Vinay Sharma

 

 

Introduction

 

For a 4400 series or WiSM wireless controller to operate in its FIPS-approved mode, the following configuration must be performed on the controller CLI over a console connection. The commands in the first three steps are order-dependent: FIPS mode is enabled first, and the boot-break and HTTPS certificate settings are applied afterwards.

 

Description

 

Enable FIPS Mode of Operation

 

The following CLI command places the controller in FIPS mode of operation, enabling the required power-on and conditional self-tests and restricting the controller to FIPS-approved algorithms:

 

config switchconfig fips-prerequisite enable

 

 

Disable Boot Break

 

The following CLI command prevents an operator at the console from interrupting the boot process (and thereby bypassing the FIPS self-tests). It must be executed after enabling FIPS mode of operation:

 

config switchconfig boot-break disable

 

 

Configure HTTPS Key

 

The following command configures the controller to use the device (manufacturer-installed) certificate and key for the HTTPS web administration server instead of a self-signed one. It must be executed after enabling FIPS mode of operation:

 

config certificate use-device-certificate webadmin

 

 

The remaining security configuration can be entered via the controller GUI or the CLI.

 

 

Configure SNMP

 

Non-security-related remote monitoring and management of the controller can be done via SNMP. Only SNMPv3 with HMAC-SHA1 authentication is permitted by this security policy; SNMPv1 and SNMPv2c must be disabled because they carry community strings in cleartext. The SNMPv3 user passwords (authentication and privacy keys) must be at least 8 characters long and contain both letters and digits.

 

The following CLI commands enable SNMPv3 with HMAC-SHA1:

 

config snmp version v1 disable

 

config snmp version v2c disable

 

config snmp version v3 enable

 

config snmp v3user create username hmacsha authkey encryptkey

(The command above is shown in abbreviated form. On the controller the full syntax also takes an access mode and a privacy protocol between the user name and the keys, in the order user name, ro or rw, authentication protocol, privacy protocol, authentication key, privacy key; confirm the exact form for your release with "config snmp v3user create ?".)

 

 

Configure Management Frame Protection (MFP)

 

Infrastructure MFP enables an access point to validate the management frames of neighboring access points by checking a message integrity check (MIC) added to those frames. Configuring the controller to use MFP is optional for the FIPS mode of operation. The following CLI command enables infrastructure MFP:

 

config wps mfp infrastructure enable
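The steps above are easy to get wrong by hand (a v3 user created with HMAC-MD5, boot-break disabled before FIPS mode was enabled, SNMPv2c left on). The following Python script is an added example, not code from the original post or from Cisco; it audits a saved copy of the controller's configuration against the settings described in this article. It assumes the input is the plain list of "config ..." lines from a configuration export (the shape of the controller's "show run-config commands" output), and the two samples embedded below are constructed for the demonstration. The parser also accepts the longer form of the v3user command with an access mode and privacy protocol, which is an assumption about the controller's command syntax.

```python
"""Audit a WLC config export against the FIPS settings in this article.

Added example (not from the original post). Input: the 'config ...' lines
of a controller configuration export. Samples below are constructed.
"""
import re
from typing import Dict, List, Optional

# Commands the article requires, in the order they must be applied.
REQUIRED = [
    "config switchconfig fips-prerequisite enable",
    "config switchconfig boot-break disable",
    "config certificate use-device-certificate webadmin",
    "config snmp version v1 disable",
    "config snmp version v2c disable",
    "config snmp version v3 enable",
]
AUTH_PROTOCOLS = {"none", "hmacmd5", "hmacsha"}
PRIV_PROTOCOLS = {"none", "des", "aescfb128"}   # assumed keyword set

# Constructed sample: every required command present, SHA1 user, MFP on.
SAMPLE_GOOD = """\
config switchconfig fips-prerequisite enable
config switchconfig boot-break disable
config certificate use-device-certificate webadmin
config snmp version v1 disable
config snmp version v2c disable
config snmp version v3 enable
config snmp v3user create fipsadmin rw hmacsha aescfb128 Auth1Key2 Priv3Key4
config wps mfp infrastructure enable
"""

# Constructed sample with typical mistakes: boot-break before FIPS mode,
# HTTPS cert step skipped, v2c still enabled, MD5 user with a short key.
SAMPLE_BAD = """\
config switchconfig boot-break disable
config switchconfig fips-prerequisite enable
config snmp version v1 disable
config snmp version v2c enable
config snmp version v3 enable
config snmp v3user create monitor ro hmacmd5 des Auth1Key2 short1
"""


def password_ok(pw: str) -> bool:
    """Article rule: 8 or more characters, containing letters and digits."""
    return (len(pw) >= 8
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


def parse_v3user(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse 'config snmp v3user create ...'. Accepts the short form used in
    the article (user auth authkey encryptkey) and the longer form
    (user ro|rw auth priv authkey encryptkey)."""
    tokens = line.split()
    if tokens[:4] != ["config", "snmp", "v3user", "create"] or len(tokens) < 5:
        return None
    user, rest = tokens[4], tokens[5:]
    if rest and rest[0] in ("ro", "rw"):
        rest = rest[1:]                      # optional access mode
    if not rest or rest[0] not in AUTH_PROTOCOLS:
        return None
    auth, rest = rest[0], rest[1:]
    priv = None
    if rest and rest[0] in PRIV_PROTOCOLS:
        priv, rest = rest[0], rest[1:]       # optional privacy protocol
    keys = rest + ["", ""]                   # pad so missing keys fail below
    return {"user": user, "auth": auth, "priv": priv,
            "authkey": keys[0], "encryptkey": keys[1]}


def check_fips_config(config_text: str) -> List[str]:
    """Return a list of findings; an empty list means the export matches
    the article's FIPS settings."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    findings: List[str] = []
    for cmd in REQUIRED:
        if cmd not in lines:
            findings.append(f"missing: {cmd}")
    # boot-break must be disabled only after FIPS mode is enabled
    if REQUIRED[0] in lines and REQUIRED[1] in lines:
        if lines.index(REQUIRED[1]) < lines.index(REQUIRED[0]):
            findings.append("boot-break disable appears before "
                            "fips-prerequisite enable")
    for l in lines:
        if re.fullmatch(r"config snmp version v(1|2c) enable", l):
            findings.append(f"cleartext SNMP version enabled: {l}")
    users = [u for u in (parse_v3user(l) for l in lines) if u]
    if not users:
        findings.append("no SNMPv3 user defined")
    for u in users:
        if u["auth"] != "hmacsha":
            findings.append(f"SNMPv3 user {u['user']}: auth {u['auth']} "
                            "is not hmacsha")
        for name in ("authkey", "encryptkey"):
            if not password_ok(u[name] or ""):
                findings.append(f"SNMPv3 user {u['user']}: {name} fails "
                                "the 8+ characters, letters and digits rule")
    return findings


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_fips_config(sample) or "compliant")
```

Run it against a real export by reading the file into check_fips_config; the check is deliberately strict about the v3 user keys because a weak key on the only management channel left open undoes the rest of the hardening.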

 

 

Reference information on FIPS security configuration (the controller's FIPS security policy, certificate #1059)

 

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1059.pdf

 

Comments
flyingframes

Does this apply to FlexConnect deployments too?

In "local auth, local switching" mode, the AP is responsible for client authentication, the encryption cipher and switching client data packets locally. So is it also FIPS enabled by virtue of enabling the knob on the WLC?
