Optionally, you can apply DTLS encryption to the data channel between the wireless controller and FortiAP units to enhance security.
There are data channel encryption settings on both the FortiGate unit and the FortiAP units. At both ends, you can enable Clear Text, DTLS encryption, or both. The settings must agree or the FortiAP unit will not be able to join the WiFi network. By default, both Clear Text and DTLS-encrypted communication are enabled on the FortiAP unit, allowing the FortiGate setting to determine whether data channel encryption is used. If the FortiGate unit also enables both Clear Text and DTLS, Clear Text is used.
Data channel encryption settings are located in the FortiAP profile. By default, only Clear Text is supported.
Data channel encryption is software-based and can affect performance. Verify that the system meets your performance requirements with encryption enabled.
Configuring encryption on a FortiGate unit
You can use the CLI to configure data channel encryption.
To enable encryption
In the CLI, the
wireless wtp-profile command contains a new field,
dtls-policy, with options
dtls-enabled. To enable encryption in profile1 for example, enter:
config wireless-controller wtp-profile
set dtls-policy dtls-enabled
The FortiAP unit has its own settings for data channel encryption.
To enable CAPWAP encryption - FortiAP GUI
- On the System Information page, in WTP Configuration > AC Data Channel Security, select one of:
- Clear Text
- DTLS Enabled
- Clear Text or DTLS Enabled (default)
- Select Apply.
To enable encryption - FortiAP CLI
You can set the data channel encryption using the AP_DATA_CHAN_SEC variable: 'clear', or 'ipsec', or 'dtls'.
For example, to set security to DTLS and then save the setting, enter:
cfg -a AP_DATA_CHAN_SEC=dtls