FIPS Wi-Fi: What it is, how it works, and where it is used

Have you ever come across the term FIPS Wi-Fi Have you ever used FIPS in your router settings or when connecting to a corporate network? If so, you've probably wondered: what is this mode, what is it for, and why is it often required by government agencies, banks, or large companies? FIPS (Federal Information Processing Standards) isn't just an acronym; it's a whole set of security requirements that can radically change how your Wi-Fi network operates.

In this article we will look at what it is FIPS 140-2 And FIPS 140-3 In the context of wireless networks, how this standard impacts encryption, authentication, and key management, and why its use is becoming mandatory for organizations handling sensitive data. You'll learn how to enable FIPS mode on popular routers (Cisco, MikroTik, TP-Link), which security protocols it prohibits, and what pitfalls may arise when it's enabled. If you administer a network or simply want to understand why your Wi-Fi suddenly stopped supporting outdated devices, this article is for you.

What is FIPS and why is it important for Wi-Fi?

FIPS (Federal Information Processing Standards) is a set of standards developed National Institute of Standards and Technology (NIST) to ensure the security of information systems used by federal agencies. In the context of Wi-Fi, we are interested in two key documents:

  • 📜 FIPS 140-2 — a standard for cryptographic modules that defines requirements for hardware and software that processes sensitive data. This is the standard most often referred to when people talk about "FIPS Wi-Fi."
  • 🔐 FIPS 197 — describes the encryption algorithm AES (Advanced Encryption Standard), which is mandatory for use in FIPS-compliant systems.
  • 📡 FIPS 201 — a standard for identification and authentication in federal systems (including biometrics and smart cards).

When they talk about FIPS in Wi-Fi, usually imply compliance FIPS 140-2 For cryptographic operations (traffic encryption, device authentication), and the use of only approved algorithms. For example, in FIPS mode, the following are prohibited:

  • 🚫 Legacy encryption protocols: WEP, TKIP (used in WPA).
  • 🚫 Weak hashing algorithms: MD5, SHA-1.
  • 🚫 Insecure authentication methods: LEAP, PEAP-MSCHAPv1.

Instead, FIPS requires the use of:

  • AES-CCM or AES-GCM to encrypt traffic (within the framework WPA2-Enterprise or WPA3-Enterprise).
  • SHA-256 or SHA-384 for hashing.
  • EAP-TLS or EAP-TTLS with certificates for authentication.
⚠️ Attention: FIPS mode can disable support for legacy devices (e.g., older smartphones or printers) that don't support modern encryption protocols. Check your hardware's compatibility before activating!

FIPS 140-2 vs. FIPS 140-3: What's the Difference for Wi-Fi?

From September 22, 2021 FIPS 140-2 officially replaced by FIPS 140-3, but many systems still operate using the old standard. What are the key differences?

Criterion FIPS 140-2 FIPS 140-3
Year of approval 2001 (updated in 2019) 2019
Main changes Requirements for physical security of modules, vulnerability testing Stricter key generation requirements, protection against side-channel attacks, mandatory support AES-256
Support in routers Widely distributed (Cisco, Juniper, Fortinet) It is being gradually introduced (mostly in new equipment for now)
Impact on Wi-Fi Ban on WPA, mandatory use WPA2-Enterprise With AES Additionally required PMF (Protected Management Frames) and prohibits WPA2-Personal in some configurations

For most home users, the transition to FIPS 140-3 It will go unnoticed, as modern routers already support it. AES-256 And WPA3However, in corporate networks it may be necessary:

  • 🔄 Updating firmware on access points.
  • 📋 Reconfiguring the RADIUS server to support new authentication methods.
  • 📱 Replacement of legacy client devices that do not support SHA-384.
⚠️ Attention: If your organization works with government contracts in the US or EU, the transition to FIPS 140-3 May become mandatory as early as 2026–2026. Check with your regulator for requirements!
📊 Where did you first hear about FIPS?
In the router settings
At work in the IT department
In the requirements of the state institution
I read about cybersecurity in the news.
I don't remember

Where FIPS Wi-Fi Is Used: 5 Real-World Scenarios

FIPS mode in Wi-Fi isn't just a checkbox. Its use is strictly regulated in a number of industries. Here's where it's truly essential:

  1. Government agencies of the United States and NATO countries.

    Any network that processes data with a classification CUI (Controlled Unclassified Information), must comply FIPS 140-2/3This applies to schools, hospitals, military bases, and even some municipal services.

  2. Financial sector (banks, payment systems).

    Standards PCI DSS (for working with payment cards) and GLBA (Financial Services Modernization Act) require FIPS-compliant encryption for transmitting transaction data over Wi-Fi.

  3. Healthcare facilities (HIPAA).

    Law HIPAA Mandates the protection of patients' medical data. Wi-Fi networks in hospitals often operate in FIPS mode, especially if mobile devices are used to access patient records.

  4. Defense industry and aerospace sector.

    Companies working with ITAR (International Traffic in Arms Regulations) are required to use FIPS to protect technical documentation and drawings.

  5. Large corporations with high security requirements.

    Even if the law does not require it, many companies (for example, Lockheed Martin, Boeing) voluntarily implement FIPS to protect intellectual property.

In Russia and the CIS countries, FIPS is not mandatory, but may be required by:

  • 🏛️ State-owned companies working with foreign partners (for example, in joint projects with the EU or the USA).
  • 💳 Banks servicing international payment systems (Visa, Mastercard).
  • 🛡️ Organizations certified by ISO 27001, where FIPS may be part of the security policy.

How to Enable FIPS Mode on a Router: Step-by-Step Instructions

The FIPS activation process varies depending on the router model. Let's look at the most common options.

1. Cisco routers (IOS/XE)

On equipment Cisco FIPS is enabled via the CLI (command line). Example for Cisco Aironet:

enable

configure terminal

wireless profile security FIPS-PROFILE

security wpa akm dot1x

security wpa wpa2 ciphers aes-ccm

no security wpa akm psk

no security wpa akm ft-psk

no security wpa wpa2 ciphers tkip

end

Then link the profile to the access point:

interface Dot11Radio0

ssid FIPS-NETWORK

security dot1x FIPS-PROFILE

end

2. MikroTik routers (RouterOS)

IN MikroTik FIPS mode is configured via Winbox or WebFig:

  1. Go to Wireless → Security Profiles.
  2. Create a new profile or edit an existing one.
  3. In the section WPA2 select:
    • 🔒 AES-CCM as encryption.
    • 🔑 802.1X as an authentication method.
  • Turn it off WPA-PSK And TKIP.
  • 3. TP-Link/Ubiquiti (Unifi) routers

    IN TP-Link Omada or Ubiquiti Unifi FIPS is enabled via the controller:

    1. Go to your Wi-Fi network settings.
    2. Select WPA2/WPA3 Enterprise.
    3. In the section Advanced activate the option FIPS Mode (if any).
    4. Specify the address of the RADIUS server for authentication.
    5. Make sure all devices support WPA2-Enterprise|Check for certificates on the RADIUS server|Back up your router configuration|Test the connection on 1-2 devices before mass deployment-->

      After FIPS is enabled:

      • 🔄 Reboot your router and access points.
      • 📱 Connect a test device that supports WPA2-Enterprise (For example, iPhone or Android 10+).
      • 🔍 Check the logs on the RADIUS server for authentication errors.
      ⚠️ Attention: On some routers (for example, ASUS or D-Link (For the home segment) there may be no FIPS option at all. In this case, firmware with support will be required. WPA2-Enterprise (For example, OpenWRT or DD-WRT).

      Which Devices Don't Work with FIPS Wi-Fi (and What to Do)

      One of the main drawbacks of FIPS mode is incompatibility with older devicesHere are the most problematic categories:

      Device type Problem Solution
      Old smartphones (Android 7 and below, iPhone 5/5S) They don't support it. AES-CCM or SHA-256 Update the firmware or replace the device
      Printers and MFPs (HP LaserJet 2015, Canon imageRUNNER) They use WPA-PSK or TKIP Connect via cable or through a separate non-FIPS network
      Smart TVs (Samsung 2016–2018, LG WebOS 3.0) No support 802.1X Use WPA3-Personal (if allowed by security policy)
      IoT devices (Xiaomi Mi Home, Tuya Smart) Many work only with WPA2-PSK Provide them with a separate network with minimal privileges.

      If you need to support legacy devices but still comply with FIPS, consider the following options:

      • 🌐 Guest network without FIPS: Create a separate SSID with WPA2-PSK for older devices, but limit its access to internal resources.
      • 🔌 Wired connection: For printers and desktop PCs, use Ethernet.
      • 🔄 Firmware update: Some devices (eg Android 8+) may work after the update.
      What happens if I connect an incompatible device to a FIPS network?

      The device will either not see the network at all (if it's hidden from non-FIPS clients) or will receive an authentication error like "Failed to connect to the network." In the router logs, this may look like this: EAP failure or Unsupported cipher suite.

      FIPS Wi-Fi and Performance: Myths and Reality

      Many administrators fear that enabling FIPS will negatively impact Wi-Fi speed and stability. Let's explore what's true and what's a myth.

      ✅ What's true:

      • 🐢 Latency increases slightly. This involves more complex cryptographic operations (eg. SHA-384 instead of SHA-1). In real tests, the difference is ~5–15 ms.
      • 📉 Maximum throughput may be reduced. On weak routers (for example, TP-Link TL-WR841N) FIPS can "eat" up to 10-20% of CPU performance, which will affect speed with a large number of clients.
      • 🔋 Energy consumption increases. Devices have to recalculate hashes and encrypt traffic more frequently, which can reduce battery life by 5-10%.

      ❌ What is a myth:

      • 🚀 "FIPS reduces coverage radius." This is not true - the standard does not affect the transmit power or the receiver sensitivity.
      • 🌐 "FIPS blocks internet access." No, it only changes the way traffic is encrypted. If the network is configured correctly, access will remain the same.
      • 🔒 "FIPS makes the network invulnerable." The standard reduces risks, but does not protect against social engineering or vulnerabilities in router firmware.

      To minimize the impact of FIPS on performance:

      • 🔄 Use routers with hardware acceleration AES (For example, Cisco 9100 or Ubiquiti UniFi 6).
      • 📶 Divide clients by frequency: modern devices on 5 GHz, the old ones - on 2.4 GHz.
      • 🔧 Optimize your settings RADIUS-servers (for example, cache sessions EAP).

      FIPS Alternatives: When the Standard Is Redundant

      FIPS isn't the only way to secure Wi-Fi. In some cases, its requirements are excessive, and simpler solutions can be used:

      • 🔐 WPA3-Personal:

        If you don't need support for legacy devices, WPA3 With SAE (Simultaneous Authentication of Equals) provides a comparable level of security without the strict restrictions of FIPS.

      • 🛡️ IPSec or WireGuard over Wi-Fi:

        You can leave it WPA2-PSK, but encrypt all traffic through VPNThis is more difficult to set up, but more flexible.

      • 🏢 Network segmentation:

        Divide the network into VLANs: for critical data - WPA2-Enterprise, for guests - WPA2-PSK.

      • 🔑 Certificates without FIPS:

        Use EAP-TLS Without FIPS ties. This will provide strong authentication without strict restrictions on algorithms.

      When You shouldn't use FIPS:

      • 🏠 On a home network (overkill for most tasks).
      • 🛒 In a small shop or cafe (enough WPA2-PSK with a long password).
      • 🎮 For gaming consoles (PlayStation, Nintendo Switch often not supported Enterprise-modes).

      And when? FIPS is mandatory:

      • 🏛️ Working with government data (in the US - CUI, weight - GDPR for sensitive information).
      • 💳 Processing payment data (PCI DSS requires FIPS for wireless networks).
      • 🛡️ Certification by ISO 27001 or SOC 2 (may be a condition of audit).

    FAQ: Frequently Asked Questions about FIPS Wi-Fi

    ❓ Is it possible to enable FIPS on a home router?

    Technically yes, if the router supports it WPA2-Enterprise And AESBut this will require configuration. RADIUS-server (for example, on Windows Server or FreeRADIUS), which is difficult for home use. It is much easier to use WPA3-Personal.

    ❓ Why don't some devices connect after enabling FIPS?

    They most likely don't support it. AES-CCM or 802.1X. Check:

    1. What encryption protocols does the device support (in Wi-Fi settings).
    2. Does he have a certificate to authenticate on RADIUS.
    3. Does your organization's security policy block the connection of personal devices?

    ❓ How can I verify that FIPS is actually working?

    There are several ways:

    • 🔍 Check out the logs RADIUS-servers: there should be records of successful authentication by EAP-TLS.
    • 📡 In the client device settings (for example, Windows) check the connection properties: it should be specified AES And 802.1X.
    • 🛠️ Use a traffic analyzer (Wireshark) to ensure that packets are encrypted using AES-CCM.

    ❓ Are FIPS and WPA3 compatible?

    Yes, but with reservations. WPA3-Enterprise in mode 192-bit security (With AES-256 And SHA-384) meets the requirements FIPS 140-3. However, WPA3-Personal (With SAE) is not FIPS certified because it does not use 802.1X.

    ❓ Is it possible to disable FIPS temporarily and then enable it back?

    Yes, but it will violate security policy if FIPS is required by standards (e.g. PCI DSS). When disconnecting:

    • All devices will reconnect to the network.
    • A record of the configuration change will remain in the security logs.
    • At the next audit, this may be regarded as a violation.

    If you need to temporarily connect an incompatible device, it is better to create a separate network without FIPS.