Fortinet white logo
Fortinet white logo

Handbook

6.0.0

WiFi data channel encryption

WiFi data channel encryption

Optionally, you can apply DTLS encryption to the data channel between the wireless controller and FortiAP units. This enhances security.

There are data channel encryption settings on both the FortiGate unit and the FortiAP units. At both ends, you can enable Clear Text, DTLS encryption, or both. The settings must agree or the FortiAP unit will not be able to join the WiFi network. By default, both Clear Text and DTLS-encrypted communication are enabled on the FortiAP unit, allowing the FortiGate setting to determine whether data channel encryption is used. If the FortiGate unit also enables both Clear Text and DTLS, Clear Text is used.

Data channel encryption settings are located in the FortiAP profile. By default, only Clear Text is supported.

note icon

Data channel encryption is software-based and can affect performance. Verify that the system meets your performance requirements with encryption enabled.

Configuring encryption on the FortiGate unit

You can use the CLI to configure data channel encryption.

Enabling encryption

In the CLI, the wireless wtp-profile command contains a new field, dtls-policy, with options clear-text and dtls-enabled. To enable encryption in profile1 for example, enter:

config wireless-controller wtp-profile

edit profile1

set dtls-policy dtls-enabled

end

Configuring encryption on the FortiAP unit

The FortiAP unit has its own settings for data channel encryption.

Enabling CAPWAP encryption - FortiAP GUI
  1. On the System Information page, in WTP Configuration > AC Data Channel Security, select one of:
    • Clear Text
    • DTLS Enabled
    • Clear Text or DTLS Enabled (default)
  2. Select Apply.
Enabling encryption - FortiAP CLI

You can set the data channel encryption using the AP_DATA_CHAN_SEC variable: 'clear', or 'ipsec', or 'dtls'.

For example, to set security to DTLS and then save the setting, enter:

cfg -a AP_DATA_CHAN_SEC=dtls

cfg -c

WiFi data channel encryption

WiFi data channel encryption

Optionally, you can apply DTLS encryption to the data channel between the wireless controller and FortiAP units. This enhances security.

There are data channel encryption settings on both the FortiGate unit and the FortiAP units. At both ends, you can enable Clear Text, DTLS encryption, or both. The settings must agree or the FortiAP unit will not be able to join the WiFi network. By default, both Clear Text and DTLS-encrypted communication are enabled on the FortiAP unit, allowing the FortiGate setting to determine whether data channel encryption is used. If the FortiGate unit also enables both Clear Text and DTLS, Clear Text is used.

Data channel encryption settings are located in the FortiAP profile. By default, only Clear Text is supported.

note icon

Data channel encryption is software-based and can affect performance. Verify that the system meets your performance requirements with encryption enabled.

Configuring encryption on the FortiGate unit

You can use the CLI to configure data channel encryption.

Enabling encryption

In the CLI, the wireless wtp-profile command contains a new field, dtls-policy, with options clear-text and dtls-enabled. To enable encryption in profile1 for example, enter:

config wireless-controller wtp-profile

edit profile1

set dtls-policy dtls-enabled

end

Configuring encryption on the FortiAP unit

The FortiAP unit has its own settings for data channel encryption.

Enabling CAPWAP encryption - FortiAP GUI
  1. On the System Information page, in WTP Configuration > AC Data Channel Security, select one of:
    • Clear Text
    • DTLS Enabled
    • Clear Text or DTLS Enabled (default)
  2. Select Apply.
Enabling encryption - FortiAP CLI

You can set the data channel encryption using the AP_DATA_CHAN_SEC variable: 'clear', or 'ipsec', or 'dtls'.

For example, to set security to DTLS and then save the setting, enter:

cfg -a AP_DATA_CHAN_SEC=dtls

cfg -c