FortiWLC – Roaming Across Controllers (RAC)

Roaming Across Controllers (RAC)

Clients can roam between access points connected to two different controllers in same subnet or different subnets. FortiWLC (SD) allows you to specify static or dynamic roaming.

Things to consider before enabling RAC

  • IP PREFIX validation has to be OFF in the RAC enabled ESS profile.
  • RAC can be enabled on more than one ESSID
  • If any parameter of an ESSID profile is changed, then RAC must be stopped and the changes made in the ESSID must be updated to all controllers in the roaming domain. Ensure that the controller IP is reachable before adding its IP address to the roaming domain.
  • In the output of show roaming-domain all command, the -1 value in the VLAN column depicts tunnelling to another controller in the roaming domain.

In static DHCP home configuration, you specify one of the controllers (in the roaming domain) as the home controller. A client associating with any controller in the roaming domain will receive an IP address from this home controller. Once a controller is set has the home controller, it applies to all the native VLAN, configured VLAN and dynamic VLAN configurations of that controller as per the “tunnel interface type” set in the ESS profile.

In dynamic DHCP home configuration, a client associating with a controller for the first time will continue to receive IP address from that controller and will be the clients the home controller. To allow dynamic roaming, set the home controller IP address as 0.0.0.0.

Roaming Time-out

In a dynamic roaming scenario, if a client leaves the coverage area and returns after the configured timeout value, a fresh association happens and the client may get associated with a different controller as its home controller. The roaming time-out value (in minutes) for clients can be configured via CLI:

default(15)(config)# roaming‐domain roam‐time‐out 70

Roaming Across Controllers (RAC)

Default and minimum timeout value is 60 minutes and maximum is 240 minutes. The roaming timeout countdown starts as soon as the client leaves the coverage area.

NOTE: When RCA is stopped all the existing clients are forcefully de-authenticated and forced to reconnect. Irrespective of the client has roamed or not, this process is applied to all clients in the roaming domain.

Setting up RAC requires the following steps

Static Roaming

  1. Specify an ESSID for the roaming domain.
  2. Add your controller’s IP address as the member controller.
  3. Add your controller’s IP address as the Home controller.
  4. Repeat the above steps for adding peer controllers. Ensure that you keep the same ESSID name and the home controller IP address.

Dynamic Roaming

  1. Specify an ESSID for the roaming domain.
  2. Add your controller’s IP address as the member controller.\
  3. Add 0.0.0.0 as the IP address of the home controller.
  4. Repeat the above steps for adding peer controllers. Ensure that you keep the same ESSID name and the home controller IP address as 0.0.0.0.
Configuring Using WebUI
  1. Go to Configuration > Wired > RAC.
  2. In the Peer Controllers tab add the following:
  • ESSID: This should be replicated as-is across in all controllers in the roaming domain.
  • Peer Controller IP address

Roaming Across Controllers (RAC)

  • Home DHCP controller IP address: IP address of the home controller in the roaming domain. All the DHCP packets from the visiting client will be forwarded to this home controller and will be delivered locally in the home controller.

Roaming Across Controllers (RAC)

Configuring Using CLI

A new CLI command roaming-domain with the following options is available to set up RAC essid – Specify the name of the common ESSID that is available in all 6 controllers in the roaming domain

  • start – To start RAC.
  • stop – To stop RAC
  • peer-controller – To specify the IP address of the peer controller in the roaming domain
  • homedhcp-controller – To specify the home controller in the roaming domain.

Example default(15)(config)# roaming‐domain start

default(15)(config)# roaming‐domain essid Roaming1 peer‐controller 10.10.1.20 homedhcp‐controller 10.10.12.100

Dynamic DHCP home

default(15)(config)# roaming‐domain essid Roaming1 peer‐controller 10.10.1.20 homedhcp‐controller 0.0.0.0.

Where, essid is the name of the “ESS profile” string displayed in the show essid command.

This entry was posted in Administration Guides, FortiWLC on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.