New Features

Backward compatibility with FortiAP models that use weaker ciphers 7.0.1

Legacy FortiAP models (model names ending in B, C, CR, or D) and FortiAP devices that cannot be upgraded only support weaker ciphers on their tunnel to the FortiGate. FortiGates running FortiOS 7.0.1 can still manage these units by using compatibility mode, which keeps the 3DES and SHA1 cipher suites (AES128-SHA and DES-CBC3-SHA) available in addition to the strong-crypto cipher list. Compatibility mode is the default tunnel mode, so a FortiGate with no legacy FortiAPs also offers these suites until the mode is changed.

Set the tunnel mode to strict to limit the tunnel to the system-level strong-crypto cipher list. In strict mode, FortiAP units that only support the legacy ciphers can no longer connect, so confirm that no such units remain before changing the mode.

To configure the tunnel mode:
config wireless-controller global
    set tunnel-mode {compatible | strict}
end

To check the available ciphers in the different tunnel modes:
  1. Enable compatibility mode:

    config wireless-controller global
        set tunnel-mode compatible
    end
  2. Verify that the legacy FortiAP ciphers AES128-SHA and DES-CBC3-SHA are present:

    # diagnose wireless-controller wlac -c ciphers
    
    Supported cipher list:
    
    TLS_AES_256_GCM_SHA384
    TLS_CHACHA20_POLY1305_SHA256
    TLS_AES_128_GCM_SHA256
    DHE-RSA-AES256-SHA256
    AES256-SHA256
    ECDHE-RSA-AES256-GCM-SHA384
    ECDHE-ECDSA-AES256-GCM-SHA384
    ECDHE-RSA-AES256-SHA384
    ECDHE-ECDSA-AES256-SHA384
    DHE-RSA-AES128-SHA256
    AES128-SHA256
    ECDHE-RSA-AES128-GCM-SHA256
    ECDHE-ECDSA-AES128-GCM-SHA256
    DHE-RSA-AES128-GCM-SHA256
    ECDHE-RSA-AES128-SHA256
    ECDHE-ECDSA-AES128-SHA256
    AES128-SHA
    DES-CBC3-SHA
    
    Total: 18
  3. Set the tunnel mode to strict and verify that the legacy ciphers are not present:

    config wireless-controller global
        set tunnel-mode strict
    end
    # diagnose wireless-controller wlac -c ciphers
    
    Supported cipher list:
    
    TLS_AES_256_GCM_SHA384
    TLS_CHACHA20_POLY1305_SHA256
    TLS_AES_128_GCM_SHA256
    DHE-RSA-AES256-SHA256
    AES256-SHA256
    ECDHE-RSA-AES256-GCM-SHA384
    ECDHE-ECDSA-AES256-GCM-SHA384
    ECDHE-RSA-AES256-SHA384
    ECDHE-ECDSA-AES256-SHA384
    DHE-RSA-AES128-SHA256
    AES128-SHA256
    ECDHE-RSA-AES128-GCM-SHA256
    ECDHE-ECDSA-AES128-GCM-SHA256
    DHE-RSA-AES128-GCM-SHA256
    ECDHE-RSA-AES128-SHA256
    ECDHE-ECDSA-AES128-SHA256
    
    Total: 16
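The check in the procedure above is done by eye. The following Python script is an added example, not Fortinet code: it parses the output of diagnose wireless-controller wlac -c ciphers, verifies the Total: count against the suites listed, reports which suites compatibility mode adds over strict mode, and explains why each flagged suite is weak. The two sample outputs are reconstructed from the lists shown above, and the weakness rules are assumptions based on OpenSSL cipher-name conventions (a trailing -SHA means HMAC-SHA1 with CBC, DES-CBC3 means 3DES, names without ECDHE-/DHE- use static RSA key exchange).

```python
"""Audit the cipher list printed by `diagnose wireless-controller wlac -c ciphers`.

Added example, not Fortinet code. The weakness rules are heuristics on OpenSSL
cipher names, and the two sample outputs are reconstructed from this page.
"""
import re
from typing import Dict, List

# Suites present in both modes (the strong-crypto list), in the order the page shows them.
STRONG_LIST = [
    "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256",
    "DHE-RSA-AES256-SHA256", "AES256-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-ECDSA-AES256-SHA384",
    "DHE-RSA-AES128-SHA256", "AES128-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "DHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA256",
]
# The two suites that only compatibility mode offers.
LEGACY_LIST = ["AES128-SHA", "DES-CBC3-SHA"]


def diag_output(ciphers: List[str]) -> str:
    """Render a list in the layout the diagnose command prints (constructed sample)."""
    return "Supported cipher list:\n\n" + "\n".join(ciphers) + f"\n\nTotal: {len(ciphers)}\n"


COMPATIBLE_OUTPUT = diag_output(STRONG_LIST + LEGACY_LIST)  # set tunnel-mode compatible
STRICT_OUTPUT = diag_output(STRONG_LIST)                    # set tunnel-mode strict


def parse_cipher_list(output: str) -> List[str]:
    """Return the suite names, checking the trailing 'Total:' line against what was listed."""
    ciphers: List[str] = []
    total = None
    for raw in output.splitlines():
        line = raw.strip()
        # Skip blanks, the echoed command prompt, and the header line.
        if not line or line.startswith("#") or line.startswith("Supported cipher list"):
            continue
        m = re.fullmatch(r"Total:\s*(\d+)", line)
        if m:
            total = int(m.group(1))
            continue
        ciphers.append(line)
    if total is not None and total != len(ciphers):
        raise ValueError(f"output lists {len(ciphers)} suites but reports Total: {total}")
    return ciphers


def weaknesses(suite: str) -> List[str]:
    """Reasons a suite is weak, judged from its OpenSSL name. Empty list means no finding."""
    if suite.startswith("TLS_"):  # TLS 1.3 names: AEAD only, ephemeral key exchange only
        return []
    reasons: List[str] = []
    if "DES-CBC3" in suite or "3DES" in suite:
        reasons.append("3DES: 64-bit block cipher (Sweet32 birthday attacks on long sessions)")
    if suite.endswith("-SHA"):  # '-SHA' (not '-SHA256'/'-SHA384') means HMAC-SHA1 with CBC
        reasons.append("HMAC-SHA1 with CBC mode, no AEAD")
    if not suite.startswith(("ECDHE-", "DHE-")):
        reasons.append("static RSA key exchange, no forward secrecy")
    return reasons


def audit(output: str) -> Dict[str, List[str]]:
    """Map every suite in a diagnose output to its list of weaknesses."""
    return {c: weaknesses(c) for c in parse_cipher_list(output)}


def compatibility_only(compatible_output: str, strict_output: str) -> List[str]:
    """Suites that compatibility mode adds on top of strict mode."""
    strict = set(parse_cipher_list(strict_output))
    return [c for c in parse_cipher_list(compatible_output) if c not in strict]


if __name__ == "__main__":
    for name, out in (("compatible", COMPATIBLE_OUTPUT), ("strict", STRICT_OUTPUT)):
        findings = {c: r for c, r in audit(out).items() if r}
        print(f"tunnel-mode {name}: {len(parse_cipher_list(out))} suites, "
              f"{len(findings)} with findings")
        for c, r in findings.items():
            print(f"  {c}: {'; '.join(r)}")
    print("compatibility-only suites:", compatibility_only(COMPATIBLE_OUTPUT, STRICT_OUTPUT))
```

Paste the real diagnose output into the script in place of the constructed samples to audit a live FortiGate. Note that strict mode still lists AES256-SHA256 and AES128-SHA256, which use static RSA key exchange without forward secrecy, so strict mode is the strong-crypto list as FortiOS defines it, not a PFS-only list.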
