WiFi
This chapter describes new WiFi features added to FortiOS 5.4.
Conflicting local-standalone and local-bridging VAP CLI resolved (256450)
- Disabling local-bridging now also disables local-standalone. Disabling either local-bridging or local-standalone also disables intra-vap-privacy.
- Enabling intra-vap-privacy disables local-standalone.
- Local-bridging is enabled automatically when local-standalone is enabled.
Support fast-roaming for mesh backhaul link (274007 293321)
Added the basic functionality needed for a leaf FortiAP to roam quickly from one root FortiAP to another when signal conditions change. The feature lets the administrator tune fast roaming for most mobility scenarios. The leaf FortiAP acts as a wireless bridge, passing traffic between its Ethernet port and the wireless mesh link.
- Includes background scan while the leaf AP is connected to the root AP (Mesh uplink established)
- Leaf AP will schedule a background scan using local interfaces (wbh0/1)
- Scan parameters are configured in the AP
- Every 10 minutes, the WTP daemon reviews the list of available root APs. If a better root AP is found, the WTP daemon triggers a mesh roam.
For full leaf AP scan mesh CLI variables, see Mesh variables.
Captive portal authentication to support roaming (284202 306681)
Client devices will maintain captive portal authentication as they roam across different APs. By maintaining a consistent authentication, a client can ensure uninterrupted access to latency sensitive applications such as VoIP.
The cloud controller pushes a random per-AP-Network encryption key to each AP. The key is 32 bytes long and is used for captive portal fast roaming. All APs in the same AP Network share the same key. The key is randomly generated and is rotated daily.
Link aggregation supports CAPWAP to improve WiFi performance (305156)
Link aggregation is used to combine multiple network connections in parallel in order to increase throughput beyond what a single connection could sustain.
- FortiAP 320B and 320C models are supported.
- FortiAP 112B and 112D models cannot support link aggregation.
- NPI FAP-S3xxCR and "wave2" FAP/FAP-S models will receive link aggregation through synchronization with the regular FortiAP trunk build.
Link aggregation can be set in the FortiAP's CLI. See FortiAP CLI for more information.
Blocking management access via non-management interface (307813)
Previously, a FortiAP accepted Telnet and HTTP connections on any virtual interface that had an IP address. For security reasons, Telnet and HTTP access are now limited to br0, or to the br.vlan interface of the management VLAN (AP_MGMT_VLAN_ID) when one is configured.
Support HTTPS and SSH administrative access for FortiAPs (355122)
FortiAP now supports HTTPS and SSH administrative access, as well as HTTP and Telnet.
CLI additions have been made under wtp-profile and wtp.
Syntax
config wireless-controller wtp-profile
edit {profile}
set allowaccess [telnet | http | https | ssh]
end
config wireless-controller wtp
edit 1
set override-allowaccess [enable | disable]
set allowaccess [telnet | http | https | ssh]
end
Support to Disable PowerSave Feature (355273)
Added transmit-optimize under wireless-controller wtp-profile > radio to manually configure transmit optimization.
Syntax
config wireless-controller wtp-profile
edit {profile}
config {radio}
set transmit-optimize [disable | power-save | aggr-limit | retry-limit | send-bar]
- disable: Disable transmit optimization.
- power-save: Mark a client as being in power-save mode if excessive transmit retries occur.
- aggr-limit: Lower the aggregation limit when the data rate is low.
- retry-limit: Lower the software retry limit when the data rate is low.
- send-bar: Do not send BAR (Block Ack Request) frames too often.
ARP not resolved for iPads (364516)
Added the arp-proxy option under config wireless-controller vap > set broadcast-suppression to configure the VAP to answer ARP requests on behalf of wireless clients (proxy ARP).
Option to block intra-SSID traffic in Bridge mode for client connected to same FortiAP (365128)
A FortiAP in Bridge mode can now block traffic between clients associated with the same FortiAP. This is useful in hotspot deployments managed by a central FortiGate, and would also be useful in cloud deployments. Until now, this was only supported in Tunnel mode.
Run FortiAP shell command through CAPWAP control tunnel (365609)
Very often, a FortiAP in the field is behind a NAT device, so access to it through Telnet or SSH is not available. As a troubleshooting aid, this feature lets the controller send a shell command of up to 127 bytes to the FortiAP; the FortiAP runs the command and returns the results to the controller over the CAPWAP control tunnel.
The maximum output from a command is limited to 4 MB, and the default output size is 32 KB.
The FortiAP reports results to the controller only after the command has finished. If a new command is sent to the AP before the previous command has finished, the previous command is canceled.
Syntax
diag w-c wlac wtpcmd wtp_ip wtp_port cmd [cmd-to-ap]
cmd: run, show, showhex, clr, r&s, r&sh
- cmd-to-ap: any shell command; the AP does not report results until the command has finished on the AP
- run: controller sends the ap-cmd to the FAP to run
- show: show current results reported by the AP in text
- showhex: show current results reported by the AP in hex
- clr: clear reported results
- r&s: run/show
- r&sh: run/showhex
New Certificate Bundle 20160525 is available (373743)
A new WiFi certificate bundle, issued by Entrust, is available. The chain is: wifi_cert > Entrust_L1K > Entrust_G2 > Entrust_Root.
At Entrust's request, the little-used G2 root is removed from the CA bundle.
Automatic all-SSID selection in FortiAP Profile (219347)
The SSID field in FortiAP Profiles now includes the option Automatically assign Tunnel-mode SSIDs. This eliminates the need to re-edit the profile when new SSIDs are created. You can still select SSIDs individually using the Select SSIDs option.
Automatic assignment of SSIDs is not available for FortiAPs in Local Bridge mode. The option is hidden on both the Managed FortiAP settings and the FortiAP Profile assigned to that AP.
Improved override of FortiAP settings (219347 264010 264897)
The configuration settings of a FortiAP in WiFi Controller > Managed FortiAPs can override selected settings in the FortiAP Profile:
- Band and/or Channel
- Transmitter Power
- SSIDs
- LAN Port mode
Note that a Band override also overrides Channel selections.
In the CLI, you can also override FortiAP LED state, WAN port mode, IP Fragmentation prevention method, spectrum analysis, and split tunneling settings.
Spectrum Analysis removed from FortiAP Profile GUI
Spectrum Analysis is no longer available in FortiAP Profiles in the GUI. It can be enabled in the CLI if needed.
Disable low data rates in 802.11a, g, n, ac (297821)
To reduce air-time usage on your WiFi network, you can disable the use of low data rates which cause communications to consume more air time.
The 802.11 a, b, and g protocols are specified by data rate. 802.11a supports 6, 9, 12, 18, 24, 36, 48, and 54 Mb/s. 802.11b/g supports 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, and 54 Mb/s. Basic rates are marked with the suffix "basic", for example "12-basic". A client must support every basic rate in order to associate, so consider the capabilities of the expected client devices when choosing the lowest basic rate.
The 802.11n and ac protocols are specified by MCS (Modulation and Coding Scheme) index and the number of spatial streams, written mcs<index>/<streams>.
- 802.11n with 1 or 2 spatial streams can support mcs0/1, mcs1/1, mcs2/1, mcs3/1, mcs4/1, mcs5/1, mcs6/1, mcs7/1, mcs8/2, mcs9/2, mcs10/2, mcs11/2, mcs12/2, mcs13/2, mcs14/2, mcs15/2.
- 802.11n with 3 or 4 spatial streams can support mcs16/3, mcs17/3, mcs18/3, mcs19/3, mcs20/3, mcs21/3, mcs22/3, mcs23/3, mcs24/4, mcs25/4, mcs26/4, mcs27/4, mcs28/4, mcs29/4, mcs30/4, mcs31/4.
- 802.11ac with 1 or 2 spatial streams can support mcs0/1, mcs1/1, mcs2/1, mcs3/1, mcs4/1, mcs5/1, mcs6/1, mcs7/1, mcs8/1, mcs9/1, mcs0/2, mcs1/2, mcs2/2, mcs3/2, mcs4/2, mcs5/2, mcs6/2, mcs7/2, mcs8/2, mcs9/2.
- 802.11ac with 3 or 4 spatial streams can support mcs0/3, mcs1/3, mcs2/3, mcs3/3, mcs4/3, mcs5/3, mcs6/3, mcs7/3, mcs8/3, mcs9/3, mcs0/4, mcs1/4, mcs2/4, mcs3/4, mcs4/4, mcs5/4, mcs6/4, mcs7/4, mcs8/4, mcs9/4.
Here are some examples of setting basic and supported rates.
config wireless-controller vap
edit <vap_name>
set rates-11a 12-basic 18 24 36 48 54
set rates-11bg 12-basic 18 24 36 48 54
set rates-11n-ss34 mcs16/3 mcs18/3 mcs20/3 mcs21/3 mcs22/3 mcs23/3 mcs24/4 mcs25/4
set rates-11ac-ss34 mcs0/3 mcs1/3 mcs2/3 mcs9/4 mcs9/3
end
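The rate lists above are easy to get wrong by hand (an MCS index paired with the wrong stream count, or a list with no basic rate at all, which leaves clients nothing to associate with). The following checker is an added example, not Fortinet code: it validates rates-11a, rates-11bg, rates-11n-ss12/ss34 and rates-11ac-ss12/ss34 values as typed in the CLI against the rate sets listed in this section, and reports the lowest basic rate so you can see what the slowest client is allowed to use.

```python
import re

# Rate sets from the section above. 802.11a/b/g rates are in Mb/s;
# 802.11n/ac rates are written mcs<index>/<spatial streams>.
RATES_11A = {"6", "9", "12", "18", "24", "36", "48", "54"}
RATES_11BG = {"1", "2", "5.5", "6", "9", "11", "12", "18", "24", "36", "48", "54"}
MCS_TOKEN = re.compile(r"^mcs(\d{1,2})/([1-4])$")


def parse_legacy_rates(spec, allowed):
    """Parse a rates-11a / rates-11bg value such as '12-basic 18 24 36 48 54'.

    Returns (basic, supported) as sorted lists of floats in Mb/s.  Raises
    ValueError for unknown rates, unknown suffixes, or a list with no basic
    rate (a client needs at least one basic rate to associate).
    """
    basic, supported = [], []
    for token in spec.split():
        rate, _, suffix = token.partition("-")
        if rate not in allowed or suffix not in ("", "basic"):
            raise ValueError("invalid rate token %r" % token)
        (basic if suffix == "basic" else supported).append(float(rate))
    if not basic:
        raise ValueError("at least one rate must carry the -basic suffix")
    return sorted(basic), sorted(supported)


def lowest_basic_rate(spec, allowed):
    """Lowest basic rate in Mb/s: every client must support this to join."""
    return parse_legacy_rates(spec, allowed)[0][0]


def ht_token_ok(token, ss34):
    """Validate an 802.11n token for rates-11n-ss12 (ss34=False) or
    rates-11n-ss34 (ss34=True).  MCS 0-7 use 1 stream, 8-15 use 2,
    16-23 use 3 and 24-31 use 4, so the stream count is fixed by the index."""
    m = MCS_TOKEN.match(token)
    if not m:
        return False
    index, streams = int(m.group(1)), int(m.group(2))
    if index > 31 or streams != index // 8 + 1:
        return False
    return (streams >= 3) == ss34


def vht_token_ok(token, ss34):
    """Validate an 802.11ac token: MCS 0-9 for each of 1-4 streams, with
    streams 1-2 in rates-11ac-ss12 and streams 3-4 in rates-11ac-ss34."""
    m = MCS_TOKEN.match(token)
    if not m:
        return False
    index, streams = int(m.group(1)), int(m.group(2))
    if index > 9:
        return False
    return (streams >= 3) == ss34


def check_vap_rates(settings):
    """Check a dict of rates-* values (as typed in the CLI) and return a list
    of problems; the list is empty when the SSID's rate settings are valid."""
    problems = []
    legacy = {"rates-11a": RATES_11A, "rates-11bg": RATES_11BG}
    for key, allowed in legacy.items():
        if key in settings:
            try:
                parse_legacy_rates(settings[key], allowed)
            except ValueError as exc:
                problems.append("%s: %s" % (key, exc))
    mcs = {"rates-11n-ss12": (ht_token_ok, False),
           "rates-11n-ss34": (ht_token_ok, True),
           "rates-11ac-ss12": (vht_token_ok, False),
           "rates-11ac-ss34": (vht_token_ok, True)}
    for key, (check, ss34) in mcs.items():
        for token in settings.get(key, "").split():
            if not check(token, ss34):
                problems.append("%s: invalid token %s" % (key, token))
    return problems
```

Run check_vap_rates on the values from the CLI example above and it returns an empty list; feed it a rates-11a list without a -basic entry, or mcs16/2 in rates-11n-ss34, and it names the offending setting.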
WiFi and Switch controllers are enabled separately (275860)
In the Feature Store (System > Features), the WiFi Controller and Switch Controller are now separate. However, the Switch Controller must be enabled in order for the WiFi Controller to be visible.
In the CLI, the settings that enable the WiFi and Switch controllers have been separated:
config system global
set wireless-controller enable
set switch-controller enable
end
The settings that enable the GUI display for those controllers have also been separated:
config system settings
set gui-wireless-controller enable
set gui-switch-controller enable
end
Add Support of LLDP protocol on FortiAP to send switch and port information (283107)
You can enable LLDP protocol in the FortiAP Profile. Each FortiAP using that profile can then send back information about the switch and port that it is connected to. This information is visible in the optional LLDP column of the Managed FortiAP list. To enable LLDP:
config wireless-controller wtp-profile
edit <profile-name>
set lldp enable
end
WTP groups (278462)
You can define FortiAP Groups. Each group can contain FortiAPs of a single platform (model). These groups can be used in VLAN-pooling to assign APs to particular VLANs. Create a FortiAP Group in the CLI like this:
config wireless-controller wtp-group
edit 1
set platform-type 320C
config wtp-list
edit FP320C3X14010828
next
edit FP320C3X14010830
end
end
The platform-type field is optional. If it is left empty, the group can contain FortiAPs of any model.
VLAN-pooling (278462)
In an SSID, you can define a VLAN pool. As clients associate to an AP, they are assigned to a VLAN. A VLAN pool can
- assign a specific VLAN based on the AP's FortiAP Group, usually for network configuration reasons, or
- assign one of several available VLANs for network load balancing purposes (tunnel mode SSIDs only)
Assignment by FortiAP Group
In this example, VLAN 101, 102, or 103 is assigned depending on the AP's FortiAP Group.
config wireless-controller vap
edit wlan
set vlan-pooling wtp-group
config vlan-pool
edit 101
set wtp-group wtpgrp1
next
edit 102
set wtp-group wtpgrp2
next
edit 103
set wtp-group wtpgrp3
end
end
Load Balancing
The vlan-pooling type can be either of these:
- round-robin - from the VLAN pool, choose the VLAN with the smallest number of clients
- hash - choose a VLAN from the VLAN pool based on a hash of the current number of SSID clients and the number of entries in the VLAN pool
If the VLAN pool contains no valid VLAN ID, the SSID's static VLAN ID setting is used.
In this example, VLAN 101, 102, or 103 is assigned using the round-robin method:
config wireless-controller vap
edit wlan
set vlan-pooling round-robin
config vlan-pool
edit 101
next
edit 102
next
edit 103
end
end
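To make the three vlan-pooling behaviours concrete, here is an added example (not FortiOS code) that simulates client association against a VLAN pool: wtp-group lookup by the AP's FortiAP Group, round-robin assignment to the VLAN with the fewest clients, and hash assignment. FortiOS does not document the hash it uses, so the client count modulo the pool size stands in for it here; the fallback to the SSID's static VLAN when the pool is empty follows the text above.

```python
from collections import Counter


class VlanPool:
    """Per-SSID VLAN assignment following the three vlan-pooling modes above.
    The concrete hash function is this example's assumption, not FortiOS's."""

    def __init__(self, mode, pool, static_vlan):
        # pool: for "wtp-group" a dict {vlan_id: wtp_group_name};
        #       for "round-robin" / "hash" a list of VLAN IDs.
        self.mode = mode
        self.pool = pool
        self.static_vlan = static_vlan
        self.clients = Counter()   # vlan_id -> number of associated clients
        self.members = {}          # client MAC -> vlan_id

    def ssid_client_count(self):
        return sum(self.clients.values())

    def choose(self, ap_group=None):
        """Pick a VLAN for a new client; ap_group is the AP's FortiAP Group."""
        if not self.pool:                     # no valid VLAN ID in the pool:
            return self.static_vlan           # use the SSID's static VLAN ID
        if self.mode == "wtp-group":
            for vlan, group in self.pool.items():
                if group == ap_group:
                    return vlan
            return self.static_vlan           # AP is in no pooled group
        if self.mode == "round-robin":
            # VLAN with the smallest number of clients; lowest ID breaks ties
            return min(self.pool, key=lambda v: (self.clients[v], v))
        if self.mode == "hash":
            # assumption: client count modulo pool size stands in for the hash
            return self.pool[self.ssid_client_count() % len(self.pool)]
        raise ValueError("unknown vlan-pooling mode %r" % self.mode)

    def associate(self, mac, ap_group=None):
        vlan = self.choose(ap_group)
        self.members[mac] = vlan
        self.clients[vlan] += 1
        return vlan

    def disassociate(self, mac):
        vlan = self.members.pop(mac)
        self.clients[vlan] -= 1
        return vlan


def simulate_round_robin(n_clients):
    """Associate n_clients to a round-robin pool of VLANs 101-103 and return
    the per-VLAN client counts, i.e. the balancing the section describes."""
    pool = VlanPool("round-robin", [101, 102, 103], static_vlan=100)
    for i in range(n_clients):
        pool.associate("02:00:00:00:00:%02x" % i)   # constructed client MACs
    return dict(pool.clients)
```

With seven clients, simulate_round_robin returns three clients on VLAN 101 and two each on 102 and 103; disassociating a client frees its slot so the next association lands on the emptiest VLAN again.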
Option to disable automatic registration of unknown FortiAPs (272368)
By default, FortiGate adds newly discovered FortiAPs to the Managed FortiAPs list, awaiting the administrator's authorization. Optionally, you can disable this automatic registration function. A FortiAP will be registered and listed only if its serial number has already been added manually to the Managed FortiAPs list. AP registration is configured on each interface. Disable automatic registration in the CLI like this:
config system interface
edit port15
set ap-discover disable
end
Automatic authorization of extension devices
To simplify adding FortiAP or FortiSwitch devices to your network, you can enable automatic authorization of devices as they are connected, instead of authorizing each one individually. This feature is available only on network interfaces designated as Dedicated to Extension Device.
To enable automatic authorization on all dedicated interfaces
config system global
set auto-auth-extension-device enable
end
To enable automatic authorization per-interface
config system interface
edit port15
set auto-auth-extension-device enable
end
In the GUI, the Automatically authorize devices option is available when Addressing Mode is set to Dedicated to Extension Device.
Control WIDS client deauthentication rate for DoS attack (285674 278771)
As part of mitigating a Denial of Service (DoS) attack, the FortiGate sends deauthentication packets to unknown clients. In an aggressive attack, this deauthentication activity can prevent the processing of packets from valid clients. A new WIDS Profile option in the CLI limits the deauthentication rate.
config wireless-controller wids-profile
edit default
set deauth-unknown-src-thresh 10
end
The range is 0 to 65,535 deauthentications per second; 0 means no limit. The default is 10.
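The point of the threshold is that the WIDS response itself must not become the denial of service: a flood of frames from unknown sources would otherwise make the AP spend its airtime sending deauthentications. The following per-second limiter is an added example, not the FortiOS implementation, and shows the effect of deauth-unknown-src-thresh on a constructed flood (0 means unlimited, as in the CLI).

```python
class DeauthRateLimiter:
    """Limit deauthentication frames sent to unknown sources per second,
    in the spirit of deauth-unknown-src-thresh.  threshold 0 = no limit."""

    def __init__(self, threshold_per_second):
        self.threshold = threshold_per_second
        self.window = None        # the 1-second window currently being counted
        self.sent = 0             # deauths sent in that window
        self.suppressed = 0       # deauths dropped because the limit was hit

    def allow(self, now):
        """Return True if a deauth may be sent at time `now` (seconds)."""
        if self.threshold == 0:
            return True
        window = int(now)
        if window != self.window:       # a new second: reset the counter
            self.window, self.sent = window, 0
        if self.sent < self.threshold:
            self.sent += 1
            return True
        self.suppressed += 1
        return False


def simulate_flood(frames_per_second, seconds, threshold):
    """Replay `frames_per_second` unknown-source frames per second for
    `seconds` seconds (constructed traffic) and return
    (deauths sent, deauths suppressed)."""
    limiter = DeauthRateLimiter(threshold)
    sent = 0
    for s in range(seconds):
        for i in range(frames_per_second):
            t = s + i / frames_per_second     # spread frames within the second
            if limiter.allow(t):
                sent += 1
    return sent, limiter.suppressed
```

At the default threshold of 10, a 1000-frame-per-second flood lasting two seconds produces 20 deauthentications and 1980 suppressed ones; with the threshold set to 0 every frame gets a deauthentication in reply.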
Prevent DHCP starvation (285521)
The SSID broadcast-suppression settings in the CLI now include an option to prevent clients from depleting the DHCP address pool by making multiple requests. Add this option as follows:
config wireless-controller vap
edit "wifi"
append broadcast-suppression dhcp-starvation
end
Prevent ARP Poisoning (285674)
The SSID broadcast-suppression settings in the CLI now include an option to prevent clients from spoofing ARP messages. Add this option as follows:
config wireless-controller vap
edit "wifi"
append broadcast-suppression arp-poison
end
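The two options above, dhcp-starvation and arp-poison, both rely on the AP knowing which station sent a frame (the 802.11 source address) and comparing it with what the frame's payload claims. The example below is an added illustration of that idea, not the FortiOS heuristics, which this page does not document: it drops DHCP requests whose chaddr differs from the associated station's MAC, caps DISCOVERs per station, learns each station's leased IP from the DHCPACK, and drops ARP frames whose sender MAC or sender IP does not belong to the station. The sample traffic is constructed, and the DISCOVER budget of 3 is an assumed value.

```python
from dataclasses import dataclass, field


@dataclass
class VapGuard:
    """Per-SSID checks in the spirit of the dhcp-starvation and arp-poison
    broadcast-suppression options.  Rules are this example's own."""
    discover_budget: int = 3                          # assumed per-station DISCOVER allowance
    bindings: dict = field(default_factory=dict)      # station MAC -> IP learned from DHCPACK
    discovers: dict = field(default_factory=dict)     # station MAC -> DISCOVERs seen

    def dhcp_from_client(self, station, msg_type, chaddr):
        """station = 802.11 source address of the associated client;
        chaddr  = client hardware address inside the DHCP payload."""
        if chaddr.lower() != station.lower():
            # starvation tools send many requests with forged chaddr values
            # from one association so that each one consumes a lease
            return "drop: DHCP chaddr %s does not match station %s" % (chaddr, station)
        if msg_type == "DISCOVER":
            n = self.discovers.get(station, 0) + 1
            self.discovers[station] = n
            if n > self.discover_budget:
                return "drop: DHCP starvation (%d DISCOVERs from %s)" % (n, station)
        return "pass"

    def dhcp_from_server(self, station, msg_type, yiaddr):
        """Learn the IP the server leased to `station` from the DHCPACK."""
        if msg_type == "ACK":
            self.bindings[station] = yiaddr
        return "pass"

    def arp_from_client(self, station, sender_mac, sender_ip):
        """Sender fields of an ARP from a wireless client must match the
        station's own MAC and its leased IP; anything else is treated as
        poisoning (e.g. a gratuitous ARP claiming the gateway's address)."""
        if sender_mac.lower() != station.lower():
            return "drop: ARP sender MAC %s forged by %s" % (sender_mac, station)
        bound = self.bindings.get(station)
        if bound is not None and sender_ip != bound:
            return "drop: ARP sender IP %s not leased to %s" % (sender_ip, station)
        return "pass"


# Constructed sample traffic (not captured data): a well-behaved client,
# then a second client that attempts starvation and ARP poisoning.
SAMPLE = [
    ("dhcp_c", "aa:bb:cc:00:00:01", "DISCOVER", "aa:bb:cc:00:00:01"),
    ("dhcp_s", "aa:bb:cc:00:00:01", "ACK", "10.0.0.50"),
    ("arp",    "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:01", "10.0.0.50"),
    ("dhcp_c", "aa:bb:cc:00:00:02", "DISCOVER", "de:ad:be:ef:00:01"),
    ("dhcp_c", "aa:bb:cc:00:00:02", "DISCOVER", "aa:bb:cc:00:00:02"),
    ("dhcp_c", "aa:bb:cc:00:00:02", "DISCOVER", "aa:bb:cc:00:00:02"),
    ("dhcp_c", "aa:bb:cc:00:00:02", "DISCOVER", "aa:bb:cc:00:00:02"),
    ("dhcp_c", "aa:bb:cc:00:00:02", "DISCOVER", "aa:bb:cc:00:00:02"),
    ("dhcp_s", "aa:bb:cc:00:00:02", "ACK", "10.0.0.51"),
    ("arp",    "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:02", "10.0.0.1"),
]


def run_sample(guard=None):
    """Run SAMPLE through a VapGuard and return the verdict for each frame."""
    if guard is None:
        guard = VapGuard()
    verdicts = []
    for kind, station, a, b in SAMPLE:
        if kind == "dhcp_c":
            verdicts.append(guard.dhcp_from_client(station, a, b))
        elif kind == "dhcp_s":
            verdicts.append(guard.dhcp_from_server(station, a, b))
        else:
            verdicts.append(guard.arp_from_client(station, a, b))
    return verdicts
```

In the sample run the first client passes every check, while the second client's forged-chaddr DISCOVER, its fourth DISCOVER, and its ARP claiming 10.0.0.1 are all dropped with a reason that names the station.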
Suppress all other multicast/broadcast packets (282404)
The SSID broadcast-suppression field in the CLI contains several options for specific multicast and broadcast packet types. Two new options suppress multicast (mc) and broadcast (bc) packets that are not covered by any of the specific options.
config wireless-controller vap
edit "wifi"
append broadcast-suppression all-other-mc all-other-bc
end
A new configurable timer flushes the wireless station presence cache (283218)
The FortiGate generates a log entry only the first time that station-locate detects a mobile client. No log is generated for clients that have been detected before. To log repeat client visits, previous station presence data must be deleted (flushed). The sta-locate-timer can flush this data periodically. The default period is 1800 seconds (30 minutes). The timer can be set to any value between 1 and 86400 seconds (24 hours). A setting of 0 disables the flush, meaning a client is logged only on the very first visit.
The timer is one of the wireless controller timers and it can be set in the CLI. For example:
config wireless-controller timers
set sta-locate-timer 1800
end
The sta-locate-timer should not be set to less than the sta-capability-timer (default 30 minutes) because that could cause duplicate logs to be generated.
Distributed Automatic Radio Resource Provisioning (DARRP) support (283501)
Through DARRP, each FortiAP unit autonomously and periodically determines the channel that is best suited for wireless communications. The distributed ARRP feature allows FortiAP units to select their channel so that they do not interfere with each other in large-scale deployments where multiple access points have overlapping radio ranges. Furthermore, Fortinet's implementation of DARRP simplifies operations by removing dependency on client software or hardware.
By default, DARRP optimization occurs at a fixed interval of 1800 seconds. Optionally, you can now schedule optimization for a fixed time. This lets you confine DARRP activity to a low-traffic period. Setting darrp-optimize to 0 makes darrp-day and darrp-time available. For example, here's how to set DARRP optimization for 3:00am every day:
config wireless-controller timers
set darrp-optimize 0
set darrp-day sunday monday tuesday wednesday thursday friday saturday
set darrp-time 03:00
end
Both darrp-day and darrp-time can accept multiple entries.
The FAP-320C, 320B and 112B second WAN port can be configured as a LAN bridge (261415)
This change makes FortiAP models 320C, 320B and 112B work more like other FortiAP models with LAN ports. The LAN port can be
- bridged to the incoming WAN interface
- bridged to one of the WiFi SSIDs that the FortiAP unit carries
- connected by NAT to the incoming WAN interface
The LAN port is labeled LAN2. The port labeled LAN1 acts as a WAN port connecting the FortiAP to a FortiGate or to FortiCloud. By default, LAN2 is bridged to LAN1. Access to other modes of LAN2 operation must be enabled in the CLI:
config wireless-controller wtp-profile
edit <profile_name>
set wan-port-mode wan-lan
end
By default wan-port-mode is set to wan-only.
When wan-port-mode is set to wan-lan, LAN2 Port options are available in the FortiAP Profile, the same as other FortiAP models with LAN ports, such as 11C and 14C. In the GUI, see the LAN Port settings in Wireless Controller > FortiAP Profiles. In the CLI, use the config lan subcommand of config wireless-controller wtp-profile. LAN Port settings can be overridden on individual FortiAPs.
The WAN port can also be configured on the FortiAP's CLI. See FortiAP CLI for more information.
SSID Groups (264010)
SSID groups have SSIDs as members and can be used just like an individual SSID. To create an SSID group go to WiFi Controller > SSID and select Create New > SSID Group. An SSID can belong to multiple groups.
GUI improvements (205523 278771 278898)
- Managed FortiAP pages now show WTP Mode, either Normal or Remote. WTP Mode is an optional column in the Managed FortiAPs list.
- WIDS Profile is an optional column in the FortiAP Profiles list.
- If a software switch interface contains an SSID (but only one), the WiFi SSID settings are available in the switch interface settings.
CAPWAP Protected Management Frames (PMF) support (244510)
Protected Management Frames protect some types of management frames, such as deauthentication, disassociation and action frames. This feature, now mandatory on Wi-Fi CERTIFIED 802.11ac devices, prevents attackers from sending forged plaintext deauthentication/disassociation frames to disrupt or tear down a connection/association. PMF is a Wi-Fi Alliance specification based on IEEE 802.11w.
PMF is configurable only in the CLI.
config wireless-controller vap
edit <vap_name>
set pmf {disable | enable | optional}
set pmf-assoc-comeback-timeout <integer>
set pmf-sa-query-retry-timeout <integer>
set okc {disable | enable}
next
end
- optional: Enable PMF but also allow clients that do not support PMF.
- pmf-assoc-comeback-timeout: Maximum association comeback time, in seconds, that a client is told to wait before re-associating (1 to 20).
- pmf-sa-query-retry-timeout: SA Query retry interval, in units of 100 ms; an integer from 1 to 5 (100 to 500 ms).
- okc: Enable or disable Opportunistic Key Caching (OKC).
Opportunistic Key Caching Support (244510)
To speed up client roaming, you can enable Opportunistic Key Caching (OKC) on your WiFi network. When a client associates with an AP, its PMK identifier is shared with all other APs on the network. This eliminates the need for an already-authenticated client to repeat the full EAP exchange when it roams to another AP on the same network.
OKC is configurable only in the CLI.
config wireless-controller vap
edit <vap_name>
set okc {disable | enable}
next
end
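What the roaming client actually presents to the new AP is a PMKID derived from the cached PMK and the BSSID it is now talking to. The example below is an added illustration, not Fortinet code: it computes the WPA2 PMKID as IEEE 802.11 defines it (HMAC-SHA1 over "PMK Name", the AP MAC and the station MAC, truncated to 128 bits) and models a controller that, with OKC enabled, recomputes the PMKID for the new AP from the PMK learned at the first AP and skips EAP when it matches. The PMK, MAC addresses and the EAP stand-in are constructed.

```python
import hashlib
import hmac


def pmkid(pmk, ap_mac, sta_mac):
    """PMKID = Truncate-128(HMAC-SHA1(PMK, "PMK Name" || AA || SPA)), the
    WPA2 form from IEEE 802.11 (AKMs using SHA-256 substitute HMAC-SHA-256).
    AA is the AP's BSSID and SPA the station MAC, each 6 bytes."""
    data = b"PMK Name" + ap_mac + sta_mac
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


class Controller:
    """Wireless controller caching the PMK of each authenticated station.
    With okc enabled, a PMK learned at one AP is valid at every AP the
    controller manages, so a station's PMKID for a new BSSID can be
    recomputed without running EAP again."""

    def __init__(self, okc):
        self.okc = okc
        self.pmk_by_sta = {}     # station MAC -> PMK produced by EAP
        self.eap_runs = 0

    def full_eap(self, sta_mac, pmk):
        # stand-in for the 802.1X/EAP exchange that yields `pmk`
        self.eap_runs += 1
        self.pmk_by_sta[sta_mac] = pmk

    def reassociate(self, ap_mac, sta_mac, presented_pmkid, pmk_if_eap):
        """Handle an (re)association at `ap_mac` carrying the station's PMKID.
        Returns 'fast-roam' when the cached PMK is reused (only the 4-way
        handshake follows) or 'full-eap' when EAP has to run again."""
        pmk = self.pmk_by_sta.get(sta_mac)
        if self.okc and pmk is not None and \
                hmac.compare_digest(pmkid(pmk, ap_mac, sta_mac), presented_pmkid):
            return "fast-roam"
        self.full_eap(sta_mac, pmk_if_eap)
        return "full-eap"


def roam_demo(okc):
    """Constructed walk-through: a station joins at AP1, then roams to AP2.
    Returns (result at AP2, total EAP exchanges)."""
    pmk = hashlib.sha256(b"constructed example PMK").digest()   # 32-byte PMK
    ap1 = bytes.fromhex("00112233aa01")
    ap2 = bytes.fromhex("00112233aa02")
    sta = bytes.fromhex("02aabbccdd01")
    ctrl = Controller(okc)
    ctrl.reassociate(ap1, sta, pmkid(pmk, ap1, sta), pmk)   # first join: EAP runs
    result = ctrl.reassociate(ap2, sta, pmkid(pmk, ap2, sta), pmk)
    return result, ctrl.eap_runs
```

roam_demo(True) returns ("fast-roam", 1): one EAP exchange at AP1 and none at AP2. roam_demo(False) returns ("full-eap", 2), because without OKC the PMKID computed for AP2's BSSID is not accepted from the cache.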
FortiPresence push REST API (273954)
When the FortiGate is located on a private IP network, the FortiPresence server cannot poll the FortiGate for information. Instead, the FortiGate must be configured to push the information to the FortiPresence server.
The configuration parameters are:
- fortipresence-server: FortiPresence server IP address
- fortipresence-port: FortiPresence server UDP listening port (the default is 3000)
- fortipresence-secret: FortiPresence secret password (8 characters maximum)
- fortipresence-project: FortiPresence project name (16 characters maximum)
- fortipresence-frequency: FortiPresence report transmit frequency (range 5 to 65535 seconds, default 30)
- fortipresence-rogue: Enable/disable FortiPresence reporting of rogue APs
- fortipresence-unassoc: Enable/disable FortiPresence reporting of unassociated devices
For example,
config wireless-controller wtp-profile
edit "FP223B-GuestWiFi"
config lbs
set fortipresence enable
set fortipresence-server 10.10.0.1
set fortipresence-port 3000
set fortipresence-secret "hardtoguess"
set fortipresence-project fortipresence
set fortipresence-frequency 30
set fortipresence-rogue disable
set fortipresence-unassoc disable
end
More detailed information will be provided in FortiPresence documentation.
GUI support for WiFi SSID schedules (276425 269695 269668)
WiFi SSIDs include a schedule that determines when the WiFi network is available. The default schedule is Always. You can choose any schedule (but not schedule group) that is defined in Policy & Objects > Objects > Schedules.
CLI Syntax
config wireless-controller vap
edit vap-name
set schedule always
end
The WiFi SSID list includes a Schedule column.
SSID Groups
An SSID Group has SSIDs as members and can be specified in any field that accepts an SSID.
To create an SSID Group in the GUI, go to WiFi Controller > SSID and select Create New > SSID Group. Give the group a Name and choose Members (SSIDs, but not SSID Groups).
To create an SSID Group in the CLI:
config wireless-controller vap-group
edit vap-group-name
set vaps "ssid1" "ssid2"
end
RADIUS Change of Authorization (CoA) support
The CoA feature enables the FortiGate to receive a client disconnect message from the RADIUS server. This is used to disconnect clients when their time, credit or bandwidth has been used up. Enable it in the FortiGate's RADIUS server definition using the CLI:
config user radius
edit <server_name>
set radius-coa enable
end
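Accepting disconnect messages means the FortiGate is now acting on unsolicited packets from the network, so it matters that each Disconnect-Request is authenticated with the shared secret before a session is torn down; otherwise anyone who can reach the CoA port could knock clients off the SSID. The following is an added example (not FortiOS code) of both sides of that exchange as RFC 5176 defines it: the server builds a Disconnect-Request whose Request Authenticator is MD5 over the header, 16 zero octets, the attributes and the secret, and the NAS recomputes it, discarding packets that fail, before answering with a Disconnect-ACK or Disconnect-NAK. The secret, session table and attribute values are constructed.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes and a few attribute types that identify a session
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 31, 44
HEADER = struct.Struct("!BBH")      # Code, Identifier, Length


def encode_attrs(attrs):
    """Encode (type, value bytes) pairs as RADIUS TLVs; length covers the header."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_disconnect_request(secret, identifier, attrs):
    """Server side.  RFC 5176 section 3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    body = encode_attrs(attrs)
    header = HEADER.pack(DISCONNECT_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_disconnect_request(secret, packet):
    """NAS side: recompute the authenticator with the local copy of the
    shared secret and compare in constant time.  A packet that fails this
    check must be silently discarded, never acted on or NAKed."""
    if len(packet) < 20:
        return False
    code, _ident, length = HEADER.unpack(packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(packet):
    """Return {type: value} for the attributes of an already verified packet."""
    attrs, i = {}, 20
    while i + 2 <= len(packet):
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs


def disconnect_session(secret, packet, active_sessions):
    """NAS handling of one received packet.  active_sessions maps
    Acct-Session-Id -> Calling-Station-Id of the client to drop.
    Returns ('discard', None), ('nak', None) or ('ack', station MAC)."""
    if not verify_disconnect_request(secret, packet):
        return "discard", None               # forged, corrupted, or wrong secret
    attrs = parse_attrs(packet)
    session_id = attrs.get(ACCT_SESSION_ID, b"").decode(errors="replace")
    if session_id not in active_sessions:
        return "nak", None                   # nothing matching to disconnect
    station = active_sessions.pop(session_id)
    return "ack", station
```

A request built with the right secret is acknowledged and removes the session; the same bytes verified against a different secret, or with a single byte of the attributes flipped, are discarded without any reply. RFC 5176 also recommends a Message-Authenticator attribute (HMAC-MD5 with the secret) on CoA packets; it is not modelled here.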
CAPWAP offloading to NPU
On FortiGates with the NP6 processor, offloading of CAPWAP traffic to the NP6 is enabled by default.
Administrative access to managed FortiAPs
By default, telnet access to a FortiAP unit's internal configuration is disabled when the FortiAP is managed (has been authorized) by a FortiGate. You can enable administrative access in the FortiAP profile, like this:
config wireless-controller wtp-profile
edit FAP321C-default
set allowaccess telnet
end
The allowaccess field also accepts http to allow HTTP administrative access.
The FortiAP Profile allowaccess settings can be overridden at the individual FortiAP:
config wireless-controller wtp
edit FP321CX14004706
set override-allowaccess enable
set allowaccess telnet http
end
Improved monitoring
The WiFi Client Monitor under Monitor displays top wireless user network usage and information that includes Device, Source IP, Source SSID, and Access Point. Disk logging must be enabled.
Wifi Clients and Failed Authentication views under FortiView are historical views.