FortiAP Management – Support for WPA3 on FAP

Support for WPA3 on FAP

This feature is implemented on FortiOS 6.2.0 B0816 and FAP-S/W2 6.2.0 b0218. In October 2017, Mathy Vanhoef published a document that exposed a flaw in WPA2 networks known as Key Reinstallation Attack (KRACK). To avoid the attack, the Wi-Fi Alliance announced in January that WPA2 enhancements and a new WPA3 standard were coming in 2018.

The Wi-Fi Alliance defines three areas for improvement:

  • Enhanced Open: The Wi-Fi Alliance proposes using Opportunistic Wireless Encryption (OWE) (RFC 8110)to improve security in such networks.
  • WPA3 Personal: WPA3-Personal utilizes Simultaneous Authentication of Equals (SAE). l WPA3 Enterprise: WPA3-Enterprise contains a new 192-bit security level.

All three areas incorporate Protected Management Frames (PMF) as a prerequisite to protect management frame integrity.

Configuration

  1. WPA3 OWE
    1. WPA3 OWE only: only Client which support WPA3 can connect with this SSID.

config wireless-controller vap

edit “80e_owe”

set ssid “80e_owe” set security owe set pmf enable set schedule “always”

next end

  1. WPA3 OWE TRANSITION: Client connected with normal OPEN or OWE depends on its capability. If client can support WPA3, it will connect with owe standard. If client not support WPA3, it will connect with Open SSID.

config wireless-controller vap

edit “80e_open” set ssid “80e_open” set security open set owe-transition enable set owe-transition-ssid “wpa3_open” set schedule “always” next edit “wpa3_owe_tr” set ssid “wpa3_open” set broadcast-ssid disable set security owe set pmf enable set owe-transition enable set owe-transition-ssid “80e_open” set schedule “always” next

  1. WPA3 SAE
  2. WPA3 SAE: Client with WPA3 support can connect with the SSID.

config wireless-controller vap

edit “80e_sae” set ssid “80e_sae” set security wpa3-sae set pmf enable set schedule “always” set sae-password 12345678

next end

  1. WPA3 SAE TRANSITION: There are two passwords in the SSID. Client will connect with WPA2 PSK if passphrase is used. Client will connect with WPA3 SAE if sae-password is used.

config wireless-controller vap

edit “80e_sae-tr” set ssid “80e_sae-transition” set security wpa3-sae-transition

set pmf optional set passphrase 11111111 set schedule “always” set sae-password 22222222

next end

  1. WPA3 Enterprise: When select security as wpa3-enterprise, the auth type can choose either radius authentication or local user authentication.

config wireless-controller vap edit “80e_wpa3” set ssid “80e_wpa3” set security wpa3-enterprise

set pmf enable set auth radius

set radius-server “wifi-radius” set schedule “always” next

edit “80e_wpa3_user” set ssid “80e_wpa3_user” set security wpa3-enterprise

set pmf enable set auth usergroup set usergroup “usergroup” set schedule “always”

next end

FortiAP Management – Configuring MAC filter on SSID

Configuring MAC filter on SSID

This guide provides instructions on simple configuration for enabling MAC filter on SSID. Consider the following for this feature:

  • The MAC filter function is independent of the SSID security mode.
  • To enable MAC filter on SSID, you must first configure the wireless controller address and wireless controller address group. This is covered in the CLI instructions below.

The following shows a simple network topology for this recipe:

To block a specific client from connecting to the SSID using MAC filter:

  1. Create a wireless controller address with the same MAC address as the client and set the policy to deny. In this example, the client’s MAC address is b4:ae:2b:cb:d1:72:

config wireless-controller address edit “client_1” set mac b4:ae:2b:cb:d1:72 set policy deny

next

end

  1. Create a wireless controller address group. Select the above address. Set the default policy to allow:

config wireless-controller addrgrp edit mac_grp set addresses “client_1” set default-policy allow

next

end

  1. On the virtual access point, select the created address group:

config wireless-controller vap edit wifi-vap set ssid “Fortinet-psk” set security wpa2-only-personal set passphrase fortinet set address-group “mac_grp”

next

end

After this configuration, the client (MAC address b4:ae:2b:cb:d1:72) is denied from connecting to SSID Fortinetpsk. Other clients, such as a client with MAC address e0:33:8e:e9:65:01, can connect.

To allow a specific client to connect to the SSID using MAC filter:

  1. Create a wireless controller address with the same MAC address as the client and set the policy to deny. In this example, the client’s MAC address is b4:ae:2b:cb:d1:72:

config wireless-controller address edit “client_1” set mac b4:ae:2b:cb:d1:72

set policy deny

next

end

  1. Create a wireless controller address group. Select the above address. Set the default policy to deny:

config wireless-controller addrgrp edit mac_grp set addresses “client_1” set default-policy deny

next

end

  1. On the virtual access point, select the created address group:

config wireless-controller vap edit wifi-vap set ssid “Fortinet-psk” set security wpa2-only-personal set passphrase fortinet set address-group “mac_grp”

next

end

After this configuration, the client (MAC address b4:ae:2b:cb:d1:72) can connect to SSID Fortinet-psk. Other clients, such as a client with MAC address e0:33:8e:e9:65:01, are denied from connecting.

FortiAP Management – Configuring quarantining on SSID

Configuring quarantining on SSID

This guide provides instructions on simple configuration for on SSID. Consider the following for this feature:

l The quarantine function only works with SSID tunnel mode. l The quarantine function is independent of SSID security mode.

The following shows a simple network topology for this recipe:

To quarantine a wireless client on the FortiOS GUI:

  1. In FortiOS, go to the policy applied to the SSID and enable All Sessions for Log Allowed Traffic.
  2. Edit the SSID:
    1. Go to WiFi & Switch Controller > SSID, and select the desired SSID.
    2. Enable Device Detection.
    3. Enable Quarantine Host.
    4. Click OK.
  3. Quarantine a wireless client:
    1. Do one of the following:
      1. Go to Security Fabric > Physical Topology. View the topology by access device.
      2. Go to FortiView > Traffic from LAN/DMZ > Source.
  • Go to FortiView > Traffic from LAN/DMZ > WiFi Clients.
  1. Right-click the wireless client, then click Quarantine Host.

To quarantine a wireless client using the FortiOS CLI:

  1. Under global quarantine settings, enable quarantine:

config user quarantine set quarantine enable

end

  1. Under virtual access point (VAP) settings, enable quarantine:

config wireless-controller vap edit wifi-vap set ssid “Fortinet-psk” set security wpa2-only-personal set passphrase fortinet set quarantine enable

next

end

  1. Quarantine a wireless client. The example client has the MAC address b4:ae:2b:cb:d1:72:

config user quarantine config targets edit “DESKTOP-Surface” config macs edit b4:ae:2b:cb:d1:72 set description “Surface”

next

end

next

end

end

FortiAP Management – Deploying captive portal SSID to FortiAP units

Deploying captive portal SSID to FortiAP units

The guide provides simple configuration instructions for developing captive portal SSID with FortiAP. The steps include creating an SSID, selecting the SSID for the FortiAP, and creating a policy from the SSID to the Internet.

The following shows a simple network topology for this recipe:

To deploy captive portal SSID to FortiAP units on the FortiOS GUI:

  1. Create a local user:
    1. Go to User& Device > UserDefinition, then click Create New.
    2. In the Users/Groups Creation Wizard, select Local User, then click Next.
    3. Enter the desired values in the Username and Password fields, then click Next.
    4. On the Contact Info tab, fill in any information as desired, then click You do not need to configure any contact information for the user.
    5. On the Extra Info tab, set the UserAccount Status to Enabled.
    6. If the desired user group already exists, enable UserGroup, then select the desired user group. Click Submit.
  2. Create a user group:
    1. Go to User& Device > UserGroups, then click Create New.
    2. Enter the desired group name.
    3. For Type, select Firewall.
    4. For Members, click the + button. In the dropdown list, select the local user created in step 1. Click OK. Click OK.
  3. Create a captive portal SSID:
    1. Go to WiFi & Switch Controller> SSID, select SSID, then click Create New.
    2. Enter the desired interface name. For Traffic mode, select Tunnel.
    3. In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default. You can modify the DHCP IP address range manually.
    4. In the SSID field, enter the desired SSID name. For Captive Portal, select Security.
    5. Configure the portal type as one of the following:
      1. For Portal Type, select Authentication. In the UserGroup dropdown list, select the user group created in step 2.
      2. For Portal Type, select Disclaimer+ Authentication. In the UserGroup dropdown list, select the user group created in step 2.
  • For Portal Type, select DisclaimerOnly.
  1. To configure the portal type as email collection, go to System > Feature Visibility, and enable Email Collection, then select Email Collection for Portal Type.
  1. Click OK.
  1. Select the SSID on a managed FortiAP. The following configuration is based on a example using a managed FortiAP-320C and a “FAP320C-default” profile that is applied to the FortiAP-320C. Do one of the following: Select the SSID by editing the FortiAP:
  2. Go to WiFi & Switch Controller> Managed FortiAPs. Select the FortiAP-320C and click Edit. ii. Ensure that Managed AP Status is Connected.
    • Under WiFi Setting, ensure that the configured FortiAP profile is the desired profile, in this case FAP320C-default. Click Edit entry.
  1. To broadcast the SSID from 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
  2. To broadcast the SSID from 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
  3. Click OK.
  4. Select the SSID by editing the FortiAP profile:
  1. Go to WiFi & Switch Controller> FortiAP Profile. Select the FAP320C-default profile, then click Edit.
  2. To broadcast the SSID from 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID. To broadcast the SSID from 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
  3. Click OK.
  4. Create the SSID-to-Internet firewall policy:
  5. Go to Policy & Objects > IPv4 Policy, then click Create New.
  6. Enter the desired policy name.
  7. From the Incoming Interface dropdown list, select the source interface, such as wifi-vap.
  8. From the Outgoing Interface dropdown list, select the destination interface, such as wan1.
  9. In the Source and Destination fields, select all. In the Service field, select ALL. If desired, you can configure different values for these fields.
  10. Click OK.

To deploy captive portal SSID to FortiAP units using the FortiOS CLI:

  1. Create a local user:

config user local edit “local” set type password set passwd 123456

next

end

  1. Create a user group:

config user group edit “group-local” set member “local”

next

end

  1. Create a captive portal SSID. Do one of the following:
    1. Create a captive portal SSID with portal type Authentication:

config wireless-controller vap edit “wifi-vap” set ssid “Fortinet-Captive” set security captive-portal

set portal-type auth

set selected-usergroups “group-local”

next

end

  1. Create a captive portal SSID with portal type Disclaimer+ Authentication:

config wireless-controller vap edit “wifi-vap” set ssid “Fortinet-Captive” set security captive-portal set portal-type auth+disclaimer set selected-usergroups “group-local”

next

end

  1. Create a captive portal SSID with portal type DisclaimerOnly:

config wireless-controller vap edit “wifi-vap” set ssid “Fortinet-Captive” set security captive-portal set portal-type disclaimer

next

end

  1. Create a captive portal SSID with portal type Email Collection:

config wireless-controller vap edit “wifi-vap” set ssid “Fortinet-Captive” set security captive-portal set portal-type email-collect

next

end

  1. Configure an IP address and enable DHCP:

config system interface edit “wifi-vap” set ip 10.10.80.1 255.255.255.0

next

end

config system dhcp server

edit 1 set dns-service default set default-gateway 10.10.80.1 set netmask 255.255.255.0 set interface “wifi-vap” config ip-range edit 1 set start-ip 10.10.80.2 set end-ip 10.10.80.254

next

end

set timezone-option default

next

end

  1. Select the SSID on a managed FortiAP. The following configuration is based on a example using a managed FortiAP-320C and a “FAP320C-default” profile that is applied to the FortiAP-320C:

config wireless-controller wtp edit “FP320C3X14000640” set admin enable

set wtp-profile “FAP320C-default”

next

end

config wireless-controller wtp-profile edit “FAP320C-default” config radio-1 set vap-all disable set vaps “wifi-vap”

end config radio-2 set vap-all disable set vaps “wifi-vap”

end

next

end

  1. Create the SSID-to-Internet firewall policy: config firewall policy

edit 1 set name “WiFi to Internet” set srcintf “wifi-vap” set dstintf “wan1” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL” set fsso disable set nat enable

next

end

FortiAP Management – Deploying WPA2-Enterprise SSID to FortiAP units

Deploying WPA2-Enterprise SSID to FortiAP units

The guide provides simple configuration instructions for developing WPA2-Enterprise SSID with FortiAP. The steps include creating an SSID, selecting the SSID for the FortiAP, and creating a policy from the SSID to the Internet.

The following shows a simple network topology for this recipe:

To deploy WPA2-Enterprise SSID to FortiAP units on the FortiOS GUI:

  1. Create an SSID as WPA2-Enterprise. Do one of the following:
  2. Create an SSID as WPA2-Enterprise with authentication from a RADIUS server:
  3. Create a RADIUS server:
  4. Go to User& Device > RADIUS Servers, then click Create New.
  5. Enter a server name. In the Primary Server> IP/Name field, enter the IP address or server name. iv. In the Primary Server> Secret field, enter the secret key.
    1. Click Test Connectivity to verify the connection with the RADIUS server.
    2. Click Test UserCredentials to verify that the user account can be authenticated with the RADIUS server.
  • Click OK.
  1. Create a WPA2-Enterprise SSID:
  1. Go to WiFi & Switch Controller> SSID, select SSID, then click Create New.
  2. Enter the desired interface name. For Traffic mode, select Tunnel.
  • In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default. You can modify the DHCP IP address range manually.
  1. In the SSID field, enter the desired SSID name. For Security, select WPA2 Enterprise.
  2. In the Authentication field, select RADIUS Server. From the dropdown list, select the RADIUS server created in step i.
  3. Click OK.
  4. Create an SSID as WPA2-Enterprise with authentication from a user group:
  5. Create a user group:
    1. Go to User& Device > UserGroups, then click Create New.
    2. Enter the desired group name. For Type, select Firewall.
    3. For Remote Groups, click the + button. In the dropdown list, select the desired RADIUS server. Click OK.
    4. Click OK.
  6. Create a WPA2-Enterprise SSID:
    1. Go to WiFi & Switch Controller> SSID, select SSID, then click Create New.
    2. Enter the desired interface name. For Traffic mode, select Tunnel.
    3. In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default. You can modify the DHCP IP address range manually.
    4. In the SSID field, enter the desired SSID name. For Security, select WPA2 Enterprise.
    5. In the Authentication field, select RADIUS Server. From the dropdown list, select the RADIUS server created in step i.
    6. Click OK.
  7. Select the SSID on a managed FortiAP. The following configuration is based on a example using a managed FortiAP-320C and a “FAP320C-default” profile that is applied to the FortiAP-320C. Do one of the following: Select the SSID by editing the FortiAP:
  8. Go to WiFi & Switch Controller> Managed FortiAPs. Select the FortiAP-320C and click Edit. ii. Ensure that Managed AP Status is Connected.
    • Under WiFi Setting, ensure that the configured FortiAP profile is the desired profile, in this case FAP320C-default. Click Edit entry.
  1. To broadcast the SSID from 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to select the Fortinet-PSK SSID.
  2. To broadcast the SSID from 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to select the Fortinet-PSK SSID.
  3. Click OK.
  4. Select the SSID by editing the FortiAP profile:
  5. Go to WiFi & Switch Controller> FortiAP Profile. Select the FAP320C-default profile, then click Edit.
  6. To broadcast the SSID from 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
  • To broadcast the SSID from 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
  1. Click OK.
  1. Create the SSID-to-Internet firewall policy:
    1. Go to Policy & Objects > IPv4 Policy, then click Create New.
    2. Enter the desired policy name.
    3. From the Incoming Interface dropdown list, select the source interface, such as wifi-vap.
    4. From the Outgoing Interface dropdown list, select the destination interface, such as wan1.
    5. In the Source and Destination fields, select all. In the Service field, select ALL. If desired, you can configure different values for these fields.
    6. Click OK.

To deploy WPA2-Enterprise SSID to FortiAP units using the FortiOS CLI:

  1. Create a RADIUS server:

config user radius edit “wifi-radius” set server “172.16.200.55” set secret fortinet

next

end

  1. Create a user group:

config user group edit “group-radius” set member “wifi-radius”

next

end

  1. Create a WPA2-Enterprise SSID:
    1. Create an SSID with authentication from the RADIUS server:

config wireless-controller vap edit “wifi-vap” set ssid “Fortinet-Ent-Radius” set security wpa2-only-enterprise set auth radius

set radius-server “wifi-radius”

next

end

  1. Create an SSID with authentication from the user group:

config wireless-controller vap edit “wifi-vap” set ssid “Fortinet-Ent-Radius” set security wpa2-only-enterprise set auth usergroup set usergroup “group-radius”

next

end

  1. Configure an IP address and enable DHCP:

config system interface edit “wifi-vap” set ip 10.10.80.1 255.255.255.0

next end config system dhcp server

edit 1 set dns-service default set default-gateway 10.10.80.1 set netmask 255.255.255.0 set interface “wifi-vap” config ip-range edit 1 set start-ip 10.10.80.2 set end-ip 10.10.80.254

next

end

set timezone-option default

next

end

  1. Select the SSID on a managed FortiAP. The following configuration is based on a example using a managed FortiAP-320C and a “FAP320C-default” profile that is applied to the FortiAP-320C:

config wireless-controller wtp edit “FP320C3X14000640” set admin enable

set wtp-profile “FAP320C-default”

next

end

config wireless-controller wtp-profile edit “FAP320C-default” config radio-1 set vap-all disable set vaps “wifi-vap”

end config radio-2 set vap-all disable set vaps “wifi-vap”

end

next

end

  1. Create the SSID-to-Internet firewall policy: config firewall policy

edit 1 set name “WiFi to Internet” set srcintf “wifi-vap” set dstintf “wan1” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL” set fsso disable set nat enable

next end

FortiAP Management – Deploying WPA2-Personal SSID to FortiAP units

Deploying WPA2-Personal SSID to FortiAP units

The guide provides simple configuration instructions for developing WPA2-Personal SSID with FortiAP. The steps include creating an SSID, selecting the SSID for the FortiAP, and creating a policy from the SSID to the Internet.

The following shows a simple network topology for this recipe:

To deploy WPA2-Personal SSID to FortiAP units on the FortiOS GUI:

  1. Create a WPA2-Personal SSID:
    1. Go to WiFi & Switch Controller> SSID, select SSID, then click Create New.
    2. Enter the desired interface name. For Traffic mode, select Tunnel.
    3. In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default. You can modify the DHCP IP address range manually.
    4. In the SSID field, enter the desired SSID name. For Security, select WPA2 Personal.
    5. In the Pre-Shared Key field, enter the password. The password must be 8 to 63 characters long, or exactly 64 academical digits.
    6. Click OK.
  2. Select the SSID on a managed FortiAP. The following configuration is based on a example using a managed FortiAP-320C and a “FAP320C-default” profile that is applied to the FortiAP-320C. Do one of the following: Select the SSID by editing the FortiAP:
  3. Go to WiFi & Switch Controller> Managed FortiAPs. Select the FortiAP-320C and click Edit. ii. Ensure that Managed AP Status is Connected.
    • Under WiFi Setting, ensure that the configured FortiAP profile is the desired profile, in this case FAP320C-default. Click Edit entry.
  1. To broadcast the SSID from 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to select the Fortinet-PSK SSID.
  2. To broadcast the SSID from 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to select the Fortinet-PSK SSID.
  3. Click OK.
  4. Select the SSID by editing the FortiAP profile:
  5. Go to WiFi & Switch Controller> FortiAP Profile. Select the FAP320C-default profile, then click Edit.
  6. To broadcast the SSID from 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID. To broadcast the SSID from 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
  7. Click OK.
  1. Create the SSID-to-Internet firewall policy:
  2. Go to Policy & Objects > IPv4 Policy, then click Create New.
  3. Enter the desired policy name.
  4. From the Incoming Interface dropdown list, select the source interface, such as wifi-vap.
  5. From the Outgoing Interface dropdown list, select the destination interface, such as wan1.
  6. In the Source and Destination fields, select all. In the Service field, select ALL. If desired, you can configure different values for these fields.
  7. Click OK.

To deploy WPA2-Personal SSID to FortiAP units using the FortiOS CLI:

  1. Create a WPA2-Personal SSID:
  2. Create a VAP interface named “wifi-vap”:

config wireless-controller vap edit “wifi-vap” set ssid “Fortinet-psk” set security wpa2-only-personal set passphrase fortinet

next

end

  1. Configure an IP address and enable DHCP:

config system interface edit “wifi-vap” set ip 10.10.80.1 255.255.255.0

next

end

config system dhcp server edit 1 set dns-service default set default-gateway 10.10.80.1 set netmask 255.255.255.0 set interface “wifi-vap” config ip-range edit 1 set start-ip 10.10.80.2 set end-ip 10.10.80.254

next

end

set timezone-option default

next

end

  1. Select the SSID on a managed FortiAP. The following configuration is based on a example using a managed FortiAP-320C and a “FAP320C-default” profile that is applied to the FortiAP-320C:

config wireless-controller wtp edit “FP320C3X14000640” set admin enable

set wtp-profile “FAP320C-default”

next

end

config wireless-controller wtp-profile edit “FAP320C-default” config radio-1 set vap-all disable

set vaps “wifi-vap”

end config radio-2 set vap-all disable set vaps “wifi-vap”

end

next

end

  1. Create the SSID-to-Internet firewall policy: config firewall policy edit 1 set name “WiFi to Internet” set srcintf “wifi-vap” set dstintf “wan1” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL” set fsso disable set nat enable

next

end

FortiAP Management – Set up a mesh connection between FortiAP units

Set up a mesh connection between FortiAP units

To set up a WiFi mesh connection, a minimum of three devices are required:

  1. A FortiGate as the AP Controller (AC)
  2. A FortiAP as the Mesh Root AP (MRAP)
  3. A FortiAP as a Mesh Leaf AP (MLAP).

Configuring the AC

These instructions assume that the MRAP is already being managed by the AC (see Configuring the FortiGate interface to manage FortiAP units on page 639 and Discovering, authorizing, and deauthorizing FortiAP units on page 640).

To configure the AC:

  1. Go to WiFi & Switch Controller> SSID and create a mesh SSID.
  2. Go to WiFi & Switch Controller> Managed FortiAPs, edit the MRAP, and assign the mesh SSID to the MRAP, and wait for a connection.

Configuring the MLAP

The MLAP can be configured to use the mesh link as its Main uplink or a Backup link for Ethernet connections.

To configure the MLAP:

  1. On the FortiAP, go to Connectivity.
  2. Set Uplink to Mesh or Ethernet with mesh backup support.
  3. Enter a mesh SSID and password.
  4. Optionally, select Ethernet Bridge (see Main uplink on page 646). This option is not available if Uplink is set to Ethernet with mesh backup support.

Once the MLAP has joined the AC, it can be managed in the same way as a wired AP.

A mesh SSID can also be assigned to an MLAP for other downstream MLAPs, creating a multi-hop WiFi mesh network. The maximum hop count has a default value of 4, and can be configured in the FAP console with the following commands:

cfg -a MESH_MAX_HOPS=n cfg -c

Main uplink

When a mesh link is set as the main uplink of the MLAP, the Ethernet port on the MLAP can be set up as a bridge to the mesh link. This allows downstream wired devices to use the mesh link to connect to the network.

To enable a mesh Ethernet bridge, select Ethernet Bridge in the FortiAP Connectivity section in the GUI, or use the following console commands:

cfg -a MESH_ETH_BRIDGE=1 cfg -c

Backup link for Ethernet connections

When a mesh link is set to be the backup link for an Ethernet connection, the mesh link will not be established unless the Ethernet connection goes offline. When a mesh link is in this mode, the Ethernet port cannot be used as a bridge to the mesh link.

FortiAP Management – Discovering, authorizing, and deauthorizing FortiAP units

Discovering, authorizing, and deauthorizing FortiAP units

AC actions when a FortiAP attempts to get discovered

Enable the ap-discover setting on the AC for the interface designed to manage FortiAPs:

config system interface edit “lan” set ap-discover enable

next

end

The set ap-discover enable setting allows the AC to create an entry in the Managed FortiAPs table when it receives the FortiAP’s discovery request. The ap-discover setting is enabled by the factory default settings. When the FAP entry is created automatically, it is marked as discovered status, and is pending for administrator’s authorization, unless the following setting is present.

config system interface edit “lan” set auto-auth-extension-device enable

next

end

The above set auto-auth-extension-device enable setting will allow AC authorize an new discovered FAP automatically without administrator’s manual authorization operation. The auto-auth-extension-device setting is disabled by factory default.

Authorize a discovered FAP

Once the FAP discovery request is received by AC, an FAP entry will be added to Managed FAP table, and shown on GUI > Managed FortiAP list page.

To authorize the specific AP, click to select the FAP entry, then click Authorize button on the top of the table or Authorize entry in the pop-out menu.

Through GUI, authorization can also be done in FAP detail panel, under Action menu.

The authorization can also be done through CLI with follow commands.

config wireless-controller wtp edit “FP423E3X16000320” set admin enable

next

end

De-authorize a managed FAP

To de-authorize a managed FAP, click to select the FAP entry, then click Deauthorize button on the top of the table or Deauthorize entry in the pop-out menu.

Through GUI, de-authorization can also be done in FAP detail panel, under Action menu.

The de-authorization can also be done through CLI with follow commands.

config wireless-controller wtp edit “FP423E3X16000320” set admin discovered

next

end