WIXLIB

Aruba IAP-303H, IAP-304, IAP-305,IAP-314, IAP-315, IAP-324, AP-325,IAP-334, and IAP-335 WirelessAccess Pointswith Aruba Instant FirmwareNon-Proprietary Security PolicyFIPS 140-2 Level 2Version 4.9February 2021Aruba IAP-3XX Wireless Access Points with Aruba Instant Firmware FIPS 140-2 Level 2 Security Policy

Copyright 2020 Hewlett Packard Enterprise Company. Hewlett Packard Enterprise Company trademarks include,Aruba Networks , Aruba Wireless Networks , the registered Aruba the Mobile Edge Company logo, Aruba Mobility ManagementSystem , Mobile Edge Architecture , People Move. Networks Must Follow , RFProtect , Green Island . All rights reserved. Allother trademarks are the property of their respective owners.Open Source CodeCertain Hewlett Packard Enterprise Company products include Open Source software code developed by third parties, includingsoftware code subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other OpenSource Licenses. The Open Source code used can be found at this site:http://www.arubanetworks.com/open sourceLegal NoticeThe use of Aruba switching platforms and software, by all individuals or corporations, to terminate other vendors’ VPN clientdevices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Aruba.from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of those vendors.WarrantyThis hardware product is protected by the standard Aruba warranty of one year parts/labor. For more information, refer to theARUBACARE SERVICE AND SUPPORT TERMS AND CONDITIONS.Altering this device (such as painting it) voids the warranty.www.arubanetworks.com3333 Scott BlvdSanta Clara, CA, USA 95054Phone: 408.227.4500Fax 408.227.4550Aruba IAP-3XX Wireless Access Points with Aruba Instant Firmware FIPS 140-2 Level 2 Security Policy

Contents1.2.3.4.5.6.7.8.Purpose of this Document . 61.1.Related Documents . 61.2.Additional Product Information . 61.3.Acronyms and Abbreviations . 7Product Overview . 82.1IAP-303H . 82.1.1Physical Description . 92.1.2Dimensions/Weight . 92.1.3Environmental . 92.1.4Interfaces . 92.2IAP-300 Series . 122.2.1Physical Description . 132.2.2Dimensions/Weight . 132.2.3Environmental . 132.2.4Interfaces . 132.3IAP-310 Series . 152.3.1Physical Description . 162.3.2Dimensions/Weight . 162.3.3Environmental . 162.3.4Interfaces . 162.4IAP-320 Series . 182.4.1Physical Description . 192.4.2Dimensions/Weight . 192.4.3Environmental . 192.4.4Interfaces . 192.5IAP-330 Series . 212.5.1Physical Description . 222.5.2Dimensions/Weight . 222.5.3Environmental . 222.5.4Interfaces . 22Module Objectives . 243.1.Security Levels . 24Physical Security . 25Operational Environment . 25Logical Interfaces . 25Roles, Authentication and Services . 267.1Roles . 267.1.1Crypto Officer Role . 267.1.2User Role . 267.1.3Authentication Mechanisms . 277.2Services . 287.2.1Crypto Officer Services . 287.2.2User Services . 307.2.3Non-Approved Services . 317.2.4Unauthenticated Services . 317.2.5Services Available in Non-FIPS Mode . 31Cryptographic Algorithms . 328.1.FIPS Approved Algorithms . 328.2.Non-FIPS Approved Algorithms Allowed in FIPS Approved Mode. 35Aruba IAP-3XX Wireless Access Points with Aruba Instant Firmware FIPS 140-2 Level 2 Security Policy 3

8.3.Non-FIPS Approved Algorithms . 359. Critical Security Parameters . 3610.Self-Tests . 4011.Installing the Wireless Access Point . 4211.1.Pre-Installation Checklist . 4211.2.Identifying Specific Installation Locations . 4211.3.Precautions . 4311.4.Product Examination . 4311.5.Package Contents . 4312.Tamper-Evident Labels . 4412.1.Reading TELs . 4412.2.Required TEL Locations . 4512.2.1TELs Placement on the IAP-303H . 4512.2.2TELs Placement on the IAP-304 . 4612.2.3TELs Placement on the IAP-305 . 4712.2.4TELs Placement on the IAP-314 . 4812.2.5TELs Placement on the IAP-315 . 4912.2.6TELs Placement on the IAP-324 . 5012.2.7TELs Placement on the IAP-325 . 5112.2.8TELs Placement on the IAP-334 . 5212.2.9TELs Placement on the IAP-335 . 5312.3.Applying TELs . 5412.4.Inspection/Testing of Physical Security Mechanisms . 5413.User Guidance . 5513.1.Crypto Officer Management . 5513.2.Configuring FIPS Approved Mode . 5513.3.Full Documentation . 5614.Mitigation of Other Attacks . 57FiguresFigure 1 - Aruba IAP-303H (with stand). 8Figure 2 - Aruba IAP-303H Wireless Access Point – Interfaces (Front View) . 10Figure 3 - Aruba IAP-303H Wireless Access Point – Interfaces (Rear View) . 10Figure 4 - Aruba IAP-303H Wireless Access Point – Interfaces (Bottom View) . 11Figure 5 - Aruba IAP-303H Wireless Access Point – Interfaces (Side View) . 11Figure 6 - Aruba IAP-304 . 12Figure 7 - Aruba IAP-305 . 12Figure 8 - Aruba IAP-300 Series Access Point – Interfaces . 13Figure 9 - Aruba IAP-314 . 15Figure 10 - Aruba IAP-315 . 15Figure 11 - Aruba IAP-310 Series Access Point – Interfaces . 17Figure 12 - Aruba IAP-324 . 18Figure 13 - Aruba IAP-325 . 18Figure 14 - Aruba IAP-320 Series Access Point – Interfaces . 20Figure 15 - Aruba IAP-334 . 21Figure 16 - Aruba IAP-335 . 21Figure 17 - Aruba IAP-330 Series Access Point – Interfaces . 23Figure 18 - Tamper-Evident Labels . 444 Aruba IAP-3XX Wireless Access Points with Aruba Instant Firmware FIPS 140-2 Level 2 Security Policy

Figure 19 – Right View of IAP-303H with TELs . 45Figure 20 – Left View of IAP-303H with TELs. 45Figure 21 – Bottom View of IAP-303H with TELs. 45Figure 22 – Top View of IAP-304 with TELs . 46Figure 23 – Bottom View of IAP-304 with TELs . 46Figure 24 – Top View of IAP-305 with TELs . 47Figure 25 – Bottom View of IAP-305 with TELs . 47Figure 26 – Top View of IAP-314 with TELs . 48Figure 27 – Bottom View of IAP-314 with TELs . 48Figure 28 – Top View of IAP-315 with TELs . 49Figure 29 – Bottom View of IAP-315 with TELs . 49Figure 30 – Top View of IAP-324 with TELs . 50Figure 31 – Bottom View of IAP-324 with TELs . 50Figure 32 – Top View of IAP-325 with TELs . 51Figure 33 – Bottom View of IAP-325 with TELs . 51Figure 34 – Top View of IAP-334 with TELs . 52Figure 35 – Bottom View of IAP-334 with TELs . 52Figure 36 – Top View of IAP-335 with TELs . 53Figure 37 – Bottom View of IAP-335 with TELs . 53TablesTable 1 - IAP-303H Status Indicator LEDs (Front) . 11Table 2 - IAP-303H Status Indicator LEDs (Bottom) . 11Table 3 - IAP-300 Series Status Indicator LEDs . 14Table 4 - IAP-310 Series Status Indicator LEDs . 17Table 5 - IAP-320 Series Status Indicator LEDs . 20Table 6 - IAP-330 Series Status Indicator LEDs . 23Table 7 - Intended Level of Security . 24Table 8 - FIPS 140-2 Logical Interfaces . 25Table 9 – Estimated Strength of Authentication Mechanisms . 27Table 10 – Crypto Officer Services . 28Table 11 - User Services . 30Table 12 – Aruba Instant VPN Module CAVP Certificates . 32Table 13 – Aruba Instant Crypto Module CAVP Certificates . 33Table 14 – ArubaInstant UBOOT Bootloader CAVP Certificates. 34Table 15 – Aruba IAP Hardware CAVP Certificates . 34Table 16 – Critical Security Parameters . 36Table 17 - Inspection/Testing of Physical Security Mechanisms . 54Aruba IAP-3XX Wireless Access Points with Aruba Instant Firmware FIPS 140-2 Level 2 Security Policy 5

PrefaceThis document may be freely reproduced and distributed whole and intact including the copyright notice.Products identified herein contain confidential commercial firmware. Valid license required.1. Purpose of this DocumentThis release supplement provides information regarding the Aruba IAP-303H, IAP-304, IAP-305, IAP-314, IAP-315, IAP324, IAP-325, IAP-334, and IAP-335 Wireless Access Points with Aruba Instant Firmware FIPS 140-2 Level 2 validationfrom Aruba Networks. The material in this supplement modifies the general Aruba hardware and firmwaredocumentation included with this product and should be kept with your Aruba product documentation.This supplement primarily covers the non-proprietary Cryptographic Module Security Policy for the Aruba IAP-303H,IAP-304, IAP-305, IAP-314, IAP-315, IAP-324, IAP-325, IAP-334, and IAP-335 Wireless Access Points with ArubaInstant Firmware. This security policy describes how the Instant Access Point (IAP) meets the security requirements ofFIPS 140-2 Level 2 and how to place and maintain the IAP in the secure FIPS 140-2 mode. This policy was prepared aspart of the FIPS 140-2 Level 2 validation of the product.FIPS 140-2 (Federal Information Processing Standards Publication 140-2, Security Requirements for CryptographicModules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2standard and validation program is available on the National Institute of Standards and Technology (NIST) website dule-validation-programIn addition, in this document, the Aruba IAP-303H, IAP-304, IAP-305, IAP-314, IAP-315, IAP-324, IAP-325, IAP-334,and IAP-335 Wireless Access Points with Aruba Instant Firmware are referred to as the Wireless Access Point, the AP,the IAP, the module, the cryptographic module, Aruba Wireless Access Points, Aruba Wireless APs, Aruba AccessPoints, and IAP-3XX Wireless APs.1.1.Related DocumentsThe following items are part of the complete installation and operations documentation included with this product: 1.2.Aruba AP-300 Series Access Points Installation GuideAruba AP-310 Series Access Points Installation GuideAruba AP-320 Series Access Points Installation GuideAruba AP-330 Series Access Points Installation GuideAruba Instant 8.5.0.x User GuideAruba Instant 8.5.0.x CLI Reference GuideAruba Instant 8.5.0.x REST API GuideAruba Instant 8.5.0.x Syslog Messages Reference GuideAruba AP Software Quick Start GuideAdditional Product InformationMore information is available from the following sources: The Aruba Networks Web-site contains information on the full line of products from Aruba Networks:http://www.arubanetworks.com The NIST Validated Modules Web-site contains contact information for answers to technical or salesrelated questions for the rchEnter Aruba in the Vendor field then select Search to see a list of FIPS certified Aruba products.Select the Certificate Number for the Module Name ‘Aruba IAP-303H, IAP-304, IAP-305, IAP-314, IAP315, IAP-324, IAP-325, IAP-334, and IAP-335 Wireless Access Points with Aruba Instant Firmware’.6 Aruba IAP-3XX Wireless Access Points with Aruba Instant Firmware FIPS 140-2 Level 2 Security Policy

1.3.Acronyms and TPWLANAdvanced Encryption StandardAccess PointCipher Block ChainingCommand Line InterfaceCrypto OfficerControl Plane Security protectedCommunications Security Establishment CanadaCritical Security ParameterExternal Crypto OfficerElectromagnetic CompatibilityElectromagnetic InterferenceFast EthernetGigabit EthernetGigahertzHashed Message Authentication CodeHertzInternet Key ExchangeInternet Protocol securityKnown Answer TestKey Encryption KeyLayer-2 Tunneling ProtocolLocal Area NetworkLight Emitting DiodeSecure Hash AlgorithmSimple Network Management ProtocolSerial & Power Over EthernetTamper-Evident LabelTrivial File Transfer ProtocolWireless Local Area NetworkAruba IAP-3XX Wireless Access Points with Aruba Instant Firmware FIPS 140-2 Level 2 Security Policy 7