Have you ever come across the term FIPS Wi-Fi Have you ever used FIPS in your router settings or when connecting to a corporate network? If so, you've probably wondered: what is this mode, what is it for, and why is it often required by government agencies, banks, or large companies? FIPS (Federal Information Processing Standards) isn't just an acronym; it's a whole set of security requirements that can radically change how your Wi-Fi network operates.
In this article we will look at what it is FIPS 140-2 And FIPS 140-3 In the context of wireless networks, how this standard impacts encryption, authentication, and key management, and why its use is becoming mandatory for organizations handling sensitive data. You'll learn how to enable FIPS mode on popular routers (Cisco, MikroTik, TP-Link), which security protocols it prohibits, and what pitfalls may arise when it's enabled. If you administer a network or simply want to understand why your Wi-Fi suddenly stopped supporting outdated devices, this article is for you.
What is FIPS and why is it important for Wi-Fi?
FIPS (Federal Information Processing Standards) is a set of standards developed National Institute of Standards and Technology (NIST) to ensure the security of information systems used by federal agencies. In the context of Wi-Fi, we are interested in two key documents:
- 📜 FIPS 140-2 — a standard for cryptographic modules that defines requirements for hardware and software that processes sensitive data. This is the standard most often referred to when people talk about "FIPS Wi-Fi."
- 🔐 FIPS 197 — describes the encryption algorithm AES (Advanced Encryption Standard), which is mandatory for use in FIPS-compliant systems.
- 📡 FIPS 201 — a standard for identification and authentication in federal systems (including biometrics and smart cards).
When they talk about FIPS in Wi-Fi, usually imply compliance FIPS 140-2 For cryptographic operations (traffic encryption, device authentication), and the use of only approved algorithms. For example, in FIPS mode, the following are prohibited:
- 🚫 Legacy encryption protocols:
WEP,TKIP(used inWPA). - 🚫 Weak hashing algorithms:
MD5,SHA-1. - 🚫 Insecure authentication methods:
LEAP,PEAP-MSCHAPv1.
Instead, FIPS requires the use of:
- ✅
AES-CCMorAES-GCMto encrypt traffic (within the frameworkWPA2-EnterpriseorWPA3-Enterprise). - ✅
SHA-256orSHA-384for hashing. - ✅
EAP-TLSorEAP-TTLSwith certificates for authentication.
⚠️ Attention: FIPS mode can disable support for legacy devices (e.g., older smartphones or printers) that don't support modern encryption protocols. Check your hardware's compatibility before activating!
FIPS 140-2 vs. FIPS 140-3: What's the Difference for Wi-Fi?
From September 22, 2021 FIPS 140-2 officially replaced by FIPS 140-3, but many systems still operate using the old standard. What are the key differences?
| Criterion | FIPS 140-2 | FIPS 140-3 |
|---|---|---|
| Year of approval | 2001 (updated in 2019) | 2019 |
| Main changes | Requirements for physical security of modules, vulnerability testing | Stricter key generation requirements, protection against side-channel attacks, mandatory support AES-256 |
| Support in routers | Widely distributed (Cisco, Juniper, Fortinet) | It is being gradually introduced (mostly in new equipment for now) |
| Impact on Wi-Fi | Ban on WPA, mandatory use WPA2-Enterprise With AES |
Additionally required PMF (Protected Management Frames) and prohibits WPA2-Personal in some configurations |
For most home users, the transition to FIPS 140-3 It will go unnoticed, as modern routers already support it. AES-256 And WPA3However, in corporate networks it may be necessary:
- 🔄 Updating firmware on access points.
- 📋 Reconfiguring the RADIUS server to support new authentication methods.
- 📱 Replacement of legacy client devices that do not support
SHA-384.
⚠️ Attention: If your organization works with government contracts in the US or EU, the transition to FIPS 140-3 May become mandatory as early as 2026–2026. Check with your regulator for requirements!
Where FIPS Wi-Fi Is Used: 5 Real-World Scenarios
FIPS mode in Wi-Fi isn't just a checkbox. Its use is strictly regulated in a number of industries. Here's where it's truly essential:
-
Government agencies of the United States and NATO countries.
Any network that processes data with a classification
CUI(Controlled Unclassified Information), must comply FIPS 140-2/3This applies to schools, hospitals, military bases, and even some municipal services. -
Financial sector (banks, payment systems).
Standards PCI DSS (for working with payment cards) and GLBA (Financial Services Modernization Act) require FIPS-compliant encryption for transmitting transaction data over Wi-Fi.
-
Healthcare facilities (HIPAA).
Law HIPAA Mandates the protection of patients' medical data. Wi-Fi networks in hospitals often operate in FIPS mode, especially if mobile devices are used to access patient records.
-
Defense industry and aerospace sector.
Companies working with ITAR (International Traffic in Arms Regulations) are required to use FIPS to protect technical documentation and drawings.
-
Large corporations with high security requirements.
Even if the law does not require it, many companies (for example, Lockheed Martin, Boeing) voluntarily implement FIPS to protect intellectual property.
In Russia and the CIS countries, FIPS is not mandatory, but may be required by:
- 🏛️ State-owned companies working with foreign partners (for example, in joint projects with the EU or the USA).
- 💳 Banks servicing international payment systems (Visa, Mastercard).
- 🛡️ Organizations certified by ISO 27001, where FIPS may be part of the security policy.
How to Enable FIPS Mode on a Router: Step-by-Step Instructions
The FIPS activation process varies depending on the router model. Let's look at the most common options.
1. Cisco routers (IOS/XE)
On equipment Cisco FIPS is enabled via the CLI (command line). Example for Cisco Aironet:
enable
configure terminal
wireless profile security FIPS-PROFILE
security wpa akm dot1x
security wpa wpa2 ciphers aes-ccm
no security wpa akm psk
no security wpa akm ft-psk
no security wpa wpa2 ciphers tkip
end
Then link the profile to the access point:
interface Dot11Radio0
ssid FIPS-NETWORK
security dot1x FIPS-PROFILE
end
2. MikroTik routers (RouterOS)
IN MikroTik FIPS mode is configured via Winbox or WebFig:
- Go to
Wireless → Security Profiles. - Create a new profile or edit an existing one.
- In the section
WPA2select:- 🔒
AES-CCMas encryption. - 🔑
802.1Xas an authentication method.
- 🔒
WPA-PSK And TKIP.3. TP-Link/Ubiquiti (Unifi) routers
IN TP-Link Omada or Ubiquiti Unifi FIPS is enabled via the controller:
- Go to your Wi-Fi network settings.
- Select
WPA2/WPA3 Enterprise. - In the section
Advancedactivate the optionFIPS Mode(if any). - Specify the address of the RADIUS server for authentication.
- 🔄 Reboot your router and access points.
- 📱 Connect a test device that supports
WPA2-Enterprise(For example, iPhone or Android 10+). - 🔍 Check the logs on the RADIUS server for authentication errors.
- 🌐 Guest network without FIPS: Create a separate SSID with
WPA2-PSKfor older devices, but limit its access to internal resources. - 🔌 Wired connection: For printers and desktop PCs, use Ethernet.
- 🔄 Firmware update: Some devices (eg Android 8+) may work after the update.
- 🐢 Latency increases slightly. This involves more complex cryptographic operations (eg.
SHA-384instead ofSHA-1). In real tests, the difference is ~5–15 ms. - 📉 Maximum throughput may be reduced. On weak routers (for example, TP-Link TL-WR841N) FIPS can "eat" up to 10-20% of CPU performance, which will affect speed with a large number of clients.
- 🔋 Energy consumption increases. Devices have to recalculate hashes and encrypt traffic more frequently, which can reduce battery life by 5-10%.
- 🚀 "FIPS reduces coverage radius." This is not true - the standard does not affect the transmit power or the receiver sensitivity.
- 🌐 "FIPS blocks internet access." No, it only changes the way traffic is encrypted. If the network is configured correctly, access will remain the same.
- 🔒 "FIPS makes the network invulnerable." The standard reduces risks, but does not protect against social engineering or vulnerabilities in router firmware.
- 🔄 Use routers with hardware acceleration
AES(For example, Cisco 9100 or Ubiquiti UniFi 6). - 📶 Divide clients by frequency: modern devices on
5 GHz, the old ones - on2.4 GHz. - 🔧 Optimize your settings
RADIUS-servers (for example, cache sessionsEAP). - 🔐 WPA3-Personal:
If you don't need support for legacy devices,
WPA3WithSAE(Simultaneous Authentication of Equals) provides a comparable level of security without the strict restrictions of FIPS. - 🛡️ IPSec or WireGuard over Wi-Fi:
You can leave it
WPA2-PSK, but encrypt all traffic through VPNThis is more difficult to set up, but more flexible. - 🏢 Network segmentation:
Divide the network into VLANs: for critical data -
WPA2-Enterprise, for guests -WPA2-PSK. - 🔑 Certificates without FIPS:
Use
EAP-TLSWithout FIPS ties. This will provide strong authentication without strict restrictions on algorithms. - 🏠 On a home network (overkill for most tasks).
- 🛒 In a small shop or cafe (enough
WPA2-PSKwith a long password). - 🎮 For gaming consoles (PlayStation, Nintendo Switch often not supported
Enterprise-modes). - 🏛️ Working with government data (in the US -
CUI, weight -GDPRfor sensitive information). - 💳 Processing payment data (PCI DSS requires FIPS for wireless networks).
- 🛡️ Certification by ISO 27001 or SOC 2 (may be a condition of audit).
Make sure all devices support WPA2-Enterprise|Check for certificates on the RADIUS server|Back up your router configuration|Test the connection on 1-2 devices before mass deployment-->
After FIPS is enabled:
⚠️ Attention: On some routers (for example, ASUS or D-Link (For the home segment) there may be no FIPS option at all. In this case, firmware with support will be required. WPA2-Enterprise (For example, OpenWRT or DD-WRT).
Which Devices Don't Work with FIPS Wi-Fi (and What to Do)
One of the main drawbacks of FIPS mode is incompatibility with older devicesHere are the most problematic categories:
| Device type | Problem | Solution |
|---|---|---|
| Old smartphones (Android 7 and below, iPhone 5/5S) | They don't support it. AES-CCM or SHA-256 |
Update the firmware or replace the device |
| Printers and MFPs (HP LaserJet 2015, Canon imageRUNNER) | They use WPA-PSK or TKIP |
Connect via cable or through a separate non-FIPS network |
| Smart TVs (Samsung 2016–2018, LG WebOS 3.0) | No support 802.1X |
Use WPA3-Personal (if allowed by security policy) |
| IoT devices (Xiaomi Mi Home, Tuya Smart) | Many work only with WPA2-PSK |
Provide them with a separate network with minimal privileges. |
If you need to support legacy devices but still comply with FIPS, consider the following options:
What happens if I connect an incompatible device to a FIPS network?
The device will either not see the network at all (if it's hidden from non-FIPS clients) or will receive an authentication error like "Failed to connect to the network." In the router logs, this may look like this: EAP failure or Unsupported cipher suite.
FIPS Wi-Fi and Performance: Myths and Reality
Many administrators fear that enabling FIPS will negatively impact Wi-Fi speed and stability. Let's explore what's true and what's a myth.
✅ What's true:
❌ What is a myth:
To minimize the impact of FIPS on performance:
FIPS Alternatives: When the Standard Is Redundant
FIPS isn't the only way to secure Wi-Fi. In some cases, its requirements are excessive, and simpler solutions can be used:
When You shouldn't use FIPS:
And when? FIPS is mandatory:
FAQ: Frequently Asked Questions about FIPS Wi-Fi
❓ Is it possible to enable FIPS on a home router?
Technically yes, if the router supports it WPA2-Enterprise And AESBut this will require configuration. RADIUS-server (for example, on Windows Server or FreeRADIUS), which is difficult for home use. It is much easier to use WPA3-Personal.
❓ Why don't some devices connect after enabling FIPS?
They most likely don't support it. AES-CCM or 802.1X. Check:
- What encryption protocols does the device support (in Wi-Fi settings).
- Does he have a certificate to authenticate on
RADIUS. - Does your organization's security policy block the connection of personal devices?
❓ How can I verify that FIPS is actually working?
There are several ways:
- 🔍 Check out the logs
RADIUS-servers: there should be records of successful authentication byEAP-TLS. - 📡 In the client device settings (for example, Windows) check the connection properties: it should be specified
AESAnd802.1X. - 🛠️ Use a traffic analyzer (Wireshark) to ensure that packets are encrypted using
AES-CCM.
❓ Are FIPS and WPA3 compatible?
Yes, but with reservations. WPA3-Enterprise in mode 192-bit security (With AES-256 And SHA-384) meets the requirements FIPS 140-3. However, WPA3-Personal (With SAE) is not FIPS certified because it does not use 802.1X.
❓ Is it possible to disable FIPS temporarily and then enable it back?
Yes, but it will violate security policy if FIPS is required by standards (e.g. PCI DSS). When disconnecting:
- All devices will reconnect to the network.
- A record of the configuration change will remain in the security logs.
- At the next audit, this may be regarded as a violation.
If you need to temporarily connect an incompatible device, it is better to create a separate network without FIPS.