FIPS
Federal Information Processing Standard (FIPS) 140-2 is a security standard used to validate cryptographic modules. The cryptographic modules are produced by the private sector for use by the U.S. government and other regulated industries (such as financial and healthcare institutions) that collect, store, transfer, share and disseminate sensitive but unclassified (SBU) information.
Note: Cisco TrustSec (CTS) is not supported when the controller is in FIPS mode.
For more information about FIPS, see https://www.cisco.com/c/en/us/solutions/industries/government/global-government-certifications/fips-140.html.

With FIPS enabled, some passwords and pre-shared keys must have the following minimum lengths:
- For Software-Defined Access Wireless, a pre-shared key (for example, the LISP authentication key) authenticates all TCP messages between the controller and the map server. This pre-shared key must be at least 14 characters long.
- The ISAKMP key (for example, the Crypto ISAKMP key) must be at least 14 characters long.
Limitations for FIPS
- The console of APs is disabled when the controller is operating in FIPS mode.
- Weak or legacy algorithms such as SHA1 are not supported in FIPS mode.
- APs do not reload immediately when you change the FIPS status.
Note: We recommend a minimum RSA key size of 2048 bits for RADSEC when operating in FIPS mode. Otherwise, RADSEC fails.
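The minimum key lengths, the SHA1 limitation and the RSA size recommendation above are the kind of requirements an operator wants to verify before turning FIPS on, rather than discovering them as failed tunnels or a broken RADSEC session afterwards. The following script is an added example, not Cisco code or part of this guide: it audits a configuration excerpt against those three requirements (pre-shared keys of at least 14 characters, no SHA1, RSA keys of at least 2048 bits). The configuration lines are a constructed sample; `crypto isakmp key` follows the IOS form, while the `modulus` and `authentication-key` lines are simplified stand-ins for wherever the RSA key size and LISP authentication key appear in a real configuration, and the mapping of `esp-sha-hmac`/`ah-sha-hmac` to SHA-1 is an assumption about IOS transform naming.

```python
"""FIPS-readiness pre-check for a Cisco IOS-XE style configuration excerpt.

Added example (not Cisco's code). The checks encode the requirements stated
in the guide: pre-shared keys of at least 14 characters, no SHA1 in FIPS
mode, and RSA keys of at least 2048 bits for RADSEC.
"""
from __future__ import annotations

from dataclasses import dataclass

MIN_PSK_LEN = 14      # minimum pre-shared key length in FIPS mode (from the guide)
MIN_RSA_BITS = 2048   # recommended minimum RSA key size for RADSEC (from the guide)

# Tokens treated as SHA1 usage. "sha1"/"hmac-sha1" are literal; the
# esp-/ah-sha-hmac transform names denote HMAC-SHA-1 (assumption about IOS naming).
SHA1_TOKENS = {"sha1", "hmac-sha1", "esp-sha-hmac", "ah-sha-hmac"}

# Constructed sample configuration (not taken from a real device). The
# "modulus" and "authentication-key" lines are simplified placeholders.
SAMPLE_CONFIG = """\
crypto isakmp key tooShort address 192.0.2.10
crypto isakmp key Str0ngIsakmpKey!! address 192.0.2.11
crypto key generate rsa label RADSEC-WEAK modulus 1024
crypto key generate rsa label RADSEC-OK modulus 4096
crypto ipsec transform-set LEGACY esp-aes esp-sha-hmac
crypto ipsec transform-set MODERN esp-aes 256 esp-sha256-hmac
lisp-site authentication-key 0 abc
"""


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the audited text
    rule: str      # "psk-length", "rsa-size" or "sha1"
    detail: str


def psk_meets_fips_length(key: str) -> bool:
    """True when a pre-shared key satisfies the FIPS-mode minimum length."""
    return len(key) >= MIN_PSK_LEN


def audit_fips_config(config_text: str) -> list[Finding]:
    """Return every line that would violate the FIPS-mode requirements."""
    findings: list[Finding] = []
    for n, raw in enumerate(config_text.splitlines(), start=1):
        words = raw.split()
        if not words:
            continue
        lower = [w.lower() for w in words]

        # Rule 1a: ISAKMP pre-shared key ("crypto isakmp key <key> address ...").
        if lower[:3] == ["crypto", "isakmp", "key"] and len(words) > 3:
            key = words[3]
            if not psk_meets_fips_length(key):
                findings.append(Finding(n, "psk-length",
                    f"ISAKMP key is {len(key)} chars; FIPS needs at least {MIN_PSK_LEN}"))

        # Rule 1b: LISP authentication key; the key is taken as the last token
        # (the "0" before it is the IOS plaintext-encoding marker, an assumption).
        if "authentication-key" in lower:
            key = words[-1]
            if not psk_meets_fips_length(key):
                findings.append(Finding(n, "psk-length",
                    f"LISP authentication key is {len(key)} chars; FIPS needs at least {MIN_PSK_LEN}"))

        # Rule 2: RSA key size ("... modulus <bits>").
        if "modulus" in lower:
            i = lower.index("modulus")
            if i + 1 < len(words) and words[i + 1].isdigit():
                bits = int(words[i + 1])
                if bits < MIN_RSA_BITS:
                    findings.append(Finding(n, "rsa-size",
                        f"RSA modulus {bits} < {MIN_RSA_BITS}; RADSEC will fail in FIPS mode"))

        # Rule 3: SHA1 anywhere on the line.
        if any(w in SHA1_TOKENS or "sha1" in w for w in lower):
            findings.append(Finding(n, "sha1", "SHA1 is not supported in FIPS mode"))
    return findings


if __name__ == "__main__":
    for f in audit_fips_config(SAMPLE_CONFIG):
        print(f"line {f.line_no}: [{f.rule}] {f.detail}")
```

Run against the sample, the audit flags the short ISAKMP key, the 1024-bit RSA key, the SHA-1 transform set and the three-character LISP key, while the compliant lines pass. Feeding a real `show running-config` excerpt through the same function before enabling FIPS gives the operator a list of items to fix while the controller is still in its normal mode.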