FortiAP
mibekwe
Staff
Article Id 194260
Description
There are data channel encryption settings on both the FortiGate unit and the FortiAP unit. At both ends, it is possible to enable Clear Text, DTLS encryption, or both. The settings must agree or the FortiAP unit will not be able to join the WiFi network. By default, both Clear Text and DTLS-encrypted communication are enabled on the FortiAP unit, allowing the FortiGate setting to determine whether data channel encryption is used. If the FortiGate unit also enables both Clear Text and DTLS, Clear Text is used.

Solution
Configuring encryption on the FortiGate unit

In the CLI, the wireless-controller wtp-profile command contains a new field, dtls-policy, with the options clear-text and dtls-enabled. To enable encryption in profile1, for example, enter:

config wireless-controller wtp-profile
    edit profile1
        set dtls-policy dtls-enabled
end
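
To find profiles that still permit clear-text data channels, the following added example (not Fortinet code and not part of the original article) parses a FortiGate configuration backup and reports the dtls-policy of each wtp-profile. The sample configuration is constructed, the verdict labels are the example's own, and the space-separated form for enabling both options is an assumption.

```python
SAMPLE_CONFIG = """\
config wireless-controller wtp-profile
    edit "profile1"
        set dtls-policy dtls-enabled
    next
    edit "lobby"
        set dtls-policy clear-text dtls-enabled
        config radio-1
        end
    next
    edit "warehouse"
        set comment "no dtls-policy line"
    next
end
config system global
    set hostname "fgt-lab"
end
"""  # constructed sample, not taken from the article

def classify(policy):
    """Map a dtls-policy value list to a verdict (labels are this example's own)."""
    if not policy:
        return "unset-check-default"      # the article does not state the FortiGate default
    if policy == ["dtls-enabled"]:
        return "dtls-only"
    if "clear-text" in policy:
        return "clear-text-permitted"     # with a default FortiAP, Clear Text is used
    return "review"

def audit_dtls_policy(config_text):
    """Return {profile name: verdict} for each entry in the wtp-profile section."""
    policies, in_section, depth, profile = {}, False, 0, None
    for line in (raw.strip() for raw in config_text.splitlines()):
        if not in_section:
            in_section = line == "config wireless-controller wtp-profile"
        elif line.startswith("config "):
            depth += 1                    # nested block such as a radio sub-config
        elif line == "end":
            in_section, depth = depth > 0, max(depth - 1, 0)
        elif depth == 0 and line.startswith("edit "):
            profile = line[5:].strip().strip('"')
            policies[profile] = []
        elif depth == 0 and profile and line.startswith("set dtls-policy "):
            policies[profile] = line.split()[2:]
    return {name: classify(policy) for name, policy in policies.items()}

if __name__ == "__main__":
    for name, verdict in audit_dtls_policy(SAMPLE_CONFIG).items():
        print(f"{name}: {verdict}")
```

Any profile reported as clear-text-permitted or unset-check-default should be compared against the AC Data Channel Security setting on the FortiAP units that use it.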


Configuring encryption on the FortiAP unit

The FortiAP unit has its own settings for data channel encryption.

Enabling CAPWAP encryption - FortiAP web-based manager

1.  On the System Information page, in WTP Configuration > AC Data Channel Security, select one of:

• Clear Text
• DTLS Enabled
• Clear Text or DTLS Enabled (default)

2.  Select Apply.

System performance: Data channel encryption is software-based and can affect performance.  Verify that the system meets performance requirements once encryption has been enabled.
