Fortinet Document Library

Version:


Table of Contents

New Features

7.0.0
Download PDF
Copy Link

Backward compatibility with FortiAP models that uses weaker ciphers 7.0.1

FortiAP connections with weak cipher encryption (legacy FortiAP models with names ending in B, C, CR, or D, and FortiAP devices that cannot be upgraded) can be managed by FortiGates that are running FortiOS 7.0.1 by using compatibility mode. This allows for backwards compatibility with 3DES, SHA1, and Strong list ciphers, and is the default tunnel mode.

Set the tunnel mode to strict to follow system level strong-crypto ciphers.

To configure the tunnel mode:
config wireless-controller global
    set tunnel-mode {compatible | strict}
end

To check the available ciphers in the different tunnel modes:
  1. Enable compatibility mode:

    config wireless-controller global
        set tunnel-mode compatible
    end
  2. Verify that the legacy FortiAP ciphers AES128-SHA and DES-CBC3-SHA are present:

    # diagnose wireless-controller wlac -c ciphers
    
    Supported cipher list:
    
    TLS_AES_256_GCM_SHA384
    TLS_CHACHA20_POLY1305_SHA256
    TLS_AES_128_GCM_SHA256
    DHE-RSA-AES256-SHA256
    AES256-SHA256
    ECDHE-RSA-AES256-GCM-SHA384
    ECDHE-ECDSA-AES256-GCM-SHA384
    ECDHE-RSA-AES256-SHA384
    ECDHE-ECDSA-AES256-SHA384
    DHE-RSA-AES128-SHA256
    AES128-SHA256
    ECDHE-RSA-AES128-GCM-SHA256
    ECDHE-ECDSA-AES128-GCM-SHA256
    DHE-RSA-AES128-GCM-SHA256
    ECDHE-RSA-AES128-SHA256
    ECDHE-ECDSA-AES128-SHA256
    AES128-SHA
    DES-CBC3-SHA
    
    Total: 18
  3. Set the tunnel mode to strict and verify that the legacy ciphers are not present:

    config wireless-controller global
        set tunnel-mode strict
    end
    # diagnose wireless-controller wlac -c ciphers
    
    Supported cipher list:
    
    TLS_AES_256_GCM_SHA384
    TLS_CHACHA20_POLY1305_SHA256
    TLS_AES_128_GCM_SHA256
    DHE-RSA-AES256-SHA256
    AES256-SHA256
    ECDHE-RSA-AES256-GCM-SHA384
    ECDHE-ECDSA-AES256-GCM-SHA384
    ECDHE-RSA-AES256-SHA384
    ECDHE-ECDSA-AES256-SHA384
    DHE-RSA-AES128-SHA256
    AES128-SHA256
    ECDHE-RSA-AES128-GCM-SHA256
    ECDHE-ECDSA-AES128-GCM-SHA256
    DHE-RSA-AES128-GCM-SHA256
    ECDHE-RSA-AES128-SHA256
    ECDHE-ECDSA-AES128-SHA256
    
    Total: 16

Backward compatibility with FortiAP models that uses weaker ciphers 7.0.1

FortiAP connections with weak cipher encryption (legacy FortiAP models with names ending in B, C, CR, or D, and FortiAP devices that cannot be upgraded) can be managed by FortiGates that are running FortiOS 7.0.1 by using compatibility mode. This allows for backwards compatibility with 3DES, SHA1, and Strong list ciphers, and is the default tunnel mode.

Set the tunnel mode to strict to follow system level strong-crypto ciphers.

To configure the tunnel mode:
config wireless-controller global
    set tunnel-mode {compatible | strict}
end

To check the available ciphers in the different tunnel modes:
  1. Enable compatibility mode:

    config wireless-controller global
        set tunnel-mode compatible
    end
  2. Verify that the legacy FortiAP ciphers AES128-SHA and DES-CBC3-SHA are present:

    # diagnose wireless-controller wlac -c ciphers
    
    Supported cipher list:
    
    TLS_AES_256_GCM_SHA384
    TLS_CHACHA20_POLY1305_SHA256
    TLS_AES_128_GCM_SHA256
    DHE-RSA-AES256-SHA256
    AES256-SHA256
    ECDHE-RSA-AES256-GCM-SHA384
    ECDHE-ECDSA-AES256-GCM-SHA384
    ECDHE-RSA-AES256-SHA384
    ECDHE-ECDSA-AES256-SHA384
    DHE-RSA-AES128-SHA256
    AES128-SHA256
    ECDHE-RSA-AES128-GCM-SHA256
    ECDHE-ECDSA-AES128-GCM-SHA256
    DHE-RSA-AES128-GCM-SHA256
    ECDHE-RSA-AES128-SHA256
    ECDHE-ECDSA-AES128-SHA256
    AES128-SHA
    DES-CBC3-SHA
    
    Total: 18
  3. Set the tunnel mode to strict and verify that the legacy ciphers are not present:

    config wireless-controller global
        set tunnel-mode strict
    end
    # diagnose wireless-controller wlac -c ciphers
    
    Supported cipher list:
    
    TLS_AES_256_GCM_SHA384
    TLS_CHACHA20_POLY1305_SHA256
    TLS_AES_128_GCM_SHA256
    DHE-RSA-AES256-SHA256
    AES256-SHA256
    ECDHE-RSA-AES256-GCM-SHA384
    ECDHE-ECDSA-AES256-GCM-SHA384
    ECDHE-RSA-AES256-SHA384
    ECDHE-ECDSA-AES256-SHA384
    DHE-RSA-AES128-SHA256
    AES128-SHA256
    ECDHE-RSA-AES128-GCM-SHA256
    ECDHE-ECDSA-AES128-GCM-SHA256
    DHE-RSA-AES128-GCM-SHA256
    ECDHE-RSA-AES128-SHA256
    ECDHE-ECDSA-AES128-SHA256
    
    Total: 16