Wireless Access

Reply
Occasional Contributor II

AP-134-F1 vs AP-134

Does anyone know, or can they explain, the difference between say an AP-134-F1 and an AP-134?

 

I realize the F1 is utilized for OCONUS sites and the non-F1 is used for CONUS, but what makes them different? And can an non-F1 be used with an F1 3000 WLC without issue?

 

"Rumors" I hear say that the non-F1 can 'tunnel' back to the WLC, whereas the F1 'terminates' users on the AP thus holding encryption.

 

Is this a substantiated claim?

 

Please advise soonest!!!!

Guru Elite

Re: AP-134-F1 vs AP-134

Aruba devices with the F1 designation are FIPS/TAA compliant APs and require "F1" controllers and code.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: AP-134-F1 vs AP-134

Take a look here:

http://www.arubanetworks.com/pdf/support/EOS_notice_Legacy_FIPS.pdf

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II

Re: AP-134-F1 vs AP-134

But would an AP-134 (non-F1) be able to function on a F1 controller, in FIPS mode, without any issue?

 

What is the primary difference, functionally wise, between an F1 and a non-F1 AP?

Re: AP-134-F1 vs AP-134

Hi,

Good evening, :smileyhappy:

here some relvent info for u: (say thanks to Jon Green)

 

Two parts to this answer - FIPS and DoD 8100.2.  For FIPS 140-2, you would be required to:

  • Purchase specific FIPS models of controllers, and possibly APs.  These part numbers are similar to the standard part numbers, but end in F1.  There are specific hardware and firmware differences in these products from the standard versions which were required for FIPS compliance.  In addition, -F1 products are TAA compliant (made in USA, or made in Singapore) which is a requirement for many government customers.
  • Run the FIPS software versions, which you can find on the support site.  Only specific versions of software are FIPS validated.  You can find the complete list at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm (search for Aruba).  For recent AOS software, version 6.1.2.3-FIPS is on the list.  The next version will be 6.1.4.1-FIPS (highly recommended over 6.1.2.3).
  • Operate the software in FIPS mode.  This is a configuration knob in the software which disables all non-FIPS approved encryption algorithms.

Without using the correct hardware and software together, with the software in FIPS mode, the solution is not considered FIPS validated.  All three are required together.

 

You MAY not need to purchase the FIPS model of APs.  If your customer needs TAA compliant hardware, then you'll want the -F1 variant.  If TAA is not important, and you plan to operate the APs with centralized encryption (the standard mode of operation for Aruba) then FIPS validated APs are technically not required, since the AP doesn't participate in encryption.

 

 

Second, DoD 8100.2.  If you need a copy of the actual memo, it's here:  https://acc.dau.mil/CommunityBrowser.aspx?id=18141.  It doesn't take too long to read.  Basically, it requires that you use encryption, and that the encryption must be FIPS 140-2 validated.  Connections must be authenticated using a personally-identifiable credential (i.e. you can trace the session back to a specific user).  And you must use a wireless IDS to detect DoS attacks and to detect unauthorized devices.  Other requirements in the document are less obvious - you must be in compliance with DoD 8500.2 and 5200.40 which deal with certification and accreditation (this is more of an installation/deployment requirement than a product requirement, although it does want you to use products that are Common Criteria certified and are listed on the UC-APL, both of which Aruba has).

 

The more important DoD directive for WLAN is 8420.01.  This is a newer document than 8100.2 and in many ways supersedes it.  It was published in 2009, when the WLAN industry was much more mature than in 2004 when the first one came out.  There's a very key requirement in there:

 

Validated Physical Security. APs used in unclassified WLANs should not be installed in unprotected environments due to an increased risk of tampering and/or theft. If installed in unprotected environments, APs that store plaintext cryptographic keying information shall be protected with added physical security to mitigate risks. DoD Components may choose products that meet FIPS 140-2 Overall Level 2, or higher, validation (to ensure that the AP provides validated tamper evidence, at a minimum). Alternatively, DoD Components may physically secure APs by placing them inside of securely mounted, pick-resistant, lockable enclosures.

 

This means that if you use an AP that does encryption/decryption, the AP must be inside a tamper-resistent enclosure.  In addition, you must have an inspection schedule where each AP is checked every 30 days to make sure nobody tampered with it - that means comparing the tamper label on the unit with the recorded serial number, etc etc etc.  It's a huge operational pain.  With Aruba, using centralized encryption, the APs are OUTSIDE the security boundary and this is not applicable, since the APs contain no cleartext crypto keys.

 

So.. summary of advantages:

1. Certifications and accreditations (FIPS 140-2, Common Criteria EAL4, and UC-APL listing)

2. Centralized encryption

3. Integrated wireless IDS

 

More government information and materials at http://www.arubanetworks.com/solutions/government/.  Unfortunately, I don't believe there's much on casinos, although we do have a number of customers in that industry.  Maybe one of them will read this thread and reply. :smileyhappy:

---
Jon Green, ACMX, CISSP
Aruba Networks Government Solutions
*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Occasional Contributor II

Re: AP-134-F1 vs AP-134

Yep! Well aware of FIPS and the DoD requirements, as we have FIPS WLCs getting ready to deploy, but have non-F1 APs we would like to deploy and operate on the WLCs with v6.1.4.5-FIPS code

 

Just so I understand that which you wrote, F1 APs terminate users/encryption on the AP itself, whereas non-F1 APs run as a 'thin' AP and all encryption is on the WLC, correct?

 

So to clarify, there would be no issue at all with running a non-F1 AP on a F1 WLC, as all encryption would take place on the WLC anyway, correct?

Re: AP-134-F1 vs AP-134

Hi, You  better get  an official Aruba answer from your SE in Aruba,but,Yep u can connect non-fips AP'S to FIPS controller.

 

You MAY not need to purchase the FIPS model of APs.  If your customer needs TAA compliant hardware, then you'll want the -F1 variant.  If TAA is not important, and you plan to operate the APs with centralized encryption (the standard mode of operation for Aruba) then FIPS validated APs are technically not required, since the AP doesn't participate in encryption

 

 

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
New Contributor

Re: AP-134-F1 vs AP-134

MVP,

 

You seem very knowledgable, and you made a comment about when an AP isn't participating in the encryption, so I thought I'd ask this question:

 

If all I am doing is using wifi APs to act as strictly transport (no services, not on GIG, etc), and I put Type 1 encryptors (KG-175D) on each end to extended a classified network to a distant location, do my APs have to be FIPS/TAA/8100.2 compliant?

 

Of course on the APs that are acting as transport, everything is locked down, pw protected, AES PSK used, etc. But they are strictly used as a "black" backhaul wds trasport for the cipher text from the Type 1 encryptors.

 

Doable?

 

 

Occasional Contributor II

Re: AP-134-F1 vs AP-134

When an AP (eg. USF1) is not participating in the encryption by NOT terminating the end-users encryption on the AP, like how Cisco does it, the AP is strictly a 'thin' AP. That means it's very, very limited in it's capabilities and just passes traffic from the user to the WLC where all encryption takes place.

 

You can do all the encryption you want on the back-end and have the end-user decrypt it, if you want to go that route. But otherwise, the traffic 'seen' will all be jibberish when inside the tunnels.

 

As for FIPS/TAA Compliance, all you would need to do is put FIPS code on the WLC (eg. 6.1.4.5-FIPS) and that would make the WLAN compliant, at least from a code standpoint. As for the encryption of the cleints, you would have to utilize two-factor authentication (eg. CaC Card with a PIN entered) in order to get authorization and access to the network. Associating does nothing as long as you are in an unauthenticated mode as you will be put in the 'dead' VLAN and not go anywhere. 

 

Using the same type of APs with the same type of two-factor authentication with FIPS code is fine for tunneling your APs from acrossed layer 3 boundaries as your APs will pull from within the IP subnet on the other side of that boundary. Your clients will pull an IP address from the Master WLC based on the subnet of WLAN users you are to have once you are authenticated and will be placed in a tunnerl acrossed the APs, passed the layer 3 boundary, back to the WLC.

 

One more thing - WPA2-PSK is NOT FIPS authorized. The only authorized encryption is WPA2-AES-Enterprise which produces randomized keys to the client during the authentication process. All your traffic, once authenticated, travels in a trunked tunnel (if you have it setup that way) from the client through the AP back to the WLC where everything is unencrypted and put 'on the wire.' 

 

Hope this helps.

Moderator

Re: AP-134-F1 vs AP-134

Just in case there's any confusion left on this thread:

- ALL Aruba APs can perform encryption in the AP, and they can ALL use tunnel mode as well, where the encryption is done in the controller.  This is a configuration option you select in the virtual-ap profile and has nothing to do with whether or not an AP or controller is a FIPS model.

 

- Where a customer is subject to FIPS requirements (basically, if you are the US Government) you don't need to use FIPS-validated APs if you're deploying the network in tunnel mode.  However, your procurement people are required to buy TAA-compliant products.  Since Aruba uses the same part number for both, you'll end up buying -F1 model APs anyway.  So at this point, it's sort of a meaningless distinction.

 

- AP models that end in -F1 are FIPS and TAA compliant, and can be deployed anywhere in the world.  Dependent APs (those that require a mobility controller) are regulatory certified as software-defined radios, so the controller determines the regulatory domain, not the AP.  The use of -F1 in the part number only indicates FIPS/TAA - it has nothing to do with national radio regulations.

 

- You can take a controller running FIPS software, and use it to work with non-FIPS APs.  We don't enforce any sort of interoperability requirements here - all of the equipment, FIPS or non-FIPS, is able to work with each other in the normal way.

 

- There is actually zero hardware difference between FIPS and non-FIPS equipment when it comes to the actual electronics inside.  It's all the same components.  On the controllers, there are often hardware differences in the sheet metal of the enclosure - the FIPS model controllers must be "opaque in the visible spectrum" - i.e. you can't see inside.  The APs are generally identical.  The only difference for the APs is country of manufacture.  FIPS model APs will say "Made in Singapore" or "Made in USA", while non-FIPS models will say "Made in China".

 

I hope that helps...

---
Jon Green, ACMX, CISSP
Security Guy
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: