FortiWLC – Add an ESS with the Web UI

Add an ESS with the Web UI

ESS profiles can be configured either from E(z)RF Network Manager or from the controller.

You can tell where an ESS profile was configured by checking the read-only field Owner; the Owner is either nms-server or controller. AP400 is designed to use either a Virtual Cell ESS or a non-Virtual Cell ESS, but not both at once. AP1000 is designed to use a Virtual Cell ESS and a non-Virtual Cell ESS simultaneously. To add an ESS from the controller’s Web UI, follow these steps:

  1. Click Configuration > Wireless > ESS > Add.


The ESS Profile Add screen displays – see below.

  2. In the ESS Profile Name field, type the name (ID) of the extended service set. The name can be up to 32 alphanumeric characters long with no spaces.
  3. In the Enable/Disable list, select one of the following:
     • Enable: The ESS Profile created is enabled.
     • Disable: The ESS Profile created is disabled.
  4. In the SSID field, type a name up to 32 characters for the SSID for this ESS. (Note that when you are creating either Virtual Cell overflow or a non-Virtual Cell ESS, you will be creating two ESS Profiles with the same ESSID. See “Configure Virtual Cell Overflow with the Web UI” on page 158 for details.)
  5. In the Security Profile Name list, select an existing Security Profile to associate with the ESS profile. By default, an ESS profile is associated with the Security Profile named default. For more explanation, see “Security Profiles for an ESS” on page 147.
  6. In the Primary RADIUS Accounting Server list, select either the name of a previously configured RADIUS accounting server profile or the No RADIUS option. Selecting the No RADIUS option means that no RADIUS accounting messages will be sent for clients connecting to this ESSID profile. For more information, see the authentication chapter RADIUS Accounting for Clients.
  7. In the Secondary RADIUS Accounting Server list, select the name of a previously configured RADIUS accounting server profile or the No RADIUS option. If No RADIUS is selected, then no RADIUS accounting messages will be sent for clients connecting to this ESSID profile. For more information, see the security chapter RADIUS Accounting for Clients.
  8. In the Accounting Interim Interval (seconds) field, type the time (in seconds) that elapses between accounting information updates for RADIUS authentication. If a RADIUS accounting server is enabled, the controller sends an interim accounting record to the RADIUS server at the interval specified. Accounting records are only sent to the RADIUS server for clients that authenticate using 802.1x. The interval can be from 60 through 36,000 seconds (10 minutes through 10 hours). The default value is 3,600 seconds (1 hour). For more information, see the security chapter RADIUS Accounting for Clients.
  9. Beacon Interval sets the rate at which beacons are transmitted. Setting the beacon interval to a higher value decreases the frequency of unicasts and broadcasts sent by the access point. If the power-save feature is enabled on clients that are connected to access points, clients “wake up” less if fewer unicasts and broadcasts are sent, which conserves the battery life for the clients. In the Beacon Interval field, type the interval (in ms) at which beacons are transmitted. The beacon interval must be from 20 through 1000 milliseconds. For AP400 and AP1000, the beacon interval is a multiple of 20, from 20 to 1000 ms. If your WLAN consists mostly of Wi-Fi phones, and you have a low number of ESSIDs configured (for example, one or two), Fortinet recommends setting the beacon interval to 100.

10. In the SSID Broadcast list, select one of the following:

  • On: SSID is included in the beacons transmitted.
  • Off: SSID is not included in the beacons transmitted. Also, Probe Responses are not sent in response to Probe Requests that do not specify an SSID.

11. In the Bridging area, check any of these bridging options:

  • AirFortress: FortressTech Layer 2 bridging and encryption with a Fortress Technology AirFortress gateway.
  • IPv6: Configures bridging of Internet Protocol version 6 addresses. IPv6 via tunneling mode has these limitations:
    • No dynamic VLAN
    • No multiple ESSID mapping to same VLAN
    • No support for IPv6 filtering
    • No IPv6 IGMP snooping

12. By default, access points that join the ESS profile and have the same channel form a Virtual Cell. In the New APs Join ESS profile list, select one of the following:

  • On: (default) Access points automatically join an ESS profile and are configured with its parameters.
  • Off: Prevents access points from automatically joining an ESS profile. You can then add multiple interfaces from the ESS Profile screen. Perform the following steps to add multiple interfaces:
    • On the ESS Profile – Update screen, set New APs Join ESS profile to Off. This option prevents the APs from automatically joining an ESS profile.
    • Select the checkbox for an ESS profile and click the Settings button. The ESS Profile – Update screen is displayed.
    • On the ESS Profile – Update screen, select the ESS-AP Table tab. The ESS-AP Configuration screen is displayed; initially it contains no entries.
    • On the ESS-AP Configuration screen, click the Add button. The ESS-AP Configuration – Add screen is displayed, where you can add multiple interfaces.
    • Click OK. The selected interfaces are now displayed on the ESS-AP Configuration screen.

13. In the Tunnel Interface Type list, select one of the following:

  • No Tunnel: No tunnel is associated with this ESS profile.
  • Configured VLAN Only: Only a configured VLAN listed in the following VLAN Name list is associated with this ESS profile. If you select this option, go to Step 13.
  • RADIUS VLAN Only: The VLAN is assigned by the RADIUS server via the RADIUS attribute Tunnel Id. Use RADIUS VLAN Only when clients authenticate via 802.1x/WPA/WPA2 or MAC Filtering.
  • RADIUS and Configured VLAN: Both a configured VLAN and a RADIUS VLAN are associated with this ESS profile. If you select this option, proceed to Step 15.
  • GRE: Specifies a GRE Tunnel configuration. If you select this option, go to Step 14. For details, see the security chapter Configure GRE Tunnels.

14. If you selected Configured VLAN Only in Step 12, select a VLAN from the list to associate with this ESS profile.

15. If you selected GRE for Tunnel Interface Type, select the name of a GRE Tunnel profile previously configured in the Configuration > Wired > GRE area. For GRE to work, DHCP relay must be enabled either locally or globally.

16. In the Allow Multicast Flag list, optionally enable multicasting (On). Enable multicasting only if you need to use a multicast application. Enabling multicasting causes all multicast packets on the air side to appear on the wired side, and all multicast packets on the wired side to appear on the air side. Also see “Multicast” on page 163 in this chapter.

  • On: Enables multicasting.
  • Off: Disables multicasting.

17. Isolate Wireless to Wireless Traffic can be used to prevent two wireless stations operating on the same L2 domain from communicating directly with each other. This is not a common requirement, but can be necessary for some security policies. Set the option to On if your network requires this.

18. In the Multicast-to-Unicast Conversion list, select one of the following:

  • On: Enables multicast-to-unicast conversion. Multicast packets are converted to unicast packets and delivered to all the clients.
  • Off: Disables multicast-to-unicast conversion. Multicast packets are delivered as multicast packets to the clients.

19. The RF Virtualization Mode drop-down in the ESS Configuration page allows the user to specify the type of virtualization used by the specified ESS profile. The options are as follows:

  • Virtual Cell: This is the default setting for all APs except AP400 models.
  • Virtual Port: This is the default setting for AP400 models.
  • Native Cell: This option disables virtualization on the ESS.

The screen also shows the RF-Mode, Channel Width, N-only Mode, and Channel and MIMO mode fields.

20. If the APs are any AP400 model, you can make this ESS an “overflow” ESS by selecting a Virtual Cell ESS for the Overflow for: setting. This means that when the named Virtual Cell ESS (that was created earlier) maxes out, it will overflow into this non-Virtual Cell ESS.

This works by having the two ESS Profiles share an SSID so they can seamlessly move clients back and forth as needed. For more explanation, see “Virtual Cell Overflow Feature” on page 157.

21. In release 5.1, WMM configuration in the ESSID has no effect. However, in order to enable or disable APSD features across APs, the WMM parameter must be set to on. For more information, see “Supported WMM Features” on page 156.

22. For APSD support, select On or Off. APSD stands for Advanced WMM Power Save and is supported on AP400/AP1000. For more explanation, see “Supported WMM Features” on page 156.

  • On: Data packets for power-save mode clients are buffered and delivered based on the trigger provided by the client. This feature saves more power and provides longer battery life than the legacy power save mode (TIM method). Note that you must have WMM set to on for this to work – see the previous step.
  • Off: No APSD support.

23. DTIM affects clients in power save mode. In the DTIM Period field, type the number of beacon intervals that elapse before broadcast and multicast frames stored in buffers are sent. This value is transmitted in the DTIM period field of beacon frames.

The DTIM period can be a value from 1 through 255. The default DTIM period is 1. Setting the DTIM period to a higher value decreases the frequency of broadcasts sent by the access point. If power save is enabled on clients that are connected to access points, clients “wake up” less if fewer broadcasts are sent, which conserves battery life for the clients.

Only the behavior of clients currently in power-save mode is affected by the DTIM period value. Because broadcasts are generally wasteful of air resources, the FortiWLC has devised mechanisms that mitigate broadcasts either with proxy services or with more efficient, limited unicasts. As an example, ARP Layer 2 broadcasts received by the wired side are not relayed to all wireless clients. Instead, the FortiWLC maintains a list of IP-MAC address mappings for all wireless clients and replies with proxy-ARP on behalf of the client.

24. In the Dataplane Mode list, select the type of AP/Controller configuration:

  • Tunneled: (default) In tunneled mode, a controller and an AP1000 are connected with a data tunnel so that data and control packets from a mobile station are tunneled to the controller from the AP and vice versa.
  • Bridged: (Bridged mode was formerly Remote AP mode.) In bridged mode, data packets are not passed between the AP and the controller; only control plane packets are passed. When bridged mode is configured, an AP can be installed and managed at a location separated from the controller by a WAN or ISP, for example at a satellite office. The controller monitors the remote APs through a keep-alive signal. Remote APs can exchange control information with the controller, including authentication and accounting information, but they are unable to exchange data. Remote APs can, however, exchange data with other APs within their subnet. ESSIDs in bridged mode cannot exchange dataplane traffic (including DHCP) with the controller, and the following FortiWLC (SD) features are not available in a bridged configuration: Rate Limiting and QoS (and all QoS-related features). For more explanation, see “Bridging Versus Tunneling” on page 159 in this chapter.

A VLAN tag can be configured for a Bridged mode profile (see Step 29 below) and then multiple profiles can be associated to that VLAN tag. The AP VLAN priority can be set in Step 26 below.

25. Provide an AP VLAN tag between zero and 4094. This VLAN tag value is configured in the controller VLAN profile and is used for tagging client traffic for ESSIDs with dataplane mode bridged, using 802.1q VLAN.

26. To enable VLAN Priority, set this field to On. This field indicates whether an AP needs to map incoming VLAN 802.1p data packets into WMM ACs or not. By default in a bridged ESS, this field is disabled and an AP always honors the DSCP field in IPv4 packets to map an incoming packet to one of the WMM ACs. When turned on, an AP honors VLAN 802.1p priority over DSCP priority when the packet is mapped into one of the WMM ACs.

  • On: AP disregards the DSCP value in the IP header of a packet.
  • Off: AP honors the DSCP values in the IP header of a packet. The AP converts the DSCP value in the IP header to the appropriate WMM queue. This feature works only for downstream packets and only for an ESSID with dataplane mode set to bridged.

27. For Countermeasure, select whether to enable or disable MIC Countermeasures:

  • On: (default) Countermeasures are triggered when an AP encounters two consecutive MIC errors from the same client within a 60 second period. The AP will disassociate all clients from the ESSID where the errors originated and not allow any clients to connect for 60 seconds. This prevents a MIC attack.
  • Off: Countermeasures should only be turned off temporarily while the network administrator identifies and then resolves the source of a MIC error.
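The countermeasure logic described in step 27 (two MIC errors from one client within 60 seconds, then every client is disassociated and the ESSID refuses associations for 60 seconds) is easy to misjudge when sizing the impact on a voice WLAN, so here is an added model of it. This is example code, not FortiWLC code: the sliding-window counter, the `MicCountermeasure` class and the constructed MAC addresses and timestamps are all assumptions of the example; only the 2-error / 60-second parameters come from the guide.

```python
from collections import defaultdict, deque

# Parameters taken from step 27 of the guide: two MIC errors from the same
# client within 60 s trigger countermeasures, and the ESSID stays closed for 60 s.
MIC_WINDOW_S = 60
MIC_ERRORS_TO_TRIGGER = 2
LOCKOUT_S = 60


class MicCountermeasure:
    """Hypothetical model (not FortiWLC code) of per-ESSID MIC countermeasures."""

    def __init__(self, enabled=True):
        self.enabled = enabled
        self.recent_errors = defaultdict(deque)  # client MAC -> timestamps of recent MIC errors
        self.locked_until = None                 # time until which no client may associate
        self.events = []                         # audit trail of (time, action, client)

    def mic_error(self, client_mac, now):
        """Record a MIC failure; return True if countermeasures were triggered."""
        if not self.enabled:
            # Countermeasures off: the error is logged but nothing is enforced.
            self.events.append((now, "mic-error-logged", client_mac))
            return False
        window = self.recent_errors[client_mac]
        window.append(now)
        # Drop errors older than the 60 s window so only recent ones count.
        while window and now - window[0] > MIC_WINDOW_S:
            window.popleft()
        if len(window) >= MIC_ERRORS_TO_TRIGGER:
            # Disassociate every client on the ESSID and refuse associations for 60 s.
            self.locked_until = now + LOCKOUT_S
            self.recent_errors.clear()
            self.events.append((now, "disassociate-all-and-lock", client_mac))
            return True
        self.events.append((now, "mic-error-counted", client_mac))
        return False

    def can_associate(self, now):
        """True unless the ESSID is inside a countermeasure lockout."""
        return self.locked_until is None or now >= self.locked_until


def run_scenario(enabled=True):
    """Replay a constructed sequence of MIC errors and return the model state."""
    cm = MicCountermeasure(enabled)
    # Constructed sample events: (time in seconds, client MAC). The MACs are made up.
    for t, mac in [(0, "00:11:22:33:44:aa"), (30, "00:11:22:33:44:aa"),
                   (100, "00:11:22:33:44:bb"), (100, "00:11:22:33:44:aa"),
                   (170, "00:11:22:33:44:bb")]:
        cm.mic_error(mac, t)
    return cm


if __name__ == "__main__":
    for t, action, mac in run_scenario().events:
        print(f"t={t:4d}s {action:28s} {mac}")
```

Running the scenario shows why the guide says Off should only be temporary: a single misbehaving client takes the whole ESSID down for a minute, but with countermeasures disabled the errors are merely logged and nothing protects the other stations. Errors from different clients, or from one client more than 60 seconds apart, never trigger the lockout.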

28. In the Enable Multicast MAC Transparency field, indicate On or Off. For more explanation, see “Multicast MAC Transparency Feature” on page 164 in this chapter.

  • On: All downstream multicast packets will have the MAC address of the streaming station.
  • Off: (default) All downstream multicast packets will have the MAC address of the controller.

29. Band steering balances multi-band capable clients on AP1000 by assigning bands to clients based on their capabilities. To use band steering for ABGN traffic, you could use A-steering to direct dual mode clients with A capability to the 5GHz band and N-steering to direct all dual mode clients with AN capability to the 5GHz band. Band steering is also useful for directing multicast traffic. For this command to work as clients are added, also set the field New APs Join ESS to on. For more explanation, see “Band Steering Feature” on page 165 in this chapter. Band Steering Mode options are:

  • Band Steering Disabled
  • Band Steering to A band: Infrastructure attempts to steer all A-Capable wireless clients to the 5GHz band when they connect to this ESS.
  • Band Steering to N band: Infrastructure attempts to steer all N-Capable wireless clients that are also A-Capable to the 5GHz band when they connect to this ESS. Infrastructure also attempts to steer non N-Capable wireless clients to the 2.4GHz band.

30. Band Steering Timeout sets the number of seconds that assignment for a steered client is blocked on the forbidden band while it is unassociated. For this command to work, also set the field Band Steering to A-band or N-band (see above). Band Steering Timeout can be any integer from 1-65535.

31. The Expedited Forward Override option is implemented to override the system’s default DSCP-to-WMM priority mapping. IP datagrams marked with DSCP Expedited Forwarding (46) will be sent from the WMM Voice queue (AC_VO) of the AP rather than the Video queue (AC_VI) in the downstream direction (to stations). It is configured on a per-ESS Profile basis and works in both bridged and tunneled ESS profiles. For configuration, see “Expedited Forward Override” on page 168 in this chapter.
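Steps 26 and 31 together decide which WMM access category a downstream frame lands in: with VLAN Priority on (bridged ESS only) the AP uses the 802.1p tag and ignores DSCP, otherwise it maps DSCP, and Expedited Forward Override moves DSCP 46 from AC_VI to AC_VO. The example below is added to make that decision visible; it is not FortiWLC code. The 802.1p-to-AC table is the WMM specification default, the DSCP-to-UP rule (three most significant DSCP bits, which is why EF 46 lands in Video by default) is assumed, the precedence of VLAN Priority over the EF override is an assumption of the example, and the sample frames are constructed.

```python
# Standard WMM mapping of 802.1p user priority (0-7) to access category.
# This is the WMM specification default table, assumed here to match what the AP uses.
UP_TO_AC = {0: "AC_BE", 1: "AC_BK", 2: "AC_BK", 3: "AC_BE",
            4: "AC_VI", 5: "AC_VI", 6: "AC_VO", 7: "AC_VO"}
DSCP_EF = 46  # Expedited Forwarding, the code point the override in step 31 applies to


def dscp_to_up(dscp):
    """Assumed default DSCP-to-UP rule: the three most significant DSCP bits (46 -> 5 -> AC_VI)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0-63")
    return (dscp >> 3) & 0x7


def select_wmm_ac(dscp, vlan_pcp=None, *, dataplane="tunneled",
                  vlan_priority=False, ef_override=False):
    """Return the WMM access category for one downstream frame (hypothetical model).

    vlan_priority follows step 26: only effective in a bridged ESS, and when On
    the AP uses the 802.1p PCP of the tagged frame and disregards DSCP.
    ef_override follows step 31: DSCP 46 goes to AC_VO instead of AC_VI in both
    bridged and tunneled ESS profiles. Checking VLAN priority first is an assumption.
    """
    if vlan_priority and dataplane == "bridged" and vlan_pcp is not None:
        return UP_TO_AC[vlan_pcp]
    if ef_override and dscp == DSCP_EF:
        return "AC_VO"
    return UP_TO_AC[dscp_to_up(dscp)]


def classify_frames(frames, **ess_settings):
    """Classify (label, dscp, pcp) frames under one ESS profile's settings."""
    return {label: select_wmm_ac(dscp, pcp, **ess_settings) for label, dscp, pcp in frames}


# Constructed sample downstream frames: (label, DSCP, 802.1p PCP carried in the VLAN tag).
SAMPLE_FRAMES = [
    ("voip-rtp", 46, 3),   # EF-marked voice, but the upstream switch tagged it PCP 3
    ("video", 34, 4),      # AF41
    ("bulk", 8, 1),        # CS1 scavenger traffic
    ("web", 0, 0),         # best effort
]

if __name__ == "__main__":
    for name, settings in [("tunneled default", {}),
                           ("tunneled + EF override", {"ef_override": True}),
                           ("bridged + VLAN priority", {"dataplane": "bridged", "vlan_priority": True})]:
        print(f"{name:24s} {classify_frames(SAMPLE_FRAMES, **settings)}")
```

The `voip-rtp` frame is the case worth checking before enabling VLAN Priority on a bridged voice ESS: once the AP honors 802.1p, a switch that tags EF traffic with PCP 3 silently demotes it to best effort, and the EF override no longer helps because DSCP is disregarded.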

32. SSID Broadcast Preference is specific to addressing Cisco phone connectivity issues. It has three options:

  • Disable: Configuring the parameter to “Disable” stops the AP from advertising the SSID string in the beacon.
  • Always: Configuring the parameter to “Always” makes the AP always advertise the SSID in the beacons. This must not be configured unless recommended.
  • Till-Association: This is the default option. Configuring the parameter to “Till-Association” makes the AP advertise the SSID in the beacons until the client's association stage and disables the SSID broadcast afterwards. This setting is preferable for certain phone models, where it resolves connectivity issues with Vport ON. Once a station has associated, the AP stops broadcasting the SSID string. Users can configure SSID broadcast for Vport per ESS from the controller GUI in addition to the AP CLI. For configuration, see “SSID Broadcast for Vport” on page 170 in this chapter.

33. For the remaining Supported and Base Transmit Rates for B, A, G, and BG modes, enable or disable rates as needed.

34. Click OK.

If Ascom i75 phones are used to connect to a WPA2-PSK profile with VCell enabled, then create an ESSID with all BGN Supported HT Transmit rates unchecked (set to none).
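The procedure above spreads its numeric limits and cross-field dependencies across more than thirty steps (name length, beacon interval range and the multiple-of-20 rule on AP400/AP1000, interim accounting range, DTIM range, VLAN tag range, band steering needing New APs Join ESS on, APSD needing WMM on). The validator below is an added example, not FortiWLC code or a FortiWLC API, that collects those constraints as stated in the steps so a profile can be checked before it is entered in the Web UI or pushed from a configuration script. The `EssProfile` class, its field names and the sample profiles are assumptions of the example; "alphanumeric" is read strictly as letters and digits.

```python
import re
from dataclasses import dataclass


@dataclass
class EssProfile:
    """Subset of the ESS Profile Add fields from this procedure (hypothetical model)."""
    name: str
    ssid: str
    ap_model: str = "AP1000"
    beacon_interval_ms: int = 100
    dtim_period: int = 1
    accounting_interim_s: int = 3600
    ap_vlan_tag: int = 0
    band_steering_mode: str = "disabled"   # "disabled", "a-band" or "n-band"
    band_steering_timeout_s: int = 1
    new_aps_join: bool = True
    wmm: bool = True
    apsd: bool = False


def validate_ess_profile(p):
    """Return a list of constraint violations; an empty list means the profile passes."""
    errors = []
    # Step 2: up to 32 alphanumeric characters, no spaces (read strictly as letters and digits).
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", p.name):
        errors.append("ESS Profile Name must be 1-32 alphanumeric characters with no spaces")
    # Step 4: SSID up to 32 characters.
    if not 1 <= len(p.ssid) <= 32:
        errors.append("SSID must be 1-32 characters")
    # Step 8: interim accounting interval 60 through 36,000 seconds.
    if not 60 <= p.accounting_interim_s <= 36000:
        errors.append("Accounting Interim Interval must be 60-36000 seconds")
    # Step 9: beacon interval 20-1000 ms, and a multiple of 20 on AP400/AP1000.
    if not 20 <= p.beacon_interval_ms <= 1000:
        errors.append("Beacon Interval must be 20-1000 ms")
    elif p.ap_model in ("AP400", "AP1000") and p.beacon_interval_ms % 20:
        errors.append("Beacon Interval must be a multiple of 20 ms on AP400/AP1000")
    # Step 22: APSD only works with WMM set to on.
    if p.apsd and not p.wmm:
        errors.append("APSD requires WMM to be On")
    # Step 23: DTIM period 1 through 255.
    if not 1 <= p.dtim_period <= 255:
        errors.append("DTIM Period must be 1-255")
    # Step 25: AP VLAN tag between zero and 4094.
    if not 0 <= p.ap_vlan_tag <= 4094:
        errors.append("AP VLAN tag must be 0-4094")
    # Steps 29-30: band steering needs New APs Join ESS on and a timeout of 1-65535 s.
    if p.band_steering_mode not in ("disabled", "a-band", "n-band"):
        errors.append("Band Steering Mode must be disabled, a-band or n-band")
    elif p.band_steering_mode != "disabled":
        if not p.new_aps_join:
            errors.append("Band steering requires New APs Join ESS to be On")
        if not 1 <= p.band_steering_timeout_s <= 65535:
            errors.append("Band Steering Timeout must be 1-65535 seconds")
    return errors


def dtim_wakeup_interval_ms(p):
    """Milliseconds between DTIM beacons: how often power-save clients wake for buffered broadcast/multicast."""
    return p.beacon_interval_ms * p.dtim_period


if __name__ == "__main__":
    # Constructed sample profiles: one that passes and one that violates several steps.
    ok = EssProfile(name="CorpVoice", ssid="corp-voice", beacon_interval_ms=100, dtim_period=3)
    bad = EssProfile(name="Guest WiFi", ssid="guest", ap_model="AP400", beacon_interval_ms=110,
                     dtim_period=0, accounting_interim_s=30, ap_vlan_tag=5000,
                     band_steering_mode="a-band", band_steering_timeout_s=0,
                     new_aps_join=False, wmm=False, apsd=True)
    print("ok profile:", validate_ess_profile(ok), "DTIM wake-up every",
          dtim_wakeup_interval_ms(ok), "ms")
    for err in validate_ess_profile(bad):
        print("-", err)
```

`dtim_wakeup_interval_ms` makes the trade-off in steps 9 and 23 concrete: a 100 ms beacon with DTIM 3 means power-save phones wake for buffered multicast every 300 ms, which is the figure to weigh against battery life before raising either value.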



This entry was posted in Administration Guides, FortiWLC.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
