Dell AP-135 manual


A good user manual

The rules should oblige the seller to give the purchaser an operating instruction for the Dell AP-135 along with the item. The lack of an instruction, or false information given to the customer, shall constitute grounds for a complaint because of nonconformity of goods with the contract. In accordance with the law, a customer can receive an instruction in non-paper form; lately, graphic and electronic forms of manuals, as well as instructional videos, have been widely used. A necessary precondition for this is the unmistakable, legible character of an instruction.

What is an instruction?

The term originates from the Latin word “instructio”, which means organizing. Therefore, in an instruction for the Dell AP-135 one can find a process description. An instruction's purpose is to teach and to ease the start-up and use of an item or the performance of certain activities. An instruction is a compilation of information about an item or a service; it is a clue.

Unfortunately, only a few customers devote their time to reading an instruction for the Dell AP-135. A good user manual introduces us to a number of additional functionalities of the purchased item, and also helps us to avoid most defects.

What should a perfect user manual contain?

First and foremost, a user manual for the Dell AP-135 should contain:
- information concerning technical data of the Dell AP-135
- name of the manufacturer and year of construction of the Dell AP-135 item
- rules of operation, control and maintenance of the Dell AP-135 item
- safety signs and mark certificates which confirm compatibility with appropriate standards

Why don't we read the manuals?

Usually it results from a lack of time and from certainty about the functionalities of purchased items. Unfortunately, networking and start-up of the Dell AP-135 alone are not enough. An instruction contains a number of clues concerning respective functionalities, safety rules, maintenance methods (what means should be used), possible defects of the Dell AP-135, and methods of problem resolution. Finally, when one still can't find the answer to his problems, he will be directed to the Dell service. Lately, animated manuals and instructional videos have become quite popular among customers. These kinds of user manuals are effective; they ensure that a customer will familiarize himself with the whole material and won't skip complicated, technical information about the Dell AP-135.

Why should one read the manuals?

It is mostly in the manuals that we will find the details concerning the construction and capabilities of the Dell AP-135 item and its use of respective accessories, as well as information concerning all the functions and facilities.

After a successful purchase of an item one should find a moment to get to know every part of an instruction. Currently the manuals are carefully prepared and translated, so they can be fully understood by their users. The manuals will serve as an informational aid.

Table of contents for the manual

  • Page 1

    1 FIPS 140-2 Non-Proprietary Security Policy for Aruba AP-134, AP-135 and Dell W-AP134, W-AP135 Wireless Access Points Version 1.2 February 2012 Aruba Networks™ 1322 Crossman Ave. Sunnyvale, CA 94089-1113[...]

  • Page 2

    2[...]

  • Page 3

    3 1 INTRODUCTION ... 5 1.1 ARUBA DELL RELATIONSHIP ... 5 1.2 ACRONYMS AND ABBREVIATIONS ...[...]

  • Page 4

    4 4.1.3 Wireless Client Authentication ... 23 4.1.4 Strength of Authentication Mechanisms ... 23 4.2 SERVICES ...[...]

  • Page 5

    5 1 Introduction This document constitutes the non-proprietary Cryptographic Module Security Policy for the AP-134, AP-135 Wireless Access Points with FIPS 140-2 Level 2 validation from Aruba Networks. This security policy describes how the AP meets the security requirements of FIPS 140-2 Level 2, and how to place and maintain the AP [...]

  • Page 6

    6 SHA: Secure Hash Algorithm; SNMP: Simple Network Management Protocol; SPOE: Serial & Power Over Ethernet; TEL: Tamper-Evident Label; TFTP: Trivial File Transfer Protocol; WLAN: Wireless Local Area Network[...]

  • Page 7

    7 2 Product Overview This section introduces the various Aruba Wireless Access Points, providing a brief overview and summary of the physical features of each model covered by this FIPS 140-2 security policy. 2.1 AP-134 This section introduces the Aruba AP-134 Wireless Access Point (AP) with FIPS 140-2 Level 2 validation. It desc[...]

  • Page 8

    8 The module provides the following power interfaces: • 48V DC 802.3af or 802.3at or PoE+ interoperable Power-over-Ethernet (PoE) with intelli-source PSE sourcing intelligence • 12V DC for external AC supplied power (adapter sold separately) 2.1.1.3 Indicator LEDs There are 5 bicolor (power, ENET and WLAN) LEDs which operate as fo[...]

  • Page 9

    9 2.2 AP-135 This section introduces the Aruba AP-135 Wireless Access Point (AP) with FIPS 140-2 Level 2 validation. It describes the purpose of the AP, its physical attributes, and its interfaces. The Aruba AP-135 is high-performance 802.11n (3x3:3) MIMO, dual-radio (concurrent 802.11a/n + b/g/n) indoor wireless access points capab[...]

  • Page 10

    10 • 5V DC for external AC supplied power (adapter sold separately) 2.2.1.3 Indicator LEDs There are 5 bicolor (power, ENET and WLAN) LEDs which operate as follows: Table 2 - AP-135 Indicator LEDs Label Function Action Status PWR AP power / ready status Off No power to AP Red Initial power-up condition Flashing – Green Device booting, not [...]

  • Page 11

    11 3 Module Objectives This section describes the assurance levels for each of the areas described in the FIPS 140-2 Standard. In addition, it provides information on placing the module in a FIPS 140-2 approved configuration. 3.1 Security Levels Section Section Title Level 1 Cryptographic Module Specification 2 2 Cryptographic Module P[...]

  • Page 12

    12 3.2.2 AP-134 TEL Placement This section displays all the TEL locations of the Aruba AP-134. The AP-134 requires a minimum of 5 TELs to be applied as follows: 3.2.2.1 To detect opening of the chassis cover: 1. Spanning the bottom and top chassis covers and placed in the front left corner 2. Spanning the bottom and top chassis covers and p[...]

  • Page 13

    13 Figure 4: AP-134 Top View Figure 5: AP-134 Right View Figure 6: AP-134 Bottom View 3.2.3 AP-135 TEL Placement This section displays all the TEL locations of the Aruba AP-135. The AP-134 requires a minimum of 5 TELs to be applied as follows: 3.2.3.1 To detect opening of the chassis cover: 1. Spanning the bottom and top chassis cover[...]

  • Page 14

    14 2. Spanning the bottom and top chassis covers and placed in the back left corner 3. Spanning the chassis screw on the bottom left corner 4. Spanning the chassis screw on the bottom right corner 3.2.3.2 To detect access to restricted ports 5. Spanning the serial port Following is the TEL placement for the AP-135: Figure 7: AP-135 Front[...]

  • Page 15

    15 Figure 11: AP-135 Top view Figure 12: AP-135 Bottom View 3.2.4 Inspection/Testing of Physical Security Mechanisms Physical Security Mechanism Recommended Test Frequency Guidance Tamper-evident labels (TELs) Once per month Examine for any sign of removal, replacement, tearing, etc. See images above for locations of TELs Opaque module enclo[...]

  • Page 16

    16 3.3 Modes of Operation The module has the following FIPS approved modes of operations: • Remote AP (RAP) FIPS mode – When the module is configured as a Remote AP, it is intended to be deployed in a remote location (relative to the Mobility Controller). The module provides cryptographic processing in the form of IPSec for all traffic[...]

  • Page 17

    17 6. If the staging controller does not provide PoE, either ensure the presence of a PoE injector for the LAN connection between the module and the controller, or ensure the presence of a DC power supply appropriate to the particular model of the module. 7. Connect the module via an Ethernet cable to the staging controller; note that th[...]

  • Page 18

    18 7. Connect the module via an Ethernet cable to the staging controller; note that this should be a direct connection, with no intervening network or devices; if PoE is being supplied by an injector, this represents the only exception. That is, nothing other than a PoE injector should be present between the module and the staging co[...]

  • Page 19

    19 Section “Provisioning an Individual AP” of Chapter “The Basic User-Centric Networks” of the Aruba OS User Guide. Click “Apply and Reboot” to complete the provisioning process. a. During the provisioning process as Remote Mesh Portal, if Pre-shared key is selected to be the Remote IP Authentication Method, the IKE pre-s[...]

  • Page 20

    20 represents the only exception. That is, nothing other than a PoE injector should be present between the module and the staging controller. 8. Once the module is connected to the controller by the Ethernet cable, navigate to the Configuration > Wireless > AP Installation page, where you should see an entry for the AP. Select that[...]

  • Page 21

    21 3.5 Logical Interfaces The physical interfaces are divided into logical interfaces defined by FIPS 140-2 as described in the following table. FIPS 140-2 Logical Interface Module Physical Interface Data Input Interface 10/100/1000 Ethernet Ports 802.11a/b/g/n Radio Transceiver Data Output Interface 10/100/1000 Ethernet Ports 802.11a/b/[...]

  • Page 22

    22 4 Roles, Authentication and Services 4.1 Roles The module supports the roles of Crypto Officer, User, and Wireless Client; no additional roles (e.g., Maintenance) are supported. Administrative operations carried out by the Aruba Mobility Controller map to the Crypto Officer role. The Crypto Officer has the ability to configure, [...]

  • Page 23

    23 4.1.2 User Authentication Authentication for the User role depends on the module configuration. When the module is configured as a Remote Mesh Portal FIPS mode and Remote Mesh Point FIPS mode, the User role is authenticated via the WPA2 pre-shared key. When the module is configured as a Remote AP FIPS mode and CPSec protected AP FIP[...]

  • Page 24

    24 Authentication Mechanism Mechanism Strength Wireless Client WPA2-PSK (Wireless Client role) For WPA2-PSK there are at least 95^16 (=4.4 x 10^31) possible combinations. In order to test a guessed key, the attacker must complete the 4-way handshake with the AP. Prior to completing the 4-way handshake, the attacker must complete the 802.11[...]

  • Page 25

    25 4.2 Services The module provides various services depending on role. These are described below. 4.2.1 Crypto Officer Services The CO role in each of FIPS modes defined in section 3.3 has the same services Service Description CSPs Accessed (see section 6 below for complete description of CSPs) FIPS mode enable/disable The CO selects/de[...]

  • Page 26

    26 Service Description CSPs Accessed (see section 6 below for complete description of CSPs) Creation/use of secure management session between module and CO The module supports use of IPSec for securing the management channel. • IKEv1/IKEv2 Preshared Secret • DH Private Key • DH Public Key • IPSec session encryption keys • IPSec ses[...]

  • Page 27

    27 Service Description CSPs Accessed (see section 6 below for complete description of CSPs) • 802.11i AES-CCM key • 802.11i GMK • 802.11i GTK Use of WPA pre-shared key for establishment of IEEE 802.11i keys When the module is in mesh configuration, the inter-module mesh links are secured with 802.11i. This is authenticated with a shar[...]

  • Page 28

    28 • System status – SYSLOG and module LEDs • 802.11 a/b/g/n • FTP • TFTP • NTP • GRE tunneling of 802.11 wireless user frames (when acting as a “Local AP”) • Reboot module by removing/replacing power • Self-test and initialization at power-on[...]

  • Page 29

    29 5 Cryptographic Algorithms FIPS-approved cryptographic algorithms have been implemented in hardware and firmware. The firmware supports the following cryptographic implementations. • ArubaOS OpenSSL AP Module implements the following FIPS-approved algorithms: o AES (Cert. #1851) o HMAC (Cert. #1099) o RNG (Cert. #970) o RSA (Cert. [...]

  • Page 30

    30 6 Critical Security Parameters The following Critical Security Parameters (CSPs) are used by the module: CSP CSP TYPE GENERATION STORAGE And ZEROIZATION USE Key Encryption Key (KEK) Triple-DES 168-bits key Hard-coded Stored in flash, zeroized by the ‘ap wipe out flash’ command. Encrypts IKEv1/IKEv2 preshared keys and configuration par[...]

  • Page 31

    31 CSP CSP TYPE GENERATION STORAGE And ZEROIZATION USE IKEv1/IKEv2 Diffie-Hellman Private key 1024-bit Diffie-Hellman private key Generated internally during IKEv1/IKEv2 negotiation Stored in plaintext in volatile memory; zeroized when session is closed or system is powered off Used in establishing the session key for IPSec IKEv1/IKEv2 Diffie[...]

  • Page 32

    32 CSP CSP TYPE GENERATION STORAGE And ZEROIZATION USE WPA2 PSK 16-64 character shared secret used to authenticate mesh connections and in remote AP advanced configuration CO configured Encrypted in flash using the KEK; zeroized by updating through administrative interface, or by the ‘ap wipe out flash’ command. Used to derive the PMK for 80[...]

  • Page 33

    33 CSP CSP TYPE GENERATION STORAGE And ZEROIZATION USE 802.11i Group Master Key (GMK) 256-bit secret used to derive GTK Generated from approved RNG Stored in plaintext in volatile memory; zeroized on reboot Used to derive Group Transient Key (GTK) 802.11i Group Transient Key (GTK) 256-bit shared secret used to derive group (multicast) encry[...]

  • Page 34

    34 7 Self Tests The module performs the following Self Tests after being configured into either Remote AP mode or Remote Mesh Portal mode. The module performs both power-up and conditional self-tests. In the event any self-test fails, the module enters an error state, logs the error, and reboots automatically. The module performs t[...]

  • Page 35

    35 Self-test results are written to the serial console. In the event of a KATs failure, the AP logs different messages, depending on the error. For an ArubaOS OpenSSL AP module and ArubaOS cryptographic module KAT failure: AP rebooted [DATE][TIME] : Restarting System, SW FIPS KAT failed For an AES Atheros hardware POST failure: Starting HW SHA[...]