
FortiWLC – Automatic AP Upgrade

Automatic AP Upgrade

The automatic AP upgrade feature is enabled by default. It allows an AP’s firmware to be automatically upgraded by the controller when the AP joins the WLAN. An AP cannot provide service (and consequently be part of the WLAN) if its firmware is at a different level than that of the controller.

When an AP initiates its discovery phase, the controller checks the firmware version and initiates an upgrade if the version is not at the same level as that of the controller. This feature simplifies the process of adding and maintaining a group of APs on an existing WLAN.

When the automatic AP upgrade feature is enabled, you can check the upgrade status of affected APs through syslog messages and SNMP traps that warn of an AP/controller software version mismatch. An alarm is dispatched to an SNMP manager if a mismatch exists. After the firmware is downloaded to the AP, the AP boots, attempts discovery, is checked, and after upgrading, runs the new software version. Once the match is confirmed, another set of syslog messages and SNMP traps are sent notifying that the AP/controller software versions match. Alarms are then cleared.

To disable this feature:

default# auto-ap-upgrade disable
default# show controller

Global Controller Parameters

Controller ID                                         : 1
Description                                           : 3dot4dot1 Controller
Host Name                                             : DC9
Uptime                                                : 03d:01h:17m:33s
Location                                              : Qa scale testbed near IT room
Contact                                               : Raju
Operational State                                     : Enabled
Availability Status                                   : Online
Alarm State                                           : No Alarm
Automatic AP Upgrade                                  : off
Virtual IP Address                                    : 192.168.9.3
Virtual Netmask                                       : 255.255.255.0
Default Gateway                                       : 192.168.9.1
DHCP Server                                           : 10.0.0.10
Statistics Polling Period (seconds)/0 disable Polling : 60
Audit Polling Period (seconds)/0 disable Polling      : 60
Software Version                                      : 3.7-49
Network Device Id                                     : 00:90:0b:07:9f:6a
System Id                                             : 245AA7436A21
Default AP Init Script                                :
DHCP Relay Passthrough                                : on
Controller Model                                      : mc3200
Country Setting                                       : United States Of America
Manufacturing Serial #                                : N/A
Management by wireless stations                       : on
Controller Index                                      : 0
Topology Information Update                           : off

Viewing AP Status

From the Web UI, view AP radio status by clicking Monitor > Dashboard > Radio or Monitor > Diagnostics > Radio. Click Help for descriptions of the charts. The icons at the bottom of all screens include a green AP (enabled) and a red AP (disabled); you can also see the same information at Monitor > Dashboard > System.

There are several CLI commands you can use to view AP status:


TABLE 26: Commands to View System Status

  • show ap [index]: Displays the status of the AP, such as serial number, uptime, operational status, availability, alarm state, security mode, privacy bit, boot script, AP model, and FPGA version. If the AP index is not specified, a summary of the AP status is displayed.
  • show antenna-property: Displays the antenna properties.
  • show ap-connectivity: Displays the access point connections.
  • show ap-discovered: Displays the list of discovered access points and stations.
  • show ap-limit: Displays how many APs are licensed for this controller.
  • show ap-siblings: Displays the AP Siblings table. APs operating on the same channel that can hear each other are AP siblings. APs can hear beacons with RSSI as low as -80 to -85 dBm, but RSSI values lower than this are not heard.
  • show ap-swap: Displays the access point replacement table.
  • show ess-ap: Displays the ESS-AP table for the access point.
  • show interfaces Dot11radio: Displays the configuration of the wireless interface.
  • show interfaces Dot11Radio statistics: Displays the statistics related to the wireless interface.
  • show regulatory-domain: Displays the regulatory information for the country.
  • show statistics top10-ap-problem: Displays a list of the top 10 problem access points.
  • show statistics top10-ap-talker: Displays a list of the top 10 most active access points.
  • show topoap: Displays the topology of all access points as seen by the coordinator.
  • show topoapap: Displays the Received Signal Strength Indicator (RSSI) between all pairs of APs.


FortiWLC – Configure Gain for External Antennas

Configure Gain for External Antennas

The total power that an AP produces must not exceed 30 dBi; this number includes any antenna gain. Therefore, if an antenna produces 2 dBi, the radio can produce 28 dBi. FortiWLC (SD) automatically sets antenna gain; in the case of an AP400, it assumes an antenna with 5 dBi and therefore sets the AP400 to 25 dBi. This may or may not be correct for your antenna.

To check and change antenna gain, follow these steps from FortiWLC (SD):

  1. Click Configuration > APs (under Devices).
  2. Select an AP ID.
  3. Click the Antenna Property tab.
  4. Select an Interface (1/2).
  5. Change the gain if needed.
  6. Click OK.

FortiWLC – Supported Modes of Operation for APs

Supported Modes of Operation for APs

AP332/AP400/AP832 and AP1000 with two radios can have both set to 5.0 GHz, but both radios cannot be set to 2.4 GHz. If you want to use both radios on 2.4 GHz, put the radios on separate channels.

AP1000 radios default to the following bands:

AP Model     Radio 1   Radio 2   Radio 3
AP122        BGN       AC
AP332        BGN       AN
AP1010       BGN
AP1020       BGN       AN
AP400        BGN       AN        Scanning on both bands (in AP433is)
AP822        BGN       AC
AP832        BGN       AC
FAP-U421EV   BGN       AC
FAP-U423EV   BGN       AC

Security Modes

Although AP400/AP1000 support all security modes supported by the 802.11i security standard (WEP, WPA, WPA2 and mixed mode), 802.11n supports only clear and WPA2 security. Even though you can configure any security mode for 802.11n, you only gain 11n benefits using WPA2 or clear. Because of this, any 11n client connected to an SSID configured for WEP or WPA will behave like a legacy ABG client. An 802.11n ESSID configured for either WEP or WPA has no 802.11n rates for that ESSID. If you configure an ESSID for Mixed Mode, 802.11n rates are enabled only for the WPA2 clients; WPA clients behave like legacy ABG clients. See the chart below for details.

ESSID Security    AP400/AP1000 Realize These 11n Benefits
Clear and WPA2    All 11n benefits are realized.
WEP and WPA       No 11n benefits are realized. Clients behave like legacy ABG clients.
Mixed Mode        11n performance in an ESS configured for mixed mode depends on the kind of application used in the network. Only WPA2 clients connected to mixed mode have 11n benefits. WPA clients behave like legacy ABG clients.

FortiWLC – Replacing Access Points

Replacing Access Points

You can replace APs in one of the following conditions:

  • If you have a faulty AP, you can replace it with a new AP of the same model as the faulty AP.
  • Migrate from an older AP model to a newer AP model.

Before Replacing Access Points

The following are important points to remember before you replace your access points:

  • Replacing one AP model with another usually preserves the settings of the original configuration. A newer AP may have settings that the older one does not; those settings will be set to the default.
  • Despite the fact that some AP settings and configurations can be carried over when replacing an AP, users cannot simply replace an AP400 with a different model (such as an AP1000). The two models have very different capabilities and configuration specifications and should not be considered synonymous.


How to Replace Access Points

If you are replacing existing APs with a newer model of APs, use the ap-swap command to ease the task of updating your site’s AP settings. To use the ap-swap command, you need the MAC addresses of the new and old APs. You can check the MAC addresses of the APs to be replaced with the show ap command.

The ap-swap command equates the MAC address of an AP that you want to replace with the MAC address of the new AP. By linking the numbers to an AP ID in the replacement table, the system can assign the configured settings from the old AP to the new AP. The settings that are tracked are the channel number, preamble, and power settings. After inputting the swap information, use the show ap-swap command to double check the AP MAC settings before physically swapping the APs.

Once you have double-checked the MAC addresses, take the old APs off-line by disconnecting them from the system. Replace the APs. When the APs are discovered, the replacement table is checked, and the changes are applied to the new APs. Once the new AP has been updated, the entry is removed from the replacement table.

To summarize the steps to replace the APs:

meru-wifi (config)# show ap            (gets the serial numbers of the APs you are replacing)
meru-wifi (config)# swap ap 00:0c:e6:00:00:66 00:CE:60:00:17:BD
meru-wifi (config)# exit
meru-wifi# show ap-swap

 AP Serial Number        New AP Serial Number
 00:0c:e6:00:00:66       00:ce:60:00:17:bd

AP Replacement Table(1 entry)
meru-wifi# show ap

After you have completed the commands for replacing APs, disconnect the old APs, make sure they show Disconnected/off-line status, and then replace the old APs with the new APs.


Configuration Updates After AP Replacements

TABLE 25: Configuration Updates After AP Replacement

AP Types: Both APs (the new one and the one that is replaced) are the same model
Configuration Changes: The following configurations are preserved:
  • ATS-Entry: AP name, location, Contact, Descr, KeepAlive
  • 802.11 Entry: RFType, Channel, Tx Power, Channel-Width, VCell Mode
  • ESS-AP Entry: BSSID, Channel
Other: This is usually used while replacing faulty APs.

AP Types: AP models are different
Configuration Changes: Only the following AP configurations will be preserved:
  • ATS-Entry: AP name, location, Contact, Descr, KeepAlive
The following Radio/BSSID configurations will be changed to the default setting for the newer AP model:
  • 802.11 Entry: RFType, Channel, Tx Power, Channel-Width, VCell Mode
  • ESS-AP Entry: BSSID, Channel
Other: This is usually done while migrating from older AP models to newer AP models. For example: migrating from AP1020/AP1010 to AP822.
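The ap-swap procedure above and Table 25 together describe a small state machine: a replacement table keyed by the old AP's MAC, consulted once when the new AP is discovered, carrying the ATS entry over always and the radio/BSSID settings only when the models match, then dropping the entry. The following Python model of that behaviour is an added illustration, not FortiWLC code; the field names, the per-model radio defaults and the sample AP configuration are constructed. It also validates MAC addresses before they enter the table, which is the kind of check that catches a letter-o-for-zero typo at the "show ap-swap" review step rather than after the hardware has been swapped.

```python
"""Model of the documented AP replacement table (added example, not FortiWLC code)."""
import re
from dataclasses import dataclass, replace

_MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


def normalize_mac(mac: str) -> str:
    """Return the MAC in lower-case colon form; reject malformed input
    (for example the letter o typed instead of a zero)."""
    m = mac.strip().lower()
    if not _MAC_RE.match(m):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return m


@dataclass(frozen=True)
class ApConfig:
    model: str
    # ATS entry: preserved for every replacement (Table 25)
    name: str
    location: str
    contact: str
    descr: str
    keepalive: int
    # 802.11 entry: preserved only when old and new model are the same
    rf_type: str
    channel: int
    tx_power: int
    channel_width: int
    vcell_mode: bool


# Constructed stand-ins for the controller's per-model radio defaults.
MODEL_RADIO_DEFAULTS = {
    "AP1020": dict(rf_type="AN", channel=36, tx_power=17, channel_width=40, vcell_mode=True),
    "AP822": dict(rf_type="AC", channel=36, tx_power=20, channel_width=80, vcell_mode=True),
}


class ReplacementTable:
    """Old-MAC -> new-MAC mapping consulted when an AP is discovered."""

    def __init__(self) -> None:
        self._entries: dict[str, str] = {}

    def add(self, old_mac: str, new_mac: str) -> None:
        old, new = normalize_mac(old_mac), normalize_mac(new_mac)
        if old == new:
            raise ValueError("old and new MAC addresses are identical")
        self._entries[old] = new

    def entries(self) -> dict[str, str]:
        """What 'show ap-swap' would list: review this before touching hardware."""
        return dict(self._entries)

    def on_discovery(self, mac: str, model: str, old_configs: dict[str, ApConfig]):
        """Apply the table to a newly discovered AP and return its resulting
        config, or None when the AP is not a registered replacement."""
        new = normalize_mac(mac)
        for old, mapped in list(self._entries.items()):
            if mapped != new:
                continue
            old_cfg = old_configs[old]
            if old_cfg.model == model:
                # Same model: ATS entry and radio settings both carried over.
                cfg = replace(old_cfg)
            else:
                # Different model: ATS entry kept, radio settings reset to the
                # new model's defaults.
                cfg = replace(old_cfg, model=model, **MODEL_RADIO_DEFAULTS[model])
            del self._entries[old]  # the entry is consumed once applied
            return cfg
        return None


def demo() -> tuple:
    """Faulty-AP swap (same model) followed by a model migration (AP1020 -> AP822)."""
    old = ApConfig("AP1020", "lobby-ap", "Floor 1", "netops", "lobby", 30,
                   "AN", 44, 14, 20, False)
    old_configs = {"00:0c:e6:00:00:66": old}

    table = ReplacementTable()
    table.add("00:0c:e6:00:00:66", "00:CE:60:00:17:BD")
    same_model = table.on_discovery("00:ce:60:00:17:bd", "AP1020", old_configs)

    table.add("00:0c:e6:00:00:66", "00:ce:60:00:17:bd")
    migrated = table.on_discovery("00:ce:60:00:17:bd", "AP822", old_configs)
    return same_model, migrated, len(table.entries())


if __name__ == "__main__":
    print(demo())
```

In the same-model case the returned config keeps channel 44 and power 14 from the old AP; in the migration case the name, location and contact survive while the radio fields come from the AP822 defaults, and the table is empty afterwards in both cases.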

FortiWLC – Roaming Across Controllers (RAC)

Roaming Across Controllers (RAC)

Clients can roam between access points connected to two different controllers in the same subnet or in different subnets. FortiWLC (SD) allows you to specify static or dynamic roaming.

Things to consider before enabling RAC

  • IP PREFIX validation has to be OFF in the RAC enabled ESS profile.
  • RAC can be enabled on more than one ESSID.
  • If any parameter of an ESSID profile is changed, then RAC must be stopped and the changes made in the ESSID must be updated on all controllers in the roaming domain. Ensure that the controller IP is reachable before adding its IP address to the roaming domain.
  • In the output of the show roaming-domain all command, a -1 value in the VLAN column indicates tunnelling to another controller in the roaming domain.

In static DHCP home configuration, you specify one of the controllers (in the roaming domain) as the home controller. A client associating with any controller in the roaming domain will receive an IP address from this home controller. Once a controller is set as the home controller, this applies to all the native VLAN, configured VLAN and dynamic VLAN configurations of that controller, as per the “tunnel interface type” set in the ESS profile.

In dynamic DHCP home configuration, a client associating with a controller for the first time continues to receive its IP address from that controller, which becomes the client’s home controller. To allow dynamic roaming, set the home controller IP address to 0.0.0.0.

Roaming Time-out

In a dynamic roaming scenario, if a client leaves the coverage area and returns after the configured timeout value, a fresh association happens and the client may get associated with a different controller as its home controller. The roaming time-out value (in minutes) for clients can be configured via CLI:

default(15)(config)# roaming-domain roam-time-out 70


Default and minimum timeout value is 60 minutes and maximum is 240 minutes. The roaming timeout countdown starts as soon as the client leaves the coverage area.

NOTE: When RAC is stopped, all existing clients are forcefully de-authenticated and forced to reconnect. This applies to all clients in the roaming domain, irrespective of whether a client has roamed or not.

Setting up RAC requires the following steps:

Static Roaming

  1. Specify an ESSID for the roaming domain.
  2. Add your controller’s IP address as the member controller.
  3. Add your controller’s IP address as the Home controller.
  4. Repeat the above steps for adding peer controllers. Ensure that you keep the same ESSID name and the home controller IP address.

Dynamic Roaming

  1. Specify an ESSID for the roaming domain.
  2. Add your controller’s IP address as the member controller.
  3. Add 0.0.0.0 as the IP address of the home controller.
  4. Repeat the above steps for adding peer controllers. Ensure that you keep the same ESSID name and the home controller IP address as 0.0.0.0.

Configuring Using WebUI

  1. Go to Configuration > Wired > RAC.
  2. In the Peer Controllers tab add the following:
  • ESSID: This should be replicated as-is across all controllers in the roaming domain.
  • Peer Controller IP address
  • Home DHCP controller IP address: IP address of the home controller in the roaming domain. All the DHCP packets from the visiting client will be forwarded to this home controller and delivered locally in the home controller.

Configuring Using CLI

A new CLI command, roaming-domain, with the following options is available to set up RAC:

  • essid – Specify the name of the common ESSID that is available in all 6 controllers in the roaming domain.
  • start – To start RAC.
  • stop – To stop RAC.
  • peer-controller – To specify the IP address of the peer controller in the roaming domain.
  • homedhcp-controller – To specify the home controller in the roaming domain.

Example:

default(15)(config)# roaming-domain start
default(15)(config)# roaming-domain essid Roaming1 peer-controller 10.10.1.20 homedhcp-controller 10.10.12.100

Dynamic DHCP home:

default(15)(config)# roaming-domain essid Roaming1 peer-controller 10.10.1.20 homedhcp-controller 0.0.0.0

Where essid is the name of the “ESS profile” string displayed in the show essid command.
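The RAC section lists several conditions that have to hold on every controller at once (same ESSID, same home DHCP controller, peers reachable and listed on both sides, IP prefix validation off, roam-time-out within 60..240 minutes), and a roaming domain that violates one of them fails in ways that only show up when a client roams. The following Python pre-flight check is an added example, not FortiWLC code: it takes the roaming-domain settings you have collected from each controller (the record format and the sample addresses are constructed) and reports every inconsistency before RAC is started.

```python
"""Consistency check for a RAC roaming domain (added example, not FortiWLC code)."""
from dataclasses import dataclass

DYNAMIC_HOME = "0.0.0.0"          # home controller value that selects dynamic roaming
MIN_TIMEOUT_MIN, MAX_TIMEOUT_MIN = 60, 240


@dataclass
class RoamingDomainEntry:
    """Constructed record of one controller's roaming-domain settings."""
    controller_ip: str
    essid: str
    peers: list            # peer-controller addresses configured on this controller
    home_controller: str   # homedhcp-controller value
    ip_prefix_validation: bool   # setting of the RAC-enabled ESS profile
    roam_time_out: int = 60      # minutes (documented default)


def roaming_mode(members: list) -> str:
    """'dynamic' when every member uses 0.0.0.0 as home, 'static' otherwise."""
    return "dynamic" if all(m.home_controller == DYNAMIC_HOME for m in members) else "static"


def check_roaming_domain(members: list) -> list:
    """Return the list of findings; an empty list means the domain is consistent."""
    findings = []
    member_ips = {m.controller_ip for m in members}

    # The common ESSID must be replicated as-is on every member.
    essids = {m.essid for m in members}
    if len(essids) != 1:
        findings.append(f"ESSID is not identical on all members: {sorted(essids)}")

    # Same home controller everywhere; for static roaming it must be a member.
    homes = {m.home_controller for m in members}
    if len(homes) != 1:
        findings.append(f"home controller differs between members: {sorted(homes)}")
    else:
        home = next(iter(homes))
        if home != DYNAMIC_HOME and home not in member_ips:
            findings.append(f"static home controller {home} is not a member of the domain")

    for m in members:
        # Every other member has to be listed as a peer on this controller.
        missing = member_ips - {m.controller_ip} - set(m.peers)
        if missing:
            findings.append(f"{m.controller_ip} does not list peer(s) {sorted(missing)}")
        if m.ip_prefix_validation:
            findings.append(f"{m.controller_ip}: IP prefix validation must be off in the RAC ESS profile")
        if not MIN_TIMEOUT_MIN <= m.roam_time_out <= MAX_TIMEOUT_MIN:
            findings.append(f"{m.controller_ip}: roam-time-out {m.roam_time_out} is outside "
                            f"{MIN_TIMEOUT_MIN}..{MAX_TIMEOUT_MIN} minutes")
    return findings


def demo() -> tuple:
    """A consistent dynamic domain and a static domain with four mistakes."""
    good = [
        RoamingDomainEntry("10.10.1.10", "Roaming1", ["10.10.1.20"], DYNAMIC_HOME, False, 70),
        RoamingDomainEntry("10.10.1.20", "Roaming1", ["10.10.1.10"], DYNAMIC_HOME, False, 70),
    ]
    bad = [
        RoamingDomainEntry("10.10.1.10", "Roaming1", ["10.10.1.20"], "10.10.1.10", False, 70),
        # ESSID case differs, peer list empty, prefix validation on, timeout below minimum
        RoamingDomainEntry("10.10.1.20", "roaming1", [], "10.10.1.10", True, 30),
    ]
    return roaming_mode(good), check_roaming_domain(good), check_roaming_domain(bad)


if __name__ == "__main__":
    mode, ok, problems = demo()
    print(mode, ok)
    print("\n".join(problems))
```

Run it with the real values from each controller's show roaming-domain all output and ESS profile; the check is deliberately strict about the ESSID string because the WebUI text above requires it to be replicated as-is.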

FortiWLC – Configuring 802.11k/r

Configuring 802.11k/r

Devices can now benefit from the 802.11r implementation to fast roam between the best available access points within a controller domain. Additionally, with the implementation of the 802.11k specification, 802.11k neighbor and radio measurement reports can now be calculated.

The fast roaming capability and 802.11k are configurable in the ESS profile.

Supported Access Points: AP122, AP822, AP832, OAP832

Limitations

  • Supported only for clients that are compliant with 802.11k/v/r specifications.
  • Fast roaming is not available in inter-controller roaming.

Enabling 802.11k

Using WebUI

Go to Configuration > Wireless > ESS and in the ESS Profile tab, change the following:
  • For 802.11r, select On.
  • For 802.11r Mobility Domain, enter an integer value.
  • For 802.11k, select On to perform radio measurements.

Using CLI

default(15)# configure terminal
default(15)(config)# essid fastroam-1
default(15)(config-essid)# 802.11r on
default(15)(config-essid)# 802.11k on
default(15)(config-essid)# 802.11r-mobility-domain-id 100

FortiWLC – Hotspot 2.0

Hotspot 2.0

Hotspot 2.0 is a specification by the Wi-Fi Alliance that specifies a framework for seamless roaming between WiFi networks and Cellular networks. The specification is based on the IEEE 802.11u standard; a Generic Advertisement Service (GAS) provides over-the-air transportation for frames of higher layer advertisements between stations, APs and external information servers. This feature allows users to configure hotspot profiles that can (optionally) be connected to existing ESS Profiles as desired. An ESS profile connected to a hotspot profile will advertise 802.11u capabilities in its beacons.

FAP-U42x and FAP-U32x are Passpoint R2 certified.

Adding a Hotspot 2.0 Profile

The Hotspot Profiles can be created from the Configuration > Wireless > Hotspot 2.0 page. By default, the page shows the following details about a Hotspot profile.

  • Hotspot Profile Name – Displays the name of the Hotspot Profile.
  • Description – Displays the Description provided for the Hotspot profile.
  • Venue Type – Displays the Venue Type.
  • Access Network Type – Select the Access Network Type from the list. The default selection is displayed as Private Network. The types are as follows:
    • Private Network
    • Private Network with Guest Access
    • Chargeable Public Network
    • Free Public Network
    • Personal Device Network
    • Emergency Services Only Network
    • Test or Experimental Network
    • Wildcard Network
  • IPv6 Availability – Select the IPv6 Availability from the list. The default selection is displayed as Address type not available. The types are as follows:
    • Address type available
    • Address type not available
    • Availability of the Address type not known
  • IPv4 Availability – Select the IPv4 Availability from the list. The default selection is displayed as Address type not available. The types are as follows:
    • Address type available
    • Address type not available
    • Availability of the Address type not known
    • Port-restricted IPv4 address available
    • Single NATed private IPv4 address available
    • Double NATed private IPv4 address available
    • Port-restricted IPv4 address and single NATed IPv4 address available
    • Port-restricted IPv4 address and double NATed IPv4 address available
  • Roaming Consortium – Enter the roaming ORG ID for the Hotspot profile. The valid range is 0-10 characters.
  • Operators – Enter multiple network operators. Select a language and enter a name. The valid range is 0 – 256 characters.
  • Venue – Enter multiple hotspot venues. Select a language and enter a name. The valid range is 0 – 512 characters.
  • 3GPP Cell Network – Provide the following details:
    • Country code of the operator.
    • 3GPP Cell Network MCC. The default value displayed is 0. The valid range is [0-999].
    • 3GPP Cell Network MNC. The default value displayed is 0. The valid range is [0-999].
  • Domain Name – Provide the Domain Name. The valid range is [0-128] chars.
  • NAI Realm from 1-10 – Provide the NAI Realm [1-10] from the list. The valid range is [0-50] chars.
  • NAI Realm Auth Method from 1-10 – Select the NAI Realm Auth Method [1-10] from the list. The valid range is [0-50] chars. The types are as follows:
    • EAP TLS Certificate
    • EAP TTLS MSCHAPv2 Username/Password
    • EAP SIM
    • EAP AKA
    • EAP AKA'
  • Advanced Settings – Provide the following configuration details for advanced settings:
    • HESSID – A globally unique identifier, used to give a single identifier for a group of APs connected to the same SP or other destination network(s).
    • GTK Per Station – Enables the Group Temporal Key (GTK) to be assigned per station.
    • Gas Come Back Flag – Enables the Generic Advertisement Service (GAS) comeback request/response option.
    • Gas Come Back Delay (millisecs) – At the end of the GAS comeback delay interval, the client can attempt to retrieve the query response using the comeback request action frame.
    • ASRA Flag – Enable the Additional Step Required for Access (ASRA) to indicate that the network requires one more step for access.
    • Authentication type – Configure the network authentication type required as per ASRA. Supported values are Acceptance of terms and conditions, On-line enrolment supported, http/https redirection, and DNS redirection.
    • Redirect URL – Specify the Redirect URL in case of http/https redirection and DNS redirection.

  • WAN Metrics – Provide the following configuration details for WAN metrics:
    • Link Status State – Select the status of the WAN link.
    • Symmetric Link – Enable symmetric bandwidth.
    • At Capacity – Select whether the WAN link is at capacity and no additional mobile devices will be allowed to associate with the AP.
    • Down Link speed/Up Link speed – The WAN backhaul link’s current downlink/uplink speed in KBPS.
    • Down Link load/Up Link load – The current percentage load of the downlink/uplink connection, measured over an interval whose duration is reported by the Load Measurement Duration.
    • Load Measurement Duration – The duration over which the downlink/uplink load is measured in KBPS.
  • Connection Capability – The Connection Capability enables filtering of protocols, allowing or restricting traffic on some protocols and ports. A set of system-defined protocols is listed. Additionally, you can also create rules for custom protocols.
  • QoS Map – Create a Quality of Service (QoS) policy by configuring the following DSCP ranges and DSCP exceptions:
    • DSCP Ranges – For a given DSCP range, specify the User Priority (valid range: 0-7), DSCP High Priority (valid range: 0-255), and DSCP Low Priority (valid range: 0-255).
    • DSCP Exceptions – For a given DSCP exception, specify the User Priority (valid range: 0-7) and the DSCP Value (valid range: 0-255).
  • OSU Settings – The Online Sign Up (OSU) Service settings configure one or more Hotspot providers offering OSU service:
    • Online Sign Up Support – Select to enable OSU.
    • OSEN Enable – Enable OSU Server-only authenticated layer-2 Encryption Network (OSEN) to indicate that the hotspot uses an OSEN network type. This network provisions clients using the OSU functionality.
    • OSU/OSEN ESSID – Specify the OSU ESSID.
    • OSU Server URL – Specify the URL of the OSU server.
    • OSU NAI – Specify the OSU NAI for authentication.

Click Settings to configure the OSU provider settings:

  • OSU Provider Friendly Names
  • OSU Provider Icons
  • OSU Provider Method – Select one of the OSU provider provisioning methods, OMADM or SOAP-XML.
  • OSU Provider Description – The description of the OSU Provider.

Select OK. The Hotspot Profile is added and displayed on the Hotspot Profile screen.
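Several of the profile fields above (Access Network Type, IPv4/IPv6 Availability, the ASRA flag, HESSID) map directly onto bit fields that the hotspot-linked ESS profile then advertises in its beacons and ANQP responses, so a packet capture is the definitive way to verify what a profile actually announces. The following Python encoder/decoder is an added example, not FortiWLC code: it builds the IEEE 802.11u Interworking element (element ID 107) and the one-octet ANQP IP Address Type Availability value from the option names on this page, and decodes a captured Interworking element back into those names. The numeric codes are the IEEE 802.11u assignments, which this page does not list and which are assumed here from the standard; the HESSID and profile values used are constructed.

```python
"""802.11u Interworking / IP Address Type Availability codec (added example, not FortiWLC code)."""
from __future__ import annotations

INTERWORKING_EID = 107  # IEEE 802.11 element ID of the Interworking element

# Access Network Type codes (IEEE 802.11u), keyed by the option names on this page.
ACCESS_NETWORK_TYPE = {
    "Private Network": 0,
    "Private Network with Guest Access": 1,
    "Chargeable Public Network": 2,
    "Free Public Network": 3,
    "Personal Device Network": 4,
    "Emergency Services Only Network": 5,
    "Test or Experimental Network": 14,
    "Wildcard Network": 15,
}
_TYPE_NAME = {v: k for k, v in ACCESS_NETWORK_TYPE.items()}

# IPv6 / IPv4 availability codes carried in the ANQP IP Address Type Availability element.
IPV6_AVAILABILITY = {
    "Address type not available": 0,
    "Address type available": 1,
    "Availability of the Address type not known": 2,
}
IPV4_AVAILABILITY = {
    "Address type not available": 0,
    "Address type available": 1,  # public IPv4 address available
    "Port-restricted IPv4 address available": 2,
    "Single NATed private IPv4 address available": 3,
    "Double NATed private IPv4 address available": 4,
    "Port-restricted IPv4 address and single NATed IPv4 address available": 5,
    "Port-restricted IPv4 address and double NATed IPv4 address available": 6,
    "Availability of the Address type not known": 7,
}


def access_network_options(net_type: str, internet: bool = True, asra: bool = False,
                           esr: bool = False, uesa: bool = False) -> int:
    """Access Network Options octet: bits 0-3 network type, bit 4 Internet,
    bit 5 ASRA (additional step required), bit 6 ESR, bit 7 UESA."""
    return (ACCESS_NETWORK_TYPE[net_type]
            | int(internet) << 4 | int(asra) << 5 | int(esr) << 6 | int(uesa) << 7)


def interworking_element(net_type: str, hessid: str | None = None,
                         venue: tuple[int, int] | None = None, **flags: bool) -> bytes:
    """Element ID, length, options octet, optional Venue Info (group, type)
    and optional 6-octet HESSID, in the order the standard lays them out."""
    body = bytes([access_network_options(net_type, **flags)])
    if venue is not None:
        body += bytes(venue)
    if hessid is not None:
        body += bytes.fromhex(hessid.replace(":", ""))
    return bytes([INTERWORKING_EID, len(body)]) + body


def ip_address_type_availability(ipv4: str, ipv6: str) -> int:
    """ANQP IP Address Type Availability octet: bits 0-1 IPv6, bits 2-7 IPv4."""
    return IPV6_AVAILABILITY[ipv6] | IPV4_AVAILABILITY[ipv4] << 2


def parse_interworking(elem: bytes) -> dict:
    """Decode an Interworking element (e.g. cut from a beacon capture) back
    into profile terms, rejecting lengths the element format does not allow."""
    if len(elem) < 3 or elem[0] != INTERWORKING_EID:
        raise ValueError("not an Interworking element")
    body = elem[2:]
    if elem[1] != len(body) or len(body) not in (1, 3, 7, 9):
        raise ValueError(f"invalid Interworking element length {elem[1]}")
    opts = body[0]
    decoded = {
        "access_network_type": _TYPE_NAME.get(opts & 0x0F, "Reserved"),
        "internet": bool(opts & 0x10),
        "asra": bool(opts & 0x20),
        "esr": bool(opts & 0x40),
        "uesa": bool(opts & 0x80),
    }
    rest = body[1:]
    if len(rest) in (2, 8):          # Venue Info present
        decoded["venue"] = (rest[0], rest[1])
        rest = rest[2:]
    if len(rest) == 6:               # HESSID present
        decoded["hessid"] = ":".join(f"{b:02x}" for b in rest)
    return decoded


if __name__ == "__main__":
    # Constructed profile: chargeable public network, ASRA set, constructed HESSID.
    elem = interworking_element("Chargeable Public Network", hessid="02:00:00:00:00:01", asra=True)
    print(elem.hex(), parse_interworking(elem))
```

The decoder is the useful half for verification: feed it the Interworking element bytes from a beacon of the hotspot-linked ESSID and compare the result with the profile you configured, in particular that the ASRA bit and HESSID are what you expect, since those are what roaming clients act on.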

The following operations can be performed on the Hotspot 2.0 profile.

  • Delete – Select a Hotspot Profile and click Delete. The selected Hotspot Profile gets deleted from the Hotspot Profile screen.
  • Edit – Select a Hotspot Profile and click Edit.
  • View – Allows you to view the details of the Hotspot Profile. Select a Hotspot Profile and click View.