WiFi (5.6)

Leave a reply

WiFi (5.6)

New WiFi features added to FortiOS 5.6.

Captive Portal Authentication with FortiAP in Bridge Mode (408915)

The FortiGate can operate as a web captive portal server to serve the captive portal local bridge mode.

A new CLI command has been added under config wireless-controller vap to set the captive portal type to CMCC, a wireless cipher.

CLI syntax

config wireless-controller vap edit <name> set portal-type { … | cmcc}

next

end

802.11kv(r) support (405498, 395037)

New CLI commands have been added under config wireless-controller vap to set various 802.11kvr settings, or Voice Enterprise (802.11kv) and Fast Basic Service Set (BSS) Transition (802.11r), to provide faster and more intelligent roaming for the client.

CLI syntax

config wireless-controller vap edit <name> set voice-enterprise {enable | disable} set fast-bss-transition {enable | disable} set ft-mobility-domain set ft-r0-key-lifetime [1-65535] set ft-over-ds {enable | disable}

next end

 

External Captive Portal authentication with FortiAP in Bridge Mode (403115, 384872)

New CLI commands have been added under config wireless-controller vap to set various options for external captive portal with FortiAP in Bridge Mode. The commands set the standalone captive portal server category, the server’s domain name or IP address, secret key to access the RADIUS server, and the standalone captive portal Access Controller (AC) name.

Note that these commands are only available when local-standalone is set to enable and security is set to captive-portal.

CLI syntax

config wireless-controller vap edit <name> set captive-portal-category {FortiCloud | CMCC} Default is FortiCloud. set captive-portal-radius-server <server> set captive-portal-radius-secret <password> set captive-portal-ac-name <name>

next

end

Japan DFS support for FAP-421E/423E/S421E/S423E (402287, 401434)

Korea and Japan Dynamic Frequency Selection (DFS) certification has been added for FAP-

421E/423E/S421E/S423E. DFS is a mechanism that allows WLANs to select a frequency that does not interfere with certain radar systems while operating in the 5 GHz band.

802.3az support on WAVE2 WiFi APs (400558)

A new CLI command has been added under config wireless-controller wtp-profile to enable or disable use of Energy-Efficient Ethernet (EEE) on WTP, allowing for less power consumption during periods of low data activity.

CLI syntax

config wireless-controller wtp-profile edit <profile-name> set energy-efficient-ethernet {enable|disable}

end

CLI command update made in wids-profile (400263)

The CLI command rogue-scan under config wireless-controller wids-profile has been changed to sensor-mode and allows easier configuration of radio sensor mode. Note that while foreign enables radio sensor mode on foreign channels only, both enables the feature on foreign and home channels.

CLI syntax

config wireless-controller wids-profile edit <example> set sensor-mode {disable|foreign|both}

end

Channel utilization, FortiPresence support on AP mode, QoS enhancement for voice

(399134, 377562)

A new CLI command has been added, config wireless-controller qos-profile, to configure

quality of service (QoS) profiles where you can add WiFi multi-media (WMM) control and Differentiated Services Code Point (DSCP) mapping.

Note that:

  • call-capacity and bandwidth-admission-control are only available when call-admissioncontrol is set to enable. l bandwidth-capacity is only available when bandwidth-admission-control is set to enable. l All DSCP mapping options are only available when dscp-wmm-mapping is set to enable.
  • wmm is already set to enable by default. If wmm is set to disable, the following entries are not available: wmm-

uapsd, call-admission-control, and dscp-wmm-mapping.

CLI syntax

config wireless-controller qos-profile edit <example> set comment <comment> set uplink [0-2097152] Default is 0 Kbps. set downlink [0-2097152] Default is 0 Kbps. set uplink-sta [0-2097152] Default is 0 Kbps. set downlink-sta [0-2097152] Default is 0 Kbps. set burst {enable|disable} Default is disable. set wmm {enable|disable} Default is enable. set wmm-uapsd {enable|disable} Default is enable.

set call-admission-control {enable|disable} Default is disable. set call-capacity [0-60] Default is 10 phones. set bandwidth-admission-control {enable|disable} Default is disable. set bandwidth-capacity [1-600000] Default is 2000 Kbps. set dscp-wmm-mapping {enable|disable} Default is disable. set dscp-wmm-vo [0-63] Default is 48 56. set dscp-wmm-vi [0-63] Default is 32 40. set dscp-wmm-be [0-63] Default is 0 24. set dscp-wmm-bk [0-63] Default is 8 16.

QoS profiles can be assigned under the config wireless-controller vap command using qosprofile.

FortiCloud managed APs can now be applied a bandwidth restriction or rate limitation based on SSID. For instance if guest and employee SSIDs are available, you can rate limit guest access to a certain rate to accommodate for employees. This feature also applies a rate limit based on the application in use, as APs are application aware.

FAP-U421E and FAP-U423E support (397900)

Two Universal FortiAP models support FortiOS 5.6. Their default profiles are added under config wirelesscontroller wtp-profiles, as shown below:

CLI syntax

config wireless-controller wtp-profile edit “FAPU421E-default” config platform set type U421E

end set ap-country US config radio-1 set band 802.11n

end config radio-2 set band 802.11ac

end

next

end

config wireless-controller wtp-profile edit “FAPU423E-default” config platform set type U423E

end set ap-country US config radio-1 set band 802.11n

end config radio-2 set band 802.11ac

end

next

end

Minor reorganization of WiFi GUI entries (396497)

WiFi & Switch Controller GUI entries Managed FortiAPs, SSID, FortiAP Profiles, and WIDS Profiles have been reorganized.

Multiple PSK support for WPA personal (393320, 264744)

New CLI commands have been added, under config wireless-controller vap, to configure multiple WiFi Protected Access Pre-Shared Keys (WPA-PSKs), as PSK is more secure without all devices having to share the same PSK.

Note that, for the following multiple PSK related commands to become available, vdom, ssid, and passhphrase all have to be set first.

CLI syntax

config wireless-controller vap edit <example> set mpsk {enable|disable} set mpsk-concurrent-clients [0-65535] Default is 0. config mpsk-key edit key-name <example>

set passphrase <wpa-psk> set concurrent-clients [0-65535] Default is empty. set comment <comments>

next

end

end

Use the mpsk-concurrent-clients entry to set the maximum number of concurrent connected clients for each mpsk entry. Use the mpsk-key configuration method to configure multiple mpsk entries.

Table size of qos-profile has VDOM limit (388070)

The command config wireless-controller qos-profile now has VDOM table limit; there is no longer an unlimited number of entries within each VDOM.

Add “dhcp-lease-time” setting to local-standalone-nat VAP (384229)

When a Virtual Access Point (VAP) has been configured for a FortiAP, a DHCP server is automatically configured on the FortiAP side with a hard lease time. A new CLI command under config wireless-controller vap has been added to customize the DHCP lease time for NAT IP address. This is to solve issues where the DHCP IP pool was exhausted when the number of clients grew too large for the lease time span.

Note that the new command, dhcp-lease-time, is only available when local-standalone is set to enable, then setting local-standalone-nat to enable.

CLI syntax

config wireless-controller vap edit <example> set local-standalone {enable|disable} set local-standalone-nat {enable|disable} set dhcp-lease-time [300-8640000] Default is 2400 seconds.

end

New CLI command to configure LDPC for FortiAP (383864)

Previously, LDPC value on FortiAP could only be changed on FortiAP local CLI. Syntax has been added in FortiOS CLI under the ‘wireless-controller.vap’ entry to configure the LDPC value on FortiAP.

CLI Syntax

configure wireless-controller vap edit 1 set ldpc [enable|rx|tx|disable]

end

New region code/SKU for Indonesia (382926)

A new country region code, F, has been added to meet Indonesia’s WiFi channel requirements. Indonesia previously belonged to region code W.

FortiAP RMA support added (381936)

New CLI command fortiap added under exe replace-device to replace an old FortiAP’s serial number with a new one.

CLI Syntax execute replace-device fortiap <old-fortiap-id> <new-fortiap-id>

Support fixed-length 64-hex digit for WPA-Personal passphrase (381030)

WPA-Personal passphrase now supports a fixed-length of 64 hexadecimal digits.

Allow FortiGates to manage cloud-based FortiAPs (380150)

FortiGates can now manage cloud-based FortiAPs using the new fapc-compatibility command under wireless-controller setting.

If enabled, default FAP-C wtp-profiles will be added. If disabled, FAP-C related CMDB configurations will be removed: wtp-group in vap’s vlan-pool, wtp-group, ws, wtp, wtp-profile.

CLI syntax

config wireless-controller setting set country CN

set fapc-compatibility [enable|disable] end

You will receive an error message when trying to change country while fapccompatibility is enabled. You need to disable fapc-compatibility before changing to an FAPC unsupported country.

Use IPsec instead of DTLS to protect CAPWAP tunnels (379502)

This feature is to utilize FortiAP hardware to improve the throughput of tunneled data traffic by using IPsec when data security is enabled.

“AES-256-CBC & SHA256” algorithm and “dh_group 15” are used for both CAPWAP IPsec phase1 and phase 2.

FAP320B will not support this feature due to its limited capacity of free flash.

New option added to support only one IP per one endpoint association (378207)

When users change configuration, the radiusd will reset all configurations and refresh all logons in the kernel. All these actions are done in the one loop. A CLI option has been added to enable/disable replacement of an old IP address with a new IP address for the same endpoint on RADIUS accounting start.

CLI Syntax

configure user radius edit radius-root

set rsso-ep-one-ip-only [enable|disable]

next

end

FAP-222C-K DFS support (377795)

Dynamic Frequency Selection (DFS) bands can now be configured for FortiAP 222C-K.

Note that this FortiAP model has the Korean region code (K), but ap-country under config wirelesscontroller wtp-profile still needs to be set to KR.

CLI syntax

config wireless-controller wtp-profile edit <K-FAP222C> config platform set type <222C>

end set ap-country KR config radio-2 set band <802.11ac> set vap-all <disable> set vaps “vap-vd-07”

set channel “52” “56” “60” “64” “100” “104” “108” “112” “116” “120” “124” “128”

“132” “136” “140” end

next

end

Dynamic VLAN support in standalone mode (377298)

Dynamic VLAN is now supported in standalone mode. Previously, dynamic VLAN only worked in local bridge mode.

CLI-only features added to GUI (376891)

Previously CLI-only features have been added to the GUI under FortiAP Profiles, Managed FortiAPs, and SSID. Also fixed issue where the correct value is displayed when viewing the WIDS Profile notification icon under FortiAP Profiles.

Managed AP GUI update (375376)

Upgraded Managed FortiAPs dialog page to a newer style, including icons for SSID and LAN port.

Bonjour gateway support (373659)

Bonjour gateway now supported for WiFi networks.

Syntax

config wireless-controller bonjour-profile edit 0 set comment “comment” config policy-list

edit 1 set description “description” set from-vlan [0-4094] Default is 0. set to-vlan [0-4094|all] Default is all.

set services [all|airplay|afp|bittorrent|ftp|ichat|itunes|printers|samba|scanners|ssh|chromecast]

next

end

next

end

FAP421E/423E wave2 support (371374)

Previously removed wave2 FAP421E and FAP423E models have been reinstated and are now supported again. The models are available again through the CLI and GUI. These models are listed under the Platform dropdown menu when creating a new FortiAP Profile under WiFi & Switch Controller > FortiAP Profiles.

CLI syntax

config wireless-controller wtp-profile edit <example> config platform set type <…|421E|423E>

end

end

WiFi Health Monitor GUI changes (308317)

The Wifi Health Monitor page has been improved, including the following changes:

  • Flowchart used for diagrams l Chart used for interference and AP clients l Removed spectrum analysis l Added functionality to upgrade FortiAP firmware
  • Added option to view both 2.4GHz and 5GHz data simultaneously

AP Profile GUI page updates (298266)

The AP Profile GUI page has been upgraded to a new style including AngularJS code.

1+1 Wireless Controller HA (294656)

Instances of failover between FortiAP units was too long and lead to extended periods of time where WiFi users were without network connection. Because WiFi is considered a primary network connection in today’s verticals (including enterprise, retail, education, warehousing, healthcare, government, and more), it is necessary for successful failover to occur as fast as possible.

You can now define the role of the primary and secondary controllers on the FortiAP unit, allowing the unit to decide the order in which the FortiAP selects the FortiGate. This process was previously decided on load-based detection, but can now be defined by each unit’s pre-determined priority. In addition, heartbeat intervals have been lowered to further improve FortiAP awareness and successful failover.

Syntax

config wireless-controller inter-controller set inter-controller-mode {disable | l2-roaming | 1+1} Default is disable. set inter-controller-key <password> set inter-controller-pri {primary | secondary} Default is primary. set fast-failover-max [3-64] Default is 10. set fast-failover-wait [10-86400] Default is 10. config inter-controller-peer edit <name> set peer-ip <ip-address> set peer-port [1024-49150] Default is 5246.

set peer-priority {primary | secondary} Default is primary. next

end

end

Support for duplicate SSID names on tunnel and bridge mode interfaces (278955)

When duplicate-ssid is enabled in the CLI, this feature allows VAPs to use the same SSID name in the same VDOM. When disabled, all SSIDs in WLAN interface will be checked—if duplicate SSIDs exist, an error message will be displayed. When duplicate-ssid is enabled in the CLI, duplicate SSID check is removed in “Edit SSID” GUI page.

Syntax

config wireless-controller setting set duplicate-ssid [enable|disable] next

end

Controlled failover between wireless controllers (249515)

Instances of failover between FortiAP units was too long and lead to extended periods of time where WiFi users were without network connection. Because WiFi is considered a primary network connection in today’s verticals (including enterprise, retail, education, warehousing, healthcare, government, and more), it is necessary for successful failover to occur as fast as possible.

Administrators can now define the role of the primary and secondary controllers on the FortiAP unit, allowing the unit to decide the order in which the FortiAP selects the FortiGate. This process was decided on load-based detection, but can now be defined by each unit’s pre-determined priority. In addition, heartbeat intervals have been lowered to further improve FortiAP awareness and successful failover.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.