Optionally, you can apply DTLS encryption to the data channel between the wireless controller and FortiAP units. This enhances security.
There are data channel encryption settings on both the FortiGate unit and the FortiAP units. At both ends, you can enable Clear Text, DTLS encryption, or both. The settings must agree or the FortiAP unit will not be able to join the WiFi network. By default, both Clear Text and DTLS-encrypted communication are enabled on the FortiAP unit, allowing the FortiGate setting to determine whether data channel encryption is used. If the FortiGate unit also enables both Clear Text and DTLS, Clear Text is used.
Data channel encryption settings are located in the Custom AP profile. If you use Automatic profile, only Clear Text is supported.
|Data channel encryption is software-based and can affect performance. Verify that the system meets your performance requirements with encryption enabled.|
Configuring encryption on the FortiGate unit
You can use the CLI to configure data channel encryption.
In the CLI, the
wireless wtp-profile command contains a new field, dtls-policy, with options
dtls-enabled. To enable encryption in profile1 for example, enter:
config wireless-controller wtp-profile
set dtls-policy dtls-enabled
Configuring encryption on the FortiAP unit
The FortiAP unit has its own settings for data channel encryption.
Enabling CAPWAP encryption - FortiAP web-based manager
- On the System Information page, in WTP Configuration > AC Data Channel Security, select one of:
- Clear Text
- DTLS Enabled
- Clear Text or DTLS Enabled (default)
- Select Apply.
Enabling encryption - FortiAP CLI
You can set the data channel encryption using the AC_DATA_CHAN_SEC variable: 0 is Clear Text, 1 is DTLS Enabled, 2 (the default) is Clear Text or DTLS Enabled.
For example, to set security to DTLS and then save the setting, enter
cfg -a AC_DATA_CHAN_SEC=1