Cisco Meraki Documentation

FIPS 140 Configuration Guide for Cisco Meraki

This article provides details about the configuration requirements and settings for your networking devices to meet the compliance standards of FIPS 140. These settings can be applied to networks in Meraki’s Commercial Cloud and Meraki’s Gov Cloud, a FedRAMP approved cloud service.

Overview

Federal Information Processing Standard (FIPS) 140 is a security standard used to validate cryptographic modules. The cryptographic modules are produced by the private sector for use by the U.S. government and other regulated industries (such as financial and healthcare institutions) that collect, store, transfer, share and disseminate sensitive but unclassified (SBU) information.

This configuration guide will help you make the required changes to your network to ensure your configurations comply with the FIPS 140 standards. These settings can be applied to networks in Meraki’s Commercial Cloud and Meraki’s Cloud for Government, a FedRAMP approved cloud service.

Check Cisco's documentation on FIPS 140 to learn more about FIPS 140 standards and Cisco's current and interim FIPS compliance reviews.

FIPS 140 Summary page in Meraki dashboard

The FIPS 140 Summary page in Meraki dashboard will help you see if your networks are configured to meet the FIPS 140-3 standards. This page checks all your devices, firmware, and configurations. You will be able to see if you have any deployed devices, firmware version or configuration settings which do not comply, as well as a quick link that takes you to where you can make any necessary configuration changes.

The firmware that shows a green or “allowed” status has been reviewed and attested to use a crypto module that has been through NIST’s Cryptographic Module Validation Program (CMVP). The hardware check will indicate a green or "allowed" status only if your network includes Meraki product models capable of operating the approved firmware versions in compliance with FIPS standards. Individual features and their configuration settings can be assumed to also use the CMVP validated modules unless otherwise stated.

Use of FIPS 140 Summary Page

The FIPS 140 Summary page in dashboard allows you to align your network with FIPS 140-3. The information on the page is meant to help you better understand your network's current status. Your organization's security posture and risk tolerance are unique, and managing security and privacy risks is a complex, multifaceted undertaking. No specific or implied guarantees of FIPS 140 compliance are conveyed by the information in the FIPS 140 summary page.

FIPS 140 Summary Page Access

The FIPS 140 Summary page is a Network-level feature, so the information displayed is for a single network in your organization. To find the page, go to Network-wide > Monitor > Compliance on the dashboard.

[Image: Compliance page for FIPS summary]

FIPS 140-3 Summary Page Configuration

The sections of the FIPS 140-3 Summary page are explained later in this article.

Changing certain feature configurations to meet the FIPS 140 requirements may have unintended impacts on your network. We suggest that each change is carefully considered before implementation.


Summary Page Items   Description
Toggle               The toggle at the top of the FIPS 140 summary page changes the list to show only non-compliant items.
Left-hand section    List of unique items that must be configured in a certain way to meet the FIPS 140 standards. They are divided into the sections All Devices, Switching, Wireless, and Security & SD-WAN.
Right-hand section   A short description of what is needed for FIPS 140 compliance follows each item. A blue link under each description takes you to the dashboard location where you can change the configuration of that specific feature.
Download report      The Download report button generates a CSV file, available for download, of all the FIPS 140 status data shown on the page.
Documentation icon   The documentation icon links to the place in this article that best provides additional information. It is not intended to replace other knowledge base articles that explain how to configure your devices; it provides guidance on the configuration settings required to meet FIPS 140 standards only.


Download report is not available at this time, but is "coming soon" for Meraki for Government cloud. 


All Devices

The All Devices section on the FIPS 140-3 Summary page includes configuration items that are applied Org wide. Although only a single network will be checked, when you make a configuration change for one of these items, it will apply to your organization. You must have Org Admin privileges to make some of these changes.

The sub-sections under the All Devices section are explained later in this article.

Device to cloud connectivity - hardware check

The first step to implementing FIPS 140-3 in your network is to determine if the Meraki products and firmware you use can connect to the cloud in a FIPS compliant way. Legacy devices and older firmware may not be FIPS 140 compliant.

The FIPS 140 Summary Page performs a hardware check to determine if the device-to-cloud connectivity for your network is considered FIPS 140 compliant or if you need to update your hardware.

Check our documentation on FIPS 140 Compliant Meraki Devices to learn about any device that will connect to the Meraki cloud in a FIPS 140 compliant way. For these devices, you do not need to make any dashboard configurations. If your devices and firmware are on the list, you are connecting to Meraki with FIPS 140 compliant cryptography.

When using Meraki Cloud for Government, only FIPS 140 compliant devices and firmware will be allowed. In Meraki’s Commercial Cloud you are permitted to use devices which may not be FIPS 140 compliant.

If you are not using FIPS 140 compliant products and wish to connect to Meraki Cloud for Government or for your whole network to align with the FIPS standards while in Meraki Commercial Cloud, please work with your sales team to acquire suitable devices.

Your network’s FIPS 140-3 Summary page will show the status of the device connectivity check as follows:

Status Indicator   Description
Red                No device in the network is FIPS 140 compatible.
Partial            Some of the devices in the network, but not all, are FIPS 140 compatible.
Green              All the devices in the network are FIPS 140 compatible.

Device to cloud connectivity - firmware check

The FIPS 140 Summary Page performs a firmware check to determine if the firmware is considered FIPS 140 compliant or if you need to update your firmware.

Check our documentation on FIPS 140 Compliant Meraki Devices to learn about firmware that will connect to the Meraki cloud in a FIPS 140 compliant way. If your devices and firmware are on the list, you are connecting to Meraki with FIPS 140 compliant cryptography.

If your firmware is not on the list, you may require a firmware upgrade to bring your devices into compliance. Check our documentation on Firmware Upgrade Management for more information.

Your network’s FIPS 140-3 Summary page will show the firmware connectivity status check as follows:

Status Indicator   Description
Red                The network is not using a FIPS 140 compatible firmware version.
Green              The network is using a FIPS 140 compatible firmware version.

SNMP Access

Your network’s SNMP configuration must use SNMPv3 with SHA and AES128 or higher AES encryption key sizes to be FIPS 140-3 compliant.
Check our documentation on SNMP Overview and Configuration to learn about the configuration options.

SNMP Access is not available in the Meraki for Government cloud.

A known issue exists where SNMP Access is incorrectly showing "green" status when it should be "red".  This will be resolved in a future Meraki Dashboard update.  


If you are allowing SNMP access, you must select V3 (username/passwords) and make sure that V1/V2c (community string) is not selected in the Reporting section of Network-wide > Configure > General page in the dashboard.

To check the SNMP Access configuration of your network, do the following:

  1. Click the SNMP Access settings link on your network's FIPS 140-3 Summary page to go to the SNMP access settings.
  2. Check that the V3 (username/passwords) option for SNMP access is selected from the drop-down and not V1/V2c (community string).
  3. Check that each SNMP user's passphrase is greater than or equal to 14 characters in length.

The following image shows the required settings:

[Image: FIPS summary reporting settings]

Your network’s FIPS 140-3 Summary page will show the status of SNMP Access as follows:

Status Indicator   Description
Red                V1/V2c (community string) is not selected.
Green              V3 (username/passwords) is selected.
Not in use         SNMP access is disabled for your network.

SNMP

Your network’s SNMP configuration must use SNMPv3 with SHA and AES128 and higher AES algorithm key lengths to be FIPS 140-3 compliant.
Check our documentation on SNMP Overview and Configuration to learn about the configuration options.

SNMP is not available in the Meraki for Government cloud.

Your network’s FIPS 140-3 Summary page will show the status of SNMP as follows:

Status Indicator   Description
Red                SNMP V2C is selected instead of SNMPv3.
Green              SNMPv3 is selected.
Not in use         SNMP is not being used in the network.

To further check the SNMP configuration of your network, do the following:

  1. Click the SNMP settings link on your network's FIPS 140-3 Summary page to go to the SNMP settings section of the Organization > Configure > Settings page in the dashboard.
  2. Check that the SNMP V2C disabled option for Version 2C is selected from the drop-down menu.
  3. Check that the SNMP V3 enabled option for Version 3 is selected from the drop-down menu.
  4. Check that the SHA option for Authentication mode is selected from the drop-down menu.
  5. Check that the Authentication password is greater than or equal to 14 characters in length.
  6. Check that the AES128 option for Privacy mode is selected from the drop-down menu.
  7. Check that the Privacy password is greater than or equal to 14 characters in length.

[Image: FIPS summary SNMP settings]
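The two SNMP checks above (the network-level SNMP Access item and the organization-level SNMP item) as an added offline checker; this is example code, not Meraki's own. The dictionaries are constructed samples, and their key names (access, users, v2cEnabled, v3Enabled, v3AuthMode, v3PrivMode, v3AuthPass, v3PrivPass) are assumptions modelled on the Dashboard API's SNMP settings that must be verified against the API reference before use on real responses.

```python
"""Offline FIPS 140-3 SNMP configuration check (added example, not Meraki code).

The sample dictionaries are constructed; their key names are assumptions
modelled on the Meraki Dashboard API SNMP settings (network-level and
organization-level) and must be verified against the API reference.
"""
from dataclasses import dataclass

MIN_PASSPHRASE_LEN = 14                          # minimum length stated in this article
ALLOWED_AUTH = {"SHA"}                           # SHA required; MD5 is not allowed
ALLOWED_PRIV = {"AES128", "AES192", "AES256"}    # AES128 or higher; DES is not allowed


@dataclass
class Finding:
    item: str
    status: str      # "red", "green" or "not in use", as on the summary page
    reasons: list


def check_network_snmp_access(access: dict) -> Finding:
    """Network-wide > Configure > General > Reporting > SNMP access."""
    mode = access.get("access", "none")
    if mode == "none":
        return Finding("SNMP Access", "not in use", ["SNMP access is disabled"])
    if mode == "community":
        return Finding("SNMP Access", "red", ["V1/V2c (community string) is selected"])
    if mode == "users":
        short = [u.get("username", "?") for u in access.get("users", [])
                 if len(u.get("passphrase", "")) < MIN_PASSPHRASE_LEN]
        if short:
            return Finding("SNMP Access", "red",
                           [f"passphrase shorter than {MIN_PASSPHRASE_LEN} characters "
                            f"for user(s): {', '.join(short)}"])
        return Finding("SNMP Access", "green", ["V3 (username/passwords) is selected"])
    return Finding("SNMP Access", "red", [f"unrecognised access mode {mode!r}"])


def check_org_snmp(org: dict) -> Finding:
    """Organization > Configure > Settings > SNMP."""
    v2c = bool(org.get("v2cEnabled"))
    v3 = bool(org.get("v3Enabled"))
    if not v2c and not v3:
        return Finding("SNMP", "not in use", ["SNMP is not being used"])
    reasons = []
    if v2c:
        reasons.append("SNMP V2C is enabled; it must be disabled")
    if v3:
        auth = org.get("v3AuthMode", "")
        priv = org.get("v3PrivMode", "")
        if auth not in ALLOWED_AUTH:
            reasons.append(f"authentication mode {auth!r} is not SHA")
        if priv not in ALLOWED_PRIV:
            reasons.append(f"privacy mode {priv!r} is not AES128 or higher")
        for name in ("v3AuthPass", "v3PrivPass"):   # assumed keys; the API may not return secrets
            if len(org.get(name, "")) < MIN_PASSPHRASE_LEN:
                reasons.append(f"{name} shorter than {MIN_PASSPHRASE_LEN} characters")
    else:
        reasons.append("SNMP V3 is not enabled")
    if reasons:
        return Finding("SNMP", "red", reasons)
    return Finding("SNMP", "green", ["SNMPv3 with SHA and AES128 or higher is selected"])


# Constructed samples: one compliant organization, one that still has V2C on,
# one network using a community string and one using V3 users.
ORG_COMPLIANT = {"v2cEnabled": False, "v3Enabled": True, "v3AuthMode": "SHA",
                 "v3PrivMode": "AES128", "v3AuthPass": "correct-horse-battery",
                 "v3PrivPass": "staple-lantern-orbit"}
ORG_V2C_STILL_ON = dict(ORG_COMPLIANT, v2cEnabled=True)
NET_COMMUNITY = {"access": "community", "communityString": "public"}
NET_USERS_OK = {"access": "users",
                "users": [{"username": "monitor", "passphrase": "fourteen-chars!"}]}

if __name__ == "__main__":
    for f in (check_org_snmp(ORG_COMPLIANT), check_org_snmp(ORG_V2C_STILL_ON),
              check_network_snmp_access(NET_COMMUNITY),
              check_network_snmp_access(NET_USERS_OK)):
        print(f"{f.item:12} {f.status:10} {'; '.join(f.reasons)}")
```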

Syslog

Check our documentation on Syslog Server Overview and Configuration to learn about Syslog servers and configuration.

Syslog uses MD5 shared secrets which is insecure and not allowed per the FIPS 140-3 standards. To be FIPS 140 compliant, your network must disable Syslog. 

To check that there are no syslog servers for your network, do the following:

  • Click the Syslog settings link on your network's FIPS 140-3 Summary page to go to the Reporting section of Network-wide > Configure > General page in the dashboard.
  • Make sure there are no syslog servers for your network in the Syslog servers field.

The following image shows there are no syslog servers for the network:

[Image: FIPS summary syslog settings]

Your network’s FIPS 140-3 Summary page will show the status of Syslog as follows:

Status Indicator   Description
Red                A syslog server has been added.
Not in use         Syslog server is not in use in the network.

Security & SD-WAN

Since MX devices are used for site-to-site communications, changing the VPN settings requires you to be an Organization Administrator.   

Some MX models do not use the CMVP validated firmware modules for encryption but instead use hardware-based crypto acceleration. When configured to meet the settings outlined in this article, these models would be considered compatible with FIPS 140, as they only use FIPS 140 allowed cryptography, but would not be considered FIPS 140 compliant because they do not use the CMVP validated firmware module. Every organization's security posture and risk tolerance is unique. You have to assess if this is acceptable for your organization.

If you have a security & SD-WAN device in your network, you have to check whether it is compliant with FIPS 140 standards. The Security & SD-WAN section in the FIPS 140 Summary page will show whether your device is compliant with FIPS 140 standards.

The sub-sections under the Security & SD-WAN section are explained later in this article.

Access Control

If you are using Access Control with the MX Splash page, certain settings are not compliant with FIPS 140. Sign-on with my RADIUS Server, Facebook log-in, and 3rd party credentials are not allowed.   

If a Facebook user or 3rd party credentials has set up 2-factor authentication, then it could possibly be FIPS-140 compatible, but since it is unknown if this is the case for any given user, these options must not be implemented in your network.

Your network’s FIPS 140-3 Summary page will show the status of Access Control as follows:

Status Indicator   Description
Red                my RADIUS Server, Facebook log-in, or 3rd party credentials is selected.
Not in use         None or Click-through is selected.

The image below shows an example of a FIPS 140 compliant setting.

The image shows the Network Access for Splash page set to None (direct access).

AnyConnect Authentication and Access

RADIUS and Active Directory are not allowed due to non-compliance with FIPS 140. Meraki Cloud Authentication is FIPS 140 compliant.

Your network’s FIPS 140-3 Summary page will show the status of AnyConnect Authentication and Access as follows:

Status Indicator   Description
Red                RADIUS or Active Directory is selected.
Green              Meraki Cloud Authentication is selected.

The image below shows the FIPS 140 compliant Authentication and Access settings.

[Image: FIPS summary authentication and access settings]

Client VPN 

A known issue exists where Client VPN is incorrectly showing "green" status when it should be "red".  Client VPN currently allows IKEv1 to be used. In a future MX firmware update IKEv1 will be deprecated and IKEv2 will be added and Client VPN will become FIPS 140 compliant.  

Client VPN Authentication

RADIUS and Active Directory are not allowed due to non-compliance with FIPS 140. Meraki Cloud Authentication is FIPS 140 compliant.

Your network’s FIPS 140-3 Summary page will show the status of Client VPN Authentication as follows:

Status Indicator   Description
Red                RADIUS or Active Directory is selected.
Green              Meraki Cloud Authentication is selected.

Client VPN Shared Secret

The shared secret that is used must be a minimum of 14 characters.

Your network’s FIPS 140-3 Summary page will show the status of Client VPN Shared Secret as follows:

Status Indicator   Description
Red                Shared secret is less than 14 characters.
Green              Shared secret is 14 characters or greater.

The image below shows the FIPS 140 compliant Shared Secret and Authentication settings.

[Image: FIPS summary shared secret and authentication settings]

Non-Meraki VPN IKE Version – Site to site VPN

If you are using Non-Meraki VPNs, you must ensure that your IKE version and IPSec Policies are configured in a FIPS 140 compatible way.   

For Non-Meraki VPN peers, IKEv2 must be selected.  IKEv1 does not use cryptographic algorithms that are validated for FIPS 140, thus you must use IKEv2. 

The IKE version section is in the Site-to-site VPN page in dashboard. To go to the Site-to-site VPN page, do the following:

  1. Click the Site-to-site VPN link in Security & SD-WAN section on your network's FIPS 140-3 Summary page.
  2. The Site-to-site VPN page opens under Security & SD-WAN > Site-to-site VPN section in the dashboard.
    • Look for IKE version under Non-Meraki VPN Peers. IKEv2 must be selected.

The image shows Non-Meraki peers with IKEv2 selected.

Your network’s FIPS 140-3 Summary page will show the status of Non-Meraki VPN IKE Version as follows:

Status Indicator   Description
Red                IKEv1 is used.
Green              IKEv2 is used.

Non-Meraki VPN IPsec Policies – Site to site VPN

When you first navigate to the Site-to-site VPN page in the dashboard by clicking the IPsec policies Setting link on your network's FIPS 140-3 Summary page, the IPsec policies (look for IPsec policies in the table under Non-Meraki VPN Peers) will be set to either Default or Custom. To change your settings to meet FIPS 140 standards you must open the Custom menu by hovering over the green underlined text (either Default or Custom) to bring up the policies window, then make the following change:

  • Select Custom for the “Choose a Preset” option.

Your network’s FIPS 140-3 Summary page will show the status of Non-Meraki VPN IPsec Policies as follows:

Status Indicator   Description
Red                Default is used.
Green              Custom is used.

Phase 1 IPsec policies Encryption - Site to site VPN

For Non-Meraki VPN peers, IPsec policies Encryption must only use FIPS 140 allowed encryption. AES encryption is a symmetric encryption algorithm. AES cryptographic key lengths of 128 and higher, to include 128, 192, and 256 are compliant with FIPS 140. 3DES is not compliant and must not be used.

Your network’s FIPS 140-3 Summary page will show the status of Phase 1 IPsec policies Encryption as follows:

Status Indicator   Description
Red                3DES is used.
Green              AES cryptographic key lengths of 128, 192, or 256 are used.

Phase 1 IPsec policies Authentication - Site to site VPN

For Non-Meraki VPN peers, IPsec policies Authentication must only use FIPS 140 allowed algorithms. SHA256 is compliant with FIPS 140. SHA1 and MD5 are not compliant and must not be used.

Your network’s FIPS 140-3 Summary page will show the status of Phase 1 IPsec policies Authentication as follows:

Status Indicator   Description
Red                Either SHA1 or MD5 is used.
Green              SHA256 is used.

Phase 1 IPsec policies Diffie-Hellman group - Site to site VPN

For Non-Meraki VPN peers, the IPsec policies Diffie-Hellman group must be one that FIPS 140 allows. Group 14 is compliant with FIPS 140. Groups 1, 2 and 5 are not compliant and must not be used.

Your network’s FIPS 140-3 Summary page will show the status of Phase 1 IPsec policies Diffie-Hellman group as follows:

Status Indicator   Description
Red                Group 1, 2, or 5 is used.
Green              Group 14 is used.

Phase 2 IPsec policies Encryption - Site to site VPN

For Non-Meraki VPN peers, IPsec policies Encryption must only use FIPS 140 allowed encryption. AES encryption is a symmetric encryption algorithm. AES cryptographic key lengths of 128, 192, and 256 are compliant with FIPS 140. 3DES and NULL are not compliant and must not be used.

Your network’s FIPS 140-3 Summary page will show the status of Phase 2 IPsec policies Encryption as follows:

Status Indicator   Description
Red                3DES or NULL is used.
Green              AES cryptographic key lengths of 128, 192, or 256 are used.

Phase 2 IPsec policies Authentication - Site to site VPN

For Non-Meraki VPN peers, IPsec policies Authentication must only use FIPS 140 allowed algorithms. SHA256 is compliant with FIPS 140. SHA1 and MD5 are not compliant and must not be used.

Your network’s FIPS 140-3 Summary page will show the status of Phase 2 IPsec policies Authentication as follows:

Status Indicator   Description
Red                SHA1 or MD5 is used.
Green              SHA256 is used.

Phase 2 IPsec policies PFS - Site to site VPN

For Non-Meraki VPN peers, the IPsec policies PFS group must be one that FIPS 140 allows. Group 14 is compliant with FIPS 140. Groups 1, 2 and 5 are not compliant and must not be used.

Your network’s FIPS 140-3 Summary page will show the status of Phase 2 IPsec policies PFS as follows:

Status Indicator   Description
Red                Group 1, 2, or 5 is used.
Green              Group 14 is used.

The image below shows how your Settings pop-up window should look when all the FIPS 140 compliant settings are selected:

The image shows custom settings for Phase 1 and Phase 2 IP Sec policies.
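The IKE version and Phase 1/Phase 2 IPsec policy rules above, collected into one added offline checker that evaluates a Non-Meraki VPN peer and reports each summary-page item as red or green; this is example code, not Meraki's own. The peer dictionaries are constructed samples, and their key names (ikeVersion, ipsecPoliciesPreset, ipsecPolicies and the algorithm lists inside it) are assumptions modelled on the Dashboard API's third-party VPN peer object that must be verified against the API reference before use on real data.

```python
"""FIPS 140-3 check for Non-Meraki VPN peers: IKE version and IPsec policies.

Added example, not Meraki's own code. The peer dictionaries below are
constructed samples; their key names are assumptions modelled on the
third-party VPN peer object of the Meraki Dashboard API and must be checked
against the API reference before being used on real responses.
"""

# Allowed values taken from this article. Encryption: AES with 128, 192 or
# 256-bit keys (3DES and NULL are not allowed). Authentication: SHA256 (SHA1
# and MD5 are not allowed). Diffie-Hellman / PFS: group 14 (1, 2, 5 are not).
ALLOWED_ENCRYPTION = {"aes128", "aes192", "aes256"}
ALLOWED_AUTH = {"sha256"}
ALLOWED_DH_GROUPS = {14}


def _algo(value):
    """Normalise 'AES-256', 'aes256', 'SHA 256' etc. to a compact lower-case token."""
    return str(value).lower().replace("-", "").replace(" ", "").replace("_", "")


def _group(value):
    """'group14', 'Group 14' or 14 -> 14; 'disabled' or anything non-numeric -> -1."""
    digits = "".join(ch for ch in str(value) if ch.isdigit())
    return int(digits) if digits else -1


def _disallowed(item, values, allowed, normalise):
    """One reason per configured value outside the allowed set. An empty
    selection is itself reported, because nothing compliant is configured."""
    if not values:
        return [f"{item}: nothing configured"]
    return [f"{item}: {v!r} is not FIPS 140 allowed" for v in values
            if normalise(v) not in allowed]


def check_peer(peer):
    """Evaluate one Non-Meraki VPN peer against every site-to-site VPN item on
    the summary page. Returns {item name: (status, [reasons])}."""
    results = {}
    ike = str(peer.get("ikeVersion", ""))
    results["IKE Version"] = (("green", []) if ike == "2" else
                              ("red", [f"IKEv{ike or '?'} is used; IKEv2 is required"]))
    preset = str(peer.get("ipsecPoliciesPreset", "default")).lower()
    results["IPsec Policies"] = (("green", []) if preset == "custom" else
                                 ("red", ["Default preset is used; Custom is required"]))
    policies = peer.get("ipsecPolicies", {})
    checks = [
        ("Phase 1 Encryption", "ikeCipherAlgo", ALLOWED_ENCRYPTION, _algo),
        ("Phase 1 Authentication", "ikeAuthAlgo", ALLOWED_AUTH, _algo),
        ("Phase 1 Diffie-Hellman group", "ikeDiffieHellmanGroup", ALLOWED_DH_GROUPS, _group),
        ("Phase 2 Encryption", "childCipherAlgo", ALLOWED_ENCRYPTION, _algo),
        ("Phase 2 Authentication", "childAuthAlgo", ALLOWED_AUTH, _algo),
        ("Phase 2 PFS", "childPfsGroup", ALLOWED_DH_GROUPS, _group),
    ]
    for item, key, allowed, normalise in checks:
        reasons = _disallowed(item, policies.get(key, []), allowed, normalise)
        results[item] = ("red", reasons) if reasons else ("green", [])
    return results


def overall(results):
    """Red if any item is red, otherwise green."""
    return "red" if any(status == "red" for status, _ in results.values()) else "green"


# Constructed samples: one peer configured as this article requires, and one
# legacy peer still on IKEv1 with the Default preset and 3DES/SHA1/group 2.
PEER_COMPLIANT = {
    "name": "dc-firewall", "ikeVersion": "2", "ipsecPoliciesPreset": "custom",
    "ipsecPolicies": {
        "ikeCipherAlgo": ["aes256"], "ikeAuthAlgo": ["sha256"],
        "ikeDiffieHellmanGroup": ["group14"],
        "childCipherAlgo": ["aes256"], "childAuthAlgo": ["sha256"],
        "childPfsGroup": ["group14"],
    },
}
PEER_LEGACY = {
    "name": "old-branch", "ikeVersion": "1", "ipsecPoliciesPreset": "default",
    "ipsecPolicies": {
        "ikeCipherAlgo": ["tripledes", "aes128"], "ikeAuthAlgo": ["sha1"],
        "ikeDiffieHellmanGroup": ["group2"],
        "childCipherAlgo": ["null"], "childAuthAlgo": ["md5"],
        "childPfsGroup": ["disabled"],
    },
}

if __name__ == "__main__":
    for peer in (PEER_COMPLIANT, PEER_LEGACY):
        results = check_peer(peer)
        print(f"{peer['name']}: {overall(results)}")
        for item, (status, reasons) in results.items():
            print(f"  {status:5} {item}" + (f" ({'; '.join(reasons)})" if reasons else ""))
```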

SSID Security

When your MX device has wireless networking enabled, you must ensure that your SSID Security is using FIPS 140 allowed cryptography. You must use the following settings to meet FIPS 140 standards: 

  • Meraki Authentication
  • WPA Key must be 14 characters or more
  • WPA encryption mode must be WPA2 only

For your SSID Security, WEP is not allowed. You must use WPA2 PSK or WPA2 Enterprise to ensure you are using FIPS 140 compliant cryptography.

Open networks are allowed, as they use no encryption that is non-compliant with the FIPS 140 standards; however, it is best practice to secure your wireless network. You may select the Open option and still be compliant with FIPS 140, although it is not recommended.

Your network’s FIPS 140-3 Summary page will show the status of SSID Security as follows:

Status Indicator   Description
Red                WEP is selected.
Green              WPA2 PSK or WPA2 is selected.

The image below shows the available selections, with WPA2 Enterprise, a FIPS 140 compliant option, selected.

The image shows Wireless settings with WPA2 Enterprise selected for Security.

SSID Authentication

For your SSID Authentication, RADIUS is not allowed. You must use Meraki Authentication to ensure you are compatible with FIPS 140 standards.

Your network’s FIPS 140-3 Summary page will show the status of SSID Authentication as follows:

Status Indicator   Description
Red                RADIUS is selected.
Green              Meraki Authentication is selected.

SSID WPA Key

For your SSID WPA key, you must use 14 characters or more to ensure you are compatible with FIPS 140 standards.

Your network’s FIPS 140-3 Summary page will show the status of SSID WPA Key as follows:

Status Indicator   Description
Red                A key length of less than 14 characters is used.
Green              A key length of 14 or more characters is used.

SSID WPA Encryption mode

For your SSID WPA Encryption mode, WPA is not allowed. You must use WPA2 only to ensure you are compatible with FIPS 140 standards.

Your network’s FIPS 140-3 Summary page will show the status of SSID WPA Encryption mode as follows:

Status Indicator   Description
Red                WEP is selected.
Green              WPA2 is selected.

You must ensure that you select FIPS compliant settings for every SSID that you have in your network.  

The image below shows FIPS 140 compliant settings for SSID 1 and SSID 2 in this network example.

This image shows SSID1 and SSID2 with FIPS 140 compliant configurations.  SSID1 is configured with WPA2 PSK, a 14 character WPA key and WPA encryption mode set to WPA2 only. SSID2 is configured with WPA2 Enterprise, Meraki Authentication and WPA encryption mode set to WPA2.

Routing

Security & SD-WAN routing may use OSPF protocol with MD5 authentication. MD5 authentication is insecure and not allowed per the FIPS 140-3 standards.

If your network uses OSPF, then MD5 Authentication must be unselected. The image below shows OSPF routing Enabled and Authentication Disabled.

The image shows Routing protocol OSPF enabled with Authentication method Disabled.

Check our documentation on MX Routing Behavior to learn about MX routing.

Your network’s FIPS 140-3 Summary page will show the status of Routing as follows:

Status Indicator   Description
Red                OSPF is enabled and Authentication is set to MD5.
Green              OSPF is enabled and Authentication is set to disabled.
Not in use         OSPF is not in use.

Switching

If you have a switching device in your network, you have to check whether it is compliant with FIPS 140 standards. The Switching section in the FIPS 140 Summary page will show whether your device is compliant with FIPS 140 standards.

The sub-sections under the Switching section are explained later in this article.

OSPF

Check our documentation on OSPF Overview to learn about OSPF configuration.

Open Shortest Path First (OSPF) routing may use MD5 authentication which is insecure and not allowed as per the FIPS 140-3 standards.   

If your network uses OSPF, then MD5 authentication must be disabled to be compliant with FIPS 140-3 standards. 

The following image shows the scenario when OSPF routing is enabled:

[Image: OSPF routing enabled]

The following image shows the scenario when MD5 authentication is disabled:

[Image: MD5 authentication disabled]

To check whether MD5 authentication is disabled, do the following:

  1. Click the OSPF setting link on your network's FIPS 140-3 Summary page to go to the OSPF routing section of the Switching > Configure page in the dashboard.
  2. Make sure the OSPF field is enabled.
  3. Make sure the MD5 authentication field under the Authentication section is disabled.

Your network’s FIPS 140-3 Summary page will show the status of OSPF as follows:

Status Indicator   Description
Red                OSPF routing is enabled in the network and MD5 Authentication is also enabled.
Green              OSPF routing is enabled in the network and MD5 Authentication is disabled.
Not in use         OSPF routing is not in use and is disabled.

Access Policies

Check our documentation on MS Switch Access Policies to learn about the authentication method for switching.

To be compliant with FIPS 140 standards, you must choose Meraki Authentication as the authentication method in your switch access policy. Using my RADIUS server as an authentication method will fail to be FIPS 140 compliant.

The following image shows the setting when Meraki Authentication is selected:

[Image: Access policy with Meraki Authentication selected]

To check the authentication method, do the following:

  • Click the Authentication method setting link on your network's FIPS 140-3 Summary page to go to the Access policies section of Switching > Configure page in the dashboard.
  • Make sure that Meraki Authentication is selected from the drop-down menu in the Authentication method field.

Your network’s FIPS 140-3 Summary page will show the status of Access Policies as follows:

Status Indicator   Description
Red                my RADIUS server is selected.
Green              Meraki authentication is selected.
Not in use         Access policies are not in use in the network.

Wireless

If you have a wireless device in your network, you have to check whether it is compliant with FIPS 140 standards. The Wireless section in the FIPS 140 Summary page will show whether your device is compliant with FIPS 140 standards.

The sub-sections under the Wireless section are explained later in this article.

Security

The Security section under Wireless on the FIPS 140 Summary page states that if any RADIUS selections are made in your network, you must verify that the RadSec option is enabled. This ensures that RADIUS traffic is sent using a FIPS 140 compatible encryption method.

The options for the RADIUS-based authentication methods are available in the Access control page of the dashboard.

To go to the Access control page, do the following:

  1. Click the RADIUS settings link in the Security section on your network's FIPS 140-3 Summary page.
  2. On the SSIDs Configuration overview page that opens, click on edit settings.
  3. The Access control page opens under the Wireless > Configure section in the dashboard.
    • Security is one of the sections on the Access control page.

The compatible settings are as follows:

  • Opportunistic Wireless Encryption (OWE)
  • Password
  • Enterprise with Meraki Cloud Authentication
  • Identity PSK without RADIUS

Open (no encryption) setting does not use cryptographic algorithms, so it is not scrutinized for adherence to FIPS 140-3 standards.

Authentication methods such as MAC-based access control (no encryption) and Enterprise with my RADIUS server must be disabled, because RADIUS uses MD5 shared secrets and MD5 is considered weak and not compliant with FIPS-140.

The image below shows all RADIUS options unselected and “Opportunistic Wireless Encryption (OWE)” selected, a setting compatible with FIPS 140-3.

[Image: FIPS summary security settings]

The image below shows the 3 selections that could be chosen for Enterprise. If using Enterprise, you must choose Meraki Cloud Authentication as it is the only selection which is FIPS 140-3 compatible.

[Image: Enterprise selections on the FIPS summary]

Your network’s FIPS 140-3 Summary page will show the status of Access control as follows:

Status Indicator   Description
Red                MAC based access control (no encryption), or Enterprise with my RADIUS server, or Enterprise with Local Auth, or Identity PSK with RADIUS without RadSec is selected.
Green              Opportunistic Wireless Encryption (OWE), or Password, or Enterprise with Meraki Cloud Authentication, or Identity PSK without RADIUS, or Enterprise with my RADIUS server with RadSec, or Identity PSK with RADIUS with RadSec is selected.
Not in use         Open (no encryption) is selected.

Check our documentation on Access Control to learn about Wireless Access controls.

WPA Encryption

The WPA Encryption section under Wireless on the FIPS 140 Summary page states that WPA key length must be greater than or equal to 14 characters, and WPA2 or WPA3 must be used.

You must select WPA2 only, WPA3 only, or WPA3 Transition Mode when configuring your SSID to be FIPS 140 compliant. Since TKIP is not FIPS 140 compliant, WPA1 must not be used. The WPA key length must be at least 14 characters.

The WPA encryption section is in the Access control page in dashboard. To go to the Access control page, do the following:

  1. Click the SSID settings link in the WPA encryption section on your network's FIPS 140-3 Summary page.
  2. On the SSIDs Configuration overview page that opens, click on edit settings.
  3. The Access control page opens under the Wireless > Configure section in the dashboard.
    • WPA encryption is one of the sections on the Access control page.

The image below shows WPA2 only selected, which is an acceptable option.

[Image: WPA2 only selected on the FIPS summary]

Your network’s FIPS 140-3 Summary page will show the status of WPA Encryption as follows:

Status Indicator   Description
Red                WPA or WPA1 and WPA2 is selected.
Green              WPA2 only, or WPA3 Transition mode, or WPA3 only is selected.
Not in use         None of the options are selected or in use.

Check our documentation on Access Control to learn about WPA Encryption.
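The Security and WPA Encryption rules above (RADIUS modes are green only with RadSec; WPA1 in any form is red; a WPA key needs 14 or more characters), combined into one added offline checker for a list of SSIDs; the same key-length and WPA2-only rules apply to the MX SSID section earlier in this article. This is example code, not Meraki's own. The SSID dictionaries are constructed samples; the key names (security, radsec, wpa_encryption_mode, wpa_key) are assumptions for this example, while the values are the option labels used on this page, so real Dashboard API SSID responses would have to be mapped onto these keys first.

```python
"""FIPS 140-3 check for a wireless SSID's Security and WPA Encryption settings.

Added example, not Meraki's own code. The SSID dictionaries are constructed
samples and the key names (security, radsec, wpa_encryption_mode, wpa_key)
are assumptions for this example; the values are the option labels this
article uses. Map real Dashboard API SSID responses onto these keys first.
"""

MIN_WPA_KEY_LEN = 14

# Security (Access control page) classification from the summary-page table.
OPEN = "Open (no encryption)"                       # not scrutinised
GREEN_MODES = {
    "Opportunistic Wireless Encryption (OWE)", "Password",
    "Enterprise with Meraki Cloud Authentication", "Identity PSK without RADIUS",
}
RADSEC_REQUIRED_MODES = {                           # green only when RadSec is on
    "Enterprise with my RADIUS server", "Identity PSK with RADIUS",
}
RED_MODES = {"MAC-based access control (no encryption)", "Enterprise with Local Auth"}

# WPA encryption classification: WPA1 (TKIP) in any form is red.
WPA_GREEN = {"WPA2 only", "WPA3 Transition Mode", "WPA3 only"}
WPA_RED = {"WPA1 only", "WPA1 and WPA2"}

RANK = {"not in use": 0, "green": 1, "red": 2}      # for picking the worst status


def check_security(ssid):
    """Security item: returns (status, reason)."""
    mode = ssid.get("security", "")
    if mode == OPEN:
        return "not in use", "Open (no encryption) uses no cryptography"
    if mode in GREEN_MODES:
        return "green", f"{mode} is selected"
    if mode in RADSEC_REQUIRED_MODES:
        if ssid.get("radsec"):
            return "green", f"{mode} with RadSec is selected"
        return "red", f"{mode} without RadSec is selected; RADIUS traffic must use RadSec"
    if mode in RED_MODES:
        return "red", f"{mode} is selected"
    return "red", f"unrecognised security mode {mode!r}; verify manually"


def check_wpa_encryption(ssid):
    """WPA Encryption item: mode must be WPA2/WPA3 and any WPA key >= 14 chars."""
    mode = ssid.get("wpa_encryption_mode")
    if not mode:
        return "not in use", "no WPA encryption mode configured"
    if mode in WPA_RED:
        return "red", f"{mode} is selected; WPA1 (TKIP) is not FIPS 140 compliant"
    if mode not in WPA_GREEN:
        return "red", f"unrecognised WPA encryption mode {mode!r}; verify manually"
    key = ssid.get("wpa_key")
    if key is not None and len(key) < MIN_WPA_KEY_LEN:
        return "red", f"WPA key is {len(key)} characters; at least {MIN_WPA_KEY_LEN} required"
    return "green", f"{mode} is selected"


def check_ssid(ssid):
    """Both items for one SSID, plus the worse of the two as 'overall'."""
    security = check_security(ssid)
    wpa = check_wpa_encryption(ssid)
    worst = max((security[0], wpa[0]), key=RANK.__getitem__)
    return {"Security": security, "WPA Encryption": wpa, "overall": worst}


# Constructed samples covering each row of the summary-page tables.
SSIDS = [
    {"name": "guest-owe", "security": "Opportunistic Wireless Encryption (OWE)"},
    {"name": "staff-psk", "security": "Password", "wpa_key": "fourteen-chars!",
     "wpa_encryption_mode": "WPA2 only"},
    {"name": "iot-short-key", "security": "Password", "wpa_key": "short",
     "wpa_encryption_mode": "WPA2 only"},
    {"name": "corp-radius", "security": "Enterprise with my RADIUS server",
     "radsec": False, "wpa_encryption_mode": "WPA1 and WPA2"},
    {"name": "corp-radsec", "security": "Enterprise with my RADIUS server",
     "radsec": True, "wpa_encryption_mode": "WPA3 only"},
]

if __name__ == "__main__":
    for ssid in SSIDS:
        report = check_ssid(ssid)
        print(f"{ssid['name']:14} overall={report['overall']}")
        for item in ("Security", "WPA Encryption"):
            status, reason = report[item]
            print(f"    {status:10} {item}: {reason}")
```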

Splash Page

When choosing a Splash Page configuration that is compatible with FIPS 140-3, you must select options where RADIUS authentication is disabled and which do not use MD5 encryption.

The following setting for Splash Page is compatible with FIPS 140-3:

  • Sign on with Meraki Cloud Authentication

The following settings do not use cryptographic algorithms, so they are not scrutinized for adherence to FIPS 140-3 standards: 

  • None
  • Click-through
  • Sponsored guest login
  • Sign-on with SMS Authentication
  • Billing

“Cisco Identity Services Engine (ISE) authentication” is an additional setting that may be FIPS 140 compliant but managing the configuration to ensure compliance is not done through the Meraki dashboard. Cisco ISE can be run in “FIPS mode” to assure FIPS 140 compliance but Meraki Dashboard is unable to determine if that has been done. For purposes of the FIPS 140 Summary Page, we will treat Cisco ISE as a non-compliant method of Splash page authentication. 

The image below shows “Sign on with Meraki Cloud Authentication” which is a FIPS 140 compatible setting.

[Image: Splash page settings on the FIPS summary]

Your network’s FIPS 140-3 Summary page will show the status of Splash Page as follows:

Status Indicator   Description
Red                Sign on with my RADIUS server without RadSec, or Sign on with my LDAP server, or Sign on with Active Directory, or Sign on with Google OAuth is selected.
Green              Sign on with Meraki Cloud Authentication or Sign on with my RADIUS server with RadSec is selected.
Not in use         None, or Click-through, or Sponsored guest login, or Sign-on with SMS Authentication, or Billing is selected.

Check our documentation on Access Control to learn about Splash Page.

RADSec

If you are using a RADIUS server, you must implement RADSec to be FIPS 140 compliant. The FIPS 140 summary page checks for use of RADSec whenever a RADIUS server is also being used. There is no listing for RADSec as a stand-alone FIPS check item, however any RADIUS server setting not also using RADSec will show up as Red status in your table. 

The image below shows RADSec selected, which is the only FIPS 140 acceptable option for RADIUS.

[Image: RADSec selected on the FIPS summary]

Check our documentation on RADSec authentication to learn about using and configuring RADSec in your network.