FBTheconstellation
New Member
November 26, 2025
Solved

FortiAP is negotiating Clear-text, ignoring better options

  • November 26, 2025
  • 4 replies
  • 444 views

I have a new deployment, using:

FortiGate 120G controller v7.4.9 build2829
and
FP231F-v7.6.0-build0894

After a lot of testing, I found that the FortiAP GUI is "click sensitive": the click order of the checkboxes affects the DTLS encryption policies, so I stick with cfg -a AP_DATA_CHAN_SEC=ipsec-sn,ipsec,dtls,clear on the AP.

But in the controller...
I'm typing: set dtls-policy ipsec-sn-vpn ipsec-vpn dtls-enabled clear-text

And still, it shows clear-text first (in fact, the exact reverse order of what I want):

config wireless-controller wtp-profile
    edit "MyCustomProfile"
        set dtls-policy clear-text dtls-enabled ipsec-vpn ipsec-sn-vpn
    end

OK, this could be only a "quirk" that is ignored by the internal logic of using the most secure option first, regardless of the order shown in the CLI.

But... the sad story... the channel is CLEAR-TEXT!

Why is that?

What I want:
1) Use all options available on the AP
2) Use all options available on the controller
3) Use the most secure option possible and use clear-text only as a last resort

Why is it not working properly?

Best answer by FBTheconstellation

4 replies

Anthony_E
Staff
November 30, 2025

Hello,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,
Best Regards

Anthony_E
Staff
December 3, 2025

Hello,

We are still looking for someone to help you.

We will come back to you ASAP.

Thanks,
Best Regards

FBTheconstellation
Author (Answer)
New Member
December 3, 2025

In a recent support call, the person responsible for the case told me that, despite what the KBs state, "clear-text" takes precedence over ALL options.

In my mind, it's weird for a "Security-focused Company" like Fortinet to choose the path of "Compatibility" or "Speed" over security.

Quoting the support answer:

"...

Yes, clear text stands out above any other option; if clear text is enabled as an option, it will be selected over IPsec or IPsec SN

..."

and

"...

This can be seen at this link (official documentation):

https://docs.fortinet.com/document/fortiap/7.6.4/fortiwifi-and-fortiap-configuration-guide/350248/wifi-data-channel-encryption

In several tests performed in the laboratory, if you disable clear text on the FortiGate and/or the FortiAP, IPsec VPN is selected first and DTLS as the last option.

In short, if you want to have an encrypted data channel using DTLS or IPsec and leave clear text as an alternative option (last resort) that automatically switches in case of failure, it's not possible; if you enable clear text, it will always be selected over the other options.

..."

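The precedence rule support describes above (clear-text wins whenever it is enabled, regardless of the order given; with clear-text off, IPsec is chosen before DTLS) is easy to get wrong when reading a wtp-profile, because the CLI shows the options in whatever order they were typed. The following audit script is an added example, not Fortinet code and not something posted in this thread: it parses a FortiOS "show wireless-controller wtp-profile" dump and a FortiAP "cfg -a AP_DATA_CHAN_SEC=..." line, reports the effective data-channel protection under that rule, and emits the CLI needed to drop clear-text from an affected profile. The thread does not say how ipsec-sn-vpn and ipsec-vpn rank against each other, so both are reported simply as "ipsec"; a profile with no dtls-policy line is reported as None rather than guessing the device default. The sample config and AP line are constructed for the example.

```python
"""Audit FortiOS wtp-profile dtls-policy / FortiAP AP_DATA_CHAN_SEC settings for
the clear-text precedence described in the thread.  Added example, not Fortinet code."""
import re

# One token set for both vocabularies (FortiGate dtls-policy and FortiAP cfg -a).
_ALIASES = {
    "ipsec-sn-vpn": "ipsec-sn", "ipsec-sn": "ipsec-sn",
    "ipsec-vpn": "ipsec", "ipsec": "ipsec",
    "dtls-enabled": "dtls", "dtls": "dtls",
    "clear-text": "clear", "clear": "clear",
}


def effective_channel(options):
    """Rule as stated by Fortinet support in the thread: clear-text is selected
    whenever it is enabled, regardless of order; otherwise IPsec beats DTLS.
    The page does not rank ipsec-sn vs ipsec, so both report as "ipsec".
    Returns None when no option is set (the device default is not modelled)."""
    opts = {_ALIASES.get(o.strip().lower(), o.strip().lower()) for o in options}
    if "clear" in opts:
        return "clear"
    if opts & {"ipsec-sn", "ipsec"}:
        return "ipsec"
    return "dtls" if "dtls" in opts else None


def parse_wtp_profiles(config_text):
    """{profile: [dtls-policy options]} from a FortiOS CLI 'show' dump. Nested
    sub-blocks (config platform ... end) inside a profile are skipped, not
    mistaken for the end of the outer block."""
    profiles, name, in_block, depth = {}, None, False, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = line == "config wireless-controller wtp-profile"
            continue
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            if depth:
                depth -= 1
            else:
                in_block = False
        elif depth == 0:
            m = re.match(r'edit\s+"?([^"]+)"?$', line)
            if m:
                name = m.group(1)
                profiles[name] = []  # stays empty if no dtls-policy line follows
            elif line == "next":
                name = None
            elif name and line.startswith("set dtls-policy "):
                profiles[name] = line.split()[2:]
    return profiles


def parse_ap_data_chan_sec(cfg_line):
    """'cfg -a AP_DATA_CHAN_SEC=ipsec-sn,ipsec,dtls,clear' -> option list."""
    return [o for o in cfg_line.split("=", 1)[-1].split(",") if o]


def fix_commands(name, options):
    """CLI that drops clear-text from a profile and keeps the rest in order:
    per the thread, the only way to actually get an encrypted channel."""
    kept = [o for o in options if _ALIASES.get(o.lower()) != "clear"]
    return ["config wireless-controller wtp-profile", f'    edit "{name}"',
            f"        set dtls-policy {' '.join(kept)}", "    next", "end"]


# Constructed sample input modelled on the thread's profile, not a real device.
SAMPLE_CONFIG = """\
config wireless-controller wtp-profile
    edit "MyCustomProfile"
        config platform
            set type 231F
        end
        set dtls-policy clear-text dtls-enabled ipsec-vpn ipsec-sn-vpn
    next
    edit "EncryptedOnly"
        set dtls-policy ipsec-sn-vpn ipsec-vpn dtls-enabled
    next
end
"""
SAMPLE_AP_CFG = "cfg -a AP_DATA_CHAN_SEC=ipsec-sn,ipsec,dtls,clear"

if __name__ == "__main__":
    checks = [(f"wtp-profile {n}", o) for n, o in parse_wtp_profiles(SAMPLE_CONFIG).items()]
    checks.append(("FortiAP AP_DATA_CHAN_SEC", parse_ap_data_chan_sec(SAMPLE_AP_CFG)))
    for where, opts in checks:
        eff = effective_channel(opts)
        print(f"{'INSECURE' if eff == 'clear' else 'ok':8} {where}: {' '.join(opts)} -> {eff}")
    for n, o in parse_wtp_profiles(SAMPLE_CONFIG).items():
        if effective_channel(o) == "clear":
            print("\n".join(fix_commands(n, o)))
```

Run it against a real "show wireless-controller wtp-profile" dump and the AP's "cfg -a" output, and treat any "clear" result as an unencrypted CAPWAP data channel, whatever position clear-text occupies in the list. Both sides need it removed: as support notes above, clearing it on the FortiGate and/or the FortiAP is what makes IPsec get picked first.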

Anthony_E
Staff
December 3, 2025


Thank you for sharing :)!

Best Regards