Access point deployment

To specify the controller’s IP address on a FortiAP unit

cfg -a AC_IPADDR_1="192.168.0.100"

By default, the FortiAP unit receives its IP address, netmask, and gateway address by DHCP. If you prefer, you can assign these statically.

 

To assign a static IP address to the FortiAP unit

cfg -a ADDR_MODE=STATIC
cfg -a AP_IPADDR="192.168.0.100"
cfg -a AP_NETMASK="255.255.255.0"
cfg -a IPGW=192.168.0.1
cfg -c

The final cfg -c command commits the settings so that they survive a reboot.

For information about connecting to the FortiAP CLI, see Connecting to the FortiAP CLI on page 856.

 

Broadcast request

The AP unit broadcasts a discovery request message to the network and the controller replies. The AP and the controller must be in the same broadcast domain. No configuration adjustments are required.

 

Multicast request

The AP unit sends a multicast discovery request and the controller replies with a unicast discovery response message. The AP and the controller do not need to be in the same broadcast domain if multicast routing is properly configured.

The default multicast destination address is 224.0.1.140. It can be changed through the CLI. The address must be the same on the controller and the AP.

 

To change the multicast address on the controller

config wireless-controller global
    set discovery-mc-addr 224.0.1.250
end

 

To change the multicast address on a FortiAP unit

cfg -a AC_DISCOVERY_MC_ADDR="224.0.1.250"

For information about connecting to the FortiAP CLI, see Connecting to the FortiAP CLI.

 

DHCP

If you use DHCP to assign an IP address to your FortiAP unit, you can also provide the WiFi controller IP address at the same time. This is useful if the AP is located remotely from the WiFi controller and other discovery techniques will not work.

When you configure the DHCP server, configure Option 138 (the CAPWAP Access Controller address option) to carry the WiFi controller IP address. Many DHCP servers require the value in hexadecimal: convert each octet separately, from left to right, into two hex digits and concatenate them. For example, 192.168.0.1 becomes C0A80001.

If Option 138 is used for some other purpose on your network, you can use a different option number if you configure the AP units to match.

 

To change the FortiAP DHCP option code

To use option code 139, for example, enter:

cfg -a AC_DISCOVERY_DHCP_OPTION_CODE=139

For information about connecting to the FortiAP CLI, see Connecting to the FortiAP CLI.
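As an added worked example (not part of the original handbook text, and not Fortinet code), the following Python encodes one or more controller addresses into the Option 138 hex payload in the way the DHCP section describes, decodes a payload back into dotted quads so you can check what a DHCP server is really handing out (from a capture or a configuration dump), and renders the equivalent ISC dhcpd and dnsmasq lines so no manual hex conversion is needed on those servers. Option 138 is the CAPWAP Access Controller IPv4 address option (RFC 5417), whose payload is a list of raw 4-byte addresses, so the encoder accepts several controllers; whether a given FortiAP firmware uses entries beyond the first is not stated on this page and is not assumed here. The dhcpd option name capwap-ac-v4 is a label chosen for the example, and the sample addresses are constructed.

```python
"""Build and check DHCP Option 138 (CAPWAP AC IPv4 address) payloads for FortiAP discovery.

Added example, not Fortinet code. Option 138 carries one or more IPv4
addresses as raw 4-byte values (RFC 5417), which is why 192.168.0.1 becomes
the hex string C0A80001.
"""
import ipaddress


def option138_encode(controllers):
    """Return the Option 138 payload as uppercase hex.

    Each controller address is converted octet by octet (in the order the
    address is written) and the 4-byte values are concatenated. Anything that
    is not an IPv4 address raises ValueError instead of producing a bad option.
    """
    if not controllers:
        raise ValueError("at least one controller address is required")
    payload = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    return payload.hex().upper()


def option138_decode(hex_payload):
    """Parse an Option 138 payload (plain, colon-, dot- or space-separated hex) back to addresses.

    Use this to verify what a DHCP server is actually sending. A payload whose
    length is not a non-empty multiple of 4 bytes is malformed.
    """
    cleaned = "".join(ch for ch in hex_payload if ch not in ":.- ")
    data = bytes.fromhex(cleaned)
    if not data or len(data) % 4:
        raise ValueError(
            f"Option 138 payload must be a non-empty multiple of 4 bytes, got {len(data)}"
        )
    return [str(ipaddress.IPv4Address(data[i:i + 4])) for i in range(0, len(data), 4)]


def dhcpd_option(controllers, code=138):
    """Render ISC dhcpd lines for the option.

    dhcpd can declare a custom option as an array of ip-address, so the
    addresses are written in dotted-quad form. `code` can be changed (e.g. 139)
    when AC_DISCOVERY_DHCP_OPTION_CODE on the FortiAP has been changed to match.
    The option name capwap-ac-v4 is a label chosen for this example.
    """
    addrs = ", ".join(str(ipaddress.IPv4Address(c)) for c in controllers)
    return (
        f"option capwap-ac-v4 code {code} = array of ip-address;\n"
        f"option capwap-ac-v4 {addrs};"
    )


def dnsmasq_option(controllers, code=138):
    """Render the dnsmasq equivalent, which also accepts dotted-quad values directly."""
    addrs = ",".join(str(ipaddress.IPv4Address(c)) for c in controllers)
    return f"dhcp-option={code},{addrs}"


if __name__ == "__main__":
    controllers = ["192.168.0.1", "10.0.0.138"]  # constructed sample controller addresses
    print("Option 138 hex:", option138_encode(controllers))        # C0A800010A00008A
    print("decoded:", option138_decode("c0:a8:00:01:0a:00:00:8a"))
    print(dhcpd_option(controllers))
    print(dnsmasq_option(controllers, code=139))
```

The decoder is the part worth keeping at hand: when an AP does not find its controller, compare the decoded value with the controller address you expect and check that the option code matches the AP's AC_DISCOVERY_DHCP_OPTION_CODE before looking anywhere else.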

 

Wireless client load balancing for high-density deployments

Wireless load balancing allows your wireless network to distribute wireless traffic more efficiently among wireless access points and available frequency bands. FortiGate wireless controllers support the following types of client load balancing:

  • Access Point Hand-off – the wireless controller signals a client to switch to another access point.
  • Frequency Hand-off – the wireless controller monitors the usage of 2.4GHz and 5GHz bands, and signals clients to switch to the lesser-used frequency.

Load balancing is not applied to roaming clients.

 

Access point hand-off

Access point handoff wireless load balancing involves the following:

  • If the load on an access point (ap1) exceeds a threshold (for example, 30 clients), the wireless controller signals the client with the weakest signal to drop off ap1 and join another nearby access point (ap2).
  • When one or more access points are overloaded (for example, more than 30 clients) and a new client attempts to join the wireless network, the wireless controller selects the least busy access point that is closest to the new client; that access point is the one that responds to the client and the one that the client joins.

Frequency hand-off or band-steering

Encouraging clients to use the 5GHz WiFi band where possible lets those clients benefit from the faster and typically less congested 5GHz band. The clients that remain on 2.4GHz benefit from reduced contention.

The WiFi controller probes clients to determine their WiFi band capability. It also records the RSSI (signal strength) for each client on each band.

If a new client attempts to join the network, the controller looks up that client’s MAC address in its wireless device table and determines whether it is a dual band device. If it is not a dual band device, it is allowed to join. If it is a dual band device, its RSSI on 5GHz is used to determine whether the device is close enough to an access point to benefit from moving to the 5GHz band.

If both conditions are met (the device is dual band and its 5GHz RSSI is strong), the wireless controller does not reply to the client’s join request on 2.4GHz. This forces the client to retry a few more times, time out, and attempt to join the same SSID on 5GHz. Once the controller sees this new request on 5GHz, the RSSI is measured again and the client is allowed to join. If the RSSI is below the threshold, the device table is updated and the controller forces the client to time out again; the client’s second attempt to connect on 2.4GHz is then accepted.

 

Configuration

From the web-based manager, edit a custom AP profile and select Frequency Handoff and AP Handoff as required for each radio on the AP.

From the CLI, you configure wireless client load balancing thresholds for each custom AP profile. Enable access point hand-off and frequency hand-off separately for each radio in the custom AP profile.

config wireless-controller wtp-profile
    edit new-ap-profile
        set handoff-rssi <rssi_int>
        set handoff-sta-thresh <clients_int>
        config radio-1
            set frequency-handoff {disable | enable}
            set ap-handoff {disable | enable}
        end
        config radio-2
            set frequency-handoff {disable | enable}
            set ap-handoff {disable | enable}
        end
    next
end

Where:

  • handoff-rssi is the RSSI threshold. Dual band clients whose 5GHz RSSI is above this value are steered to the 5GHz band. Default is 25. Range is 20 to 30.
  • handoff-sta-thresh is the access point handoff threshold. If the access point has more clients than this threshold it is considered busy and clients are moved to another access point. Default is 30. Range is 5 to 35.
  • frequency-handoff enable or disable frequency handoff load balancing for this radio. Disabled by default.
  • ap-handoff enable or disable access point handoff load balancing for this radio. Disabled by default. Frequency handoff must be enabled on the 5GHz radio to learn client capability.
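As an added example (not Fortinet’s code, and not a description of the controller’s internals), the following Python models the decision rules stated above for frequency hand-off and access point hand-off, using the handoff-rssi and handoff-sta-thresh thresholds with their defaults of 25 and 30. It lets you trace how a dual band client is left unanswered on 2.4GHz, accepted on 5GHz when its RSSI is at or above handoff-rssi, and accepted on its second 2.4GHz attempt when it is not, alongside which client an overloaded AP sheds and which AP answers a new client. The device-table fields, the retry flag, the client MAC addresses and AP names, and the RSSI tie-break when picking an AP are assumptions made for illustration.

```python
"""Model of the FortiGate wireless-controller load-balancing decisions described above.

Added example, not Fortinet code: it reproduces the decision rules the text
gives for frequency hand-off (band steering) and access point hand-off so the
effect of handoff-rssi and handoff-sta-thresh can be traced on sample clients.
The real controller's device table layout and retry bookkeeping are not on the
page; the ones used here are assumptions.
"""
from dataclasses import dataclass, field

BAND_24 = "2.4GHz"
BAND_5 = "5GHz"
ACCEPT = "accept"  # controller answers the join request
IGNORE = "ignore"  # controller stays silent; the client retries, times out, tries the other band


@dataclass
class Client:
    dual_band: bool
    rssi: dict = field(default_factory=dict)  # last RSSI seen per band
    steered_off_24: bool = False              # assumption: one 2.4GHz join was already ignored


class Controller:
    def __init__(self, handoff_rssi=25, handoff_sta_thresh=30):
        # CLI ranges: handoff-rssi 20..30 (default 25), handoff-sta-thresh 5..35 (default 30)
        if not 20 <= handoff_rssi <= 30:
            raise ValueError("handoff-rssi must be in 20..30")
        if not 5 <= handoff_sta_thresh <= 35:
            raise ValueError("handoff-sta-thresh must be in 5..35")
        self.handoff_rssi = handoff_rssi
        self.handoff_sta_thresh = handoff_sta_thresh
        self.table = {}  # MAC -> Client, learned by probing (needs frequency-handoff on the 5GHz radio)

    def learn(self, mac, dual_band, rssi_by_band):
        """Record a client's band capability and per-band RSSI from probing."""
        self.table[mac] = Client(dual_band, dict(rssi_by_band))

    def join(self, mac, band, rssi):
        """Decide whether to answer a join request on `band` measured at `rssi`."""
        client = self.table.get(mac)
        if client is None or not client.dual_band:
            return ACCEPT                      # unknown or single-band: nothing to steer
        client.rssi[band] = rssi               # the device table is updated on every measurement
        if band == BAND_5:
            if rssi >= self.handoff_rssi:
                client.steered_off_24 = False
                return ACCEPT                  # close enough to benefit from 5GHz
            return IGNORE                      # too weak for 5GHz: let it time out back to 2.4GHz
        # 2.4GHz request from a dual-band client
        if client.steered_off_24:
            client.steered_off_24 = False
            return ACCEPT                      # second 2.4GHz attempt is accepted
        if client.rssi.get(BAND_5, 0) >= self.handoff_rssi:
            client.steered_off_24 = True
            return IGNORE                      # strong on 5GHz: stay silent so it moves
        return ACCEPT

    def evict_weakest(self, ap_clients):
        """AP hand-off, case 1: if an AP has more clients than the threshold, return
        the MAC of the weakest-signal client it would be told to drop, else None.
        `ap_clients` maps MAC -> RSSI as seen by that AP."""
        if len(ap_clients) <= self.handoff_sta_thresh:
            return None
        return min(ap_clients, key=ap_clients.get)

    def pick_ap(self, candidates):
        """AP hand-off, case 2: choose which AP answers a new client.
        `candidates` maps AP name -> (client_count, RSSI of the new client at that AP).
        APs over the threshold are skipped while any other is available; the
        least busy AP wins and the stronger signal breaks ties (tie-break is an assumption)."""
        not_busy = {ap: v for ap, v in candidates.items() if v[0] <= self.handoff_sta_thresh}
        pool = not_busy or candidates
        return min(pool, key=lambda ap: (pool[ap][0], -pool[ap][1]))


if __name__ == "__main__":
    ctl = Controller()
    # constructed sample clients: 01 is dual band and strong on 5GHz, 02 is 2.4GHz only
    ctl.learn("aa:bb:cc:00:00:01", dual_band=True, rssi_by_band={BAND_24: 40, BAND_5: 31})
    ctl.learn("aa:bb:cc:00:00:02", dual_band=False, rssi_by_band={BAND_24: 38})
    print("client 01 on 2.4GHz:", ctl.join("aa:bb:cc:00:00:01", BAND_24, 40))  # ignore
    print("client 01 on 5GHz:  ", ctl.join("aa:bb:cc:00:00:01", BAND_5, 31))   # accept
    print("client 02 on 2.4GHz:", ctl.join("aa:bb:cc:00:00:02", BAND_24, 38))  # accept
    busy_ap = {f"aa:bb:cc:00:01:{i:02x}": 60 - i for i in range(31)}  # 31 clients, weakest last
    print("evict from busy AP:", ctl.evict_weakest(busy_ap))              # aa:bb:cc:00:01:1e
    print("new client goes to:", ctl.pick_ap({"ap1": (31, 45), "ap2": (12, 40), "ap3": (12, 43)}))
```

The model makes two operational points visible: a dual band client that is weak on 5GHz is refused twice (once on 2.4GHz, once on 5GHz) before it gets on, which is the latency users notice when handoff-rssi is set too aggressively, and the controller can only steer clients whose capability it has learned, which is why frequency handoff has to be enabled on the 5GHz radio.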

 

FortiAP Groups

FortiAP Groups facilitate the application of FortiAP profiles to large numbers of FortiAPs. A FortiAP can belong to no more than one FortiAP Group. A FortiAP Group can include only one model of FortiAP.

Through the VLAN Pool feature, a FortiAP Group can be associated with a VLAN to which WiFi clients will be assigned.

 

To create a FortiAP group – GUI

1. Go to WiFi Controller > FortiAP Groups and select Create New.

2. Give the group a Group Name and choose the Platform Type (FortiAP model).

3. Choose Members.

4. Click OK.

 

To create a FortiAP group – CLI

In this example, a group named wtp-group-1 is created for FortiAP-221C units and one member device is added.

config wireless-controller wtp-group
    edit wtp-group-1
        set platform-type 221C
        config wtp-list
            edit FP221C3X14019926
            next
        end
    next
end

 

 

LAN port options

Some FortiAP models have one or more LAN interfaces that can provide wired network access. LAN ports can be

  • bridged to the incoming WAN interface
  • bridged to one of the WiFi SSIDs that the FortiAP unit carries
  • connected by NAT to the incoming WAN interface

There are some differences among FortiAP models.

Models like 11C and 14C have one port labeled WAN and one or more ports labeled LAN. By default, the LAN ports are offline. You can configure LAN port operation in the FortiAP Profile in the GUI (Wireless Controller > FortiAP Profiles) or in the CLI (config wireless-controller wtp-profile, config lan subcommand).

Models like 320C, 320B, 112D, and 112B have two ports, labeled LAN1 and LAN2. LAN1 acts as a WAN port connecting the FortiAP to a FortiGate or FortiCloud. By default, LAN2 is bridged to LAN1. Other modes of LAN2 operation must be enabled in the CLI:

config wireless-controller wtp-profile
    edit <profile_name>
        set wan-port-mode wan-lan
    next
end

By default wan-port-mode is set to wan-only.

 

When wan-port-mode is set to wan-lan, LAN2 Port options are available in the GUI and the CLI the same as the other FortiAP models that have labeled WAN and LAN ports.

 

Bridging a LAN port with an SSID

Bridging a LAN port with a FortiAP SSID combines traffic from both sources to provide a single broadcast domain for wired and wireless users.

In this configuration

  • The IP addresses for LAN clients come from the DHCP server that serves the wireless clients.
  • Traffic from LAN clients is bridged to the SSID’s VLAN. Dynamic VLAN assignment for hosts on the LAN port is not supported.
  • Wireless and LAN clients are on the same network and can communicate locally, via the FortiAP.
  • Any host connected to the LAN port is treated as authenticated: it joins the SSID’s network without passing through the wireless authentication, and RADIUS MAC authentication for hosts on the LAN port is not supported. Treat physical access to a bridged LAN port as equivalent to joining the SSID and secure the port accordingly.

 

For configuration instructions, see LAN port options on page 862.

 

Bridging a LAN port with the WAN port

Bridging a LAN port with the WAN port enables the FortiAP unit to be used as a hub which is also an access point. In this configuration

  • The IP addresses for LAN clients come from the WAN directly and will typically be in the same range as the AP itself.
  • All LAN client traffic is bridged directly to the WAN interface.
  • Communication between wireless and LAN clients can only occur if a policy on the FortiGate unit allows it. For configuration instructions, see LAN port options on page 862.

 

Configuring FortiAP LAN ports

You can configure FortiAP LAN ports for APs in a FortiAP Profile. A profile applies to APs that are the same model and share the same configuration. If you have multiple models or different configurations, you might need to create several FortiAP Profiles. For an individual AP, it is also possible to override the profile settings.

 

To configure FortiAP LAN ports – web-based manager

1. If your FortiAP unit has LAN ports, but no port labeled WAN (models 320C, 320B, 112D, and 112B for example), enable LAN port options in the CLI:

config wireless-controller wtp-profile
    edit <profile_name>
        set wan-port-mode wan-lan
    next
end

2. Go to WiFi & Switch Controller > FortiAP Profiles.

3. Edit the default profile for your FortiAP model or select Create New.

4. If you are creating a new profile, enter a Name and select the correct Platform (model).

5. Select SSIDs.

6. In the LAN Port section, set Mode to Bridge to and select an SSID or WAN Port as needed.

On some models with multiple LAN ports, you can set Mode to Custom and configure the LAN ports individually. Enable each port that you want to use and select an SSID or WAN Port as needed.

7. Select OK.

Be sure to select this profile when you authorize your FortiAP units.

 

To configure FortiAP LAN ports – CLI

In this example, the default FortiAP-11C profile is configured to bridge the LAN port to the office SSID.

config wireless-controller wtp-profile
    edit FAP11C-default
        config lan
            set port-mode bridge-to-ssid
            set port-ssid office
        end
    next
end

In this example, the default FortiAP-28C profile is configured to bridge LAN port1 to the office SSID and to bridge the other LAN ports to the WAN port.

config wireless-controller wtp-profile
    edit FAP28C-default
        config lan
            set port1-mode bridge-to-ssid
            set port1-ssid office
            set port2-mode bridge-to-wan
            set port3-mode bridge-to-wan
            set port4-mode bridge-to-wan
            set port5-mode bridge-to-wan
            set port6-mode bridge-to-wan
            set port7-mode bridge-to-wan
            set port8-mode bridge-to-wan
        end
    next
end

In this example, the default FortiAP-320C profile is configured to bridge the LAN port to the office SSID.

 

config wireless-controller wtp-profile
    edit FAP320C-default
        set wan-port-mode wan-lan
        config lan
            set port-mode bridge-to-ssid
            set port-ssid office
        end
    next
end

 

To configure FortiAP unit LAN ports as a FortiAP Profile override – web-based manager

1. Go to WiFi & Switch Controller > Managed FortiAPs.

2. Select the FortiAP unit from the list and select Edit.

3. Select the FortiAP Profile, if this has not already been done.

4. In the LAN Port section, select Override.

The options for Mode are shown.

5. Set Mode to Bridge to and select an SSID or WAN Port, or NAT to WAN as needed.

On some models with multiple LAN ports, you can set Mode to Custom and configure the LAN ports individually. Enable and configure each port that you want to use.

6. Select OK.

 

To configure FortiAP unit LAN ports as a FortiAP Profile override – CLI

In this example, a FortiAP unit’s configuration overrides the FortiAP Profile to bridge the LAN port to the office SSID.

 

config wireless-controller wtp
    edit FP320C3X14020000
        set wtp-profile FAP320C-default
        set override-wan-port-mode enable
        set wan-port-mode wan-lan
        set override-lan enable
        config lan
            set port-mode bridge-to-ssid
            set port-ssid office
        end
    next
end

 

Preventing IP fragmentation of packets in CAPWAP tunnels

A common problem with controller-based WiFi networks is reduced performance due to IP fragmentation of the packets in the CAPWAP tunnel.

Fragmentation can occur because of CAPWAP tunnel overhead increasing packet size. If the original wireless client packets are close to the maximum transmission unit (MTU) size for the network (usually 1500 bytes for Ethernet networks unless jumbo frames are used) the resulting CAPWAP packets may be larger than the MTU, causing the packets to be fragmented. Fragmenting packets can result in data loss, jitter, and decreased throughput.

The FortiOS/FortiAP solution to this problem is to cause wireless clients to send smaller packets to FortiAP devices, resulting in 1500-byte CAPWAP packets and no fragmentation. The following options configure CAPWAP IP fragmentation control:

config wireless-controller wtp-profile
    edit FAP321C-default
        set ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}
        set tun-mtu-uplink {0 | 576 | 1500}
        set tun-mtu-downlink {0 | 576 | 1500}
    next
end

By default, tcp-mss-adjust is enabled, icmp-unreachable is disabled, and tun-mtu-uplink and tun-mtu-downlink are set to 0.

 

Set tun-mtu-uplink and tun-mtu-downlink to the standard Ethernet MTU of 1500. With tcp-mss-adjust enabled, this configuration prevents fragmentation because the FortiAP unit limits the size of the TCP packets it receives from wireless clients, so the packets do not need to be fragmented after CAPWAP encapsulation.

The tcp-mss-adjust option causes the FortiAP unit to limit the maximum segment size (MSS) of TCP packets sent by wireless clients. It does this by rewriting the MSS option in the TCP SYN packets exchanged while a wireless client establishes a session, advertising a reduced value. This results in the wireless client sending packets that are smaller than the tun-mtu-uplink setting, so that once the CAPWAP headers are added the encapsulated packets fit within the tun-mtu-uplink size.

The icmp-unreachable option affects all traffic (UDP and TCP) between wireless clients and the FortiAP unit. It causes the FortiAP unit to drop packets that have the “Don’t Fragment” bit set in their IP header and that are large enough to require fragmentation, and to send an ICMP message back to the sender: type 3 “Destination Unreachable” with code 4 “Fragmentation Needed and Don’t Fragment was Set”, as in path MTU discovery. A wireless client that honours this message will send smaller TCP and UDP packets. Unlike MSS adjustment, this relies on the sender acting on the ICMP message.

 

Overriding IP fragmentation settings on a FortiAP

If the FortiAP Profile settings for IP fragmentation are not appropriate for a particular FortiAP, you can override the settings on that specific unit.

config wireless-controller wtp
    edit FAP321C3X14019926
        set override-ip-fragment enable
        set ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}
        set tun-mtu-uplink {0 | 576 | 1500}
        set tun-mtu-downlink {0 | 576 | 1500}
    next
end

 

 

LED options

Optionally, the status LEDs on the FortiAP can be kept dark. This is useful in dormitories, classrooms, hotels, medical clinics and hospitals, where the lights might be distracting or annoying to occupants.

On the FortiGate, the LED state is controlled in the FortiAP Profile. By default the LEDs are enabled. The setting is CLI-only. For example, to disable the LEDs on FortiAP-221C units controlled by the FAP221C-default profile, enter:

config wireless-controller wtp-profile
    edit FAP221C-default
        set led-state disable
    next
end

You can override the FortiAP Profile LED state setting on an individual FortiAP using the CLI. For example, to make sure the LEDs are disabled on one specific unit, enter:

config wireless-controller wtp
    edit FAP221C3X14019926
        set override-led-state enable
        set led-state disable
    next
end

The LED state is also controllable from the FortiAP unit itself. By default, the FortiAP follows the FortiAP Profile setting.

 

