Introduction

This document provides the following information for FortiOS 5.6.1 build 1484:

l Special Notices l Upgrade Information l Product Integration and Support l Resolved Issues l Known Issues l Limitations

For FortiOS documentation, see the Fortinet Document Library.

Supported models

FortiOS 5.6.1 supports the following models.

What’s new in FortiOS 5.6.1                                                                                                                Introduction

What’s new in FortiOS 5.6.1

For a list of new features and enhancements that have been made in FortiOS 5.6.1, see the What’s New for FortiOS 5.6.1 document.

Special Notices

Built-In Certificate

FortiGate and FortiWiFi D-series and above have a built in Fortinet_Factory certificate that uses a 2048-bit certificate with the 14 DH group.

FortiGate and FortiWiFi-92D Hardware Limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:

• PPPoE failing, HA failing to form l IPv6 packets being dropped l FortiSwitch devices failing to be discovered
• Spanning tree loops may result depending on the network topology

FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side effects with the introduction of a new command, which is enabled by default:

config global set hw-switch-ether-filter <enable | disable>

When the command is enabled:

• ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed l BPDUs are dropped and therefore no STP loop results l PPPoE packets are dropped l IPv6 packets are dropped l FortiSwitch devices are not discovered l HA may fail to form depending the network topology

When the command is disabled:

• All packet types are allowed, but depending on the network topology, an STP loop may result

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if both ingress and egress ports belong to the same NP6 chip.

FortiClient (Mac OS X) SSL VPN Requirements                                                                                Special Notices

FortiClient (Mac OS X) SSL VPN Requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

FortiGate-VM 5.6 for VMware ESXi

Upon upgrading to FortiOS 5.6.1, FortiGate-VM v5.6 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

FortiClient Profile Changes

With introduction of the Security Fabric, FortiClient profiles will be updated on FortiGate. FortiClient profiles and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is now used for FortiClient deployment and provisioning.

The FortiClient profile on FortiGate is for FortiClient features related to compliance, such as Antivirus, Web

Filter, Vulnerability Scan, and Application Firewall. You may set the Non-Compliance Action setting to Block or Warn. FortiClient users can change their features locally to meet the FortiGate compliance criteria. You can also use FortiClient EMS to centrally provision endpoints. The EMS also includes support for additional features, such as VPN tunnels or other advanced options. For more information, see the FortiOS Handbook – Security Profiles.

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use management ports for general user traffic.

Upgrade Information

Upgrading to FortiOS 5.6.1

FortiOS version 5.6.1 officially supports upgrading from version 5.4.4, 5.4.5, and 5.6.0. To upgrade from other versions, see Supported Upgrade Paths.

Before upgrading, ensure that port 4433 is not used for admin-port or adminsport (in config system global), or for SSL VPN (in config vpn ssl settings).

If you are using port 4433, you must change admin-port, admin-sport, or the SSL VPN port to another port number before upgrading.

Security Fabric Upgrade

FortiOS 5.6.1 greatly increases the interoperability between other Fortinet products. This includes:

l FortiAnalyzer 5.6.0 l FortiClient 5.6.0 l FortiClient EMS 1.2.1 l FortiAP 5.4.2 and later l FortiSwitch 3.5.2 and later

Upgrade the firmware of each product in the correct order. This maintains network connectivity without the need to use manual steps.

Before upgrading any product, you must read the FortiOS Security Fabric Upgrade Guide.

FortiClient Profiles

After upgrading from FortiOS 5.4.0 to 5.4.1 and later, your FortiClient profiles will be changed to remove a number of options that are no longer supported. After upgrading, review your FortiClient profiles to make sure they are configured appropriately for your requirements and either modify them if required or create new ones.

The following FortiClient Profile features are no longer supported by FortiOS 5.4.1 and later:

• Advanced FortiClient profiles (XML configuration)
• Advanced configuration, such as configuring CA certificates, unregister option, FortiManager updates, dashboard

Banner, client-based logging when on-net, and Single Sign-on Mobility Agent l VPN provisioning l Advanced AntiVirus settings, such as Scheduled Scan, Scan with FortiSandbox, and Excluded Paths FortiGate-VM 5.6 for VMware ESXi   Upgrade Information

• Client-side web filtering when on-net
• iOS and Android configuration by using the FortiOS GUI

With FortiOS 5.6.1, endpoints in the Security Fabric require FortiClient 5.6.0. You can use FortiClient 5.4.3 for VPN (IPsec VPN, or SSL VPN) connections to FortiOS 5.6.0, but not for Security Fabric functions.

FortiGate-VM 5.6 for VMware ESXi

Upon upgrading to FortiOS 5.6.1, FortiGate-VM v5.6 for VMware ESXi (all models) no longer supports the VMXNET2 vNIC driver.

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are retained:

l operation mode l interface IP/management IP l static route table l DNS settings l VDOM parameters/settings l admin user account l session helpers l system access profiles.

If you have long VDOM names, you must shorten the long VDOM names (maximum 11 characters) before downgrading:

1. Back up your configuration.
2. In the backup configuration, replace all long VDOM names with its corresponding short VDOM name. For example, replace edit <long_vdom_name>/<short_name> with edit <short_name>/<short_ name>.
3. Restore the configuration.
4. Perform the downgrade.

Amazon AWS Enhanced Networking Compatibility Issue

With this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 5.6.1 image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover the downgraded image.

Upgrade Information                                                                                                            FortiGate VM firmware

When downgrading from 5.6.1 to older versions, running the enhanced nic driver is not allowed. The following AWS instances are affected:

• C3 l C4 l R3 l I2
• M4 l D2

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

• .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
• .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the QCOW2 file for Open Source XenServer.
• .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

• .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
• .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Hyper-V

• .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
• .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file vhd in the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

• .out: Download either the 64-bit firmware image to upgrade your existing FortiGate VM installation.
• .ovf.zip: Download either the 64-bit package for a new FortiGate VM installation. This package contains Open Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

Firmware image checksums                                                                                                    Upgrade Information

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

Product Integration and Support

FortiOS 5.6.1 support

The following table lists 5.6.1 product integration and support information:

FortiOS 5.6.1 support

Product Integration and Support                                                                                                  Language support

Language support

The following table lists language support information.

Language support

SSL VPN support

SSL VPN support

SSL VPN standalone client

The following table lists SSL VPN tunnel client standalone installer for the following operating systems.

Operating system and installers

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Product Integration and Support                                                                                                  SSL VPN support

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

Supported Microsoft Windows 7 32-bit antivirus and firewall software

SSL VPN support

Resolved Issues

The following issues have been fixed in version 5.6.1. For inquires about a particular bug, please contact CustomerService & Support.

Antivirus

Authentication

DLP

DNSFilter

FOC

FortiGate 92D

FortiLink

FortiView

Firewall

GUI

HA

IPS

IPsec

Log & Report

Proxy

Router

Security Fabric

SLBC

Spam

SSL VPN

System

User

VM

VoIP

WebProxy

WiFi

Common Vulnerabilities and Exposures

FortiOS5.6.1 is no longer vulnerable to the following issues and CVE references. For more information, see https://fortiguard.com/psirt.

Known Issues

The following issues have been identified in version 5.6.1. For inquires about a particular bug or to report a bug, please contact CustomerService & Support.

Application Control

Firewall

FortiGate 3815D

FortiLink

FortiSwitch-Controller/FortiLink

Known

FortiView

GUI

Known Issues

HA

IPsec

Log & Report

Proxy

Known Security Fabric

SSL VPN

System

Known Issues

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

• XenTools installation is not supported.
• FortiGate-VM can be imported or deployed in only the following three formats:
• XVA (recommended) l VHD l OVF
• The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual NIC. Other formats will require manual configuration before the first power on process.

Open Source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise when using the QCOW2 format and existing HDA issues.

Configuring WiFi captive portal security – FortiGate captive portal

The built-in FortiGate captive portal is simpler than an external portal. It can even be customized if needed.

To configure a WiFi Captive Portal – web-based manager:

1. Go to WiFi & Switch Controller > SSID and create your SSID.

If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.

2. In Security Mode, select Captive Portal.
3. Enter

4. Select OK.

Configuring WiFi captive portal security – external server

An external captive portal is a web page on a web server. The essential part of the web portal page is a script that gathers the user’s logon credentials and sends back to the FortiGate a specifically-formatted POST message. The portal page can also contain links to local information such as legal notices, terms of service and so on. Without authenticating, the user cannot access any other information. This is sometimes called a “walled garden”.

On the captive portal page, the user submits credentials, which the script returns to the FortiGate at the URL https://<FGT_IP>:1000/fgtauth with data magic=session_id&username=<username>&password=<password>.

(The magic value was provided in the initial FortiGate request to the web server.)

To ensure that credentials are communicated securely, enable the use of HTTPS for authentication:

config user setting set auth-secure-http enable

end

To configure use of an external WiFi Captive Portal – web-based manager:

1. Go to WiFi & Switch Controller > SSIDand create your SSID.

If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.

2. In Security Mode, select Captive Portal.
3. Enter

SSID Groups

4. Select OK.

Defining SSID Groups

Optionally, you can define SSID Groups. An SSID Group has SSIDs as members and can be specified just like an SSID in a FortiAP Profile.

To create an SSID Group – GUI

Go to WiFi & Switch Controller > SSID and select Create New > SSID Group. Give the group a Name and choose Members (SSIDs, but not SSID Groups).

To create an SSID Group – CLI:

config wireless-controller vap-group edit vap-group-name set vaps “ssid1” “ssid2”

end

Dynamic user VLAN assignment

Clients connecting to the WiFi network can be assigned to a VLAN. You can do this with RADIUS attributes when the user authenticates or with VLAN pooling when the client associates with a particular FortiAP. You cannot use both of these methods at the same time.

VLAN assignment by RADIUS

You can assign each individual user to a VLAN based on information stored in the RADIUS authentication server. If the user’s RADIUS record does not specify a VLAN ID, the user is assigned to the default VLAN for the SSID.

The RADIUS user attributes used for the VLAN ID assignment are:

IETF 64 (Tunnel Type)—Set this to VLAN.

IETF 65 (Tunnel Medium Type)—Set this to 802

IETF 81 (Tunnel Private Group ID)—Set this to the VLAN ID.  To configure dynamic VLAN assignment, you need to:

1. Configure access to the RADIUS server.
2. Create the SSID and enable dynamic VLAN assignment.
3. Create a FortiAP Profile and add the local bridge mode SSID to it.
4. Create the VLAN interfaces and their DHCP servers.
5. Create security policies to allow communication from the VLAN interfaces to the Internet.
6. Authorize the FortiAP unit and assign the FortiAP Profile to it.

Dynamic user VLAN assignment

To configure access to the RADIUS server

1. Go to User & Device > RADIUS Servers and select Create New.
2. Enter a Name, the name or IP address in Primary Server IP/Name, and the server secret in Primary Server Secret.
3. Select OK.

To create the dynamic VLAN SSID

1. Go to WiFi & Switch Controller > SSID, select Create New > SSID and enter:

2. Select OK.
3. Enable dynamic VLAN in the CLI. Optionally, you can also assign a VLAN ID to set the default VLAN for users without a VLAN assignment.

config wireless-controller vap edit dynamic_vlan_ssid set dynamic-vlan enable set vlanid 10

end

To create the FortiAP profile for the dynamic VLAN SSID

1. Go to WiFi & Switch Controller > FortiAP Profiles, select Create New and enter:

2. Adjust other radio settings as needed.
3. Select OK.

To create the VLAN interfaces

1. Go to Network > Interfaces and select Create New > Interface.
2. Enter:

Dynamic user VLAN assignment

3. Select OK.
4. Repeat the preceding steps to create other VLANs as needed.

Security policies determine which VLANs can communicate with which other interfaces. These are the simple Firewall Address policy without authentication. Users are assigned to the appropriate VLAN when they authenticate.

To connect and authorize the FortiAP unit

1. Connect the FortiAP unit to the FortiGate unit.
2. Go to WiFi & Switch Controller > Managed FortiAPs.
3. When the FortiAP unit is listed, double-click the entry to edit it.
4. In FortiAP Profile, select the FortiAP Profile that you created.
5. Select Authorize.
6. Select OK.

VLAN assignment by VLAN pool

In an SSID, you can define a VLAN pool. As clients associate to an AP, they are assigned to a VLAN. A VLAN pool can

l assign a specific VLAN based on the AP’s FortiAP Group, usually for network configuration reasons, or l assign one of several available VLANs for network load balancing purposes (tunnel mode SSIDs only)

To assign a VLAN by FortiAP Group – CLI

In this example, VLAN 101, 102, or 103 is assigned depending on the AP’s FortiAP Group.

config wireless-controller vap edit wlan set vlan-pooling wtp-group config vlan-pool edit 101 set wtp-group wtpgrp1

next edit 102 set wtp-group wtpgrp2

next edit 101 set wtp-group wtpgrp3

end

end end

Configuring user authentication

Load balancing

There are two VLAN pooling methods used for load balancing: The choice of VLAN can be based on any one of the following criteria:

l round-robin – from the VLAN pool, choose the VLAN with the smallest number of clients l hash – choose a VLAN from the VLAN pool based on a hash of the current number of SSID clients and the number of entries in the VLAN pool

If the VLAN pool contains no valid VLAN ID, the SSID’s static VLAN ID setting is used.

To assign a VLAN by round-robin selection – CLI

In this example, VLAN 101, 102, or 103 is assigned using the round-robin method:

config wireless-controller vap edit wlan set vlan-pooling round-robin config vlan-pool edit 101 next edit 102 next edit 103 end

end

end

To assign a VLAN by hash-based selection – CLI

In this example, VLAN 101, 102, or 103 is assigned using the hash method:

config wireless-controller vap edit wlan set vlan-pooling hash config vlan-pool edit 101 next edit 102 next edit 103 end

end

end

Configuring user authentication

You can perform user authentication when the wireless client joins the wireless network and when the wireless user communicates with another network through a firewall policy. WEP and WPA-Personal security rely on legitimate users knowing the correct key or passphrase for the wireless network. The more users you have, the more likely it is that the key or passphrase will become known to unauthorized people. WPA-Enterprise and captive portal security provide separate credentials for each user. User accounts can be managed through FortiGate user groups or an external RADIUS authentication server.

WPA2 Enterprise authentication

Enterprise authentication can be based on the local FortiGate user database or on a remote RADIUS server.

Local authentication is essentially the same for WiFi users as it is for wired users, except that authentication for WiFi users occurs when they associate their device with the AP. Therefore, enterprise authentication must be configured in the SSID. WiFi users can belong to user groups just the same as wired users and security policies will determine which network services they can access.

If your WiFi network uses WPA2 Enterprise authentication verified by a RADIUS server, you need to configure the FortiGate unit to connect to that RADIUS server.

Configuring connection to a RADIUS server – web-based manager

1. Go to User & Device > RADIUS Servers and select Create New.
2. Enter a Name for the server.

This name is used in FortiGate configurations. It is not the actual name of the server.

3. In Primary Server Name/IP, enter the network name or IP address for the server.
4. In Primary Server Secret, enter the shared secret used to access the server.
5. Optionally, enter the information for a secondary or backup RADIUS server.
6. Select OK.

To configure the FortiGate unit to access the RADIUS server – CLI

config user radius edit exampleRADIUS set auth-type auto set server 10.11.102.100 set secret aoewmntiasf

end

To implement WPA2 Enterprise security, you select this server in the SSID security settings. See Configuring user authentication on page 58.

To use the RADIUS server for authentication, you can create individual FortiGate user accounts that specify the authentication server instead of a password, and you then add those accounts to a user group. Or, you can add the authentication server to a FortiGate user group, making all accounts on that server members of the user group.

Creating a wireless user group

Most wireless networks require authenticated access. To enable creation of firewall policies specific to WiFi users, you should create at least one WiFi user group. You can add or remove users later. There are two types of user group to consider:

• A Firewall user group can contain user accounts stored on the FortiGate unit or external authentication servers such as RADIUS that contain and verify user credentials.
• A Fortinet Single Sign-On (FSSO) user group is used for integration with Windows Active Directory or Novell eDirectory. The group can contain Windows or Novell user groups who will be permitted access to the wireless LAN.

WiFi Single Sign-On (WSSO) authentication

WSSO is RADIUS-based authentication that passes the user’s user group memberships to the FortiGate. For each user, the RADIUS server must provide user group information in the Fortinet-Group-Name attribute. This information is stored in the server’s database. After the user authenticates, security policies provide access to network services based on user groups.

1. Configure the RADIUS server to return the Fortinet-Group-Name attribute for each user.
2. Configure the FortiGate to access the RADIUS server, as described in WPA2 Enterprise authentication on page 59.
3. Create firewall user groups on the FortiGate with the same names as the user groups listed in the RADIUS database. Leave the groups empty.
4. In the SSID choose WPA2-Enterprise authentication. In the Authentication field, select RADIUS Server and choose the RADIUS server that you configured.
5. Create security policies as needed, using user groups (Source User(s) field) to control access.

When a user authenticates by WSSO, the firewall monitor Monitor > Firewall Monitor) shows the authentication method as WSSO.

Assigning WiFi users to VLANs dynamically

Some enterprise networks use Virtual LANs (VLANs) to separate traffic. In this environment, to extend network access to WiFi users might appear to require multiple SSIDs. But it is possible to automatically assign each user to their appropriate VLAN from a single SSID. To accomplish this requires RADIUS authentication that passes the appropriate VLAN ID to the FortiGate by RADIUS attributes. Each user’s VLAN assignment is stored in the user database of the RADIUS server.

1. Configure the RADIUS server to return the following attributes for each user:

Tunnel-Type (value: VLAN)

Tunnel-Medium-Type (value: IEEE-802)

Tunnel_Private-Group-Id (value: the VLAN ID for the user’s VLAN)

2. Configure the FortiGate to access the RADIUS server.
3. Configure the SSID with WPA2-Enterprise authentication. In the Authentication field, select RADIUS Server and choose the RADIUS server that you will use.
4. Create VLAN subinterfaces on the SSID interface, one for each VLAN. Set the VLAN ID of each as appropriate. You can do this on the Network > Interfaces
5. Enable Dynamic VLAN assignment for the SSID. For example, if the SSID interface is “office”, enter:

config wireless-controller vap edit office set dynamic-vlan enable

end

6. Create security policies for each VLAN. These policies have a WiFI VLAN subinterface as Incoming Interface and allow traffic to flow to whichever Outgoing Interface these VLAN users will be allowed to access.

MAC-based authentication

Wireless clients can also be supplementally authenticated by MAC address. A RADIUS server stores the allowed MAC address for each client and the wireless controller checks the MAC address independently of other authentication methods.

firewall policies for the SSID

MAC-based authentication must be configured in the CLI. In the following example, MAC-based authentication is added to an existing access point “vap1” to use RADIUS server hq_radius (configured on the FortiGate):

config wireless-controller vap edit vap1 set radius-mac-auth enable set radius-mac-auth-server hq_radius

end

Authenticating guest WiFi users

The FortiOS Guest Management feature enables you to easily add guest accounts to your FortiGate unit. These accounts are authenticate guest WiFi users for temporary access to a WiFi network managed by a FortiGate unit. To implement guest access, you need to

1. Go to User & Device > User Groups and create one or more guest user groups.
2. Go to User & Device > Guest Management to create guest accounts. You can print the guest account credentials or send them to the user as an email or SMS message.
3. Go to WiFi & Switch Controller > SSID and configure your WiFi SSID to use captive portal authentication. Select the guest user group(s) that you created.

Guest users can log into the WiFi captive portal with their guest account credentials until the account expires. For more detailed information about creating guest accounts, see “Managing Guest Access” in the Authentication chapter of the FortiOS Handbook.

Configuring the built-in access point on a FortiWiFi unit

Both FortiGate and FortiWiFi units have the WiFi controller feature. If you configure a WiFi network on a

FortiWiFi unit, you can also use the built-in wireless capabilities in your WiFi network as one of the access points.

If Virtual Domains are enabled, you must select the VDOM to which the built-in access point belongs. You do this in the CLI. For example:

config wireless-controller global set local-radio-vdom vdom1

end

To configure the FortiWiFi unit’s built-in WiFi access point

1. Go to WiFi Controller > Local WiFi Radio.
2. Make sure that Enable WiFi Radio is selected.
3. In SSID, if you do not want this AP to carry all SSIDs, select Select SSIDs and then select the required SSIDs.
4. Optionally, adjust the TX Power

If you have selected your location correctly (see Configuring the built-in access point on a FortiWiFi unit on page 62), the 100% setting corresponds to the maximum power allowed in your region.

the built-in access point on a FortiWiFi unit

5. If you do not want the built-in WiFi radio to be used for rogue scanning, select Do not participate in Rogue AP scanning.
6. Select OK.

If you want to connect external APs, such as FortiAP units, see the next chapter, Access point deployment.

Access point deployment

This chapter describes how to configure access points for your wireless network.

Overview

Network topology for managed APs

Discovering and authorizing APs

Advanced WiFi controller discovery

Wireless client load balancing for high-density deployments

FortiAP Groups

LAN port options

Preventing IP fragmentation of packets in CAPWAP tunnels

LED options

CAPWAP bandwidth formula

Overview

FortiAP units discover WiFi controllers. The administrator of the WiFi controller authorizes the FortiAP units that the controller will manage.

In most cases, FortiAP units can find WiFi controllers through the wired Ethernet without any special configuration. Review the following section, Access point deployment on page 64, to make sure that your method of connecting the FortiAP unit to the WiFi controller is valid. Then, you are ready to follow the procedures in Access point deployment on page 64.

If your FortiAP units are unable to find the WiFi controller, refer to Access point deployment on page 64 for detailed information about the FortiAP unit’s controller discovery methods and how you can configure them.

Network topology for managed APs

The FortiAP unit can be connected to the FortiGate unit in any of the following ways:

Direct connection: The FortiAP unit is directly connected to the FortiGate unit with no switches between them.

This configuration is common for locations where the number of FortiAP’s matches up with the number of

‘internal’ ports available on the FortiGate. In this configuration the FortiAP unit requests an IP address from the FortiGate unit, enters discovery mode and should quickly find the FortiGate WiFi controller. This is also known as a wirecloset deployment. See “Wirecloset and Gateway deployments” below.

Network topology for managed APs

Wirecloset deployment

Switched Connection: The FortiAP unit is connected to the FortiGate WiFi controller by an Ethernet switch operating in L2 switching mode or L3 routing mode. There must be a routable path between the FortiAP unit and the FortiGate unit and ports 5246 and 5247 must be open. This is also known as a gateway deployment. See Gateway Deployment below.

Network topology for managed

Gateway Deployment

Connection over WAN: The FortiGate WiFi controller is off-premises and connected by a VPN tunnel to a local FortiGate. In this method of connectivity its best to configure each FortiAP with the static IP address of the WiFi controller. Each FortiAP can be configured with three WiFi controller IP addresses for redundant failover. This is also known as a datacenter remote management deployment. See Remote deployment below.

Remote deployment

Discovering and authorizing APs

After you prepare your FortiGate unit, you can connect your APs to discover them using the discovery methods described earlier. To prepare the FortiGate unit, you need to l Configure the network interface to which the AP will connect. l Configure DHCP service on the interface to which the AP will connect. l Optionally, preauthorize FortiAP units. They will begin to function when connected. l Connect the AP units and let the FortiGate unit discover them. l Enable each discovered AP and configure it or assign it to an AP profile.

Configuring the network interface for the AP unit

The interface to which you connect your wireless access point needs an IP address. No administrative access, DNS Query service or authentication should be enabled.

To configure the interface for the AP unit – web-based manager

1. Go to Network > Interfaces and edit the interface to which the AP unit connects.
2. Set Addressing Mode to Dedicate to Extension Device.
3. Enter the IP address and netmask to use.

This FortiGate unit automatically configures a DHCP server on the interface that will assign the remaining higher addresses up to .254 to FortiAP units. For example, if the IP address is 10.10.1.100, the FortiAP units will be assigned 10.10.1.101 to 10.10.1.254. To maximize the available addresses, use the .1 address for the interface:

10.10.1.1, for example.

4. Select OK.

To configure the interface for the AP unit – CLI

In the CLI, you must configure the interface IP address and DHCP server separately.

config system interface edit port3 set mode static

set ip 10.10.70.1 255.255.255.0

end

config system dhcp server edit 0 set interface “dmz” config ip-range edit 1 set end-ip 10.10.70.254 set start-ip 10.10.70.2

end

set netmask 255.255.255.0 set vci-match enable set vci-string “FortiAP”

end

The optional vci-match and vci-string fields ensure that the DHCP server will provide IP addresses only to FortiAP units.

Pre-authorizing a FortiAP unit

If you enter the FortiAP unit information in advance, it is authorized and will begin to function when it is connected.

To pre-authorize a FortiAP unit

1. Go to WiFi & Switch Controller > Managed FortiAPs and select Create New.

On some models the WiFi Controller menu is called WiFi & Switch Controller.

2. Enter the Serial Number of the FortiAP unit.
3. Configure the Wireless Settings as required.
4. Select OK.

Enabling and configuring a discovered AP

Within two minutes of connecting the AP unit to the FortiGate unit, the discovered unit should be listed on WiFi Controller > Managed FortiAPs page. After you select the unit, you can authorize, edit or delete it.

Discovered access point unit

When you authorize (enable) a FortiAP unit, it is configured by default to use the default FortiAP profile (determined by model). You can create and select a different profile if needed. The FortiAP Profile defines the entire configuration for the AP.

To add and configure the discovered AP unit – web-based manager

1. Go to WiFi & Switch Controller > Managed FortiAPs.

This configuration also applies to local WiFi radio on FortiWiFi models.

2. Select the FortiAP unit from the list and edit it.
3. Optionally, enter a Name. Otherwise, the unit will be identified by serial number.
4. Select Authorize.
5. Select a FortiAP Profile.
6. Select OK.

The physical access point is now added to the system. If the rest of the configuration is complete, it should be possible to connect to the wireless network through the AP.

To add the discovered AP unit – CLI

First get a list of the discovered access point unit serial numbers:

get wireless-controller wtp

Add a discovered unit and associate it with AP-profile1, for example:

config wireless-controller wtp edit FAP22A3U10600118 set admin enable set wtp-profile AP-profile1

end

To view the status of the added AP unit

config wireless-controller wtp edit FAP22A3U10600118

get

The join-time field should show a time, not “N/A”. See the preceding web-based manager procedure for more information.

Disable automatic discovery of unknown FortiAPs

By default, the FortiGate adds newly discovered FortiAPs to the Managed FortiAPs list, awaiting the administrator’s authorization. Optionally, you can disable this automatic registration function to avoid adding unknown FortiAPs. A FortiAP will be registered and listed only if its serial number has already been added manually to the Managed FortiAPs list. AP registration is configured on each interface.

To disable automatic discovery and registration, enter the following command:

config system interface edit port15 set ap-discover disable

end

Automatic authorization of extension devices

To simplify adding FortiAP or FortiSwitch devices to your network, you can enable automatic authorization of devices as they are connected, instead of authorizing each one individually.

This feature is only configurable in the CLI.

To enable automatic authorization on all dedicated interfaces

config system global set auto-auth-extension-device enable

end

To enable automatic authorization per-interface

config system interface edit <port> set auto-auth-extension-device enable

end

Assigning the same profile to multiple FortiAP units

The same profile can now be applied to multiple managed FortiAP units at the same time. To do this, do the following:

1. Go to WiFi & Switch Controller > Managed FortiAPs to view the AP list.
2. Select all FortiAP units you wish to apply the profile to.
3. Right click on one of the selected FortiAPs and select Assign Profile.
4. Choose the profile you wish to apply.

Overriding the FortiAP Profile

In the FortiAP configuration WiFi & Switch Controller > Managed FortiAPs, there several radio settings under Override Radio 1 and Override Radio 2 to choose a value independently of the FortiAP Profile setting.

When each of the radios are disabled, you will see what the FortiAP Profile has each of the settings configured to.

To override radio settings in the CLI

In this example, Radio 1 is set to 802.11n on channel 11, regardless of the profile setting.

config wireless-controller wtp edit FP221C3X14019926 config radio-1 set override-band enable set band 802.11n set override-channel enable

set channel 11

end

Override settings are available for band, channel, vaps (SSIDs), and txpower.

Outside of configuring radio settings, you can also override FortiAP LED state, WAN port mode, IP Fragmentation prevention method, spectrum analysis, split tunneling, and login password settings.

Accessing the FortiAP CLI through the FortiGate unit

Enable remote login for the FortiAP. In the FortiAP Profile for this FortiAP, enable remote access.

Connecting to the FortiAP CLI

The FortiAP unit has a CLI through which some configuration options can be set. You can access the CLI using Telnet.

To access the FortiAP unit CLI through the FortiAP Ethernet port

1. Connect your computer to the FortiAP Ethernet interface, either directly with a cross-over cable or through a separate switch or hub.
2. Change your computer’s IP address to 192.168.1.3
3. Telnet to IP address 192.168.1.2.

Ensure that FortiAP is in a private network with no DHCP server for the static IP address to be accessible.

4. Login with user name admin and no password.
5. Enter commands as needed.
6. Optionally, use the passwd command to assign an administrative password for better security.
7. Save the configuration by entering the following command:

cfg –c .

8. Unplug the FortiAP and then plug it back in, in order for the configuration to take effect

Accessing the FortiAP CLI through the FortiGate

After the FortiAP has been installed, physical access to the unit might be inconvenient. You can access a connected FortiAP unit’s CLI through the FortiGate unit that controls it.

To enable remote access to the FortiAP CLI

In the CLI, edit the FortiAP Profile that applies to this FortiAP.

config wireless-controller wtp-profile edit FAP221C-default set allowaccess telnet

end

FortiAP now supports HTTPS and SSH administrative access, as well as HTTP and Telnet. Use the command above to set administrative access to telnet, http, https, or ssh.

To access the FortiAP unit CLI through the FortiGate unit – GUI

1. Go to WiFi & Switch Controller > Managed FortiAPs.
2. In the list, right-click the FortiAP unit and select >_Connect to CLI. A detached Console window opens.
3. At the FortiAP login prompt, enter admin. When you are finished using the FortiAP CLI, enter exit.

To access the FortiAP unit CLI through the FortiGate unit – CLI

1. Use the FortiGate CLI execute telnet command to access the FortiAP. For example, if the FortiAP unit IP address is 192.168.1.2, enter:

execute telnet 192.168.1.2

2. At the FortiAP login prompt, enter admin. When you are finished using the FortiAP CLI, enter exit.

Checking and updating FortiAP unit firmware

You can view and update the FortiAP unit’s firmware from the FortiGate unit that acts as its WiFi controller.

Checking the FortiAP unit firmware version

Go to WiFi & Switch Controller > Managed FortiAPs to view the list of FortiAP units that the FortiGate unit can manage. The OS Version column shows the current firmware version running on each AP.

Updating FortiAP firmware from the FortiGate unit

You can update the FortiAP firmware using either the web-based manager or the CLI. Only the CLI method can update all FortiAP units at once.

To update FortiAP unit firmware – web-based manager

1. Go to WiFi & Switch Controller > Managed FortiAPs.
2. Right-click the FortiAP unit in the list and select Upgrade Firmware.

or

Edit the FortiAP entry and select Upgrade from File in FortiAP OS Version.

3. Select Browse and locate the firmware upgrade file.
4. Select OK.
5. When the upgrade process completes, select OK. The FortiAP unit restarts.

To update FortiAP unit firmware – CLI

1. Upload the FortiAP image to the FortiGate unit.

For example, the Firmware file is FAP_22A_v4.3.0_b0212_fortinet.out and the server IP address is 192.168.0.100.

execute wireless-controller upload-wtp-image tftp FAP_22A_v4.3.0_b0212_fortinet.out 192.168.0.100

If your server is FTP, change tftp to ftp, and if necessary add your user name and password at the end of the command.

2. Verify that the image is uploaded:

execute wireless-controller list-wtp-image

3. Upgrade the FortiAP units:

exec wireless-controller reset-wtp all

If you want to upgrade only one FortiAP unit, enter its serial number instead of all.

Updating FortiAP firmware from the FortiAP unit

You can connect to a FortiAP unit’s internal CLI to update its firmware from a TFTP server on the same network. This method does not require access to the wireless controller.

1. Place the FortiAP firmware image on a TFTP server on your computer.
2. Connect the FortiAP unit to a separate private switch or hub or directly connect to your computer via a cross-over cable.
3. Change your computer’s IP address to 192.168.1.3.
4. Telnet to IP address 192.168.1.2.

This IP address is overwritten if the FortiAP is connected to a DHCP environment. Ensure that the FortiAP unit is in a private network with no DHCP server.

5. Login with the username “admin” and no password.
6. Enter the following command.

For example, the FortiAP image file name is FAP_22A_v4.3.0_b0212_fortinet.out.

restore FAP_22A_v4.3.0_b0212_fortinet.out 192.168.1.3

Advanced WiFi controller discovery

Advanced WiFi controller discovery

A FortiAP unit can use any of six methods to locate a controller. By default, FortiAP units cycle through all six of the discovery methods. In most cases there is no need to make configuration changes on the FortiAP unit.

There are exceptions. The following section describes the WiFi controller discovery methods in more detail and provides information about configuration changes you might need to make so that discovery will work.

Controller discovery methods

There are six methods that a FortiAP unit can use to discover a WiFi controller. Below is the list of AC discovery methods used in sequence:

0(auto) → 1(static) → 2(dhcp) → 3(dns) → 7(forticloud) → 5(broadcast) → 6(multicast)

Static IP configuration

If FortiAP and the controller are not in the same subnet, broadcast and multicast packets cannot reach the controller. The admin can specify the controller’s static IP on the AP unit. The AP unit sends a discovery request message in unicast to the controller. Routing must be properly configured in both directions.

To specify the controller’s IP address on a FortiAP unit

cfg –a AC_IPADDR_1=”192.168.0.100″

By default, the FortiAP unit receives its IP address, netmask, and gateway address by DHCP. If you prefer, you can assign these statically.

To assign a static IP address to the FortiAP unit

cfg -a ADDR_MODE=STATIC cfg –a AP_IPADDR=”192.168.0.100″ cfg -a AP_NETMASK=”255.255.255.0″ cfg –a IPGW=192.168.0.1 cfg -c

For information about connecting to the FortiAP CLI, see Connecting to the FortiAP CLI on page 71.

DHCP

If you use DHCP to assign an IP address to your FortiAP unit, you can also provide the WiFi controller IP address at the same time. This is useful if the AP is located remotely from the WiFi controller and other discovery techniques will not work.

When you configure the DHCP server, configure Option 138 to specify the WiFi controller IP address. You need to convert the address into hexadecimal. Convert each octet value separately from left to right and concatenate them. For example, 192.168.0.1 converts to C0A80001.

If Option 138 is used for some other purpose on your network, you can use a different option number if you configure the AP units to match.

To change the FortiAP DHCP option code To use option code 139 for example, enter Wireless client load balancing for high-density deployments

cfg –a AC_DISCOVERY_DHCP_OPTION_CODE=139

For information about connecting to the FortiAP CLI, see Connecting to the FortiAP CLI on page 71.

DNS

The access point can discover controllers through your domain name server (DNS). For the access point to do so, you must configure your DNS to return controller IP addresses in response. Allow DNS lookup of the hostname configured in the AP by using the AP parameter “AC_HOSTNAME_1”.

FortiCloud

The access point can discover FortiCloud by doing a DNS lookup of the hardcoded FortiCloud AP controller hostname “apctrl1.fortinet.com”. The forticloud AC discovery technique finds the AC info from apctl1.fortinet.com using HTTPS.

FortiCloud APController: apctrl1.fortinet.com:443 208.91.113.187:443

Broadcast request

The AP unit broadcasts a discovery request message to the network and the controller replies. The AP and the controller must be in the same broadcast domain. No configuration adjustments are required.

Multicast request

The AP unit sends a multicast discovery request and the controller replies with a unicast discovery response message. The AP and the controller do not need to be in the same broadcast domain if multicast routing is properly configured.

The default multicast destination address is 224.0.1.140. It can be changed through the CLI. The address must be same on the controller and AP.

To change the multicast address on the controller

config wireless-controller global set discovery-mc-addr 224.0.1.250

end

To change the multicast address on a FortiAP unit

cfg –a AC_DISCOVERY_MC_ADDR=”224.0.1.250″

For information about connecting to the FortiAP CLI, see Advanced WiFi controller discovery on page 74.

Wireless client load balancing for high-density deployments

Wireless load balancing allows your wireless network to distribute wireless traffic more efficiently among wireless access points and available frequency bands. FortiGate wireless controllers support the following types of client load balancing:

• Access Point Hand-off – the wireless controller signals a client to switch to another access point.
• Frequency Hand-off – the wireless controller monitors the usage of 2.4GHz and 5GHz bands, and signals clients to switch to the lesser-used frequency.

Wireless client load balancing for high-density deployments

Load balancing is not applied to roaming clients.

Access point hand-off

Access point handoff wireless load balancing involves the following:

• If the load on an access point (ap1) exceeds a threshold (of for example, 30 clients) then the client with the weakest signal will be signaled by wireless controller to drop off and join another nearby access point (ap2).
• When one or more access points are overloaded (for example, more than 30 clients) and a new client attempts to join a wireless network, the wireless controller selects the least busy access point that is closest to the new client and this access point is the one that responds to the client and the one that the client joins.

Frequency hand-off or band-steering

Encouraging clients to use the 5GHz WiFi band if possible enables those clients to benefit from faster interference-free 5GHz communication. The remaining 2.4GHz clients benefit from reduced interference.

The WiFi controller probes clients to determine their WiFi band capability. It also records the RSSI (signal strength) for each client on each band.

If a new client attempts to join the network, the controller looks up that client’s MAC address in its wireless device table and determines if it’s a dual band device. If it is not a dual band device, then its allowed to join. If it is a dual band device, then its RSSI on 5GHz is used to determine whether the device is close enough to an access point to benefit from movement to 5GHz frequency.

If both conditions of 1) dual band device and 2) RSSI value is strong, then the wireless controller does not reply to the join request of the client. This forces the client to retry a few more times and then timeout and attempt to join the same SSID on 5GHz. Once the Controller see this new request on 5GHz, the RSSI is again measured and the client is allowed to join. If the RSSI is below threshold, then the device table is updated and the controller forces the client to timeout again. A client’s second attempt to connect on 2.4GHz will be accepted.

Configuration

From the web-based manager, edit a custom AP profile and select Frequency Handoff and AP Handoff as required for each radio on the AP.

From the CLI, you configure wireless client load balancing thresholds for each custom AP profile. Enable access point hand-off and frequency hand-off separately for each radio in the custom AP profile.

config wireless-controller wtp-profile edit new-ap-profile set handoff-rssi <rssi_int> set handoff-sta-thresh <clients_int> config radio-1 set frequency-handoff {disable | enable} set ap-handoff {disable | enable}

end config radio-2 set frequency-handoff {disable | enable} set ap-handoff {disable | enable}

end

end Where:

FortiAP Groups

• handoff-rssi is the RSSI threshold. Clients with a 5 GHz RSSI threshold over this value are load balanced to the 5GHz frequency band. Default is 25. Range is 20 to 30.
• handoff-sta-thresh is the access point handoff threshold. If the access point has more clients than this threshold it is considered busy and clients are changed to another access point. Default is 30, range is 5 to 25. l frequency-handoff enable or disable frequency handoff load balancing for this radio. Disabled by default. l ap-handoff enable or disable access point handoff load balancing for this radio. Disabled by default.

Frequency handoff must be enabled on the 5GHz radio to learn client capability.

FortiAP Groups

FortiAP Groups facilitate the application of FortiAP profiles to large numbers of FortiAPs. A FortiAP can belong to no more than one FortiAP Group. A FortiAP Group can include only one model of FortiAP.

Through the VLAN pool feature, a FortiAP Group can be associated with a VLAN to which WiFi clients will be assigned. For more on VLAN pool assignment, see VLAN assignment by VLAN pool.

FortiAP groups are only configurable in the CLI Console.

To create a FortiAP group – CLI

In this example, wtp-group-1 is created for a FortiAP-221C and one member device is added.

config wireless-controller wtp-group edit wtp-group-1 set platform-type 221C config wtp-list edit FP221C3X14019926

end

end

LAN port options

Some FortiAP models have one or more LAN interfaces that can provide wired network access. LAN ports can be l bridged to the incoming WAN interface l bridged to one of the WiFi SSIDs that the FortiAP unit carries l connected by NAT to the incoming WAN interface There are some differences among FortiAP models.

Models like 11C and 14C have one port labeled WAN and one or more ports labeled LAN. By default, the LAN ports are offline. You can configure LAN port operation in the FortiAP Profile in the GUI (Wireless Controller > FortiAP Profiles) or in the CLI (config wireless-controller wtp-profile, config lan subcommand).

Models like 320C, 320B, 112D, and 112B have two ports, labeled LAN1 and LAN2. LAN1 acts as a WAN port connecting the FortiAP to a FortiGate or FortiCloud. By default, LAN2 is bridged to LAN1. Other modes of LAN2 operation must be enabled in the CLI:

config wireless-controller wtp-profile edit <profile_name>

LAN port options

set wan-port-mode wan-lan

end

By default wan-port-mode is set to wan-only.

When wan-port-mode is set to wan-lan, LAN2 Port options are available in the GUI and the CLI the same as the other FortiAP models that have labeled WAN and LAN ports.

Bridging a LAN port with an SSID

Bridging a LAN port with a FortiAP SSID combines traffic from both sources to provide a single broadcast domain for wired and wireless users. In this configuration l The IP addresses for LAN clients come from the DHCP server that serves the wireless clients.

• Traffic from LAN clients is bridged to the SSID’s VLAN. Dynamic VLAN assignment for hosts on the LAN port is not supported.
• Wireless and LAN clients are on the same network and can communicate locally, via the FortiAP.
• Any host connected to the LAN port will be taken as authenticated. RADIUS MAC authentication for hosts on the LAN port is not supported.

For configuration instructions, see LAN port options on page 77.

Bridging a LAN port with the WAN port

Bridging a LAN port with the WAN port enables the FortiAP unit to be used as a hub which is also an access point. In this configuration l The IP addresses for LAN clients come from the WAN directly and will typically be in the same range as the AP itself. l All LAN client traffic is bridged directly to the WAN interface.

l Communication between wireless and LAN clients can only occur if a policy on the FortiGate unit allows it.

For configuration instructions, see LAN port options on page 77.

Configuring FortiAP LAN ports

You can configure FortiAP LAN ports for APs in a FortiAP Profile. A profile applies to APs that are the same model and share the same configuration. If you have multiple models or different configurations, you might need to create several FortiAP Profiles. For an individual AP, it is also possible to override the profile settings.

To configure FortiAP LAN ports – web-based manager

1. If your FortiAP unit has LAN ports, but no port labeled WAN (models 320C, 320B, 112D, and 112B for example), enable LAN port options in the CLI:

config wireless-controller wtp-profile edit <profile_name> set wan-port-mode wan-lan

end

2. Go to WiFi & Switch Controller > FortiAP Profiles.
3. Edit the default profile for your FortiAP model or select Create New.
4. If you are creating a new profile, enter a Name and select the correct Platform (model).

LAN port options

5. Select SSIDs.
6. In the LAN Port section, set Mode to Bridge to and select an SSID or WAN Port as needed.

On some models with multiple LAN ports, you can set Mode to Custom and configure the LAN ports individually.

Enable each port that you want to use and select an SSID or WAN Port as needed.

7. Select OK.

Be sure to select this profile when you authorize your FortiAP units.

To configure FortiAP LAN ports – CLI

In this example, the default FortiAP-11C profile is configured to bridge the LAN port to the office SSID.

config wireless-controller wtp-profile edit FAP11C-default config lan set port-mode bridge-to-ssid set port-ssid office

end

end

end

In this example, the default FortiAP-28C profile is configured to bridge LAN port1 to the office SSID and to bridge the other LAN ports to the WAN port.

config wireless-controller wtp-profile edit FAP28C-default config lan set port1-mode bridge-to-ssid set port1-ssid office set port2-mode bridge-to-wan set port3-mode bridge-to-wan set port4-mode bridge-to-wan set port5-mode bridge-to-wan set port6-mode bridge-to-wan set port7-mode bridge-to-wan set port8-mode bridge-to-wan

end

end

In this example, the default FortiAP-320C profile is configured to bridge the LAN port to the office SSID.

config wireless-controller wtp-profile edit FAP320C-default set wan-port-mode wan-lan config lan set port-mode bridge-to-ssid set port-ssid office

end

end

end

To configure FortiAP unit LAN ports as a FortiAP Profile override – web-based manager

1. Go to WiFi & Switch Controller > Managed FortiAPs.
2. Select the FortiAP unit from the list and select Edit.
3. Select the FortiAP Profile, if this has not already been done.
4. In the LAN Port section, select Override. The options for Mode are shown.

Preventing IP fragmentation of packets in CAPWAP tunnels

5. Set Mode to Bridge to and select an SSID or WAN Port, or NAT to WAN as needed.

On some models with multiple LAN ports, you can set Mode to Custom and configure the LAN ports individually.

Enable and configure each port that you want to use.

6. Select OK.

To configure FortiAP unit LAN ports as a FortiAP Profile override – CLI

In this example, a FortiAP unit’s configuration overrides the FortiAP Profile to bridge the LAN port to the office SSID.

config wireless-controller wtp edit FP320C3X14020000 set wtp-profile FAP320C-default set override-wan-port-mode enable set wan-port-mode wan-lan set override-lan enable config lan set port-mode bridge-to-ssid set port-ssid office

end

end

Preventing IP fragmentation of packets in CAPWAP tunnels

A common problem with controller-based WiFi networks is reduced performance due to IP fragmentation of the packets in the CAPWAP tunnel.

Fragmentation can occur because of CAPWAP tunnel overhead increasing packet size. If the original wireless client packets are close to the maximum transmission unit (MTU) size for the network (usually 1500 bytes for Ethernet networks unless jumbo frames are used) the resulting CAPWAP packets may be larger than the MTU, causing the packets to be fragmented. Fragmenting packets can result in data loss, jitter, and decreased throughput.

The FortiOS/FortiAP solution to this problem is to cause wireless clients to send smaller packets to FortiAP devices, resulting in1500-byte CAPWAP packets and no fragmentation. The following options configure CAPWAP IP fragmentation control:

config wireless-controller wtp-profle edit FAP321C-default set ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}

set tun-mtu-uplink {0 | 576 | 1500} set tun-mtu-downlink {0 | 576 | 1500}

end

end

By default, tcp-mss-adjust is enabled, icmp-unreachable is disabled, and tun-mtu-uplink and tun-mtu-downlink are set to 0.

To set tun-mtu-uplink and tun-mtu-downlink, use the default TCP MTU value of 1500. This default configuration prevents packet fragmentation because the FortiAP unit limits the size of TCP packets received from wireless clients so the packets don’t have to be fragmented before CAPWAP encapsulation.

The tcp-mss-adjust option causes the FortiAP unit to limit the maximum segment size (MSS) of TCP packets sent by wireless clients. The FortiAP does this by adding a reduced MSS value to the SYN packets sent LED options

by the FortiAP unit when negotiating with a wireless client to establish a session. This results in the wireless client sending packets that are smaller than the tun-mtu-uplink setting, so that when the CAPWAP headers are added, the CAPWAP packets have an MTU that matches the tun-mtu-uplink size.

The icmp-unreachable option affects all traffic (UDP and TCP) between wireless clients and the FortiAP unit. This option causes the FortiAP unit to drop packets that have the “Don’t Fragment” bit set in their IP header and that are large enough to cause fragmentation and then send an ICMP packet — type 3 “ICMP Destination unreachable” with code 4 “Fragmentation Needed and Don’t Fragment was Set” back to the wireless controller. This should cause the wireless client to send smaller TCP and UDP packets.

Overriding IP fragmentation settings on a FortiAP

If the FortiAP Profile settings for IP fragmentation are not appropriate for a particular FortiAP, you can override the settings on that specific unit.

config wireless-controller wtp edit FAP321C3X14019926 set override-ip-fragment enable

set ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}

set tun-mtu-uplink {0 | 576 | 1500} set tun-mtu-downlink {0 | 576 | 1500}

end

end

LED options

Optionally, the status LEDs on the FortiAP can be kept dark. This is useful in dormitories, classrooms, hotels, medical clinics, hospitals where the lights might be distracting or annoying to occupants.

On the FortiGate, the LED state is controlled in the FortiAP Profile. By default the LEDs are enabled. The setting is CLI-only. For example, to disable the LEDs on FortiAP-221C units controlled by the FAP221C-default profile, enter:

config wireless-controller wtp-profile edit FAP221C-default set led-state disable

end

You can override the FortiAP Profile LED state setting on an individual FortiAP using the CLI. For example, to make sure the LEDs are disabled on one specific unit, enter:

config wireless-controller wtp edit FAP221C3X14019926 set override-led-state enable set led-state disable

end

The LED state is also controllable from the FortiAP unit itself. By default, the FortiAP follows the FortiAP Profile setting.

CAPWAP bandwidth formula

CAPWAP bandwidth formula

The following section provides information on how to calculate the control plane CAPWAP traffic load in local bridging. The formula provided can help estimate the approximate package bandwidth cost. This is important for knowing precisely how much bandwidth is required on a WAN link for a centralized ForitGate managing hundreds of access points.

There are multiple factors that might affect the volume of CAPWAP control traffic, including the number of stations there are and large WiFi events.

The Ethernet/IP/UDP/CAPWAP uplink header cost should be approximately 66 bytes.

The tables below depict basic and commonly used optional CAPWAP bandwidth costs, on a per-AP basis.

Note the following:

l STA: The number of stations associated with the FortiAP. l ARP scan: Finds hidden devices in your network. l VAP: The number of VAPS held by the FortiAP. l Radio: The number of radios (maximum of two) enabled by the FortiAP.

Basic per-AP CAPWAP bandwidth costs

Commonly used optional per-AP CAPWAP bandwidth costs

CAPWAP bandwidth formula

Example:

There are 100 FortiAPs, with 187 stations distributed among them. Each FortiAP holds five VAPs among their radios, and each enables two radios. The basic CAPWAP bandwidth cost would be: 908.7*100+343.2*187+9.6*5*100+13.3*2*100 = 162.51kbps

Additionally, if two FortiAPs enabled “AP scan”, and suppose one scans 99 APs in each scan and the other scans 20 APs in each scan, the additional CAPWAP bandwidth cost would be:

(24.26+16.8*99)+(24.26+16.8*20) = 2 kbps

Enabling LLDP protocol

You can enable the LLDP protocol in the FortiAP Profile via the CLI. Each FortiAP using that profile can then send back information about the switch and port that it is connected to.

To enable LLDP, enter the following:

config wireless-controller wtp-profile edit <profile-name> set lldp enable

end

Wireless Mesh

The access points of a WiFi network are usually connected to the WiFi controller through Ethernet wiring. A wireless mesh eliminates the need for Ethernet wiring by connecting WiFi access points to the controller by radio. This is useful where installation of Ethernet wiring is impractical.

Overview of Wireless Mesh

Configuring a meshed WiFi network

Configuring a point-to-point bridge

Overview of Wireless Mesh

The figure below shows a wireless mesh topology.

A wireless mesh is a multiple AP network in which only one FortiAP unit is connected to the wired network. The other FortiAPs communicate with the controller over a separate backhaul SSID that is not available to regular WiFi clients. The AP that is connected to the network by Ethernet is called the Mesh Root node. The backhaul SSID carries CAPWAP discovery, configuration, and other communications that would usually be carried on an Ethernet connection.

The root node can be a FortiAP unit or the built-in AP of a FortiWiFi unit. APs that serve regular WiFi clients are called Leaf nodes. Leaf APs also carry the mesh SSID for more distant leaf nodes. A leaf node can connect to the mesh SSID directly from the root node or from any of the other leaf nodes. This provides redundancy in case of an AP failure.

All access points in a wireless mesh configuration must have at least one of their radios configured to provide mesh backhaul communication. As with wired APs, when mesh APs start up they can be discovered by a FortiGate or FortiWiFi unit WiFi controller and authorized to join the network.

Overview of Wireless Mesh

The backhaul SSID delivers the best performance when it is carried on a dedicated radio. On a two-radio FortiAP unit, for example, the 5GHz radio could carry only the backhaul SSID while the 2.4GHz radio carries one or more SSIDs that serve users. Background WiFi scanning is possible in this mode.

The backhaul SSID can also share the same radio with SSIDs that serve users. Performance is reduced because the backhaul and user traffic compete for the available bandwidth. Background WiFi scanning is not available in this mode. One advantage of this mode is that a two-radio AP can offer WiFi coverage on both bands.

Wireless mesh deployment modes

There are two common wireless mesh deployment modes:

Firmware requirements

All FortiAP units that will be part of the wireless mesh network must be upgraded to FAP firmware version 5.0 build 003. FortiAP-222B units must have their BIOS upgraded to version 400012. The FortiWiFi or FortiGate unit used as the WiFi controller must be running FortiOS 5.0.

Types of wireless mesh

A WiFi mesh can provide access to widely-distributed clients. The root mesh AP which is directly connected to the WiFi controller can be either a FortiAP unit or the built-in AP of a FortiWiFi unit that is also the WiFi controller.

FortiAP units used as both mesh root AP and leaf AP

Overview of Wireless Mesh

FortiWiFi unit as root mesh AP with FortiAP units as leaf APs

An alternate use of the wireless mesh functionality is as a point-to-point relay. Both wired and WiFi users on the leaf AP side are connected to the LAN segment on the root mesh side.

Overview of Wireless Mesh Point-to-point wireless mesh

Configuring a meshed WiFi network

Fast-roaming for mesh backhaul link

Mesh implementations for leaf FortiAP can perform background scan when the leaf AP is associated to root. Various options for background scanning can be configured with the CLI. See Mesh variables on page 183 for more details.

Configuring a meshed WiFi network

You need to:

• Create the mesh root SSID. l Create the FortiAP profile. l Configure mesh leaf AP units.
• Configure the mesh root AP, either a FortiWiFi unit’s Local Radio or a FortiAP unit. l Authorize the mesh branch/leaf units when they connect to the WiFi Controller.
• Create security policies.

This section assumes that the end-user SSIDs already exist.

Creating the mesh root SSID

The mesh route SSID is the radio backhaul that conveys the user SSID traffic to the leaf FortiAPs.

To configure the mesh root SSID

1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.
2. Enter a Name for the WiFi interface.
3. In Traffic Mode, select Mesh Downlink.
4. Enter the SSID.
5. Set Security Mode to WPA2 Personal and enter the Pre-shared key.

Remember the key, you need to enter it into the configurations of the leaf FortiAPs.

6. Select OK.

Creating the FortiAP profile

Create a FortiAP profile for the meshed FortiAPs. If more than one FortiAP model is involved, you need to create a profile for each model. Typically, the profile is configured so that Radio 1 (5GHz) carries the mesh backhaul SSID while Radio 2 (2.4GHz) carries the SSIDs to which users connect.

The radio that carries the backhaul traffic must not carry other SSIDs. Use the Select SSIDs option and choose only the backhaul SSID. Similarly, the radio that carries user SSIDs, should not carry the backhaul. Use the Select SSIDs option and choose the networks that you want to provide.

For more information, see Configuring a WiFi LAN on page 40.

Configuring the mesh root FortiAP

The mesh root AP can be either a FortiWiFi unit’s built-in AP or a FortiAP unit.

Configuring a meshed WiFi network

To enable a FortiWiFi unit’s Local Radio as mesh root – web-based manager

1. Go to WiFi Controller > Local WiFi Radio.
2. Select Enable WiFi Radio.
3. In SSID, select Select SSIDs, then select the mesh root SSID.
4. Optionally, adjust TX Power or select Auto Tx Power Control.
5. Select Apply.

In a network with multiple wireless controllers, make sure that each mesh root has a unique SSID. Other controllers using the same mesh root SSID might be detected as fake or rogue APs. Go to WiFi & Switch Controller > SSID to change the SSID.

To configure a network interface for the mesh root FortiAP unit

1. On the FortiGate unit, go to Network > Interfaces.
2. Select the interface where you will connect the FortiAP unit, and edit it.
3. Make sure that Role is LAN.
4. In Addressing mode, select Dedicated to Extension Device.
5. In IP/Network Mask, enter an IP address and netmask for the interface.

DHCP will provide addresses to connected devices. To maximize the number of available addresses, the interface address should end with 1, for example 192.168.10.1.

6. Select OK.

At this point you can connect the mesh root FortiAP, as described next. If you are going to configure leaf FortiAPs through the wireless controller (see “Configuring a meshed WiFi network” on page 89), it would be convenient to leave connecting the root unit for later.

To enable the root FortiAP unit

1. Connect the root FortiAP unit’s Ethernet port to the FortiGate network interface that you configured for it.
2. Go to WiFi & Switch Controller > Managed FortiAPs.

If the root FortiAP unit is not listed, wait 15 seconds and select Refresh. Repeat if necessary. If the unit is still missing after a minute or two, power cycle the root FortiAP unit and try again.

3. Right-click the FortiAP entry and choose your profile from the Assign Profile
4. Right-click the FortiAP entry and select Authorize.

Initially, the State of the FortiAP unit is Offline. Periodically click Refresh to update the status. Within about two minutes, the state changes to Online.

5. Select OK.

You might need to select Refresh a few times before the FortiAP shows as Online.

Configuring the leaf mesh FortiAPs

The FortiAP units that will serve as leaf nodes must be preconfigured. This involves changing the FortiAP unit internal configuration.You can do this by direct connection or through the FortiGate wireless controller. 89

Configuring a meshed WiFi network

Method 1: Direct connection to the FortiAP

1. Connect a computer to the FortiAP unit’s Ethernet port. Configure the computer’s IP as 192.168.1.3.
2. Telnet to 192.168.1.2. Login as admin. By default, no password is set.
3. Enter the following commands, substituting your own SSID and password (pre-shared key):

cfg -a MESH_AP_TYPE=1 cfg -a MESH_AP_SSID=fortinet.mesh.root cfg -a MESH_AP_PASSWD=hardtoguess

cfg -c exit

4. Disconnect the computer.
5. Power down the FortiAP.
6. Repeat the preceding steps for each branch FortiAP.

Method 2: Connecting through the FortiGate unit

1. Connect the branch FortiAP unit’s Ethernet port to the FortiGate network interface that you configured for FortiAPs. Connect the FortiAP unit to a power source unless POE is used.
2. Go to WiFi & Switch Controller > Managed FortiAPs.

If the FortiAP unit is not listed, wait 15 seconds and select Refresh. Repeat if necessary. If the unit is still missing after a minute or two, power cycle the FortiAP unit and try again.

3. Select the discovered FortiAP unit and authorize it. Click Refresh every 10 seconds until the State indicator is green.
4. Right-click the FortiAP and select >_Connect to CLI. The CLI Console window opens. Log in as “admin”.
5. Enter the following commands, substituting your own SSID and password (pre-shared key):

cfg -a MESH_AP_TYPE=1 cfg -a MESH_AP_SSID=fortinet.mesh.root cfg -a MESH_AP_PASSWD=hardtoguess

cfg -c exit

6. Disconnect the branch FortiAP and delete it from the Managed FortiAP list.
7. Repeat the preceding steps for each branch FortiAP.

Authorizing leaf APs

When the root FortiAP is connected and online, apply power to the pre-configured leaf FortiAPs. The leaf FortiAPs will connect themselves wirelessly to the WiFi Controller through the mesh network. You must authorize each unit.

1. Go to WiFi & Switch Controller > Managed FortiAPs. Periodically select Refresh until the FortiAP unit is listed. This can take up to three minutes.

The State of the FortiAP unit should be Waiting for Authorization.

2. Right-click the FortiAP entry and choose your profile from the Assign Profile
3. Right-click the FortiAP entry and select Authorize.

Initially, the State of the FortiAP unit is Offline. Periodically click Refresh to update the status. Within about two minutes, the state changes to Online.

Configuring a point-to-point bridge

Creating security policies

You need to create security policies to permit traffic to flow from the end-user WiFi network to the network interfaces for the Internet and other networks. Enable NAT.

Viewing the status of the mesh network

Go to WiFi & Switch Controller > Managed FortiAPs to view the list of APs.

The Connected Via field lists the IP address of each FortiAP and uses icons to show whether the FortiAP is connected by Ethernet or Mesh.

If you mouse over the Connected Via information, a topology displays, showing how the FortiGate wireless controller connects to the FortiAP.

Configuring a point-to-point bridge

You can create a point-to-point bridge to connect two wired network segments using a WiFi link. The effect is the same as connecting the two network segments to the same wired switch.

You need to:

Configuring a point-to-point bridge

l Configure a backhaul link and root mesh AP as described in Configuring a point-to-point bridge on page 91.

Note: The root mesh AP for a point-to-point bridge must be a FortiAP unit, not the internal AP of a FortiWiFi unit. l Configure bridging on the leaf AP unit.

To configure the leaf AP unit for bridged operation – FortiAP web-based manager

1. With your browser, connect to the FortiAP unit web-based manager.

You can temporarily connect to the unit’s Ethernet port and use its default address: 192.168.1.2.

2. Enter:

3. Select Apply.
4. Connect the local wired network to the Ethernet port on the FortiAP unit.

Users are assigned IP addresses from the DHCP server on the wired network connected to the root mesh AP unit.

To configure a FortiAP unit as a leaf AP – FortiAP CLI

cfg -a MESH_AP_SSID=fortinet-ap cfg -a MESH_AP_PASSWD=fortinet cfg -a MESH_ETH_BRIDGE=1 cfg -a MESH_AP_TYPE=1 cfg -c

Combining WiFi and wired networks with a software switch

Combining WiFi and wired networks with a software switch

FortiAP local bridging (Private Cloud-Managed AP)

Using bridged FortiAPs to increase scalability

Combining WiFi and wired networks with a software switch

A WiFi network can be combined with a wired LAN so that WiFi and wired clients are on the same subnet. This is a convenient configuration for users. Note that software switches are only available if your FortiGate is in Interface mode.

To create the WiFi and wired LAN configuration, you need to:

• Configure the SSID so that traffic is tunneled to the WiFi controller.
• Configure a software switch interface on the FortiGate unit with the WiFi and internal network interface as members. l Configure Captive Portal security for the software switch interface.

To configure the SSID – web-based manager

1. Go to WiFi & Switch Controller > SSID and select Create New.
2. Enter:

3. Select OK.
4. Go to WiFi & Switch Controller > Managed FortiAPs, select the FortiAP unit for editing.
5. Authorize the FortiAP unit.

The FortiAP unit can carry regular SSIDs in addition to the Bridge SSID.

Combining WiFi and wired networks with a software switch

To configure the SSID – CLI

This example creates a WiFi interface “homenet_if” with SSID “homenet” using WPA-Personal security, passphrase “Fortinet1”.

config wireless-controller vap edit “homenet_if” set vdom “root” set ssid “homenet” set security wpa-personal set passphrase “Fortinet1”

end

config wireless-controller wtp edit FAP22B3U11005354 set admin enable set vaps “homenet_if”

end

To configure the FortiGate software switch – web-based manager

1. Go to Network > Interfaces and select Create New > Interface.
2. Enter:

3. Select OK.

To configure the FortiGate unit – CLI

config system interface edit homenet_nw set ip 172.16.96.32 255.255.255.0 set type switch set security-mode captive-portal set security-groups “Guest-group”

end

config system interface edit homenet_nw set member “homenet_if” “internal” end

FortiAP local bridging (Private Cloud-Managed AP)

VLAN configuration

If your environment uses VLAN tagging, you assign the SSID to a specific VLAN in the CLI. For example, to assign the homenet_if interface to VLAN 100, enter:

config wireless-controller vap edit “homenet_if” set vlanid 100

end

Additional configuration

The configuration described above provides communication between WiFi and wired LAN users only. To provide access to other networks, create appropriate firewall policies between the software switch and other interfaces.

FortiAP local bridging (Private Cloud-Managed AP)

A FortiAP unit can provide WiFi access to a LAN, even when the wireless controller is located remotely. This configuration is useful for the following situations:

• Installations where the WiFI controller is remote and most of the traffic is local or uses the local Internet gateway l Wireless-PCI compliance with remote WiFi controller
• Telecommuting, where the FortiAP unit has the WiFi controller IP address pre-configured and broadcasts the office SSID in the user’s home or hotel room. In this case, data is sent in the wireless tunnel across the Internet to the office and you should enable encryption using DTLS.

FortiAP local bridging (Private Cloud-Managed AP)

Remotely-managed FortiAP providing WiFi access to local network

On the remote FortiGate wireless controller, the WiFi SSID is created with the Bridge with FortiAP Interface option selected. In this mode, no IP addresses are configured. The FortiAP unit’s WiFi and Ethernet interfaces behave as a switch. WiFi client devices obtain IP addresses from the same DHCP server as wired devices on the LAN.

The Local Bridge feature cannot be used in conjunction with Wireless Mesh features.

Block-Intra-SSID Traffic is available in Bridge mode. This is useful in hotspotdeployments managed by a central FortiGate, but would also be useful in cloud deployments. Previously, this was only supported in Tunnel mode.

To configure a FortiAP local bridge – web-based manager

1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.
2. Enter:

FortiAP local bridging (Private Cloud-Managed AP)

3. Select OK.
4. Go to WiFi & Switch Controller > Managed FortiAPs and select the FortiAP unit for editing.
5. Authorize the FortiAP unit.

The FortiAP unit can carry regular SSIDs in addition to the Bridge SSID.

SSID configured for Local Bridge operation

To configure a FortiAP local bridge – CLI

This example creates a WiFi interface “branchbridge” with SSID “LANbridge” using WPA-Personal security, passphrase “Fortinet1”.

config wireless-controller vap edit “branchbridge” set vdom “root” set ssid “LANbridge” set local-bridging enable set security wpa-personal set passphrase “Fortinet1”

end

config wireless-controller wtp edit FAP22B3U11005354 set admin enable set vaps “branchbridge” end

Using bridged FortiAPs to increase scalability

Continued FortiAP operation when WiFi controller connection is down

The wireless controller, or the connection to it, might occasionally become unavailable. During such an outage, clients already associated with a bridge mode FortiAP unit continue to have access to the WiFi and wired networks. Optionally, the FortiAP unit can also continue to authenticate users if the SSID meets these conditions:

• Traffic Mode is Local bridge with FortiAP’s Interface.

In this mode, the FortiAP unit does not send traffic back to the wireless controller.

• Security Mode is WPA2 Personal.

These modes do not require the user database. In WPA2 Personal authentication, all clients use the same preshared key which is known to the FortiAP unit.

• Allow New WiFi Client Connections When Controller is down is enabled. This field is available only if the other conditions have been met.

The “LANbridge” SSID example would be configured like this in the CLI:

config wireless-controller vap edit “branchbridge” set vdom “root” set ssid “LANbridge” set local-bridging enable set security wpa-personal set passphrase “Fortinet1” set local-authentication enable

end

Using bridged FortiAPs to increase scalability

The FortiGate wireless controller can support more FortiAP units in local bridge mode than in the normal mode. But this is only true if you configure some of your FortiAP units to operate in remote mode, which supports only local bridge mode SSIDs.

The Managed FortAP page (WiFi & Switch Controller > Managed FortiAPs) shows at the top right the current number of Managed FortiAPs and the maximum number that can be managed, “5/64” for example. The maximum number, however, is true only if all FortiAP units operate in remote mode. For more detailed information, consult the Maximum Values Table. For each FortiGate model, there are two maximum values for managed FortiAP units: the total number of FortiAPs and the number of FortiAPs that can operate in normal mode.

Using bridged FortiAPs to increase scalability

To configure FortiAP units for remote mode operation

1. Create at least one SSID with Traffic Mode set to Local bridge with FortiAP’s Interface.
2. Create a custom AP profile that includes only local bridge SSIDs.
3. Configure each managed FortiAP unit to use the custom AP profile. You also need to set the FortiAP unit’s wtpmode to remote, which is possible only in the CLI. The following example uses the CLI both to set wtp-mode and select the custom AP profile:

config wireless-controller wtp edit FAP22B3U11005354 set wtp-mode remote set wtp-profile 220B_bridge end

Using Remote WLAN FortiAPs

Remote WLAN FortiAP models enable you to provide a pre-configured WiFi access point to a remote or traveling employee. Once plugged in at home or in a hotel room, the FortiAP automatically discovers the enterprise FortiGate WiFi controller over the Internet and broadcasts the same wireless SSID used in the corporate office. Communication between the WiFi controller and the FortiAP is secure, eliminating the need for a VPN.

Split tunneling

By default, all traffic from the remote FortiAP is sent to the FortiGate WiFi controller. If split tunneling is configured, only traffic destined for the corporate office networks is routed to the FortiGate unit. Other general Internet traffic is routed unencrypted through the local gateway. Split tunneling avoids loading the FortiGate unit with unnecessary traffic and allows direct access to local private networks at the FortiAP’s location even if the connection to the WiFi controller goes down.

Note: Split tunneling in WiFi networks differs in implementation from split tunneling in VPN configurations.

By default, split tunneling options are not visible in the FortiGate GUI. You can make these options visible using the following CLI command:

config system settings set gui-fortiap-split-tunneling enable

end

Split tunneling is configured in Managed FortiAPs, FortiAP Profiles, and enabled in the SSID.

Configuring the FortiGate for remote FortiAPs

This section assumes that you have already defined SSIDs and now want to make them available to remote FortiAPs.

• Create FortiAP profiles for the Remote LAN FortiAP models l If split tunneling will be used l configure override split tunneling in Managed FortiAPs l enable Split Tunneling in the SSID
• configure the split tunnel networks in the FortiAP profile

Override Split Tunneling

Go to WiFi & Switch Controller > Managed FortiAPs and edit your managed APs. When preconfiguring the AP to connect to your FortiGate WiFi controller, you can choose to override split tunneling, optionally including the local subnet of the FortiAP.

Creating FortiAP profiles

If you were not already using Remote LAN FortiAP models, you will need to create FortiAP profiles for them. In the FortiAP profile, you specify the SSIDs that the FortiAP will broadcast. For more information, see “Creating a FortiAP Profile” on page 43.

Configuring the FortiGate for remote FortiAPs                                                              Using Remote WLAN FortiAPs

Configuring split tunneling – FortiGate GUI

Go to WiFi & Switch Controller > SSID and edit your SSID. In the WiFi Settings section, enable Split Tunneling.

Go to WiFi Controller > FortiAP Profiles and edit the FortiAP Profile(s) that apply to the AP types used in the WiFi network. In the Split Tunneling section, enable Include Local Subnet and Split Tunneling Subnet(s), where you can enter a list all of the destination IP address ranges that should not be routed through the the FortiGate WiFi controller. Packets for these destinations will instead be routed through the remote gateway local to the FortiAP.

The list of split tunneling subnets includes public Internet destinations and private subnets local to the FortiAP. Split tunneling public Internet destinations reduces traffic through the FortiGate unit. Split tunneling local private subnets allows these networks to be accessible to the client behind the FortiAP. Otherwise, private network IP destinations are assumed to be behind the FortiGate WiFi controller.

Configuring split tunneling – FortiGate CLI

In this example, split tunneling is configured on the example-ssid WiFi network. On FortiAP model 21D, traffic destined for the 192.168.x.x range will not be routed through the FortiGate WiFi controller. This private IP address range is typically used as a LAN by home routers.

config wireless-controller vap edit example-ssid set split-tunneling enable

end

config wireless-controller wtp-profile edit FAP21D-default set split-tunneling-acl-local-ap-subnet enable config split-tunneling-acl edit 1 set dest-ip 192.168.0.0 255.255.0.0

end

end

To enter multiple subnets, create a split-tunneling-acl entry for each one.

Overriding the split tunneling settings on a FortiAP

If the FortiAP Profile split tunneling settings are not appropriate for a particular FortiAP, you can override the settings on that unit.

config wireless-controller wtp edit FAP321C3X14019926 set override-split-tunnel enable

set split-tunneling-acl-local-ap-subnet enable config split-tunneling-acl edit 1 set dest-ip 192.168.10.0 255.255.255.0

end end

Using Remote WLAN FortiAPs                                                                                     Configuring the FortiAP units

Configuring the FortiAP units

Prior to providing a Remote WLAN FortiAP unit to an employee, you need to preconfigure the AP to connect to your FortiGate WiFi controller.

To pre-configure a FortiAP

1. Connect the FortiAP to the FortiGate unit.
2. Go to WiFi & Switch Controller > Managed FortiAPs and wait for the FortiAP to be listed. Click Refresh periodically to see the latest information. Note the Connected Via IP address.
3. Go to Dashboard. In the CLI Console, log into the FortiAP CLI. For example, if the IP address is 192.168.1.4, enter:

exec telnet 192.168.1.4

Enter admin at the login prompt. By default, no password is set.

4. Enter the following commands to set the FortiGate WiFi controller IP address. This should be the FortiGate Internet-facing IP address, in this example 172.20.120.142.

cfg -a AC_IPADDR_1=172.20.120.142 cfg -c

5. Enter exit to log out of the FortiAP CLI.

Preauthorizing FortiAP units

By preauthorizing FortiAP units, you facilitate their automatic authorization on the network. Also, you can assign each unit a unique name, such as the employee’s name, for easier tracking.

1. Go to WiFi & Switch Controller > Managed FortiAPs and create a new entry.
2. Enter the Serial Number of the FortiAP unit and give it a Name. Select the appropriate FortiAP Profile.
3. Click OK.

Repeat this process for each FortiAP.

Features for high-density deployments

High-density environments such as auditoriums, classrooms, and meeting rooms present a challenge to WiFi providers. When a large number of mobile devices try to connect to a WiFi network, difficulties arise because of the limited number of radio channels and interference between devices.

FortiOS and FortiAP devices provide several tools to mitigate the difficulties of high-density environments.

Power save feature

Occasionally, voice calls can become disrupted. One way to alleviate this issue is by controlling the power save feature, or to disable it altogether.

Manually configure packet transmit optimization settings by entering the following command:

config wireless-controller wtp-profile edit <name> config <radio-1> | <radio-2> set transmit-optimize {disable | power-save | aggr-limit | retry-limit | sendbar}

l disable: Disable transmit optimization. l power-save: Mark a client as power save mode if excessive transmit retries happen. l aggr-limit: Set aggregation limit to a lower value when data rate is low. l retry-limit: Set software retry limit to a lower value when data rate is low. l send-bar: Do not send BAR frame too often.

Broadcast packet suppression

Broadcast packets are sent at a low data rate in WiFi networks, consuming valuable air time. Some broadcast packets are unnecessary or even potentially detrimental to the network and should be suppressed.

ARP requests and replies could allow clients to discover each other’s IP addresses. On most WiFi networks, intraclient communication is not allowed, so these ARP requests are of no use, but they occupy air time.

DHCP (upstream) should be allowed so that clients can request an IP address using DHCP.

DHCP (downstream) should be suppressed because it would allow a client to provide DHCP service to other clients. Only the AP should do this.

NetBIOS is a Microsoft Windows protocol for intra-application communication. Usually this is not required in highdensity deployments.

IPv6 broadcast packets can be suppressed if your network uses IPv4 addressing.

You can configure broadcast packet suppression in the CLI. The following options are available for broadcast suppression:

config wireless-controller vap edit <name>

Features for high-density deployments                                                                        Multicast to unicast conversion

set broadcast-suppression {dhcp-up | dhcp-down | dhcp-starvation | arp-known | arpunknown | arp-reply | arp-poison | arp-proxy | netbios-ns | netbios-ds | ipv6 | all-other-mc | all-other-bc}

end

dhcp-starvation helps prevent clients from depleting the DHCP address pool by making multiple requests. arp-poison helps prevent clients from spoofing ARP messages.

Because of all these specific multicast and broadcast packet types, the two options all-other-mc and allother-bc help suppress multicast (mc) and broadcast (bc) packets that are not covered by any of the specific options.

Multicast to unicast conversion

Multicast data such as streaming audio or video are sent at a low data rate in WiFi networks. This causes them to occupy considerable air time. FortiOS provides a multicast enhancement option that converts multicast streams to unicast. A unicast stream is sent to each client at high data rate that makes more efficient use of air time. You can configure multicast-to-unicast conversion in the CLI:

config wireless-controller vap edit <vap_name> set multicast-enhance enable

end

Ignore weak or distant clients

Clients beyond the intended coverage area can have some impact on your high-density network. Your APs will respond to these clients’ probe signals, consuming valuable air time. You can configure your WiFi network to ignore weak signals that most likely come from beyond the intended coverage area. The settings are available in the CLI:

config wireless-controller vap edit <vap_name> set probe-resp-suppression enable set probe-resp-threshold <level_int>

end vap_name is the SSID name.

probe-resp-threshold is the signal strength in dBm below which the client is ignored. The range is -95 to 20dBm. The default level is -80dBm.

Turn off 802.11b protocol

By disabling support for the obsolete 802.11b protocol, you can reduce the air time that beacons and management frames occupy. These signals will now be sent at a minimum of 6Mbps, instead of 1Mbps. You can set this for each radio in the FortiAP profile, using the CLI:

config wireless-controller wtp-profile edit <name_string>

Disable low data rates                                                                                   Features for high-density deployments

config radio-1 set powersave-optimize no-11b-rate

end

Disable low data rates

Each of the 802.11 protocols supports several data rates. By disabling the lowest rates, air time is conserved, allowing the channel to serve more users. You can set the available rates for each 802.11 protocol: a, b, g, n, ac. Data rates set as Basic are mandatory for clients to support. Other specified rates are supported.

The 802.11 a, b, and g protocols are specified by data rate. 802.11a can support 6,9,12, 18, 24, 36, 48, and 54

Mb/s. 802.11b/g can support 1, 2, 5.5, 6, 9,12, 18, 24, 36, 48, 54 Mb/s. Basic rates are specified with the suffix “basic”, “12-basic” for example. The capabilities of expected client devices need to be considered when deciding the lowest Basic rate.

The 802.11n and ac protocols are specified by the Modulation and Coding Scheme (MCS) Index and the number of spatial streams.

• 11n with 1 or 2 spatial streams can support mcs0/1, mcs1/1, mcs2/1, mcs3/1, mcs4/1, mcs5/1, mcs6/1, mcs7/1,mcs8/2,mcs9/2, mcs10/2, mcs11/2, mcs12/2, mcs13/2, mcs14/2, mcs15/2.
• 11n with 3 or 4 spatial streams can support mcs16/3, mcs17/3, mcs18/3, mcs19/3, mcs20/3, mcs21/3, mcs22/3, mcs23/3, mcs24/4, mcs25/4, mcs26/4, mcs27/4, mcs28/4, mcs29/4, mcs30/4, mcs31/4.
• 11ac with 1 or 2 spatial streams can support mcs0/1, mcs1/1, mcs2/1, mcs3/1, mcs4/1, mcs5/1, mcs6/1, mcs7/1, mcs8/1, mcs9/1, mcs0/2, mcs1/2, mcs2/2, mcs3/2, mcs4/2, mcs5/2, mcs6/2, mcs7/2, mcs8/2, mcs9/2.
• 11ac with 3 or 4 spatial streams can support mcs0/3, mcs1/3, mcs2/3, mcs3/3, mcs4/3, mcs5/3, mcs6/3, mcs7/3, mcs8/3, mcs9/3, mcs0/4, mcs1/4, mcs2/4, mcs3/4, mcs4/4, mcs5/4, mcs6/4, mcs7/4, mcs8/4, mcs9/4 Here are some examples of setting basic and supported rates.

config wireless-controller vap edit <vap_name> set rates-11a 12-basic 18 24 36 48 54 set rates-11bg 12-basic 18 24 36 48 54

set rates-11n-ss34 mcs16/3 mcs18/3 mcs20/3 mcs21/3 mcs22/3 mcs23/3 mcs24/4 mcs25/4 set rates-11ac-ss34 mcs0/3 mcs1/3 mcs2/3 mcs9/4 mcs9/3

end

Limit power

High-density deployments usually cover a small area that has many clients. Maximum AP signal power is usually not required. Reducing the power reduces interference between APs. Fortinet recommends that you use FortiAP automatic power control. You can set this in the FortiAP profile.

1. Go to WiFi & Switch Controller > FortiAP Profiles and edit the profile for your AP model.
2. For each radio, enable Auto TX Power Control and set the TX Power Low and TX Power High The default range of 10 to 17dBm is recommended.

Features for high-density deployments                                                                Use frequency band load-balancing

Use frequency band load-balancing

In a high-density environment is important to make the best use of the two WiFi bands, 2.4GHz and 5GHz. The 5GHz band has more non-overlapping channels and receives less interference from non-WiFi devices, but not all devices support it. Clients that are capable of 5GHz operation should be encouraged to use 5GHz rather than the 2.4GHz band.

To load-balance the WiFi bands, you enable Frequency Handoff in the FortiAP profile. In the FortiGate webbased manager, go to WiFi & Switch Controller > FortiAP Profiles and edit the relevant profile. Or, you can use the CLI:

config wireless-controller wtp-profile edit FAP221C-default config radio-1 set frequency-handoff enable

end

The FortiGate wireless controller continuously performs a scan of all clients in the area and records their signal strength (RSSI) on each band. When Frequency Handoff is enabled, the AP does not reply to clients on the

2.4GHz band that have sufficient signal strength on the 5GHz band. These clients can associate only on the 5GHz band. Devices that support only 2.4GHz receive replies and associate with the AP on the 2.4GHz band.

Setting the handoff RSSI threshold

The FortiAP applies load balancing to a client only if the client has a sufficient signal level on 5GHz. The minimum signal strength threshold is set in the FortiAP profile, but is accessible only through the CLI:

config wireless-controller wtp-profile edit FAP221C-default set handoff-rssi 25

end

handoff-rssi has a range of 20 to 30. RSSI is a relative measure. The higher the number, the stronger the signal.

AP load balancing

The performance of an AP is degraded if it attempts to serve too many clients. In high-density environments, multiple access points are deployed with some overlap in their coverage areas. The WiFi controller can manage the association of new clients with APs to prevent overloading.

To load-balance between APs, enable AP Handoff in the FortiAP profile. In the FortiGate web-based manager, go to WiFi & Switch Controller > FortiAP Profiles and edit the relevant profile. Or, you can use the CLI:

config wireless-controller wtp-profile edit FAP221C-default config radio-1 set ap-handoff enable

end

When an AP exceeds the threshold (the default is 30 clients), the overloaded AP does not reply to a new client that has a sufficient signal at another AP.

Application rate-limiting                                                                                 Features for high-density deployments

Setting the AP load balance threshold

The thresholds for AP handoff are set in the FortiAP profile, but is accessible only through the CLI:

config wireless-controller wtp-profile edit FAP221C-default set handoff-sta-thresh 30 set handoff-rssi 25

end

handoff-sta-thresh sets the number of clients at which AP load balancing begins. It has a range of 5 to 35.

handoff-rssi Sets the minimum signal strength that a new client must have at an alternate AP for the overloaded AP to ignore the client. It has a range of 20 to 30. RSSI is a relative measure. The higher the number, the stronger the signal.

Application rate-limiting

To prevent particular application types from consuming too much bandwidth, you can use the FortiOS Application Control feature.

1. Go to Security Profiles > Application Control.

You can use the default profile or create a new one.

2. Click the category, select Traffic Shaping and then select the priority for the category.

Repeat for each category to be controlled.

3. Select Apply.
4. Go to Policy & Objects > IPv4 Policy and edit your WiFi security policy.
5. In Security Profiles, set Application Control ON and select the security profile that you edited.
6. Select OK.

Protecting the WiFi Network

Wireless IDS

WiFi data channel encryption

Protected Management Frames and Opportunisitc Key Caching support

Wireless IDS

The FortiGate Wireless Intrusion Detection System (WIDS) monitors wireless traffic for a wide range of security threats by detecting and reporting on possible intrusion attempts. When an attack is detected the FortiGate unit records a log message.

You can create a WIDS profile to enable these types of intrusion detection:

• Asleap Attack—ASLEAP is a tool used to perform attacks against LEAP authentication.
• Association Frame Flooding—A Denial of Service attack using a large number of association requests. The default detection threshold is 30 requests in 10 seconds.
• Authentication Frame Flooding—A Denial of Service attack using a large number of association requests. The default detection threshold is 30 requests in 10 seconds.
• Broadcasting De-authentication—This is a type of Denial of Service attack. A flood of spoofed de-authentication frames forces wireless clients to de-athenticate, then re-authenticate with their AP.
• EAPOL Packet Flooding—Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication. Flooding the AP with these packets can be a denial of service attack. Several types of EAPOL packets are detected: EAPOL-FAIL, EAPOL-LOGOFF, EAPOL-START, EAPOL-SUCC.
• Invalid MAC OUI—Some attackers use randomly-generated MAC addresses. The first three bytes of the MAC address are the Organizationally Unique Identifier (OUI), administered by IEEE. Invalid OUIs are logged.
• Long Duration Attack—To share radio bandwidth, WiFi devices reserve channels for brief periods of time. Excessively long reservation periods can be used as a denial of service attack. You can set a threshold between 1000 and 32 767 microseconds. The default is 8200. l Null SSID Probe Response—When a wireless client sends out a probe request, the attacker sends a response with a null SSID. This causes many wireless cards and devices to stop responding.
• Spoofed De-authentication—Spoofed de-authentication frames are a denial of service attack. They cause all clients to disconnect from the AP.
• Weak WEP IV Detection—A primary means of cracking WEP keys is by capturing 802.11 frames over an extended period of time and searching for patterns of WEP initialization vectors (IVs) that are known to be weak. WIDS detects known weak WEP IVs in on-air traffic.
• Wireless Bridge—WiFi frames with both the fromDS and ToDS fields set indicate a wireless bridge. This will also detect a wireless bridge that you intentionally configured in your network.

You can enable wireless IDS by selecting a WIDS Profile in your FortiAP profile.

To create a WIDS Profile

1. Go to WiFi & Switch Controller > WIDS Profiles.
2. Select a profile to edit or select Create New.

WiFi data channel encryption                                                                                          Protecting the WiFi Network

3. Select the types of intrusion to protect against. By default, all types are selected.
4. Select Apply.

You can also configure a WIDS profile in the CLI using the config wireless-controller widsprofile command.

Rogue AP detection

The WIDS profile includes settings for detection of unauthorized (rogue) access points in your wireless network. For more information, see Wireless network monitoring on page 111.

WIDS client deauthentication rate for DoS attacks

As part of mitigating a Denial of Service (DoS) attack, the FortiGate sends deauthentication packets to unknown clients. In an aggressive attack, this deauthentication activity can prevent the processing of packets from valid clients. A WIDS Profile option in the CLI limits the deauthentication rate.

config wireless-controller wids-profile edit default set deauth-unknown-src-thresh <1-65535>

end

The value set is a measure of the number of deathorizations per second. 0 means no limit. The default is 10.

WiFi data channel encryption

Optionally, you can apply DTLS encryption to the data channel between the wireless controller and FortiAP units. This enhances security.

There are data channel encryption settings on both the FortiGate unit and the FortiAP units. At both ends, you can enable Clear Text, DTLS encryption, or both. The settings must agree or the FortiAP unit will not be able to join the WiFi network. By default, both Clear Text and DTLS-encrypted communication are enabled on the FortiAP unit, allowing the FortiGate setting to determine whether data channel encryption is used. If the FortiGate unit also enables both Clear Text and DTLS, Clear Text is used.

Data channel encryption settings are located in the FortiAP profile. By default, only Clear Text is supported.

Configuring encryption on the FortiGate unit

You can use the CLI to configure data channel encryption.

Enabling encryption

In the CLI, the wireless wtp-profile command contains a new field, dtls-policy, with options clear-text and dtls-enabled. To enable encryption in profile1 for example, enter:

config wireless-controller wtp-profile

Protecting the WiFi Network                              Protected Management Frames and Opportunisitc Key Caching support

edit profile1 set dtls-policy dtls-enabled

end

Configuring encryption on the FortiAP unit

The FortiAP unit has its own settings for data channel encryption.

Enabling CAPWAP encryption – FortiAP web-based manager

1. On the System Information page, in WTP Configuration > AC Data Channel Security, select one of:

l Clear Text l DTLS Enabled l Clear Text or DTLS Enabled (default)

2. Select Apply.

Enabling encryption – FortiAP CLI

You can set the data channel encryption using the AC_DATA_CHAN_SEC variable: 0 is Clear Text, 1 is DTLS Enabled, 2 (the default) is Clear Text or DTLS Enabled.

For example, to set security to DTLS and then save the setting, enter

cfg -a AC_DATA_CHAN_SEC=1 cfg -c

Protected Management Frames and Opportunisitc Key Caching support

Protected Management Frames (PMF) protect some types of management frames like deauthorization, disassociation and action frames. This feature, now mandatory on WiFi certified 802.1ac devices, prevents attackers from sending plain deauthorization/disassociation frames to disrupt or tear down a connection/association. PMF is a Wi-Fi Alliance specification based on IEEE 802.11w.

To facilitate faster roaming client roaming, you can enable Opportunistic Key Caching (OKC) on your WiFi network. When a client associates with an AP, its PMK identifier is sent to all other APs on the network. This eliminates the need for an already-authenticated client to repeat the full EAP exchange process when it roams to another AP on the same network.

Use of PMF and OKC on an SSID is configurable only in the CLI:

config wireless-controller vap edit <vap_name> set pmf {disable | enable | optional} set pmf-assoc-comeback-timeout <integer> set pmf-sa-query-retry-timeout <integer>

set okc {disable | enable}

next

end

When pmf is set to optional, it is considered enabled, but will allow clients that do not use PMF. When pmf is set to enable, PMF is required by all clients.

Monitoring wireless clients

To view connected clients on a FortiWiFi unit

1. Go to Monitor > Client Monitor.

The following information is displayed:

Results can be filtered. Select the filter icon on the column you want to filter. Enter the values to include or select NOT if you want to exclude the specified values.

Monitoring rogue APs

The access point radio equipment can scan for other available access points, either as a dedicated monitor or in idle periods during AP operation.

Monitoring

Discovered access points are listed in Monitor > Rogue AP Monitor. You can then mark them as either Accepted or Rogue access points. This designation helps you to track access points. It does not affect anyone’s ability to use these access points.

It is also possible to suppress rogue APs. See Monitoring rogue APs on page 111.

On-wire rogue AP detection technique

Other APs that are available in the same area as your own APs are not necessarily rogues. A neighboring AP that has no connection to your network might cause interference, but it is not a security threat. A rogue AP is an unauthorized AP connected to your wired network. This can enable unauthorized access. When rogue AP detection is enabled, the On-wire column in the Rogue AP Monitor list shows a green up-arrow on detected rogues.

Rogue AP monitoring of WiFi client traffic builds a table of WiFi clients and the Access Points that they are communicating through. The FortiGate unit also builds a table of MAC addresses that it sees on the LAN. The FortiGate unit’s on-wire correlation engine constantly compares the MAC addresses seen on the LAN to the MAC addresses seen on the WiFi network.

There are two methods of Rogue AP on-wire detection operating simultaneously: Exact MAC address match and MAC adjacency.

Exact MAC address match

If the same MAC address is seen on the LAN and on the WiFi network, this means that the wireless client is connected to the LAN. If the AP that the client is using is not authorized in the FortiGate unit configuration, that AP is deemed an ‘on-wire’ rogue. This scheme works for non-NAT rogue APs.

MAC adjacency

If an access point is also a router, it applies NAT to WiFi packets. This can make rogue detection more difficult.

However, an AP’s WiFi interface MAC address is usually in the same range as its wired MAC address. So, the MAC adjacency rogue detection method matches LAN and WiFi network MAC addresses that are within a defined numerical distance of each other. By default, the MAC adjacency value is 7. If the AP for these matching MAC addresses is not authorized in the FortiGate unit configuration, that AP is deemed an ‘on-wire’ rogue.

Limitations

On-wire rogue detection has some limitations. There must be at least one WiFi client connected to the suspect AP and continuously sending traffic. If the suspect AP is a router, its WiFi MAC address must be very similar to its Ethernet port MAC address.

Logging

Information about detected rogue APs is logged and uploaded to your FortiAnalyzer unit, if you have one. By default, rogue APs generate an alert level log, unknown APs generate a warning level log. This log information can help you with PCI-DSS compliance requirements.

Rogue AP scanning as a background activity

Each WiFi radio can perform monitoring of radio channels in its operating band while acting as an AP. It does this by briefly switching from AP to monitoring mode. By default, a scan period starts every 300 seconds. Each second a different channel is monitored for 20ms until all channels have been checked.

Monitoring rogue APs                                                                                                  Wireless network monitoring

During heavy AP traffic, it is possible for Spectrum Analysis background scanning to cause lost packets when the radio switches to monitoring. To reduce the probability of lost packets, you can set the CLI ap-bgscan-idle field to delay the switch to monitoring until the AP has been idle for a specified period. This means that heavy AP traffic may slow background scanning.

The following CLI example configures default background rogue scanning operation except that it sets apbgscan-idle to require 100ms of AP inactivity before scanning the next channel.

config wireless-controller wtp-profile edit ourprofile config radio-1 set wids-profile ourwidsprofile set spectrum-analysis enable

end

end

config wireless-controller wids-profile edit ourwidsprofile set ap-scan enable set rogue-scan enable set ap-bgscan-period 300 set ap-bgscan-intv 1 set ap-bgscan-duration 20 set ap-bgscan-idle 100

end

Configuring rogue scanning

All APs using the same FortiAP Profile share the same rogue scanning settings, unless override is configured.

To enable rogue AP scanning with on-wire detection – web-based manager

1. Go to WiFi & Switch Controller > WIDS Profiles.

On some models, the menu is WiFi & Switch Controller.

2. Select an existing WIDS Profile and edit it, or select Create New.
3. Make sure that Enable Rogue AP Detection is selected.
4. Select Enable On-Wire Rogue AP Detection.
5. Optionally, enable Auto Suppress Rogue APs in Foreground Scan.
6. Select OK.

To enable the rogue AP scanning feature in a custom AP profile – CLI

config wireless-controller wids-profile edit FAP220B-default set ap-scan enable set rogue-scan enable

end

Exempting an AP from rogue scanning

By default, if Rogue AP Detection is enabled, it is enabled on all managed FortiAP units. Optionally, you can exempt an AP from scanning. You should be careful about doing this if your organization must perform scanning to meet PCI-DSS requirements.

Monitoring

To exempt an AP from rogue scanning – web-based manager

1. Go to WiFi & Switch Controller > Managed FortiAPs.
2. Select which AP to edit.
3. In Wireless Settings, enable Override Settings.
4. Select Do not participate in Rogue AP Scanning and then select OK.

To exempt an AP from rogue scanning – CLI

This example shows how to exempt access point AP1 from rogue scanning.

config wireless-controller wtp edit AP1 set override-profile enable set ap-scan disable

end

MAC adjacency

You can adjust the maximum WiFi to Ethernet MAC difference used when determining whether an suspect AP is a rogue.

To adjust MAC adjacency

For example, to change the adjacency to 8, enter

config wireless-controller global set rogue-scan-mac-adjacency 8 end

Monitoring rogue APs                                                                                                  Wireless network monitoring

Using the Rogue AP Monitor

Go to Monitor > Rogue AP Monitor to view the list of other wireless access points that are receivable at your location.

Suppressing

To change the Online Status of an AP, right-click it and select Mark Accepted or Mark Rogue.

Suppressing rogue APs

In addition to monitoring rogue APs, you can actively prevent your users from connecting to them. When suppression is activated against an AP, the FortiGate WiFi controller sends deauthentication messages to the rogue AP’s clients, posing as the rogue AP, and also sends deauthentication messages to the rogue AP, posing as its clients. This is done using the monitoring radio.

To enable rogue AP suppression, you must enable monitoring of rogue APs with the on-wire detection technique. See “Monitoring rogue APs”. The monitoring radio must be in the Dedicated Monitor mode.

To activate AP suppression against a rogue AP

1. Go to Monitor > Rogue AP Monitor.
2. When you see an AP listed that is a rogue detected “on-wire”, select it and then select Mark > Mark Rogue.
3. To suppress an AP that is marked as a rogue, select it and then select Suppress AP.

To deactivate AP suppression

1. Go to Monitor > Rogue AP Monitor.
2. Select the suppressed rogue AP and then select Suppress AP > Unsuppress AP.

Monitoring wireless network health

The Wireless Health Dashboard provides a comprehensive view of the health of your network’s wireless infrastructure. The dashboard includes widgets to display

• AP Status – Active, Down or missing, up for over 24 hours, rebooted in past 24 hours l Client Count Over Time – viewable for past hour, day, or 30 days l Top Client Count Per-AP – separate widgets for 2.4GHz and 5GHz bands l Top Wireless Interference – separate widgets for 2.4GHz and 5GHz bands, requires spectrum analysis to be enabled on the radios
• Login Failures Information

To view the Wireless Health dashboard, go to Monitor > Wireless Health Monitor.

Configuring wireless network clients

This chapter shows how to configure typical wireless network clients to connect to a wireless network with WPAEnterprise security.

Windows XP client

Windows 7 client

Mac OS client

Linux client

Troubleshooting

Windows XP client

To configure the WPA-Enterprise network connection

1. In the Windows Start menu, go to Control Panel > Network Connections > Wireless Network Connection or select the wireless network icon in the Notification area of the Taskbar. A list of available networks is displayed.

Windows XP

If you are already connected to another wireless network, the Connection Status window displays. Select View Wireless Networks on the General tab to view the list.

If the network broadcasts its SSID, it is listed. But do not try to connect until you have completed the configuration step below. Because the network doesn’t use the Windows XP default security configuration, configure the client’s network settings manually before trying to connect.

2. You can configure the WPA-Enterprise network to be accessible from the View Wireless Networks window even if it does not broadcast its SSID.
3. Select Change Advanced Settings and then select the Wireless Networks

Any existing networks that you have already configured are listed in the Preferred Networks list.

Windows XP client

4. Select Add and enter the following information:

5. If this wireless network does not broadcast its SSID, select Connect even if this network is not broadcasting so that the network will appear in the View Wireless Networks

Windows XP

6. Select the Authentication
7. In EAP Type, select Protected EAP (PEAP).
8. Make sure that the other two authentication options are not selected.

Windows XP client

9. Select Properties.
10. Make sure that Validate server certificate is selected.
11. Select the server certificate Entrust Root Certification Authority.
12. In Select Authentication Method, select Secured Password (EAP-MSCHAPv2).
13. Ensure that the remaining options are not selected.
14. Select Configure.
15. If your wireless network credentials are the same as your Windows logon credentials, select Automatically use my Windows logon name and password. Otherwise, make sure that this option is not selected.
16. Select OK. Repeat until you have closed all of the Wireless Network Connection Properties

Windows 7

To connect to the WPA-Enterprise wireless network

1. Select the wireless network icon in the Notification area of the Taskbar.
2. In the View Wireless Networks list, select the network you just added and then select Connect. You might need to log off of your current wireless network and refresh the list.
3. When the following popup displays, click on it.
4. In the Enter Credentials window, enter your wireless network User name, Password, and Logon domain (if applicable). Then, select OK.

In future, Windows will automatically send your credentials when you log on to this network.

Windows 7 client

1. In the Windows Start menu, go to Control Panel > Network and Internet > Network and Sharing Center > Manage Wireless Networks or select the wireless network icon in the Notification area of the Taskbar. A list of available networks is displayed.

Windows 7 client

2. Do one of the following:

l If the wireless network is listed (it broadcasts its SSID), select it from the list. l Select Add > Manually create a network profile.

Windows 7

3. Enter the following information and select Next.

The Wireless Network icon will display a popup requesting that you click to enter credentials for the network. Click on the popup notification.

4. In the Enter Credentials window, enter your wireless network User name, Password, and Logon domain (if applicable). Then, select OK.
5. Select Change connection settings.
6. On the Connection tab, select Connect automatically when this network is in range.
7. On the Security tab, select the Microsoft PEAP authentication method and then select Settings.

Windows 7 client

8. Make sure that Validate server certificate is selected.
9. Select the server certificate Entrust Root Certification Authority.
10. In Select Authentication Method, select Secured Password (EAP-MSCHAPv2).
11. Select Configure.
12. If your wireless network credentials are the same as your Windows logon credentials, select Automatically use my Windows logon name and password. Otherwise, make sure that this option is not selected.
13. Ensure that the remaining options are not selected.
14. Select OK. Repeat until you have closed all of the Wireless Network Properties

Mac OS

Mac OS client

To configure network preferences

1. Right-click the AirPort icon in the toolbar and select Open Network Preferences.
2. Select Advanced and then select the 1X tab.
3. If there are no Login Window Profiles in the left column, select the + button and then select Add Login Window

Profile.

4. Select the Login Window Profile and then make sure that both TTLS and PEAP are selected in Authentication.

To configure the WPA-Enterprise network connection

1. Select the AirPort icon in the toolbar.
2. Do one of the following:

l If the network is listed, select the network from the list. l Select Connect to Other Network.

Mac OS client

One of the following windows opens, depending on your selection.

3. Enter the following information and select OK or Join:

You are connected to the wireless network.

Linux

Linux client

This example is based on the Ubuntu 10.04 Linux wireless client.

To connect to a WPA-Enterprise network

1. Select the Network Manager icon to view the Wireless Networks menu.

Wireless networks that broadcast their SSID are listed in the Available section of the menu. If the list is long, it is continued in the More Networks submenu.

2. Do one of the following:
   • Select the network from the list (also check More Networks).
   • Select Connect to Hidden Wireless Network.

One of the following windows opens, depending on your selection.

Linux client

3. Enter the following information:

Troubleshooting

4. If you did not select a CA Certificate above, you are asked to do so. Select Ignore.
5. Select You are connected to the wireless network.

To connect to a WPA-Enterprise network

1. Select the Network Manager icon to view the Wireless Networks menu.
2. Select the network from the list (also check More Networks).

If your network is not listed (but was configured), select Connect to Hidden Wireless Network, select your network from the Connection drop-down list, and then select Connect.

Troubleshooting

Using tools provided in your operating system, you can find the source of common wireless networking problems.

Checking that client received IP address and DNS server information

Windows XP

1. Double-click the network icon in the taskbar to display the Wireless Network Connection Status

Check that the correct network is listed in the Connection section.

2. Select the Support

Check that the Address Type is Assigned by DHCP. Check that the IP Address, Subnet Mask, and Default Gateway values are valid.

3. Select Details to view the DNS server addresses.

The listed address should be the DNS serves that were assigned to the WAP. Usually a wireless network that provides access to the private LAN is assigned the same DNS servers as the wired private LAN. A wireless network that provides guest or customer users access to the Internet is usually assigned public DNS servers.

4. If any of the addresses are missing, select Repair.

If the repair procedure doesn’t correct the problem, check your network settings.

Troubleshooting

Mac OS

1. From the Apple menu, open System Preferences > Network.
2. Select AirPort and then select Configure.
3. On the Network page, select the TCP/IP
4. If there is no IP address or the IP address starts with 169, select Renew DHCP Lease.
5. To check DNS server addresses, open a terminal window and enter the following command:

cat /etc/resolv.conf

Check the listed nameserver addresses. A network for employees should us the wired private LAN DNS server. A network for guests should specify a public DNS server.

Linux

This example is based on the Ubuntu 10.04 Linux wireless client.

Troubleshooting

1. Right-click the Network Manager icon and select Connection Information.
2. Check the IP address, and DNS settings. If they are incorrect, check your network settings.