Category Archives: FortiWLC

FortiWLC – Encryption Support

Encryption Support

Wireless LAN System offers CCMP-AES for WPA2. WPA2 uses CCMP/AES as encryption method. Descriptions of these technologies are provided in this section. Fortinet also supports the original 802.11encryption protocols provided by WEP64 and WEP128.

We recommend using the more secure CCMP-AES encryption solution if your site’s client hardware cannot support CCMP.

CCMP-AES

AES is the Advanced Encryption Standard and is used by the US Department of Defence as a replacement for older encryption standards. As such, it is very secure. AES can be used in several modes, and CCMP is the mode used by WPA2. Both terms are commonly used interchangeably.

WEP Security Features

Wired Equivalent Privacy (WEP64 and WEP128) is a Layer 2 security protocol specified in the IEEE Wireless Fidelity (Wi-Fi) standard, 802.11. WEP is designed to provide a wireless LAN with comparable level of security and privacy to what is usually expected of a wired LAN. A wired LAN is generally protected by physical security mechanisms, such as controlled access to a building, that are effective for a controlled physical environment. However, such security

Encryption Support

mechanisms do not apply to WLANs because the walls containing the network do not necessarily bind radio waves. WEP seeks to establish protection similar to that offered by the wired network’s physical security measures by encrypting data transmitted over the WLAN. Data encryption protects the vulnerable wireless link between clients and access points. Once this measure has been taken, other typical LAN security mechanisms such as authentication, password protection, and end-to-end encryption, can be put in place to protect privacy.

With the WEP protocol, all access points and client radio NICs on a particular wireless LAN must use the same encryption key. Each sending station encrypts the body of each frame with a WEP key before transmission, and the receiving station decrypts it using an identical key. This process reduces the risk of someone passively monitoring the transmission and gaining access to the information contained within the frames.

The WEP implementation allows the Security Profile configuration to specify one of four possible WEP keys that can be configured by a user station key management program.

FortiWLC – Configure a Security Profile With the Web UI

Configure a Security Profile With the Web UI

To configure Security Profile parameters, follow these steps:

  1. Click Configuration > Security > Profile.
  2. In the Security Profile Name box, type the name of the security profile. The name can be up to 32 alphanumeric characters long and cannot contain spaces.
  3. In the L2 Modes Allowed area, select one of the following Layer 2 security modes: Clear: The WLAN does not require authentication or encryption, and the WLAN does not secure client traffic. This is the default setting.
    • 1X: Can provide 802.1X authentication and WEP64 or WEP128 encryption.
    • Static WEP keys: Requires that stations use a WEP key (see step 6).
    • WPA2: Requires 802.1x RADIUS server authentication with one of the EAP types (see step 4 to select a pre-configured RADIUS server profile). For more information, see “WiFi Protected Access (WPA2)” on page 220. WPA2 PSK: Uses the CCMP-AES encryption protocol and requires a pre-shared key (see step 12 to enter the pre-shared key).
    • WPA2-TKIP
    • MIXED: Allows WPA2 clients using a single security profile.
    • MIXED PSK: Allows pre-shared key clients to use a single security profile.
    • WAI: Uses the WPI-SMS4 encryption protocol. WAI PSK: Uses the WPI-SMS4 encryption protocol and requires a shared key.
  4. In the Data Encrypt area, select one of the following (available choices are determined by the L2 Mode selected):
    • Clear: The WLAN does not require encryption.
    • WEP64: A 64-bit WEP key is used to encrypt packets. For more information, see “WEP Security Features” on page 220.
    • WEP128: A 128-bit WEP key is used to encrypt packets. For more information, see “WEP Security Features” on page 220. CCMP-AES: A 128-bit block key is used to encrypt packets with WPA2. For more information, see “CCMP-AES” on page 220.
    • WPI-SMS4: Encryption algorithm used with WAI and WAI PSK.

Configure a Security Profile With the Web UI

If you select WEP64 or WEP128, you need to specify a WEP key, as described in step 6. If you specify CCMP-AES for WPA2-PSK, a pre-shared key must be set, as described in step 12.

  1. From the Primary RADIUS Profile Name list, select one of the configured RADIUS Server Profiles for use as the primary server or select the No RADIUS option. If no RADIUS

Server Profiles have been configured, the selectable list is unavailable and the text “No Data for Primary RADIUS Profile Name” displays. To configure a RADIUS Server Profile, click Configuration > Security > RADIUS.

  1. From the Secondary RADIUS Profile Name list, select one of the configured RADIUS Server Profiles for use as the secondary server or select the No RADIUS option. If no RADIUS Server Profiles have been configured, the selectable list is unavailable and the text “No Data for Primary RADIUS Profile Name” displays. To configure a RADIUS server profile, click Configuration > Security > RADIUS.
  2. In the WEP Key box, specify a WEP key. If you selected Static WEP Keys in step 2, you need to specify a WEP key in hexadecimal or text string format.

A WEP64 key must be 5 octets long, which you can specify as 10 hexadecimal digits (the hexadecimal string must be preceded with 0x) or 5 printable alphanumeric characters (the ! character cannot be used). For example, 0x619B947A3D is a valid hexadecimal value, and wpass is a valid alphanumeric string.

A WEP128 key must be 13 octets long, which you can specify as 26 hexadecimal digits (the hexadecimal string must be preceded with 0x) or 13 printable alphanumeric characters (the ! character cannot be used). For example, 0xB58CE2C2C75D73B298A36CDA6A is a valid hexadecimal value, and mypass8Word71 is a valid alphanumeric string.

  1. In the Static WEP Key Index box, type the index number to be used with the WEP key for encryption and decryption. A station can have up to four static WEP keys configured. The static WEP key index must be an integer between 1 through 4 (although internal mapping is performed to handle wireless clients that use 0 through 3 assignments).
  2. In the Re-Key Period box, type the duration that the key is valid. Specify a value from 0 to 65,535 seconds. The default re-key value is zero (0). Specifying 0 indicates that re-keying is disabled, which means that the key is valid for the entire session, regardless of the duration.

10.In the BKSA Caching Period (seconds), the duration that the key is valid. Specify a value from 0 to 65,535 seconds. The default value is 43200.

11.In the Captive Portal list, select one of the following:

  • Disabled: Disables Captive Portal.
  • WebAuth: Enables a WebAuth Captive Portal. This feature can be set for all L2 Mode selections.

12.If you want to use a third-party Captive Portal solution from a company such as Bradford,

Avenda, or CloudPath change the value for Captive Portal Authentication Method to

Configure a Security Profile With the Web UI

external. For more information, see Captive Portal (CP) Authentication for Wired Clients.

13.To use 802.1X, select one of the following in the 802.1X Network Initiation list: On: The controller initiates 802.1X authentication by sending an EAP-REQUEST packet to the client. By default, this feature is enabled.

  • Off: The client sends an EAP-START packet to the controller to initiate 802.1X authentication. If you select this option, the controller cannot initiate 802.1X authentication.

14.Tunnel Termination: Tunnel-Termination is provided by IOSCLI and Controller GUI, to perform configuration on per-security profile basis. Select one of the following in the Tunnel Termination list:

  • PEAP: PEAP (Protected Extensible Authentication Protocol) is a version of EAP, the authentication protocol used in wireless networks and Point-to-Point connections. It is designed to provide more secure authentication for 802.11 WLANs (wireless local area networks) that support 802.1X port access control. It authenticates the server with a public key certificate and carries the authentication in a secure Transport Layer Security (TLS)
  • TTLS: TTLS (Tunneled Transport Layer Security) is a proposed wireless security protocol.

Note that when Tunnel Termination is enabled, Fortinet’s default certificate is used. In this case, the certificate must be “trusted” on the wireless client end in order for authentication to be successful. Refer to Security Certificates for details on how to import a certificate.

15.If the Static WEP Key mode is used, in the Shared Key Authentication list, select one of the following:

  • On: Allows 802.1X shared key authentication. Off: Uses Open authentication. By default, this feature is off.

16.In the Pre-shared Key text box, enter the key if WPA2-PSK was selected in step 2 above. The key can be from 8 to 63 ASCII characters or 64 hex characters (hex keys must use the prefix “0x” or the key will not work).

17.In the Group Keying Interval text box, enter the time in seconds for the interval before a new group key is distributed.

18.In PMK Caching, select On or Off.

19.In the Key Rotation drop-down list, select whether to enable or disable this feature.

20.The timeout value for Backend Authentication Server Timeout can be 1-65535 seconds.  Configure a Security Profile With the Web UI

21.For Re-authentication, select one of the following: On: Causes the controller to honor and enforce the “Session-timeout” RADIUS attribute that may be present in a RADIUS Access-Accept packet. A customer would use this option if the Session-timeout attribute is used to require stations to re-authenticate to the network (802.1X) at a specified period. If “Session-timeout” is not used, there is no reason to enable re-authentication.

  • Off: Disables re-authentication for this security profile.

22.In the MAC Filtering list, select one of the following:

  • On: Enables MAC Filtering for this security profile. Off: Disables MAC Filtering for this security profile.

23.In the MAC Auth Primary RADIUS Profile Name list, select the name of a previously configured authentication server profile.

24.In the MAC Auth Secondary RADIUS Profile Name list, select the name of a previously configured authentication server profile.

25.In the MAC Accounting Primary RADIUS Profile Name list, select the name of a previously configured RADIUS accounting server profile or the No RADIUS option.

26.In the MAC Accounting Secondary RADIUS Profile Name list, select the name of a previously configured RADIUS accounting server profile or the No RADIUS option.

27.In the Firewall Capability drop-down list, select one of the following: Configured: The controller defines the policy through configuration of the Firewall filterid.

  • RADIUS-configured: The RADIUS server provides the policy after successful 802.1X authentication of the user. This option requires the RADIUS server have the filter-id configured. If this is not configured, the firewall capability is not guaranteed.
  • None: Disables the Firewall Capability for this security profile.

28.In the Firewall Filter ID text box, enter the firewall filter-id that is used for this security profile. The filter-id is an alphanumeric value that defines the firewall policy to be used on the controller, when the firewall capability is set to configured. For example, 1.

29.In the Security Logging drop-down list, select one of the following:

  • On: Enables logging of security-related messages for this security profile.
  • Off: Disables logging of security-related messages for this security profile

30.In the Passthrough Firewall Filter ID text box, enter a firewall filter ID that was created using Configuration > QoS > System Settings > QoS and Firewall Rules > Add. The filter ID is an alphanumeric value that defines the firewall policy to be used on the controller for a Captive Portal-enabled client that has no authentication.

31.Click OK.

Configure a Security Profile With the Web UI

Wi-Fi Protected Access (WPA2)

Fortinet Wireless LAN System supports both WPA2 and 802.1x protocols that have been presented by the Wi-Fi Alliance as interim security standards that improve upon the known vulnerabilities of WEP until the release of the 802.11i standard.

In WPA2, the WPA Message Integrity Code (MIC) algorithm is replaced by a message authentication code, CCMP, that is considered fully secure and the RC4 cipher is replaced by the Advanced Encryption Standard (AES), as described in “CCMP-AES” on page 220.

If 802.1X authentication is not available (in a SOHO, for example), WPA2-Personal can be implemented as alternatives and provide for manual key distribution between APs and clients.

To achieve a truly secure WPA2 implementation, the installation must be “pure,” that is, all APs and client devices are running WPA2-Enterprise. Implement this for Wireless LAN System with an ESS that uses a Security Profile that configures WPA2, leverages the site’s 802.1X user authentication and includes TKIP or CCMP encryption. Once associated with this profile, users and enterprises can be assured of a high level of data protection.

FortiWLC – Configuring Wireless LAN Security

Configuring Wireless LAN Security

In Wireless LAN System, Layer 2 and Layer 3 security options are enforced by creating Security Profiles that are assigned to an ESSID. As such, they can be tailored to the services and the structure (virtual Port, Virtual Cell, etc.) offered by the ESSID and propagated to the associated APs. Security profiles for a controller can also be configured from E(z)RF Network Manager. You can tell where a profile was configured by checking the read-only field Owner. The Owner is either E(z)RF or controller. The general security configuration tasks are as follows:

  1. Create VLANs to keep the client traffic in each SSID secure and separate from clients in other SSIDs. See the chapter
  2. Set up the Certificate Server or RADIUS server configuration (see the RADIUS server documentation for instructions).
  3. Configure Security Profiles based on the type of security required (continue with the following sections).
  4. Configure one or more ESSIDs (see the chapter Configuring an ESS for directions) and assign the VLAN and Security Profile to them.

FortiWLC – Virtual Interfaces

Virtual Interfaces

When operating in L3 Routing mode, Virtual Interfaces can be configured in order to act in much the same way as the standard physical interfaces on a device: they can be assigned an IP (or range of IPs), subnet, and gateway, and can be used to isolate clients in their own pri-

Virtual Interfaces

vate IP range. Once a Virtual Interface is created, it can be mapped to a DHCP scope (see Feature Group) and an ESS in order to service clients.

To view the virtual interface table, access the WebUI and navigate to Configuration > Wired > Virtual Interface. Note that until at least one interface has been created, the table will be blank.

Adding a Virtual Interface

To create a new virtual interface, access the Virtual Interface Table and click Add. The Virtual Interface – Add screen appears. See Figure 43.

Figure 43: Creating a Virtual Interface

Provide the required details as described in the following table.

TABLE 13: Virtual Interface Fields

Field Description
Virtual Interface Profile Name Enter a descriptive name for the interface. Note that this must be between 1 and 32 characters in length.
Enable/Disable Use this drop-down to enable or disable the virtual interface.
Subnet IP Address Enter the subnet to be used by the interface. This is typically in the xxx.xxx.xxx.0 format, as shown above.
Subnet Mask Enter the subnet mask for the interface. This is typically in the 255.255.255.0 format, as shown above.
Gateway IP Address Specify the IP address for the gateway on the selected subnet. This is typically in the xxx.xxx.xxx.1 format, as shown above.

Once the fields are filled in, click OK to save the interface. Repeat this process for as many interfaces as desired. After the interfaces have been created, you can assign them a DHCP scope. Refer to Feature Group for further instructions.

FortiWLC – Configuring Management Interfaces

Configuring Management Interfaces

The Management Interfaces table (Configuration > Devices > System Settings > Management Interfaces) allows the user to control how traffic is sent from the controller to the wireless network. Refer to the following sections for each tab in the table.

Physical Interfaces

The Physical Interfaces table is where the user may configure the IP information for the physical Ethernet ports on the controller. The number of ports that may be configured will vary depending on the controller model purchased.

Add a Physical Interface

To configure a new physical interface, follow the steps below:

  1. From the Physical Interfaces table, click Add. The Management Interface-Add window appears.

Configuring Management Interfaces

Figure 39: Adding a Physical Interface

  1. Add in the required data as described in the table below.
Field Description
Interface Number The number for the desired interface.
Assignment Type Specifies whether the interface utilizes a Static or Dynamic IP address.
IP Address If using a static IP, enter the IP address to be used by the interface.
NetMask If using a static IP, enter the NetMask for the interface.
Gateway Address If using a static IP, enter the gateway address for the interface.
Interface Mode Specify whether the interface will be a active redundant.
  1. Click Save to save the interface. Note that the controller must be rebooted in order to apply the changes.
VLAN Interfaces

VLAN Interfaces allow the user to specify VLANs that are to be used specifically for Management traffic on the network. This traffic includes:

  • Communications between the controller and APs or controller to controller Access to the WebUI or CLI

Configuring Management Interfaces

  • SNMP traffic
  • Communications to the Network Management server and any additional Fortinet applications (SAM, Spectrum Manager, etc)
  • Syslog messages
  • Authentication server traffic (RADIUS, TACACS+, etc)
  • NTP communications

Using this functionality, users can isolate management traffic from the rest of the network and route it specifically to the devices for which it is intended. Follow the steps in the section below to create a VLAN interface.

Add a Management VLAN Interface
  1. From the VLAN Interfaces table, click Add. The Management Interface-Add window appears.

Figure 40: Adding a VLAN Interface

  1. Add in the required data as described in the table below.
Field Description
VLAN Name Enter a name for the VLAN.
Interface Number The physical interface number to be used.

Note: Management VLANs must utilize Interface number 1, so this field cannot be modified.

Tag Enter a tag for the VLAN.

Configuring Management Interfaces

Field Description
IP Address Enter the IP address to be used by the VLAN.
NetMask Enter the NetMask for the VLAN.
Default Gateway Enter the gateway to be used by the VLAN.
Assignment Type Management VLANs can only be implemented on static IP addresses, so this field cannot be changed.
Interface Mode Management VLANs can only operate on Active interfaces, so this field cannot be changed.
  1. Click Save to save the VLAN. The new VLAN will appear in the VLAN Interfaces table.
Using Static Routes

Static routes allow the system administrator to manually define the adapters that are permitted access to configured subnets. This is of particular use in smaller deployments where only a few routes are needed, or in larger ones where certain subnets must be kept separate from each other. Static routing can also be advantageous in that it doesn’t require the processing power that dynamic routes (in which the network router automatically determines the best delivery path for packets) can.

To view the static route table, access the WebUI and navigate to Configuration > Devices > System Settings > Management Interfaces > Static Route. Figure 41: Static Route Table

Adding a Static Route

To create a new static route, access the Static Route Table and click Add. The Static Route Configuration – Add screen appears.

Configuring Management Interfaces

Figure 42: Creating a Static Route

Provide the required details as described in the following table.

TABLE 12: Static Route Fields

Field Description
Static Route Name Enter a descriptive name for the route. Note that this must be between 1 and 16 characters in length.
IP Address/Subnet Enter the subnet for which the route provides access. This is typically in the xxx.xxx.xxx.0 format, as shown above.
Subnet Mask Enter the subnet mask for the route. This is typically in the 255.255.255.0 format, as shown above.
FastEthernet Use this drop-down to specify which Ethernet adapter will utilize the route. The specified adapter will subsequently gain access to the configured subnet.
Interface Name The name of the interface used for the route.
Default Gateway The default gateway for the route.

Once the fields are filled in, click OK to save the route. Repeat this process for as many routes as desired.

FortiWLC – Configuring Port Profiles

Configuring Port Profiles

The Port Profile configuration screen allows you to create custom Ethernet profiles that can be applied to non-primary Ethernet ports on deployed devices. Certain AP models implement multiple Ethernet ports, and while one is always used for wireless service, the remaining ones can be configured by applying a Port Profile to them. If this functionality is not needed, the port can also be disabled via the Port Profile feature.

Each device that is connected to a non-primary port (either directly or through a switch that is wired to the port) can be monitored as a wired station in the controller WebUI (via Monitor > Devices > All Stations). If the interface is configured for tunneled operation and the connected device is a VoIP phone utilizing SIP, the phone will be visible as a SIP phone in the controller’s phone database. Note that the maximum number of wired stations supported per wired interface is 128.

Refer to the following sections for steps on how to configure and apply Port Profiles.

Creating a Port Profile

By default, a default Port Profile is configured in the controller interface. To view the existing Port Profiles, simply open the WebUI and navigate to Configuration > Wired > Port. See Figure 38.

Figure 38: Port Table

Several options can be configured as part of a Port Profile.

Configuring Port Profiles

The following table describes each field displayed.

TABLE 11: Port Profile Options

Field Description
Port Profile Name The name provided for the port profile during profile creation.
Enable/Disable Displays whether the profile is currently enabled for use.
Dataplane Mode Allows the profile to be configured for either Tunneled or Bridged configuration.
AP VLAN Tag This field is only configured when the profile is operating in Bridged mode. The VLAN tag is an integer from 0 to 4094 that identifies the VLAN on which the AP resides.
VLAN Name This field is only used when the profile is operating in Tunneled mode. It allows you to specify the VLAN on which the profile is configured.
Allow Multicast Flag This option allows you to specify whether multicast transmissions will be permitted via the port in use.
IPv6 Bridging Specifies whether bridging for IPv6 devices is On or Off.

If desired, the default profile can be modified by checking the box alongside it in the table and clicking Settings. To add a new profile, perform the following steps:

  1. From the WebUI, navigate to Configuration > Wired > Port.
  2. Click Add. The screen refreshes to display the Port Table – Add page.
  3. Configure the profile as desired. Refer to Table 11 for descriptions of the configuration options.
  4. When finished, click OK to save the new profile.

Once a profile has been created, it can be applied to the desired port(s) on network devices.

Refer to the following section for instructions.

Enabling a Port Profile on a Specific Ethernet Port

To specify a port profile for a given Ethernet port, you must access the Port AP Table; from the Port Profile Table, select the desired profile and click Configuration. The Port AP Table is the second tab provided on the resulting screen.

By default, the Port AP Table is blank; you can manually add ports as desired. To add a port for the profile:

  1. From the Port AP Table screen, click Add. The resulting table will allow you to select the AP and Interface ID to which the port profile will apply.
  2. Use the drop-down lists to select the desired AP and Ethernet IDs. Note that if the Ethernet Interface Index specified is an Uplink interface (i.e., the interface is its primary connection to the network), it cannot be configured for a port profile and an error message will appear.
  3. Click OK to save the changes.

These steps may be repeated for as many profiles as desired.

Enable 802.1x Authentication

Wired clients can be connected to the AP’s Wired Interface directly or can be connected via an L2 switch. In a deployment that uses L2 switch for multiple wired clients, the L2 switch must be configured to pass through 802.1x packets.

To enable 802.1 x authentication for wired clients, do the following:

  1. Create a RADIUS profile and security profile (using 802.1x L2 authentication mechanism with Clear Encryption mode )
  2. Attach the security profile to the respective port profile configuration.
Enabling using CLI

Create RADIUS Profile default(15)(config)# default(15)(config)# radius‐profile dot1xport default(15)(config‐radius)# ip‐address 10.10.10.10 default(15)(config‐radius)# key meru2002 default(15)(config‐radius)# port 1812 default(15)(config‐radius)# exit

Create Security Profile default(15)# configure terminal default(15)(config)# security‐profile dotxportauth default(15)(config‐security)# allowed‐l2‐modes 802.1x default(15)(config‐security)# encryption‐modes clear default(15)(config‐security)# radius‐server primary dot1xport

Configuring Port Profiles

default(15)(config‐security)# exit

Create Port Profile default(15)# configure terminal default(15)(config)# port‐profile dot1xauth default(15)(config‐port‐profile)# enable default(15)(config‐port‐profile)# dataplane tunnelled default(15)(config‐port‐profile)# security‐profile dot1xportauth default(15)(config‐port‐profile)# exit default(15)#

Enabling using WebUI

Create RADIUS Profile

Create Security Profile

Create Port Profile

FortiWLC – Link Aggregation

Link Aggregation

Link aggregation allows data traffic across both Ethernet ports on AP resulting in increased throughput and redundancy. You can configure LACP only on the second interface of the AP. Before you configure LACP on the second interface of the AP, enable bonding on the switch that terminates AP. When configured for link aggregation, the second interface of the AP will inherit all properties of the first interface. When enabled, LACP is functional on both ports.

The second interface of the AP is disabled by default and when enabled it functions as the bonded pair to the first interface. The second interface cannot be used in standalone mode. However, when LACP is enabled and if one of the interfaces fails, the second interface takes over and passes traffic. During a failover, the second interface will function only if there is an external power supply or if the switch can provide only power via PoE.

Link aggregation is available only on AP832, AP822, FAP-U421, and FAP-U423. If the switch that terminates the AP does not support LACP, the AP will fall back to non-LACP mode with only one interface passing data traffic. Static bonding is not supported.

Pre-requisites

Before you enable LACP on the AP, ensure that you do the following

  • Remove port AP entry from the port profile of that AP.
  • Enable LACP support for the ports on the switch that terminates the AP.
  • AP requires 802.3at power to support LACP.

NOTE: If the switch does not support LACP, the AP will work in non-LACP mode.

Link Aggregation

 

Enabling LACP in CLI

Use the lacp enable command on an AP’s ethernet interface to enable LACP.

controller(15)# config terminal controller(15)(config)# interface ap 108 2 controller(15)(config‐if‐WiredEth)# lacp enable

Verifying LACP Status

The Uplink Type and LACP column in the show interfaces ap <ap-id> command displays the status of LACP for an AP.

Controller(15)# show interfaces Ethernet ap 108

Type        ID  Name            IfIndex MTU     MAC Address       Admin State Op State  Last Change          Uplink Type LACP     

ap          108 AP‐108          1       1500    00:0c:e6:13:01:a9 Up          Disabled  05/19/2014 20:05:12  Uplink      disable  

ap          108 AP‐108          2       1500    00:0c:e6:13:01:a9 Up          Disabled  05/20/2014 23:51:48  Uplink‐lacp enable   

        Ethernet Table(2 entries)

For additional diagnostics, you can view the Tx and Rx errors of AP interface using the show interfaces Ethernet statistics <ap-ID> command.

Controller(15)# show interfaces Ethernet statistics ap 13

 IfIndex   Node ID Node Name       Type        In Octets     In Errors     Out Octets    Out Errors   

 

  • 13 AP‐13           ap          78217745      0             4637677       0            
  • 13 AP‐13           ap          0             0             0             0            

LACP      13      AP‐13           ap          78217745      0             4638109       0            

        Ethernet Statistics(3 entries)

Enabling LACP in WebUI
  1. Goto Configuration > Devices > AP, select the AP.

Link Aggregation

  1. Goto Ethernet Interface tab, and select the second Ethernet Interface and set LACP to Enable.

To batch enable LACP on multiple APs.

  1. Goto Configuration > Wired > Ethernet, select all APs and click the Bulk Update button.
  2. Set LACP to Enable.

FortiWLC – Dual-Ethernet Operation

Dual-Ethernet Operation

Dual-Ethernet support enables the controller’s second Ethernet port and provides the ability for it to work either as a redundant interface or a second active interface.

If the second interface is configured as redundant, it will serve as a backup interface to the first interface. This means that it will be idle as long as the first interface is functional and will perform all functions of the first interface if the first interface fails. In a redundant configuration, the first interface can have static or DHCP IP address.

If the second interface is configured as active, it can be configured as a separate interface that can support an additional configuration, for example to support GRE tunneling while the first interface is configured for VLANs.

The first Ethernet interface is treated as the default interface. The responsibility of the default interface is to pass wireless tunnel traffic between the APs and the controller. In addition to the general support of GRE and VLAN, the default interface is also the designated management interface for the controller, providing support for management access traffic via SSH and HTTPS.

It is implicit in the configuration of redundant mode that the second Ethernet interface should be connected to a switch port in which it can perform the same functions as the default Ethernet interface.

Note that when changing from redundant to dual active operation, a controller reboot is required.

Configuring Dual Ethernet

The second Ethernet interface can be configured as either redundant or active. An active interface can be used to support a VLAN or GRE (Generic Routing Encapsulation) tunneling. A redundant interface is a backup interface in case the primary interface fails.

Dual-Ethernet Operation

Configuring a Redundant Interface

See the chapter Implementing Redundancy.

Configuring an Active Interface

The following commands configure Ethernet port 2 as an active interface that can be used to support a VLAN or GRE (Generic Routing Encapsulation) tunneling. The ip address specifies the IP address of the VLAN or GRE local endpoint followed by the associated netmask. The gw command specifies the gateway address, and is a mandatory field.

default# configure terminal default(config)# interface FastEthernet 2

default(config‐if‐FastEth)# ip address 172.26.16.200 255.0.0.0 default(config‐if‐FastEth)# gw 172.26.16.1 default(config‐if‐FastEth)# type active default(config‐if‐FastEth)# exit default(config)# exit

After completing the interface configuration above, to configure a GRE tunnel, see Configure GRE Tunnels in the Security chapter.

Viewing FastEthernet Interface Information

To view the FastEthernet interface 1 configuration, use the show interfaces FastEthernet controller or show interfaces FastEthernet ap commands to display information relating to each type of interface.

To view the FastEthernet interface 2 redundant configuration, use the command show second_interface_status.

Interface and Networking Commands

The following interface and networking configuration commands are available.

Dual-Ethernet Operation

TABLE 10: Interface and Networking Commands

Command Purpose
controller(config)# interface FastEthernet controller interface-index Specify the controller interface index (0-31) and enter FastEthernet interface configuration submode.
controller(config)# ip address ip-address mask Specifies the IP address and subnet mask for the controller. This is used to specify the static IP address if you are not enabling DHCP.
controller(config)# gw ip-address Specifies the IP address of the default gateway. Used to specify the gateway if you are not using DHCP.
controller# setup Interactive script that helps set up hostname and other system and networking parameters.
controller# show interfaces FastEthernet statistics Displays the summary table of Ethernet statistics for the controller and APs.
controller# show interfaces FastEthernet statistics controller Displays the Ethernet statistics for the controller.
controller# show interfaces FastEthernet statistics ap id Displays the Ethernet statistics for the AP with the given node ID.
controller# show second_interface_status Displays the status of the second FastEthernet interface when configured for redundant mode.