Access point deployment

This chapter describes how to configure access points for your wireless network.

Overview

Network topology for managed APs

Discovering and authorizing APs

Advanced WiFi controller discovery

Wireless client load balancing for high-density deployments

FortiAP Groups

LAN port options

Preventing IP fragmentation of packets in CAPWAP tunnels

LED options

CAPWAP bandwidth formula

Overview

FortiAP units discover WiFi controllers. The administrator of the WiFi controller authorizes the FortiAP units that the controller will manage.

In most cases, FortiAP units can find WiFi controllers through the wired Ethernet without any special configuration. Review the following section, Access point deployment on page 64, to make sure that your method of connecting the FortiAP unit to the WiFi controller is valid. Then, you are ready to follow the procedures in Access point deployment on page 64.

If your FortiAP units are unable to find the WiFi controller, refer to Access point deployment on page 64 for detailed information about the FortiAP unit’s controller discovery methods and how you can configure them.

Network topology for managed APs

The FortiAP unit can be connected to the FortiGate unit in any of the following ways:

Direct connection: The FortiAP unit is directly connected to the FortiGate unit with no switches between them.

This configuration is common for locations where the number of FortiAP’s matches up with the number of

‘internal’ ports available on the FortiGate. In this configuration the FortiAP unit requests an IP address from the FortiGate unit, enters discovery mode and should quickly find the FortiGate WiFi controller. This is also known as a wirecloset deployment. See “Wirecloset and Gateway deployments” below.

Network topology for managed APs

Wirecloset deployment

Switched Connection: The FortiAP unit is connected to the FortiGate WiFi controller by an Ethernet switch operating in L2 switching mode or L3 routing mode. There must be a routable path between the FortiAP unit and the FortiGate unit and ports 5246 and 5247 must be open. This is also known as a gateway deployment. See Gateway Deployment below.

Network topology for managed

Gateway Deployment

 

Connection over WAN: The FortiGate WiFi controller is off-premises and connected by a VPN tunnel to a local FortiGate. In this method of connectivity its best to configure each FortiAP with the static IP address of the WiFi controller. Each FortiAP can be configured with three WiFi controller IP addresses for redundant failover. This is also known as a datacenter remote management deployment. See Remote deployment below.

Remote deployment

Discovering and authorizing APs

After you prepare your FortiGate unit, you can connect your APs to discover them using the discovery methods described earlier. To prepare the FortiGate unit, you need to l Configure the network interface to which the AP will connect. l Configure DHCP service on the interface to which the AP will connect. l Optionally, preauthorize FortiAP units. They will begin to function when connected. l Connect the AP units and let the FortiGate unit discover them. l Enable each discovered AP and configure it or assign it to an AP profile.

Configuring the network interface for the AP unit

The interface to which you connect your wireless access point needs an IP address. No administrative access, DNS Query service or authentication should be enabled.

To configure the interface for the AP unit – web-based manager

1. Go to Network > Interfaces and edit the interface to which the AP unit connects.
2. Set Addressing Mode to Dedicate to Extension Device.
3. Enter the IP address and netmask to use.

This FortiGate unit automatically configures a DHCP server on the interface that will assign the remaining higher addresses up to .254 to FortiAP units. For example, if the IP address is 10.10.1.100, the FortiAP units will be assigned 10.10.1.101 to 10.10.1.254. To maximize the available addresses, use the .1 address for the interface:

10.10.1.1, for example.

4. Select OK.

To configure the interface for the AP unit – CLI

In the CLI, you must configure the interface IP address and DHCP server separately.

config system interface edit port3 set mode static

set ip 10.10.70.1 255.255.255.0

end

config system dhcp server edit 0 set interface “dmz” config ip-range edit 1 set end-ip 10.10.70.254 set start-ip 10.10.70.2

end

set netmask 255.255.255.0 set vci-match enable set vci-string “FortiAP”

end

The optional vci-match and vci-string fields ensure that the DHCP server will provide IP addresses only to FortiAP units.

Pre-authorizing a FortiAP unit

If you enter the FortiAP unit information in advance, it is authorized and will begin to function when it is connected.

To pre-authorize a FortiAP unit

1. Go to WiFi & Switch Controller > Managed FortiAPs and select Create New.

On some models the WiFi Controller menu is called WiFi & Switch Controller.

2. Enter the Serial Number of the FortiAP unit.
3. Configure the Wireless Settings as required.
4. Select OK.

Enabling and configuring a discovered AP

Within two minutes of connecting the AP unit to the FortiGate unit, the discovered unit should be listed on WiFi Controller > Managed FortiAPs page. After you select the unit, you can authorize, edit or delete it.

Discovered access point unit

When you authorize (enable) a FortiAP unit, it is configured by default to use the default FortiAP profile (determined by model). You can create and select a different profile if needed. The FortiAP Profile defines the entire configuration for the AP.

To add and configure the discovered AP unit – web-based manager

1. Go to WiFi & Switch Controller > Managed FortiAPs.

This configuration also applies to local WiFi radio on FortiWiFi models.

2. Select the FortiAP unit from the list and edit it.
3. Optionally, enter a Name. Otherwise, the unit will be identified by serial number.
4. Select Authorize.
5. Select a FortiAP Profile.
6. Select OK.

The physical access point is now added to the system. If the rest of the configuration is complete, it should be possible to connect to the wireless network through the AP.

To add the discovered AP unit – CLI

First get a list of the discovered access point unit serial numbers:

get wireless-controller wtp

Add a discovered unit and associate it with AP-profile1, for example:

config wireless-controller wtp edit FAP22A3U10600118 set admin enable set wtp-profile AP-profile1

end

To view the status of the added AP unit

config wireless-controller wtp edit FAP22A3U10600118

get

The join-time field should show a time, not “N/A”. See the preceding web-based manager procedure for more information.

Disable automatic discovery of unknown FortiAPs

By default, the FortiGate adds newly discovered FortiAPs to the Managed FortiAPs list, awaiting the administrator’s authorization. Optionally, you can disable this automatic registration function to avoid adding unknown FortiAPs. A FortiAP will be registered and listed only if its serial number has already been added manually to the Managed FortiAPs list. AP registration is configured on each interface.

To disable automatic discovery and registration, enter the following command:

config system interface edit port15 set ap-discover disable

end

Automatic authorization of extension devices

To simplify adding FortiAP or FortiSwitch devices to your network, you can enable automatic authorization of devices as they are connected, instead of authorizing each one individually.

This feature is only configurable in the CLI.

To enable automatic authorization on all dedicated interfaces

config system global set auto-auth-extension-device enable

end

To enable automatic authorization per-interface

config system interface edit <port> set auto-auth-extension-device enable

end

Assigning the same profile to multiple FortiAP units

The same profile can now be applied to multiple managed FortiAP units at the same time. To do this, do the following:

1. Go to WiFi & Switch Controller > Managed FortiAPs to view the AP list.
2. Select all FortiAP units you wish to apply the profile to.
3. Right click on one of the selected FortiAPs and select Assign Profile.
4. Choose the profile you wish to apply.

Overriding the FortiAP Profile

In the FortiAP configuration WiFi & Switch Controller > Managed FortiAPs, there several radio settings under Override Radio 1 and Override Radio 2 to choose a value independently of the FortiAP Profile setting.

When each of the radios are disabled, you will see what the FortiAP Profile has each of the settings configured to.

Band	The available options depend on the capability of the radio. Overriding Band also overrides Channels. Make appropriate settings in Channels.
Channels	Choose channels. The available channels depend on the Band.
TX Power Control	If you enable Auto, adjust to set the power range in dBm. If you enable Manual, adjust the slider. The 100% setting is the maximum power permitted in your region. See Configuring a WiFi LAN on page 40.
SSIDs	Select between Auto or Manual. Selecting Auto eliminates the need to re-edit the profile when new SSIDs are created. However, you can still select SSIDs individually using Manual.

To override radio settings in the CLI

In this example, Radio 1 is set to 802.11n on channel 11, regardless of the profile setting.

config wireless-controller wtp edit FP221C3X14019926 config radio-1 set override-band enable set band 802.11n set override-channel enable

set channel 11

end

Override settings are available for band, channel, vaps (SSIDs), and txpower.

Outside of configuring radio settings, you can also override FortiAP LED state, WAN port mode, IP Fragmentation prevention method, spectrum analysis, split tunneling, and login password settings.

Accessing the FortiAP CLI through the FortiGate unit

Enable remote login for the FortiAP. In the FortiAP Profile for this FortiAP, enable remote access.

Connecting to the FortiAP CLI

The FortiAP unit has a CLI through which some configuration options can be set. You can access the CLI using Telnet.

To access the FortiAP unit CLI through the FortiAP Ethernet port

1. Connect your computer to the FortiAP Ethernet interface, either directly with a cross-over cable or through a separate switch or hub.
2. Change your computer’s IP address to 192.168.1.3
3. Telnet to IP address 192.168.1.2.

Ensure that FortiAP is in a private network with no DHCP server for the static IP address to be accessible.

4. Login with user name admin and no password.
5. Enter commands as needed.
6. Optionally, use the passwd command to assign an administrative password for better security.
7. Save the configuration by entering the following command:

cfg –c .

8. Unplug the FortiAP and then plug it back in, in order for the configuration to take effect

Accessing the FortiAP CLI through the FortiGate

After the FortiAP has been installed, physical access to the unit might be inconvenient. You can access a connected FortiAP unit’s CLI through the FortiGate unit that controls it.

To enable remote access to the FortiAP CLI

In the CLI, edit the FortiAP Profile that applies to this FortiAP.

config wireless-controller wtp-profile edit FAP221C-default set allowaccess telnet

end

FortiAP now supports HTTPS and SSH administrative access, as well as HTTP and Telnet. Use the command above to set administrative access to telnet, http, https, or ssh.

To access the FortiAP unit CLI through the FortiGate unit – GUI

1. Go to WiFi & Switch Controller > Managed FortiAPs.
2. In the list, right-click the FortiAP unit and select >_Connect to CLI. A detached Console window opens.
3. At the FortiAP login prompt, enter admin. When you are finished using the FortiAP CLI, enter exit.

To access the FortiAP unit CLI through the FortiGate unit – CLI

1. Use the FortiGate CLI execute telnet command to access the FortiAP. For example, if the FortiAP unit IP address is 192.168.1.2, enter:

execute telnet 192.168.1.2

2. At the FortiAP login prompt, enter admin. When you are finished using the FortiAP CLI, enter exit.

Checking and updating FortiAP unit firmware

You can view and update the FortiAP unit’s firmware from the FortiGate unit that acts as its WiFi controller.

Checking the FortiAP unit firmware version

Go to WiFi & Switch Controller > Managed FortiAPs to view the list of FortiAP units that the FortiGate unit can manage. The OS Version column shows the current firmware version running on each AP.

Updating FortiAP firmware from the FortiGate unit

You can update the FortiAP firmware using either the web-based manager or the CLI. Only the CLI method can update all FortiAP units at once.

To update FortiAP unit firmware – web-based manager

1. Go to WiFi & Switch Controller > Managed FortiAPs.
2. Right-click the FortiAP unit in the list and select Upgrade Firmware.

or

Edit the FortiAP entry and select Upgrade from File in FortiAP OS Version.

3. Select Browse and locate the firmware upgrade file.
4. Select OK.
5. When the upgrade process completes, select OK. The FortiAP unit restarts.

To update FortiAP unit firmware – CLI

1. Upload the FortiAP image to the FortiGate unit.

For example, the Firmware file is FAP_22A_v4.3.0_b0212_fortinet.out and the server IP address is 192.168.0.100.

execute wireless-controller upload-wtp-image tftp FAP_22A_v4.3.0_b0212_fortinet.out 192.168.0.100

If your server is FTP, change tftp to ftp, and if necessary add your user name and password at the end of the command.

2. Verify that the image is uploaded:

execute wireless-controller list-wtp-image

3. Upgrade the FortiAP units:

exec wireless-controller reset-wtp all

If you want to upgrade only one FortiAP unit, enter its serial number instead of all.

Updating FortiAP firmware from the FortiAP unit

You can connect to a FortiAP unit’s internal CLI to update its firmware from a TFTP server on the same network. This method does not require access to the wireless controller.

1. Place the FortiAP firmware image on a TFTP server on your computer.
2. Connect the FortiAP unit to a separate private switch or hub or directly connect to your computer via a cross-over cable.
3. Change your computer’s IP address to 192.168.1.3.
4. Telnet to IP address 192.168.1.2.

This IP address is overwritten if the FortiAP is connected to a DHCP environment. Ensure that the FortiAP unit is in a private network with no DHCP server.

5. Login with the username “admin” and no password.
6. Enter the following command.

For example, the FortiAP image file name is FAP_22A_v4.3.0_b0212_fortinet.out.

restore FAP_22A_v4.3.0_b0212_fortinet.out 192.168.1.3

 

Advanced WiFi controller discovery

Advanced WiFi controller discovery

A FortiAP unit can use any of six methods to locate a controller. By default, FortiAP units cycle through all six of the discovery methods. In most cases there is no need to make configuration changes on the FortiAP unit.

There are exceptions. The following section describes the WiFi controller discovery methods in more detail and provides information about configuration changes you might need to make so that discovery will work.

Controller discovery methods

There are six methods that a FortiAP unit can use to discover a WiFi controller. Below is the list of AC discovery methods used in sequence:

0(auto) → 1(static) → 2(dhcp) → 3(dns) → 7(forticloud) → 5(broadcast) → 6(multicast)

Static IP configuration

If FortiAP and the controller are not in the same subnet, broadcast and multicast packets cannot reach the controller. The admin can specify the controller’s static IP on the AP unit. The AP unit sends a discovery request message in unicast to the controller. Routing must be properly configured in both directions.

To specify the controller’s IP address on a FortiAP unit

cfg –a AC_IPADDR_1=”192.168.0.100″

By default, the FortiAP unit receives its IP address, netmask, and gateway address by DHCP. If you prefer, you can assign these statically.

To assign a static IP address to the FortiAP unit

cfg -a ADDR_MODE=STATIC cfg –a AP_IPADDR=”192.168.0.100″ cfg -a AP_NETMASK=”255.255.255.0″ cfg –a IPGW=192.168.0.1 cfg -c

For information about connecting to the FortiAP CLI, see Connecting to the FortiAP CLI on page 71.

DHCP

If you use DHCP to assign an IP address to your FortiAP unit, you can also provide the WiFi controller IP address at the same time. This is useful if the AP is located remotely from the WiFi controller and other discovery techniques will not work.

When you configure the DHCP server, configure Option 138 to specify the WiFi controller IP address. You need to convert the address into hexadecimal. Convert each octet value separately from left to right and concatenate them. For example, 192.168.0.1 converts to C0A80001.

If Option 138 is used for some other purpose on your network, you can use a different option number if you configure the AP units to match.

To change the FortiAP DHCP option code To use option code 139 for example, enter Wireless client load balancing for high-density deployments

cfg –a AC_DISCOVERY_DHCP_OPTION_CODE=139

For information about connecting to the FortiAP CLI, see Connecting to the FortiAP CLI on page 71.

DNS

The access point can discover controllers through your domain name server (DNS). For the access point to do so, you must configure your DNS to return controller IP addresses in response. Allow DNS lookup of the hostname configured in the AP by using the AP parameter “AC_HOSTNAME_1”.

FortiCloud

The access point can discover FortiCloud by doing a DNS lookup of the hardcoded FortiCloud AP controller hostname “apctrl1.fortinet.com”. The forticloud AC discovery technique finds the AC info from apctl1.fortinet.com using HTTPS.

FortiCloud APController: apctrl1.fortinet.com:443 208.91.113.187:443

Broadcast request

The AP unit broadcasts a discovery request message to the network and the controller replies. The AP and the controller must be in the same broadcast domain. No configuration adjustments are required.

Multicast request

The AP unit sends a multicast discovery request and the controller replies with a unicast discovery response message. The AP and the controller do not need to be in the same broadcast domain if multicast routing is properly configured.

The default multicast destination address is 224.0.1.140. It can be changed through the CLI. The address must be same on the controller and AP.

To change the multicast address on the controller

config wireless-controller global set discovery-mc-addr 224.0.1.250

end

To change the multicast address on a FortiAP unit

cfg –a AC_DISCOVERY_MC_ADDR=”224.0.1.250″

For information about connecting to the FortiAP CLI, see Advanced WiFi controller discovery on page 74.

Wireless client load balancing for high-density deployments

Wireless load balancing allows your wireless network to distribute wireless traffic more efficiently among wireless access points and available frequency bands. FortiGate wireless controllers support the following types of client load balancing:

• Access Point Hand-off – the wireless controller signals a client to switch to another access point.
• Frequency Hand-off – the wireless controller monitors the usage of 2.4GHz and 5GHz bands, and signals clients to switch to the lesser-used frequency.

Wireless client load balancing for high-density deployments

Load balancing is not applied to roaming clients.

Access point hand-off

Access point handoff wireless load balancing involves the following:

• If the load on an access point (ap1) exceeds a threshold (of for example, 30 clients) then the client with the weakest signal will be signaled by wireless controller to drop off and join another nearby access point (ap2).
• When one or more access points are overloaded (for example, more than 30 clients) and a new client attempts to join a wireless network, the wireless controller selects the least busy access point that is closest to the new client and this access point is the one that responds to the client and the one that the client joins.

Frequency hand-off or band-steering

Encouraging clients to use the 5GHz WiFi band if possible enables those clients to benefit from faster interference-free 5GHz communication. The remaining 2.4GHz clients benefit from reduced interference.

The WiFi controller probes clients to determine their WiFi band capability. It also records the RSSI (signal strength) for each client on each band.

If a new client attempts to join the network, the controller looks up that client’s MAC address in its wireless device table and determines if it’s a dual band device. If it is not a dual band device, then its allowed to join. If it is a dual band device, then its RSSI on 5GHz is used to determine whether the device is close enough to an access point to benefit from movement to 5GHz frequency.

If both conditions of 1) dual band device and 2) RSSI value is strong, then the wireless controller does not reply to the join request of the client. This forces the client to retry a few more times and then timeout and attempt to join the same SSID on 5GHz. Once the Controller see this new request on 5GHz, the RSSI is again measured and the client is allowed to join. If the RSSI is below threshold, then the device table is updated and the controller forces the client to timeout again. A client’s second attempt to connect on 2.4GHz will be accepted.

Configuration

From the web-based manager, edit a custom AP profile and select Frequency Handoff and AP Handoff as required for each radio on the AP.

From the CLI, you configure wireless client load balancing thresholds for each custom AP profile. Enable access point hand-off and frequency hand-off separately for each radio in the custom AP profile.

config wireless-controller wtp-profile edit new-ap-profile set handoff-rssi <rssi_int> set handoff-sta-thresh <clients_int> config radio-1 set frequency-handoff {disable | enable} set ap-handoff {disable | enable}

end config radio-2 set frequency-handoff {disable | enable} set ap-handoff {disable | enable}

end

end Where:

FortiAP Groups

• handoff-rssi is the RSSI threshold. Clients with a 5 GHz RSSI threshold over this value are load balanced to the 5GHz frequency band. Default is 25. Range is 20 to 30.
• handoff-sta-thresh is the access point handoff threshold. If the access point has more clients than this threshold it is considered busy and clients are changed to another access point. Default is 30, range is 5 to 25. l frequency-handoff enable or disable frequency handoff load balancing for this radio. Disabled by default. l ap-handoff enable or disable access point handoff load balancing for this radio. Disabled by default.

Frequency handoff must be enabled on the 5GHz radio to learn client capability.

FortiAP Groups

FortiAP Groups facilitate the application of FortiAP profiles to large numbers of FortiAPs. A FortiAP can belong to no more than one FortiAP Group. A FortiAP Group can include only one model of FortiAP.

Through the VLAN pool feature, a FortiAP Group can be associated with a VLAN to which WiFi clients will be assigned. For more on VLAN pool assignment, see VLAN assignment by VLAN pool.

FortiAP groups are only configurable in the CLI Console.

To create a FortiAP group – CLI

In this example, wtp-group-1 is created for a FortiAP-221C and one member device is added.

config wireless-controller wtp-group edit wtp-group-1 set platform-type 221C config wtp-list edit FP221C3X14019926

end

end

LAN port options

Some FortiAP models have one or more LAN interfaces that can provide wired network access. LAN ports can be l bridged to the incoming WAN interface l bridged to one of the WiFi SSIDs that the FortiAP unit carries l connected by NAT to the incoming WAN interface There are some differences among FortiAP models.

Models like 11C and 14C have one port labeled WAN and one or more ports labeled LAN. By default, the LAN ports are offline. You can configure LAN port operation in the FortiAP Profile in the GUI (Wireless Controller > FortiAP Profiles) or in the CLI (config wireless-controller wtp-profile, config lan subcommand).

Models like 320C, 320B, 112D, and 112B have two ports, labeled LAN1 and LAN2. LAN1 acts as a WAN port connecting the FortiAP to a FortiGate or FortiCloud. By default, LAN2 is bridged to LAN1. Other modes of LAN2 operation must be enabled in the CLI:

config wireless-controller wtp-profile edit <profile_name>

LAN port options

set wan-port-mode wan-lan

end

By default wan-port-mode is set to wan-only.

When wan-port-mode is set to wan-lan, LAN2 Port options are available in the GUI and the CLI the same as the other FortiAP models that have labeled WAN and LAN ports.

Bridging a LAN port with an SSID

Bridging a LAN port with a FortiAP SSID combines traffic from both sources to provide a single broadcast domain for wired and wireless users. In this configuration l The IP addresses for LAN clients come from the DHCP server that serves the wireless clients.

• Traffic from LAN clients is bridged to the SSID’s VLAN. Dynamic VLAN assignment for hosts on the LAN port is not supported.
• Wireless and LAN clients are on the same network and can communicate locally, via the FortiAP.
• Any host connected to the LAN port will be taken as authenticated. RADIUS MAC authentication for hosts on the LAN port is not supported.

For configuration instructions, see LAN port options on page 77.

Bridging a LAN port with the WAN port

Bridging a LAN port with the WAN port enables the FortiAP unit to be used as a hub which is also an access point. In this configuration l The IP addresses for LAN clients come from the WAN directly and will typically be in the same range as the AP itself. l All LAN client traffic is bridged directly to the WAN interface.

l Communication between wireless and LAN clients can only occur if a policy on the FortiGate unit allows it.

For configuration instructions, see LAN port options on page 77.

Configuring FortiAP LAN ports

You can configure FortiAP LAN ports for APs in a FortiAP Profile. A profile applies to APs that are the same model and share the same configuration. If you have multiple models or different configurations, you might need to create several FortiAP Profiles. For an individual AP, it is also possible to override the profile settings.

To configure FortiAP LAN ports – web-based manager

1. If your FortiAP unit has LAN ports, but no port labeled WAN (models 320C, 320B, 112D, and 112B for example), enable LAN port options in the CLI:

config wireless-controller wtp-profile edit <profile_name> set wan-port-mode wan-lan

end

2. Go to WiFi & Switch Controller > FortiAP Profiles.
3. Edit the default profile for your FortiAP model or select Create New.
4. If you are creating a new profile, enter a Name and select the correct Platform (model).

LAN port options

5. Select SSIDs.
6. In the LAN Port section, set Mode to Bridge to and select an SSID or WAN Port as needed.

On some models with multiple LAN ports, you can set Mode to Custom and configure the LAN ports individually.

Enable each port that you want to use and select an SSID or WAN Port as needed.

7. Select OK.

Be sure to select this profile when you authorize your FortiAP units.

To configure FortiAP LAN ports – CLI

In this example, the default FortiAP-11C profile is configured to bridge the LAN port to the office SSID.

config wireless-controller wtp-profile edit FAP11C-default config lan set port-mode bridge-to-ssid set port-ssid office

end

end

end

In this example, the default FortiAP-28C profile is configured to bridge LAN port1 to the office SSID and to bridge the other LAN ports to the WAN port.

config wireless-controller wtp-profile edit FAP28C-default config lan set port1-mode bridge-to-ssid set port1-ssid office set port2-mode bridge-to-wan set port3-mode bridge-to-wan set port4-mode bridge-to-wan set port5-mode bridge-to-wan set port6-mode bridge-to-wan set port7-mode bridge-to-wan set port8-mode bridge-to-wan

end

end

In this example, the default FortiAP-320C profile is configured to bridge the LAN port to the office SSID.

config wireless-controller wtp-profile edit FAP320C-default set wan-port-mode wan-lan config lan set port-mode bridge-to-ssid set port-ssid office

end

end

end

To configure FortiAP unit LAN ports as a FortiAP Profile override – web-based manager

1. Go to WiFi & Switch Controller > Managed FortiAPs.
2. Select the FortiAP unit from the list and select Edit.
3. Select the FortiAP Profile, if this has not already been done.
4. In the LAN Port section, select Override. The options for Mode are shown.

Preventing IP fragmentation of packets in CAPWAP tunnels

5. Set Mode to Bridge to and select an SSID or WAN Port, or NAT to WAN as needed.

On some models with multiple LAN ports, you can set Mode to Custom and configure the LAN ports individually.

Enable and configure each port that you want to use.

6. Select OK.

To configure FortiAP unit LAN ports as a FortiAP Profile override – CLI

In this example, a FortiAP unit’s configuration overrides the FortiAP Profile to bridge the LAN port to the office SSID.

config wireless-controller wtp edit FP320C3X14020000 set wtp-profile FAP320C-default set override-wan-port-mode enable set wan-port-mode wan-lan set override-lan enable config lan set port-mode bridge-to-ssid set port-ssid office

end

end

Preventing IP fragmentation of packets in CAPWAP tunnels

A common problem with controller-based WiFi networks is reduced performance due to IP fragmentation of the packets in the CAPWAP tunnel.

Fragmentation can occur because of CAPWAP tunnel overhead increasing packet size. If the original wireless client packets are close to the maximum transmission unit (MTU) size for the network (usually 1500 bytes for Ethernet networks unless jumbo frames are used) the resulting CAPWAP packets may be larger than the MTU, causing the packets to be fragmented. Fragmenting packets can result in data loss, jitter, and decreased throughput.

The FortiOS/FortiAP solution to this problem is to cause wireless clients to send smaller packets to FortiAP devices, resulting in1500-byte CAPWAP packets and no fragmentation. The following options configure CAPWAP IP fragmentation control:

config wireless-controller wtp-profle edit FAP321C-default set ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}

set tun-mtu-uplink {0 | 576 | 1500} set tun-mtu-downlink {0 | 576 | 1500}

end

end

By default, tcp-mss-adjust is enabled, icmp-unreachable is disabled, and tun-mtu-uplink and tun-mtu-downlink are set to 0.

To set tun-mtu-uplink and tun-mtu-downlink, use the default TCP MTU value of 1500. This default configuration prevents packet fragmentation because the FortiAP unit limits the size of TCP packets received from wireless clients so the packets don’t have to be fragmented before CAPWAP encapsulation.

The tcp-mss-adjust option causes the FortiAP unit to limit the maximum segment size (MSS) of TCP packets sent by wireless clients. The FortiAP does this by adding a reduced MSS value to the SYN packets sent LED options

by the FortiAP unit when negotiating with a wireless client to establish a session. This results in the wireless client sending packets that are smaller than the tun-mtu-uplink setting, so that when the CAPWAP headers are added, the CAPWAP packets have an MTU that matches the tun-mtu-uplink size.

The icmp-unreachable option affects all traffic (UDP and TCP) between wireless clients and the FortiAP unit. This option causes the FortiAP unit to drop packets that have the “Don’t Fragment” bit set in their IP header and that are large enough to cause fragmentation and then send an ICMP packet — type 3 “ICMP Destination unreachable” with code 4 “Fragmentation Needed and Don’t Fragment was Set” back to the wireless controller. This should cause the wireless client to send smaller TCP and UDP packets.

Overriding IP fragmentation settings on a FortiAP

If the FortiAP Profile settings for IP fragmentation are not appropriate for a particular FortiAP, you can override the settings on that specific unit.

config wireless-controller wtp edit FAP321C3X14019926 set override-ip-fragment enable

set ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}

set tun-mtu-uplink {0 | 576 | 1500} set tun-mtu-downlink {0 | 576 | 1500}

end

end

LED options

Optionally, the status LEDs on the FortiAP can be kept dark. This is useful in dormitories, classrooms, hotels, medical clinics, hospitals where the lights might be distracting or annoying to occupants.

On the FortiGate, the LED state is controlled in the FortiAP Profile. By default the LEDs are enabled. The setting is CLI-only. For example, to disable the LEDs on FortiAP-221C units controlled by the FAP221C-default profile, enter:

config wireless-controller wtp-profile edit FAP221C-default set led-state disable

end

You can override the FortiAP Profile LED state setting on an individual FortiAP using the CLI. For example, to make sure the LEDs are disabled on one specific unit, enter:

config wireless-controller wtp edit FAP221C3X14019926 set override-led-state enable set led-state disable

end

The LED state is also controllable from the FortiAP unit itself. By default, the FortiAP follows the FortiAP Profile setting.

CAPWAP bandwidth formula

CAPWAP bandwidth formula

The following section provides information on how to calculate the control plane CAPWAP traffic load in local bridging. The formula provided can help estimate the approximate package bandwidth cost. This is important for knowing precisely how much bandwidth is required on a WAN link for a centralized ForitGate managing hundreds of access points.

There are multiple factors that might affect the volume of CAPWAP control traffic, including the number of stations there are and large WiFi events.

The Ethernet/IP/UDP/CAPWAP uplink header cost should be approximately 66 bytes.

The tables below depict basic and commonly used optional CAPWAP bandwidth costs, on a per-AP basis.

Note the following:

l STA: The number of stations associated with the FortiAP. l ARP scan: Finds hidden devices in your network. l VAP: The number of VAPS held by the FortiAP. l Radio: The number of radios (maximum of two) enabled by the FortiAP.

Basic per-AP CAPWAP bandwidth costs

Content	Time (seconds)	Payload (byte)	Package bandwidth cost (bps)
Echo Req	30	16	(66+16)*8/30=21.86
STA scan	30	25+20*sta	(66+25+20*sta)*8/30=24.26+5.3*sta
ARP scan	30	25+18*sta	(66+25+18*sta)*8/30=24.26+4.8*sta
STA CAP	30	25+19*sta	(66+25+19*sta)*8/30=24.26+5.1*sta
STA stats	1	25+41*sta	(66+25+41*sta)*8/1=728.0+328.0*sta
VAP stats	15	40+18*vap	(66+40+18*vap)*8/15=56.53+9.6*vap
Radio stats	15	25+25*radio	(66+25+25*radio)*8/15=48.53+13.3*radio
		Total:	908.7+343.2*sta+9.6*vap+13.3*radio

Commonly used optional per-AP CAPWAP bandwidth costs

Content	Time Payload (byte) (seconds)	Package bandwidth cost (bps)
AP scan	30              25+63*scannedap	(66+25+63*scanned-ap)*8/30=24.26+16.8*scanned-ap

CAPWAP bandwidth formula

Content	Time Payload (byte) (seconds)	Package bandwidth cost (bps)
	Total:	932.96+343.2*sta+9.6*vap+13.3*radio+16.8*scannedap

Example:

There are 100 FortiAPs, with 187 stations distributed among them. Each FortiAP holds five VAPs among their radios, and each enables two radios. The basic CAPWAP bandwidth cost would be: 908.7*100+343.2*187+9.6*5*100+13.3*2*100 = 162.51kbps

Additionally, if two FortiAPs enabled “AP scan”, and suppose one scans 99 APs in each scan and the other scans 20 APs in each scan, the additional CAPWAP bandwidth cost would be:

(24.26+16.8*99)+(24.26+16.8*20) = 2 kbps

Enabling LLDP protocol

You can enable the LLDP protocol in the FortiAP Profile via the CLI. Each FortiAP using that profile can then send back information about the switch and port that it is connected to.

To enable LLDP, enter the following:

config wireless-controller wtp-profile edit <profile-name> set lldp enable

end

 

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!