FortiWLC – Configuring Port Profiles

Configuring Port Profiles

The Port Profile configuration screen allows you to create custom Ethernet profiles that can be applied to non-primary Ethernet ports on deployed devices. Certain AP models implement multiple Ethernet ports, and while one is always used for wireless service, the remaining ones can be configured by applying a Port Profile to them. If this functionality is not needed, the port can also be disabled via the Port Profile feature.

Each device that is connected to a non-primary port (either directly or through a switch that is wired to the port) can be monitored as a wired station in the controller WebUI (via Monitor > Devices > All Stations). If the interface is configured for tunneled operation and the connected device is a VoIP phone utilizing SIP, the phone will be visible as a SIP phone in the controller’s phone database. Note that the maximum number of wired stations supported per wired interface is 128.

Refer to the following sections for steps on how to configure and apply Port Profiles.

Creating a Port Profile

By default, a default Port Profile is configured in the controller interface. To view the existing Port Profiles, simply open the WebUI and navigate to Configuration > Wired > Port. See Figure 38.

Figure 38: Port Table

Several options can be configured as part of a Port Profile.

Configuring Port Profiles

The following table describes each field displayed.

TABLE 11: Port Profile Options

Field Description
Port Profile Name The name provided for the port profile during profile creation.
Enable/Disable Displays whether the profile is currently enabled for use.
Dataplane Mode Allows the profile to be configured for either Tunneled or Bridged configuration.
AP VLAN Tag This field is only configured when the profile is operating in Bridged mode. The VLAN tag is an integer from 0 to 4094 that identifies the VLAN on which the AP resides.
VLAN Name This field is only used when the profile is operating in Tunneled mode. It allows you to specify the VLAN on which the profile is configured.
Allow Multicast Flag This option allows you to specify whether multicast transmissions will be permitted via the port in use.
IPv6 Bridging Specifies whether bridging for IPv6 devices is On or Off.

If desired, the default profile can be modified by checking the box alongside it in the table and clicking Settings. To add a new profile, perform the following steps:

  1. From the WebUI, navigate to Configuration > Wired > Port.
  2. Click Add. The screen refreshes to display the Port Table – Add page.
  3. Configure the profile as desired. Refer to Table 11 for descriptions of the configuration options.
  4. When finished, click OK to save the new profile.

Once a profile has been created, it can be applied to the desired port(s) on network devices.

Refer to the following section for instructions.

Enabling a Port Profile on a Specific Ethernet Port

To specify a port profile for a given Ethernet port, you must access the Port AP Table; from the Port Profile Table, select the desired profile and click Configuration. The Port AP Table is the second tab provided on the resulting screen.

By default, the Port AP Table is blank; you can manually add ports as desired. To add a port for the profile:

  1. From the Port AP Table screen, click Add. The resulting table will allow you to select the AP and Interface ID to which the port profile will apply.
  2. Use the drop-down lists to select the desired AP and Ethernet IDs. Note that if the Ethernet Interface Index specified is an Uplink interface (i.e., the interface is its primary connection to the network), it cannot be configured for a port profile and an error message will appear.
  3. Click OK to save the changes.

These steps may be repeated for as many profiles as desired.

Enable 802.1x Authentication

Wired clients can be connected to the AP’s Wired Interface directly or can be connected via an L2 switch. In a deployment that uses L2 switch for multiple wired clients, the L2 switch must be configured to pass through 802.1x packets.

To enable 802.1 x authentication for wired clients, do the following:

  1. Create a RADIUS profile and security profile (using 802.1x L2 authentication mechanism with Clear Encryption mode )
  2. Attach the security profile to the respective port profile configuration.
Enabling using CLI

Create RADIUS Profile default(15)(config)# default(15)(config)# radius‐profile dot1xport default(15)(config‐radius)# ip‐address 10.10.10.10 default(15)(config‐radius)# key meru2002 default(15)(config‐radius)# port 1812 default(15)(config‐radius)# exit

Create Security Profile default(15)# configure terminal default(15)(config)# security‐profile dotxportauth default(15)(config‐security)# allowed‐l2‐modes 802.1x default(15)(config‐security)# encryption‐modes clear default(15)(config‐security)# radius‐server primary dot1xport

Configuring Port Profiles

default(15)(config‐security)# exit

Create Port Profile default(15)# configure terminal default(15)(config)# port‐profile dot1xauth default(15)(config‐port‐profile)# enable default(15)(config‐port‐profile)# dataplane tunnelled default(15)(config‐port‐profile)# security‐profile dot1xportauth default(15)(config‐port‐profile)# exit default(15)#

Enabling using WebUI

Create RADIUS Profile

Create Security Profile

Create Port Profile

This entry was posted in Administration Guides, FortiWLC on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.