FortiWLC AeroScout

Using Location Feed

Figure 8: AeroScout Network Diagram

In addition to the standard Fortinet Wi-Fi infrastructure, AeroScout Location Receivers and Exciters can be deployed for time-difference of arrival (TDOA) locationing and choke points respectively.

Configuring AeroScout

Tracking tags is done from the AeroScout product using a FortiWLC and APs. To configure a FortiWLC to work with AeroScout, use the command aeroscout enable as shown here:

controller(config)# aeroscout ?
disable                (10) Disabling AeroScout Feature.
enable                 (10) Enabling AeroScout Feature.
ip-address             (10) The Aeroscout engine IP address.
port                   (10) The Aeroscout engine port.
controller(config)#

Location Accuracy

Since RSSI values are the basis of the location calculation, the access point must match its channel with the tag’s transmission channel, and drop tag messages that were transmitted on a channel other than that of the access point. The matching is implemented because tag reports contain the transmission channel in each message.

For this reason, the combination of AeroScout’s solution architecture with Fortinet’s Virtual Cell deployments and Air Traffic Control™ technology provides a more accurate location for tags. In other words, Fortinet’s APs can all be deployed on a single channel with a virtualized BSSID, thereby providing more reference points for the tag messages and a more accurate location.

For the location of a tag to be calculated accurately, at least three access points need to report the Wi-Fi message transmitted by the tag. A message received and reported by fewer than three APs provides only a very general location which, in most cases, is the location of the AP closest to the tag. To see the tag locations, use AeroScout. Tags do not show up when you use the Fortinet CLI command show discovered-station or anywhere else in the Fortinet CLI.

It is important to place APs closer to the perimeter of the space in which assets will be tagged and tracked, filling in coverage holes in the center of the coverage area. It is better to surround the tracking area. Aside from this, use standard Fortinet Networks deployment guidelines in placing the APs and distancing them from one another. In other words, plan for coverage and optimal data rates. When AeroScout Exciters are used for choke-point location, one AP receiving the Tag message is enough to deliver an accurate location report.

Tag Protocol Implementation

The Tag protocol operates between access points and the AeroScout engine. The Fortinet AeroScout implementation supports tag (but not laptop) messages transmitted in either IBSS (default) or WDS frame format, although Fortinet APs receive and process tag frames only in IBSS format.

Once the FortiWLC and access points are upgraded to the current version, the tag protocol is enabled automatically. No additional configuration steps are necessary. The AeroScout Tags, Engine, and MobileView application are managed through the AeroScout platform. Figure 9 on page 81 shows the operation and messages used in the Tag protocol:

Figure 9: AeroScout Tag Protocol Messages

(Sequence diagram; participants, left to right: AeroScout Tag, AP, Controller, AeroScout Engine)

AeroScout and Rogue Detection

If an AP interface is in dedicated scanning mode with Rogue AP enabled, tags are not forwarded for any channels. If an AP interface is in normal mode with Rogue AP enabled, tags are forwarded on the home channel only. Tags on foreign channels are not forwarded.

AeroScout Syslog Error Messages

Error condition: Cannot create an ATS AeroScout Manager mailbox
  Severity: critical
  Message:  AeroScoutMgr mailbox creation failed

Error condition: Cannot set AeroScout mode in the driver
  Severity: critical
  Message:  Cannot set AeroScout mode to enable/disable

Error condition: Invalid AE messages
  Severity: warning
  Messages: Unknown Message Code[0xXX]
            Data length error. rcvdLength[%d], expect at least [%d]

Error condition: Messages from unknown or unsupported mailboxes
  Severity: miscellaneous
  Message:  Msg from Unknown MailboxId[xx]

Error condition: Cannot allocate a mailbox buffer to send a controller message
  Severity: warning
  Message:  AllocBuf failed reqID[0xXXXX]

Error condition: IOCTL to the AeroScout kernel module failed
  Severity: warning
  Message:  reqID[0xXXXX] IOCTL[xx] to AeroScout kernel module failed

Error condition: Cannot get wireless channel config information
  Severity: warning
  Message:  Could not get wireless interface config for interface[xx]

AeroScout Mobile Unit

AeroScout offers Wi-Fi-based solutions for Real Time Location Service (RTLS). The following devices support AeroScout tag based location management:

  • AP400
  • AP822
  • AP832
  • FAP-U421EV
  • FAP-U423EV
  • AP1000

The AeroScout Mobile Unit architecture is displayed in Figure 10 on page 83. The following is the high-level process that occurs in the implementation:

  • Wi-Fi mobile units send wireless frames to one or more APs.
  • The AP sends reports for each Wi-Fi mobile unit (by using a dilution mechanism to control traffic between AP and Engine) to the AeroScout Engine.
  • The AeroScout Engine determines the coordinates and sends them to AeroScout MobileView.
  • AeroScout MobileView uses the location data to display maps, enable searches, create alerts, manage assets, work with third parties, and much more.

Figure 10: Aeroscout Mobile Unit

Wi-Fi Mobile Units (MUs) can be located either when associated with an access point or while transmitting broadcast or unicast messages. The messages transmitted by Wi-Fi Mobile Units are received by Access Points and are passed, along with additional information (e.g., signal strength measurements), to the AeroScout Engine, which is a core component of the AeroScout visibility system. The AeroScout Engine also calculates an accurate location of the Wi-Fi device. In order to locate the Mobile Units, Access Points that receive their messages must pass the RSSI values of each message to the AeroScout Engine. The access points must also be able to collect data messages from MUs that are not associated with them and pass the RSSI values to the AeroScout Engine.

Reporting Tags and/or Wi-Fi mobile units must not affect the normal operation of the AP—that is, the AP must keep performing in all its supported modes, such as normal 802.11a/b/g communication, monitoring, bridge modes, etc. Because MU traffic can be high, the MU messages sent to the AeroScout Engine can be diluted.

Configuring AeroScout

Tracking tags is performed from the AeroScout product using a FortiWLC and APs. To configure a FortiWLC to work with AeroScout, use the command aeroscout enable, as shown below:

default# sh aeroscout

Aeroscout Parameters

Enable/Disable              : enable
Aeroscout Engine IP Address : 0.0.0.0
Aeroscout Engine Port       : 12092
default#

Configure AeroScout Mobile Unit from AeroScout Engine

Follow the steps below to configure an AeroScout Mobile Unit from the AeroScout Engine:

  1. Enable Aeroscout on the controller.
  2. Open the Aeroscout Engine.
  3. Load the Floor Map on the Engine.
  4. Add the APs on the Aeroscout Engine.
  5. Under Configuration->System Parameters->Access Points, select the “Enable mobile-unit location with access Points” checkbox.
  6. To start the Mobile Unit Positioning option on the AeroScout engine, select ‘Start MU positioning’ from the Actions menu.

AeroScout Compounded Report

For better performance, several MU reports can be combined within a fixed, pre-defined period into Compounded Reports. Fortinet’s system combines a maximum of 18 MU reports in one Compounded Report. The number of Mobile Unit reports inside a Compounded Report depends on the Compounded Message Timeout configured on the Aeroscout Integration Tool. The ‘Compounded Message timeout’ is configured on the Aeroscout Integration tool under ‘Set Configuration’.

Dilution Timeout

In certain scenarios, the Mobile Unit traffic may be high, and the time resolution needed for location is much lower than the data rate of most Mobile Units. If every AP started reporting every Wi-Fi frame to the Aeroscout Engine, it would create unnecessary data overhead on the network and provide real-time location updates at a far higher rate than required.

To help the AP dilute messages from each Mobile Unit, the Aeroscout protocol provides the following two parameters:

  • Dilution Factor
  • Dilution Timeout

Fortinet Mobile Unit reporting supports and implements only Dilution Timeout. The Dilution Timeout sets an upper limit on the amount of time that may pass with no message from a specific Mobile Unit being reported.

For example: if the Dilution Timeout value is set to 60 seconds and the AP receives a message from an MU for which it has not reported a message to the AE for more than 60 seconds, the new message is reported to the AE immediately, regardless of the dilution factor, and the dilution counter is initialized. Broadcast frames from an MU (e.g. Probe Requests) must be forwarded to the AE regardless of the dilution parameters.

The Dilution Timeout can be configured on the Aeroscout Engine under Configuration->system parameters->Access Points->Dilution Time out.
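As an added example (not Fortinet's or AeroScout's code), the following Python model simulates one AP's report path with both the Dilution Timeout described above and the Compounded Report limit of 18 MU reports from the previous section. The ApReporter class, the Frame tuple and the sample traffic are constructed here for illustration; how a real AP closes a compounded report on a timer is simplified to closing it when the next frame arrives.

```python
from collections import namedtuple

MAX_MU_PER_COMPOUNDED_REPORT = 18   # Fortinet maximum stated in the guide
# One received frame: MU address, receive time (s), RSSI, broadcast flag (e.g. a Probe Request)
Frame = namedtuple("Frame", "mu_mac ts rssi broadcast", defaults=(False,))

class ApReporter:
    """One AP's report path: Dilution Timeout, then Compounded Reports. Assumptions (not
    Fortinet's code): any forwarded message counts as the MU's last report; a report closes
    on the next frame after the Compounded Message Timeout, at 18 MUs, or on flush()."""
    def __init__(self, dilution_timeout, compound_timeout):
        self.dilution_timeout = dilution_timeout
        self.compound_timeout = compound_timeout
        self.last_reported = {}   # mu_mac -> ts of the last report to the AE
        self.pending = []         # MU reports in the open compounded report
        self.window_start = None
        self.sent = []            # compounded reports delivered to the AE

    def flush(self):
        # Close the open compounded report (if any) and return everything sent so far.
        if self.pending:
            self.sent.append(self.pending)
            self.pending = []
        self.window_start = None
        return self.sent

    def receive(self, f):
        # Returns True if the frame is reported to the AE, False if it is diluted.
        last = self.last_reported.get(f.mu_mac)
        # Broadcasts bypass dilution; unicast is diluted while the MU was reported recently.
        if not f.broadcast and last is not None and f.ts - last <= self.dilution_timeout:
            return False
        self.last_reported[f.mu_mac] = f.ts
        if self.window_start is None or f.ts - self.window_start >= self.compound_timeout:
            self.flush()                  # first frame, or Compounded Message Timeout elapsed
            self.window_start = f.ts
        self.pending.append((f.mu_mac, f.rssi))
        if len(self.pending) >= MAX_MU_PER_COMPOUNDED_REPORT:
            self.flush()                  # report is full
        return True

def simulate(frames, dilution_timeout=60.0, compound_timeout=20.0):
    ap = ApReporter(dilution_timeout, compound_timeout)
    return [ap.receive(f) for f in frames], ap.flush()

# Constructed sample traffic: a chatty MU (...01), a quiet MU (...02), one probe request.
SAMPLE = [
    Frame("aa:bb:cc:00:00:01", 0.0, -55),
    Frame("aa:bb:cc:00:00:01", 10.0, -57),                  # diluted
    Frame("aa:bb:cc:00:00:02", 12.0, -70),
    Frame("aa:bb:cc:00:00:01", 30.0, -52, broadcast=True),  # always forwarded
    Frame("aa:bb:cc:00:00:01", 95.0, -58),                  # 65 s since last report
]
```

Running simulate(SAMPLE) shows the second frame suppressed and the remaining four reports packed into three compounded reports, which is the kind of reduction to expect on the AP-to-Engine link.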

Generic AP Notification

Generic AP notifications are autonomous messages sent to the Aeroscout Integration tool on port 12092 to report the AP connectivity state (AP comes online, goes offline, or Aeroscout parameter configuration changes). The Aeroscout Integration tool acknowledges all Generic AP notification messages sent by the controller. For Generic AP Notifications, the IP address of the Aeroscout engine must be configured on the controller.

In the Fortinet solution, Generic AP notifications are sent from the controller to the Aeroscout Engine when the AP connectivity state changes or when the aeroscout configuration on the controller changes. In general, a Generic AP notification is used to communicate an IP address change, a “wake up” from reboot, and/or any error conditions that need to be communicated to the Aeroscout engine.

Configure AeroScout Integration tool for Receiving the Generic AP Notification

To configure the AeroScout Integration tool for receiving Generic AP Notifications, perform the following steps:

  • Enable AeroScout on the controller and configure the ip-address of the AeroScout Integration tool on the controller.

  • Open the AeroScout Integration Tool and change the port from the default value ‘1122’ to ‘12092’. In the scenario where APs come online and go offline, change the AeroScout configuration parameter on the controller. The controller sends a Generic AP Notification for every AP on the controller, and the AeroScout Integration Tool acknowledges each Generic AP Notification to the controller.

This entry was posted in Administration Guides, FortiWLC.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
