WiFi

This chapter describes new WiFi features added to FortiOS 5.4.

Conflicting local-standalone and local-bridging VAP CLI resolved (256450)

  • Disabling local-bridging now forcefully disables local-standalone. Also, disabling either local-bridging or local-standalone now forcefully disables intra-vap-privacy.
  • Enabling intra-vap-privacy now forcefully disables local-standalone.
  • Local-bridging will be forcefully enabled when local-standalone is also enabled.

Support fast-roaming for mesh backhaul link (274007 293321)

Added the basic functionality required for a leaf FortiAP to roam quickly enough from one root FortiAP to another when signal conditions change. The feature allows the administrator to tune fast roaming for most mobility scenarios. The leaf FAP is used as a wireless bridge, passing traffic from its Ethernet port to the wireless mesh link.

  • Includes a background scan while the leaf AP is connected to the root AP (mesh uplink established)
  • The leaf AP schedules the background scan using its local interfaces (wbh0/1)
  • Scan parameters are configured in the AP
  • Every 10 minutes, the WTP daemon reviews the list of available root APs. If a better root AP is found, the WTP daemon triggers mesh roaming.

For full leaf AP scan mesh CLI variables, see Mesh variables.

Captive portal authentication to support roaming (284202 306681)

Client devices will maintain captive portal authentication as they roam across different APs. By maintaining a consistent authentication, a client can ensure uninterrupted access to latency sensitive applications such as VoIP.

Cloud pushes a random per-APNetwork encrypt key to the AP. The encrypt key is 32 bytes long and is used in captive portal fast roaming. All APs of an APNetwork use the same encrypt key. The key is randomly generated and is updated daily.

Link aggregation supports CAPWAP to improve WiFi performance (305156)

Link aggregation is used to combine multiple network connections in parallel in order to increase throughput beyond what a single connection could sustain.

  • FortiAP 320B and 320C models are supported.
  • FortiAP 112B and 112D models cannot support link aggregation.
  • NPI FAP-S3xxCR and "wave2" FAP/FAP-S models will get the link aggregation feature through synchronization with the regular FortiAP trunk build.

Link aggregation can be set in the FortiAP's CLI. See FortiAP CLI for more information.

Blocking management access via non-management interface (307813)

Previously, FortiAP accepted Telnet and HTTP connections on any virtual interface that had an IP address. For security reasons, Telnet and HTTP access is now limited to br0, or to br.vlan for AP_MGMT_VLAN_ID.

Support HTTPS and SSH administrative access for FortiAPs (355122)

FortiAP now supports HTTPS and SSH administrative access, as well as HTTP and Telnet.

CLI additions have been made under wtp-profile and wtp.

Syntax

config wireless-controller wtp-profile
  edit {profile}
    set allowaccess [telnet | http | https | ssh]
  end

config wireless-controller wtp
  edit 1
    set override-allowaccess [enable | disable]
    set allowaccess [telnet | http | https | ssh]
  end

Support to Disable PowerSave Feature (355273)

Added transmit-optimize under wireless-controller wtp-profile > radio to manually configure transmit optimization.

Syntax

config wireless-controller wtp-profile
  edit {profile}
    config {radio}
      set transmit-optimize [disable | power-save | aggr-limit | retry-limit | send-bar]
    end
  end

  • disable: Disable transmit optimization.
  • power-save: Mark a client as being in power save mode if excessive transmit retries occur.
  • aggr-limit: Set the aggregation limit to a lower value when the data rate is low.
  • retry-limit: Set the software retry limit to a lower value when the data rate is low.
  • send-bar: Do not send BAR (Block Ack Request) frames too often.

ARP not resolved for IPADs (364516)

Added the arp-proxy option under config wireless-controller vap > set broadcast-suppression to configure the VAP to reply to ARP requests for wireless clients as a proxy.

Option to block intra-SSID traffic in Bridge mode for client connected to same FortiAP (365128)

A FortiAP in Bridge mode can now block traffic to clients associated with the same FortiAP. This is useful in hotspot deployments managed by a central FortiGate, and would also be useful in cloud deployments. Until now, this was only supported in Tunnel mode.

Run FortiAP shell command through CAPWAP control tunnel (365609)

Very often, a FortiAP in the field is behind a NAT device, and access to the FortiAP through Telnet or SSH is not available. As a troubleshooting enhancement, this feature allows an AP shell command of up to 127 bytes to be sent to the FAP; the FAP runs the command and returns the results to the controller through the CAPWAP tunnel.

The maximum output from a command is limited to 4M; the default output size is 32K.

The FortiAP will only report running results to the controller after the command is finished. If a new command is sent to the AP before the previous command is finished, the previous command will be canceled.

Syntax

diag w-c wlac wtpcmd wtp_ip wtp_port cmd [cmd-to-ap]

cmd: run, show, showhex, clr, r&s, r&sh

  • cmd-to-ap: any shell command; the AP does not report results until the command has finished on the AP
  • run: the controller sends the ap-cmd to the FAP to run
  • show: show the current results reported by the AP in text
  • showhex: show the current results reported by the AP in hex
  • clr: clear the reported results
  • r&s: run/show
  • r&sh: run/showhex

New Certificate Bundle 20160525 is available (373743)

A new WiFi certificate bundle is available, issued by Entrust. The chain is: wifi_cert > Entrust_L1K > Entrust_G2 > Entrust_Root.

Per Entrust's request, the unpopular G2 root is removed from the CA bundle.

Automatic all-SSID selection in FortiAP Profile (219347)

The SSID field in FortiAP Profiles now includes the option Automatically assign Tunnel-mode SSIDs. This eliminates the need to re-edit the profile when new SSIDs are created. You can still select SSIDs individually using the Select SSIDs option.

Automatic assignment of SSIDs is not available for FortiAPs in Local Bridge mode. The option is hidden on both the Managed FortiAP settings and the FortiAP Profile assigned to that AP.

Improved override of FortiAP settings (219347 264010 264897)

The configuration settings of a FortiAP in WiFi Controller > Managed FortiAPs can override selected settings in the FortiAP Profile:

  • Band and/or Channel
  • Transmitter Power
  • SSIDs
  • LAN Port mode

Note that a Band override also overrides Channel selections.

In the CLI, you can also override FortiAP LED state, WAN port mode, IP Fragmentation prevention method, spectrum analysis, and split tunneling settings.

Spectrum Analysis removed from FortiAP Profile GUI

Spectrum Analysis is no longer available in FortiAP Profiles in the GUI. It can be enabled in the CLI if needed.

Disable low data rates in 802.11a, g, n ac (297821)

To reduce air-time usage on your WiFi network, you can disable the use of low data rates which cause communications to consume more air time.

The 802.11 a, b, and g protocols are specified by data rate. 802.11a can support 6, 9, 12, 18, 24, 36, 48, and 54 Mb/s. 802.11b/g can support 1, 2, 5.5, 6, 9, 12, 18, 24, 36, 48, and 54 Mb/s. Basic rates are specified with the suffix "basic", for example "12-basic". The capabilities of the expected client devices need to be considered when deciding the lowest basic rate.

The 802.11n and ac protocols are specified by MCS (Modulation and Coding Scheme) index and the number of spatial streams.

  • 802.11n with 1 or 2 spatial streams can support mcs0/1, mcs1/1, mcs2/1, mcs3/1, mcs4/1, mcs5/1, mcs6/1, mcs7/1, mcs8/2, mcs9/2, mcs10/2, mcs11/2, mcs12/2, mcs13/2, mcs14/2, mcs15/2.
  • 802.11n with 3 or 4 spatial streams can support mcs16/3, mcs17/3, mcs18/3, mcs19/3, mcs20/3, mcs21/3, mcs22/3, mcs23/3, mcs24/4, mcs25/4, mcs26/4, mcs27/4, mcs28/4, mcs29/4, mcs30/4, mcs31/4.
  • 802.11ac with 1 or 2 spatial streams can support mcs0/1, mcs1/1, mcs2/1, mcs3/1, mcs4/1, mcs5/1, mcs6/1, mcs7/1, mcs8/1, mcs9/1, mcs0/2, mcs1/2, mcs2/2, mcs3/2, mcs4/2, mcs5/2, mcs6/2, mcs7/2, mcs8/2, mcs9/2.
  • 802.11ac with 3 or 4 spatial streams can support mcs0/3, mcs1/3, mcs2/3, mcs3/3, mcs4/3, mcs5/3, mcs6/3, mcs7/3, mcs8/3, mcs9/3, mcs0/4, mcs1/4, mcs2/4, mcs3/4, mcs4/4, mcs5/4, mcs6/4, mcs7/4, mcs8/4, mcs9/4.

Here are some examples of setting basic and supported rates.

config wireless-controller vap
  edit <vap_name>
    set rates-11a 12-basic 18 24 36 48 54
    set rates-11bg 12-basic 18 24 36 48 54
    set rates-11n-ss34 mcs16/3 mcs18/3 mcs20/3 mcs21/3 mcs22/3 mcs23/3 mcs24/4 mcs25/4
    set rates-11ac-ss34 mcs0/3 mcs1/3 mcs2/3 mcs9/4 mcs9/3
  end

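A small validator for the rates-* value lists just described, as an added example (Python, not FortiOS code). The permitted values are the tables given in the text above; the rates-11n-ss12 and rates-11ac-ss12 field names are the FortiOS keywords for the 1- and 2-spatial-stream lists (not shown on this page), and the rule that a legacy band must keep at least one basic rate is an assumption.

```python
"""Validator for the FortiOS vap rates-* value lists described above.

Added example, not FortiOS code. The permitted values are the tables given in
the text; the rates-11n-ss12 and rates-11ac-ss12 field names are the FortiOS
keywords for the 1- and 2-spatial-stream lists (not shown on this page), and
the rule that a legacy band must keep at least one basic rate is an assumption.
"""
from typing import Dict, List

ALLOWED: Dict[str, set] = {
    "rates-11a": {"6", "9", "12", "18", "24", "36", "48", "54"},
    "rates-11bg": {"1", "2", "5.5", "6", "9", "12", "18", "24", "36", "48", "54"},
    "rates-11n-ss12": {f"mcs{i}/1" for i in range(8)} | {f"mcs{i}/2" for i in range(8, 16)},
    "rates-11n-ss34": {f"mcs{i}/3" for i in range(16, 24)} | {f"mcs{i}/4" for i in range(24, 32)},
    "rates-11ac-ss12": {f"mcs{i}/{ss}" for ss in (1, 2) for i in range(10)},
    "rates-11ac-ss34": {f"mcs{i}/{ss}" for ss in (3, 4) for i in range(10)},
}
LEGACY = {"rates-11a", "rates-11bg"}   # bands whose rates are plain Mb/s values


def parse_rates(line: str) -> dict:
    """Parse one 'set rates-... <value> ...' CLI line into basic/supported lists."""
    parts = line.split()
    if len(parts) < 3 or parts[0] != "set" or parts[1] not in ALLOWED:
        raise ValueError(f"not a rates line: {line!r}")
    field = parts[1]
    basic: List[str] = []
    supported: List[str] = []
    errors: List[str] = []
    for tok in parts[2:]:
        # "12-basic" marks a basic rate; anything else is a supported rate
        rate, is_basic = (tok[:-6], True) if tok.endswith("-basic") else (tok, False)
        if rate not in ALLOWED[field]:
            errors.append(f"{tok}: not a valid {field} value")
        elif is_basic:
            basic.append(rate)
        else:
            supported.append(rate)
    if field in LEGACY and not basic:
        # assumption: a client must support at least one basic rate to associate,
        # so a legacy band needs one configured
        errors.append("no basic rate configured")
    lowest_basic = min((float(r) for r in basic), default=None) if field in LEGACY else None
    return {"field": field, "basic": basic, "supported": supported,
            "lowest_basic": lowest_basic, "errors": errors}


def check_config(lines: List[str]) -> Dict[str, List[str]]:
    """Return {field: errors} for every rates line in a config fragment; other lines are skipped."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "set" and parts[1] in ALLOWED:
            result = parse_rates(line)
            report[result["field"]] = result["errors"]
    return report


# Constructed config fragment: the page's example plus one deliberately wrong line
SAMPLE_CONFIG = [
    "config wireless-controller vap",
    "edit guest-wifi",
    "set rates-11a 12-basic 18 24 36 48 54",
    "set rates-11bg 12-basic 18 24 36 48 54",
    "set rates-11n-ss34 mcs16/3 mcs18/3 mcs20/3 mcs21/3 mcs22/3 mcs23/3 mcs24/4 mcs25/4",
    "set rates-11ac-ss34 mcs0/3 mcs1/3 mcs2/3 mcs9/4 mcs9/3",
    "set rates-11ac-ss12 mcs0/1 mcs10/1",      # mcs10 does not exist for 802.11ac
    "end",
]
```

Running check_config over SAMPLE_CONFIG reports no errors for the page's own lines and flags mcs10/1 on the constructed one; parse_rates also reports the lowest basic rate so the "lowest basic rate" decision in the text can be checked against the client population.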
WiFi and Switch controllers are enabled separately (275860)

In the Feature Store (System > Features), the WiFi Controller and Switch Controller are now separate. However, the Switch Controller must be enabled in order for the WiFi Controller to be visible.

In the CLI, the settings that enable the WiFi and Switch controllers have been separated:

config system global
  set wireless-controller enable
  set switch-controller enable
end

The settings that enable the GUI display for those controllers have also been separated:

config system settings
  set gui-wireless-controller enable
  set gui-switch-controller enable
end

Add Support of LLDP protocol on FortiAP to send switch and port information (283107)

You can enable LLDP protocol in the FortiAP Profile. Each FortiAP using that profile can then send back information about the switch and port that it is connected to. This information is visible in the optional LLDP column of the Managed FortiAP list. To enable LLDP:

config wireless-controller wtp-profile
  edit <profile-name>
    set lldp enable
  end

WTP groups (278462)

You can define FortiAP Groups. Each group can contain FortiAPs of a single platform (model). These groups can be used in VLAN-pooling to assign APs to particular VLANs. Create a FortiAP Group in the CLI like this:

config wireless-controller wtp-group
  edit 1
    set platform-type 320C
    config wtp-list
      edit FP320C3X14010828
      next
      edit FP320C3X14010830
      end
  end

The platform-type field is optional. If it is left empty, the group can contain FortiAPs of any model.

VLAN-pooling (278462)

In an SSID, you can define a VLAN pool. As clients associate to an AP, they are assigned to a VLAN. A VLAN pool can

  • assign a specific VLAN based on the AP's FortiAP Group, usually for network configuration reasons, or
  • assign one of several available VLANs for network load balancing purposes (tunnel mode SSIDs only).

Assignment by FortiAP Group

In this example, VLAN 101, 102, or 103 is assigned depending on the AP's FortiAP Group.

config wireless-controller vap
  edit wlan
    set vlan-pooling wtp-group
    config vlan-pool
      edit 101
        set wtp-group wtpgrp1
      next
      edit 102
        set wtp-group wtpgrp2
      next
      edit 103
        set wtp-group wtpgrp3
      end
  end

Load Balancing

The vlan-pooling type can be either of these:

  • round-robin - from the VLAN pool, choose the VLAN with the smallest number of clients
  • hash - choose a VLAN from the VLAN pool based on a hash of the current number of SSID clients and the number of entries in the VLAN pool

If the VLAN pool contains no valid VLAN ID, the SSID's static VLAN ID setting is used.

In this example, VLAN 101, 102, or 103 is assigned using the round-robin method:

config wireless-controller vap
  edit wlan
    set vlan-pooling round-robin
    config vlan-pool
      edit 101
      next
      edit 102
      next
      edit 103
      end
  end

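The three assignment rules above (FortiAP Group, round-robin, hash) together with the static-VLAN fallback, as an added example (Python, not FortiOS code). The controller's selection code is not published, so the round-robin tie-break, the plain modulo standing in for the hash, and the rule that a reassociating client keeps its VLAN are assumptions.

```python
"""VLAN-pool selection as described for vlan-pooling: by FortiAP Group,
round-robin (fewest clients) or hash, with the SSID's static VLAN as fallback.

Added example, not FortiOS code. The controller's selection code is not
published: the round-robin tie-break, the modulo used as the hash and the rule
that a reassociating client keeps its VLAN are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class VlanPool:
    static_vlan: int                     # the SSID's own static VLAN ID (fallback)
    mode: str                            # "wtp-group", "round-robin" or "hash"
    entries: List[int] = field(default_factory=list)        # vlan-pool entry IDs
    group_map: Dict[int, str] = field(default_factory=dict)  # VLAN ID -> wtp-group name
    clients: Dict[str, int] = field(default_factory=dict)    # client MAC -> assigned VLAN

    def _valid_entries(self) -> List[int]:
        # 802.1Q VLAN IDs run from 1 to 4094; anything else is not a valid pool member
        return [v for v in self.entries if 1 <= v <= 4094]

    def _client_count(self, vlan: int) -> int:
        return sum(1 for v in self.clients.values() if v == vlan)

    def assign(self, mac: str, wtp_group: Optional[str] = None) -> int:
        """Assign a VLAN to an associating client and return it."""
        if mac in self.clients:
            return self.clients[mac]     # assumption: reassociation keeps the VLAN
        pool = self._valid_entries()
        if not pool:
            vlan = self.static_vlan      # no valid VLAN ID in the pool: static VLAN ID
        elif self.mode == "wtp-group":
            matches = [v for v in pool if self.group_map.get(v) == wtp_group]
            vlan = matches[0] if matches else self.static_vlan
        elif self.mode == "round-robin":
            # the pool VLAN with the fewest clients; lowest ID breaks ties (assumption)
            vlan = min(pool, key=lambda v: (self._client_count(v), v))
        elif self.mode == "hash":
            # hash of the current SSID client count against the pool size;
            # plain modulo stands in for the real hash (assumption)
            vlan = pool[len(self.clients) % len(pool)]
        else:
            raise ValueError(f"unknown vlan-pooling mode {self.mode!r}")
        self.clients[mac] = vlan
        return vlan

    def release(self, mac: str) -> None:
        """Client disassociated: free its slot so later assignments rebalance."""
        self.clients.pop(mac, None)


def demo_round_robin() -> List[int]:
    pool = VlanPool(static_vlan=1, mode="round-robin", entries=[101, 102, 103])
    return [pool.assign(f"00:11:22:33:44:{i:02x}") for i in range(5)]


def demo_hash() -> List[int]:
    pool = VlanPool(static_vlan=1, mode="hash", entries=[101, 102, 103])
    return [pool.assign(f"00:11:22:33:55:{i:02x}") for i in range(4)]


def demo_wtp_group() -> List[int]:
    pool = VlanPool(static_vlan=1, mode="wtp-group", entries=[101, 102, 103],
                    group_map={101: "wtpgrp1", 102: "wtpgrp2", 103: "wtpgrp3"})
    return [pool.assign("aa:aa:aa:aa:aa:01", "wtpgrp2"),
            pool.assign("aa:aa:aa:aa:aa:02", "wtpgrp3"),
            pool.assign("aa:aa:aa:aa:aa:03", "no-such-group")]


def demo_empty_pool() -> int:
    # entries 0 and 5000 are outside 1..4094, so the pool has no valid VLAN ID
    return VlanPool(static_vlan=50, mode="hash", entries=[0, 5000]).assign("bb:bb:bb:bb:bb:01")
```

The demo functions reproduce the two configurations shown above (wtpgrp1..3 and the 101/102/103 round-robin pool) and the fallback case where the pool holds no valid VLAN ID.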
Option to disable automatic registration of unknown FortiAPs (272368)

By default, FortiGate adds newly discovered FortiAPs to the Managed FortiAPs list, awaiting the administrator's authorization. Optionally, you can disable this automatic registration function. A FortiAP will be registered and listed only if its serial number has already been added manually to the Managed FortiAPs list. AP registration is configured on each interface. Disable automatic registration in the CLI like this:

config system interface
  edit port15
    set ap-discover disable
  end

Automatic authorization of extension devices

To simplify adding FortiAP or FortiSwitch devices to your network, you can enable automatic authorization of devices as they are connected, instead of authorizing each one individually. This feature is available only on network interfaces designated as Dedicated to Extension Device.

To enable automatic authorization on all dedicated interfaces

config system global
  set auto-auth-extension-device enable
end

To enable automatic authorization per-interface

config system interface
  edit port15
    set auto-auth-extension-device enable
  end

In the GUI, the Automatically authorize devices option is available when Addressing Mode is set to Dedicated to Extension Device.

Control WIDS client deauthentication rate for DoS attack (285674 278771)

As part of mitigating a Denial of Service (DoS) attack, the FortiGate sends deauthentication packets to unknown clients. In an aggressive attack, this deauthentication activity can prevent the processing of packets from valid clients. A new WIDS Profile option in the CLI limits the deauthentication rate.

config wireless-controller wids-profile
  edit default
    set deauth-unknown-src-thresh 10
  end

The range is 1 to 65,535 deauthentications per second. 0 means no limit. The default is 10.

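What the threshold buys you, as an added example (Python, not FortiOS code): a per-second limiter that skips rather than queues excess deauthentication frames, so a flood of unknown sources cannot monopolize the radio. The sliding one-second window is an assumption about how the threshold is enforced; the frame timestamps are constructed.

```python
"""Per-second limit on deauthentication frames sent to unknown sources, as
deauth-unknown-src-thresh describes: N per second, 0 = unlimited.

Added example, not FortiOS code; the sliding one-second window is an assumption
about how the threshold is enforced.
"""
from collections import deque
from typing import Deque, Dict, List, Tuple


class DeauthRateLimiter:
    def __init__(self, thresh: int):
        if not 0 <= thresh <= 65535:
            raise ValueError("deauth-unknown-src-thresh must be 0..65535")
        self.thresh = thresh
        self.sent: Deque[float] = deque()   # timestamps of deauths sent in the last second
        self.suppressed = 0

    def allow(self, now: float) -> bool:
        """True if a deauth may be sent at time `now`, False if it must be skipped."""
        if self.thresh == 0:
            return True                      # 0 means no limit
        while self.sent and now - self.sent[0] >= 1.0:
            self.sent.popleft()
        if len(self.sent) >= self.thresh:
            self.suppressed += 1             # skipped, not queued, so the flood cannot
            return False                     # starve processing of real client traffic
        self.sent.append(now)
        return True


def process_unknown_clients(frames: List[Tuple[float, str]], thresh: int) -> Dict[str, int]:
    """Run a limiter over (timestamp, source MAC) frames from unknown clients."""
    limiter = DeauthRateLimiter(thresh)
    sent = 0
    for ts, _mac in frames:
        if limiter.allow(ts):
            sent += 1
    return {"deauth_sent": sent, "deauth_suppressed": limiter.suppressed}


# Constructed sample: a burst of 25 frames from 25 spoofed sources within half a
# second, followed by three isolated frames at 1.5, 2.5 and 3.5 seconds.
SAMPLE: List[Tuple[float, str]] = (
    [(i * 0.02, f"02:00:00:00:00:{i:02x}") for i in range(25)]
    + [(1.5, "02:00:00:00:01:00"), (2.5, "02:00:00:00:01:01"), (3.5, "02:00:00:00:01:02")]
)
```

With the default threshold of 10, the burst produces 10 deauthentications and 15 suppressed frames, while the three later frames are all answered; with 0 every frame is answered.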
Prevent DHCP starvation (285521)

The SSID broadcast-suppression settings in the CLI now include an option to prevent clients from depleting the DHCP address pool by making multiple requests. Add this option as follows:

config wireless-controller vap
  edit "wifi"
    append broadcast-suppression dhcp-starvation
  end


Prevent ARP Poisoning (285674)

The SSID broadcast-suppression settings in the CLI now include an option to prevent clients from spoofing ARP messages. Add this option as follows:

config wireless-controller vap
  edit "wifi"
    append broadcast-suppression arp-poison
  end

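The kind of per-client check that the dhcp-starvation and arp-poison options above perform, run over constructed sample events, as an added example (Python, not FortiOS code). The request window, the threshold and the exact matching rules (DHCP chaddr must equal the wireless source MAC; an ARP sender MAC must equal the source MAC and must not claim the gateway's address) are assumptions about what such checks look like.

```python
"""Per-client sanity checks of the kind the dhcp-starvation and arp-poison
broadcast-suppression options perform, run over constructed sample events.

Added example, not FortiOS code; the rate window, the threshold and the exact
matching rules are assumptions about what such checks look like.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

DHCP_WINDOW = 10.0          # seconds (assumption)
DHCP_MAX_PER_WINDOW = 5     # requests per client per window (assumption)
GATEWAY_IP = "10.0.0.1"     # constructed

# Constructed events: (timestamp, 802.11 source MAC, kind, payload)
#   "dhcp": payload is the chaddr field of the DHCP request
#   "arp":  payload is (sender MAC, sender IP) from the ARP body
EVENTS: List[Tuple[float, str, str, object]] = [
    (0.0, "aa:aa:aa:aa:aa:01", "dhcp", "aa:aa:aa:aa:aa:01"),
    (0.1, "aa:aa:aa:aa:aa:01", "arp", ("aa:aa:aa:aa:aa:01", "10.0.0.21")),
    # one station sending DHCP DISCOVERs with a different chaddr each time
    *[(1.0 + i * 0.01, "bb:bb:bb:bb:bb:02", "dhcp", f"de:ad:be:ef:00:{i:02x}") for i in range(8)],
    # one station re-requesting with its own MAC far faster than a normal client
    *[(3.0 + i * 0.1, "dd:dd:dd:dd:dd:04", "dhcp", "dd:dd:dd:dd:dd:04") for i in range(7)],
    # ARP reply whose sender MAC is not the station's own address
    (5.0, "cc:cc:cc:cc:cc:03", "arp", ("aa:aa:aa:aa:aa:01", "10.0.0.21")),
    # ARP reply in which a station claims the gateway's IP
    (5.1, "cc:cc:cc:cc:cc:03", "arp", ("cc:cc:cc:cc:cc:03", GATEWAY_IP)),
]


def inspect(events, gateway_ip: str = GATEWAY_IP) -> List[Tuple[float, str, str, str]]:
    """Return (timestamp, MAC, option, reason) for every event that would be dropped."""
    dhcp_times: Dict[str, List[float]] = defaultdict(list)
    dropped = []
    for ts, src, kind, payload in events:
        if kind == "dhcp":
            if payload != src:
                # chaddr must be the wireless source MAC; a spoofed chaddr is how one
                # station can lease every address in the pool
                dropped.append((ts, src, "dhcp-starvation", "chaddr mismatch"))
                continue
            recent = [t for t in dhcp_times[src] if ts - t <= DHCP_WINDOW] + [ts]
            dhcp_times[src] = recent
            if len(recent) > DHCP_MAX_PER_WINDOW:
                dropped.append((ts, src, "dhcp-starvation", "request rate"))
        elif kind == "arp":
            sender_mac, sender_ip = payload
            if sender_mac != src:
                dropped.append((ts, src, "arp-poison", "sender MAC mismatch"))
            elif sender_ip == gateway_ip:
                dropped.append((ts, src, "arp-poison", "station claims gateway IP"))
    return dropped


def summarize(dropped) -> Dict[str, int]:
    """Count dropped events per broadcast-suppression option."""
    return dict(Counter(option for _, _, option, _ in dropped))
```

Over EVENTS the well-behaved first station passes untouched, the chaddr-spoofing and over-eager DHCP stations account for the dhcp-starvation drops, and both forged ARP replies are caught by the arp-poison rules.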

Suppress all other multicast/broadcast packets (282404)

The SSID broadcast-suppression field in the CLI contains several options for specific multicast and broadcast packet types. Two new options suppress multicast (mc) and broadcast (bc) packets that are not covered by any of the specific options.

config wireless-controller vap
  edit "wifi"
    append broadcast-suppression all-other-mc all-other-bc
  end

A new configurable timer flushes the wireless station presence cache (283218)

The FortiGate generates a log entry only the first time that station-locate detects a mobile client. No log is generated for clients that have been detected before. To log repeat client visits, previous station presence data must be deleted (flushed). The sta-locate-timer can flush this data periodically. The default period is 1800 seconds (30 minutes). The timer can be set to any value between 1 and 86400 seconds (24 hours). A setting of 0 disables the flush, meaning a client is logged only on the very first visit.

The timer is one of the wireless controller timers and it can be set in the CLI. For example:

config wireless-controller timers
  set sta-locate-timer 1800
end

The sta-locate-timer should not be set to less than the sta-capability-timer (default 30 minutes) because that could cause duplicate logs to be generated.

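The logging rule and the periodic flush described above, as an added example (Python, not FortiOS code): a client is logged the first time it is detected, and the presence data is cleared every sta-locate-timer seconds so that a returning client is logged again (0 disables the flush). The cache layout and the detection timestamps are constructed assumptions.

```python
"""Station-presence log with a periodic flush, modelling sta-locate-timer.

Added example, not FortiOS code. The page gives only the rules that a client is
logged the first time it is detected and that presence data is flushed every
sta-locate-timer seconds (0 = never); the cache layout is an assumption.
"""
from typing import List, Set, Tuple


class PresenceLogger:
    def __init__(self, sta_locate_timer: int):
        if not (sta_locate_timer == 0 or 1 <= sta_locate_timer <= 86400):
            raise ValueError("sta-locate-timer must be 0 or 1..86400 seconds")
        self.flush_every = sta_locate_timer
        self.seen: Set[str] = set()                # stations detected since the last flush
        self.last_flush = 0.0
        self.log: List[Tuple[float, str]] = []     # (timestamp, MAC) log entries generated

    def detect(self, ts: float, mac: str) -> bool:
        """Record a station-locate detection; return True if a log entry is generated."""
        if self.flush_every and ts - self.last_flush >= self.flush_every:
            # flush: forget everyone, so a returning client is logged again
            self.seen.clear()
            self.last_flush += self.flush_every * ((ts - self.last_flush) // self.flush_every)
        if mac in self.seen:
            return False
        self.seen.add(mac)
        self.log.append((ts, mac))
        return True


def run(detections: List[Tuple[float, str]], sta_locate_timer: int) -> List[bool]:
    """Replay detections through one logger and return which ones produced a log entry."""
    logger = PresenceLogger(sta_locate_timer)
    return [logger.detect(ts, mac) for ts, mac in detections]


# Constructed: one station detected every 20 minutes over two hours
VISITS: List[Tuple[float, str]] = [(minute * 60.0, "aa:bb:cc:dd:ee:01")
                                   for minute in (0, 20, 40, 60, 80, 100, 120)]
```

With the default 1800 seconds the station is logged at its first visit and again after each 30-minute flush boundary; with 0 it is logged once only.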
Distributed Automatic Radio Resource Provisioning (DARRP) support (283501)

Through DARRP, each FortiAP unit autonomously and periodically determines the channel that is best suited for wireless communications. The distributed ARRP feature allows FortiAP units to select their channel so that they do not interfere with each other in large-scale deployments where multiple access points have overlapping radio ranges. Furthermore, Fortinet's implementation of DARRP simplifies operations by removing dependency on client software or hardware.

By default, DARRP optimization occurs at a fixed interval of 1800 seconds. Optionally, you can now schedule optimization for a fixed time, which lets you confine DARRP activity to a low-traffic period. Setting darrp-optimize to 0 makes darrp-day and darrp-time available. For example, here is how to set DARRP optimization for 3:00 am every day:

config wireless-controller timers
  set darrp-optimize 0
  set darrp-day sunday monday tuesday wednesday thursday friday saturday
  set darrp-time 03:00
end

Both darrp-day and darrp-time can accept multiple entries.

The FAP-320C, 320B and 112B second WAN port can be configured as a LAN bridge (261415)

This change makes FortiAP models 320C, 320B and 112B work more like other FortiAP models with LAN ports. The LAN port can be

  • bridged to the incoming WAN interface
  • bridged to one of the WiFi SSIDs that the FortiAP unit carries
  • connected by NAT to the incoming WAN interface

The LAN port is labeled LAN2. The port labeled LAN1 acts as a WAN port connecting the FortiAP to a FortiGate or to FortiCloud. By default, LAN2 is bridged to LAN1. Access to other modes of LAN2 operation must be enabled in the CLI:

config wireless-controller wtp-profile
  edit <profile_name>
    set wan-port-mode wan-lan
  end

By default wan-port-mode is set to wan-only.

When wan-port-mode is set to wan-lan, LAN2 Port options are available in the FortiAP Profile, the same as other FortiAP models with LAN ports, such as 11C and 14C. In the GUI, see the LAN Port settings in Wireless Controller > FortiAP Profiles. In the CLI, use the config lan subcommand of config wireless-controller wtp-profile. LAN Port settings can be overridden on individual FortiAPs.

The WAN port can also be configured on the FortiAP's CLI. See FortiAP CLI for more information.

SSID Groups (264010)

SSID groups have SSIDs as members and can be used just like an individual SSID. To create an SSID group go to WiFi Controller > SSID and select Create New > SSID Group. An SSID can belong to multiple groups.

GUI improvements (205523 278771 278898)

  • Managed FortiAP pages now show WTP Mode, either Normal or Remote. WTP Mode is an optional column in the Managed FortiAPs list.
  • WIDS Profile is an optional column in the FortiAP Profiles list.
  • If a software switch interface contains a SSID (but only one), the WiFi SSID settings are available in the switch interface settings.

CAPWAP Protected Management Frames (PMF) support (244510)

Protected Management Frames protect some types of management frames, such as deauthentication, disassociation and action frames. This feature, now mandatory on WiFi certified 802.11ac devices, prevents attackers from sending plain deauthentication/disassociation frames to disrupt or tear down a connection/association. PMF is a Wi-Fi Alliance specification based on IEEE 802.11w.

PMF is configurable only in the CLI.

config wireless-controller vap
  edit <vap_name>
    set pmf {disable | enable | optional}
    set pmf-assoc-comeback-timeout <integer>
    set pmf-sa-query-retry-timeout <integer>
    set okc {disable | enable}
  next
end

  • optional: Enable PMF and allow clients without PMF.
  • pmf-assoc-comeback-timeout: Protected Management Frames (PMF) maximum timeout for comeback (1-20 seconds).
  • pmf-sa-query-retry-timeout: Protected Management Frames (PMF) SA query retry timeout interval, in units of 100 ms, from 100 to 500 ms (integer value from 1 to 5).
  • okc: Enable or disable Opportunistic Key Caching (OKC).

Opportunistic Key Caching Support (244510)

To facilitate faster client roaming, you can enable Opportunistic Key Caching (OKC) on your WiFi network. When a client associates with an AP, its PMK identifier is sent to all other APs on the network. This eliminates the need for an already-authenticated client to repeat the full EAP exchange when it roams to another AP on the same network.

OKC is configurable only in the CLI.

config wireless-controller vap
  edit <vap_name>
    set okc {disable | enable}
  next
end

FortiPresence push REST API (273954)

When the FortiGate is located on a private IP network, the FortiPresence server cannot poll the FortiGate for information. Instead, the FortiGate must be configured to push the information to the FortiPresence server.

The configuration parameters are:

  • fortipresence-server: FortiPresence server IP address
  • fortipresence-port: FortiPresence server UDP listening port (the default is 3000)
  • fortipresence-secret: FortiPresence secret password (8 characters maximum)
  • fortipresence-project: FortiPresence project name (16 characters maximum)
  • fortipresence-frequency: FortiPresence report transmit frequency (range 5 to 65535 seconds; default = 30)
  • fortipresence-rogue: Enable/disable FortiPresence reporting of rogue APs
  • fortipresence-unassoc: Enable/disable FortiPresence reporting of unassociated devices

For example,

config wireless-controller wtp-profile
  edit "FP223B-GuestWiFi"
    config lbs
      set fortipresence enable
      set fortipresence-server 10.10.0.1
      set fortipresence-port 3000
      set fortipresence-secret "hardtoguess"
      set fortipresence-project fortipresence
      set fortipresence-frequency 30
      set fortipresence-rogue disable
      set fortipresence-unassoc disable
    end
  end

More detailed information will be provided in FortiPresence documentation.

GUI support for WiFi SSID schedules (276425 269695 269668)

WiFi SSIDs include a schedule that determines when the WiFi network is available. The default schedule is Always. You can choose any schedule (but not schedule group) that is defined in Policy & Objects > Objects > Schedules.

CLI Syntax

config wireless-controller vap
  edit vap-name
    set schedule always
  end

The WiFi SSID list includes a Schedule column.


SSID Groups

An SSID Group has SSIDs as members and can be specified in any field that accepts an SSID.

To create an SSID Group in the GUI, go to WiFi Controller > SSID and select Create New > SSID Group. Give the group a Name and choose Members (SSIDs, but not SSID Groups).

To create an SSID Group in the CLI:

config wireless-controller vap-group
  edit vap-group-name
    set vaps "ssid1" "ssid2"
  end

RADIUS Change of Authorization (CoA) support

The CoA feature enables the FortiGate to receive a client disconnect message from the RADIUS server. This is used to disconnect clients when their time, credit or bandwidth has been used up. Enable this on the RADIUS server entry using the CLI:

config user radius
  edit <server_name>
    set radius-coa enable
  end

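The disconnect message the FortiGate receives is a RADIUS Disconnect-Request (RFC 5176), a detail this page does not spell out. The point a defender cares about is that such a packet must be authenticated with the shared secret before any session is torn down, otherwise anyone who can reach the CoA port can log clients off. The following added example (Python, not FortiOS code) builds a Disconnect-Request, verifies its Request Authenticator, and answers with Disconnect-ACK or Disconnect-NAK; the packet layout, codes and authenticator rule are from RFC 5176/2865, while the session lookup, the handler and the secret are constructed assumptions.

```python
"""RADIUS Disconnect-Request (RFC 5176) handling: verify the Request
Authenticator with the shared secret before acting on a disconnect, then
answer with Disconnect-ACK or Disconnect-NAK.

Added example, not FortiOS code. The packet layout, codes and authenticator
rule are from RFC 5176/2865; the session lookup and the handler are assumptions.
"""
import hashlib
import hmac
import struct
from typing import List, Optional, Set, Tuple

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME, ATTR_CALLING_STATION_ID, ATTR_ACCT_SESSION_ID = 1, 31, 44
ATTR_ERROR_CAUSE, ERR_SESSION_CONTEXT_NOT_FOUND = 101, 503
HEADER = struct.Struct("!BBH")      # Code, Identifier, Length (then 16-byte Authenticator)


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    out = b""
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value length out of range")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    attrs, i = [], 0
    while i < len(data):
        # each attribute is Type, Length (including the 2-byte header), Value
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_disconnect_request(ident: int, attrs, secret: bytes) -> bytes:
    body = encode_attrs(attrs)
    header = HEADER.pack(DISCONNECT_REQUEST, ident, 20 + len(body))
    # RFC 5176: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_disconnect_request(pkt: bytes, secret: bytes) -> Optional[List[Tuple[int, bytes]]]:
    """Return the attributes if the packet is a well-formed, authentic Disconnect-Request."""
    if len(pkt) < 20:
        return None
    code, _ident, length = HEADER.unpack(pkt[:4])
    if code != DISCONNECT_REQUEST or length != len(pkt):
        return None
    body = pkt[20:]
    expected = hashlib.md5(pkt[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(pkt[4:20], expected):
        return None                      # RFC 5176: silently discard a bad authenticator
    try:
        return decode_attrs(body)
    except ValueError:
        return None


def build_response(code: int, request: bytes, attrs, secret: bytes) -> bytes:
    body = encode_attrs(attrs)
    header = HEADER.pack(code, request[1], 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuthenticator+Attributes+Secret)
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def handle_disconnect(pkt: bytes, secret: bytes, active_sessions: Set[bytes]) -> Optional[bytes]:
    """Disconnect the named session and return the response packet, or None to discard."""
    attrs = verify_disconnect_request(pkt, secret)
    if attrs is None:
        return None
    session = dict(attrs).get(ATTR_ACCT_SESSION_ID)
    if session in active_sessions:
        active_sessions.discard(session)
        return build_response(DISCONNECT_ACK, pkt, [], secret)
    err = struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND)
    return build_response(DISCONNECT_NAK, pkt, [(ATTR_ERROR_CAUSE, err)], secret)
```

A request with the wrong secret, or one whose attributes were altered in transit, is discarded without a reply; a valid request for an unknown session gets a Disconnect-NAK carrying Error-Cause 503 (Session Context Not Found).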
CAPWAP offloading to NPU

On FortiGates with the NP6 processor, offloading of CAPWAP traffic to the NP6 is enabled by default.

Administrative access to managed FortiAPs

By default, telnet access to a FortiAP unit's internal configuration is disabled when the FortiAP is managed (has been authorized) by a FortiGate. You can enable administrative access in the FortiAP profile, like this:

config wireless-controller wtp-profile
  edit FAP321C-default
    set allowaccess telnet
  end

The allowaccess field also accepts http to allow HTTP administrative access.

The FortiAP Profile allowaccess settings can be overridden at the individual FortiAP:

config wireless-controller wtp
  edit FP321CX14004706
    set override-allowaccess enable
    set allowaccess telnet http
  end

Improved monitoring

The WiFi Client Monitor under Monitor displays top wireless user network usage and information that includes Device, Source IP, Source SSID, and Access Point. Disk logging must be enabled.

WiFi Clients and Failed Authentication views under FortiView are historical views.