................65 10 Self-Tests........................................................................................................................................................................66 11 Life-Cycle Assurance.......................................................................................................................................................71 11.1 Product Examination ............................................................................................................................................71 11.2 Package Contents .................................................................................................................................................71 11.3 Pre-Installation Checklist......................................................................................................................................71 11.4 Identifying Specific Installation Locations ............................................................................................................71 11.5 Precautions...........................................................................................................................................................72 11.6 Secure Operation..................................................................................................................................................72 11.6.1 Crypto Officer Management ....................................................................................................................72 Non-Proprietary 4| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 11.6.2 User Guidance..........................................................................................................................................73 11.6.3 Set-up and Configuration .........................................................................................................................73 11.7 Non-Approved Approved Mode Configurations...................................................................................................75 11.8 Full Documentation..............................................................................................................................................75 11.8.1 Related HPE Aruba Networking Documents ............................................................................................75 11.9 End of Life.............................................................................................................................................................76 12 Mitigation of Other Attacks............................................................................................................................................76 Figures Figure 1 - AP-514 Campus Access Point – Front ......................................................................................................................11 Figure 2 - AP-514 Campus Access Point – Back........................................................................................................................11 Figure 3 - AP-515 Campus Access Point – Front ......................................................................................................................11 Figure 4 - AP-515 Campus Access Point – Back........................................................................................................................12 Figure 5 - AP-510 Series Campus Access Point – Interfaces.....................................................................................................14 Figure 6 - AP-534 Campus Access Point – Front ......................................................................................................................15 Figure 7 - AP-534 Campus Access Point – Back........................................................................................................................15 Figure 8 - AP-535 Campus Access Point – Front ......................................................................................................................15 Figure 9 - AP-535 Campus Access Point – Back........................................................................................................................16 Figure 10 - AP-530 Series Campus Access Point – Interfaces...................................................................................................18 Figure 11 - AP-585 Outdoor Access Point – Side......................................................................................................................19 Figure 12 - AP-584 Outdoor Access Point – Bottom (without cover).......................................................................................19 Figure 13 - AP-585 Outdoor Access Point – Top ......................................................................................................................19 Figure 14 - AP-587 Outdoor Access Point – Rear.....................................................................................................................19 Figure 15 - AP-584 Outdoor Access Point – Interfaces (with aesthetic cover).........................................................................21 Figure 16 - AP-585 Outdoor Access Point – Interfaces (with aesthetic cover).........................................................................22 Figure 17 - AP-587 Outdoor Access Point – Interfaces (with aesthetic cover).........................................................................22 Figure 18 - AP-635 Campus Access Point – Front.....................................................................................................................23 Figure 19 - AP-635 Campus Access Point – Back......................................................................................................................23 Figure 20 - AP-630 Series Campus Access Point – Interfaces...................................................................................................25 Figure 21 - AP-655 Campus Access Point – Front.....................................................................................................................26 Figure 22 - AP-655 Campus Access Point – Back......................................................................................................................26 Figure 23 - AP-650 Series Campus Access Point – Interfaces...................................................................................................28 Figure 24 –AP Physical and Cryptographic Boundaries with Interfaces and Components Block Diagram...............................34 Figure 25 - Tamper-Evident Labels...........................................................................................................................................46 Figure 26 – Top View of AP-514 with TELs...............................................................................................................................48 Figure 27 – Bottom View of Aruba AP-514 with TELs ..............................................................................................................48 Figure 28 – Top View of AP-535 with TELs...............................................................................................................................49 Figure 29 – Bottom View of Aruba AP-535 with TELs ..............................................................................................................49 Figure 30 – Placement of TELs 1 and 2 on AP-580 Series APs..................................................................................................50 Figure 31 – Placement of TEL 3 on AP-580 Series APs .............................................................................................................50 Figure 32 – Right Side View of AP-584 with TEL.......................................................................................................................51 Figure 33 – Front View of AP-584 with TEL..............................................................................................................................51 Figure 34 – Left Side View of AP-584 with TELs.......................................................................................................................51 Figure 35 – Right Side View of AP-585 with TEL.......................................................................................................................52 Figure 36 – Front View of AP-585 with TEL..............................................................................................................................52 Figure 37 – Left Side View of AP-585 with TELs.......................................................................................................................52 Figure 38 – Right Side View of AP-587 with TEL.......................................................................................................................53 Figure 39 – Front View of AP-587 with TEL..............................................................................................................................53 Figure 40 – Left Side View of AP-587 with TELs.......................................................................................................................53 Figure 41 – Top View of AP-635 with TELs...............................................................................................................................54 Figure 42 – Bottom View of Aruba AP-635 with TELs ..............................................................................................................54 Figure 43 – Top View of AP-655 with TELs...............................................................................................................................55 Figure 44 – Bottom View of Aruba AP-655 with TELs ..............................................................................................................55 Non-Proprietary 5| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy Tables Table 1 – Document Revision History........................................................................................................................................5 Table 2 – Security Levels............................................................................................................................................................8 Table 3 – Cryptographic Components........................................................................................................................................9 Table 4 – Version Information ...................................................................................................................................................9 Table 5 – Cryptographic Module Tested Configurations..........................................................................................................10 Table 6 - AP-510 Series Status Indicator LEDs..........................................................................................................................14 Table 7 - AP-530 Series Status Indicator LEDs..........................................................................................................................18 Table 8 - AP-580 Series Status Indicator LEDs..........................................................................................................................22 Table 9 - AP-630 Series Status Indicator LEDs..........................................................................................................................25 Table 10 - AP-650 Series Status Indicator LEDs........................................................................................................................28 Table 11 – Modes List and Description....................................................................................................................................29 Table 12 – Approved Algorithms - ArubaOS OpenSSL Module................................................................................................29 Table 13 - Approved Algorithms - Aruba CPU Jitter Entropy Source .......................................................................................31 Table 14 - Approved Algorithms - ArubaOS Crypto Module....................................................................................................31 Table 15 - Approved Algorithms - ArubaOS Bootloader Module.............................................................................................32 Table 16 – Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed....................33 Table 17 – Non-Approved Algorithms Not Allowed in the Approved Mode of Operation ......................................................33 Table 18 – Ports and Interfaces ...............................................................................................................................................34 Table 19 – Roles, Service Commands, Input and Output.........................................................................................................35 Table 20 – Characteristics of Roles by AP Configuration when Module is in Approved Mode of Operation...........................36 Table 21 – Roles and Authentication.......................................................................................................................................38 Table 22 – Approved Services..................................................................................................................................................39 Table 23 – Approved Services Not Using Any Approved Security Functions ...........................................................................41 Table 24 – Non-Approved Services..........................................................................................................................................44 Table 25 - Physical Security Inspection Guidelines ..................................................................................................................56 Table 26 – SSPs and Keys .........................................................................................................................................................57 Table 27 – Non-Deterministic Random Number Generation Specification .............................................................................65 Table 28 – Pre-Operational Self-Tests......................................................................................................................................66 Table 29 – Conditional Cryptographic Algorithm Tests............................................................................................................66 Table 30 – Conditional Pairwise Consistency Tests..................................................................................................................69 Table 31 – Conditional Software/Firmware Load Tests ...........................................................................................................70 Preface This document may be freely reproduced and distributed whole and intact including the copyright notice. Products identified herein contain confidential commercial firmware. Valid license required. Document Revision History The following table lists the history of the revisions of this document by version number and date of revision. Table 1 – Document Revision History Version Date Description 1.0 October 2024 Initial FIPS 140-3 Release for HPE Aruba Networking AP-514, AP-515, AP-534, AP-535, AP-584, AP-585, AP-587, AP-635 and AP-655 Access Points with ArubaOS version 8.10 Firmware Non-Proprietary 6| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 1 General This section describes: • The purpose of this document. • HPE Aruba Networking documents related to this document contents. • Where to go for additional HPE Aruba Networking product information. • Acronyms and abbreviations. • The assurance security levels for each of the areas described in the FIPS 140-3 Standard. 1.1 Purpose of this Document This release supplement provides information regarding the HPE Aruba Networking AP-514, AP-515, AP-534, AP-535, AP-584, AP-585, AP-587, AP-635 and AP-655 Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 validation from HPE Aruba Networking. HPE Aruba Networking is a Hewlett Packard Enterprise company. The material in this supplement modifies the general HPE Aruba Networking hardware and firmware documentation included with this product and should be kept with your HPE Aruba Networking product documentation. This supplement primarily covers the non-proprietary Cryptographic Module Security Policy for the HPE Aruba Networking AP-514, AP-515, AP-534, AP-535, AP-584, AP-585, AP-587, AP-635 and AP- 655 Access Points with ArubaOS FIPS Firmware. This security policy describes how the Wireless Access Points (APs) meet the security requirements of FIPS 140-3 Level 2 and how to place and maintain the APs in the secure FIPS 140-3 mode. This policy was prepared as part of the FIPS 140-3 Level 2 validation of the product. FIPS 140-3 (Federal Information Processing Standards Publication 140-3, Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. FIPS 140-3 aligns with ISO/IEC 19790:2012(E) and includes modifications of the Annexes that are allowed to the Cryptographic Module Validation Program (CMVP), as a validation authority. The testing for these requirements will be in accordance with ISO/IEC 24759:2017(E), with the modifications, additions or deletions of vendor evidence and testing allowed as a validation authority under paragraph 5.2. More information about the FIPS 140-3 standard and validation program is available on the National Institute of Standards and Technology (NIST) website at: https://csrc.nist.gov/projects/cryptographic-module-validation-program In addition, in this document, the HPE Aruba Networking AP-514, AP-515, AP-534, AP-535, AP-584, AP-585, AP-587, AP-635 and AP-655 Access Points with ArubaOS FIPS Firmware are referred to as the Wireless Access Point, the AP, the module, the cryptographic module, HPE Aruba Networking Wireless Access Points, HPE Aruba Networking Wireless APs, HPE Aruba Networking Access Points, HPE Aruba Networking APs, and AP-5XX and AP-6XX Wireless APs. 1.2 Additional HPE Aruba Networking Product Information More information is available from the following sources: • See the HPE Aruba Networking web site for the full line of products from HPE Aruba Networking: https://www.arubanetworks.com • The NIST Validated Modules web site contains contact information for answers to technical or sales-related questions for the product: https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search Enter HPE Aruba Networking in the Vendor field then select Search to see a list of FIPS validated HPE Aruba Networking products. Select the Certificate Number for the Module Name ‘HPE Aruba Networking AP-5xx and AP-6xx Access Points’. Non-Proprietary 7| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 1.3 Acronyms and Abbreviations AES Advanced Encryption Standard AP Access Point CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CCCS Canadian Centre for Cyber Security, a branch of CSE CLI Command Line Interface CMVP Cryptographic Module Validation Program CO Crypto Officer CPSec Control Plane Security protected CSE Communications Security Establishment CSP Critical Security Parameter ECO External Crypto Officer EMC Electromagnetic Compatibility EMI Electromagnetic Interference ESV Entropy Source Validation FE Fast Ethernet GE Gigabit Ethernet GHz Gigahertz HMAC Hashed Message Authentication Code Hz Hertz IKE Internet Key Exchange IPsec Internet Protocol security KAT Known Answer Test KEK Key Encryption Key L2TP Layer-2 Tunneling Protocol LAN Local Area Network LED Light Emitting Diode PCT Pairwise Consistency Test PSP Public Security Parameter SFTP Secure File Transfer Protocol SHA Secure Hash Algorithm SNMP Simple Network Management Protocol SSP Sensitive Security Parameter SPOE Serial & Power Over Ethernet TEL Tamper-Evident Label or seal TFTP Trivial File Transfer Protocol WLAN Wireless Local Area Network Non-Proprietary 8| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 1.4 Security Levels The HPE Aruba Networking AP-514, AP-515, AP-534, AP-535, AP-584, AP-585, AP-587, AP-635 and AP-655 Access Points and associated modules are intended to meet overall FIPS 140-3 Level 2 requirements as shown in the following table. Table 2 – Security Levels ISO/IEC 24759 Section 6 [Number Below] FIPS 140-3 Section Title Security Level 1 General 2 2 Cryptographic Module Specification 2 3 Cryptographic Module Interfaces 2 4 Roles, Services, and Authentication 2 5 Software/Firmware Security 2 6 Operational Environment N/A 7 Physical Security 2 8 Non-Invasive Security N/A 9 Sensitive Security Parameter Management 2 10 Self-Tests 2 11 Life-Cycle Assurance 2 12 Mitigation of Other Attacks N/A Overall Overall Security Rating of the Module 2 Non-Proprietary 9| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 2 Cryptographic Module Specification 2.1 Description Purpose and Use: The HPE Aruba Networking AP-514, AP-515, AP-534, AP-535, AP-584, AP-585, AP-587, AP-635 and AP-655 Access Points (each also referred to as ‘the module’ and ‘AP’) are hardware type cryptographic modules with ArubaOS version 8.10 FIPS Firmware, all contained in hard, opaque plastic cases. Each HPE Aruba Networking Access Point (AP) with ArubaOS version 8.10 FIPS Firmware was validated under FIPS 140-3 Level 2 requirements. ArubaOS is the operating system for HPE Aruba Networking Mobility Conductors, Mobility Controllers/Gateways, and controller-managed HPE Aruba Networking Access Points (APs). Cryptographic services are provided by components of ArubaOS. An access point is a hardware device that creates a wireless local area network (WLAN), connects to a wired router, switch, or hub via an Ethernet cable, and projects a Wi-Fi signal to a designated area. See the diagram and tables below and in following sub-sections for AP details. Module Type: Hardware Module Embodiment: Multiple-chip Standalone Module Characteristics: None 2.1.1 Cryptographic Module Boundary Each access point’s case physically encloses the complete set of hardware and firmware components and represents the cryptographic boundary of the module. Refer to section 2.3, Operating Environments, for information on each HPE Aruba Networking AP’s hardware, including the processor for each listed in Table 5, Cryptographic Module Tested Configurations. The cryptographic services available to each HPE Aruba Networking AP are provided by the following components: Table 3 – Cryptographic Components Component Type Versions CAVP Cert. # ArubaOS OpenSSL Module Firmware 1.0 A2690 Aruba CPU Jitter Entropy Source Firmware 3.3.1 A2738 ArubaOS Crypto Module Firmware 1.0 A2689 ArubaOS Bootloader Module Firmware 1.0 A2688 2.2 Version Information Table 4 – Version Information Type Versions Hardware HPE Aruba Networking AP-514, AP-515, AP-534, AP-535, AP-584, AP-585, AP-587, AP-635 and AP-655 Access Points (APs) Firmware ArubaOS 8.10.0.5-FIPS Non-Proprietary 10| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 2.3 Operating Environments The module contains a limited operational environment. The HPE Aruba Networking operating system runs on the HPE Aruba Networking access point hardware with cryptographic services provided by the ArubaOS operating system. See the following table of Cryptographic Module Tested Configurations for details. Only the versions that explicitly appear on the validation certificate are formally validated. Table 5 – Cryptographic Module Tested Configurations Access Point Model Part Number Firmware Version Processor - PAA Acceleration Section Below with the Access Point Distinguishing Features AP-514-USF1 HPE SKU Q9H68A ArubaOS 8.10 Broadcom BCM (64-bit ARMv8) 2.3.1 AP-510 Series AP-515-USF1 HPE SKU Q9H73A ArubaOS 8.10 - No acceleration AP-534-USF1 HPE SKU JZ342A ArubaOS 8.10 Qualcomm IPQ (64-bit ARM Cortex A53) 2.3.2 AP-530 Series AP-535-USF1 HPE SKU JZ347A ArubaOS 8.10 - No acceleration AP-584-US TAA AP-584-RW TAA HPE SKU R7T14A HPE SKU R7T15A ArubaOS 8.10 Qualcomm IPQ (64-bit ARM Cortex A53) 2.3.3 AP-580 Series AP-585-US TAA AP-585-RW TAA HPE SKU R7T19A HPE SKU R7T20A ArubaOS 8.10 - No acceleration AP-587-US TAA AP-587-RW TAA HPE SKU R7T24A HPE SKU R7T25A ArubaOS 8.10 AP-635-RW TAA AP-635-US TAA HPE SKU R7J32A HPE SKU R7J33A ArubaOS 8.10 Qualcomm IPQ (64-bit ARM Cortex A53) - No acceleration 2.3.4 AP-630 Series AP-655-RW TAA AP-655-US TAA HPE SKU R7J43A HPE SKU R7J44A ArubaOS 8.10 Qualcomm IPQ (64-bit ARM Cortex A53) - No acceleration 2.3.5 AP-650 Series Note: • For radio regulatory reasons, HPE Aruba Networking part numbers ending with -USF1 are to be sold in the US only. Part numbers ending with -RWF1 are considered ‘rest of the world’ and must not be used for deployment in the United States. From a FIPS perspective, both -USF1 and -RWF1 models are identical and fully FIPS 140-3 compliant. Tested Operational Environment’s Physical Perimeter (TOEPP): The physical perimeter is the production grade enclosure of the hardware chassis of the HPE Aruba Networking access point hardware devices. Non-Proprietary 11| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 2.3.1 AP-510 Series This section introduces the HPE Aruba Networking AP-510 Series Campus Access Points (APs) with FIPS 140-3 Level 2 validation. It describes the purpose of the AP-514 and AP-515 APs, their physical attributes, and their interfaces. Figure 1 - AP-514 Campus Access Point – Front Figure 2 - AP-514 Campus Access Point – Back Figure 3 - AP-515 Campus Access Point – Front Non-Proprietary 12| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy Figure 4 - AP-515 Campus Access Point – Back With a maximum concurrent data rate of 4.8 Gbps in the 5 GHz band and 575 Mbps in the 2.4 GHz band (for an aggregate peak data rate of 3 Gbps), the 510 Series Access Points deliver high performance 802.11ax access for mobile and IoT devices in indoor environments for any enterprise environment. The high performance and high density 802.11ax 510 Series Access Points support all mandatory and several optional 802.11ax features, which include up- and downlink Orthogonal Frequency Division Multiple Access (OFDMA) with up to 16 resource units for increased user data rates and reduced latency, bi-directional Multi- User Multiple Input Multiple Output (MU-MIMO) for improved network capacity with multiples devices capable to transmit simultaneously, 4x4 MIMO with up to four spatial streams (4SS) in the 5 GHz band and 2x2 MIMO with up to two spatial streams (2SS) in the 2.4 GHz band, channel bandwidths up to 160 MHz (in 5 GHz; 40 MHz in 2.4 GHz), and up to 1024-QAM modulation. Each AP supports up to 512 associated client devices per radio and has a total of four dual band antennas. In addition to 802.11ax standard capabilities, the Wi-Fi 6 510 Series supports unique features like Aruba ClientMatch radio management and additional radios (Bluetooth 5 and Zigbee) for location services, asset tracking services, security solutions and IoT sensors, as well as ArubaOS 8 features like Aruba Activate and AirMatch with machine learning technology to automatically optimize the wireless network performance. The AP-514 has four (female) RP-SMA connectors for external dual band antennas (A0 through A3, corresponding with radio chains 0 through 3). The AP-515 has four integrated dual-band downtilt omni- directional antennas for 4x4 MIMO with peak antenna gain of 4.2 dBi in 2.4 GHz and 7.5 dBi in 5 GHz. Built- in antennas are optimized for horizontal ceiling mounted orientation of the AP. The downtilt angle for maximum gain is roughly 30 degrees. Additionally, Advanced Cellular Coexistence (ACC) minimizes the impact of interference from 3G/4G LTE cellular networks, Dynamic Frequency Selection (DFS) maximizes the use of available RF spectrum, and Maximum Ratio Combining (MRC) improves receiver performance. When managed by HPE Aruba Networking Mobility Controllers, AP-514 and AP-515 offer centralized configuration, data encryption, policy enforcement and network services, as well as distributed and centralized traffic forwarding. 2.3.1.1 Physical Description The HPE Aruba Networking AP-514 and AP-515 Campus Access Points are multiple-chip standalone cryptographic modules consisting of hardware and firmware, all contained in hard, opaque plastic cases. The modules contain 802.11 a/b/g/n/ac/ax transceivers and support four integrated omni-directional downtilt antennas each. The case physically encloses the complete set of hardware and firmware components and represents the cryptographic boundary of the module. The Access Point configurations validated during the cryptographic module testing included: • AP-514 HW: AP-514-USF1 (HPE SKU Q9H68A) Non-Proprietary 13| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy • AP-515 HW: AP-515-USF1 (HPE SKU Q9H73A) 2.3.1.2 Dimensions / Weight The AP has the following physical dimensions: • Dimensions/weight (AP-515 unit, excluding mount bracket): o 200mm (W) x 200mm (D) x 46mm (H) / 7.9” (W) x 7.9” (D) x 1.8” (H) o 810g / 28.5oz • Dimensions/weight (AP-515; shipping): o 230mm (W) x 220mm (D) x 72mm (H) / 9.1” (W) x 8.7” (D) x 2.8” (H) o 1,010g / 35.5oz 2.3.1.3 Environmental • Operating: o Temperature: 0° C to +50° C (+32° F to +122° F) o Humidity: 5% to 93% non-condensing • Storage and transportation: o Temperature: -40° C to +70° C (-40° F to +158° F) o Humidity: 5% to 93% non-condensing 2.3.1.4 Interfaces The module provides the following network interfaces: • E0: One HPE Smart Rate port (RJ-45, Auto-sensing link speed 100/1000/2500BASE-T and MDI/MDX) o 802.3az Energy Efficient Ethernet (EEE) o PoE-PD: 48 Vdc (nominal) 802.3af/at/bt POE (class 3 or higher) • E1: One HPE Smart Rate port (RJ-45, Auto-sensing link speed 10/100/1000BASE-T and MDI/MDX) o Link Aggregation (LACP) support between both network ports for redundancy and capacity o 802.3az Energy Efficient Ethernet (EEE) Antenna interfaces: • 802.11a/b/g/n/ac/ax four external antenna (AP-514) or four internal antenna (AP-515) DC power interface: • 12Vdc nominal, +/- 5% • 2.1mm/5.5mm center-positive circular plug with 9.5-mm length USB 2.0 host interface (Type A connector) Bluetooth 5.0 Low Energy (BLE5.0) and Zigbee (802.15.4) radio: • Bluetooth 5.0: up to 8dBm transmit power (class 1) and -95dBm receive sensitivity • Zigbee: up to 8dBm transmit power and -97dBm receive sensitivity Non-Proprietary 14| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy Other Interfaces: • Visual indicators (two multi-color LEDs): for System and Radio status • Reset button: factory reset (during device power up) • Serial console interface (proprietary; optional adapter cable available; disabled in Approved mode) Figure 5 - AP-510 Series Campus Access Point – Interfaces Table 6 - AP-510 Series Status Indicator LEDs LED Type Color/State Meaning System Status (Left) Off AP powered off Green - Blinking Device booting; not ready Green - Solid Device ready Amber - Solid Device ready; power-save mode (802.3af PoE): * Single radio * USB disabled Green or Amber Flashing Device ready, restricted mode: * Uplink negotiated in sub optimal speed; or * Deep sleep mode Red System error condition Radio Status (Right) Off AP powered off, or both radios disabled Green - Solid Both radios enabled in access mode Amber - Solid Both radios enabled in monitor mode Green or Amber Blinking One radio enabled in access (green) or monitor (amber) mode, other disabled Green/Amber Alternating Green: one radio enabled in access mode, Amber: one radio enabled in monitor mode Non-Proprietary 15| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 2.3.2 AP-530 Series This section introduces the HPE Aruba Networking AP-530 Series Campus Access Points (APs) with FIPS 140-3 Level 2 validation. It describes the purpose of the AP-534 and AP-535 APs, their physical attributes, and their interfaces. Figure 6 - AP-534 Campus Access Point – Front Figure 7 - AP-534 Campus Access Point – Back Figure 8 - AP-535 Campus Access Point – Front Non-Proprietary 16| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy Figure 9 - AP-535 Campus Access Point – Back With a maximum concurrent data rate of 2.4 Gbps in the 5 GHz band and 1,150 Mbps in the 2.4 GHz band (for an aggregate peak data rate of 3.55 Gbps), the 530 Series Access Points deliver high performance 802.11ax access for mobile and IoT devices in indoor environments for any enterprise environment. The high performance and high density 802.11ax 530 Series Access Points support all mandatory and several optional 802.11ax features, which include up- and downlink Orthogonal Frequency Division Multiple Access (OFDMA) with up to 37 resource units for increased user data rates and reduced latency, up- and downlink Multi-User Multiple Input Multiple Output (MU-MIMO) for improved network capacity with multiples devices capable to transmit simultaneously, 4x4 MIMO with up to four spatial streams (4SS) in both the 5 GHz and 2.4 GHz bands, channel bandwidths up to 160 MHz (in 5 GHz; 40 MHz in 2.4 GHz), and up to 1024-QAM modulation. Each AP supports up to 1,024 associated client devices per radio and has a total of four dual band antennas. In addition to 802.11ax standard capabilities, the Wi-Fi 6 530 Series supports unique features like Aruba ClientMatch radio management and additional radios (Bluetooth 5 and Zigbee) for location services, asset tracking services, security solutions and IoT sensors, as well as ArubaOS 8 features like Aruba Activate and AirMatch with machine learning technology to automatically optimize the wireless network performance. The AP-534 has four (female) RP-SMA connectors for external dual band antennas (A0 through A3, corresponding with radio chains 0 through 3). The AP-535 has four integrated dual-band downtilt omni- directional antennas for 4x4 MIMO with peak antenna gain of 3.5 dBi in 2.4 GHz and 5.4 dBi in 5 GHz. Built-in antennas are optimized for horizontal ceiling mounted orientation of the AP. The downtilt angle for maximum gain is roughly 30 degrees. Additionally, Advanced Cellular Coexistence (ACC) minimizes the impact of interference from 3G/4G LTE cellular networks, Dynamic Frequency Selection (DFS) maximizes the use of available RF spectrum, and Maximum Ratio Combining (MRC) improves receiver performance. When managed by HPE Aruba Networking Mobility Controllers, AP-534 and AP-535 offer centralized configuration, data encryption, policy enforcement and network services, as well as distributed and centralized traffic forwarding. 2.3.2.1 Physical Description The HPE Aruba Networking AP-534 and AP-535 Access Points are multiple-chip standalone cryptographic modules consisting of hardware and firmware, all contained in hard, opaque plastic cases. The modules contain 802.11 a/b/g/n/ac/ax transceivers and support four integrated omni-directional downtilt antennas each. The case physically encloses the complete set of hardware and firmware components and represents the cryptographic boundary of the module. The Access Point configuration validated during the cryptographic module testing included: • AP-534 HW: AP-534-USF1 (HPE SKU JZ342A) • AP-535 HW: AP-535-USF1 (HPE SKU JZ347A) Non-Proprietary 17| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 2.3.2.2 Dimensions / Weight The AP has the following physical dimensions: • Dimensions/weight (AP-535 unit, excluding mount bracket): o 240mm (W) x 240mm (D) x 57mm (H) / 9.4” (W) x 9.4” (D) x 2.1” (H) o 1,270g / 44.8oz • Dimensions/weight (AP-535; shipping): o 285mm (W) x 300mm (D) x 105mm (H) / 11.2” (W) x 11.9” (D) x 4.1” (H) o 1,930g / 68.1oz 2.3.2.3 Environmental • Operating: o Temperature: 0° C to +50° C (+32° F to +122° F) o Humidity: 5% to 93% non-condensing • Storage and transportation: o Temperature: -40° C to +70° C (-40° F to +158° F) o Humidity: 5% to 93% non-condensing 2.3.2.4 Interfaces The module provides the following network interfaces: • E0: One HPE Smart Rate port (RJ-45, Auto-sensing link speed 100/1000/2500/5000BASE-T and MDI/MDX) o 802.3az Energy Efficient Ethernet (EEE) o PoE-PD: 48 Vdc (nominal) 802.3at/bt POE (class 4 or higher) • E1: One HPE Smart Rate port (RJ-45, Auto-sensing link speed 100/1000/2500/5000BASE-T and MDI/MDX) o Link Aggregation (LACP) support between both network ports for redundancy and capacity o 802.3az Energy Efficient Ethernet (EEE) o PoE-PD: 48 Vdc (nominal) 802.3at/bt POE (class 4 or higher) Antenna interfaces: • 802.11a/b/g/n/ac/ax four external antenna (AP-534) or four internal antenna (AP-535) DC power interface: • 48Vdc nominal, +/- 5% • 1.35mm/3.5mm center-positive circular plug with 9.5-mm length USB 2.0 host interface (Type A connector) Bluetooth 5.0 Low Energy (BLE5.0) and Zigbee (802.15.4) radio: • Bluetooth 5.0: up to 8dBm transmit power (class 1) and -95dBm receive sensitivity • Zigbee: up to 8dBm transmit power and -99dBm receive sensitivity Other Interfaces: • Visual indicators (two multi-color LEDs): for System and Radio status • Reset button: factory reset (during device power up) • Serial console interface (proprietary; optional adapter cable available; disabled in Approved mode) Non-Proprietary 18| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy Figure 10 - AP-530 Series Campus Access Point – Interfaces Table 7 - AP-530 Series Status Indicator LEDs LED Type Color/State Meaning System Status (Left) Off AP powered off Green - Blinking Device booting; not ready Green - Solid Device ready Amber - Solid Device ready; power-save mode (802.3at PoE): * Single radio * USB disabled Green or Amber Flashing Device ready, restricted mode: * Uplink negotiated in sub optimal speed; or * Deep sleep mode Red System error condition Radio Status (Right) Off AP powered off, or both radios disabled Green - Solid Both radios enabled in access mode Amber - Solid Both radios enabled in monitor mode Green or Amber Blinking One radio enabled in access (green) or monitor (amber) mode, other disabled Green/Amber Alternating Green: one radio enabled in access mode, Amber: one radio enabled in monitor mode Non-Proprietary 19| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 2.3.3 AP-580 Series This section introduces the HPE Aruba Networking AP-580 Series Outdoor Access Points (APs) with FIPS 140-3 Level 2 validation. It describes the purpose of the AP-584, AP-585 and AP-587 APs, their physical attributes, and their interfaces. Figure 11 - AP-585 Outdoor Access Point – Side Figure 12 - AP-584 Outdoor Access Point – Bottom (without cover) Figure 13 - AP-585 Outdoor Access Point – Top Figure 14 - AP-587 Outdoor Access Point – Rear With a maximum concurrent data rate of 2.4 Gbps in the 5 GHz band and 574 Mbps in the 2.4 GHz band (for an aggregate peak data rate of 2.97 Gbps), the AP-580 Series Access Points deliver 802.11ax Gigabit Wi-Fi 6 performance to large scale outdoor environments including universities, large enterprises, and industrial applications. Weatherproofed, and temperature hardened to survive in the harshest outdoor environments, the 580 Series APs withstand exposure to extreme high and low temperatures, persistent moisture, and precipitation, and are fully sealed to keep out airborne contaminants. All electrical interfaces include industrial surge protection and are IP66/67 certified. Non-Proprietary 20| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy The high performance and high density 802.11ax 580 Series Access Points support all mandatory and several optional 802.11ax features, which include Uplink and Downlink Orthogonal Frequency Division Multiple Access (OFDMA) for increased user data rates and reduced latency, bi-directional Multi-User Multiple Input Multiple Output (MU-MIMO) for improved network capacity with multiples devices capable to transmit simultaneously, dual-radio 4x4 MIMO with up to four spatial streams (4SS) in 5 GHz and 4x4 with up to four spatial streams (4SS) in 2.4 GHz, and up to 1024-QAM modulation. Each AP supports up to 1,024 associated client devices per radio and up to 16 BSSIDs per radio. The AP-584 has a total of five Nf connectors for external antennas (four external dual band antennas and one BT antenna), the AP-585 has four internal dual- band omni-directional antennas for 4x4 MIMO in 2.4 GHz with peak antenna gain of 4.4 dBi and 4x4 MIMO in 5 GHz with peak antenna gain of 5.8 dBi plus a BT antenna with 4.8 dBi, and the AP-587 has four internal dual-band directional antennas for 4x4 MIMO in 2.4 GHz with peak antenna gain of 5.8 dBi and 4x4 MIMO in 5 GHz with peak antenna gain of 6.6 dBi plus a BT antenna with 6.3 dBi. In addition to 802.11ax standard capabilities, the Wi-Fi 6 AP-580 Series supports unique features like Aruba ClientMatch radio management and an additional radio (Bluetooth Low-Energy (BLE)) for location services, asset tracking services, security solutions and IoT sensors, as well as ArubaOS 8+ features like Aruba Activate and Air Slice with machine learning technology to automatically optimize the wireless network performance. Additionally, Aruba Advanced Cellular Coexistence (ACC) minimizes the impact of interference from cellular networks, distributed antenna systems (DAS), and commercial small cell or femtocell equipment, plus Dynamic Frequency Selection (DFS) maximizes the use of available RF spectrum, and Maximum Ratio Combining (MRC) improves receiver performance. When managed by HPE Aruba Networking Mobility Controllers, AP-580 Series APs offer centralized configuration, data encryption, policy enforcement and network services, as well as distributed and centralized traffic forwarding. 2.3.3.1 Physical Description The HPE Aruba Networking AP-584, AP-585 and AP-587 Outdoor Access Points are multiple-chip standalone cryptographic modules consisting of hardware and firmware, all contained in hard, opaque plastic cases. The modules contain 802.11 a/b/g/n/ac/ax transceivers and support both external antennas (AP-584) and internal integrated omni-directional antennas (AP-585 and AP-587). The case physically encloses the complete set of hardware and firmware components and represents the cryptographic boundary of the module. The AP-580 Series Access Points configurations validated during the cryptographic modules testing included: • AP-584 HW: AP-584-US TAA (HPE SKU R7T14A) • AP-584 HW: AP-584-RW TAA (HPE SKU R7T15A) • AP-585 HW: AP-585-US TAA (HPE SKU R7T19A) • AP-585 HW: AP-585-RW TAA (HPE SKU R7T20A) • AP-587 HW: AP-587-US TAA (HPE SKU R7T24A) • AP-587 HW: AP-587-RW TAA (HPE SKU R7T25A) 2.3.3.2 Dimensions / Weight The AP-580s have the following physical dimensions (with aesthetic cover): • Dimensions/weight (AP-584 unit, excluding mount bracket): o 324mm (W) x 312mm (D) x 244mm (H) / 12.6” (W) x 12.3” (D) x 9.6” (H) o 5.52 kg / 11.5 lbs • Dimensions/weight (AP-585 unit, excluding mount bracket): o 324mm (W) x 313mm (D) x 320mm (H) / 12.6” (W) x 12.3” (D) x 12.7” (H) o 5.24 kg / 11.5 lbs • Dimensions/weight (AP-587 unit, excluding mount bracket): o 302mm (W) x 300mm (D) x 174mm (H) / 11.9” (W) x 11.8” (D) x 6.9” (H) o 4.51 kg / 9.9 lbs Non-Proprietary 21| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 2.3.3.3 Environmental • Operating: o Temperature: -40° C to +65° C (-40° F to +149° F) o Humidity: 5% to 93% non-condensing • Storage and transportation: o Temperature: -40° C to +70° C (-40° F to +158° F) o Humidity: 5% to 93% non-condensing 2.3.3.4 Interfaces Each module provides the following wired network interfaces: • E0/POE+: Ethernet port (RJ-45, Auto-sensing link speed 100/1000/2500/5000BASE-T and MDI/MDX) o 5Gbps Smart Rate: NBase-T and 802.3bz o 802.3az Energy Efficient Ethernet (EEE) o Support for jumbo frames (MTU up to 9,216 bytes) Uplink o PoE-PD: 802.3bt class 6/5, 802.3af/at class 4 POE • E1/SFP+: SFP+ port (10GBASE-R SFP+) o 802.3az Energy Efficient Ethernet (EEE) o Support for jumbo frames (MTU up to 9,216 bytes) Uplink/Downlink • E2/PSE: Ethernet port (RJ-45, Auto-sensing link speed 10/100/1000BASE-T and MDI/MDX) o 802.3az Energy Efficient Ethernet (EEE) o Support for jumbo frames (MTU up to 9,216 bytes) Downlink o PoE-PSE: 802.3af/at POE AC power interface: • 100-240V 50/60Hz AC (power cord or power connector kit sold separately) Antenna interfaces: • 802.11a/b/g/n/ac/ax five external antenna (AP-584) or four (AP-585 and AP-587) internal antenna USB-C console port Bluetooth 5.0 Low Energy (BLE5.0) and Zigbee (802.15.4) radio: • Bluetooth 5.0: up to 8dBm transmit power (class 2) and -98dBm receive sensitivity • Zigbee: up to 8dBm transmit power and -96dBm receive sensitivity Other Interfaces: • Visual indicator (one multi-color LED on front): for System and Radio status • Reset button: factory reset (during device power up) or LED Toggle On/Off (during normal operation) • Serial console interface (proprietary; adapter cable included in package; disabled in Approved mode) • Grounding Point Figure 15 - AP-584 Outdoor Access Point – Interfaces (with aesthetic cover) Non-Proprietary 22| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy Figure 16 - AP-585 Outdoor Access Point – Interfaces (with aesthetic cover) Figure 17 - AP-587 Outdoor Access Point – Interfaces (with aesthetic cover) Table 8 - AP-580 Series Status Indicator LEDs LED Type Color/State Meaning System Status (during Boot Up) Off AP powered off Red Initial power-up Green - Flashing AP booting; not ready Green - Solid AP ready and GbE (or better) or SFP+ connected. The LED turns off after 1200 seconds. Green / Amber Alternating, 6 seconds period AP ready and 100Mbps Ethernet link established. The LED turns off after 1200 seconds. Green – Flashing, 6 seconds period AP in deep sleep Red – Flashing AP in thermal shutdown System Status (during Operation) Red - Solid System error condition Red – One red blink every 3 seconds Radio 0 fault (5 GHz) Red – Two quick blinks 0.5 seconds apart, cycled every 3 seconds Radio 1 fault (2.4 GHz) Non-Proprietary 23| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 2.3.4 AP-630 Series This section introduces the HPE Aruba Networking AP-630 Series Campus Access Points (APs) with FIPS 140-3 Level 2 validation. It describes the purpose of the AP-635 APs, their physical attributes, and their interfaces. Figure 18 - AP-635 Campus Access Point – Front Figure 19 - AP-635 Campus Access Point – Back With a maximum concurrent data rate of 1.2 Gbps in the 5 GHz band, 574 Mbps in the 2.4 GHz band, and 2.4 Gbps in the 6 GHz band (for an aggregate peak data rate of 3.9 Gbps), the 630 Series Access Points deliver more wireless capacity and/or wider channels with less interference in indoor environments for any enterprise environment. The 630 Series Access Points with Wi-Fi 6E can better support low-latency, bandwidth hungry applications like high-definition video and artificial reality/virtual reality applications while using comprehensive tri-band coverage to meet the growing demands of Wi-Fi from increased use of video, growth in client and IoT devices, and expanded use of cloud. The AP-635 APs support 802.11ax features which include Orthogonal Frequency Division Multiple Access (OFDMA) with up to 37 resource units for increased user data rates and reduced latency, Multi-User Multiple Input Multiple Output (MU-MIMO) for improved network capacity with multiples devices capable to transmit simultaneously, 2x2 MIMO with up to two spatial streams (2SS) in all three bands, channel bandwidths up to 160 MHz (in 6 GHz; 80 MHz in 5GHz, and 20 MHz in 2.4 GHz), and up to 1024-QAM modulation. Each AP supports up to 512 associated client devices per radio and has a total of four dual band antennas. In addition to 802.11ax standard capabilities, the Wi-Fi 6E 630 Series supports unique features like Aruba ClientMatch radio management and an additional radio (for Bluetooth 5 and Zigbee) for location services, asset tracking services, security solutions and IoT sensors, as well as ArubaOS features like Air Slice and AirMatch with machine learning technology to automatically optimize the wireless network performance. The AP-635 has four integrated dual-band downtilt omni-directional antennas for 2x2 MIMO with peak antenna gain of 4.6 dBi in 2.4 GHz, 7.0 dBi in 5 GHz, and 6.3 dBi in 5 GHz. Built-in antennas are optimized for horizontal ceiling mounted orientation of the AP. The downtilt angle for maximum gain is roughly 30 to 40 degrees. Also, the BLE5.0 / Zigbee radio uses an integrated omnidirectional antenna with roughly 30 to 40 degrees downtilt and peak gain of 3.0 dBi. Non-Proprietary 24| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy Additionally, Advanced Cellular Coexistence (ACC) minimizes the impact of interference from cellular networks, Dynamic Frequency Selection (DFS) optimizes the use of available RF spectrum, and Maximum Ratio Combining (MRC) improves receiver performance. When managed by HPE Aruba Networking Mobility Controllers, AP-635 offers centralized configuration, data encryption, policy enforcement and network services, as well as distributed and centralized traffic forwarding. 2.3.4.1 Physical Description The HPE Aruba Networking AP-635 Access Points are multiple-chip standalone cryptographic modules consisting of hardware and firmware, all contained in hard, opaque plastic cases. The modules contain 802.11 a/b/g/n/ac/ax transceivers and support four integrated omni-directional downtilt antennas. The case physically encloses the complete set of hardware and firmware components and represents the cryptographic boundary of the module. The Access Point configuration validated during the cryptographic module testing included: • AP-635 HW: AP-635-US TAA (HPE SKU R7J33A) • AP-635 HW: AP-635-RW TAA (HPE SKU R7J32A) 2.3.4.2 Dimensions / Weight The AP has the following physical dimensions: • Dimensions/weight (AP-635 unit, excluding mount bracket): o 220mm (W) x 220mm (D) x 51mm (H) / 8.7” (W) x 8.7” (D) x 2.0” (H) o 1,300g / 45.9oz • Dimensions/weight (AP-635; shipping): o 250mm (W) x 240mm (D) x 85mm (H) / 9.8” (W) x 9.4” (D) x 3.3” (H) o 1,650g / 58.2oz 2.3.4.3 Environmental • Operating: o Temperature: 0° C to +50° C (+32° F to +122° F) o Humidity: 5% to 95% non-condensing • Storage and transportation: o Temperature: -40° C to +70° C (-40° F to +158° F) o Humidity: 5% to 95% non-condensing 2.3.4.4 Interfaces The module provides the following network interfaces: • E0: Ethernet port (RJ-45, Auto-sensing link speed 100/1000/2500BASE-T and MDI/MDX) o 2.5Gbps speeds comply with NBase-T and 802.3bz o 802.3az Energy Efficient Ethernet (EEE) o PoE-PD: 48 Vdc (nominal) 802.3at/bt POE (class 4 or higher) • E1: Ethernet port (RJ-45, Auto-sensing link speed 100/1000/2500BASE-T and MDI/MDX) o Link Aggregation (LACP) support between both network ports for redundancy and capacity o 2.5Gbps speeds comply with NBase-T and 802.3bz o 802.3az Energy Efficient Ethernet (EEE) o PoE-PD: 48 Vdc (nominal) 802.3at/bt POE (class 4 or higher) Antenna interfaces: • 802.11a/b/g/n/ac/ax four internal antenna (AP-635) DC power interface: • 12Vdc nominal, +/- 5% • 2.1mm/5.5mm center-positive circular plug with 9.5-mm length USB 2.0 host interface (Type A connector) Non-Proprietary 25| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy Bluetooth 5.0 Low Energy (BLE5.0) and Zigbee (802.15.4) radio: • Bluetooth 5.0: up to 5dBm transmit power (class 1) and -100dBm receive sensitivity • Zigbee: up to 5dBm transmit power and -97dBm receive sensitivity Other Interfaces: • Visual indicators (four multi-color LEDs): for System (1) and Radio (3) status • Reset button: factory reset (during device power up) or LED Toggle On/Off (during normal operation) • Serial console interface (proprietary; optional adapter cable available; disabled in Approved mode) Figure 20 - AP-630 Series Campus Access Point – Interfaces Table 9 - AP-630 Series Status Indicator LEDs LED Type Color/State Meaning System Status (Left) Off AP powered off Green - Blinking Device booting; not ready Green - Solid Device ready Amber - Solid Device ready; power-save mode (802.3at PoE): * Single radio * USB disabled Green or Amber Flashing Device ready, restricted mode: * Uplink negotiated in sub optimal speed; or * Deep sleep mode Red System error condition Radio Status (Right) 2GHz/5GHz/6GHz Off AP powered off, or radio disabled Green - Solid Radio enabled in access mode Amber - Solid Radio enabled in monitor or spectrum analysis mode Green Flashing Radio enabled in uplink or mesh mode Non-Proprietary 26| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 2.3.5 AP-650 Series This section introduces the HPE Aruba Networking AP-650 Series Campus Access Points (APs) with FIPS 140-3 Level 2 validation. It describes the purpose of the AP-655 APs, their physical attributes, and their interfaces. Figure 21 - AP-655 Campus Access Point – Front Figure 22 - AP-655 Campus Access Point – Back With a maximum concurrent data rate of 2.4 Gbps in the 5 GHz band, 574 Mbps in the 2.4 GHz band, and 4.8 Gbps in the 6 GHz band (for an aggregate peak data rate of 7.8 Gbps), the 650 Series Access Points deliver comprehensive tri-band coverage to meet the growing demands of Wi-Fi due to increased use of video, growth in client and IoT devices, and expanded use of cloud in indoor environments for any growing enterprise environment. The very high performance and extreme density 802.11ax 650 Series Access Points support 802.11ax features, which include up- and downlink Orthogonal Frequency Division Multiple Access (OFDMA) with up to 37 resource units for increased user data rates and reduced latency, up- and downlink Multi-User Multiple Input Multiple Output (MU-MIMO) for improved network capacity with multiples devices capable to transmit simultaneously, 4x4 MIMO with up to four spatial streams (4SS) in each of the 2.4, 5 and 6 GHz bands, channel bandwidths up to 160 MHz (in 6 GHz, 80 MHz in 5 GHz, and 20 MHz in 2.4 GHz), and up to 1024-QAM modulation. Each AP supports up to 1,024 associated client devices per radio and has eight internal dual band antennas. In addition to 802.11ax standard capabilities, the Wi-Fi 6E 650 Series supports unique features like Aruba ClientMatch radio management and additional radios (Bluetooth 5 and Zigbee) for location services, asset tracking services, security solutions and IoT sensors, as well as ArubaOS features like Aruba Air Slice and AirMatch with machine learning technology to automatically optimize the wireless network performance. The AP-655 has eight integrated dual-band downtilt omni-directional antennas for 4x4 MIMO with peak antenna gain of 4.8 dBi in 2.4 GHz, 5.3 dBi in 5GHz, and 5.4 dBi in 6GHz. Built-in antennas are optimized for horizontal ceiling mounted orientation of the AP. The downtilt angle for maximum gain is roughly 30 to 40 degrees. Also, the BLE5.0 / Zigbee radio uses an integrated omnidirectional antenna with roughly 30 to 40 degrees downtilt and peak gain of 3.6 dBi. Non-Proprietary 27| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy Additionally, Advanced Cellular Coexistence (ACC) minimizes the impact of interference from cellular networks, Dynamic Frequency Selection (DFS) optimizes the use of available RF spectrum, and Maximum Ratio Combining (MRC) improves receiver performance. When managed by HPE Aruba Networking Mobility Controllers, AP-650 Series APs offer centralized configuration, data encryption, policy enforcement and network services, as well as distributed and centralized traffic forwarding. 2.3.5.1 Physical Description The HPE Aruba Networking AP-655 Access Points are multiple-chip standalone cryptographic modules consisting of hardware and firmware, all contained in hard, opaque plastic cases. The modules contain 802.11 a/b/g/n/ac/ax transceivers and support eight integrated omni-directional downtilt antennas. The case physically encloses the complete set of hardware and firmware components and represents the cryptographic boundary of the module. The Access Point configuration validated during the cryptographic module testing included: • AP-655 HW: AP-555-US TAA (HPE SKU R7J44A) • AP-655 HW: AP-555-RW TAA (HPE SKU R7J43A) 2.3.5.2 Dimensions / Weight The AP has the following physical dimensions: • Dimensions/weight (AP-655 unit, excluding mount bracket): o 260mm (W) x 260mm (D) x 60mm (H) / 10.2” (W) x 10.2” (D) x 2.4” (H) o 1,800g / 63.5oz • Dimensions/weight (AP-655; shipping): o 285mm (W) x 285mm (D) x 95mm (H) / 11.2” (W) x 11.2” (D) x 3.7” (H) o 2,300g / 81.1oz 2.3.5.3 Environmental • Operating: o Temperature: 0° C to +50° C (+32° F to +122° F) o Humidity: 5% to 95% non-condensing • Storage and transportation: o Temperature: -40° C to +70° C (-40° F to +158° F) o Humidity: 5% to 95% non-condensing 2.3.5.4 Interfaces The module provides the following network interfaces: • E0: Ethernet port (RJ-45, Auto-sensing link speed 100/1000/2500/5000BASE-T and MDI/MDX) o 2.5Gbps and 5Gbps speeds comply with NBase-T and 802.3bz o 802.3az Energy Efficient Ethernet (EEE) o PoE-PD: 48 Vdc (nominal) 802.3af/at/bt POE (class 3 or higher) • E1: Ethernet port (RJ-45, Auto-sensing link speed 100/1000/2500/5000BASE-T and MDI/MDX) o Link Aggregation (LACP) support between both network ports for redundancy and capacity o 2.5Gbps and 5Gbps speeds comply with NBase-T and 802.3bz o 802.3az Energy Efficient Ethernet (EEE) o PoE-PD: 48 Vdc (nominal) 802.3af/at/bt POE (class 3 or higher) Antenna interfaces: • 802.11a/b/g/n/ac/ax eight internal antenna (AP-655) DC power interface: • 12Vdc nominal, +/- 5% • 2.1mm/5.5mm center-positive circular plug with 9.5-mm length USB 2.0 host interface (Type A connector) Non-Proprietary 28| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy Bluetooth 5.0 Low Energy (BLE5.0) and Zigbee (802.15.4) radio: • Bluetooth 5.0: up to 6dBm transmit power (class 1) and -101dBm receive sensitivity • Zigbee: up to 6dBm transmit power and -99dBm receive sensitivity Other Interfaces: • Visual indicators (four multi-color LEDs): for System (1) and Radio (3) status • Reset button: factory reset (during device power up) or LED Toggle On/Off (during normal operation) • Serial console interface (proprietary; optional adapter cable available; disabled in Approved mode) Figure 23 - AP-650 Series Campus Access Point – Interfaces Table 10 - AP-650 Series Status Indicator LEDs LED Type Color/State Meaning System Status (Left) Off AP powered off Green - Blinking Device booting; not ready Green - Solid Device ready Amber - Solid Device ready; power-save mode (802.3at PoE): * Single radio * USB disabled Green or Amber Flashing Device ready, restricted mode: * Uplink negotiated in sub optimal speed; or * Deep sleep mode Red System error condition Radio Status (Right) 2GHz/5GHz/6GHz Off AP powered off, or radio disabled Green - Solid Radio enabled in access mode Amber - Solid Radio enabled in monitor or spectrum analysis mode Green Flashing Radio enabled in uplink or mesh mode 2.4 Excluded Components There are no excluded components for the module. Non-Proprietary 29| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 2.5 Modes of Operation Table 11 – Modes List and Description Name Description Approved Mode Status Indicator Approved Mode When the module starts up successfully, after passing all the pre- operational and conditional self-tests, and has been provisioned as per the guidance in section 11.6.3, Set-up and Configuration to be managed by a Mobility Controller in its Approved mode, the module is operating in the Approved mode, provided that the guidelines on services, algorithms, physical security and key management found in this Security Policy are followed. Yes To verify Approved mode has been enabled, issue the command: show fips to see: FIPS Settings: Mode Enabled Non- Approved Mode A provisioned AP where FIPS Settings are not enabled. No To verify Approved mode has NOT been enabled, issue the command: show fips to see: FIPS Settings: Mode Disabled Notes: • To change from Approved Mode (FIPS Settings: Mode Enabled) to Non-approved Mode (FIPS Settings: Mode Disabled) requires the operator of the module to zeroize and reboot the module. • The module does not support a degraded mode of operation. • An un-provisioned AP, which by default does not serve any wireless clients, is out of scope of this validation. The Crypto Officer must ensure that the Wireless Access Point is kept in the Approved mode of operation. 2.6 Approved Algorithms The firmware in each module contains the following cryptographic algorithm implementations that will be used for the corresponding security services supported by the module in the Approved mode: • ArubaOS OpenSSL Module algorithm implementation • Aruba Jitterentropy algorithm implementation • ArubaOS Crypto Module algorithm implementation • ArubaOS Bootloader Module algorithm implementation Table 12 – Approved Algorithms - ArubaOS OpenSSL Module CAVP Cert. Algorithm and Standard Mode / Method Description / Key Size(s) / Key Strength(s) Use / Function A2690 AES [FIPS 197] [SP 800-38A] CBC, ECB, CTR (256, ext only, encryption only) 128, 192, 256 Data Encryption/Decryption A2690 AES [FIPS 197] [SP 800-38A] [SP 800-38D] GCM, CCM 128, 256 Data Encryption/Decryption Vendor Affirmed1 CKG [SP 800-133 Rev2] CTR_DRBG N/A Cryptographic Key Generation (using output from DRBG2 as per IG D.H) 1 Vendor Affirmed algorithms are approved by the CMVP but CAVP testing is not available. 2 Resulting symmetric keys and seeds used for asymmetric key generation are unmodified output from SP 800-90A Rev1 DRBG. Non-Proprietary 30| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy A2690 CVL IKEv13 KDF [SP 800-135 Rev1] IKEv1: DSA, PSK IKEv1: DH 2048-bit; SHA2-256, SHA2-384 Key Derivation A2690 DRBG [SP 800-90A Rev1] AES CTR 256 Deterministic Random Bit Generation N/A ESV program certificate #7 [SP 800-90B] Aruba CPU Jitter Entropy Source non-physical entropy source (min-entropy 427.696/512 bits) with SP 800-90B vetted Hash_df (SHA3-256) conditioning component, used solely for seeding min-entropy 256 bits to the SP 800-90A Rev1 approved AES-256 CTR_DRBG (A2690). Entropy Generation A2690 DSA [FIPS 186-4] keyGen, pqgGen L=2048, N=256, SHA2-256 Key Generation, Domain Parameter Generation A2690 ECDSA [FIPS 186-4] KeyGen, KeyVer, SigGen, SigVer KeyGen: P-256, P-384 KeyVer: P-256, P-384 SigGen: P-256, P-384 with SHA2-256, SHA2-384, SHA2-512 SigVer: P-256, P-384 with SHA-1, SHA2-256, SHA2-384, SHA2-512 Key Generation and Verification, Digital Signature Generation and Verification A2690 HMAC [FIPS 198-1] HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-384 (minimum 112 bits) Message Authentication A2690 KBKDF [SP 800-108 Rev1] CTR HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-384 Key-based Key Derivation A2690 KAS-SSC [SP 800-56A Rev3] FFC: dhEphem, ECC: Ephemeral Unified FFC: FC with SHA2-256, MODP-2048 with SHA2-256 ECC: P-256 with SHA2-256, P-384 with SHA2-384 KAS Roles - initiator, responder Key Agreement Scheme – Shared Secret Computation (as per IG D.F, Scenario 2 (2)) A2690 KDA [SP 800-56C Rev2] Two-step key derivation HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-384 Key Derivation Algorithm A2690 RSA [FIPS 186-2] SigVer: SHA-14 , SHA2-256, SHA2-384, SHA2-512 PKCS1 v1.5 1024 (for legacy SigVer only), 2048 Digital Signature Verification A2690 RSA [FIPS 186-4] KeyGen, SigGen: SHA2-256, SHA2-384, SHA2-512 PKCS1 v1.5 SigVer: SHA-15 , SHA2-256, SHA2-384, SHA2-512 PKCS1 v1.5 KeyGen: 2048 SigGen: 2048 SigVer: 1024 (for legacy SigVer only), 2048 Key Generation, Digital Signature Generation and Verification 3 No parts of the IKEv1 protocol, other than the approved cryptographic algorithms and KDF, have been tested by the CAVP and CMVP. 4 SHA-1 is only Approved for use with Signature Verification. 5 SHA-1 is only Approved for use with Signature Verification. Non-Proprietary 31| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy A2690 Safe Primes [SP 800-56A Rev3] KeyGen, KeyVer Safe Prime Groups: MODP-2048 Safe Primes Key Generation and Key Verification A2690 SHS [FIPS 180-4] SHA-1, SHA2-256, SHA2-384, SHA2-512 Byte Only 160, 256, 384, 512 Message Digest AES A2690 KTS [SP 800-38F] AES-GCM6 128, 256 Key Wrapping / Key Transport via IKE/IPSec AES A2690 HMAC A2690 KTS [SP 800-38F] [FIPS 198-1] AES-CBC7 HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-384 128, 192, 256 Key Wrapping / Key Transport via IKE/IPSec Table 13 - Approved Algorithms - Aruba CPU Jitter Entropy Source CAVP Cert. Algorithm and Standard Mode / Method Description / Key Size(s) / Key Strength(s) Use / Function A2738 SHA-3 [FIPS 202] SHA3-256 256 Entropy Generation and Conditioning Table 14 - Approved Algorithms - ArubaOS Crypto Module CAVP Cert. Algorithm and Standard Mode / Method Description / Key Size(s) / Key Strength(s) Use / Function A2689 AES [FIPS 197] [SP 800-38A] [SP 800-38D] CBC, GCM8 128, 192, 256 Data Encryption/Decryption A2689 CVL IKEv29 KDF [SP 800-135 Rev1] IKEv2 IKEv2: DH 2048-bit; SHA2-256, SHA2-384 Key Derivation A2689 DSA [FIPS 186-4] keyGen, pqgGen L=2048, N=256, SHA2-256 Key Generation, Domain Parameter Generation A2689 ECDSA [FIPS 186-4] KeyGen, KeyVer, SigGen, SigVer KeyGen: P-256, P-384 KeyVer: P-256, P-384 SigGen: P-256, P-384 with SHA2-256, SHA2-384, SHA2-512 SigVer: P-256, P-384 with SHA-1, SHA2-256, SHA2-384, SHA2-512 Key Generation and Verification, Digital Signature Generation and Verification 6 AES-GCM is an authenticated encryption algorithm that is approved for use in key transport per FIPS 140-3 IG D.G. This key establishment methodology provides 128 or 256 bits of encryption strength. 7 AES-CBC combined with HMAC is approved for use in key transport per FIPS 140-3 IG D.G. This key establishment methodology provides between 128 and 256 bits of encryption strength. 8 AES GCM IV generation is performed in compliance with IG C.H, Scenario 2. The IV is generated internally and randomly using the Approved DRBG that is internal to the module’s boundary and has a length of 96 bits. 9 No parts of the IKEv2 protocol, other than the approved cryptographic algorithms and KDF, have been tested by the CAVP and CMVP. Non-Proprietary 32| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy A2689 HMAC [FIPS 198-1] HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-384 (minimum 112 bits) Message Authentication A2689 KAS-SSC [SP 800-56A Rev3] FFC: dhEphem, ECC: Ephemeral Unified FFC: FC with SHA2-256, MODP- 2048 with SHA2-256 ECC: P-256 with SHA2-256, P- 384 with SHA2-384 KAS Roles - initiator, responder Key Agreement Scheme – Shared Secret Computation A2689 RSA [FIPS 186-2] SigVer: SHA-110 , SHA2-256, SHA2-384, SHA2-512 PKCS1 v1.5 1024 (for legacy SigVer only), 2048 Digital Signature Verification A2689 RSA [FIPS 186-4] KeyGen, SigGen: SHA2-256, SHA2-384, SHA2-512 PKCS1 v1.5 SigVer: SHA-111 , SHA2-256, SHA2-384, SHA2-512 PKCS1 v1.5 KeyGen: 2048 SigGen: 2048 SigVer: 1024 (for legacy SigVer only), 2048 Key Generation, Digital Signature Generation and Verification A2689 Safe Primes [SP 800-56A Rev3] KeyGen, KeyVer Safe Prime Groups: MODP-2048 Safe Primes Key Generation and Key Verification A2689 SHS [FIPS 180-4] SHA-1, SHA2-256, SHA2-384, SHA2-512 Byte Only 160, 256, 384, 512 Message Digest AES A2689 KTS [SP 800-38F] AES-GCM12 128, 256 Key Wrapping / Key Transport via IKE/IPSec AES A2689 HMAC A2689 KTS [SP 800-38F] [FIPS 198-1] AES-CBC13 HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-384 128, 192, 256 Key Wrapping / Key Transport via IKE/IPSec Table 15 - Approved Algorithms - ArubaOS Bootloader Module CAVP Cert. Algorithm and Standard Mode / Method Description / Key Size(s) / Key Strength(s) Use / Function A2688 RSA [FIPS 186-4] SigVer: SHA2-256 PKCS1 v1.5 SigVer: 2048 Digital Signature Verification (only) A2688 SHS [FIPS 180-4] SHA2-256 Byte Only 256 Message Digest 10 SHA-1 is only Approved for use with Signature Verification. 11 SHA-1 is only Approved for use with Signature Verification. 12 AES-GCM is an authenticated encryption algorithm that is approved for use in key transport per FIPS 140-3 IG D.G. This key establishment methodology provides 128 or 256 bits of encryption strength. 13 AES-CBC combined with HMAC is approved for use in key transport per FIPS 140-3 IG D.G. This key establishment methodology provides between 128 and 256 bits of encryption strength. Non-Proprietary 33| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 2.7 Non-Approved Cryptographic Algorithms Allowed in the Approved Mode of Operation The cryptographic module implements no non-Approved algorithms allowed for use in the Approved mode of operation. 2.8 Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed The cryptographic module implements the following non-Approved algorithms allowed in the Approved mode of operation with no security claimed. Table 16 – Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed Algorithm Caveat Use / Function Triple-DES-ECB [no security claimed] Used with the KEK only for internal key obfuscation as per IG 2.4.A 2.9 Non-Approved Algorithms Not Allowed in the Approved Mode of Operation The cryptographic module implements the following non-Approved algorithms that are not permitted for use in the Approved mode of operation. Table 17 – Non-Approved Algorithms Not Allowed in the Approved Mode of Operation Algorithm / Function Use / Function DES Used for older versions of WEP in non-Approved mode HMAC-MD5 Used for older versions of WEP in non-Approved mode MD5 Used for older versions of WEP in non-Approved mode RC4 Used for older versions of WEP in non-Approved mode Null Encryption Used for older versions of WEP in non-Approved mode RSA Non-compliant less than 112 bits, or when used with SHA-1 for signature generation, or when other than 2048-bit modulus sizes are used Diffie-Hellman key agreement; non-compliant less than 112 bits of encryption strength EC Diffie-Hellman key agreement; non-compliant less than 112 bits of encryption strength ECDSA Non-compliant when using 186-2 signature generation Triple-DES-CBC As used in IKE/IPSec Non-Proprietary 34| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 3 Cryptographic Module Interfaces The following table lists all the module’s port and interfaces (physical and logical), and the information passing over the five (5) logical interfaces defined by FIPS 140-3. Table 18 – Ports and Interfaces Physical Port Logical Interface Data That Passes Over Port/Interface • Ethernet Ports • SFP Ports (AP-584/585/587) • 802.11a/b/g/n/ac/ax Antenna Interfaces Data Input Interface • The packets that use the networking functionality of the module • Ethernet Ports • SFP Ports (AP-584/585/587) • 802.11a/b/g/n/ac/ax Antenna Interfaces Data Output Interface • The packets that use the networking functionality of the module • Ethernet Ports • SFP Ports (AP-584/585/587) • 802.11a/b/g/n/ac/ax Antenna Interfaces • Reset button Control Input Interface • Manual control inputs for power and reset through the power interfaces (power supply or POE) • All of the data that is entered into the access point while using the management interfaces • Ethernet Ports • SFP Ports (AP-584/585/587) • 802.11a/b/g/n/ac/ax Antenna Interfaces • LED Status Indicators Status Output Interface • The status indicators displayed through the LEDs (which indicate the physical state of the module, such as power- up (or rebooting), utilization level, and activation state) • The status data that is output from the module while using the management interfaces • The log file (which records the results of self-tests, configuration errors, and monitoring data) • Power Input • Power-Over-Ethernet (POE) Power Interface • The module may be powered by an external power supply (no data passes over the interface) • Operating power may also be provided via a Power Over Ethernet (POE) device (when connected), where the power is provided through the connected Ethernet cable (no data passes over the interface) Notes: • The module does not implement a control output interface. • The module distinguishes between different forms of data, control, and status traffic over the network ports by analyzing the packets header information and contents. • The Console port is disabled when operating in Approved mode by a Tamper-Evident Label (TEL) or seal. • The reset button resets the AP to factory default settings. Figure 24 –AP Physical and Cryptographic Boundaries with Interfaces and Components Block Diagram Non-Proprietary 35| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 4 Roles, Services, and Authentication The following section lists the roles supported by the module, authentication mechanisms used by the module, and services (both security and non-security, Approved and non-Approved) available from the module. 4.1 Roles The module supports the role-based authentication of Crypto Officer, User, and Wireless Client; no additional roles (e.g. Maintenance) are supported. Administrative operations carried out by the HPE Aruba Networking Mobility Controller or Mobility Conductor map to the Crypto Officer role. The Crypto Officer has the ability to configure, manage, and monitor the module, including the configuration, loading, and zeroization of SSPs. Configuration can be performed through a standalone Mobility Controller or by a Mobility Conductor if deployed in the environment. The Mobility Conductor also acts as a CO for the APs. The module supports multiple concurrent operators and internally maintains the separation of the roles assumed by each operator and the corresponding services. Refer to the section 4.2, Authentication below for details on the roles’ sessions authentication. Table 19 – Roles, Service Commands, Input and Output Role Service Input Output Crypto Officer, User Approved mode enable/disable from Mobility Controller14 Command Status of command Crypto Officer, User Key Management Commands and configuration data Status of commands and configuration data Crypto Officer, User Reboot module Command Progress information Crypto Officer, User Self-test triggered by CO/User reboot None Error messages logged if a failure occurs Crypto Officer, User Update module firmware Commands and configuration data Status of commands and configuration data Crypto Officer, User Configure non-security related module parameters Commands and configuration data Status of commands and configuration data Crypto Officer, User Creation/use of secure management session between module and CO IPSec inputs, commands, and data IPSec outputs, status, and data Crypto Officer, User System Status and System Status – module LEDs Commands and configuration data Status of commands and configuration data Crypto Officer, User Creation/use of secure mesh channel Commands and configuration data Status of commands and configuration data Crypto Officer, User Openflow Agent Commands and configuration data Status of commands and configuration data Crypto Officer, User Zeroization Command Progress information User, Wireless Client Generation and use of WPA2/WPA3 cryptographic keys WPA2/WPA3 inputs, commands and data WPA2/WPA3 outputs, status and data User, Wireless Client Use of WPA2/WPA3 Pre-shared secret for establishment of WPA2/WPA3 keys WPA2/WPA3 inputs, commands and data WPA2/WPA3 outputs, status and data User, Wireless Client Wireless bridging services Commands and configuration data Status of commands and configuration data 14 APs must be deployed in a controller-based network running ArubaOS. For APs to be deployed in a controllerless network, refer to the most recent Aruba Instant NIST CMVP validation for guidance on Approved modes. Non-Proprietary 36| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy The defining characteristics of the roles depend on whether the module is configured in one of the four (4) AP configurations listed in the table below. If the AP is configured via corresponding HPE Aruba Networking Mobility Controllers that are in Approved mode and have been validated against FIPS 140-3 requirements, then the module is considered to be in the Approved mode, provided that the guidelines on services, algorithms, physical security and key management found in this Security Policy are followed. The Crypto Officer must ensure that the Wireless Access Point is kept in the Approved mode of operation. Table 20 – Characteristics of Roles by AP Configuration when Module is in Approved Mode of Operation AP Configuration when the Module is in the Approved Mode of Operation Description Crypto Officer (CO) Role User Role Wireless Client Role Control Plane Security (CPSec) Protected AP configuration When the module is configured as a Control Plane Security protected AP, it is intended to be deployed in a local/private location (LAN, WAN, MPLS) relative to the Mobility Controller. The module provides cryptographic processing in the form of IPSec for all Control traffic to and from the Mobility Controller. The CO is the Mobility Controller or Mobility Conductor that has the ability to configure, manage, and monitor the module, including the configuration, loading, and zeroization of SSPs. In the configuration, the User operator shares the same services and authentication techniques as the Mobility Controller in the CO role. In the configuration, a wireless client can create a connection to the module using WPA2/WPA3 Pre- shared secret and access wireless network access services. Remote AP configuration When the module is configured as a Remote AP, it is intended to be deployed in a remote location (relative to the Mobility Controller). The module provides cryptographic processing in the form of IPSec for all traffic to and from the Mobility Controller. The CO is the Mobility Controller or Mobility Conductor that has the ability to configure, manage, and monitor the module, including the configuration, loading, and zeroization of SSPs. In the configuration, the User operator shares the same services and authentication techniques as the Mobility Controller in the CO role. In the configuration, a wireless client can create a connection to the module using WPA2/WPA3 and access wireless network access/bridging services. When the Remote AP cannot communicate with the controller, the wireless client role authenticates to the module via WPA2/WPA3 Pre- shared secret only. Mesh Portal AP configuration When the module is configured as a Mesh Portal AP, it is intended to be connected over a physical wire to the Mobility Controller. These modules serve as the connection point between the Mesh Point and the Mobility Controller. Mesh Portals communicate with the Mobility Controller through IPSec and with Mesh Points via WPA2/WPA3 session. The Crypto Officer role is the Mobility Controller that authenticates via IKEv2 pre- shared key or RSA/ECDSA certificate authentication method, and Users are the "n" Mesh Points that authenticate via WPA2/WPA3 pre-shared key. The CO is the Mobility Controller or Mobility Conductor that has the ability to configure, manage, and monitor the module, including the configuration, loading, and zeroization of SSPs. In the configuration, the Mesh Portal AP and adjacent Mesh Point APs are in a given mesh cluster. The Mesh Portal AP must be physically wired to the Mobility Controller. In the configuration, a wireless client can create a connection to the module using WPA2/WPA3 and access wireless network access services. Non-Proprietary 37| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy Mesh Point AP configuration When the module is configured as a Mesh Point AP, it is an AP that establishes an all wireless path to the Mesh portal over WPA2/WPA3 and an IPSec tunnel via the Mesh Portal to the Controller. Note: for an AP-587 in Mesh Point AP configuration, it can only connect to another AP-587 in Mesh Portal AP configuration. The CO is the Mobility Controller or Mobility Conductor that has the ability to configure, manage, and monitor the module, including the configuration, loading, and zeroization of SSPs. The first mesh AP configured is the only AP with the direct wired connection. In the configuration, the Mesh Point AP and adjacent mesh APs are in a given mesh cluster. User role can be a Mesh Point AP or a Mesh Portal AP in the given mesh network. In the configuration, a wireless client can create a connection to the module using WPA2/WPA3 and access wireless network access services. Note: • To change AP configurations requires the module to be zeroized and rebooted before the module is in the new AP configuration in Approved mode. 4.2 Authentication The CO must follow the guidance below in section 11.6, Secure Operation, and in the ArubaOS 8.10 User Guide section titled Controller-based AP with AP Console Access to ensure the configured HPE Aruba Networking Access Point (AP) is connected to and managed by the Controller in the Approved mode of operation, and is running the Approved version of ArubaOS (see the following subsections for details on the authentication for each AP role). Once the AP is provisioned to be managed by the Controller, during any subsequent reboots of the AP, the AP boot process will continue automatically to boot the Approved version of ArubaOS (with the appropriate self-tests run) and the AP will be placed in the provisioned AP configuration by the Controller. Authentication for each role depends on the module AP configuration. 4.2.1 Crypto Officer Authentication With the module in the Approved mode of operation, and configured in any of the four (4) AP configurations, the HPE Aruba Networking Mobility Controller or Mobility Conductor implements the Crypto Officer role. Connections between the module and the mobility controller are protected using IPSec. The Crypto Officer’s authentication is accomplished via either Pre-shared secret (IKEv1), RSA digital certificate (IKEv1/IKEv2) or ECDSA digital certificate (IKEv2). The Mobility Conductor interacts with the APs through the Mobility Controller through provisioning of configurations. 4.2.2 User Authentication Authentication for the User role depends on the module configuration. When the module is configured as a Mesh Portal AP or Mesh Point AP, the User role is authenticated via the WPA2/WPA3 pre-shared key. When the module is configured as a Remote AP or CPSec Protected AP, the User role is authenticated via the same IKEv1 pre-shared key or RSA/ECDSA certificate that is used by the Crypto Officer. 4.2.3 Wireless Client Authentication With the module in the Approved mode of operation, the wireless client role (defined in each of the four (4) AP configurations) authenticates to the module via WPA2/WPA3. Please note that WEP and TKIP configurations are not permitted in Approved mode. When a Remote AP cannot communicate with the controller, the wireless client role authenticates to the module via WPA2/WPA3 Pre-shared secret only. Non-Proprietary 38| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 4.2.4 Strength of Authentication Mechanisms The following table describes the relative strength of each supported authentication mechanism. Each authentication mechanism has been designed such that: • The probability of a random attempt succeeding is less than 1-in-1,000,000. • During a one-minute period, the probability of any random attempt succeeding is less than 1-in- 100,000. Table 21 – Roles and Authentication Role Authentication Method Authentication Strength Crypto Officer and User IKEv1 Pre- shared secret based authentication Passwords are required to be a minimum of eight (8)15 ASCII characters and a maximum of 64 with a minimum of one letter and one number, or the password must be exactly 64 HEX characters. Assuming the weakest option of 8 ASCII characters with the listed restrictions, the probability of randomly guessing the correct sequence is one (1) in 3,608,347,333,959,680 (this calculation is based on the assumption that the typical standard American QWERTY computer keyboard has 10 Integer digits, 52 alphabetic characters, and 32 special characters providing 94 characters to choose from in total. The calculation should be 94^8 (Total number of 8-digit passwords) – 84^8 (Total number of 8-digit passwords without numbers) – 42^8 (Total number of 8-digit passwords without letters) + 32^8 (Total number of 8-digit passwords without letters or numbers, added since it’s double-counted in the previous two subtractions) = 3,608,347,333,959,680). At optimal network conditions (assuming 1ms round-trip latency), an attacker would only get 60,000 guesses per minute. Therefore, the associated probability of a successful random attempt during a one-minute period is 60,000/3,608,347,333,959,680, which meets the authentication objective. Crypto Officer and User RSA Certificate based authentication The module supports 2048-bit RSA key authentication during IKEv1 and IKEv2. RSA 2048-bit keys correspond to 112 bits of security. Assuming the low end of that range, the associated probability of a successful random attempt is one (1) in 2^112, which meets the authentication objective. At optimal network conditions (assuming 1ms round- trip latency), an attacker would only get 60,000 guesses per minute. Therefore, the associated probability of a successful random attempt during a one-minute period is 60,000/2^112, which meets the authentication objective. Crypto Officer and User ECDSA Certificate based authentication ECDSA signing and verification is used to authenticate to the module during IKEv1/IKEv2. Both P-256 and P-384 curves are supported. ECDSA P-256 provides 128 bits of equivalent security, and P-384 provides 192 bits of equivalent security. Assuming the low end of that range, the associated probability of a successful random attempt is one (1) in 2^128, which meets the authentication objective. At optimal network conditions (assuming 1ms round-trip latency), an attacker would only get 60,000 guesses per minute. Therefore, the associated probability of a successful random attempt during a one-minute period is 60,000/2^128, which meets the authentication objective. Wireless Client and Mesh AP User WPA2/WPA3 Pre-shared secret based authentication Passwords are required to be a minimum of eight (8)18 ASCII characters and a maximum of 63 with a minimum of one letter and one number, or the password must be exactly 64 HEX characters. Assuming the weakest option of 8 ASCII characters with the listed restrictions, the probability of randomly guessing the correct sequence is one (1) in 3,608,347,333,959,680 (this calculation is based on the assumption that the typical standard American QWERTY computer keyboard has 10 Integer digits, 52 alphabetic characters, and 32 special characters providing 94 characters to choose from in total. The calculation should be 94^8 (Total number of 8-digit passwords) – 84^8 (Total number of 8-digit passwords without numbers) – 42^8 (Total number of 8-digit passwords without letters) + 32^8 (Total number of 8-digit passwords without letters or numbers, added since it is double-counted in the previous two subtractions) = 3,608,347,333,959,680). At optimal network conditions (assuming 1ms round-trip latency), an attacker would only get 60,000 guesses per minute. Therefore, the associated probability of a successful random attempt during a one-minute period is 60,000/3,608,347,333,959,680, which meets the authentication objective. 15 As per SP 800-63B, in Approved mode the module checks and enforces a minimum password length of eight (8). Non-Proprietary 39| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 4.3 Services The module provides various services depending on role. These are described in the sections below. The meaning of the letters used to describe the ‘Access Rights to Keys and/or SSPs’ are: • G – Generate The module generates or derives the SSP. • R – Read The Key/SSP is read from the module (e.g. the Key/SSP is output). • W – Write The Key/SSP is updated, imported, or written to the module. • E – Execute The module uses the Key/SSP in performing a cryptographic operation. • Z – Zeroize The module zeroizes the Key/SSP. 4.3.1 Approved Services See the tables below for descriptions of the services, Approved security functions, keys and/or SSPs available to the module’s roles. All Crypto Officer role services are the same for the module in the Approved mode of operation and the AP in any of the four (4) AP configurations - Remote AP configuration, CPSec protected AP configuration, Mesh Portal AP configuration, and Mesh Point AP configuration. The User role for Remote AP configuration and Control Plane Security (CPSec) Protected AP configuration supports the same services as the Crypto Officer role services. The User role for Mesh Portal AP configuration and Mesh Point AP configuration supports the same services as the Wireless Client role services. All Wireless Client role services are the same for the module in the Approved mode of operation and the AP in any of the four (4) AP configurations - Remote AP configuration, CPSec protected AP configuration, Mesh Portal AP configuration, and Mesh Point AP configuration. Table 22 – Approved Services Service Description Approved Security Functions (applicable CAVP Certs) Keys and/or SSPs [row # in SSPs/Keys Used table] Roles Access Rights to Keys and/or SSPs Indicator Update module firmware16 The CO can trigger a module firmware update in a controller- based network by issuing related CLI commands (e.g. update) or WebGUI (e.g. Managed NetworkMaintenanceSoftware Management). RSA SigVer SHA2-256 (A2690, A2688) [11] Factory CA Public Key Crypto Officer, User17 E Successful completion of firmware update shown via output of CLI command to show updated firmware version (e.g. show ver) or related WebGUI display updates (e.g. Managed NetworkConfig urationAccess Points).. 16 Any firmware loaded into this module that is not shown on the module certificate is out of the scope of this validation and requires a separate FIPS 140-3 validation. 17 Remote AP and Control Plane Security (CPSec) Protected AP configurations only. Non-Proprietary 40| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy Key Management The CO can cause the module to generate the SKEYSEED and can configure/modify the IKEv1 shared secret and the WPA2/WPA3 Pre- shared secret (used in advanced Remote AP configuration). The CO can add/overwrite IKEv1/IKEv2 certificates (the RSA and ECDSA private keys are protected by non- volatile memory and cannot be modified). Also, the CO implicitly uses the KEK to read/write configuration to non-volatile memory. AES-GCM AES-CBC HMAC-SHA2-256 HMAC-SHA2-384 (A2690, A2689) [12] IKE Pre-shared Key [15] SKEYSEED [18] IPSec Session Encryption Key [19] IPSec Session Authentication Key [21] IKE RSA Public Key [23] IKE ECDSA Public Key [24] WPA2/WPA3 Pre- shared Key Crypto Officer, User18 W W E E W W W Successful completion of key management configurations shown via output of related CLI commands (e.g. crypto CLI commands for configuring IPsec and IKE) or WebGUI updates (e.g. Managed NetworkConfig urationServices ). Creation/use of secure mesh channel19 The module requires secure connections between mesh points using WPA2/WPA3. KBKDF KDA AES-CCM AES-GCM (A2690) [24] WPA2/WPA3 Pre- shared Key [25] WPA2/WPA3 Pair- Wise Master Key (PMK) [26] WPA2/WPA3 Pairwise Transient Key (PTK) [27] WPA2/WPA3 Session Key [28] WPA2/WPA3 Group Master Key (GMK) [29] WPA2/WPA3 Group Transient Key (GTK) Crypto Officer, User20 E E G/E G/E G/E G/E Successful completion of mesh channel configurations shown via output of related CLI commands (e.g. ap mesh CLI commands for configuring AP mesh options) or WebGUI updates (e.g. Managed NetworkConfig urationAP Groups). Generation and use of WPA2/WPA3 cryptographic keys In all Approved modes, the links between the module and wireless client are secured with WPA2/WPA3. KBKDF KDA AES-CCM AES-GCM (A2690) [24] WPA2/WPA3 Pre- shared Key [25] WPA2/WPA3 Pair- Wise Master Key (PMK) [26] WPA2/WPA3 Pairwise Transient Key (PTK) [27] WPA2/WPA3 Session Key [28] WPA2/WPA3 Group Master Key (GMK) [29] WPA2/WPA3 Group Transient Key (GTK) User20 , Wireless Client E E G/E G/E G/E G/E Successful completion of wireless client configurations shown via output of related CLI commands (e.g. ap mesh CLI commands for configuring AP mesh options) or WebGUI updates (e.g. Managed NetworkConfig urationAP Groups). 18 Remote AP and Control Plane Security (CPSec) Protected AP configurations only. 19 This service is only applicable in the Mesh Portal AP and Mesh Point AP configurations. It is not applicable in Remote AP and Control Plane Security (CPSec) Protected AP configurations. 20 Mesh Portal AP configuration and Mesh Point AP configuration only. Non-Proprietary 41| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy Creation/use of secure management session between module and CO21 The module supports use of IPSec for securing the management channel. CTR_DRBG KAS-FFC-SSC SafePrimes KeyGen/KeyVer KAS-ECC-SSC ECDSA KeyGen/KeyVer/ SigGen/SigVer IKEv1 KDF HMAC-SHA2-256 HMAC-SHA2-384 IKEv2 KDF AES-CBC AES-GCM RSA SigGen/SigVer (A2690, A2689) [1] DRBG Entropy Input [2] DRBG Seed [3] DRBG Key [4] DRBG V [5] DH Private Key [6] DH Public Key [7] DH Shared Secret [8] ECDH Private Key [9] ECDH Public Key [10] ECDH Shared Secret [12] IKE Pre-shared Key [13] skeyid [14] skeyid_d [15] SKEYSEED [16] IKE Session Authentication Key [17] IKE Session Encryption Key [18] IPSec Session Encryption Key [19] IPSec Session Authentication Key [20] IKE RSA Private Key [21] IKE RSA Public Key [22] IKE ECDSA Private Key [23] IKE ECDSA Public Key Crypto Officer, User22 E G/E G/E G/E G/E G/R/W/E G/E G/E G/R/W/E G/E W/E G/E G/E G/E G/E G/E G/E G/E E R/W/E E R/W/E Successful completion of management channel configurations shown via output of CLI command to show management session tunnel status (e.g. show ap database- summary) or related WebGUI display updates (e.g. Managed NetworkConfig urationServices VPNCertifica tes for VPN Clients). Use of WPA2/WPA3 Pre-shared secret for establishment of WPA2/WPA3 keys When the module is in advanced Remote AP configuration, the links between the module and the Wireless Client are secured with WPA2/WPA3. This is authenticated with a shared secret only. AES-CCM AES-GCM (A2690) [24] WPA2/WPA3 Pre- shared Key User23 , Wireless Client E Successful completion of wireless client configurations shown via output of related CLI commands (e.g. show ap mesh) or WebGUI updates (e.g. Managed NetworkConfig urationAP Groups). Table 23 – Approved Services Not Using Any Approved Security Functions Service Description Approved Security Functions Keys and/or SSPs [row # in SSPs/Keys Used table] Roles Access Rights to Keys and/or SSPs Indicator Approved mode enable/disable The CO enables Approved mode by following the procedures under the Secure Operation section to ensure the AP is configured for Secure Operations. The CO can disable Approved mode by reverting these changes. None None Crypto Officer, User22 None Successful completion of Approved mode configurations shown via output of related CLI commands (e.g. show fips). 21 This service is not available in Mesh Point AP configuration. In Mesh Point AP configuration, the IPSec tunnel will be between the Mesh Portal and the controller, not the Mesh Point and the controller. 22 Remote AP and Control Plane Security (CPSec) Protected AP configurations only. 23 Mesh Portal AP configuration and Mesh Point AP configuration only. Non-Proprietary 42| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy Reboot module The CO can remotely trigger a reboot of the AP from the Mobility Controller or Mobility Conductor. The module can also reboot by removing/replacing power. None None Crypto Officer, User24 None Successful completion of module reboot shown via output of related CLI commands (e.g. reboot) or WebGUI updates (e.g. Managed Network Maintenance Software Management Reboot), and module reboots. Self-test triggered by CO/User reboot The CO can trigger a programmatic reset leading to self-test and initialization. None None Crypto Officer, User24 None Status of self- tests in log after reboot shows successful completion of self-tests. System Status CO may view system status information through the secured management channel. None [See Creation/use of secure management session above] Crypto Officer, User24 [See Creation/use of secure managemen t session above] Successful completion shown via output of CLI command to show AP status (e.g. show ap database) or related WebGUI status displays (e.g. Managed NetworkConfig urationAccess Points). System Status – module LEDs The CO may view system status by viewing the module’s LEDs. None None Crypto Officer, User None Successful completion shown via module LEDs (refer to Status Indicator LEDs tables for each AP Series in section 2.3 above). Configure non- security related module parameters CO can configure various operational parameters that do not relate to security. None None Crypto Officer, User24 None Status of command to show operational parameter settings shows successful completion of configurations. Openflow Agent Agent run on device for use with Mobility Conductor SDN. Leveraged by the SDN for discovering of hosts and networks, configuration of networks, and collection of statistics. None None Crypto Officer, User24 None Successful completion shown via output of related CLI commands (e.g. show openflow). 24 Remote AP and Control Plane Security (CPSec) Protected AP configurations only. Non-Proprietary 43| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy Wireless bridging services The module bridges traffic between the wireless client and the wired network. None None User25 , Wireless Client None Successful completion shown via output of related CLI commands (e.g. ap wired-ap- profile). Zeroization The cryptographic keys stored in SDRAM memory can be zeroized by rebooting the module. The cryptographic keys (IKEv1 Pre-shared key and WPA2/WPA3 Pre-shared Key) stored in the flash can be zeroized by using command ‘ap wipe out flash’. The ‘no’ command in the CLI can be used to zeroize IKE, IPSec SSPs. Please see CLI guide for details. The other keys/SSPs (RSA/ECDSA public key/private key and certificate) stored in Flash memory can be zeroized by using command ‘ap wipe out flash’. None All SSPs (not including the Factory CA Public Key) will be destroyed. Crypto Officer, User26 Z Successful completion of module reboot shown via output of related CLI commands (e.g. reboot or ap wipe out flash) or WebGUI updates (e.g. Managed Network Maintenance Software Management Reboot), and module reboots. 4.3.2 Non-Approved Services The following table lists non-Approved services available in non-Approved mode (FIPS Settings: Mode Disabled). To indicate if the module is in Approved mode or non-Approved mode, issue the CLI command show fips (see Modes of Operation section above). To change from Approved mode (FIPS Settings: Mode Enabled) to non-Approved mode (FIPS Settings: Mode Disabled) requires the operator of the module to zeroize and reboot the module. The module does not support a degraded mode of operation. An un-provisioned AP, which by default does not serve any wireless clients, is out of scope of this validation. The Crypto Officer must ensure that the Wireless Access Point is kept in the Approved mode of operation. All of the Approved services (see Table 22 and Table 23 above) that are available in Approved mode are also available in non-Approved mode. 25 Mesh Portal AP configuration and Mesh Point AP configuration only. 26 Remote AP and Control Plane Security (CPSec) Protected AP configurations only. Non-Proprietary 44| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy Table 24 – Non-Approved Services Service Description Algorithms Accessed Role(s) Indicator IPSec/IKE using Triple-DES IPSec/IKE key management using Triple-DES. This is a non-Approved service available in Approved mode but that is non-Approved for use. Triple-DES Crypto Officer, User Implicit indication via successful completion of the service. Suite-B (bSec) protocol The Suite-B (bSec) protocol is a pre-standard protocol that has been proposed to the IEEE 802.11 committee as an alternative to 802.11i. This is a non-Approved service available in Approved mode but that is non- Approved for use. Suite-B (bSec) protocol Crypto Officer, User Implicit indication via successful completion of the service. Upgrade module firmware via the console port The CO can update the module firmware using the console port if the FIPS TEL or seal is not blocking the console port and the console port has been enabled. This is a non-Approved service that is non-Approved for use in the Approved mode. Triple-DES RSA SigVer SHA2-256 Crypto Officer, User27 Status of command to enable console and to show firmware version. Debugging via the console port The CO can issue commands for debugging using the console port if the FIPS TEL or seal is not blocking the console port and the console port has been enabled. This is a non-Approved service that is non-Approved for use. None Crypto Officer, User27 Status of command to enable console and to debug. Use of non- Approved algorithms and/or sizes. If the module has not been provisioned to operate in one of the Approved modes, then non-Approved algorithms and/or sizes are available for use. This is a non-Approved service that is non-Approved for use. Non-Approved algorithms and/or sizes Crypto Officer, User Implicit indication via successful completion of the service. Note: • For additional information on services offered by the module, please refer to the ArubaOS 8.10 User Guide. 27 Remote AP and Control Plane Security (CPSec) Protected AP configurations only. Non-Proprietary 45| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 5 Software / Firmware Security The module only allows the loading of trusted and verified firmware that is signed by HPE Aruba Networking within the module’s defined cryptographic boundary. Any firmware loaded into this module that is not shown on the module certificate is out of the scope of this validation and requires a separate FIPS 140-3 validation. HPE Aruba Networking firmware in electronic form is installed by HPE Aruba Networking technical support personnel or downloaded from the HPE Networking Support Portal (NSP) by authenticated licensed customer personnel. ArubaOS (in executable binary format) is the operating system for the HPE Aruba Networking hardware-based HPE Aruba Networking Mobility Conductors, Mobility Controllers, Gateways, and controller-managed Access Points (APs). ArubaOS (in OVA File format) is also the operating system for the HPE Aruba Networking virtual-based HPE Aruba Networking Mobility Controller Virtual Appliances and Mobility Conductor Virtual Appliances. Within the same version of ArubaOS (e.g. ArubaOS version 8.10), all features are the same, but there are components of ArubaOS that are appropriate for different hardware-based or virtual-based HPE Aruba Networking devices, which is why there are different ArubaOS executable binary formats for the same ArubaOS version available. The HPE Aruba Networking ArubaOS Bootloader Module is preloaded and shipped with each HPE Aruba Networking AP device and is executed to boot the ArubaOS operating system from the image partition after performing the firmware integrity test. Rebooting also zeroizes all SSPs prior to execution of the newly loaded firmware. The operator can initiate the firmware integrity test on demand by rebooting the module. The module performs a firmware integrity test when powered on and conditionally whenever a firmware load request is received (refer below to section 10, Self-Tests for details). Both the Firmware Integrity Test and Firmware Load Test use RSA PKCS#1 v1.5 (2048 bits) signature verification with SHA2-256. All data output via the data output interface is inhibited until the software/firmware loading and load test has completed successfully. If the firmware integrity test fails, the module enters the error state (while in this state, the module provides no functionality). The temporary values generated during the firmware integrity test are zeroized upon completion of the integrity test. The operator can determine the version of the loaded firmware through reviewing the log after the firmware upgrade and by using the show status CLI command (use the link in section 1.8, Full Documentation to refer to ArubaOS 8.10 Command-Line Interface Reference Guide and ArubaOS 8.10 User Guide). 6 Operational Environment The module operates in a non-modifiable operational environment. The control plane Operating System (OS) is Linux, a real-time, multi-threaded operating system that supports memory protection between processes. Access to the underlying Linux implementation is not provided directly. Only HPE Aruba Networking provided interfaces are used, and the Command Line Interface (CLI) is a restricted command set. These operating control mechanisms protect against unauthorized execution, unauthorized modification, and unauthorized reading of SSPs, control and status data. The module only allows the loading of trusted and verified firmware that is signed by HPE Aruba Networking. Any firmware loaded into this module that is not shown on the module certificate is out of the scope of this validation and requires a separate FIPS 140-3 validation. The module was tested on the platforms listed above in section 2.3, Table 5, Cryptographic Module Tested Configurations. Non-Proprietary 46| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 7 Physical Security The HPE Aruba Networking Wireless Access Point is a scalable, multiple-chip standalone network device and is enclosed in a hard, opaque plastic case. The AP enclosure is resistant to probing (please note that this feature has not been validated as part of the FIPS 140-3 validation) and is opaque within the visible spectrum. The enclosure of the AP has been designed to satisfy FIPS 140-3 Level 2 physical security requirements. The HPE Aruba Networking AP-514, AP-515, AP-534, AP-535, AP-584, AP-585, AP-587, AP-635 and AP-655 Access Points require Tamper-Evident Labels (TELs) (also known as seals) to allow the detection of the opening of the device and to block the Serial console port. To protect the Access Points (APs) from any tampering with the product, TELs should be applied by the Crypto Officer as covered in the sections below. When applied properly, the TELs allow the Crypto Officer to detect the opening of the device, or physical access to restricted ports like the serial console port (on the bottom of the device). HPE Aruba Networking provides FIPS 140-3 designated TELs which have met the physical security testing requirements for tamper evident labels under the FIPS 140-3 Standard. TELs are not endorsed by the Cryptographic Module Validation Program (CMVP). The tamper-evident labels shall be installed for the module to operate in the Approved mode of operation. HPE Aruba Networking provides double the required amount of TELs. If a customer requires replacement TELs, please call customer support and HPE Aruba Networking will provide the TELs. The Crypto officer shall be responsible for securing the extra TELs at a safe location and managing the use of the TELs. 7.1 Reading TELs Once applied, the TELs included with the Wireless Access Point cannot be surreptitiously broken, removed, or reapplied without an obvious change in appearance: Figure 25 - Tamper-Evident Labels If evidence of tampering is found with the TELs, the module must immediately be powered down and the Crypto Officer must be made aware of a physical security breach. Each TEL also has a unique serial number to prevent replacement with similar labels. To protect the device from tampering, TELs should be applied by the Crypto Officer as pictured below. Non-Proprietary 47| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 7.2 Applying TELs The Crypto Officer should employ Tamper-Evident Labels (TELs) (also known as seals) by referencing the following general application guidance and the device specific guidance in section 7.3, Required TEL Locations: • Before applying a TEL, make sure the target surfaces are clean and dry. Clean with alcohol and let dry before TEL application. • Do not cut, trim, punch, or otherwise alter the TEL. • Apply the wholly intact TEL firmly and completely to the target surfaces. • Press down firmly across the entire label surface, making several back-and-forth passes to ensure that the label securely adheres to the device. • Record the position and serial number of each applied TEL in a security log immediately after application. • Allow 24 hours for the TEL adhesive seal to completely cure. • To obtain additional or replacement TELS, please call HPE Aruba Networking customer support and request a FIPS Kit. The Crypto Officer (CO) should perform initial setup and configuration of the device(s) as described in section 11, Life-Cycle Assurance before the TELs are applied. 7.3 Required TEL Locations This section displays the locations of all TELs on each module (AP-514, AP-515, AP-534, AP-535, AP-584, AP-585, AP-587, AP-635 and AP-655 Access Points). Non-Proprietary 48| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 7.3.1 TELs Placement on the AP-514 and AP-515 The AP-514 and AP-515 are the same device in all areas except that the AP-514 uses external antennas and the AP-515 uses internal antennas (see above section 2.3.1, AP-510 Series). The AP-514 and AP-515 each require 3 TELs placed in the same locations on each: one on each side edge (labels 1 and 2) to detect opening the device and one covering the console port (label 3) to detect access to a restricted port. See figures 26 and 27 for placement (only AP-514 is shown). TELs 1 and 2 shall be placed on opposite sides of the enclosure along a segment that manifests the least curvature (as shown below). These TELs shall be applied such that between one-quarter and one-third of the TEL is adhered to the white cover of the AP enclosure. The remaining portion shall be wrapped around the side of the cover and the chassis. TELs must be firmly pressed down, removing any air bubbles or creases, to ensure proper adhesion. Figure 26 – Top View of AP-514 with TELs Figure 27 – Bottom View of Aruba AP-514 with TELs Non-Proprietary 49| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 7.3.2 TELs Placement on the AP-534 and AP-535 The AP-534 and AP-535 are the same device in all areas except that the AP-534 uses external antennas and the AP-535 uses internal antennas (see above section 2.3.2, AP-530 Series). The AP-534 and AP-535 each require 3 TELs placed in the same locations on each: one on each side edge (labels 1 and 2) to detect opening the device and one covering the console port (label 3) to detect access to a restricted port. See figures 28 and 29 for placement (only AP-535 is shown). TELs 1 and 2 shall be placed on opposite sides of the enclosure along a segment that manifests the least curvature (as shown below). These TELs shall be applied such that between one-quarter and one-third of the TEL is adhered to the white cover of the AP enclosure. The remaining portion shall be wrapped around the side of the cover and the chassis. TELs must be firmly pressed down, removing any air bubbles or creases, to ensure proper adhesion. Figure 28 – Top View of AP-535 with TELs Figure 29 – Bottom View of Aruba AP-535 with TELs Non-Proprietary 50| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 7.3.3 TELs Placement on the AP-584, AP-585, and AP-587 The AP-584, AP-585, and AP-587 are all outdoor APs of different sizes (see above section 2.3.3, AP-580 Series). Each of the AP-580 Series APs (AP-584, AP-585 and AP-587) requires 3 TELs, one on each side to detect opening the device (label 1 and 2) and one covering the console port to detect access to a restricted port (label 3). The subsequent three sections illustrate the placement of each TEL by device. For all three models, TELs must be applied as described below, with the aesthetic cover removed. Once the TELs have been applied and their serial numbers recorded, the aesthetic cover should be reinstalled. Figure 30 – Placement of TELs 1 and 2 on AP-580 Series APs TELs 1 and 2 shall be applied such that approximately two-thirds of the TEL is adhered to the white chassis casting as shown above. Each TEL shall be located such that it contacts two adjacent ribs. (Wrapping the TEL around a single rib is non-compliant). Wrap the remaining length of TEL around the lip of the enclosure and affix to the plastic antenna cover. Firmly press the TEL against the chassis casing to ensure proper adhesion. Figure 31 – Placement of TEL 3 on AP-580 Series APs TEL 3 shall be placed vertically such that it completely covers the console port plug and additional length shall extends downwards. Wrap the remaining length of TEL around the lip of the enclosure and affix to the plastic antenna cover. Firmly press the TEL against the chassis casing and the console port plug to ensure proper adhesion. Non-Proprietary 51| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 7.3.4 TELs Placement on the AP-584 The AP-584 requires 3 TELs: one on each side edge (labels 1 and 2) to detect opening the device and one covering the console port (label 3) to detect access to a restricted port. See figures 32, 33, and 34 for placement. Figure 32 – Right Side View of AP-584 with TEL Figure 33 – Front View of AP-584 with TEL Figure 34 – Left Side View of AP-584 with TELs Non-Proprietary 52| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 7.3.5 TELs Placement on the AP-585 The AP-585 requires 3 TELs: one on each side edge (labels 1 and 2) to detect opening the device and one covering the console port (label 3) to detect access to a restricted port. See figures 35, 36, and 37 for placement. Figure 35 – Right Side View of AP-585 with TEL Figure 36 – Front View of AP-585 with TEL Figure 37 – Left Side View of AP-585 with TELs Non-Proprietary 53| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 7.3.6 TELs Placement on the AP-587 The AP-587 requires 3 TELs: one on each side edge (labels 1 and 2) to detect opening the device and one covering the console port (label 3) to detect access to a restricted port. See figures 38, 39, and 40 for placement. Figure 38 – Right Side View of AP-587 with TEL Figure 39 – Front View of AP-587 with TEL Figure 40 – Left Side View of AP-587 with TELs Non-Proprietary 54| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 7.3.7 TELs Placement on the AP-635 The AP-635 is a campus AP (see above section 2.3.4, AP-630 Series). The AP-635 requires 3 TELs: one on each side edge (labels 1 and 2) to detect opening the device and one covering the console port (label 3) to detect access to a restricted port. See figures 41 and 42 for placement. TELs 1 and 2 shall be placed on opposite sides of the enclosure (as shown below). These TELs shall be applied such that between one-quarter and one-third of the TEL is adhered to the white cover of the enclosure. The remaining portion shall be wrapped around the side of the cover and the chassis. TEL 1 shall be located such that it lands on the flat surface of the chassis. TEL 2 shall be placed approximately opposite TEL 1. TELs must be firmly pressed down, removing any air bubbles or creases, to ensure proper adhesion. It is especially important that TELs 2 and 3 be firmly adhered to the chassis. Figure 41 – Top View of AP-635 with TELs Figure 42 – Bottom View of Aruba AP-635 with TELs Non-Proprietary 55| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 7.3.8 TELs Placement on the AP-655 The AP-655 is a campus AP (see above section 2.3.5, AP-650 Series). The AP-655 requires 3 TELs: one on each side edge (labels 1 and 2) to detect opening the device and one covering the console port (label 3) to detect access to a restricted port. See figures 43 and 44 for placement. TELs 1 and 2 shall be placed on opposite sides of the enclosure (as shown below). These TELs shall be applied such that between one-quarter and one-third of the TEL is adhered to the white cover of the enclosure. The remaining portion shall be wrapped around the side of the cover and the chassis. TEL 2 shall be located such that it lands on the flat surface of the chassis. TEL 1 shall be placed approximately opposite TEL 2. TELs must be firmly pressed down, removing any air bubbles or creases, to ensure proper adhesion. It is especially important that TEL 1 be firmly adhered to the chassis. Figure 43 – Top View of AP-655 with TELs Figure 44 – Bottom View of Aruba AP-655 with TELs Non-Proprietary 56| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 7.4 Inspection/Testing of Physical Security Mechanisms The Crypto Officer should inspect/test the physical security mechanisms according to the recommended test frequency. Table 25 - Physical Security Inspection Guidelines Physical Security Mechanism Recommended Frequency of Inspection/Test Inspection/Test Guidance Details Tamper-evident labels (TELs) Once per month Examine for any sign of removal or tampering. See images above for locations of TELs. If any TELS are found to be missing or damaged, contact a system administrator immediately. Opaque module enclosure Once per month Examine module enclosure for any evidence of new openings or other access to the module internals. If any indication is found that indicates tampering, contact a system administrator immediately. 8 Non-Invasive Security Since the module has not been purposely designed, built and publicly documented to include non- invasive mitigation techniques, the Non-Invasive Security requirements are not applicable. Non-Proprietary 57| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 9 Sensitive Security Parameters (SSP) Management The following are the Sensitive Security Parameters (SSPs) and Keys used in the module. The operator is responsible for zeroizing all SSPs when switching modes. As specified in the Zeroization column of the following table, the majority of SSPs/Keys used in the module are zeroized implicitly by rebooting the module, indicated via the successful completion of the module reboot service. Also as specified in the Zeroization column of the following table, there are a minority of SSPs/Keys used in the module that are zeroized by using the command ‘ap wipe out flash’, indicated via the status of the ‘ap wipe out flash’ command. Table 26 – SSPs and Keys # Key / SSP Name / Type Security Strength Security Function and Cert. Number Generation Import / Export Establishment Storage Zeroization Use and Related Keys General Keys/SSPs 1 DRBG Entropy Input – CSP 512 bits SP 800-90A Rev1 CTR_DRBG AES-256 Cert. #A2690 64 bytes are retrieved from the entropy source read from entropy source on each call by any service that requires a random number. Import: N/A Export: N/A N/A Stored in SDRAM memory (plaintext). Zeroized by rebooting the module. Entropy inputs to the DRBG function, used to construct the DRBG Seed. 2 DRBG Seed – CSP 384 bits SP 800-90A Rev1 CTR_DRBG AES-256 Cert. #A2690 Generated using DRBG derivation function that includes the entropy input from the entropy source read from entropy source. Import: N/A Export: N/A N/A Stored in SDRAM memory (plaintext). Zeroized by rebooting the module. Input to the DRBG that determines the internal state of the DRBG (DRBG Key and V). 3 DRBG Key – CSP 256 bits SP 800-90A Rev1 CTR_DRBG AES-256 Cert. #A2690 Derived from the DRBG Seed. Import: N/A Export: N/A N/A Stored in SDRAM memory (plaintext). Zeroized by rebooting the module. This is the internal DRBG key used for SP 800-90A Rev1 CTR_DRBG during generation of random numbers. Non-Proprietary 58| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy # Key / SSP Name / Type Security Strength Security Function and Cert. Number Generation Import / Export Establishment Storage Zeroization Use and Related Keys 4 DRBG V – CSP 128 bits SP 800-90A Rev1 CTR_DRBG AES-256 Cert. #A2690 Derived from the DRBG Seed. Import: N/A Export: N/A N/A Stored in SDRAM memory (plaintext). Zeroized by rebooting the module. Internal V value used as part of SP 800-90A Rev1 CTR_DRBG during generation of random numbers. 5 Diffie-Hellman Private Key – CSP 224 bits Diffie- Hellman Group 14 Cert. #A2690 Cert. #A2689 Generated internally in compliance with Diffie-Hellman key agreement scheme by calling Approved DRBG (Cert. #A2690) Import: N/A Export: N/A N/A Stored in SDRAM memory (plaintext). Zeroized by rebooting the module. Used during the IPSec handshake to establish the Diffie-Hellman Shared Secret. 6 Diffie-Hellman Public Key – PSP 2048 bits Diffie- Hellman Group 14 Cert. #A2690 Cert. #A2689 Generated internally in compliance with Diffie-Hellman key agreement scheme by calling Approved DRBG (Cert. #A2690) Import: N/A Export: in plaintext N/A Stored in SDRAM memory (plaintext). Zeroized by rebooting the module. Used during the IPSec handshake to establish the Diffie-Hellman Shared Secret. 7 Diffie-Hellman Shared Secret – CSP 2048 bits Diffie- Hellman Group 14 Cert. #A2690 Cert. #A2689 N/A Import: N/A Export: N/A Established during Diffie- Hellman Exchange. Stored in SDRAM memory (plaintext). Zeroized by rebooting the module. Used for deriving IPSec/IKE cryptographic keys. 8 EC Diffie- Hellman Private Key – CSP Curves: P-256 or P-384 EC Diffie- Hellman Cert. #A2690 Cert. #A2689 Generated internally by calling Approved DRBG (Cert. #A2690) during EC Diffie-Hellman Exchange. Import: N/A Export: N/A N/A Stored in SDRAM memory (plaintext). Zeroized by rebooting the module. Used for establishing EC Diffie- Hellman Shared Secret. Non-Proprietary 59| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy # Key / SSP Name / Type Security Strength Security Function and Cert. Number Generation Import / Export Establishment Storage Zeroization Use and Related Keys 9 EC Diffie- Hellman Public Key – PSP Curves: P-256 or P-384 EC Diffie- Hellman Cert. #A2690 Cert. #A2689 Generated internally by calling Approved DRBG (Cert. #A2690) during EC Diffie-Hellman Exchange. Import: N/A Export: in plaintext N/A Stored in SDRAM memory (plaintext). Zeroized by rebooting the module. Used for establishing EC Diffie- Hellman Shared Secret. 10 EC Diffie- Hellman Shared Secret – CSP Curves: P-256 or P-384 EC Diffie- Hellman Cert. #A2690 Cert. #A2689 N/A Import: N/A Export: N/A Established during EC Diffie- Hellman Exchange. Stored in SDRAM memory (plaintext). Zeroized by rebooting the module. Used for deriving IPSec/IKE cryptographic keys. 11 Factory CA Public Key –PSP 2048 bits RSA N/A Loaded into the module during manufacturing (i.e. out of scope of module). Import: N/A Export: N/A N/A Stored in TPM Since this is a public key and protected in TPM, the zeroization requirements do not apply. This is a RSA public key. Used for Firmware verification. IPSec/IKE28 12 IKE Pre- shared Key29 – CSP 8 - 64 ASCII or 64 HEX characters Shared Secret Cert. #A2690 Entered by CO role. Import: in plaintext Export: N/A N/A Stored in Flash memory obfuscated with KEK Zeroized by using command ‘ap wipe out flash’. Used for IKEv1 peers authentication. 28 Not used in Mesh Point AP configuration. 29 Applicable only to Remote AP and Mesh Portal modes Non-Proprietary 60| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy # Key / SSP Name / Type Security Strength Security Function and Cert. Number Generation Import / Export Establishment Storage Zeroization Use and Related Keys 13 Skeyid – CSP 160 / 256 / 384 bits Shared Secret Cert. #A2690 N/A Import: N/A Export: N/A Derived via key derivation function defined in SP 800-135 Rev1 KDF (IKEv1). Stored in SDRAM memory (plaintext) Zeroized by rebooting the module. A shared secret known only to IKEv1 peers. Used for deriving other keys in IKEv1 protocol implementation. 14 skeyid_d – CSP 160 / 256 / 384 bits Shared Secret Cert. #A2690 N/A Import: N/A Export: N/A Derived via key derivation function defined in SP 800-135 Rev1 KDF (IKEv1). Stored in SDRAM memory (plaintext) Zeroized by rebooting the module. A shared secret known only to IKEv1 peers. Used for deriving IKEv1 Session Authentication Key. 15 SKEYSEED – CSP 160 / 256 / 384 bits Shared Secret Cert. #A2689 N/A Import: N/A Export: N/A Derived via key derivation function defined in SP 800-135 Rev1 KDF (IKEv2). Stored in SDRAM memory (plaintext). Zeroized by rebooting the module. A shared secret known only to IKEv2 peers. Used for deriving other keys in IKEv2 protocol. 16 IKE Session Authentication Key – CSP 160 / 256 / 384 bits HMAC-SHA- 1/256/384 Cert. #A2690 Cert. #A2689 N/A Import: N/A Export: N/A Derived via key derivation function defined in SP 800-135 Rev1 KDF (IKEv1/IKEv2). Stored in SDRAM memory (plaintext). Zeroized by rebooting the module. The IKE session (IKE Phase I) authentication key. Used for IKEv1/IKEv2 payload integrity verification. 17 IKE Session Encryption Key – CSP 128 / 192 / 256 bits AES (CBC) Cert. #A2690 Cert. #A2689 N/A Import: N/A Export: N/A Derived via key derivation function defined in SP 800-135 Rev1 KDF (IKEv1/IKEv2). Stored in SDRAM memory (plaintext). Zeroized by rebooting the module. The IKE session (IKE Phase I) encrypt key. Used for IKE payload protection. Non-Proprietary 61| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy # Key / SSP Name / Type Security Strength Security Function and Cert. Number Generation Import / Export Establishment Storage Zeroization Use and Related Keys 18 IPSec Session Encryption Key – CSP 128 / 192 / 256 bits 128 / 256 bits AES (CBC) and AES (GCM) Cert. #A2690 Cert. #A2689 N/A Import: N/A Export: N/A Derived via key derivation function defined in SP 800-135 Rev1 KDF (IKEv1/IKEv2). Stored in SDRAM memory (plaintext). Zeroized by rebooting the module. The IPSec (IKE phase II) encryption key. Used for IPSec traffics protection. IPSec session encryption keys can also be used for the Double Encrypt feature. 19 IPSec Session Authentication Key – CSP 160 bits HMAC-SHA- 1 Cert. #A2690 Cert. #A2689 N/A Import: N/A Export: N/A Derived via key derivation function defined in SP 800-135 Rev1 KDF (IKEv1/IKEv2). Stored in SDRAM memory (plaintext). Zeroized by rebooting the module. The IPSec (IKE Phase II) authentication key. Used for IPSec traffics integrity verification. 20 IKE RSA Private Key – CSP 2048 bits RSA Private Key Cert. #A2690 Cert. #A2689 Generated by the module in compliance with FIPS 186-4 RSA key pair generation method. In both IKEv1 and IKEv2, DRBG (Cert. #A2690) is called for key generation. This key can also be entered by the CO. Import: N/A Export: N/A N/A Stored in Flash memory obfuscated with KEK Zeroized by using command ‘ap wipe out flash’. This is the RSA private key. Used for RSA signature signing in either IKEv1 or IKEv2. Non-Proprietary 62| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy # Key / SSP Name / Type Security Strength Security Function and Cert. Number Generation Import / Export Establishment Storage Zeroization Use and Related Keys 21 IKE RSA Public Key – PSP 2048 bits RSA Public Key Cert. #A2690 Cert. #A2689 Generated by the module in compliance with FIPS 186-4 RSA key pair generation method. In both IKEv1 and IKEv2, DRBG (Cert. #A2690) is called for key generation. This key can also be entered by the CO. Import: N/A Export: N/A N/A Stored in Flash memory obfuscated with KEK Zeroized by using command ‘ap wipe out flash’. This is the RSA public key. Used for RSA signature verification in either IKEv1 or IKEv2. 22 IKE ECDSA Private Key – CSP Curves: P-256 or P-384 ECDSA suite B Cert. #A2689 Generated by the module in compliance with FIPS 186-4 ECDSA key pair generation method. In IKEv2, DRBG (Cert. #A2690) is called for key generation. This key can also be entered by the CO. Import: N/A Export: N/A N/A Stored in Flash memory obfuscated with KEK Zeroized by using command ‘ap wipe out flash’. This is the ECDSA private key. Used for ECDSA signature signing in IKEv2. Non-Proprietary 63| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy # Key / SSP Name / Type Security Strength Security Function and Cert. Number Generation Import / Export Establishment Storage Zeroization Use and Related Keys 23 IKE ECDSA Public Key – PSP Curves: P-256 or P-384 ECDSA suite B Cert. #A2689 Generated by the module in compliance with FIPS 186-4 ECDSA key pair generation method. In IKEv2, DRBG (Cert. #A2690) is called for key generation. This key can also be entered by the CO. Import: N/A Export: N/A N/A Stored in Flash memory obfuscated with KEK Zeroized by using command ‘ap wipe out flash’. This is the ECDSA public key. Used for ECDSA signature verification in IKEv2. WPA2/WPA330 24 WPA2/WPA3 Pre-shared Key – CSP 8-63 ASCII or 64 HEX characters Shared Secret Cert. #A2690 Entered by CO role. Import: in plaintext Export: N/A N/A Stored in Flash memory (obfuscated with KEK). Zeroized by using command ‘ap wipe out flash’. Used for WPA2/WPA3 client/server authentication. 25 WPA2/WPA3 Pair-Wise Master Key (PMK) – CSP 256 bits Shared Secret Cert. #A2690 The PMK is transferred to the module, protected by IPSec secure tunnel. Import: in plaintext Export: N/A N/A Stored in SDRAM (plaintext). Zeroized by rebooting the module. Used to derive the Pairwise Transient Key (PTK) for WPA2/WPA3 communications. 26 WPA2/WPA3 Pairwise Transient Key (PTK) – CSP 384 bits HMAC Cert. #A2690 N/A Import: N/A Export: N/A Derived via key derivation function defined in SP 800-108 Rev1 and SP 800-56C Rev2. Stored in SDRAM memory (plaintext). Zeroized by rebooting the module. Used to derive the WPA2/WPA3 Session Key. 30 While operating in Mesh Point AP configuration or Mesh Portal AP configuration, the AP will only use PSK for WPA2/WPA3. Remote AP configuration and CPSec Protected AP configuration use both Certificate-based and PSK-based WPA2/WPA3. Non-Proprietary 64| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy # Key / SSP Name / Type Security Strength Security Function and Cert. Number Generation Import / Export Establishment Storage Zeroization Use and Related Keys 27 WPA2/WPA3 Session Key – CSP 128 bits, 128 / 256 bits AES (CCM) and AES (GCM) (WPA3 only) Cert. #A2690 N/A Import: N/A Export: N/A Derived during WPA2/WPA3 4- way handshake by using the KDF defined in SP 800-108 Rev1 and SP 800-56C Rev2. Stored in SDRAM memory (plaintext). Zeroized by rebooting the module. Used as the WPA2/WPA3 Session Key. 28 WPA2/WPA3 Group Master Key (GMK) – CSP 256 bits Shared Secret Cert. #A2690 Generated internally by calling Approved DRBG (Cert. #A2690). Import: N/A Export: N/A N/A Stored in SDRAM memory (plaintext) Zeroized by rebooting the module Used to derive WPA2/WPA3 Group Transient Key GTK. 29 WPA2/WPA3 Group Transient Key (GTK) – CSP 256 bits AES (CCM) and AES (GCM) Cert. #A2690 N/A Import: N/A Export: N/A Derived from WPA2/WPA3 GMK by using the KDF defined in SP 800-108 Rev1 and SP 800-56C Rev2. Stored in SDRAM memory (plaintext) Zeroized by rebooting the module The GTK is the WPA2/WPA3 session key used for broadcast communications protection. Non-Proprietary 65| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy Notes: • AES GCM IV generation is performed in compliance with the Implementation Guidance C.H scenario 1 for IKEv2. The module is compliant with RFC 4106 and 7296. Specifically, the module uses RFC 7296 compliant IKEv2 to establish the shared secret SKEYSEED from which the AES GCM encryption keys are derived. When the “nonce” (the IV in RFC 5282) for IKEv2 exhausts the maximum number of possible values for a given security association for IKEv2, either party to the security association for IKEv2 that encounters this condition triggers a rekeying with IKEv2 to establish a new encryption key. • AES GCM IV generation is performed in compliance with the Implementation Guidance C.H scenario 4 for WPA3. The session is reauthenticated by the module after 24 hours which resets the AES GCM IV counter. The 24 hour (86400 seconds) interval is the default setting and shall not be changed while in Approved mode. • In case the module’s power is lost and then restored, a new key for use with the AES-GCM encryption/decryption shall be established. • For keys identified as being “Generated internally", the module implements cryptographic key generation (CKG) compliant to SP 800-133rev2 section 4: The module generates symmetric keys and seeds for asymmetric keys using an unmodified output from the Approved DRBG (Cert. #A2690). • The Approved DRBG (Cert. #A2690) generates a minimum of 256 bits of entropy for use in key generation. • In Remote AP configuration, all SSPs are applicable. • In CPSec Protected AP configuration, the IKEv1 PSK SSPs are not applicable. • In Mesh Point AP configuration, all IPSec/IKE SSPs are not applicable. • SSPs labeled as “Entered by CO” (as well as the RSA public and private keys) are transferred into the module from the Mobility Controller via IPSec. • SSPs labelled as “obfuscated” are obfuscated in accordance to FIPS IG 2.4.A. • Sensitive Security Parameters (SSPs) can be Critical Security Parameters (CSPs) or Public Security Parameters (PSPs). • Keys established while operating in the non-Approved mode cannot be used in Approved mode, and vice versa. 9.1 Non-Deterministic Random Number Generation Specification Table 27 – Non-Deterministic Random Number Generation Specification Entropy Sources Minimum Number of Bits of Entropy Details Aruba CPU Jitter Entropy Source (see NIST Entropy Source Validation (ESV) program certificate #7) Oversampling of 512 bits is performed to ensure that 256 bits of entropy is available to the DRBG. The module employs a SP 800-90A Rev1-compliant Deterministic Random Bit Generator (DRBG) using an AES-256 CTR_DRBG mechanism with DF for random number generation (Cert. #A2690). The module performs the DRBG health tests as defined in section 11.3 of SP 800-90A Rev1. The module uses a SP 800-90B-compliant non-physical entropy source that uses CPU jitter provided by the operational environment as a noise source (Jitterentropy (JENT) with SHA-3 as the vetted conditioning component). Non-Proprietary 66| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 10 Self-Tests The module performs Cryptographic Algorithm Self-Tests (CASTs) when powered on, regardless of which of the four (4) AP configurations is selected. The module also performs Pre-Operational Self-Tests (POSTs) automatically when the module is powered on. In addition, the module performs Conditional tests in the Approved mode of operation (refer to the Modes of Operation section). When a cryptographic algorithm self-test or pre-operational self-test fails, or when a conditional self-test fails, the module enters the Critical Error state (while in this state, the module provides no functionality including inhibition of data output), logs the error, and reboots automatically. During the process when the HPE Aruba Networking Access Point (AP) is powered on and booted, RSA and SHS Conditional Cryptographic Algorithm Self-Test KATs are executed before the RSA Firmware Integrity Test Pre-Operational Self-Test signature verification KAT, then Conditional Cryptographic Algorithm Tests are executed after ArubaOS is booted. The module transitions to the operational state only after the cryptographic algorithm and pre-operational self-tests are passed successfully. All cryptographic algorithm self-tests are run when the module is powered on, prior to the first operational use of the cryptographic algorithm. The module performs the following Pre-Operational Self-Tests (POSTs): Table 28 – Pre-Operational Self-Tests Algorithm HPE Aruba Networking Cryptographic Module Component Test Properties Type Details RSA Firmware Integrity Test ArubaOS Bootloader Module 2048-bit public key, PKCS#1-v1.5, signature verification with SHA2-256 message digest SigVer The ArubaOS Bootloader Module performs the firmware integrity test when module powered on, before booting the ArubaOS operating system. The module performs the following Conditional Self-Tests: Table 29 – Conditional Cryptographic Algorithm Tests Algorithm HPE Aruba Networking Cryptographic Module Component Test Properties Type Details Condition RSA ArubaOS Bootloader Module 2048, PKCS#1-v1.5 KAT Verify Each run when module powered on, which is prior to the first operational use of the cryptographic algorithms SHS ArubaOS Bootloader Module SHA2-256 KAT Non-Proprietary 67| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy Algorithm HPE Aruba Networking Cryptographic Module Component Test Properties Type Details Condition AES ECB ArubaOS OpenSSL Module AES-ECB-128 KAT Encrypt, Decrypt Each run when module powered on, which is prior to the first operational use of the cryptographic algorithms AES CCM ArubaOS OpenSSL Module AES-CCM-192 KAT Encrypt, Decrypt AES GCM ArubaOS OpenSSL Module AES-GCM-256 KAT Encrypt, Decrypt DRBG ArubaOS OpenSSL Module AES-CTR-256, CTR_DRBG with DF, with and without PR KAT SP 800-90A Rev1 Section 11.3 Health Tests for CTR_DRBG (Instantiate, Generate and Reseed) ArubaOS CPU Jitter Entropy Source RCT SP800-90B Section 4.4 Approved Continuous Health Tests (RCT and APT) Tests are applied continuously to digitized samples of the output of the non-physical noise source APT ECDSA ArubaOS OpenSSL Module P-256, P-384 KAT Sign, Verify Each run when module powered on, which is prior to the first operational use of the cryptographic algorithms HMAC ArubaOS OpenSSL Module HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-384, HMAC-SHA2-512 KAT KAS-SSC-ECC ArubaOS OpenSSL Module Primitive ‘Z’ computation with P-256 curve KAT Ephemeral Unified SP 800- 56A Rev3 based KAS-SSC-FFC ArubaOS OpenSSL Module Shared secret computation, p=2048, q=256 KAT dhEphem SP 800-56A Rev3 based KDA ArubaOS OpenSSL Module Two-step KDF: HMAC-SHA-1, L=2048 KAT SP 800-56C Rev2 based KBKDF ArubaOS OpenSSL Module HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-384 KAT SP 800-108 Rev1 based KDF135 ArubaOS OpenSSL Module Key derivation KAT SP 800-135 Rev1 based: IKEv1 RSA ArubaOS OpenSSL Module 2048, PKCS#1-v1.5 KAT Sign, Verify Non-Proprietary 68| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy Algorithm HPE Aruba Networking Cryptographic Module Component Test Properties Type Details Condition SHS ArubaOS OpenSSL Module SHA-1, SHA2-256, SHA2-384, SHA2-512 KAT Each run when module powered on, which is prior to the first operational use of the cryptographic algorithms Triple-DES ArubaOS OpenSSL Module TDES-ECB-192 KAT Encrypt, Decrypt, Triple-DES used with KEK only to obfuscate internal keys. No security claimed. SHA-3 ArubaOS CPU Jitter Entropy Source SHA3-256 KAT FIPS 202 based Run when module powered on, which is prior to the first operational use of the cryptographic algorithm AES CBC ArubaOS Crypto Module AES-CBC-256 KAT Encrypt, Decrypt Each run when module powered on, which is prior to the first operational use of the cryptographic algorithms AES GCM ArubaOS Crypto Module AES-GCM-256 KAT Encrypt, Decrypt ECDSA ArubaOS Crypto Module P-256 KAT Sign, Verify HMAC ArubaOS Crypto Module HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-384, HMAC-SHA2-512 KAT KAS-SSC-ECC ArubaOS Crypto Module Primitive ‘Z’ computation with P-256 curve KAT Ephemeral Unified SP 800- 56A Rev3 based KAS-SSC-FFC ArubaOS Crypto Module Shared secret computation, p=2048, q=256 KAT dhEphem SP 800-56A Rev3 based KDF135 ArubaOS Crypto Module Key derivation KAT SP 800-135 Rev1 based: IKEv2 RSA ArubaOS Crypto Module 2048, PKCS#1-v1.5 KAT Sign, Verify SHS ArubaOS Crypto Module SHA-1, SHA2-256, SHA2-384, SHA2-512 KAT Non-Proprietary 69| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy Algorithm HPE Aruba Networking Cryptographic Module Component Test Properties Type Details Condition Triple-DES ArubaOS Crypto Module TDES-CBC-192 KAT Encrypt, Decrypt, Triple-DES used with KEK only to obfuscate internal keys. No security claimed. Run when module powered on, which is prior to the first operational use of the cryptographic algorithm Table 30 – Conditional Pairwise Consistency Tests Algorithm HPE Aruba Networking Cryptographic Module Component Test Properties Type Details Condition ECC key pairs ArubaOS OpenSSL Module P-256, P-384 PCT Sign, Verify Each run on key pair generation FFC key pairs ArubaOS OpenSSL Module DH key pair generation PCT SP800-56A Rev3 assurances as per SP 800-56A Rev3 Section 5.6.2.1.4 for PCT RSA key pairs ArubaOS OpenSSL Module 2048, PKCS#1-v1.5 PCT Sign, Verify ECC key pairs ArubaOS Crypto Module P-256, P-384 PCT Sign, Verify FFC key pairs ArubaOS Crypto Module DH key pair generation PCT SP800-56A Rev3 assurances as per SP 800-56A Rev3 Section 5.6.2.1.4 for PCT RSA key pairs ArubaOS Crypto Module 2048, PKCS#1-v1.5 PCT Sign, Verify Non-Proprietary 70| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy Table 31 – Conditional Software/Firmware Load Tests Algorithm HPE Aruba Networking Cryptographic Module Component Test Properties Type Details Condition RSA Firmware Load Test ArubaOS OpenSSL Module 2048, PKCS#1-v1.5, signature verification with SHA2-256 SigVer Test is applied by the main ArubaOS code for firmware load during operation RSA Firmware Load Test ArubaOS Bootloader Module 2048, PKCS#1-v1.5, signature verification with SHA2-256 SigVer Test is applied by the ArubaOS Bootloader Module on request to load firmware Notes: • KAT = Known Answer Test, RCT = Repetition Count Test for Entropy Source, APT = Adaptive Proportion Test for Entropy Source, PCT = Pairwise Consistency Test These self-tests are run for the hardware cryptographic implementation as well as for the ArubaOS OpenSSL Module and ArubaOS Crypto Module implementations. Self-test results are written to the serial console. The status can be viewed by using the CLI command: show log crypto all When all Cryptographic Algorithm Self-Tests (CASTs) run when the module is powered on pass, the module will enter the Normal state and the module logs the following message into a log file: KATS: passed In the event any self-test fails, the module will enter a Critical Error state (while in this state, the module provides no functionality and inhibits data output), logs the error, and reboots automatically. If the software/firmware load test fails when module powered on, the module enters the Critical Error state, where the invalid software/firmware file is deleted to clear the error. During the reboot sequence, all LEDs light up (reboot), then all LEDs turn off (power off/cycled), then all LEDs light up (power on), then the LEDs light indicating level of activity (refer to the Status Indicator LED tables for each hardware device listed above in Section 2.3, Table 5). In the event of a KATs failure, the AP logs error messages: • For an AP hardware ArubaOS OpenSSL Module and/or ArubaOS Crypto Module KAT failure: AP rebooted [DATE][TIME] : Restarting System, SW FIPS KAT failed Non-Proprietary 71| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 11 Life-Cycle Assurance This section specifies the procedures for secure installation, initialization, provisioning, start-up, configuration, and operation of the module. Guidance is provided, including references to where to find more guidance documentation. 11.1 Product Examination The units are shipped to the Crypto Officer in factory-sealed boxes using trusted commercial carrier shipping companies. The Crypto Officer should examine the carton for evidence of tampering. Tamper-evidence includes tears, scratches, and other irregularities in the packaging. 11.2 Package Contents The product carton should include the following: • HPE Aruba Networking AP-5XX or AP-6XX Wireless Access Point. • Mounting kit (sold separately). • Tamper-Evident Labels. Inform your supplier if there are any incorrect, missing, or damaged parts. If possible, retain the carton, including the original packing materials. Use these materials to repack and return the unit to the supplier if needed. 11.3 Pre-Installation Checklist You will need the following during installation: • HPE Aruba Networking AP-5XX and AP-6XX Access Point components. • A mount kit compatible with the AP and mount surface (sold separately). • A compatible Category 5 UTP Ethernet cable. • External antennas (when using the AP-514, AP-534, or AP-584). • Phillips or cross-head screwdriver. • (Optional) a compatible 12V DC (AP-514, AP-515, AP-635, or AP-655) or 48V DC (AP-534 or AP-535) or 100-240V AC (AP-584, AP-585, or AP-587) AC-to-DC power adapter with power cord. • (Optional) a compatible PoE midspan injector with power cord. • One USB 2.0 host interface Type A connector (AP-514, AP-515, AP-534, AP-535, AP-635, or AP-655) or USB Type C connector (AP-584, AP-585, or AP-587) console cable • Adequate power supplies and electrical power. • Management Station (PC) with 10/100 Mbps Ethernet port and SSHv2 client software. Also make sure that (at least) one of the following network services is supported: • Aruba Discovery Protocol (ADP) - see the Aruba AP Software Quick Start Guide. • DNS server with an “A” record. • DHCP Server with vendor-specific options. 11.4 Identifying Specific Installation Locations For detailed instructions on identifying AP installation locations, refer to the specific HPE Aruba Networking 5XX or 6XX Series Wireless Access Points Installation Guide, and the section, Identifying Specific Installation Locations. Non-Proprietary 72| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 11.5 Precautions • All HPE Aruba Networking access points should be professionally installed by an HPE Aruba Networking-Certified Mobility Professional (ACMP). • Electrical power is always present while the device is plugged into an electrical outlet. Remove all rings, jewellery, and other potentially conductive material before working with this product. • Never insert foreign objects into the device, or any other component, even when the power cords have been unplugged or removed. • Main power is fully disconnected from the Wireless Access Point only by unplugging all power cords from their power outlets. For safety reasons, make sure the power outlets and plugs are within easy reach of the operator. • Do not handle electrical cables that are not insulated. This includes any network cables. • Keep water and other fluids away from the inside of the product. • Comply with electrical grounding standards during all phases of installation and operation of the product. Do not allow the Wireless Access Point chassis, network ports, power cables, or mounting brackets to contact any device, cable, object, or person attached to a different electrical ground. Also, never connect the device to external storm grounding sources. • Installation or removal of the device or any module must be performed in a static-free environment. The proper use of anti-static body straps and mats is strongly recommended. • Keep modules in anti-static packaging when not installed in the chassis. • Do not ship or store this product near strong electromagnetic, electrostatic, magnetic or radioactive fields. • Do not disassemble chassis or modules. They have no internal user-serviceable parts. When service or repair is needed, contact HPE Aruba Networking. 11.6 Secure Operation The HPE Aruba Networking AP-514, AP-515, AP-534, AP-535, AP-584, AP-585, AP-587, AP-635 and AP-655 Access Points meet FIPS 140-3 Level 2 requirements. The information below describes how to keep the Wireless Access Point in the Approved mode of operation. The module can be configured to be in one of four (4) AP configurations and in the Approved mode of operation (see section 2.5, Modes of Operation) via corresponding HPE Aruba Networking Mobility Controllers that are in Approved mode and that have been validated against FIPS 140-3 requirements, provided that the guidelines on services, algorithms, physical security and key management found in this Security Policy are followed. 11.6.1 Crypto Officer Management The Crypto Officer must ensure that the Wireless Access Point is always operating in the Approved mode of operation. This can be achieved by ensuring the following: • The Crypto Officer must first enable and then provision the AP into the Approved mode of operation before Users are permitted to use the Wireless Access Point (see the sub-section below named, Enabling Approved Mode on the Staging Controller). • Only HPE Aruba Networking firmware updates signed with SHA2-256/RSA 2048 are permitted. • Passwords must be at least eight (8) characters long. • The Wireless Access Point logs must be monitored. If a strange activity is found, the Crypto Officer should take the Wireless Access Point offline and investigate. Non-Proprietary 73| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy • The Tamper-Evident Labels (TELs) must be regularly examined for signs of tampering. Refer to the table in the above Physical Security section named, Inspection/Testing of Physical Security Mechanisms, for the recommended frequency. • When installing expansion or replacement modules for the HPE Aruba Networking AP-514, AP- 515, AP-534, AP-535, AP-584, AP-585, AP-587, AP-635 and AP-655 Access Points, use only Approved modules, replace TELs affected by the change, and record the reason for the change, along with the new TEL locations and serial numbers, in the security log. • All configuration performed through the HPE Aruba Networking Mobility Conductor when configured as a managed device must ensure that only the Approved algorithms and services are enabled on the Wireless Access Point in Approved mode. • Refer to the sub-section below named, Non-Approved Approved Mode Configurations, for non- Approved configurations that shall not to be used in the Approved mode. • The operator is responsible for zeroizing all SSPs when switching modes. Keys established while operating in the non-Approved mode cannot be used in the Approved mode, and vice versa. • The guidelines in the above sub-section 2.9 table named, Non-Approved Algorithms Not Allowed in the Approved Mode of Operation, and this sub-section 11.6 named, Secure Operation, must be adhered to. 11.6.2 User Guidance Although outside the boundary of the Wireless Access Point, the operator should be directed to be careful not to provide authentication information and session keys to other parties. Note that the module does not possess persistent storage of SSPs. Any SSP value only exists in volatile memory and that value vanishes when the module is powered off. In the case when the module’s power is lost and then restored, a new key for use with the AES-GCM encryption/decryption shall be established. HPE Aruba Networking generally recommends that the communication between the Controller/Gateways and Access Points be restricted either by having a dedicated layer 2 segment/VLAN or, if Controller/Gateways and Access Points cross layer 3 boundaries, to have firewall policies restricting the communication of these authorized devices. 11.6.3 Set-up and Configuration The HPE Aruba Networking AP-514, AP-515, AP-534, AP-535, AP-584, AP-585, AP-587, AP-635 and AP- 655 Access Points meet FIPS 140-3 Security Level 2 requirements. The sections below describe how to place and keep the Wireless Access Point in the Approved mode of operation. The Crypto Officer (CO) must ensure that the Wireless Access Point is kept in the Approved mode of operation. The Wireless Access Point can be configured to be in one of four (4) AP configurations: Control Plane Security (CPSec) Protected AP, Remote AP and the two (2) Mesh AP configurations, Mesh Portal AP and Mesh Point AP. The module must operate in Approved mode (see Modes of Operation section above). By default, the Wireless Access Point operates in the standard non-Approved mode. The Access Point is managed by an HPE Aruba Networking Mobility Controller in Approved mode, and access to the Mobility Controller’s administrative interface via a non-networked general purpose computer is required to assist in placing the module in Approved mode. The Controller used to provision the AP is referred to as the “staging controller”. The staging controller must be provisioned with the appropriate HPE Aruba Networking firmware image for the module, which has been validated to FIPS 140-3, prior to initiating AP provisioning. Additionally, if a Mobility Conductor appliance is deployed in the environment, provisioning of the APs can be performed by passing policies down from the Mobility Conductor to the Mobility Controller which then provisions the AP. 11.6.3.1 Setting Up Your Wireless Access Point The Crypto Officer shall perform the following steps to ensure the APs are placed in the secure operational state: 1. Review the Aruba AP Software Quick Start Guide. Select the deployment scenario that best fits your installation and follow the scenario’s deployment procedures. 2. Apply TELs according to the directions in the above Physical Security section 7.2, Applying TELs. Non-Proprietary 74| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 3. Enable Approved mode on the staging controller: Log into the staging controller via an SSH client and enter the commands shown in the sub-section below named, Enabling Approved Mode on the Staging Controller. 4. Connect the module via an Ethernet cable to the staging controller - note that this should be a direct connection, with no intervening network or devices. If PoE is being supplied by an injector, this represents the only exception; that is, nothing other than a PoE injector should be present between the module and the staging controller. 5. Provision the AP into one of four (4) AP configurations following the guidance in the ArubaOS 8.10 User Guide: Remote AP configuration, CPSec protected AP configuration, Mesh Portal AP configuration, or Mesh Point AP configuration. 6. Via the logging facility of the staging controller, ensure that the module (the AP) is successfully provisioned with firmware and configuration and in Approved mode. To verify that the image is being run, the CO can enter ‘show ap image’ on the controller to verify the correct image is present on the device. To verify that Approved mode is enabled, enter ‘show fips’. 7. Terminate the administrative session. 8. Disconnect the module from the staging controller and install it on the deployment network. When power is applied, the module (the AP) will attempt to discover and connect to an HPE Aruba Networking Mobility Controller on the network. Once the AP has been provisioned, it is considered to be in Approved mode, provided that the guidelines on services, algorithms, physical security and key management found in this Security Policy are followed. 11.6.3.2 Enabling Approved Mode on the Staging Controller For FIPS 140-3 compliance, users cannot be allowed to access the Wireless Access Point until the CO changes the mode of operation on the staging controller to the Approved mode. There is only one way to enable Approved mode on the staging controller: o Use the CLI via an SSHv2 client to enter the commands in the following sub-section. o For more information on using the CLI, refer to the ArubaOS 8.10 Command-Line Interface Reference Guide. 11.6.3.2.1 Enabling Approved Mode on the Staging Controller with the CLI Login to the staging controller using an SSHv2 client. Enable Approved mode using the following commands: #configure terminal Enter Configuration commands, one per line. End with CNTL/Z (config) #fips enable (config) #exit #write memory Saving Configuration... Configuration Saved. To verify that Approved mode has been enabled, issue the command: show fips to see: FIPS Settings: Mode Enabled If logging in to the staging controller via the Mobility Conductor, please reference the ArubaOS 8.10 User Guide on how to access a managed device. Once connected to the staging controller, the above commands will successfully execute. Non-Proprietary 75| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy Please abide by the sub-section above in this section named, Crypto Officer Management, and sub- section below named, Non-Approved Approved Mode Configurations. 11.7 Non-Approved Approved Mode Configurations When operating in the Approved mode, the following configuration options are non-Approved: • The following configurations are forcibly disabled by the module: o All WEP features. o WPA. o TKIP mixed mode. o Any combination of DES, MD5, and PPTP. o Firmware images signed with SHA- 1. o Enhanced PAPI Security. o Null Encryption. o USB CSR-Key Storage. o Certificates with less than 112 bits security strength as used with IKEv2, IPSec, and/or user authentication. o Telnet. o Extensible Authentication Protocol (EAP)-TLS Termination. o bSec. o IPSec/IKE using Triple-DES. 11.8 Full Documentation Documentation for any HPE Aruba Networking product can be found on the HPE Networking Support Portal (NSP). Filters can be used to limit the displayed results by Product(s), Product Series, Version(s), and File Category. For example, • Full ArubaOS version 8.10 documentation for HPE Aruba Networking Mobility Controllers, Virtual Mobility Controllers, Gateways, Mobility Conductors, and Access Points can be found at the link provided below after authentication. https://networkingsupport.hpe.com/downloads;pageSize=100;fileTypes=DOCUMENT;products=Aruba%20A ccess%20Points,Aruba%20Mobility%20Gateways;softwareGroups=ArubaOS;softwareMajorVersions=8.10 11.8.1 Related HPE Aruba Networking Documents The following HPE Aruba Networking documents can be referenced to ensure that ArubaOS and the HPE Aruba Networking hardware-based equipment or HPE Aruba Networking virtual appliances that run ArubaOS are installed and operated correctly in Approved mode: • Aruba Access Points Installation Guides • ArubaOS 8.10.0.x AP Software Quick Start Guide • ArubaOS 8.10.0.0 Virtual Appliance Installation Guide • ArubaOS 8.10.0.0 User Guide • ArubaOS 8.10.0.x CLI Reference Guide • ArubaOS 8.10.0.0 API Guide • ArubaOS 8.10.0.0 Getting Started Guide • ArubaOS 8.10.0.0 Syslog Reference Guide Non-Proprietary 76| HPE Aruba Networking AP-5XX and AP-6XX Access Points with ArubaOS FIPS Firmware FIPS 140-3 Level 2 Security Policy 11.9 End of Life To determine if an HPE Aruba Networking product is considered end of life, refer to the HPE Aruba Networking end-of life information at https://networkingsupport.hpe.com/end-of-life. If an HPE Aruba Networking product is deemed end-of-life, the CO should work with their HPE Aruba Networking representative to determine the appropriate HPE Aruba Networking product upgrade path to use a newer Approved version. Note that any firmware loaded into this module that is not shown on the module certificate is out of the scope of this validation and requires a separate FIPS 140-3 validation. The module does not possess persistent storage of SSPs. Any SSP value only exists in volatile memory and that value vanishes when the module is powered off. For secure sanitization, firstly the module shall be powered off. Then, if the module is deprecated, the module will be replaced with a newer Approved version with the help of an HPE Aruba Networking-Certified Mobility Professional (ACMP). 12 Mitigation of Other Attacks As per IG 12.A, since the module has not been purposely designed, built and publicly documented to mitigate one or more specific attacks, the Mitigation of Other Attacks requirements are not applicable.