CAPWAP Protected Management Frames (PMF) support (244510)

Protected Management Frames protect some types of management frames, such as deauthentication, disassociation and action frames. This feature, now mandatory on Wi-Fi certified 802.11ac devices, prevents attackers from sending plain (unprotected) deauthentication/disassociation frames to disrupt or tear down a connection/association. PMF is a Wi-Fi Alliance specification based on IEEE 802.11w.

PMF is configurable only in the CLI.

config wireless-controller vap
    edit <vap_name>
        set pmf {disable | enable | optional}
        set pmf-assoc-comeback-timeout <integer>
        set pmf-sa-query-retry-timeout <integer>
        set okc {disable | enable}
    next
end

pmf optional                    Enable PMF but still allow clients that do not support PMF to connect.

pmf-assoc-comeback-timeout      Protected Management Frames (PMF) maximum association comeback timeout (1 to 20 seconds).

pmf-sa-query-retry-timeout      Protected Management Frames (PMF) SA query retry timeout interval in units of 100 ms, from 100 to 500 ms (integer value from 1 to 5).

okc                             Enable or disable Opportunistic Key Caching (OKC).


Opportunistic Key Caching Support (244510)

To facilitate faster client roaming, you can enable Opportunistic Key Caching (OKC) on your WiFi network. When a client associates with an AP, its PMK identifier is sent to all other APs on the network. This eliminates the need for an already-authenticated client to repeat the full EAP exchange when it roams to another AP on the same network.

OKC is configurable only in the CLI.

config wireless-controller vap
    edit <vap_name>
        set okc {disable | enable}
    next
end


FortiPresence push REST API (273954)

When the FortiGate is located on a private IP network, the FortiPresence server cannot poll the FortiGate for information. Instead, the FortiGate must be configured to push the information to the FortiPresence server.

The configuration parameters are:

fortipresence-server        FortiPresence server IP address

fortipresence-port          FortiPresence server UDP listening port (the default is 3000)

fortipresence-secret        FortiPresence secret password (8 characters maximum)

fortipresence-project       FortiPresence project name (16 characters maximum)

fortipresence-frequency     FortiPresence report transmit frequency (range 5 to 65535 seconds; default = 30)

fortipresence-rogue         Enable/disable FortiPresence reporting of rogue APs

fortipresence-unassoc       Enable/disable FortiPresence reporting of unassociated devices

For example,

config wireless-controller wtp-profile
    edit "FP223B-GuestWiFi"
        config lbs
            set fortipresence enable
            set fortipresence-server <fortipresence_server_ip>
            set fortipresence-port 3000
            set fortipresence-secret "hardtoguess"
            set fortipresence-project fortipresence
            set fortipresence-frequency 30
            set fortipresence-rogue disable
            set fortipresence-unassoc disable
        end
    next
end


More detailed information will be provided in FortiPresence documentation.
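The three CLI settings above (PMF and OKC on a VAP, FortiPresence push on a wtp-profile) are easy to leave unset or out of range across many profiles, so an auditor usually wants to check a saved configuration rather than read it by hand. The following is an added example, not FortiOS code or a Fortinet tool: it parses the nested `config / edit / set / next / end` layout shown in the excerpts above into dictionaries, lists each VAP's pmf and okc setting, flags VAPs where PMF is neither `enable` nor `optional`, and checks the FortiPresence values against the limits the page lists (secret at most 8 characters, project at most 16, frequency 5 to 65535 seconds, server address present). The configuration text, names and addresses in the sample are constructed for this example; the parser assumes one CLI statement per line.

```python
"""Audit FortiOS wireless-controller config text for PMF, OKC and
FortiPresence settings. Added example; assumes the config dump uses the
same config/edit/set/next/end layout as the CLI excerpts above."""
from __future__ import annotations

import shlex

# Constructed sample: one VAP with PMF enabled, one with PMF never set, and a
# wtp-profile whose FortiPresence secret and frequency violate the limits.
SAMPLE_CONFIG = """\
config wireless-controller vap
    edit "corp-wifi"
        set pmf enable
        set pmf-assoc-comeback-timeout 10
        set pmf-sa-query-retry-timeout 2
        set okc enable
    next
    edit "guest-wifi"
        set okc enable
    next
end
config wireless-controller wtp-profile
    edit "FP223B-GuestWiFi"
        config lbs
            set fortipresence enable
            set fortipresence-server 192.0.2.10
            set fortipresence-port 3000
            set fortipresence-secret "waytoolongsecret"
            set fortipresence-project fortipresence
            set fortipresence-frequency 3
        end
    next
end
"""


def parse_fortios(text: str) -> dict:
    """Turn the nested CLI layout into {table: {entry: {key: value}}}.

    'config X' opens a table and 'edit NAME' an entry inside it; both push a
    new scope. 'set K V...' assigns into the current scope. 'next' and 'end'
    each close one scope. A 'config' block nested inside an entry (such as
    'config lbs') becomes a sub-dict under its own name.
    """
    root: dict = {}
    stack: list[dict] = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # honours the double-quoted names
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):
            name = " ".join(args)
            child = stack[-1].setdefault(name, {})
            stack.append(child)
        elif cmd == "set" and args:
            stack[-1][args[0]] = " ".join(args[1:])
        elif cmd in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def vap_report(cfg: dict) -> dict[str, dict[str, str]]:
    """Per-VAP view of the two settings from the page; '(unset)' marks a
    value the config never assigns (no assumption about FortiOS defaults)."""
    vaps = cfg.get("wireless-controller vap", {})
    return {
        name: {"pmf": entry.get("pmf", "(unset)"),
               "okc": entry.get("okc", "(unset)")}
        for name, entry in vaps.items()
    }


def vaps_without_pmf(cfg: dict) -> list[str]:
    """VAPs that still accept unprotected deauth/disassoc frames from anyone,
    i.e. pmf is neither 'enable' nor 'optional'."""
    return sorted(name for name, v in vap_report(cfg).items()
                  if v["pmf"] not in ("enable", "optional"))


def fortipresence_issues(cfg: dict) -> dict[str, list[str]]:
    """{profile: [issue, ...]} for every wtp-profile with FortiPresence
    enabled; the limits are the ones listed for the push parameters."""
    issues: dict[str, list[str]] = {}
    for name, entry in cfg.get("wireless-controller wtp-profile", {}).items():
        lbs = entry.get("lbs", {})
        if lbs.get("fortipresence") != "enable":
            continue
        found: list[str] = []
        if not lbs.get("fortipresence-server"):
            found.append("fortipresence-server is not set")
        secret = lbs.get("fortipresence-secret", "")
        if len(secret) > 8:
            found.append(f"fortipresence-secret is {len(secret)} chars (max 8)")
        project = lbs.get("fortipresence-project", "")
        if len(project) > 16:
            found.append(f"fortipresence-project is {len(project)} chars (max 16)")
        freq = int(lbs.get("fortipresence-frequency", "30"))
        if not 5 <= freq <= 65535:
            found.append(f"fortipresence-frequency {freq} outside 5-65535 seconds")
        issues[name] = found
    return issues


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for vap, settings in vap_report(cfg).items():
        print(f"{vap}: pmf={settings['pmf']} okc={settings['okc']}")
    print("VAPs without PMF:", vaps_without_pmf(cfg))
    for profile, found in fortipresence_issues(cfg).items():
        print(f"{profile}:", "; ".join(found) or "ok")
```

Run against `show wireless-controller vap` and `show wireless-controller wtp-profile` output saved to a file instead of `SAMPLE_CONFIG` to audit a real unit; the parser ignores lines it does not recognise, so `unset` and comment lines do not break it, but a VAP whose pmf line is absent is reported as `(unset)` rather than assumed to be any particular default.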
