Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware Non-Proprietary Security Policy FIPS 140-2 Level 2 Version 1.9 October 2023 2 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy Copyright © 2023 Hewlett Packard Enterprise Company. Hewlett Packard Enterprise Company trademarks include , Aruba Networks® , Aruba Wireless Networks® , the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System® , Mobile Edge Architecture® , People Move. Networks Must Follow® , RFProtect® , Green Island® . All rights reserved. All other trademarks are the property of their respective owners. Open Source Code Certain Hewlett Packard Enterprise Company products include Open Source software code developed by third parties, including software code subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses. The Open Source code used can be found at this site: http://www.arubanetworks.com/open_source Legal Notice The use of Aruba switching platforms and software, by all individuals or corporations, to terminate other vendors’ VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Aruba. from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of those vendors. Warranty This hardware product is protected by the standard Aruba warranty of one year parts/labor. For more information, refer to the ARUBACARE SERVICE AND SUPPORT TERMS AND CONDITIONS. Altering this device (such as painting it) voids the warranty. www.arubanetworks.com 6280 America Center Dr San Jose, CA, USA 95002 Phone: 408.227.4500 Fax 408.227.4550 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |3 Contents Contents ................................................................................................................................................................................................3 1. Purpose of this Document.................................................................................................................................................................7 1.1. Related Documents ..................................................................................................................................................................7 1.1.1. Additional Product Information.......................................................................................................................................7 2. Overview ...........................................................................................................................................................................................8 2.1. Physical Description..................................................................................................................................................................9 2.1.1. Cryptographic Module Boundaries..................................................................................................................................9 2.1.2. Aruba 7005 Controller .....................................................................................................................................................9 2.1.3. Aruba 7008 Controller ...................................................................................................................................................10 2.1.4. Aruba 7010 Controller ...................................................................................................................................................12 2.1.5. Aruba 7024 Controller ...................................................................................................................................................13 2.1.6. Aruba 7030 Controller ...................................................................................................................................................15 2.1.7. Aruba 7205 Controller ...................................................................................................................................................16 2.1.8. Aruba 7200 Series Controllers .......................................................................................................................................18 2.2. Intended Level of Security......................................................................................................................................................21 3. Physical Security..............................................................................................................................................................................21 4. Operational Environment................................................................................................................................................................21 5. Logical Interfaces.............................................................................................................................................................................22 6. Roles and Services...........................................................................................................................................................................23 6.1. Crypto Officer Role.................................................................................................................................................................23 6.2. User Role ................................................................................................................................................................................27 6.3. Authentication Mechanisms ..................................................................................................................................................28 6.4. Unauthenticated Services ......................................................................................................................................................30 6.5. Services Available in Non-FIPS Mode .....................................................................................................................................30 6.6. Non-Approved Services Non-Approved in FIPS Mode ...........................................................................................................30 7. Cryptographic Key Management ....................................................................................................................................................31 7.1. FIPS Approved Algorithms......................................................................................................................................................31 7.2. Non-FIPS Approved but Allowed Cryptographic Algorithms..................................................................................................36 7.3. Non-FIPS Approved Cryptographic Algorithms ......................................................................................................................36 8. Critical Security Parameters............................................................................................................................................................37 9. Self-Tests.........................................................................................................................................................................................44 9.1. Alternating Bypass State ........................................................................................................................................................46 10. Installing the Controller...................................................................................................................................................................47 10.1. Pre-Installation Checklist........................................................................................................................................................47 10.2. Precautions.............................................................................................................................................................................47 10.3. Product Examination ..............................................................................................................................................................47 10.4. Package Contents ...................................................................................................................................................................48 4 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy 11. Tamper-Evident Labels....................................................................................................................................................................49 11.1. Reading TELs...........................................................................................................................................................................49 11.2. Required TEL Locations ..........................................................................................................................................................50 11.3. Applying TELs..........................................................................................................................................................................61 11.4. Inspection/Testing of Physical Security Mechanisms.............................................................................................................61 12. Ongoing Management ....................................................................................................................................................................62 12.1. Crypto Officer Management ..................................................................................................................................................62 13. User Guidance.................................................................................................................................................................................63 13.1. Setup and Configuration.........................................................................................................................................................63 13.2. Setting Up Your Controller .....................................................................................................................................................63 13.3. Enabling FIPS Mode................................................................................................................................................................63 13.3.1. Enabling FIPS Mode with the CLI...............................................................................................................................63 13.3.2. Disabling the LCD.......................................................................................................................................................64 13.4. Disallowed FIPS Mode Configurations....................................................................................................................................64 13.5. Full Documentation................................................................................................................................................................64 Figures Figure 1 - Aruba 7005 Controller ...............................................................................................................................................................9 Figure 2 - Aruba 7008 Controller .............................................................................................................................................................10 Figure 3 - Aruba 7010 Controller .............................................................................................................................................................12 Figure 4 - Aruba 7024 Controller .............................................................................................................................................................13 Figure 5 - Aruba 7030 Controller .............................................................................................................................................................15 Figure 6 - Aruba 7205 Controller .............................................................................................................................................................16 Figure 7 - Aruba 7200 Series Controller (Front).......................................................................................................................................18 Figure 8 - Aruba 7200 Series Controller (Rear) ........................................................................................................................................18 Figure 9 – Tamper Evident Labels ............................................................................................................................................................49 Figure 10 - Required TELs for the Aruba 7005 Mobility Controller – Bottom..........................................................................................50 Figure 11 - Required TELs for the Aruba 7005 Mobility Controller – Front .............................................................................................50 Figure 12 - Required TELs for the Aruba 7008 Mobility Controller – Bottom..........................................................................................51 Figure 13 - Required TELs for the Aruba 7008 Mobility Controller – Front .............................................................................................51 Figure 14 - Required TELs for the Aruba 7010 Mobility Controller – Top................................................................................................52 Figure 15 - Required TELs for the Aruba 7010 Mobility Controller – Front .............................................................................................53 Figure 16 - Required TELs for the Aruba 7010 Mobility Controller – Bottom..........................................................................................53 Figure 17 - Required TELs for the Aruba 7024 Mobility Controller – Front .............................................................................................54 Figure 18 - Required TELs for the Aruba 7024 Mobility Controller – Top................................................................................................54 Figure 19 - Required TELs for the Aruba 7024 Mobility Controller – Rear ..............................................................................................55 Figure 20 - Required TELs for the Aruba 7024 Mobility Controller – Bottom..........................................................................................55 Figure 21 - Required TELs for the Aruba 7030 Mobility Controller – Top................................................................................................56 Figure 22 - Required TELs for the Aruba 7030 Mobility Controller – Front .............................................................................................56 Figure 23 - Required TELs for the Aruba 7030 Mobility Controller – Bottom..........................................................................................57 Figure 24 - Required TELs for the Aruba 7205 Mobility Controller – Top................................................................................................58 Figure 25 - Required TELs for the Aruba 7205 Mobility Controller – Front .............................................................................................58 Figure 26 - Required TELs for the Aruba 7205 Mobility Controller – Bottom..........................................................................................58 Figure 27 - Required TELs for the Aruba 7200 Mobility Controller – Top................................................................................................59 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |5 Figure 28 - Required TELs for the Aruba 7200 Mobility Controller – Front .............................................................................................60 Figure 29 - Required TELs for the Aruba 7200 Mobility Controller – Rear ..............................................................................................60 Figure 30 - Required TELs for the Aruba 7200 Mobility Controller – Right Side......................................................................................60 Figure 31 - Required TELs for the Aruba 7200 Mobility Controller – Left Side........................................................................................60 Figure 32 - Required TELs for the Aruba 7200 Mobility Controller – Bottom..........................................................................................60 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy Tables Table 1 – 7005 Controller System Status and Power Indicator LEDs (Front) ...........................................................................................10 Table 2 – 7005 Controller Status Indicator LEDs for Each Ethernet Port (Front).....................................................................................10 Table 3 – 7008 Controller System Status and Power Indicator LEDs (Front) ...........................................................................................11 Table 4 – 7008 Controller Status Indicator LEDs for Each Ethernet Port (Rear) ......................................................................................11 Table 5 – 7010 Controller System Status and Power Indicator LEDs (Front) ...........................................................................................13 Table 6 – 7010 Controller Status Indicator LEDs for Each Ethernet Port (Front).....................................................................................13 Table 7 – 7010 Controller Status Indicator LEDs for Each Uplink (SFP) Port (Front)................................................................................13 Table 8 – 7024 Controller System Status and Power Indicator LEDs (Front)...........................................................................................14 Table 9 – 7024 Controller Status Indicator LEDs for Each Ethernet Port (Front).....................................................................................14 Table 10 – 7024 Controller Status Indicator LEDs for Each Uplink (SFP/SFP+) Port (Front) ....................................................................14 Table 11 – 7030 Controller System Status and Power Indicator LEDs (Front).........................................................................................16 Table 12 – 7030 Controller Status Indicator LEDs for Each Ethernet Port (Front)...................................................................................16 Table 13 – 7030 Controller Status Indicator LEDs for Each Uplink (SFP) Port (Front)..............................................................................16 Table 14 – 7205 Controller System Status and Power Indicator LEDs (Front).........................................................................................17 Table 15 – 7205 Controller Status Indicator LEDs for Each Ethernet Port (Front)...................................................................................17 Table 16 – 7205 Controller Status Indicator LEDs for Each SFP/SFP+ Port (Front) ..................................................................................17 Table 17 – 7205 Controller CPU Module Status and Power Indicator LEDs (Rear)..................................................................................18 Table 18 – 7200 Series Controller System Status and Power Indicator LEDs (Front) ..............................................................................19 Table 19 – 7200 Series Controller Status Indicator LEDs for Each Ethernet Port (Front) ........................................................................19 Table 20 – 7200 Series Controller Status Indicator LEDs for Each Uplink (SFP/SFP+) Port (Front)..........................................................20 Table 21 – 7200 Series Controller AC Power Supply Module Status Indicator LEDs (Rear).....................................................................20 Table 22 – 7200 Series Controller DC Power Supply Module Status Indicator LEDs (Rear).....................................................................20 Table 23 – Intended Level of Security......................................................................................................................................................21 Table 24 – FIPS 140-2 Logical Interfaces..................................................................................................................................................22 Table 25 – Crypto-Officer Services...........................................................................................................................................................23 Table 26 – User Services ..........................................................................................................................................................................27 Table 27 – Estimated Strength of Authentication Mechanisms ..............................................................................................................28 Table 28 – Hardware CAVP Certificates...................................................................................................................................................31 Table 29 – ArubaOS OpenSSL Module CAVP Certificates ........................................................................................................................32 Table 30 – ArubaOS Crypto Module CAVP Certificates............................................................................................................................34 Table 31 – ArubaOS Bootloader CAVP Certificates..................................................................................................................................35 Table 32 – CSPs/Keys Used in the Module...............................................................................................................................................37 Table 33 – Inspection/Testing of Physical Security Mechanisms.............................................................................................................61 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |7 Preface This document may be freely reproduced and distributed whole and intact including the copyright notice. Products identified herein contain confidential commercial firmware. Valid license required. 1. Purpose of this Document This release supplement provides information regarding the Aruba 7XXX Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 validation from Aruba Networks. The material in this supplement modifies the general Aruba hardware and firmware documentation included with this product and should be kept with your Aruba product documentation. This supplement primarily covers the non-proprietary Cryptographic Module Security Policy for the Aruba 7XXX Controllers with ArubaOS FIPS Firmware. This security policy describes how the Controller meets the security requirements of FIPS 140-2 Level 2 and how to place and maintain the Controller in a secure FIPS 140-2 mode. This policy was prepared as part of the FIPS 140-2 Level 2 validation of the product. FIPS 140-2 (Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the National Institute of Standards and Technology (NIST) website at: https://csrc.nist.gov/projects/cryptographic-module-validation-program In addition, in this document, the Aruba 7XXX Controllers with ArubaOS FIPS Firmware are referred to as the Controller, the module, Aruba 7XXX series Mobility Controllers, Aruba 7XXX Controllers, 7XXX Controller, and 7XXX Series. 1.1.Related Documents The following items are part of the complete installation and operations documentation included with this product: • Aruba 7XXX Mobility Controller Installation Guide • Aruba 7XXX Series Mobility Controller Installation Guide • ArubaOS 8.X.0.0 User Guide, where X = 6, 5, or 2 • ArubaOS 8.X.0.x CLI Reference Guide, where X = 6, 5, or 2 • ArubaOS 8.X.0.0 Getting Started Guide, where X = 6, 5, or 2 • ArubaOS 8.X.0.0 Migration Guide, where X = 6, 5, or 2 • Aruba AP Installation Guides 1.1.1. Additional Product Information More information is available from the following sources: • The Aruba Networks Web-site contains information on the full line of products from Aruba Networks: http://www.arubanetworks.com • The NIST Validated Modules Web-site contains contact information for answers to technical or sales-related questions for the product: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/Validated-Modules/Search Enter Aruba in the Vendor field then select Search to see a list of FIPS certified Aruba products. Select the Certificate Number for the Module Name ‘Aruba 7XXX Controllers with ArubaOS FIPS Firmware’. 8 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy 2. Overview Aruba 7XXX series Mobility Controllers are optimized for 802.11ac and mobile app delivery. Fully application-aware, the 7XXX series prioritizes mobile apps based on user identity and offers exceptional scale for BYOD transactions and device densities. With a new central processor employing eight CPU cores and four virtual cores, the 7XXX series supports over 32,000 wireless devices and performs stateful firewall policy enforcement at speeds up to 40 Gbps – plenty of capacity for BYOD and 802.11ac devices. New levels of visibility, delivered by Aruba AppRF on the controller, allow IT to see applications by user, including top web-based applications like Facebook and Box. The 7XXX series also manages authentication, encryption, VPN connections, IPv4 and IPv6 services, the Aruba Policy Enforcement Firewall™ with AppRF Technology, Aruba Adaptive Radio Management™, and Aruba RFProtect™ spectrum analysis and wireless intrusion protection. The Aruba controller configurations validated during the cryptographic module testing included: • Aruba 7005-RWF1 (HPE SKU JW635A) • Aruba 7005-USF1 (HPE SKU JW636A) • Aruba 7008-RWF1 (HPE SKU JX931A) • Aruba 7008-USF1 (HPE SKU JX932A) • Aruba 7010-RWF1 (HPE SKU JW702A) • Aruba 7010-USF1 (HPE SKU JW703A) • Aruba 7024-RWF1 (HPE SKU JW706A) • Aruba 7024-USF1 (HPE SKU JW707A) • Aruba 7030-RWF1 (HPE SKU JW710A) • Aruba 7030-USF1 (HPE SKU JW711A) • Aruba 7205-RWF1 (HPE SKU JW739A) • Aruba 7205-USF1 (HPE SKU JW740A) • Aruba 7210-RWF1 (HPE SKU JW745A) • Aruba 7210-USF1 (HPE SKU JW746A) • Aruba 7220-RWF1 (HPE SKU JW753A) • Aruba 7220-USF1 (HPE SKU JW754A) • Aruba 7240-RWF1 (HPE SKU JW761A) • Aruba 7240-USF1 (HPE SKU JW762A) • Aruba 7240XM-RWF1 (HPE SKU JW829A) • Aruba 7240XM-USF1 (HPE SKU JW830A) ▪ FIPS Kit: 4011570-01 (HPE SKU JY894A). Part number for Tamper Evident Labels. The firmware versions validated are ArubaOS 8.10.0.2-FIPS. Aruba's development processes are such that future releases under ArubaOS 8.10 should be FIPS validate-able and meet the claims made in this document. Only the versions that explicitly appear on the certificate, however, are formally validated. The CMVP makes no claim as to the correct operation of the module or the security strengths of the generated keys when operating under a version that is not listed on the validation certificate. Note: For radio regulatory reasons, part numbers ending with -USF1 are to be sold in the US only. Part numbers ending with -RWF1 are considered ‘rest of the world’ and must not be used for deployment in the United States. From a FIPS perspective, both -USF1 and -RWF1 models are identical and fully FIPS compliant. Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |9 2.1.Physical Description 2.1.1. Cryptographic Module Boundaries For FIPS 140-2 Level 2 validation, the Controller has been validated as a multi-chip standalone cryptographic module. The opaque hard plastic (Aruba 7005/7008 Controllers only) or metal chassis physically encloses the complete set of hardware and firmware components and represents the cryptographic boundary of the module. The cryptographic boundary is defined as encompassing the top, front, left, right, rear, and bottom surfaces of the chassis. 2.1.2. Aruba 7005 Controller Figure 1 - Aruba 7005 Controller Figure 1 shows the front of the Aruba 7005 Controller, and illustrates the following: • Four Gigabit Ethernet ports (each with two LEDs) • One Type A USB port • LINK/ACT and Status LEDs • Management/Status LED • Console Connections - RJ-45 and Mini-USB (Disabled in FIPS mode by TELs) Dimensions/Weight The 7005 Controller has the following physical dimensions: • Dimensions: 4.1 cm (H) x 20 cm (W) x 20 cm (D) / 1.6” (H) x 7.9” (W) x 7.9” (D) • Weight: 0.92 kg / 2.03 lbs Environmental The 7005 Controller has the following environmental range: • Operating: o Temperature: 0° C to +40° C (+32° F to +104° F) o Humidity: 5% to 95% non-condensing • Storage and transportation: o Temperature: -40° C to +70° C (-40° F to +158° F) o Humidity: 5% to 95% non-condensing 10 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy Interfaces The 7005 Controller has the following interfaces (in addition to those shown in Figure 1 above): • Network Interface: o E0-E3: Four Gigabit Ethernet ports (RJ-45, Auto-sensing link speed 10/100/1000BASE-T and MDI/MDX) o 802.3az Energy Efficient Ethernet (EEE) o PoE-PD (E0 only): 48 Vdc (nominal) 802.3af/at POE (class 3 or 4) • DC Power Interface: o 12Vdc nominal, +/- 5% o 1.7mm/4.0mm center-positive circular plug with 9.5mm length Table 1 – 7005 Controller System Status and Power Indicator LEDs (Front) LED Type LED Function Color/State Meaning System System Status Off No Power Green - Solid Powered and Operational Green - Blinking Loading Firmware Amber - Solid Critical alarm Amber - Blinking Major alarm Power Power Status Off Power Off Green - Solid Powered from DC adaptor Amber - Solid Powered from PoE source Table 2 – 7005 Controller Status Indicator LEDs for Each Ethernet Port (Front) LED Type LED Function Color/State Meaning LINK/ACT Link Status Off No link on port Green - Solid Link established Green - Blinking Port is transmitting or receiving data STATUS Port Status Off Link at 10/100 Mbps Green - Solid Link at 1000 Mbps 2.1.3. Aruba 7008 Controller Figure 2 - Aruba 7008 Controller Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |11 Figure 2 shows the rear of the Aruba 7008 Controller, and illustrates the following: • Eight Gigabit Ethernet ports with POE (each with two LEDs) • Two Type A USB ports • LINK/ACT and Status LEDs • Management/Status LED • Console Connections - RJ-45 and Mini-USB (Disabled in FIPS mode by TELs) Dimensions/Weight The 7008 Controller has the following physical dimensions: • Dimensions: 4.2 cm (H) x 20.32 cm (W) x 20.32 cm (D) / 1.65” (H) x 8” (W) x 8” (D) • Weight: 1.0 kg / 2.2 lbs Environmental The 7008 Controller has the following environmental range: • Operating: o Temperature: 0° C to +40° C (+32° F to +104° F) o Humidity: 5% to 95% non-condensing • Storage and transportation: o Temperature: -40° C to +70° C (-40° F to +158° F) o Humidity: 5% to 95% non-condensing Interfaces The 7008 Controller has the following interfaces (in addition to those shown in Figure 2 above): • Network Interface: o E0-E7: Eight Gigabit Ethernet ports (RJ-45, Auto-sensing link speed 10/100/1000BASE-T and MDI/MDX) o 802.3az Energy Efficient Ethernet (EEE) o PoE-PSE (E0-E7): 54 Vdc (nominal) 802.3af/at POE/POE+ (class 3 or 4) • DC Power Interface: o 54Vdc nominal, 2.78A AC-to-DC power adaptor, 150-watt power supply • Reset Config recessed button (on front) Table 3 – 7008 Controller System Status and Power Indicator LEDs (Front) LED Type LED Function Color/State Meaning System System Status Off No Power Green - Solid Powered and Operational Green - Blinking Loading Firmware Amber - Solid Critical alarm Amber - Blinking Major alarm Power Power Status Off Power Off Green - Solid Powered from DC adaptor Amber - Solid Powered from PoE source Table 4 – 7008 Controller Status Indicator LEDs for Each Ethernet Port (Rear) LED Type LED Function Color/State Meaning LINK/ACT Link Status Off No link on port Green - Solid Link established Green - Blinking Port is transmitting or receiving data STATUS Port Status Off Link at 10/100 Mbps 12 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy Green - Solid Link at 1000 Mbps 2.1.4. Aruba 7010 Controller Figure 3 - Aruba 7010 Controller Figure 3 shows the front of the Aruba 7010 Controller, and illustrates the following: • Sixteen 10/100/1000 Ethernet ports (each with two LEDs) • Two Small Form-Factor Pluggable (SFP) Uplink ports (each with two LEDs) • Two Type A USB ports • LINK/ACT and Status LEDs • Management/Status LED • LCD Panel • Navigation Buttons (Functionally disabled in FIPS mode) • Console Connections - RJ-45 and Mini-USB (Disabled in FIPS mode by TELs) Dimensions/Weight The 7010 Controller has the following physical dimensions: • Dimensions: 4.42 cm (H) x 31.75 cm (W) x 33.7 cm (D) / 1.74” (H) x 12.75” (W) x 13.3” (D) • Weight: 3.4 kg / 7.5 lbs Environmental The 7010 Controller has the following environmental range: • Operating: o Temperature: 0° C to +40° C (+32° F to +104° F) o Humidity: 5% to 95% non-condensing • Storage and transportation: o Temperature: -40° C to +70° C (-40° F to +158° F) o Humidity: 5% to 95% non-condensing Interfaces The 7010 Controller has the following interfaces (in addition to those shown in Figure 3 above): • Network Interface: o E0-E15: Sixteen Gigabit Ethernet ports (RJ-45, Auto-sensing link speed 10/100/1000BASE-T and MDI/MDX) o 802.3az Energy Efficient Ethernet (EEE) o PoE-PSE (E0-E11): 802.3af/at POE/POE+ (class 3 or 4) o S16-S17: Two uplink ports (SFP, 1000BASE-X) • AC Power Interface: o integrated 225-watt AC power supply (Rear connector) Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |13 Table 5 – 7010 Controller System Status and Power Indicator LEDs (Front) LED Type LED Function Color/State Meaning System System Status Off No Power Green - Solid Powered and Operational Green - Blinking Loading Firmware Amber - Solid Critical alarm Amber - Blinking Major alarm Power Power Status Off Power Off Green - Solid Power On Peered N/A N/A N/A – Reserved for future use Table 6 – 7010 Controller Status Indicator LEDs for Each Ethernet Port (Front) LED Type LED Function Color/State Meaning LINK/ACT Link Status Off No link on port Green - Solid Link established Green - Blinking Port is transmitting or receiving data STATUS Port Status Off Link at 10/100 Mbps Green - Solid Link at 1000 Mbps Table 7 – 7010 Controller Status Indicator LEDs for Each Uplink (SFP) Port (Front) LED Type LED Function Color/State Meaning LINK/ACT Link Status Off No link on port Green - Solid Link established Green - Blinking Port is transmitting or receiving data STATUS Port Status Off N/A Green - Solid Link at 1 Gbps 2.1.5. Aruba 7024 Controller Figure 4 - Aruba 7024 Controller Figure 4 shows the front of the Aruba 7024 Controller, and illustrates the following: • Twenty-four 10/100/1000 Ethernet ports (each with two LEDs) • Two Enhanced Small Form-Factor Pluggable (SFP+) Uplink ports (each with two LEDs) • One Type A USB ports • LINK/ACT and Status LEDs • Management/Status LED • LCD Panel • Navigation Buttons (Functionally disabled in FIPS mode) 14 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy • Console Connections - RJ-45 and Mini-USB (Rear, Disabled in FIPS mode by TELs) Dimensions/Weight The 7024 Controller has the following physical dimensions: • Dimensions: 4.37 cm (H) x 44.2 cm (W) x 31.3 cm (D) / 1.72” (H) x 17.4” (W) x 12.32” (D) • Weight: 5.127 kg / 11.303 lbs Environmental The 7024 Controller has the following environmental range: • Operating: o Temperature: 0° C to +40° C (+32° F to +104° F) o Humidity: 10% to 95% non-condensing • Storage and transportation: o Temperature: -40° C to +70° C (-40° F to +158° F) o Humidity: 10% to 95% non-condensing Interfaces The 7024 Controller has the following interfaces (in addition to those shown in Figure 4 above): • Network Interface: o E0-E23: Twenty-four Gigabit Ethernet ports (RJ-45, Auto-sensing link speed 10/100/1000BASE-T and MDI/MDX) o 802.3az Energy Efficient Ethernet (EEE) o PoE-PSE (E0-E23): 802.3af/at POE/POE+ (class 3 or 4) o S24-S25: Two uplink ports (SFP/SFP+, 10GBASE-X) • AC Power Interface: o integrated 580-watt AC power supply (Rear connector) Table 8 – 7024 Controller System Status and Power Indicator LEDs (Front) LED Type LED Function Color/State Meaning System System Status Off No Power Green - Solid Powered and Operational Green - Blinking Loading Firmware Amber - Solid Critical alarm Amber - Blinking Major alarm Power Power Status Off Power Off Green - Solid Power On Peered N/A N/A N/A – Reserved for future use Table 9 – 7024 Controller Status Indicator LEDs for Each Ethernet Port (Front) LED Type LED Function Color/State Meaning LINK/ACT Link Status Off No link on port Green - Solid Link established Green - Blinking Port is transmitting or receiving data STATUS Port Status Off Link at 10/100 Mbps Green - Solid Link at 1000 Mbps Table 10 – 7024 Controller Status Indicator LEDs for Each Uplink (SFP/SFP+) Port (Front) LED Type LED Function Color/State Meaning LINK/ACT Link Status Off No link on port Green - Solid Link established Green - Blinking Port is transmitting or receiving data STATUS Port Status Off Link at 1 Gbps Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |15 Green - Solid Link at 10 Gbps 2.1.6. Aruba 7030 Controller Figure 5 - Aruba 7030 Controller Figure 5 shows the front of the Aruba 7030 Controller, and illustrates the following: • Eight 10/100/1000 Ethernet ports (each with two LEDs) • Eight Small Form-Factor Pluggable (SFP) Uplink ports (each with two LEDs) • One Type A USB port • LINK/ACT and Status LEDs • Management/Status LED • LCD Panel • Navigation Buttons (Functionally disabled in FIPS mode) • Console Connections - RJ-45 and Mini-USB (Disabled in FIPS mode by TELs) Dimensions/Weight The 7030 Controller has the following physical dimensions: • Dimensions: 4.37 cm (H) x 30.48 cm (W) x 21.08 cm (D) / 1.72” (H) x 12.0” (W) x 8.3” (D) • Weight: 2.06 kg / 4.54 lbs Environmental The 7030 Controller has the following environmental range: • Operating: o Temperature: 0° C to +40° C (+32° F to +104° F) o Humidity: 5% to 95% non-condensing • Storage and transportation: o Temperature: -40° C to +70° C (-40° F to +158° F) o Humidity: 5% to 95% non-condensing Interfaces The 7030 Controller has the following interfaces (in addition to those shown in Figure 5 above): • Network Interface: o E0-E7: Eight Gigabit Ethernet ports (RJ-45, Auto-sensing link speed 10/100/1000BASE-T and MDI/MDX) o S0-S7: Eight uplink ports (SFP, 1000BASE-X) • AC Power Interface: o integrated 80-watt AC power supply (Rear connector) 16 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy Table 11 – 7030 Controller System Status and Power Indicator LEDs (Front) LED Type LED Function Color/State Meaning System System Status Off No Power Green - Solid Powered and Operational Green - Blinking Loading Firmware Amber - Solid Critical alarm Amber - Blinking Major alarm Power Power Status Off Power Off Green - Solid Power On Peered N/A N/A N/A – Reserved for future use Table 12 – 7030 Controller Status Indicator LEDs for Each Ethernet Port (Front) LED Type LED Function Color/State Meaning LINK/ACT Link Status Off No link on port Green - Solid Link established Green - Blinking Port is transmitting or receiving data STATUS Port Status Off Link at 10/100 Mbps Green - Solid Link at 1000 Mbps Table 13 – 7030 Controller Status Indicator LEDs for Each Uplink (SFP) Port (Front) LED Type LED Function Color/State Meaning LINK/ACT Link Status Off No link on port Green - Solid Link established Green - Blinking Port is transmitting or receiving data STATUS Port Status Off N/A Green - Solid Link at 1 Gbps 2.1.7. Aruba 7205 Controller Figure 6 - Aruba 7205 Controller Figure 6 shows the front of the Aruba 7205 Controller, and illustrates the following: • Four 10/100/1000 Ethernet ports (each with two LEDs) • Four Small Form-Factor Pluggable (SFP) Uplink ports (each with two LEDs) • Two Dual-Purpose Gigabit Uplink Ports (each with two LEDs) • Two Type A USB ports (one is on the front and one is on the back) • LINK/ACT and Status LEDs • Management/Status LED • LCD Panel • Navigation Buttons (Functionally disabled in FIPS mode) • Console Connections - RJ-45 and Mini-USB (Disabled in FIPS mode by TELs) Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |17 Dimensions/Weight The 7205 Controller has the following physical dimensions: • Dimensions: 4.4 cm (H) x 44.2 cm (W) x 33.4 cm (D) / 1.75” (H) x 17.38” (W) x 13.13” (D) • Weight: 4.95 kg / 10.19 lbs Environmental The 7205 Controller has the following environmental range: • Operating: o Temperature: 0° C to +40° C (+32° F to +104° F) o Humidity: 10% to 95% non-condensing • Storage and transportation: o Temperature: -40° C to +70° C (-40° F to +158° F) o Humidity: 10% to 95% non-condensing Interfaces The 7205 Controller has the following interfaces (in addition to those shown in Figure 6 above): • Network Interface: o E0-E3: Four Gigabit Ethernet ports (RJ-45, Auto-sensing link speed 10/100/1000BASE-T) o S0-S3: Four SFP ports (SFP, 1000BASE-X) o S4-S5: Two SFP+ ports (SFP/SFP+, 10GBASE-X) • AC Power Interface: o integrated 180-watt AC power supply (Rear connector) Table 14 – 7205 Controller System Status and Power Indicator LEDs (Front) LED Type LED Function Color/State Meaning System System Status Off No Power Green - Solid Powered and Operational Green - Blinking Loading Firmware Amber - Solid Critical alarm Amber - Blinking Major alarm Power Power Status Off Power Off Green - Solid Power On Peered N/A N/A N/A – Reserved for future use Table 15 – 7205 Controller Status Indicator LEDs for Each Ethernet Port (Front) LED Type LED Function Color/State Meaning LINK/ACT Link Status Off No link on port Green - Solid Link established Green - Blinking Port is transmitting or receiving data STATUS Port Status Off Link at 10/100 Mbps Green - Solid Link at 1000 Mbps Table 16 – 7205 Controller Status Indicator LEDs for Each SFP/SFP+ Port (Front) LED Type LED Function Color/State Meaning LINK/ACT Link Status Off No link on port Green - Solid Link established Green - Blinking Port is transmitting or receiving data STATUS Port Status Off N/A (SFP) or Link at 1 Gbps (SFP+) Green - Solid Link at 1 Gbps (SFP) or 10 Gbps (SFP+) 18 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy Table 17 – 7205 Controller CPU Module Status and Power Indicator LEDs (Rear) LED Type LED Function Color/State Meaning Status CPU Module Status Off No Power Green - Solid Powered and Operational Green - Blinking Loading Firmware Power CPU Module Power Status Off Power Off Green - Solid Power On 2.1.8. Aruba 7200 Series Controllers Figure 7 - Aruba 7200 Series Controller (Front) Figure 7 shows the front of the Aruba 7200 Series Controller, and illustrates the following: • Four 10GBase-X (SFP+) Ethernet ports (each with two LEDs) • Two Dual-Purpose Gigabit Uplink Ports (each with two LEDs) • LINK/ACT and Status LEDs • Management/Status LED • USB 2.0 Port • LCD Panel and Navigation Buttons (Functionally disabled in FIPS mode) • Console Connections - RJ-45 and Mini-USB (Disabled in FIPS mode by TELs) • Expansion Slot (Functionally disabled in FIPS mode). Figure 8 - Aruba 7200 Series Controller (Rear) Figure 8 shows the rear of the Aruba 7200 Series Controller, and illustrates the following: • Two hot-swappable AC power supply modules (each with three LEDs) in PSU0 and PSU1 • One hot-swappable fan tray with four individual fans. Note: The Aruba 7200 Series Controllers include the 7210, 7220, 7240 and 7240XM which are identical in terms of outward appearance and definition of the cryptographic boundary. Differences between the models are internal and are related to CPU capacity and speed. Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |19 Dimensions/Weight The 7200 Series Controllers have the following physical dimensions (without mounting brackets): • Dimensions: 4.4 cm (H) x 44.5 cm (W) x 44.5 cm (D) / 1.75” (H) x 17.5” (W) x 17.5” (D) • Weight (with one AC power supply installed): 7.45 kg / 16.43 lbs Environmental The 7200 Series Controllers have the following environmental range: • Operating: o Temperature: 0° C to +40° C (+32° F to +104° F) o Humidity: 5% to 95% non-condensing • Storage and transportation: o Temperature: 0° C to +50° C (+32° F to +122° F) o Humidity: 5% to 95% non-condensing Interfaces The 7200 Series Controllers have the following interfaces (in addition to those shown in Figures 7 and 8 above): • Network Interface: o E0-E1: Two Gigabit Ethernet ports (RJ-45, Auto-sensing link speed 10/100/1000BASE-T) o S0-S1: Two SFP ports (SFP, 1000BASE-X) o S2-S5: Four SFP+ ports (SFP/SFP+, 10GBASE-X) • AC or DC Power Interface: o 12VDC, Autosensing, load-sharing, redundant 350W AC power supply or 350W DC power supply Table 18 – 7200 Series Controller System Status and Power Indicator LEDs (Front) LED Type LED Function Color/State Meaning System System Status Off No Power Green - Solid Powered and Operational Green - Blinking Loading Firmware Amber - Solid Critical alarm Amber - Blinking Major alarm Power Power Status Off Power Off Green - Solid Power On Peered N/A N/A N/A – Reserved for future use Table 19 – 7200 Series Controller Status Indicator LEDs for Each Ethernet Port (Front) LED Type LED Function Color/State Meaning LINK/ACT Link Status Off No link on port Green - Solid Link established Green - Blinking Port is transmitting or receiving data STATUS Port Status Off Link at 10/100 Mbps Green - Solid Link at 1000 Mbps 20 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy Table 20 – 7200 Series Controller Status Indicator LEDs for Each Uplink (SFP/SFP+) Port (Front) LED Type LED Function Color/State Meaning LINK/ACT Link Status Off No link on port Green - Solid Link established Green - Blinking Port is transmitting or receiving data STATUS Port Status Off Link speed mismatch (SFP) or Link at 1 Gbps (SFP+) Green - Solid Link at 1 Gbps (SFP) or 10 Gbps (SFP+) Table 21 – 7200 Series Controller AC Power Supply Module Status Indicator LEDs (Rear) LED Type LED Function Color/State Meaning AC AC Status Green - Solid Operating Normally. AC voltage is OK. Red - Solid Power Supply Failure DC DC Status Green - Solid Operating Normally Red - Solid Power Supply Failure TEMP Power Supply Temperature Green - Solid Operating Normally Red - Solid Temperature Alarm in PSU Table 22 – 7200 Series Controller DC Power Supply Module Status Indicator LEDs (Rear) LED Type LED Function Color/State Meaning DC IN DC Input Status Green - Solid Operating Normally. Red - Solid Power Supply Failure DC OUT DC Output Status Green - Solid Operating Normally Red - Solid Power Supply Failure TEMP Power Supply Temperature Green - Solid Operating Normally Red - Solid Temperature Alarm in PSU Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |21 2.2.Intended Level of Security The 7XXX Controller and associated modules are intended to meet overall FIPS 140-2 Level 2 requirements. Table 23 – Intended Level of Security Section Section Title Security Level 1 Cryptographic Module Specification 2 2 Cryptographic Module Ports and Interfaces 2 3 Roles, Services, and Authentication 2 4 Finite State Model 2 5 Physical Security 2 6 Operational Environment N/A 7 Cryptographic Key Management 2 8 EMI/EMC 2 9 Self-tests 2 10 Design Assurance 2 11 Mitigation of Other Attacks N/A Overall Overall module validation level 2 3. Physical Security The Aruba Controller is a scalable, multi-processor standalone network device and is enclosed in a robust steel or plastic housing. The enclosure of the module has been designed to satisfy FIPS 140-2 Level 2 physical security requirements. The Aruba 7XXX Controller requires Tamper-Evident Labels (TELs) to allow the detection of the opening of the chassis cover and to block the Serial console port. To protect the Aruba 7XXX Controller from any tampering with the product, TELs should be applied by the Crypto Officer as covered under “Tamper-Evident Labels”. 4. Operational Environment The operational environment is non-modifiable. The control plane Operating System (OS) is Linux, a real- time, multi-threaded operating system that supports memory protection between processes. Access to the underlying Linux implementation is not provided directly. Only Aruba Networks provided interfaces are used, and the CLI is a restricted command set. The module only allows the loading of trusted and verified firmware that is signed by Aruba. Any firmware loaded into this module that is not shown on the module certificate is out of the scope of this validation and requires a separate FIPS 140-2 validation. 22 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy 5. Logical Interfaces All of these physical interfaces are separated into logical interfaces defined by FIPS 140-2, as described in the following table. Table 24 – FIPS 140-2 Logical Interfaces FIPS 140-2 Logical Interface Module Physical Interface Data Input Interface • 10/100/1000 Ethernet Ports • SFP/SFP+ Uplink Ports • USB Port Data Output Interface • 10/100/1000 Ethernet Ports • SFP/SFP+ Uplink Ports • USB Port Control Input Interface • 10/100/1000 Ethernet Ports • SFP/SFP+ Uplink Ports • Reset Switch Status Output Interface • 10/100/1000 Ethernet Ports • SFP/SFP+ Uplink Ports • USB Port • LEDs Power Interface • Power Supply Data input and output, control input, status output, and power interfaces are defined as follows: • Data input and output are the packets that use the firewall, VPN, and routing functionality of the modules. • Control input consists of manual control inputs reset through the reset switch. It also consists of all of the data that is entered into the controller while using the management interfaces. • Status output consists of the status indicators displayed through the LEDs, the status data that is output from the controller while using the management interfaces, and the log file. o LEDs indicate the physical state of the module, such as power-up (or rebooting), utilization level, activation state (including fan, ports, and power). The log file records the results of self-tests, configuration errors, and monitoring data. • A power supply is used to connect the electric power cable. The controller distinguishes between different forms of data, control, and status traffic over the network ports by analyzing the packets header information and contents. Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |23 6. Roles and Services The Aruba Controller supports role-based authentication. There are two roles in the module (as required by FIPS 140-2 Level 2) that operators may assume: a Crypto Officer role and a User role. The Administrator maps to the Crypto-Officer role and the client Users map to the User role 6.1.Crypto Officer Role The Crypto Officer role has the ability to configure, manage, and monitor the controller. This role can be present on the controller in a standalone configuration or provided through the Aruba Mobility Master when the controller is operating as a managed device. Crypto Officer Users can be created with predefined roles whose services are a subset of the administrator role. Four management interfaces can be used for this purpose: • SSHv2 CLI The Crypto Officer can use the CLI to perform non-security-sensitive and security-sensitive monitoring and configuration. The CLI can be accessed remotely by using the SSHv2 secured management session over the Ethernet ports or locally over the serial port. In FIPS mode, the serial port is disabled. • Web Interface The Crypto Officer can use the Web Interface as an alternative to the CLI. The Web Interface provides a highly intuitive, graphical interface for a comprehensive set of controller management tools. The Web Interface can be accessed from a TLS-enabled Web browser using HTTPS (HTTP with Secure Socket Layer) on logical port 4343. • SNMPv3 The Crypto Officer can also use SNMPv3 to remotely perform non-security-sensitive monitoring and use ‘get’ and ‘getnext’ commands. • Mobility Master The Crypto Officer can use the Mobility Master interface to configure the controller when operating as a managed device. See the table below for descriptions of the services available to the Crypto Officer role. Table 25 – Crypto-Officer Services Service Description Input Output CSP/Algorithm Access (please see Table 32 below for details) SSHv2 Provide authenticated and encrypted remote management sessions while using the CLI SSHv2 key agreement parameters, SSH inputs, and data SSHv2 outputs and data 26, 27 (read/write/delete) SNMPv3 Provides ability to query management information SNMPv3 requests SNMPv3 responses 34, 35, 36 (read/write/delete) 24 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy Table 25 – Crypto-Officer Services IKEv1/IKEv2- IPSec Access the module's IPSec services in order to secure network traffic IKEv1/IKEv2 inputs and data; IPSec inputs, commands, and data IKEv1/IKEv2 outputs, status, and data; IPSec outputs, status, and data 1,18 (read) 6, 7, 8, 9, 10, 11 (read/write/delete) 19, 20, 21, 22, 23, 24 and 25 (read/delete) Configuring Network Management Create management Users and set their password and privilege level; configure the SNMP agent Commands and configuration data Status of commands and configuration data 1, 34, 35 (read) 36 (delete) Configuring the module Define synchronization features for module Commands and configuration data Status of commands and configuration data None Configuring Internet Protocol Set IP functionality Commands and configuration data Status of commands and configuration data None Configuring Quality of Service (QoS) Configure QOS values for module Commands and configuration data Status of commands and configuration data None Configuring VPN Configure Public Key Infrastructure (PKI); configure the Internet Key Exchange (IKEv1/IKEv2) Security Protocol; configure the IPSec protocol Commands and configuration data Status of commands and configuration data 1, 18 (read) 14,15, 16, 17 (read) 18, 19, 20, 21, 22, 23, 24 and 25 (delete) Configuring DHCP Configure DHCP on module Commands and configuration data Status of commands and configuration data None Configuring Security Define security features for module, including Access List, Authentication, Authorization and Accounting (AAA), and firewall functionality Commands and configuration data Status of commands and configuration data 12, 13 (read/write/delete) 1 (read) Manage Certificates Install, and delete X.509 certificates Commands and configuration data; Certificates and keys Status of certificates, commands, and configuration 14, 15, 16, 17 (write/delete) NTP Authentication Service Configure and connect to NTP server using authentication key Commands and data NTP output, status, and data 42 (write/delete) HTTP over TLS Secure browser connection over Transport Layer Security acting as a Crypto Officer service (web management interface) TLS inputs, commands, and data TLS outputs, status, and data 6, 7, 8, 28, 29, 30 and 31 (read/write/delete ) 4, 5 (read/write) 2, 3 (read) Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |25 Table 25 – Crypto-Officer Services Openflow Agent Agent run on device for use with Mobility Master SDN. Leveraged by the SDN for discovering of hosts and networks, configuration of networks, and collection of statistics. Configuration Data and statistic collection Status of commands and configuration data None Status Function Cryptographic officer may use CLI “show” commands or view WebUI via TLS to view the controller configuration, routing tables, and active sessions; view health, temperature, memory status, voltage, and packet statistics; review accounting logs, and view physical interface status Commands and configuration data Status of commands and configurations None IPSec tunnel establishment for RADIUS protection Provided authenticated/encrypted channel to RADIUS server IKEv1/IKEv2 inputs and data; IPSec inputs, commands, and data IKEv1/IKEv2 outputs, status, and data; IPSec outputs, status, and data 12 and 18 (read/write/delete) 19, 20, 21, 22, 23, 24 and 25 (write/delete) 1 (read) 4, 5 (read/write) 2, 3 (read) Self-Test Perform FIPS start-up tests on demand None Error messages logged if a failure occurs None Configuring Bypass Operation Configure bypass operation on the module Commands and configuration data Status of commands and configuration data None Updating Firmware1 Updating firmware on the module Commands and configuration data Status of commands and configuration data 1, 41 (read) Configuring Online Certificate Status Protocol (OCSP) Responder Configuring OCSP responder functionality OCSP inputs, commands, and data OCSP outputs, status, and data 26, 27, 28, 29, 30 (read) Configuring Control Plane Security (CPSec) Configuring Control Plane Security mode to protect communication with APs using IPSec and issue self signed certificates to APs. Hybrid CPSec allows for the ability to enable or disable independently for each zone and allow zones to contain Commands and configuration data, IKEv1/IKEv2 inputs and data; IPSec inputs, commands, and data Status of commands, IKEv1/ IKEv2 outputs, status, and data; IPSec outputs, status, and data and configuration data, self signed 12 and 18 (read/write/delete) 19, 20, 21, 22, 23, 24, 25 (write/delete) 1, 2, 3 (read) 4, 5 (read/write) 1 Any firmware loaded into this module that is not shown on the module certificate is out of the scope of this validation and requires a separate FIPS 140-2 validation. 26 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy Table 25 – Crypto-Officer Services different configurations. Can interact with hardware and virtual appliances through multizone/mesh when CPSec is enabled. certificates Zeroization The cryptographic keys stored in SDRAM memory can be zeroized by rebooting the module. The cryptographic keys (IKEv1 Pre- shared key and 802.11i Pre- Shared Key) stored in the flash can be zeroized by using the command ‘wipe out flash’ or overwriting with a new secret. The ‘no’ command in the CLI can be used to zeroize IKE, IPSec and CA CSPs. Please See CLI guide for details. The other keys/CSPs (RSA/ECDSA public key/private key and certificate) stored in Flash memory can be zeroized by using the appropriate command. The "wipe out flash" command formats the configuration flash partition. Additionally, the zeroize TPM command ‘zeroize-tpm-keys’ may be issued to erase the stored TPM keys. NOTE: The effect of the zeroize TPM command is not reversible. The action will void the warranty on the controller and nullify the RMA. The command will wipe the contents of the TPM and render the controller permanently inoperable. Command Progress information All CSPs will be destroyed. Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |27 6.2.User Role The table below lists the services available to User role: Table 26 – User Services Service Description Input Output CSP Access (please see Table 32 below for CSP details) IKEv1/IKEv2- IPSec Access the module’s IPSec services in order to secure network traffic IPSec inputs, commands, and data IPSec outputs, status, and data 6, 7, 8, 9, 10, 11 (read, write, delete) 14, 15, 16, 17 (read) 19, 20, 21, 22, 23, 24 and 25 (read/delete) 4, 5 (read/write) 2, 3 (read) HTTP over TLS Access the module’s TLS services in order to secure network traffic TLS inputs, commands, and data TLS outputs, status, and data 6, 7, 8, 9, 10, 11, 28, 29, 30 and 31 (read/write/delete) 4, 5 (read/write) 2, 3 (read) 802.11i Shared Key Mode Access the module’s 802.11i services in order to secure network traffic 802.11i inputs, commands and data 802.11i outputs, status and data 37, 38, 39 and 40 (create/read/delete) 4, 5 (read/write) 802.11i with EAP- TLS Access the module’s 802.11i services in order to secure network traffic 802.11i inputs, commands and data 802.11i outputs, status, and data 14, 15, 16, 17 (read) 37, 38, 39 and 40 (read/delete) 4, 5 (read/write) 28 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy 6.3.Authentication Mechanisms The Aruba Controller supports role-based authentication. Role-based authentication is performed before the Crypto Officer enters privileged mode using admin password via Web Interface or SSHv2. Role-based authentication is also performed for User authentication. This includes password and RSA/ECDSA-based authentication mechanisms. The strength of each authentication mechanism is described below. Table 27 – Estimated Strength of Authentication Mechanisms Authentication Type Role Strength Password-based authentication (SSH and Web Interface) Crypto Officer Passwords are required to be a minimum of eight ASCII characters and a maximum of 32 with a minimum of one letter and one number. Given these restrictions, the probability of randomly guessing the correct sequence is one (1) in 3,608,347,333,959,680 (this calculation is based on the assumption that the typical standard American QWERTY computer keyboard has 10 Integer digits, 52 alphabetic characters, and 32 special characters providing 94 characters to choose from in total. The calculation should be 94^8 (Total number of 8-digit passwords) – 84^8 (Total number of 8-digit passwords without numbers) – 42^8 (Total number of 8-digit passwords without letters) + 32^8 (Total number of 8-digit passwords without letters or numbers, added since it is double-counted in the previous two subtractions) = 3,608,347,333,959,680). At optimal network conditions (assuming 1ms round-trip latency), an attacker would only get 60,000 guesses per minute. Therefore the associated probability of a successful random attempt during a one- minute period is 60,000/3,608,347,333,959,680, which is less than 1 in 100,000 required by FIPS 140-2. RSA-based authentication (IKEv1/IKEv2/TLS/EAP-TLS) User The module supports 2048-bit RSA key authentication during IKEv1, IKEv2, TLS, and EAP-TLS. RSA 2048 bit keys correspond to 112 bits of security. Assuming the low end of that range, the associated probability of a successful random attempt is 1 in 2^112, which is less than 1 in 1,000,000 required by FIPS 140-2. At optimal network conditions (assuming 1ms round-trip latency), an attacker would only get 60,000 guesses per minute. Therefore the associated probability of a successful random attempt during a one-minute period is 60,000/2^112, which is less than 1 in 100,000 required by FIPS 140- 2. RSA-based authentication (SSH/HTTP over TLS) Crypto Officer The module supports 2048-bit RSA key authentication during IKEv1, IKEv2, TLS, and EAP-TLS. RSA 2048 bit keys correspond to 112 bits of security. Assuming the low end of that range, the associated probability of a successful random attempt is 1 in 2^112, which is less than 1 in 1,000,000 required by FIPS 140-2. At optimal network conditions (assuming 1ms round-trip latency), an attacker would only get 60,000 guesses per minute. Therefore the associated probability of a successful random attempt during a one-minute period is 60,000/2^112, which is less than 1 in 100,000 required by FIPS 140- 2. These keys can be used for admin authentication. Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |29 ECDSA-based authentication (IKEv1/IKEv2/TLS/EAP-TLS) User ECDSA signing and verification is used to authenticate to the module during IKEv1/IKEv2, TLS, and EAP-TLS. Both P-256 and P-384 curves are supported. ECDSA P-256 provides 128 bits of equivalent security, and P-384 provides 192 bits of equivalent security. Assuming the low end of that range, the associated probability of a successful random attempt is 1 in 2^128, which is less than 1 in 1,000,000 required by FIPS 140-2. At optimal network conditions (assuming 1ms round-trip latency), an attacker would only get 60,000 guesses per minute. Therefore the associated probability of a successful random attempt during a one-minute period is 60,000/2^128, which is less than 1 in 100,000 required by FIPS 140- 2. ECDSA-based authentication (SSH/HTTP over TLS) Crypto Officer ECDSA signing and verification is used to authenticate to the module during IKEv1/IKEv2, TLS, and EAP-TLS. Both P-256 and P-384 curves are supported. ECDSA P-256 provides 128 bits of equivalent security, and P-384 provides 192 bits of equivalent security. Assuming the low end of that range, the associated probability of a successful random attempt is 1 in 2^128, which is less than 1 in 1,000,000 required by FIPS 140-2. At optimal network conditions (assuming 1ms round-trip latency), an attacker would only get 60,000 guesses per minute. Therefore the associated probability of a successful random attempt during a one-minute period is 60,000/2^128, which is less than 1 in 100,000 required by FIPS 140- 2. These keys can be used for admin authentication. Pre-shared key-based authentication (RADIUS) User The password requirements are the same as the CO role above, except that the maximum ASCII characters can be 128. Assuming the weakest option of 8 ASCII characters, the authentication mechanism strength is the same as the CO role above. Pre-shared key-based authentication (IKEv1/IKEv2) User The password requirements are the same as the CO role above, except that the maximum ASCII characters can be 64. Additionally, exactly 64 HEX characters can be entered. Assuming the weakest option of 8 ASCII characters, the authentication mechanism strength is the same as the CO role above. Pre-shared key based authentication (802.11i) User The password requirements are the same as the IKEv1/IKEv2 shared secret above, except that the maximum ASCII characters can be 63. Assuming the weakest option of 8 ASCII characters, the authentication mechanism strength is the same as the IKEv1/IKEv2 shared secret above. SSH Master Public Certificate (SSH) Crypto Officer RSA-based certificate used for authentication by the CO to connect to the Mobility Master which provides interface to the controller if running as a managed device. Same authentication mechanism strength as RSA-based authentication above. 30 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy 6.4.Unauthenticated Services The Aruba Controller can perform VLAN, bridging, firewall, routing, and forwarding functionality without authentication. These services do not involve any cryptographic processing. • Internet Control Message Protocol (ICMP) service • Network Time Protocol (NTP) service • Network Address Resolution Protocol (ARP) service Additional unauthenticated services include performance of the power-on self-test and system status indication via LEDs. 6.5.Services Available in Non-FIPS Mode • All of the services that are available in FIPS mode are also available in non-FIPS mode. • If not operating in the Approved mode as per the procedures in sections 13.1, 13.2 and 13.3, then non-Approved algorithms and/or sizes are available. • Upgrading the firmware via the console port (non-Approved). • Debugging via the console port (non-Approved). 6.6.Non-Approved Services Non-Approved in FIPS Mode • WPA3 • WPA-2 Multiple Pre-Shared Key (MPSK), where every client connected to the WLAN SSID may have its own unique PSK. • IPSec/IKE using Triple-DES • Diffie-Hellman Group 14 with SHA-256 (added for SSH) • HMAC-SHA-256 as used in SSH Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |31 7. Cryptographic Key Management 7.1.FIPS Approved Algorithms The firmware in each module contains the following cryptographic algorithm implementations/crypto libraries to implement the different FIPS approved cryptographic algorithms that will be used for the corresponding security services supported by the module in FIPS mode: • ArubaOS OpenSSL Module algorithm implementation • ArubaOS Crypto Module algorithm implementation • ArubaOS Bootloader algorithm implementation • Aruba Hardware Crypto Accelerator algorithm implementation Below are the detailed lists for the FIPS approved algorithms and the associated certificate implemented by each algorithm implementation. Note that not all algorithm modes that appear on the module’s CAVP certificates are utilized by the module, and the tables below list only the algorithm modes that are utilized by the module. Table 28 – Hardware CAVP Certificates Aruba Hardware Crypto Accelerators (Broadcom XLP CPU) CAVP Certificate # Algorithm Standard Mode/Method Key Lengths, Curves, Moduli Use 2477 2479 3014 AES FIPS 197, SP 800-38A SP 800-38D ECB, CBC, CFB8, CFB128, OFB, CTR (ext only) 128, 192, 256 Data Encryption/Decryption 2477 2479 3014 AES FIPS 197, SP 800-38A, SP 800-38D GCM, CCM 128, 256 Data Encryption/Decryption 1520 1522 1906 HMAC FIPS 198-1 HMAC-SHA1, HMAC-SHA- 256, HMAC- SHA-384, HMAC-SHA-512 112, 126, 160, 256 Message Authentication 2096 2098 2522 SHS FIPS 180-4 SHA-1, SHA- 256, SHA-384, SHA-512 Byte Only Message Digest 1516 1518 1770 Triple-DES SP 800-67 TEBC, TCBC 192 Data Encryption/Decryption 1266 1268 1573 RSA FIPS 186-4 SHA-1, SHA- 256, SHA-384, SHA-512 PKCS1 v1.5 2048 Digital Signature Generation and Verification Note: • In FIPS Mode, Triple-DES is only used in the Self-Tests. The above hardware algorithm certificates were tested on Broadcom XLP series processors by Broadcom Corporation. Aruba Networks purchased the processors and put them in the Aruba modules to support bulk cryptographic operations. Please be aware that there is no partnership between Aruba Networks and Broadcom Corporation. 32 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy Table 29 – ArubaOS OpenSSL Module CAVP Certificates ArubaOS OpenSSL Module CAVP Certificate # Algorithm Standard Mode/Method Key Lengths, Curves, Moduli Use A2690 AES FIPS 197, SP 800-38A ECB, CBC, CTR (ext only, encryption only) 128, 192, 256 Data Encryption/Decryption A2690 AES FIPS 197, SP 800-38A SP 800-38D GCM, CCM (used in self- tests only) 128, 256 Data Encryption/Decryption Vendor Affirmed CKG SP 800-133 CTR_DRBG N/A Cryptographic Key Generation (using output from DRBG2 as per IG D.12) A2690 CVL3 IKEv1, TLS, SSH, SNMP SP800-135 IKEv1: DSA, PSK TLS: v1.0/1.1, v1.2 IKEv1: DH 2048- bit; SHA-1, SHA- 256, SHA-384 SSH: SHA-1 TLS: SHA-256, SHA-384, SHA-512 Key Derivation A2690 DRBG SP 800-90A AES CTR 256 Deterministic Random Bit Generation A2690 DSA FIPS 186-4 keyGen, pqgGen L=2048, N=256, SHA2-256 Key Generation, Digital Key Generation A2690 ECDSA 186-4 PKG, PKV, SigGen, SigVer P256, P384 Digital Key Generation and Verification, Digital Signature Generation and Verification A2690 HMAC FIPS 198-1 HMAC-SHA1, HMAC-SHA- 256, HMAC- SHA-384, HMAC-SHA- 512 Key Size < Block Size Message Authentication A2690 KAS-SSC SP 800-56A Rev3 FFC: dhEphem, ECC: Ephemeral Unified FFC: FC with SHA2-256 ECC: P-256 with SHA2-256 KAS Roles - initiator, responder Key Agreement Scheme – Shared Secret Computation N/A KAS SP 800-56A Rev3 SP 800-135 KAS-SSC Cert A2690 CVL Cert A2690 N/A Key Agreement Scheme – IG D.8, scenario X1 (2) N/A KAS SP 800-56A Rev3 SP 800-56C Rev1 KAS-SSC Cert A2690 KDA Cert A2690 N/A Key Agreement Scheme – IG D.8, scenario X1 (2) A2690 KDA SP 800-56C Rev1 Two-step key derivation HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-384 Key Derivation Algorithm A2690 KBKDF SP 800-108 CTR HMAC-SHA1, HMAC-SHA256, HMAC-SHA384 Deriving Keys 2 Resulting symmetric keys and seeds used for asymmetric key generation are unmodified output from SP 800-90A DRBG. 3 IKEv1, TLS, SSH and SNMP protocols have not been reviewed or tested by the CAVP and CMVP Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |33 A2690 RSA FIPS 186-2 SHA-1 PKCS1 v1.5 2048 Digital Signature Verification A2690 RSA FIPS 186-4 SHA-1, SHA- 256, SHA-384 PKCS1 v1.5 2048 Digital Key Generation, Signature Generation and Verification A2690 SHS FIPS 180-4 SHA-1, SHA- 256, SHA-384, SHA-512 Byte Only 160, 256, 384, 512 Message Digest A2690 Triple-DES4 SP 800-67 TEBC, TCBC 192 Data Encryption/Decryption A2690 KTS SP 800-38F AES-GCM5 128, 256 Key Wrapping/Key Transport via IKE/IPSec AES A2690 HMAC A2690 KTS SP 800-38F AES-CBC6 HMAC-SHA-1, HMAC-SHA- 256, HMAC- SHA-384, HMAC-SHA- 512 128, 192, 256 Key Size < Block Size Key Wrapping/Key Transport via IKE/IPSec 4 In FIPS Mode, Triple-DES is only used in the Self-Tests and with the KEK 5 key establishment methodology provides 128 or 256 bits of encryption strength 6 key establishment methodology provides between 128 and 256 bits of encryption strength 34 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy Table 30 – ArubaOS Crypto Module CAVP Certificates ArubaOS Crypto Module CAVP Certificate # Algorithm Standard Mode/Method Key Lengths, Curves, Moduli Use A2689 AES FIPS 197, SP 800-38A SP 800-38D CBC, GCM 128, 192, 256 Data Encryption/Decryption A2689 CVL7 IKEv2 (KDF) SP800-135 IKEv2 IKEv2: DH 2048-bit; SHA- 256, SHA-384 Key Derivation A2689 CVL IKEv2 (KDF) SP800-135 IKEv2 IKEv2: SHA-1 Key Derivation A2689 DSA FIPS 186-4 keyGen, pqgGen L=2048, N=256, SHA2-256 Key Generation, Digital Key Generation A2689 ECDSA 186-4 PKG, SigGen, SigVer P256, P384 Digital Key Generation, Signature Generation and Verification A2689 ECDSA 186-4 PKV P256, P384 Key Verification A2689 HMAC FIPS 198-1 HMAC-SHA1, HMAC-SHA- 256, HMAC- SHA-384, HMAC-SHA- 5128 HMAC-SHA-1- 96, HMAC-SHA- 256-128, HMAC-SHA- 384-192 Key Size < Block Size Message Authentication A2689 KAS-SSC SP 800-56A Rev3 FFC: dhEphem, ECC: Ephemeral Unified FFC: FC with SHA2-256 ECC: P-256 with SHA2-256 KAS Roles - initiator, responder Key Agreement Scheme – Shared Secret Computation N/A KAS SP 800-56A Rev3 SP 800-135 KAS-SSC Cert A2689 CVL Cert A2689 N/A Key Agreement Scheme – IG D.8, scenario X1 (2) A2689 RSA FIPS 186-2 SHA-1, SHA- 256, SHA-384 PKCS1 v1.5 2048 Digital Signature Verification A2689 RSA FIPS 186-4 SHA-1, SHA- 256, SHA-384 PKCS1 v1.5 2048 Digital Key Generation, Signature Generation and Verification 7 IKEv2 protocol has not been reviewed or tested by the CAVP and CMVP 8 In FIPS Mode, HMAC-SHA-512 is only used in the Self-Tests. Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |35 A2689 SHS FIPS 180-4 SHA-1, SHA- 256, SHA-384, SHA-5129 Byte Only 160, 256, 384, 512 Message Digest A2689 Triple-DES10 SP 800-67 TCBC 192 Data Encryption/Decryption A2689 KTS SP 800-38F AES-GCM11 128, 256 Key Wrapping/Key Transport via IKE/IPSec AES A2689 HMAC A2689 KTS SP 800-38F AES-CBC12 HMAC-SHA1, HMAC-SHA- 256, HMAC- SHA-384, HMAC-SHA- 51213 128, 192, 256 Key Size < Block Size Key Wrapping/Key Transport via IKE/IPSec Table 31 – ArubaOS Bootloader CAVP Certificates ArubaOS Bootloader CAVP Certificate # Algorithm Standard Mode/Method Key Lengths, Curves, Moduli Use A2688 RSA FIPS 186-4 SHA-1, SHA-256 2048 Digital Signature Verification A2688 SHS FIPS 180-4 SHA-1, SHA-256 Byte Only 160, 256 Message Digest Note: • Only Firmware signed with SHA-256 is permitted in the Approved mode. Digital signature verification with SHA-1, while available within the module, shall only be used while in the non-Approved mode. 9 In FIPS Mode, SHA-512 is only used in the Self-Tests. 10 In FIPS Mode, Triple-DES is only used in the Self-Tests 11 key establishment methodology provides 128 or 256 bits of encryption strength 12 key establishment methodology provides between 128 and 256 bits of encryption strength 13 In FIPS Mode, HMAC-SHA-512 is only used in the Self-Tests. 36 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy 7.2.Non-FIPS Approved but Allowed Cryptographic Algorithms The cryptographic module implements the following non-FIPS Approved algorithms that are Allowed for use in the FIPS 140-2 mode of operations: • MD5 (used for older versions of TLS) • NDRNG (used solely to seed the approved DRBG) • RSA (key wrapping; key establishment methodology provides 112 bits of encryption strength) Note: RSA key wrapping is used in TLS protocol implementation. 7.3.Non-FIPS Approved Cryptographic Algorithms The cryptographic module implements the following non-approved algorithms that are not permitted for use in the FIPS 140-2 mode of operations: • DES • HMAC-MD5 • MD5 (as used in services other than older versions of TLS) • RC4 • RSA (non-compliant less than 112 bits or when used with SHA-1) • Null Encryption • ECDSA (non-compliant when using 186-2 signature generation) • Triple-DES as used in IKE/IPSec Note: • DES, MD5, HMAC-MD5 and RC4 are used for older versions of WEP in non-FIPS mode Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |37 8. Critical Security Parameters The following are the Critical Security Parameters (CSPs) used in the module. The user is responsible for zeroizing all CSPs when switching modes. Table 32 – CSPs/Keys Used in the Module # Name Algorithm/Key Size Generation/Use Storage Zeroization General Keys/CSPs 1 Key Encryption Key (KEK) – Not Considered as a CSP Triple-DES (192 bits) Hardcoded during manufacturing. This is used to obfuscate keys. Stored in Flash memory (plaintext). The zeroization requirements do not apply to this key as it is not considered a CSP. 2 DRBG Entropy Input SP800-90A CTR_DRBG (512 bits) Entropy inputs to the DRBG function used to construct the DRBG seed. 64 bytes are gotten from the entropy source on each call by any service that requires a random number. Stored in SDRAM memory (plaintext) Zeroized by rebooting the module 3 DRBG Seed SP800-90A CTR_DRBG (384-bits) Input to the DRBG that determines the internal state of the DRBG. Generated using DRBG derivation function that includes the entropy input from the entropy source, by any service that requires a random number. Stored in SDRAM memory (plaintext) Zeroized by rebooting the module 4 DRBG Key SP800-90A CTR_DRBG (256 bits) This is the DRBG key used for SP800-90A CTR_DRBG. Stored in SDRAM memory (plaintext) Zeroized by rebooting the module 5 DRBG V SP800-90A CTR_DRBG V (128 bits) Internal V value used as part of SP800-90A CTR_DRBG. Stored in SDRAM memory (plaintext) Zeroized by rebooting the module 6 Diffie-Hellman Private Key Diffie-Hellman Group 14 (224 bits) Generated internally by calling FIPS approved DRBG during Diffie- Hellman Exchange. Used for establishing DH shared secret. Stored in SDRAM memory (plaintext). Zeroized by rebooting the module 38 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy Table 32 – CSPs/Keys Used in the Module 7 Diffie-Hellman Public Key Diffie-Hellman Group 14 (2048 bits) Generated internally by calling FIPS approved DRBG during Diffie- Hellman Exchange. Used for establishing DH shared secret. Stored in SDRAM memory (plaintext). Zeroized by rebooting the module 8 Diffie-Hellman Shared Secret Diffie-Hellman Group 14 (2048 bits) Established during Diffie- Hellman Exchange. Used for deriving IPSec/IKE and SSH cryptographic keys. Stored in SDRAM memory (plaintext). Zeroized by rebooting the module 9 EC Diffie-Hellman Private Key EC Diffie-Hellman (Curves: P-256 or P-384). Generated internally by calling FIPS approved DRBG during EC Diffie- Hellman Exchange. Used for establishing ECDH shared secret. Stored in SDRAM memory (plaintext). Zeroized by rebooting the module 10 EC Diffie-Hellman Public Key EC Diffie-Hellman (Curves: P-256 or P-384). Generated internally by calling FIPS approved DRBG during EC Diffie- Hellman Exchange. Used for establishing ECDH shared secret. Stored in SDRAM memory (plaintext). Zeroized by rebooting the module 11 EC Diffie-Hellman Shared Secret EC Diffie-Hellman (Curves: P-256 or P-384) Established during EC Diffie-Hellman Exchange. Used for deriving IPSec/IKE and TLS cryptographic keys. Stored in SDRAM memory (plaintext). Zeroized by rebooting the module 12 RADIUS server Shared Secret Shared Secret (8-128 characters) Entered by CO role. Used for RADIUS server authentication. Stored in Flash memory obfuscated with KEK. Zeroized by using command ‘wipe out flash’ or by overwriting with a new secret 13 Crypto Officer Password Password (8-32 characters) Entered by CO role. Used for CO role authentication. Stored in Flash memory obfuscated with KEK Zeroized by using command ‘wipe out flash’ or by overwriting with a new secret 14 RSA Private Key RSA Private Key (2048 bits) This key is generated by calling FIPS approved DRBG in the module. Used for IKEv1, IKEv2, TLS, OCSP (signing OCSP messages) and EAP-TLS peers authentication. This key can also be entered by the CO. Stored in Flash memory obfuscated with KEK. Zeroized by using command ‘wipe out flash’ Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |39 Table 32 – CSPs/Keys Used in the Module 15 RSA Public Key RSA Public Key (2048 bits) This key is generated by calling FIPS approved DRBG in the module. This key can also be entered by the CO. Used for IKEv1, IKEv2, TLS, OCSP (verifying OCSP messages) and EAP-TLS peers authentication. Stored in Flash memory obfuscated with KEK. Zeroized by using command ‘wipe out flash’ 16 ECDSA Private Key ECDSA suite B (P-256 and P-384 curves) This key is generated by calling FIPS approved DRBG in the module. Used for IKEv1, IKEv2, TLS and EAP-TLS peers authentication. This key can also be entered by the CO. Stored in Flash memory obfuscated with KEK. Zeroized by using command ‘wipe out flash’ 17 ECDSA Public Key ECDSA suite B (P-256 and P-384 curves) This key is generated by calling FIPS approved DRBG in the module. This key can also be entered by the CO. Used for IKEv1, IKEv2, TLS and EAP-TLS peers authentication. Stored in Flash memory obfuscated with KEK. Zeroized by using command ‘wipe out flash’ IPSec/IKE 18 IKE Pre-Shared Secret Shared Secret (8 - 64 ASCII or 64 HEX characters) Entered by CO role. Used for IKEv1 and IKEv2 peers authentication. Stored in Flash memory obfuscated with KEK. Zeroized by using command ‘wipe out flash’ or by overwriting with a new secret 19 skeyid Shared Secret (160/256/384 bits) A shared secret known only to IKE peers. It was established via key derivation function defined in SP800-135 KDF (IKEv1). Used for deriving other keys in IKE protocol implementation. Stored in SDRAM memory (plaintext). Zeroized by rebooting the module. 20 skeyid_d Shared Secret (160/256/384 bits) A shared secret known only to IKE peers. It was derived via key derivation function defined in SP800-135 KDF (IKEv1). Used for deriving IKE session authentication key. Stored in SDRAM memory (plaintext). Zeroized by rebooting the module 40 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy Table 32 – CSPs/Keys Used in the Module 21 SKEYSEED Shared Secret (160/256/384 bits) A shared secret known only to IKE peers. It was derived via key derivation function defined in SP800-135 KDF (IKEv2) and it will be used for deriving IKE session authentication key. Stored in SDRAM memory (plaintext). Zeroized by rebooting the module 22 IKE Session Authentication Key HMAC-SHA-1/256/384 (160/256/384 bits) The IKE session (IKE Phase I) authentication key. This key is derived via key derivation function defined in SP800-135 KDF (IKEv1/IKEv2). Used for IKEv1/IKEv2 payload integrity verification. Stored in SDRAM memory (plaintext). Zeroized by rebooting the module 23 IKE Session Encryption Key AES (CBC) (128/192/256 bits) The IKE session (IKE Phase I) encrypt key. This key is derived via key derivation function defined in SP800-135 KDF (IKEv1/IKEv2). Used for IKE payload protection. Stored in SDRAM memory (plaintext). Zeroized by rebooting the module 24 IPSec Session Encryption Key AES (CBC) (128/192/256 bits) and AES-GCM (128/256 bits) The IPSec (IKE phase II) encryption key. This key is derived via a key derivation function defined in SP800-135 KDF (IKEv1/IKEv2). Used for IPSec traffics protection. Stored in SDRAM memory (plaintext). Zeroized by rebooting the module 25 IPSec Session Authentication Key HMAC-SHA-1 (160 bits) The IPSec (IKE Phase II) authentication key. This key is derived via using the KDF defined in SP800-135 KDF (IKEv1/IKEv2). Used for IPSec traffics integrity verification. Stored in SDRAM memory (plaintext). Zeroized by rebooting the module SSHv2 26 SSHv2 Session Key AES (CBC Mode, CTR Mode) (128/192/256 bits) This key is derived via a key derivation function defined in SP800-135 KDF (SSHv2). Used for SSHv2 traffics protection. Stored in SDRAM memory (plaintext). Zeroized by rebooting the module Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |41 Table 32 – CSPs/Keys Used in the Module 27 SSHv2 Session Authentication Key HMAC-SHA-1, HMAC- SHA1-96 (160-bit) This key is derived via a key derivation function defined in SP800-135 KDF (SSHv2). Used for SSHv2 traffics integrity verification. Stored in SDRAM memory (plaintext). Zeroized by rebooting the module TLS 28 TLS Pre-Master Secret Secret (48 bytes) This key is transferred into the module, protected by TLS RSA public key. Stored in SDRAM memory (plaintext). Zeroized by rebooting the module 29 TLS Master Secret Secret (48 bytes) This key is derived via the key derivation function defined in SP800-135 KDF (TLS) using the TLS Pre- Master Secret. Stored in SDRAM memory (plaintext). Zeroized by rebooting the module 30 TLS Session Encryption Key AES (CBC Mode, GCM Mode) (128/256 bits) This key is derived via a key derivation function defined in SP800-135 KDF (TLS). Used for TLS traffics protection. Stored in SDRAM memory (plaintext). Zeroized by rebooting the module 31 TLS Session Authentication Key HMAC-SHA-1/256/384 (160/256/384 bits) This key is derived via a key derivation function defined in SP800-135 KDF (TLS). Used for TLS traffic integrity verification. Stored in SDRAM memory (plaintext). Zeroized by rebooting the module SNMPv3 32 SNMPv3 Authentication Password Password (8-31 characters) Entered by CO role. User for SNMPv3 authentication. Stored in Flash memory obfuscated with KEK. Zeroized by using command ‘wipe out flash’ or by overwriting with a new secret 33 SNMPv3 Authentication Key AES-CFB Key (128 bits) This key is derived via a key derivation function defined in SP800-135 KDF (SNMPv3). Used for SNMPv3 authentication. Stored in SDRAM memory (plaintext). Zeroized by rebooting the module 34 SNMPv3 Engine ID Password (10 – 24 hex characters) Entered by CO role. A unique string used to identify the SNMP engine. Stored in Flash memory obfuscated with KEK. Zeroized by using command ‘wipe out flash’ or by overwriting with a new secret 42 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy Table 32 – CSPs/Keys Used in the Module 35 SNMPv3 Privacy Key AES-CFB Key (128 bits) This key is derived via a key derivation function defined in SP800-135 KDF (SNMPv3). Used for SNMPv3 traffics protection. Stored in SDRAM memory (plaintext). Zeroized by rebooting the module 36 SNMPv3 Privacy Protocol Password Password (8 - 31 characters) Entered by CO role. A unique string used to protect SNMP privacy protocol. Stored in Flash memory (ciphertext) obfuscated with KEK. Zeroized by using command ‘wipe out flash’ or by overwriting with a new secret 802.11i 37 802.11i Pre-Shared Secret Shared Secret (8-63 ASCII or 64 HEX characters) Entered by CO role. Used for 802.11i client/server authentication. Stored in Flash memory obfuscated with KEK. Zeroized by using command ‘wipe out flash’ or by overwriting with a new secret 38 802.11i Pair-Wise Master Key (PMK) Shared Secret (256 bits) The PMK is transferred to the module, protected by IPSec secure tunnel. Used to derive the Pairwise Transient Key (PTK) for 802.11i communications. Stored in SDRAM (plaintext). Zeroized by rebooting the module 39 802.11i Pairwise Transient Key (PTK) HMAC (384 bits) This key is used to derive WPA2/WPA3 session key by using the KDF defined in SP800- 108 and SP800-56C Rev1. Stored in SDRAM memory (plaintext) Zeroized by rebooting the module 40 802.11i Session Key AES-CCM (128 bits) Derived during WPA2/WPA3 4-way handshake by using the KDF defined in SP800- 108 and SP800-56C Rev1 then used as the session key. Stored in SDRAM memory (plaintext). Zeroized by rebooting the module Factory Key 41 Factory CA Public Key RSA (2048 bits) This is RSA public key. Loaded into the module during manufacturing. Used for Firmware verification. Stored in TPM Zeroized by using command ‘zeroize-tpm- keys’ NTP Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |43 Table 32 – CSPs/Keys Used in the Module 42 NTP Authentication Key SHA-1 (160-bit) Entered by CO role. A unique string used for authentication to the NTP server. Stored in Flash memory (ciphertext) obfuscated with KEK. Zeroized by using command ‘wipe out flash’ or by deleting the NTP configuration. Mobility Master 43 Master Public Certificate RSA (2048 bits) This key is generated by calling FIPS approved DRBG in the module. Used for SSH to the Mobility Master when connecting to the controllers for management. Stored in Flash memory (ciphertext) obfuscated with KEK. Zeroized by using command ‘wipe out flash’ Notes: • AES GCM IV generation is performed in compliance with the Implementation Guidance A.5 scenario 1. The AES-GCM IV is used in the TLS and IPSec/IKEv2 protocols. o When used with TLS, it is internally generated deterministically in compliance with TLSv1.2 GCM cipher suites as described in SP 800-52 Rev 2, Section 3.3.1. Per RFC 5246, when the nonce_explicit part of the IV exhausts the maximum number of possible values for a given session key, the module will trigger a handshake to establish a new encryption key. o When used with IPSec/IKEv2, it is internally generated deterministically in compliance with RFCs 4106 and 5282. Additionally, the module uses RFC 7296 compliant IKEv2 to establish the shared secret SKEYSEED from which the AES GCM encryption keys are derived. Per RFC 7296, when the IV exhausts the maximum number of possible values for a given security association the module will trigger a rekeying with IKEv2 to establish a new encryption key for the security association. • CKG (vendor affirmed to SP 800-133 Rev2): For keys identified as being “Generated internally by calling FIPS approved DRBG", the generated seed used in the asymmetric key generation is an unmodified output from the DRBG. • Aruba believes the module generates a minimum of 256 bits of entropy for use in key generation through two primary entropy noise sources. The min-entropy rates claimed by the entropy noise source vendors are 70% and 75%. Testing with the NIST SP800-90B test suite of raw data samples from one of the noise sources resulted in significantly better min-entropy than claimed by its vendor, but due to lack of access to unconditioned entropy samples from the other entropy noise source at the time of the evaluation, Aruba has included the following entropy caveat. The module generates cryptographic keys whose strengths are modified by available entropy. • CSPs labeled as “Entered by CO” are entered into the module via SSH/TLS. • CSPs generated in FIPS mode cannot be used in non-FIPS mode, and vice versa. 44 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy 9. Self-Tests The module performs Power On Self-Tests regardless the modes (non-FIPS mode and FIPS mode). In addition, the module also performs Conditional tests after being configured into the FIPS mode. In the event any self-test fails, the module will enter an error state, log the error, and reboot automatically. The module performs the following Power On Self-Tests (POSTs): • ArubaOS OpenSSL Module: o AES (Encrypt/Decrypt) KATs o DRBG KATs o ECDSA (P-256, P-384) (Sign/Verify) KATs o HMAC (HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-384 and HMAC-SHA2-512) KATs o KAS-SSC (SP 800-56A Rev3) KATs (FFC and ECC) o KDA (SP 800-56C Rev1) KAT (two-step KDF with HMAC) o KBKDF KAT o KDF135 KATs (IKEv1 KDF, TLS KDF, SSH KDF, SNMP KDF) o RSA (2048) (Sign/Verify) KATs o SHS (SHA-1, SHA2-256, SHA2-384 and SHA2-512) KATs o Triple-DES (Encrypt/Decrypt) KATs • ArubaOS Crypto Module: o AES (Encrypt/Decrypt) KATs o AES-GCM (Encrypt/Decrypt) KATs o KAS-SSC (SP 800-56A Rev3) KATs (FFC and ECC) o ECDSA (Sign/Verify) KATs o HMAC (HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384 and HMAC-SHA-512) KATs o RSA (Sign/Verify) KATs o SHS (SHA-1, SHA-256, SHA-384 and SHA-512) KATs o Triple-DES (Encrypt/Decrypt) KATs Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |45 • ArubaOS Bootloader: o Firmware Integrity Test: RSA PKCS#1 v1.5 (2048 bits) signature verification with SHA-256 • Aruba Hardware Crypto Accelerator (Hardware): o AES encrypt KAT o AES decrypt KAT o AES-CCM encrypt KAT o AES-CCM decrypt KAT o AES-GCM encrypt KAT o AES-GCM decrypt KAT o HMAC (HMAC-SHA1, HMAC-SHA256, HMAC-SHA384 and HMAC-SHA512) KATs o RSA sign KAT o RSA verify KAT o Triple-DES encrypt KAT o Triple-DES decrypt KAT The module performs the following Conditional Tests: • ArubaOS OpenSSL Module: o Bypass Tests (Wired Bypass Test and Wireless Bypass Test) o CRNG Test on Approved DRBG o CRNG Test for NDRNG o Firmware Load Test - RSA PKCS#1 v1.5 (2048 bits) signature verification with SHA-256 o ECDSA Pairwise Consistency Test o RSA Pairwise Consistency Test o SP800-90A Section 11.3 Health Tests for DRBG (Instantiate, Generate and Reseed). o DSA Pairwise Consistency Test o SP800-56A Rev3 assurances as per SP 800-56A Rev3 Sections 5.5.2, 5.6.2 and 5.6.3. • ArubaOS Crypto Module: o ECDSA Pairwise Consistency Test o RSA Pairwise Consistency Test o Diffie-Hellman Pairwise Consistency Test o DSA Pairwise Consistency Test o SP800-56A Rev3 assurances as per SP 800-56A Rev3 Sections 5.5.2, 5.6.2 and 5.6.3. • ArubaOS BootLoader: o Firmware Load Test - RSA PKCS#1 v1.5 (2048 bits) signature verification with SHA2-256 (this test is applied by the ArubaOS Bootloader on boot). Self-test results are logged in a log file. Upon successful completion of the power-up self tests, the module logs a KATS: passed message into a log file. Confirm the file update by checking the associated time of the file. 46 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy 9.1.Alternating Bypass State The controller implements an alternating bypass state when: • If the VLAN is one that is associated with an IPSec map, then traffic will be encrypted, otherwise it will not be • A configuration provides wireless access without encryption The alternating bypass status can be identified by retrieving whether or not the VLAN association is with an IPSec map, or the wireless network configuration. Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |47 10.Installing the Controller This chapter covers the physical installation of the 7XXX Controllers with FIPS 140-2 Level 2 validation. The Crypto Officer is responsible for ensuring that the following procedures are used to place the controller in a FIPS-approved mode of operation. This chapter covers the following installation topics: • Precautions to be observed during installation • Requirements for the controller components and rack mounting gear • Selecting a proper environment for the controller • Mounting the controller in a rack • Connecting power to the controller 10.1. Pre-Installation Checklist You will need the following during installation: • Aruba 7XXX Controller components. • Phillips or cross-head screwdriver. • Equipment rack. • Aruba power cord for each power supply, rated to at least 10 A with IEC320 connector. • Adequate power supplies and electrical power. • Cool, non-condensing air 0 to 40 ºC (32 to 104 ºF). May require air conditioning. • Management Station (PC) with 10/100 Mbps Ethernet port and SSHv2 software. • A 4- or 8-conductor Category 5 UTP Ethernet cable. 10.2. Precautions • Installation should be performed only by a trained technician. • Dangerous voltage in excess of 240 VAC is always present while the Aruba power supply is plugged into an electrical outlet. Remove all rings, jewelry, and other potentially conductive material before working with this product. • Never insert foreign objects into the chassis, the power supply, or any other component, even when the power supplies have been turned off, unplugged, or removed. • Main power is fully disconnected from the controller only by unplugging all power cords from their power outlets. For safety reasons, make sure the power outlets and plugs are within easy reach of the operator. • Do not handle electrical cables that are not insulated. This includes any network cables. • Keep water and other fluids away from the product. • Comply with electrical grounding standards during all phases of installation and operation of the product. Do not allow the controller chassis, network ports, power supplies, or mounting brackets to contact any device, cable, object, or person attached to a different electrical ground. Also, never connect the device to external storm grounding sources. • Installation or removal of the chassis or any module must be performed in a static-free environment. The proper use of anti-static body straps and mats is strongly recommended. • Keep modules in anti-static packaging when not installed in the chassis. • Do not ship or store this product near strong electromagnetic, electrostatic, magnetic or radioactive fields. • Do not disassemble chassis or modules. They have no internal user-serviceable parts. When service or repair is needed, contact Aruba Networks. 10.3. Product Examination The units are shipped to the Crypto Officer in factory-sealed boxes using trusted commercial carrier shipping companies. The Crypto Officer should examine the carton for evidence of tampering. Tamper-evidence includes tears, scratches, and other irregularities in the packaging. 48 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy 10.4. Package Contents The product carton should include the following: • 7XXX Controller • Rack mounting kit (optional) • Aruba User Documentation CD • Tamper-Evident Labels Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |49 11.Tamper-Evident Labels After testing, the Crypto Officer must apply Tamper-Evident Labels (TELs) to the Controller. When applied properly, the TELs allow the Crypto Officer to detect the opening of the chassis cover, the removal or replacement of modules or cover plates, or physical access to restricted ports. Vendor provides FIPS 140 designated TELs which have met the physical security testing requirements for tamper evident labels under the FIPS 140-2 Standard. TELs are not endorsed by the Cryptographic Module Validation Program (CMVP). The tamper-evident labels shall be installed for the module to operate in a FIPS Approved mode of operation. Aruba Provides double the required amount of TELs. If a customer requires replacement TELs, please call customer support and Aruba will provide the TELs (Part # 4011570-01 - HPE SKU JY894A). The Crypto officer shall be responsible for keeping the extra TELs at a safe location and managing the use of the TELs. 11.1. Reading TELs Once applied, the TELs included with the Controller cannot be surreptitiously broken, removed, or reapplied without an obvious change in appearance: Figure 9 – Tamper Evident Labels Each TEL also has a unique serial number to prevent replacement with similar labels. 50 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy 11.2. Required TEL Locations The Aruba 7005 Mobility Controller requires a minimum of 4 TELs to be applied as follows: To Detect Opening the Chassis Lid • Spanning the front left side and right rear corners of the chassis lid where it meets the chassis bottom, as shown in Figures 10 and 11 (Labels 1 & 2). To Detect Access to Restricted Ports • Two labels spanning the RJ-45 and mini-USB serial ports, as shown in Figure 11. Press down on this label to ensure that it adheres to a sufficient area of the front bezel. The RJ-45 port is raised relative to the bezel so there will be some air gap under the label in this area. However, the air gap should not be larger than 2-3mm. Figure 10 - Required TELs for the Aruba 7005 Mobility Controller – Bottom Figure 11 - Required TELs for the Aruba 7005 Mobility Controller – Front Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |51 The Aruba 7008 Mobility Controller requires a minimum of 8 TELs to be applied as follows: To Detect Opening the Chassis Lid • Spanning the front left side and right rear corners of the chassis lid where it meets the chassis bottom, as shown in Figures 12 and 13 (Labels 1 & 2). To Detect Access to Restricted Ports • One label spanning the RJ-45 and mini-USB serial ports, as shown in Figure 13. Press down on this label to ensure that it adheres to a sufficient area of the front bezel. The RJ-45 port is raised relative to the bezel so there will be some air gap under the label in this area. However, the air gap should not be larger than 2-3mm. Figure 12 - Required TELs for the Aruba 7008 Mobility Controller – Bottom Figure 13 - Required TELs for the Aruba 7008 Mobility Controller – Front 52 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy The Aruba 7010 Mobility Controller requires a minimum of 6 TELs to be applied as follows: To Detect Opening the Chassis Lid Top • Spanning the front bezel and the chassis lid, as shown in Figure 14 (Label 1). To Detect Opening the Chassis Lid Bottom • Spanning the bottom and the chassis lid, as shown in Figures 15 and 16 (Labels 3, 4, 5 and 6). To Detect Access to Restricted Ports • One label (label 2) spanning the RJ-45 and mini-USB serial ports, as shown in Figure 14. Press down on this label to ensure that it adheres to a sufficient area of the front bezel. The RJ-45 port is raised relative to the bezel so there will be some air gap under the label in this area. However, the air gap should not be larger than 2-3mm. Figure 14 - Required TELs for the Aruba 7010 Mobility Controller – Top Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |53 Figure 15 - Required TELs for the Aruba 7010 Mobility Controller – Front Figure 16 - Required TELs for the Aruba 7010 Mobility Controller – Bottom 54 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy The Aruba 7024 Mobility Controller requires a minimum of 7 TELs to be applied as follows: To Detect Opening the Chassis Lid Top • Spanning the front bezel and the chassis lid, as shown in Figures 17 and 18 (Label 1). To Detect Opening the Chassis Lid Bottom • Spanning the bottom and the chassis lid, as shown in Figure 19 and 20 (Labels 4, 5, 6 and 7). To Detect Access to Restricted Ports • One label (label 3) spanning the RJ-45 serial port and one spanning the mini-USB port (label 2) as shown in Figure 17 and 19 (labels 2 & 3). Press down on this label to ensure that it adheres to a sufficient area of the front bezel. The RJ-45 port is raised relative to the bezel so there will be some air gap under the label in this area. However, the air gap should not be larger than 2-3mm. Figure 17 - Required TELs for the Aruba 7024 Mobility Controller – Front Figure 18 - Required TELs for the Aruba 7024 Mobility Controller – Top Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |55 Figure 19 - Required TELs for the Aruba 7024 Mobility Controller – Rear Figure 20 - Required TELs for the Aruba 7024 Mobility Controller – Bottom 56 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy The Aruba 7030 Mobility Controller requires a minimum of 6 TELs to be applied as follows: To Detect Opening the Chassis Lid Top • Spanning the front bezel and the chassis lid, as shown in Figures 21 & 22 (Label 1). To Detect Opening the Chassis Lid Bottom • Spanning the bottom and the chassis lid, as shown in Figures 23 (Labels 3, 4, 5 and 6). To Detect Access to Restricted Ports • One label (label 2) spanning the RJ-45 and mini-USB serial ports, as shown in Figure 22 (Label 2). Press down on this label to ensure that it adheres to a sufficient area of the front bezel. The RJ-45 port is raised relative to the bezel so there will be some air gap under the label in this area. However, the air gap should not be larger than 2- 3mm. Figure 21 - Required TELs for the Aruba 7030 Mobility Controller – Top Figure 22 - Required TELs for the Aruba 7030 Mobility Controller – Front Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |57 Figure 23 - Required TELs for the Aruba 7030 Mobility Controller – Bottom The Aruba 7205 Mobility Controller requires a minimum of 6 TELs to be applied as follows: To Detect Opening the Chassis Lid Top • Spanning the front bezel and the chassis lid, as shown in Figure 24 (Label 1). To Detect Opening the Chassis Lid Bottom • Spanning the bottom and the chassis lid, as shown in Figures 25 and 26 (Labels 3, 4, 5 and 6). To Detect Access to Restricted Ports • One label (label 2) spanning the RJ-45 and mini-USB serial ports, as shown in Figure 25 (label 2). Press down on this label to ensure that it adheres to a sufficient area of the front bezel. The RJ-45 port is raised relative to the bezel so there will be some air gap under the label in this area. However, the air gap should not be larger than 2- 3mm. 58 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy Figure 24 - Required TELs for the Aruba 7205 Mobility Controller – Top Figure 25 - Required TELs for the Aruba 7205 Mobility Controller – Front Figure 26 - Required TELs for the Aruba 7205 Mobility Controller – Bottom Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |59 The Aruba 7200 (including the 7210, 7220, and 7240 which use the same chassis) Mobility Controller requires a minimum of 15 TELs to be applied as follows: To Detect Opening the Chassis Lid • Spanning the left side and right side of the chassis lid where it meets the chassis bottom, as shown in Figures 27, 30, and 31. • Spanning the front bezel and the chassis lid, as shown in Figures 28 and 29. • Spanning the expansion slot cover plate and the top of the chassis, as shown in Figures 28 and 29. To Detect the Removal of Any Module or Cover Plate • Spanning power supply 1 and the top of the chassis, as shown in Figures 29. If a second power supply is installed, a TEL should be applied to it in an identical way to power supply 1. • Spanning power supply 2 (if installed) and the top of the chassis, or spanning the power supply 2 cover plate and the top and bottom of the chassis, as shown in Figures 27, 31, and 32. • Spanning the fan try and the top and bottom of the chassis, as shown in Figures 27, 28, and 29. To Detect Access to Restricted Ports • Two labels spanning the RJ-45 and mini-USB serial ports, as shown in Figure 28. Press down on this label to ensure that it adheres to a sufficient area of the front bezel. The RJ-45 port is raised relative to the bezel so there will be some air gap under the label in this area. However, the air gap should not be larger than 2-3mm. Figure 27 - Required TELs for the Aruba 7200 Mobility Controller – Top 60 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy Figure 28 - Required TELs for the Aruba 7200 Mobility Controller – Front Figure 29 - Required TELs for the Aruba 7200 Mobility Controller – Rear Figure 30 - Required TELs for the Aruba 7200 Mobility Controller – Right Side Figure 31 - Required TELs for the Aruba 7200 Mobility Controller – Left Side Figure 32 - Required TELs for the Aruba 7200 Mobility Controller – Bottom Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |61 11.3. Applying TELs The Crypto Officer should employ TELs as follows: • Before applying a TEL, make sure the target surfaces are clean and dry. Clean with alcohol and let dry. • Do not cut, trim, punch, or otherwise alter the TEL. • Apply the wholly intact TEL firmly and completely to the target surfaces. • Press down firmly across the entire label surface, making several back-and-forth passes to ensure that the label securely adheres to the chassis. • Ensure that TEL placement is not defeated by simultaneous removal of multiple modules. • Allow 24 hours for the TEL adhesive seal to completely cure. • Record the position and serial number of each applied TEL in a security log. • To obtain additional or replacement TELS, please call customer support and request FIPS Kit, part number 4011570-01 (HPE SKU JY894A). Once the TELs are applied, the Crypto Officer (CO) should perform initial setup and configuration as described in the next chapter. 11.4. Inspection/Testing of Physical Security Mechanisms The Crypto Officer should inspect/test the physical security mechanisms according to the recommended test frequency. Table 33 – Inspection/Testing of Physical Security Mechanisms Physical Security Mechanism Recommended Test Frequency Guidance Tamper-evident labels (TELs) Once per month Examine for any sign of removal, replacement, tearing, etc.. See images above for locations of TELs. If any TELS are found to be missing or damaged, contact a system administrator immediately. Opaque module enclosure Once per month Examine module enclosure for any evidence of new openings or other access to the module internals. If any TELS are found to be missing or damaged, contact a system administrator immediately. 62 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy 12.Ongoing Management The Aruba 7XXX Controllers meet FIPS 140-2 Security Level 2 requirements. The information below describes how to keep the Controller in FIPS-Approved mode of operation. The Crypto Officer must ensure that the Controller is kept in a FIPS-Approved mode of operation. 12.1. Crypto Officer Management The Crypto Officer must ensure that the Controller is always operating in a FIPS-Approved mode of operation. This can be achieved by ensuring the following: • FIPS mode must be enabled on the Controller before Users are permitted to use the Controller (see section 13.3, Enabling FIPS Mode). • The admin role must be root. • Passwords must be at least eight (8) characters long. • VPN services can only be provided by IPSec or L2TP over IPSec. • Access to the Controller Web Interface is permitted only using HTTP over a TLS tunnel. Basic HTTP and HTTP over SSL are not permitted. • Only SNMP read-only may be enabled. • Only FIPS-Approved algorithms can be used for cryptographic services. Please refer to section 7.1, FIPS Approved Algorithms, for the list of Approved algorithms. • TFTP can only be used to load backup and restore files. These files are: Configuration files (system setup configuration), the WMS database (radio network configuration), and log files. (FTP and TFTP over IPSec can be used to transfer configuration files.) • The Controller logs must be monitored. If a strange activity is found, the Crypto Officer should take the Controller offline and investigate. • The Tamper-Evident Labels (TELs) must be regularly examined for signs of tampering. Refer to Table 33 in section 11.4, Inspection/Testing of Physical Security Mechanisms, for the recommended frequency. • When installing expansion or replacement modules for the Aruba 7XXX Controllers, use only FIPS-Approved modules, replace TELs affected by the change, and record the reason for the change, along with the new TEL locations and serial numbers, in the security log. • All configuration performed through the Mobility Master when configured as a managed device must ensure that only the approved algorithms and services are enabled on the FIPS-enabled Controller. • Refer to section 13.4, Non-Approved FIPS Mode Configurations for non-Approved configurations in FIPS-Approved mode. • The user is responsible for zeroizing all CSPs when switching modes. • The guidelines in this SP’s section 7.3, Error! Reference source not found., section 12, Error! Reference source not found., and section 13, Error! Reference source not found. must be adhered to. Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy |63 13.User Guidance The User accesses the Controller VPN functionality as an IPSec client. The user can also access the Controller 802.11i functionality as an 802.11 client. Although outside the boundary of the Controller, the User should be directed to be careful not to provide authentication information and session keys to others parties. 13.1. Setup and Configuration The Aruba 7XXX Controllers meet FIPS 140-2 Security Level 2 requirements. The sections below describe how to place and keep the Controller in FIPS-Approved mode of operation. The Crypto Officer (CO) must ensure that the Controller is kept in a FIPS-Approved mode of operation. The Controller can operate in two modes: the FIPS-Approved mode, and the standard non-FIPS mode. By default, the Controller operates in non-FIPS mode. 13.2. Setting Up Your Controller To set up your Controller: 1. Make sure that the Controller is not connected to any device on your network. 2. Boot up the Controller. 3. Connect your PC or workstation to a line port on the Controller. For further details, see the ArubaOS 8.X Getting Started Guide. When running as a managed device: 1. Make sure that the Controller is connected only to the Mobility Master on your network. 2. Boot up the Controller. 3. Connect to the Mobility Master. 4. Follow the procedures as discussed in the ArubaOS 8.X Getting Started Guide. 13.3. Enabling FIPS Mode For FIPS compliance, users cannot be allowed to access the Controller until the CO changes the mode of operation to FIPS mode. The CO can enable FIPS mode through the CLI via SSHv2 as identified under Section 13.3.1 below. For more information on using the CLI, refer to the ArubaOS 8.X Command-Line Interface Reference Guide. 13.3.1. Enabling FIPS Mode with the CLI Login to the controller using an SSHv2 client. Enable FIPS mode using the following commands: #configure terminal Enter Configuration commands, one per line. End with CNTL/Z (config) #fips enable (config) #exit #write memory Saving Configuration... Configuration Saved. To verify that FIPS mode has been enabled, issue the command “show fips”. If logging in to the Controller via the Mobility Master, please reference the ArubaOS 8.X User Guide on how to access a managed device. Once connected to the managed Controller, the above commands will successfully execute. 64 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware FIPS 140-2 Level 2 Security Policy Please abide by sections 12.1, Crypto Officer Management and 13.4, Non-Approved FIPS Mode Configurations. 13.3.2. Disabling the LCD Configuration through the front-panel LCD should be disabled. To disable the LCD screen, use the following CLI commands: (host) #configure terminal (host) (config) #lcd-menu (host) (lcd-menu) #disable menu 13.4. Disallowed FIPS Mode Configurations When you enable FIPS mode, the following configuration options are disallowed: o All WEP features o WPA o TKIP mixed mode o Any combination of DES, MD5, and PPTP o Firmware images signed with SHA-1 o Enhanced PAPI Security o Null Encryption o TLS with Diffie-Hellman Group 2 o Certificates with less than 112 bits security strength as used with IKEv1, IKEv2, IPSec, TLS/EAP-TLS, SSH, and/or user authentication o Telnet o EAP-TLS Termination o Diffie-Hellman Group14 with SHA-256 o IPSec/IKE using Triple-DES. o HMAC-SHA-256 as used in SSH o WPA3 o WPA2-MPSK 13.5. Full Documentation Full ArubaOS documentation can be found at the link provided below. https://asp.arubanetworks.com/downloads;fileTypes=DOCUMENT;products=Aruba%20Mobility%20Controllers%20%28A OS%29