Description
There are data channel encryption settings on both the FortiGate unit and the FortiAP. At each end, it is possible to allow Clear Text, DTLS encryption, or both. The two settings must have at least one mode in common, or the FortiAP will not be able to join the wireless network.
By default, both Clear Text and DTLS-encrypted communication are allowed on the FortiAP, so the FortiGate setting determines whether data channel encryption is actually used. If the FortiGate also allows both Clear Text and DTLS, Clear Text is used. To guarantee an encrypted data channel, the FortiGate side must therefore be set to DTLS only.
Solution
Configuring encryption on the FortiGate:
In the CLI, the wireless-controller wtp-profile command contains a field, dtls-policy, with the options clear-text and dtls-enabled (one or both may be set). To enable encryption in profile1, for example, enter:
config wireless-controller wtp-profile
edit profile1
set dtls-policy dtls-enabled
end
Configuring encryption on the FortiAP:
The FortiAP has its own setting for data channel encryption.
Enabling CAPWAP encryption - FortiAP web-based manager:
- On the System Information page, in WTP Configuration -> AC Data Channel Security, select one of:
• Clear Text
• DTLS Enabled
• Clear Text or DTLS Enabled (default)
- Select Apply.
System performance: Data channel encryption is software-based and can affect performance. Verify that the system meets performance requirements once encryption has been enabled.
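The following script is an added example (not Fortinet code) that turns the two-sided rule above into an audit: it parses the text of show wireless-controller wtp-profile (a constructed sample here, not output from a real device), works out which data channel mode each profile will negotiate with a FortiAP, and flags profiles where clear text can still win. It assumes that show omits values left at their default and that the FortiOS default dtls-policy is clear-text; the profile names and platform types in the sample are illustrative.

```python
"""Audit FortiGate wtp-profile output for the CAPWAP data channel policy.

Added example: parses the text of `show wireless-controller wtp-profile`
(a constructed sample below, not output from a real device) and reports,
per profile, which data channel mode a FortiAP will end up using.
"""
import re
from typing import Dict, List, Optional

CLEAR = "clear-text"
DTLS = "dtls-enabled"

# Assumption: `show` omits values left at their default, and the FortiOS
# default for dtls-policy is clear-text. Verify on your FortiOS version.
FORTIGATE_DEFAULT_POLICY = [CLEAR]
# FortiAP default per the article: Clear Text or DTLS Enabled.
FORTIAP_DEFAULT_POLICY = [CLEAR, DTLS]

# Constructed sample; profile names and platform types are illustrative.
SAMPLE_CONFIG = """\
config wireless-controller wtp-profile
    edit "FAP231F-default"
        config platform
            set type 231F
        end
        set dtls-policy clear-text
        config radio-1
            set band 802.11ax-5G
        end
    next
    edit "profile1"
        set dtls-policy dtls-enabled
    next
    edit "profile2"
        set dtls-policy clear-text dtls-enabled
    next
    edit "profile3"
        config platform
            set type 431F
        end
    next
end
"""


def parse_dtls_policies(config_text: str) -> Dict[str, List[str]]:
    """Map each profile name to its explicit dtls-policy tokens.

    A profile with no `set dtls-policy` line gets an empty list, meaning the
    default applies. `set` lines inside nested blocks (config platform,
    config radio-N, ...) are ignored by tracking nesting depth.
    """
    profiles: Dict[str, List[str]] = {}
    current: Optional[str] = None
    depth = 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if current is None:
            m = re.match(r'^edit\s+"?(.+?)"?$', line)
            if m:
                current, depth = m.group(1), 0
                profiles[current] = []
            continue
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            depth = max(depth - 1, 0)
        elif line == "next":
            current = None
        elif depth == 0 and line.startswith("set dtls-policy "):
            profiles[current] = line.split()[2:]
    return profiles


def effective_mode(fortigate_policy: List[str],
                   fortiap_policy: Optional[List[str]] = None) -> Optional[str]:
    """Return the data channel mode the two ends will use, or None if they
    have no mode in common (the FortiAP cannot join). When both ends permit
    both modes, clear text is used, as the article states."""
    fg = set(fortigate_policy or FORTIGATE_DEFAULT_POLICY)
    ap = set(fortiap_policy or FORTIAP_DEFAULT_POLICY)
    common = fg & ap
    if not common:
        return None
    return CLEAR if CLEAR in common else DTLS


def audit(config_text: str,
          fortiap_policy: Optional[List[str]] = None) -> Dict[str, str]:
    """One verdict per profile: OK (DTLS), WEAK (clear text) or MISMATCH."""
    report: Dict[str, str] = {}
    for name, policy in parse_dtls_policies(config_text).items():
        mode = effective_mode(policy, fortiap_policy)
        if mode is None:
            verdict = "MISMATCH: FortiAP cannot join"
        elif mode == CLEAR:
            verdict = "WEAK: data channel in clear text"
        else:
            verdict = "OK: DTLS enforced"
        if not policy:
            verdict += " (dtls-policy not shown; default assumed)"
        report[name] = verdict
    return report


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_CONFIG).items():
        print(f"{name:20} {verdict}")
```

Run it against real output by pasting the show text into SAMPLE_CONFIG, and pass the FortiAP's AC Data Channel Security setting as fortiap_policy (for example ["dtls-enabled"]) to see which profiles would leave that AP unable to join. Only profiles reported as OK actually enforce encryption; a profile that allows both modes is reported as WEAK because a default-configured FortiAP will fall back to clear text.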
Related Article:
Technical Tip: How to disable CAPWAP offloading for FortiAPs without disrupting wireless traffic