Category Archives: FortiWLC

Configuring a WiFi LAN

Configuring a WiFi LAN

When working with a FortiGate WiFi controller, you can configure your wireless network before you install any access points. If you are working with a standalone FortiWiFi unit, the access point hardware is already present but the configuration is quite similar. Both are covered in this section.

Overview of WiFi controller configuration

Setting your geographic location

Creating a FortiAP profile

Defining a wireless network interface (SSID)

Defining SSID groups

Dynamic user VLAN assignment

Configuring user authentication

Configuring firewall policies for the SSID

Configuring the built-in access point on a FortiWiFi unit

Enforcing UTM policies on a local bridge SSID for managed smart APs

On FortiGate model 30D, web-based manager configuration of the WiFi controller is disabled by default. To enable it, enter the following CLI commands:

config system global

set gui-wireless-controller enable end

The WiFi Controller and Switch Controller are enabled through the Feature Store (under System > Feature Select). However, they are separately enabled and configured to display in the GUI via the CLI.

To enable both WiFi and Switch controllers, enter the following:

config system global set wireless-controller enable set switch-controller enable

end

To enable the GUI display for both controllers, have also been separated:

config system settings set gui-wireless-controller enable set gui-switch-controller enable end

If you want to connect and authorize external APs, such as FortiAP units, see the next chapter, Access point deployment.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Introduction to wireless networking

Introduction to wireless networking

Wireless concepts

Wireless networking is radio technology, subject to the same characteristics and limitations as the familiar audio and video radio communications. Various techniques are used to modulate the radio signal with a data stream.

Bands and channels

Depending on the wireless protocol selected, you have specific channels available to you, depending on what region of the world you are in.

l IEEE 802.11b and g protocols provide up to 14 channels in the 2.400-2.500 GHz Industrial, Scientific and Medical (ISM) band. l IEEE 802.11a,n (5.150-5.250, 5.250-5.350, 5.725–5.875 GHz, up to 16 channels) in portions of Unlicensed National Information Infrastructure (U-NII) band

Note that the width of these channels exceeds the spacing between the channels. This means that there is some overlap, creating the possibility of interference from adjacent channels, although less severe than interference on the same channel. Truly non-overlapping operation requires the use of every fourth or fifth channel, for example ISM channels 1, 6 and 11.

The capabilities of your wireless clients is the deciding factor in your choice of wireless protocol. If your clients support it, 5GHz protocols have some advantages. The 5GHz band is less used than 2.4GHz and its shorter wavelengths have a shorter range and penetrate obstacles less. All of these factors mean less interference from other access points, including your own.

When configuring your WAP, be sure to correctly select the Geography setting to ensure that you have access only to the channels permitted for WiFi use in your part of the world.

For detailed information about the channel assignments for wireless networks for each supported wireless protocol, see Reference on page 182.

 

Power

Wireless LANs operate on frequencies that require no license but are limited by regulations to low power. As with other unlicensed radio operations, the regulations provide no protection against interference from other users who are in compliance with the regulations.

Power is often quoted in dBm. This is the power level in decibels compared to one milliwatt. 0dBm is one milliwatt, 10dBm is 10 milliwatts, 27dBm, the maximum power on Fortinet FortiAP equipment, is 500 milliwatts. The FortiGate unit limits the actual power available to the maximum permitted in your region as selected by the WiFi controller country setting.

Received signal strength is almost always quoted in dBm because the received power is very small. The numbers are negative because they are less than the one milliwatt reference. A received signal strength of -60dBm is one millionth of a milliwatt or one nanowatt.

Antennas

Transmitted signal strength is a function of transmitter power and antenna gain. Directional antennas concentrate the signal in one direction, providing a stronger signal in that direction than would an omnidirectional antenna.

FortiWiFi units have detachable antennas. However, these units receive regulatory approvals based on the supplied antenna. Changing the antenna might cause your unit to violate radio regulations.

Security

There are several security issues to consider when setting up a wireless network.

Whether to broadcast SSID

It is highly recommended to broadcast the SSID. This makes connection to a wireless network easier because most wireless client applications present the user with a list of network SSIDs currently being received. This is desirable for a public network.

Attempting to obscure the presence of a wireless network by not broadcasting the SSID does not improve network security. The network is still detectable with wireless network “sniffer” software. Clients search for SSIDs that they know, leaking the SSID. Refer to RFC 3370. Also, many of the latest Broadcom drivers do not support hidden SSID for WPA2.

Encryption

Wireless networking supports the following security modes for protecting wireless communication, listed in order of increasing security.

None — Open system. Any wireless user can connect to the wireless network.

WEP64 — 64-bit Web Equivalent Privacy (WEP). This encryption requires a key containing 10 hexadecimal digits.

WEP128 — 128-bit WEP. This encryption requires a key containing 26 hexadecimal digits.

WPA — 256-bit WiFi Protected Access (WPA) security. This encryption can use either the TKIP or AES encryption algorithm and requires a key of either 64 hexadecimal digits or a text phrase of 8 to 63 characters. It is also possible to use a RADIUS server to store a separate key for each user.

WPA2 — WPA with security improvements fully meeting the requirements of the IEEE 802.11i standard. Configuration requirements are the same as for WPA.

For best security, use the WPA2 with AES encryption and a RADIUS server to verify individual credentials for each user. WEP, while better than no security at all, is an older algorithm that is easily compromised. With either WEP or WAP, changing encryption passphrases on a regular basis further enhances security.

Separate access for employees and guests

Wireless access for guests or customers should be separate from wireless access for your employees. Each of the two networks can have its own SSID, security settings, firewall policies, and user authentication. This does not require additional hardware. Both FortiWiFi units and FortiAP units support multiple wireless LANs on the same access point.

A good practice is to broadcast the SSID for the guest network to make it easily visible to users, but not to broadcast the SSID for the employee network.

Two separate wireless networks are possible because multiple virtual APs can be associated with an AP profile. The same physical APs can provide two or more virtual WLANs.

Captive portal

As part of authenticating your users, you might want them to view a web page containing your acceptable use policy or other information. This is called a captive portal. No matter what URL the user initially requested, the portal page is returned. Only after authenticating and agreeing to usage terms can the user access other web resources.

Power

Reducing power reduces unwanted coverage and potential interference to other WLANs. Areas of unwanted coverage are a potential security risk. There are people who look for wireless networks and attempt to access them. If your office WLAN is receivable out on the public street, you have created an opportunity for this sort of activity.

Monitoring for rogue APs

It is likely that there are APs available in your location that are not part of your network. Most of these APs belong to neighboring businesses or homes. They may cause some interference, but they are not a security threat. There is a risk that people in your organization could connect unsecured WiFi-equipped devices to your wired network, inadvertently providing access to unauthorized parties. The optional On-Wire Rogue AP Detection Technique compares MAC addresses in the traffic of suspected rogues with the MAC addresses on your network. If wireless traffic to non-Fortinet APs is also seen on the wired network, the AP is a rogue, not an unrelated AP.

Decisions about which APs are rogues are made manually on the Rogue AP monitor page. For detailed information, see Wireless network monitoring on page 115.

Suppressing rogue APs

When you have declared an AP to be a rogue, you have the option of suppressing it. To suppress and AP, the FortiGate WiFi controller sends reset packets to the rogue AP. Also, the MAC address of the rogue AP is blocked in the firewall policy. You select the suppression action on the Rogue AP monitor page. For more information, see Wireless network monitoring on page 115.

Wireless Intrusion Detection (WIDS)

You can create a WIDS profile to enable several types of intrusion detection:

l Unauthorized Device Detection l Rogue/Interfering AP Detection l Ad-hoc Network Detection and Containment l Wireless Bridge Detection l Misconfigured AP Detection l Weak WEP Detection l Multi Tenancy Protection l MAC OUI Checking

Authentication

Wireless networks usually require authenticated access. FortiOS authentication methods apply to wireless networks the same as they do to wired networks because authentication is applied in the firewall policy.

The types of authentication that you might consider include:

l user accounts stored on the FortiGate l user accounts managed and verified on an external RADIUS, LDAP or TACACS+ server l Windows Active Directory authentication, in which users logged on to a Windows network are transparently authenticated to use the wireless network.

This FortiWiFi and FortiAP Configuration Guide provides some information about each type of authentication, but more detailed information is available in the Authentication chapter of the FortiOS Handbook.

What all of these types of authentication have in common is the definition of user groups to specify who is authorized. For each wireless LAN, you will create a user group and add to it the users who can use the WLAN. In the identity-based firewall policies that you create for your wireless LAN, you will specify this user group.

Some access points, including FortiWiFi units, support MAC address filtering. You should not rely on this alone for authentication. MAC addresses can be “sniffed” from wireless traffic and used to impersonate legitimate clients.

Wireless networking equipment

Fortinet produces two types of wireless networking equipment:

  • FortiWiFi units, which are FortiGate units with a built-in wireless access point/client
  • FortiAP units, which are wireless access points that you can control from any FortiGate unit that supports the WiFi Controller featu

FortiWiFi units

A FortiWiFi unit can:

  • Provide an access point for clients with wireless network cards. This is called Access Point mode, which is the default

or

  • Connect the FortiWiFi unit to another wireless network. This is called Client mode. A FortiWiFi unit operating in client mode can only have one wireless interface.

or

  • Monitor access points within radio range. This is called Monitoring mode. You can designate the detected access points as Accepted or Rogue for tracking purposes. No access point or client operation is possible in this mode. But, you can enable monitoring as a background activity while the unit is in Access Point mode.

The Products section of the Fortinet web site (www.fortinet.com) provides detailed information about the FortiWiFi models that are currently available.

FortiAP units

FortiAP units are thin wireless access points are controlled by either a FortiGate unit or FortiCloud service.

FortiAP is a family of Indoor, Outdoor and Remote Access Point models supporting the latest single, dual, and triple stream MIMO 802.11ac and 802.11n technology, as well as 802.11g and 802.11a.

For large deployments, some FortiAP models support a mesh mode of operation in which control and data backhaul traffic between APs and the controller are carried on a dedicated WiFi network. Users can roam seamlessly from one AP to another.

In dual-radio models, each radio can function as an AP or as a dedicated monitor. The monitoring function is also available during AP operation, subject to traffic levels.

The Products section of the Fortinet web site (www.fortinet.com) provides detailed information about the FortiAP models that are currently available.

Automatic Radio Resource Provisioning

To prevent interference between APs, the FortiOS WiFi Controller includes the Distributed Automatic Radio Resource Provisioning (DARRP) feature. Through DARRP, each FortiAP unit autonomously and periodically determines the channel that is best suited for wireless communications. FortiAP units to select their channel so Automatic Radio Resource Provisioning

that they do not interfere with each other in large-scale deployments where multiple access points have overlapping radio ranges.

To enable ARRP – GUI

  1. Go to WiFi Controller > FortiAP Profiles and edit the profile for your device.
  2. In the Radio sections (Radio 1, Radio 2, etc.), enable Radio Resource Provision.
  3. Click OK.

To enable ARRP – CLI

In this example, ARRP is enabled for both radios in the FAP321C-default profile:

config wireless-controller wtp-profile edit FAP321C-default config radio-1 set darrp enable

end config radio-2 set darrp enable

end

end

Setting ARRP timing

By default, ARRP optimization occurs at a fixed interval of 1800 seconds (30 minutes). You can change this interval in the CLI. For example, to change the interval to 3600 seconds enter:

config wireless-controller timers set darrp-optimize 3600

end

Optionally, you can schedule optimization for fixed times. This enables you to confine ARRP activity to a lowtraffic period. Setting darrp-optimize to 0, makes darrp-day and darrp-time available. For example, here’s how to set DARRP optimization for 3:00am every day:

config wireless-controller timers set darrp-optimize 0

set darrp-day sunday monday tuesday wednesday thursday friday saturday set darrp-time 03:00

end

Both darrp-day and darrp-time can accept multiple entries.

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiWLC – Appendix

Appendix

Captive Portal and Fortinet Connect Deployment Recommendations

These are the deployment recommendations.

DNS Entry

It is mandatory to enter the DNS while creating internal DHCP profile.

External Portal IP Configuration

If a NAT device is located between the controller and the Fortinet Connect, the IP address with which Fortinet Connect sees the controller should be configured under Device > RADIUS Clients page in Fortinet Connect Admin portal (http://<fortinetconnect-ip-address>/admin) . Select the RADIUS client and enter the controller IP address in the Client tab. The Fortinet Connect Automatic Setup then configures the controller correctly and ensures that the correct controller IP address is configured on Fortinet Connect.

Remember Me settings

In the Portal Settings step of the Guest Portal configuration wizard, if you choose to enable

Remember Credentials, then select “Initially attempt to use a cookie, if this fails try the MAC address” option. This removes the dependency on the client’s browser and security settings.

SmartConnect Certificate download

In the Certificates step of the Smart Connect Profile Wizard, ensure that you select the complete certificate chain of your uploaded certificate. If all certificates in the chain (from root to server) have been uploaded, then selecting the server certificate will automatically select the entire certificate chain.

  • To upload the server certificates, go to Server > SSL Settings > Server Certificate
  • To upload rest of the chain, go to Server > SSL Settings > Trusted CA Certificates

Captive Portal and Fortinet Connect Deployment Recommendations

IP Prefix Validation

In a situation where a station with an IP address from a different subnet connects to the controller, it can result in various network issues including outage. A new field, IP Prefix Validation is added to the ESS Profile and Port Profile configuration page. When enabled, stations with different subnet are prevented from connecting to the controller. By default, IP Prefix Validation in ESS Profile is ON and in Port Profile it is OFF.

IP Prefix Validation must be disabled if the ESS profile is used for RAC.

IP Prefix Validation

A Glossary

This glossary contains a collection of terms and abbreviations used in this document. A B C D E F G H I J K L M N O P Q R S T U V W X Y

Numerals

10BaseT An IEEE standard (802.3) for operating 10 megabits per second (Mbps) Ethernet networks (LANs) over twisted pair cabling and using baseband transmission methods.
100baseT A Fast Ethernet standard (802.3u) that allows up to 100 Mbps and uses the CSMA/CD LAN access method.
3DES Triple Des. A Data Encryption Standard (DES) that uses three 64-bit encryption key, and therefore is three times longer than that used by DES.
802.11 802.11, or IEEE 802.11, is a radio technology specification used for Wireless Local Area Networks (WLANs). 802.11 defines the mobile (wireless) network access link layer, including 802.11 media access control (MAC) and different Physical (PHY) interfaces. This standard defines the protocol for communications between a wireless client and a base station as well as between two wireless clients.

The 802.11 specification, often called Wi-Fi, is composed of several standards operating in different radio frequencies, including the 2.4 GHz (802.11 b and g) and 5 GHz (802.11a) unlicensed spectrums. New standards are emerging within the 802.11 specification to define additional aspects of wireless networking.

802.11a A supplement to 802.11 that operates in the 5 GHz frequency range with a maximum 54 Mbps data transfer rate. The 802.11a specification offers more radio channels than the 802.11b and uses OFDM. The additional channels ease radio and microwave interference.
802.11b International standard for wireless networking that operates in the 2.4 GHz frequency range (2.4 GHz to 2.4835 GHz) and provides a throughput of up to 11 Mbps. This common frequency is also used by microwave ovens, cordless phones, medical and scientific equipment, as well as Bluetooth devices.

529

 

802.11e An IEEE specification for providing Quality of Service (QoS) in 802.11 WLANs. 802.11e is a supplement to the IEEE 802.11 and provides enhancements to the 802.11 MAC layer supplying a Time Division Multiple Access (TDMA) construct and error-correcting mechanisms that aid delay-sensitive applications such as  and video.
802.11g Similar to 802.11b, this standard operates in the 2.4 GHz frequency. It uses OFDM to provide a throughput of up to 54 Mbps.
802.11i Supports the 128-bit Advanced Encryption Standard (AES) and Temporal Key Integrity Protocol (TKIP) along with 802.1X authentication and key management features for increased WLAN security capabilities.
802.11j Provides enhancements to the current 802.11 standard to support the 4.9GHz – 5GHz band for operations in Japan.
802.11k Due for ratification in 2005, the 802.11k Radio Resource Management standard will provide measurement information for access points and switches to make Wireless LANs run more efficiently.
802.11n An emerging standard aimed at providing greater than 100 Mbps of throughput in a wireless environment.
802.11r A specification under development to improve a wireless client’s ability to roam across wireless networks.
802.16 A specification for fixed broadband wireless metropolitan access networks (MANs) that uses a point-to-multipoint architecture. The standard defines the use of bandwidth between the licensed 10GHz and 66GHz bands and between the 2GHZ and 11GHz (licensed and unlicensed) frequency ranges. 802.16 supports very high bit rates for a distance of approximately 30 miles.
802.1X

A

Wireless LAN security implementation that uses port-based authentication between an operating system and the network access device, meant to increase security in user authentication by using RADIUS, Extensible Authentication Protocol (EAP), and LDAP.
AAA authentication, authorization, and accounting (triple A). An IP-based system for providing services to ensure secure network connections for users. The system requires a server such as a RADIUS server to enforce these services.
access point A device that is managed by a controller and that allows stations such as cellular phones or laptops to communicate wirelessly with the Wireless LAN System.
accounting Services that track the resources a user session uses such as amount of time logged on, data transferred, resources, etc. Accounting services are typically used for billing, auditing, analysis, etc.

 

 

ACL Access Control List. A list kept by the controller to limit access of station to the WLAN. The ACL can be a permit, deny, or RADIUS Server list of MAC addresses of the NIC device within the station. An ACL is controller by the configured state, either enabled or disabled.
AES Advanced Encryption Standard. An encryption standard that uses a symmetric encryption algorithm (Rijndael). AES was chosen by the National Information and Standards Institute (NIST) as the Federal Information Processing Standard (FIPS).
Air Traffic

Control

Fortinet technology that exercises a high degree of control over all transmissions within a wireless network. Unlike superficially similar technologies from other vendors, Air Traffic Control technology coordinates uplink and downlink transmissions on a single 802.11 channel in such a manner that the effects of co-channel and adjacent channel interference are eliminated and all access points on a network can share a single radio channel. It also load balances traffic across channels when using Channel Layering, ensuring that each channel
ATS Access Transaction Station. Alternative term for access point.
attenuation The reduction of RF signal strength due to the presence of an obstacle, such as a wall or person. The amount of attenuation caused by a particular object will vary depending upon its composition.
authentication The process of identifying a user, usually based on a username and password, but can also be a MAC address.
authorization

B

The process of granting or denying a user access to network resources once the user has been authenticated through the username and password.
backbone The central part of a large network that links two or more subnetworks and is the primary path for data transmission for a large business or corporation. A network can have a wired backbone or a wireless backbone.
bandwidth The amount of transmission capacity that is available on a network at any point in time. Available bandwidth depends on several variables such as the rate of data transmission speed between networked devices, network overhead, number of users, and the type of device used to connect PCs to a network. It is similar to a pipeline in that capacity is determined by size: the wider the pipe, the more water can flow through it; the more bandwidth a network provides, the more data can flow through it. Standard 802.11b provides a bandwidth of 11 Mbps; 802.11a and 802.11g provide a bandwidth of 54 Mbps. These are the raw capabilities of the network. Many things conspire to reduce these values, including protocol overhead, collisions, and implementation inefficiencies.
base station A term in cellular networking that refers to a radio transmitter/receiver that maintains communications with mobile radiotelephone sets within a given range (typically a cell site).

 

bps bits per second. A measure of data transmission speed over communication lines based on the number of bits that can be sent or received per second. Bits per second-bps-is often confused with bytes per second-Bps. 8 bits make a byte, so if a wireless network is operating at a bandwidth of 11 megabits per second (11 Mbps or 11 Mbits/sec), it is sending data at 1.375 megabytes per second (1.375 MBps).
bridge A product that connects a local area network (LAN) to another local area network that uses the same protocol (for example, wireless, Ethernet or token ring). Wireless bridges are commonly used to link buildings in campuses.
BSC Base Station Controller. Manages radio resources and controls handoff between cells. May also contain the transcoder for compressing/uncompressing  between cellular network and the Public Switched Telephone Network (PSTN).
BSSID

C

Basic Service Set Identifier is a means of uniquely identifying an access point, usually intended for machine use rather than human use. A 48-bit Ethernet MAC address is used to identify an 802.11 wireless service. In a Virtual Cell, all same-channel APs may appear to have the same BSSID, thus virtualizing the network from the client’s perspective. When Virtual Ports are used, each client sees a different BSSID, appearing to get its own private AP. See also ESSID.
Co-channel Interference Radio interference that occurs when two transmitters use the same frequency without being closely synchronized. Legacy wireless systems cannot achieve this kind of synchronization, so access points or cell towers that transmit on one channel must be spaced far apart. The result is coverage gaps that must be filled in with radios tuned to another channel, resulting in an inefficient and complex microcell architecture. Air Traffic Control technology avoids cochannel interference by tightly synchronizing access point transmissions, enabling that adjacent APs to use the same channel.
Channel Bonding The combination of two non-overlapping 20 MHz. channels into a single 40 MHz. channel, doubling the amount of data that can be transmitted in a given time but halving the number of available channels. Along with MIMO, it is a key innovation in the 802.11n standard.
Channel Layering Wireless LAN architecture in which several Virtual Cells are located in the same physical space but on non-overlapping channels, multiplying the available capacity. This additional capacity can be used for redundancy or to support higher data rates or user density. It can be enabled through multiple radios on one AP or by using multiple AP close together, so the total capacity is limited only be the number of non-overlapping channels available.
Channel Reuse A pattern in which different APs can use the same channel. In microcell networks, such APs need to be placed far apart to avoid co-channel interference, meaning that contiguous coverage requires multiple channels. In networks using Air Traffic Control technology, the same

channel can be reused throughout the network, meaning that only one channel is required and others are left free for other purposes.

CHAP Challenge Handshake Authentication Protocol. An authentication protocol that defines a three-way handshake to authenticate a user. CHAP uses the MD5 hash algorithm to generate a response to a challenge that can be checked by the authenticator.
CLI Command-line interpreter. On a controller and other units, this is similar to a command shell for giving instructions.
client Any computer connected to a network that requests services (files, print capability) from another member of the network.
client

devices

Clients are end users. Wi-Fi client devices include PC Cards that slide into laptop computers, mini-PCI modules embedded in laptop computers and mobile computing devices, as well as USB radios and PCI/ISA bus Wi-Fi radios. Client devices usually communicate with hub devices like access points and gateways.
collision avoidance A network node characteristic for proactively detecting that it can transmit a signal without risking a collision.
controller A device that is responsible for configuring and integrating the access points in a WLAN.
CSMA-CA CSMA/CA is the principle medium access method employed by IEEE 802.11 WLANs. It is a “listen before talk” method of minimizing (but not eliminating) collisions caused by simultaneous transmission by multiple radios. IEEE 802.11 states collision avoidance method rather than collision detection must be used, because the standard employs half duplex radiosradios capable of transmission or reception-but not both simultaneously.
CSMA/CD

D

A method of managing traffic and reducing noise on an Ethernet network. A network device transmits data after detecting that a channel is available. However, if two devices transmit data simultaneously, the sending devices detect a collision and retransmit after a random time delay.
dBm A measurement of relative power (decibel) related to 1 milliwatt (mW).
Denial of Service (DoS) A condition in which users are deliberately prevented from using network resources.
DES Data Encryption Standard. A symmetric encryption algorithm that always uses 56 bit keys. It is rapidly being replaced by its more secure successor, 3DES.
DHCP A utility that enables a server to dynamically assign IP addresses from a predefined list for a predefined time period, limiting their use time so that they can be reassigned. Without DHCP, IP addresses would have to be manually assigned to all computers on the network. When

DHCP is used, whenever a computer logs onto the network, it automatically is assigned an IP address.

DNS A program that translates URLs to IP addresses by accessing a database maintained on a collection of Internet servers. The program works behind the scenes to facilitate surfing the Web with alpha versus numeric addresses. A DNS server converts a name like mywebsite.com to a series of numbers like 107.22.55.26. Every website has its own specific IP address on the Internet.
DSL

E

Various technology protocols for high-speed data,  and video transmission over ordinary twisted-pair copper POTS (Plain Old Telephone Service) telephone wires.
EAP Extensible Authentication Protocol. An extension to PPP. EAP is a general protocol for authentication that also supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, public key authentication and smart cards. IEEE 802.1x specifies how EAP should be encapsulated in LAN frames.
EAP-TLS Extensible Authentication Protocol with Transport Layer Security. EAP-TLS supports mutual authentication using digital certificates. When a client requests access, the authentication server responds with a server certificate. The client replies with its own certificate and also validates the server certificate. The certificate values are used to derive session encryption keys.
EAP – TTLS Extensible Authentication Protocol with Tunneled Transport Layer Security. EAP-TTLS uses a combination of certificates and password challenge and response for authentication within an 802.1X environment. TTLS supports authentication methods defined by EAP, as well as the older Challenge Handshake Authentication Protocol (CHAP), Password Authentication Protocol (PAP), Microsoft CHAP (MS-CHAP), and MS-CHAPV2.
encryption key An alphanumeric (letters and/or numbers) series that enables data to be encrypted and then decrypted so it can be safely shared among members of a network. WEP uses an encryption key that automatically encrypts outgoing wireless data. On the receiving side, the same encryption key enables the computer to automatically decrypt the information so it can be read.
enterprise A term that is often applied to large corporations and businesses. The enterprise market can incorporate office buildings, manufacturing plants, warehouses and R&D facilities, as well as large colleges and universities.
ESSID Extended Service Set Identifier (ID). The identifying name of an 802.11 wireless network, which is a string of up to 32 characters that is intended to be viewed by humans. When you specify an ESSID in your client setup, you ensure that you connect to your wireless network rather than another network in range.

A set of access points can share an ESSID. In this case, a station can roam among the access points.

Ethernet

F

International standard networking technology for wired implementations. Basic 10BaseT networks offer a bandwidth of about 10 Mbps. Fast Ethernet (100 Mbps) and Gigabit Ethernet (1000 Mbps) are becoming popular.
FCC Federal Communications Commission. The United States’ governing body for telecommunications law.
firewall A system that secures a network and prevents access by unauthorized users. Firewalls can be software, hardware or a combination of both. Firewalls can prevent unrestricted access into a network, as well as restrict data from flowing out of a network.
Fourth

Generation

G

Term coined by analyst firm Gartner to describe a wireless LAN system in which the controller governs handoffs, such as one utilizing Virtual Cells. This is contrasted with third generation (micro-cell architecture) systems, in which the controller is only responsible for managing access points and clients must decide for themselves when to initiate a handoff. Second generation systems lacked a controller altogether and were designed for standalone operation, whereas the first generation used proprietary, non-802.11 systems.
gain The ratio of the power output to the power input of an amplifier in dB. The gain is specified in the linear operating range of the amplifier where a 1 dB increase in input power gives rise to a 1 dB increase in output power.
gateway

H

In the wireless world, a gateway is an access point with additional software capabilities such as providing NAT and DHCP. Gateways may also provide VPN support, roaming, firewalls, various levels of security, etc.
Handoff The transfer of a link from one access point to another as a client moves through a network. In legacy microcell networks, Wi-Fi clients are responsible for handoff, meaning that the quality of the link and the overall network performance is dependent on each client’s implementation of 802.11 roaming algorithms. In Virtual Cell and Virtual Port networks, the network itself governs handoffs as clients remain connected to a single virtual AP.
hub A multiport device used to connect PCs to a network via Ethernet cabling or via Wi-Fi. Wired hubs can have numerous ports and can transmit data at speeds ranging from 10 Mbps to multigigabyte speeds per second. A hub transmits packets it receives to all the connected ports. A

small wired hub may only connect 4 computers; a large hub can connect 48 or more. Wireless hubs can connect hundreds.

Hz

I

The international unit for measuring frequency, equivalent to the older unit of cycles per second. One megahertz (MHz) is one million hertz. One gigahertz (GHz) is one billion hertz. The standard US electrical power frequency is 60 Hz, the AM broadcast radio frequency band is 535-1605 kHz, the FM broadcast radio frequency band is 88-108 MHz, and Wireless 802.11b LANs operate at 2.4 GHz.
IP number Also called an IP address. A 32-bit binary number that identifies senders and receivers of traffic across the Internet. It is usually expressed in the form nnn.nnn.nnn.nnn where nnn is a number from 0 to 256.
identitybased networking A concept whereby WLAN policies are assigned and enforced based upon a wireless client’s identity, as opposed to its physical location. With identity networking, wireless devices need only authenticate once with a WLAN system. Context information will follow the devices as they roam, ensuring seamless mobility.
IEEE Institute of Electrical and Electronics Engineers. (www.ieee.org) A membership organization that includes engineers, scientists and students in electronics and allied fields. It has more than 300,000 members and is involved with setting standards for computers and communications.
IEEE 802.11 A set of specifications for LANs from The Institute of Electrical and Electronics Engineers (IEEE). Most wired networks conform to 802.3, the specification for CSMA/CD based Ethernet networks or 802.5, the specification for token ring networks. 802.11 defines the standard for Wireless LANs encompassing three incompatible (non-interoperable) technologies: Frequency Hopping Spread Spectrum (FHSS), Direct Sequence Spread Spectrum (DSSS) and Infrared. WECA’s focus is on 802.11b, an 11 Mbps high-rate DSSS standard for wireless networks.
infrastructure mode A client setting providing connectivity to an AP. As compared to Ad-Hoc mode, whereby PCs communicate directly with each other, clients set in Infrastructure Mode all pass data through a central AP. The AP not only mediates wireless network traffic in the immediate neighborhood, but also provides communication with the wired network. See Ad-Hoc and AP.
IP Internet Protocol. A set of rules used to send and receive messages at the Internet address level.
IP telephony Technology that supports , data and video transmission via IP-based LANs, WANs, and the Internet. This includes VoIP ( over IP).
IP address A 32-bit number that identifies each sender or receiver of information that is sent across the Internet. An IP address has two parts: an identifier of a particular network on the Internet and

an identifier of the particular device (which can be a server or a workstation) within that network.

IPSec                       IPSec is a security protocol from the Internet Engineering Task Force (IETF) that provides authentication and encryption. IPsec, which works at Layer 3, is widely used to secure VPNs and wireless users. Some vendors, like Airespace, have implemented special WLAN features that allow IPsec sessions to roam with clients for secure mobility.

ISDN A type of broadband Internet connection that provides digital service from the customer’s premises to the dial-up telephone network. ISDN uses standard POTS copper wiring to deliver , data or video.

ISO network A network model developed by the International Standards Organization (ISO) that consists of model seven different levels, or layers. By standardizing these layers, and the interfaces in between, different portions of a given protocol can be modified or changed as technologies advance or systems requirements are altered. The seven layers are:

  • Physical
  • Data Link Network
  • Transport
  • Session
  • Presentation
  • Application

The IEEE 802.11 Standard encompasses the physical layer (PHY) and the lower portion of the data link layer. The lower portion of the data link layer is often referred to as the Medium Access Controller (MAC) sublayer.

J

K

L

LAN                          Local Area Network. A system of connecting PCs and other devices within the same physical proximity for sharing resources such as an Internet connections, printers, files and drives. When Wi-Fi is used to connect the devices, the system is known as a Wireless LAN or WLAN.

LDAP Lightweight Directory Access Protocol. A set of protocols for accessing information directories conforming to the X.500 standard.

 

LWAPP

M

Lightweight Access Point Protocol. A proposed specification to the International Engineering Task Force (IETF) created to standardize the communications protocol between access points and WLAN system devices (switches, appliances, routers, etc.). Initial authors include Airespace and NTT DoCoMo. See CAPWAP
MAC Medium Access Control. This is the function of a network controller that determines who gets to transmit when. Each network adapter must be uniquely identified. Every wireless 802.11 device has its own specific MAC address hard-coded into it. This unique identifier can be used to provide security for wireless networks. When a network uses a MAC table, only the 802.11 radios that have had their MAC addresses added to that network’s MAC table will be able to get onto the network.
Man in Middle (MiM) An attack that results from the interception and possible modification of traffic passing between two communicating parties, such as a wireless client and Access Point. MIM attacks succeed if the systems can’t distinguish communications with an intended recipient from those with the intervening attacker.
Mbps Million bits (megabits) per second.
MIC Message Integrity Check. MIC is part of a draft standard from IEEE 802.11i working group. It is an additional 8 byte field which is placed between the data portion of an 802.11 (Wi-Fi) frame and the 4 byte ICV (Integrity Check Value) to protect both the payload and the header. The algorithm which implements the MIC is known as Michael.
Microcell Wireless architecture in which adjacent APs must be tuned to different, non-overlapping channels in an attempt to mitigate co-channel interference. This requires complex channel planning both before the network is built and whenever a change is made, and uses spectrum so inefficiently that some co-channel interference still occurs, especially at 2,4 GHz. Microcell architectures were common in 2G cell phone systems and legacy wireless LAN systems. They are not used in 3G cellular networks or in wireless LAN systems that use Air Traffic Control, as these allow all access points to share a single channel.
mobile professional A salesperson or a “road warrior” who travels frequently and requires the ability to regularly access his or her corporate networks, via the Internet, to post and retrieve files and data and to send and receive e-mail.
multipath

N

The process or condition in which radiation travels between source and receiver via more than one propagation path due to reflection, refraction, or scattering.
NAT NetwOrk Address Translation. A system for converting the IP numbers used in one network to the IP numbers used in another network. Usually one network is the internal network and one

network is the external network. Usually the internal IP numbers form a relatively large set of IP numbers, which must be compressed into a small set of IP numbers for the external network.

network name Identifies the wireless network for all the shared components. During the installation process for most wireless networks, you need to enter the network name or SSID. Different network names are used when setting up your individual computer, wired network or workgroup.
NIC

O

Network Interface Card. A type of PC adapter card that either works without wires (Wi-Fi) or attaches to a network cable to provide two-way communication between the computer and network devices such as a hub or switch. Most office wired NICs operate at 10 Mbps (Ethernet), 100 Mbps (Fast Ethernet) or 10/100 Mbps dual speed. High-speed Gigabit and 10 Gigabit NIC cards are also available. See PC Card.
OFDM Orthogonal Frequency Division Multiplexing. A modulation technique for transmitting large amounts of digital data over a radio wave. OFDM splits the radio signal into multiple smaller signals that are transmitted in parallel at different frequencies to the receiver. OFDM reduces the amount of crosstalk in signal transmissions. 802.11a uses OFDM.
Overlay Network

P

A dedicated network of radio sensors that are similar to access points but do not serve clients, scanning the airwaves full time for security or management issues. Overlay networks lack the flexibility of AP-based scanning, as radios cannot be redeployed between scanning and client access. They also lack deep integration with the main wireless network, necessary for realtime management and intrusion prevention.
Partitioning Virtualization technique in which a single resource is divided up into virtual resources that are then dedicated to a particular application. Examples include the virtual machines in server virtualization, virtual disk drives in SANs and Virtual Ports in Fortinet’s Wireless LAN Virtualization. The main advantages of partitioning are control and isolation: Each application or user can be given exactly the resources that it  needs, protecting them from each other and ensuring that none consumes more than its allocated share of resources. In a wireless context, it makes a wireless LAN behave more like a switched Ethernet port.
Pooling Virtualization technique in which multiple physical resources are combined into a single virtual resource. Examples include the multiple disk drives in a virtual storage array, the multiple CPUs in a modern server and the multiple access points in a Fortinet Virtual Cell. The main advantages of pooling are agility, simplified management and economies of scale: Resources can be moved  between applications on demand, reducing the need for over-provisioning and freeing applications or users from dependence on a single piece of limited infrastructure.

 

PC card A removable, credit-card-sized memory or I/O device that fits into a Type 2 PCMCIA standard slot, PC Cards are used primarily in PCs, portable computers, PDAs and laptops. PC Card peripherals include Wi-Fi cards, memory cards, modems, NICs, hard drives, etc.
PCI A high-performance I/O computer bus used internally on most computers. Other bus types include ISA and AGP. PCIs and other computer buses enable the addition of internal cards that provide services and features not supported by the motherboard or other connectors.
PDA Smaller than laptop computers but with many of the same computing and communication capabilities, PDAs range greatly in size, complexity and functionality. PDAs can provide wireless connectivity via embedded Wi-Fi Card radios, slide-in PC Card radios, or Compact Flash Wi-Fi radios.
PEAP Protected Extensible Authentication Protocol. An extension to the Extensible Authentication Protocol with Transport Layer Security (EAP-TLS), developed by Microsoft Corporation. TLS is used in PEAP Part 1 to authenticate the server only, and thus avoids having to distribute user certificates to every client. PEAP Part 2 performs mutual authentication between the EAP client and the server.
peer-to-peer network A wireless or wired computer network that has no server or central hub or router. All the networked PCs are equally able to act as a network server or client, and each client computer can talk to all the other wireless computers without having to go through an access point or hub. However, since there is no central base station to monitor traffic or provide Internet access, the various signals can collide with each other, reducing overall performance.
PHY The lowest layer within the OSI Network Model. It deals primarily with transmission of the raw bit stream over the PHYsical transport medium. In the case of Wireless LANs, the transport medium is free space. The PHY defines parameters such as data rates, modulation method, signaling parameters, transmitter/receiver synchronization, etc. Within an actual radio implementation, the PHY corresponds to the radio front end and baseband signal processing sections.
plenum The ceiling plenum is the volume defined by the area above the back of the ceiling tile, and below the bottom of the structural slab above. Within this plenum is usually found a combination of HVAC ducts, electrical and electronic conduits, water pipes, traditional masking sound speakers, etc. Networking equipment needs to be plenum rated to certify that it is suitable for deployment in this area.
PoE Power over Ethernet. A technology defined by the IEEE 802.3af standard to deliver dc power over twisted-pair Ethernet data cables rather than power cords. The electrical current, which enters the data cable at the power-supply end and comes out at the device end, is kept separate from the data signal so neither interferes with the other.
POTS Plain Old Telephone Service. Standard analog telephone service (an acronym for Plain Old Telephone Service).

 

proxy server Used in larger companies and organizations to improve network operations and security, a proxy server is able to prevent direct communication between two or more networks. The proxy server forwards allowable data requests to remote servers and/or responds to data requests directly from stored remote server data.
PSTN

Q

Public Switched Telephone Network. The usual way of making telephone calls in the late 20th century, designed around the idea of using wires and switches. Perhaps to be supplanted by  Over IP in the 21st century.
QoS

R

Quality of Service. A set of technologies for managing and allocating Internet bandwidth. Often used to ensure a level of service required to support the performance requirements of a specific application, user group, traffic flow, or other parameter. Defined within the service level are network service metrics that include network availability (uptime), latency and packet loss.
RADIUS Remote Authentication Dial-In User Service. A service that authorizes connecting users and allows them access to requested systems or services. The Microsoft ISA server is a RADIUS server.
range How far will your wireless network stretch? Most Wi-Fi systems will provide a range of a hundred feet or more. Depending on the environment and the type of antenna used, Wi-Fi signals can have a range of up to mile.
RC4 algorithm The RC4 algorithm uses an Initialization Vector (IV) and a secret key to generate a pseudorandom key stream with a high periodicity. Designed by RSA Security, RC4 is used in WEP and many other transmission protocols including SSL.
RF Radio Frequency. The type of transmission between a Wireless LAN access point and a wireless client (e.g., laptop, PDA, or phone). Wireless LANs can use RF spectrum at either 2.4 GHz (IEEE 802.11b or IEEE 802.11g) or 5 GHz (IEEE 802.11G).
RFID Radio Frequency ID. A device that picks up signals from and sends signals to a reader using radio frequency. Tags come in many forms, such as smart labels that are stuck on boxes; smart cards and key-chain wands for paying for things; and a box that you stick on your windshield to enable you to pay tolls without stopping. Most recently, active 802.11 RFID tags are being deployed in enterprise environments to provide more consistent tracking across farther distances than traditional passive devices.
RF fingerprinting In an enterprise WLAN scenario, RF fingerprinting refers to creating a blueprint of a building’s RF characteristics, taking into account specific wall and design characteristics such as attenuation and multipath. This information is compared to real-time information collected by APs for

802.11 location tracking. By taking RF characteristics into account, RF fingerprint is the most accurate method of wireless device tracking available today.

RF prediction The process of predicting WLAN characteristics, such as throughput and coverage area, based upon imported building characteristics and sample WLAN design configurations.
RF triangulation A common method used for 802.11 device tracking whereby 3 or more Access Points compare RSSI information to triangulate in on a device’s location. While easy to implement, RF triangulation does not account for multipath, attenuation, and other RF characteristics that may affect receive sensitivity, making it less accurate than RF fingerprinting.
roaming The process that takes places as a client moves between the coverage areas of different APs, necessitating a handoff. In microcell Wi-Fi networks, roaming can be a complex procedure that risks dropped connections and drags down network performance, as the client is forced to decide when to disconnect from one AP and search for another. In networks using Virtual Cell and Virtual Port technology, the infrastructure controls roaming, automatically connecting each client to the optimum AP.
rogue Access Point An AP that is not authorized to operate within a wireless network. Rogue APs subvert the security of an enterprise network by allowing potentially unchallenged access to the enterprise network by any wireless user (client) in the physical vicinity.
RJ-45 Standard connectors used in Ethernet networks. Even though they look very similar to standard RJ-11 telephone connectors, RJ-45 connectors can have up to eight wires, whereas telephone connectors have only four.
roaming Moving seamlessly from one AP coverage area to another with no loss in connectivity.
router A device that forwards data packets from one local area network (LAN) or wide area network (WAN) to another. Based on routing tables and routing protocols, routers can read the network address in each transmitted frame and make a decision on how to send it via the most efficient route based on traffic load, line costs, speed, bad connections, etc.
RSA A public-key algorithm developed in 1977 and named after its inventors, Rivest, Shamir, and Adleman. RSA, currently owned by RSA Data Security, Inc., is used for encryption, digital signatures, and key exchange.
RSN Robust Security Network. A new standard within IEEE 802.11i to provide security and privacy mechanisms in an 802.11 wireless network. RSN leverages 802.1x authentication with Extensible Authentication Protocol (EAP) and AES for encryption.
RSSI

S

Received Signal Strength Indication. The measured power of a received signal.
scanning The process of checking the airwaves for rogue access points or attackers.  Scanning APs are typically implemented as an Overlay Network, as most APs can not scan and serve traffic at

the same time. Fortinet’s APs are able to scan the airwaves and serve clients simultaneously, eliminating the need for an overlay.  Fortinet’s single-channel architecture improves accuracy when scanning for intruders, as all APs are able to detect signals from all clients.

server A computer that provides its resources to other computers and devices on a network. These include print servers, Internet servers and data servers. A server can also be combined with a hub or router.

Single Channel

Term sometimes used to describe a network in which all access points operate on the same channel, such as one using Virtual Cell technology. Single channel operation is more spectrally efficient than a microcell architecture and necessary for the use of Virtual Cells and network-controlled handoff. Single Channel improves security by making intrusion detection easier and location tracking more accurate, as every AP automatically receives transmissions from every client within range. It also enables the RF Barrier to function with as little as one radio, because only one channel needs to be blocked from outside access.

SIP Session Initiation Protocol. SIP is a protocol for finding users, usually human, and setting up multimedia communication among them, typically a VoIP phone call.
site survey The process whereby a wireless network installer inspects a location prior to putting in a wireless network. Site surveys are used to identify the radio- and client-use properties of a facility so that access points can be optimally placed. Wireless LAN System WLANs are optimized to not require a site survey.
spectral efficiency The ratio of data rate to radio spectrum usage. A Virtual Cell is much more spectrally efficient than a microcell architecture, as the microcells consume at least three non-overlapping channels to provide the coverage that a Virtual Cell offers with just one.
SSID A 32-character unique identifier attached to the header of packets sent over a WLAN that acts as a name when a mobile device tries to connect to the BSS. (Also called ESSID.) The SSID differentiates one WLAN from another, so all access points and all devices attempting to connect to a specific WLAN must use the same SSID. A device will not be permitted to join the BSS unless it can provide the unique SSID. Because an SSID can be sniffed in plain text from a packet, it does not supply any security to the network. An SSID is also referred to as a Network Name because essentially it is a name that identifies a wireless network.
ssh Secure SHell. A terminal-emulation program that allows users to log onto a remote device and execute commands. It encrypts the traffic between the client and the host.
SSL Secure Socket Layer. Commonly used encryption scheme used by many online retail and banking sites to protect the financial integrity of transactions. When an SSL session begins, the server sends its public key to the browser. The browser then sends a randomly generated secret key back to the server in order to have a secret key exchange for that session.

 

station Devices such as cellular phones or laptops that need to communicate wirelessly with the Meru Wireless LAN System and do so through access points.
subnetwork or subnet Found in larger networks, these smaller networks are used to simplify addressing between numerous computers. Subnets connect to the central network through a router, hub or gateway. Each individual Wireless LAN will probably use the same subnet for all the local computers it talks to.
subnet mobility The ability of a wireless user to roam across Access Points deployed on different subnets using a single IP address.
supplicant A wireless client that is requesting access to a network.
switch

T

A type of hub that efficiently controls the way multiple devices use the same network so that each can operate at optimal performance. A switch acts as a networks traffic cop: rather than transmitting all the packets it receives to all ports as a hub does, a switch transmits packets to only the receiving port.
TCP Transmission Control Protocol. A protocol used along with the Internet Protocol (IP) to send data in the form of individual units (called packets) between computers over the Internet. While IP takes care of handling the actual delivery of the data, TCP takes care of keeping track of the packets that a message is divided into for efficient routing through the Internet. For example, when a web page is downloaded from a web server, the TCP program layer in that server divides the file into packets, numbers the packets, and then forwards them individually to the IP program layer. Although each packet has the same destination IP address, it may get routed differently through the network. At the other end, TCP reassembles the individual packets and waits until they have all arrived to forward them as a single file.
TCP/IP The underlying technology behind the Internet and communications between computers in a network. The first part, TCP, is the transport part, which matches the size of the messages on either end and guarantees that the correct message has been received. The IP part is the user’s computer address on a network. Every computer in a TCP/IP network has its own IP address that is either dynamically assigned at startup or permanently assigned. All TCP/IP messages contain the address of the destination network as well as the address of the destination station. This enables TCP/IP messages to be transmitted to multiple networks (subnets) within an organization or worldwide.
TKIP Temporal Key Integrity Protocol. An enhancement to the WEP encryption technique that uses a set of algorithms to rotate session keys for better protection. TKIP uses RC4 ciphering, but adds functions such as a 128-bit encryption key, a 48-bit initialization vector, a new message integrity code (MIC), and initialization vector (IV) sequencing rules.

U

USB A high-speed bidirectional serial connection between a PC and a peripheral that transmits data at the rate of 12 megabits per second. The new USB 2.0 specification provides a data rate of up to 480 Mbps, compared to standard USB at only 12 Mbps. 1394, FireWire and iLink all provide a bandwidth of up to 400 Mbps.
UTC

V

Universal Time Coordinated. Also known as Greenwich Mean Time. The time is not adjusted for time zones or for daylight savings time.
Virtual Cell Proprietary wireless LAN architecture in which multiple access points are pooled into a single, virtual resource. To the client, APs are indistinguishable because they all use the same BSSID and radio channel . Because clients remain connected to the same virtual AP as they move through a network, no client-initiated handoffs are necessary. Instead, the network itself automatically routes all radio connections through the most appropriate AP. This maximizes bandwidth, simplifies network management and conserves radio spectrum for scalability and redundancy.
Virtual Port An enhancement to the Virtual Cell architecture which partitions the network so that each client device has its own private network with a unique BSSID. From the client’s perspective, it gets its own dedicated AP to which it remains connected no matter where it travels in the network. Like a switched  Ethernet port, the Virtual Port eliminates latency, jitter and contention for bandwidth as there is only ever one client on each port. Unlike an Ethernet port, it can be personalized to fit each user or device, giving the network control over client behavior with no proprietary client-side software or extensions necessary.
VoFI ( over

Wi-Fi) or VoWLAN ( over Wireless

LAN)

 over IP links that run over a wireless network. VoIP does not usually require high data rates, but it stresses wireless networks in other ways by demanding low latencies and smooth handoffs. In addition, no 802.11n phones yet exist, as most handsets are too small to accommodate MIMO’s multiple antennas  spaced a wavelength apart. This means that 802.11n networks running VoFI must have a way to deal with 802.11b/g clients.
VLAN Virtual LAN. A logical grouping of devices that enables users on separate networks to communicate with one another as if they were on a single network.
VPN Virtual Private Network. A type of technology designed to increase the security of information transferred over the Internet. VPN can work with either wired or wireless networks, as well as with dial-up connections over POTS. VPN creates a private encrypted tunnel from the end user’s computer, through the local wireless network, through the Internet, all the way to the corporate servers and database.

W

WAN                        Wide Area Network. A communication system of connecting PCs and other computing

devices across a large local, regional, national or international geographic area. Also used to distinguish between phone-based data networks and Wi-Fi. Phone networks are considered WANs and Wi-Fi networks are considered Wireless Local Area Networks (WLANs).

WEP                          Wired Equivalent Privacy. Basic wireless security provided by Wi-Fi. In some instances, WEP

may be all a home or small-business user needs to protect wireless data. WEP is available in 40-bit (also called 64-bit), or in 104-bit (also called 128-bit) encryption modes. As 104-bit encryption provides a longer key that takes longer to decode, it can provide better security than basic 40-bit (64-bit) encryption.

Wi-Fi                        Brand name for wireless LANs based on various 802.11 specifications. All products bearing the Wi-Fi logo have been tested for interoperability by the Wi-Fi Alliance, an industry group composing every major 802.11 client and infrastructure vendor.

WLAN                      Wireless LAN. Also referred to as LAN. A type of local-area network that uses high-frequency radio waves rather than wires to communicate between nodes.

WME                        Wireless Multimedia Extension. The Wi-Fi Alliance’s standard for QoS based upon the Enhanced Distribution Coordination Function (EDCF), which is a subset of the IEEE 802.11e specification.

WNC                        Wireless Network Controller. Alternative term for controller.

WSM                        Wi-Fi Scheduled Media. The Wi-Fi Alliance’s emerging standard for QoS that is based upon the HCF portion of the 802.11e standard, which dedicates bandwidth segments to specific data types. WSM is going to have less of a focus in the enterprise space than its WME counterpart.

WPA                        Wi-Fi Protected Access. The Wi-Fi Alliance put together WPA as a data encryption method for 802.11 Wireless LANs. WPA is an industry-supported, pre-standard version of 802.11i utilizing the Temporal Key Integrity Protocol (TKIP). WPA will serve until the 802.11i standard is ratified in the third quarter of 2003.

X

X.509                         Created by the International Telecommunications Union Telecommunication Standardization

Sector (ITU-T), X.509 is the most widely used standard for defining digital certificates.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiWLC – Syslog Messages

Syslog Messages

This Appendix provides a brief listing of all Syslog messages currently implemented in FortiWLC (SD).

Controller Management

Controller Management

Event System Log Example Description Action
CONTROLLER REBOOT Oct 13 11:11:32 172.18.37.201 ALARM: 1255432836l | system | notice | NOT | Controller administrative reboot requested A controller reboot is requested.  

 

Event System Log Example Description Action
CONTROLLER BOOT

PROCESS

START

502

Oct 13 11:12:55 172.18.37.201 syslog: syslogd startup succeeded

Oct 13 11:12:55 172.18.37.201 syslog: klogd startup succeeded

Oct 13 11:12:58 172.18.37.201 sysctl: net.ipv4.ip_forward = 1

Oct 13 11:12:58 172.18.37.201 sysctl: net.ipv4.conf.default.rp_filter = 1

Oct 13 11:12:58 172.18.37.201 sysctl: kernel.sysrq = 0

Oct 13 11:12:58 172.18.37.201 sysctl: kernel.core_uses_pid = 1

Oct 13 11:12:58 172.18.37.201 network: Setting network parameters:  succeeded

Oct 13 11:12:58 172.18.37.201 network: Bringing up loopback interface:  succeeded

Oct 13 11:12:58 172.18.37.201 crond: crond startup succeeded

Oct 13 11:12:58 172.18.37.201 sshd:  succeeded

Oct 13 11:12:58 172.18.37.201 sshd[303]: Server listening on 0.0.0.0 port 22.

Oct 13 11:12:58 172.18.37.201 network: Bringing up interface eth0:  succeeded

Oct 13 11:12:59 172.18.37.201 xinetd: xinetd startup succeeded

Oct 13 11:12:59 172.18.37.201 root: Start WLAN Services …

Oct 13 11:13:01 172.18.37.201 meru: /etc/init.d/ceflog: / opt/meru/var/run/running-db/ceflog.conf: No such file or directory

Oct 13 11:13:01 172.18.37.201 meru: Setting up swapspace version 0, size = 43446272 bytes

Oct 13 11:13:01 172.18.37.201 meru: Using /lib/modules/

2.4.18-3-meruenabled/kernel/drivers/dump/dump.o

Oct 13 11:13:01 172.18.37.201 meru: Kernel data gathering phase complete

Oct 13 11:13:05 172.18.37.201 meru: Warning: loading / opt/meru/kernel/ipt_vlan_routing.mod will taint the kernel: non-GPL license – Proprietary

Oct 13 11:13:37 172.18.37.201 meru: Process RemoteUpgrade did not come up. Will retry again

Oct 13 11:13:37 172.18.37.201 root: Controller Up on Tue

Controller boot sequence showing different processes and WLAN services getting started.

Co

ntroller Management

 

Event System Log Example Description Action
CONTROLLER SHUTDOWN

PROCESS

STOP

Controller Managem

Oct 13 11:11:33 172.18.37.201 root: Stop WLAN Services

Oct 13 11:11:33 172.18.37.201 meru: icrd stopped.

Oct 13 11:11:33 172.18.37.201 meru: RIos stopped.

Oct 13 11:11:37 172.18.37.201 meru: discovery stopped.

Oct 13 11:11:37 172.18.37.201 meru: WncDhcpRelay stopped.

Oct 13 11:11:37 172.18.37.201 meru: nmsagent stopped.

Oct 13 11:11:38 172.18.37.201 meru: melfd stopped.

Oct 13 11:11:38 172.18.37.201 meru: igmp-snoop-daemon stopped.

Oct 13 11:11:44 172.18.37.201 meru: dfsd stopped.

Oct 13 11:11:45 172.18.37.201 meru: aeroscoutd stopped.

Oct 13 11:11:45 172.18.37.201 meru: snmp stopped. Oct 13 11:11:46 172.18.37.201 meru: cmdd stopped.

Oct 13 11:11:47 172.18.37.201 meru: rfsmgr stopped.

Oct 13 11:11:49 172.18.37.201 meru: wncclid stopped.

Oct 13 11:11:50 172.18.37.201 meru: sipfd stopped.

Oct 13 11:11:51 172.18.37.201 meru: rulefd stopped.

Oct 13 11:11:52 172.18.37.201 meru: watchdog stopped.

Oct 13 11:11:52 172.18.37.201 meru: oct_watchdog stopped.

Oct 13 11:11:52 172.18.37.201 meru: h323fd stopped.

Oct 13 11:11:53 172.18.37.201 meru: sccpfd stopped.

Oct 13 11:11:54 172.18.37.201 meru: coordinator stopped.

Oct 13 11:11:54 172.18.37.201 meru: security-mm stopped.

Oct 13 11:11:56 172.18.37.201 meru: hostapd stopped.

Oct 13 11:11:57 172.18.37.201 meru: rogueapd stopped.

Oct 13 11:11:58 172.18.37.201 meru: xems stopped.

Oct 13 11:11:58 172.18.37.201 meru: apache stopped.

Oct 13 11:12:01 172.18.37.201 meru: xclid stopped.

Oct 13 11:12:07 172.18.37.201 meru: wncagent stopped.

entOct 13 11:12:07 172.18.37.201 meru: Removed VLAN –

:vlan133:-

Oct 13 11:12:08 172.18.37.201 meru: vlan stopped.

Controller shutdown sequence, showing different processes and WLAN ser-

vices getting stopped.

503

 

 

Event System Log Example Description Action
  Oct 13 11:12:15 172.18.37.201 meru:

Oct 13 11:12:18 172.18.37.201 root: WLAN Services stopped

Oct 13 11:12:18 172.18.37.201 rc: Stopping meru:  succeeded

Oct 13 11:12:18 172.18.37.201 sshd[317]: Received signal 15; terminating.

Oct 13 11:12:18 172.18.37.201 sshd: sshd -TERM succeeded

Oct 13 11:12:18 172.18.37.201 xinetd: xinetd shutdown succeeded

Oct 13 11:12:18 172.18.37.201 crond: crond shutdown succeeded

Oct 13 11:12:19 172.18.37.201 syslog: klogd shutdown succeeded

   

 

 

Event System Log Example Description Action
SSH LOGIN SESSION Oct 13 11:13:58 172.18.37.201 sshd[4874]: PAM

_pam_init_handlers: no default config /etc/pam.d/other

Oct 13 11:14:00 172.18.37.201 sshd[4874]: PAM

_pam_init_handlers: no default config /etc/pam.d/other

Oct 13 11:14:00 172.18.37.201 sshd[4874]: Accepted password for admin from 172.18.37.12 port 1891 ssh2

Oct 13 11:14:00 172.18.37.201 sshd(pam_unix)[4876]: session opened for user admin by (uid=0)

Oct 13 11:14:00 172.18.37.201 PAM-env[4876]: Unable to open config file: No such file or directory

Oct 13 11:14:00 172.18.37.201 sshd[4876]: lastlog_perform_login: Couldn’t stat /var/log/lastlog: No such file or directory

Oct 13 11:14:00 172.18.37.201 sshd[4876]: lastlog_openseek: /var/log/lastlog is not a file or directory!

Apr 09 12:00:22 172.18.49.14  — admin[19814]: LOGIN ON pts/3 BY admin FROM xp.merunetworks.com

Apr 09 15:23:07 172.18.37.203 sshd(pam_unix)[23750]:

session closed for user admin

Apr 09 15:07:53 172.18.37.203 su(pam_unix)[28060]:

session opened for user root by admin(uid=0)

Apr 09 15:08:09 172.18.37.203 su(pam_unix)[28060]: session closed for user root

Apr 09 17:48:48 172.18.37.203 sshd[28588]: Received disconnect from 172.18.37.15: 11: Disconnect requested by Windows SSH Client.

A controller user logged in, using an SSH connection.  
WEB ADMIN LOGIN Oct 13 11:15:07 172.18.37.201 xems: 1255433051l | security | info | WAU | Controller Access User

admin@172.18.37.12 login to controller at time Tue Oct 13 11:24:11 2009 is OK

Admin logged in to controller GUI.  

 

Event System Log Example Description Action
NTP SERVER

NOT ACCESSIBLE

Apr 12 18:01:10 172.18.49.14 root: NTP server time.windows.com did not respond. NTP server is not accessible. Check to see if NTP server is down, or verify that the NTP server is correctly configured on the controller. If the configuration is wrong,

use the “Setup” command to

correct the configuration.

User Management: RADIUS request sent Mar 29 13:43:40 172.18.86.229 SecurityMM:

1269866620l | security | info | RBAC | Sending RADIUS

Access-Request message for user : pat

For RADIUS-

based controller user management, RADIUS access request is being sent to

RADIUS server.

 
User Management: Group ID not available Mar 29 13:46:32 172.18.86.229 xems: 1269866791l | security | info | RBAC | Group Id not available for Group Num 700 and User Id pat Group ID configured for controller user is not available. Create group with this group ID, or change the group ID for this user.
User Management: RADIUS

Success

Mar 29 13:49:18 172.18.86.229 SecurityMM:

1269866959l | security | info | RBAC | RADIUS Access succeed for user <pat>

For RADIUS-

based controller user management, RADIUS authentication succeeded.

 
User Management: Group Number

received from

RADIUS

Mar 29 13:49:18 172.18.86.229 SecurityMM:

1269866959l | security | info | RBAC | Group Num <700> received from RADIUS server for user <pat>

RADIUS server returned group number for user logged in.  

 

Event System Log Example Description Action
User Management: User Login Success Mar 29 13:49:18 172.18.86.229 xems: 1269866959l | security | info | WAU | Controller Access User

pat@172.18.45.17 login to controller at time Mon Mar 29 18:19:19 2010 is OK

Controller user logged in.  
User Management: RADIUS

Failure

Mar 29 13:50:42 172.18.86.229 SecurityMM:

1269867043l | security | info | RBAC | RADIUS Access failed for user <local1234>

RADIUS

authentication for controller user failed.

 
User Management: User Login Failure Mar 29 13:50:43 172.18.86.229 xems: 1269867043l | security | info | WAU | Controller Access User

local1234@172.18.45.17 login to controller at time Mon

Mar 29 18:20:43 2010 is FAILED

Controller user login failed.  
DUAL ETHERNET info NOT 10/08/2009 00:12:42 <00:90:0b:0a:81:b0> 1st interface link up. Controller’s first interface link is up.  
DUAL ETHERNET info NOT 10/08/2009 00:16:14 <00:90:0b:0a:81:b0> 1st interface link down. Controller’s first interface link is down.  
DUAL ETHERNET info NOT 10/08/2009 00:25:55 <00:90:0b:0a:81:af> 2nd interface link up. Controller’s second interface link is up.  
DUAL ETHERNET info NOT 10/08/2009 00:26:16 <00:90:0b:0a:81:af> 2nd interface link down. Controller’s second interface link is down.  
DUAL ETHERNET info NOT 10/08/2009 00:25:56 <00:90:0b:0a:81:af> switch to 2nd interface done. Controller is configured in redundant mode for dual Ethernet. The first interface went down, so the second interface has taken over.  

 

Event System Log Example Description Action
DUAL ETHERNET info NOT 10/08/2009 00:26:19 <00:90:0b:0a:81:af> switch to 1st interface done. Controller is configured in redundant mode for dual Ethernet. The second interface

went down, so

the first interface has taken over.

 
DUAL ETHER-

NET: STANDALONE MODE

EXAMPLE

info NOT 10/08/2009 00:12:42 <00:90:0b:0a:81:b0> 1st interface link up.

info NOT 10/08/2009 00:16:14 <00:90:0b:0a:81:b0> 1st interface link down.

Sequence

shown when the controller is configured in standalone mode, and the first interface goes down.

If first interface link down message is seen,

check the con-

nectivity to first interface.

 

 

Event System Log Example Description Action
DUAL ETHER-

NET: REDUN-

DANT MODE

EXAMPLE

info NOT 10/08/2009 00:24:26 <00:90:0b:0a:81:af> 1st interface link up.

info NOT 10/08/2009 00:25:52 <00:90:0b:0a:81:af> 1st interface link down.

info NOT 10/08/2009 00:25:55 <00:90:0b:0a:81:af> 2nd interface link up.

info NOT 10/08/2009 00:25:56 <00:90:0b:0a:81:af> switch to 2nd interface done.

info NOT 10/08/2009 00:26:16 <00:90:0b:0a:81:af> 2nd interface link down.

info NOT 10/08/2009 00:26:19 <00:90:0b:0a:81:af> 1st interface link up.

info NOT 10/08/2009 00:26:19 <00:90:0b:0a:81:af> switch to 1st interface done.

Sequence

shown when the controller is configured in redundant mode. When the first interface goes down, and the second interface takes over.

Check the connectivity on the interface that has gone down.
DUAL ETHER-

NET: ACTIVE

MODE EXAM-

PLE

info NOT 10/08/2009 00:37:29 <00:90:0b:0a:81:b0> 1st interface link up.

info NOT 10/08/2009 00:37:29 <00:90:0b:0a:81:af> 2nd interface link up.

info NOT 10/08/2009 00:38:34 <00:90:0b:0a:81:af> 2nd interface link down.

info NOT 10/08/2009 00:38:39 <00:90:0b:0a:81:b0> 1st interface link down.

info NOT 10/08/2009 00:38:43 <00:90:0b:0a:81:b0> 1st interface link up.

info NOT 10/08/2009 00:38:45 <00:90:0b:0a:81:af> 2nd interface link up.

Sequence

shown when the controller is configured in active mode.

Check the connectivity on the interface that has gone down.

 

AP System
Event System Log Example Description Action  
AP Down Mar 21 12:56:51 172.18.65.202 ALARM: 1206084411l | system | info | ALR | AP DOWN CRITICAL Access Point

Pat-AP300 (2) at time Fri Mar 21 07:26:51 2008

This message is generated when the controller detects an AP Down event.

An AP Down event can be reported for many reasons: AP upgrading

Power failure

Network failure, AP not accessible.

AP crash

If an AP crash is occurring due to an unknown

issue, contact Customer Support.

 
AP Up Mar 21 12:57:20 172.18.65.202 ALARM: 1206084440l | system | info | ALR | AP UP  Access Point Pat-AP300 (2) is up at time Fri Mar 21 07:27:20 2008 This message is generated when the controller detects an AP Up event.    
AP Software Version Mismatch Mar 21 15:19:05 172.18.65.202 ALARM: 1206092945l | system | info | ALR | AP SOFTWARE VERSION MISMATCH CRITICAL AP Pat-AP300 (2) – Software Version Mismatch : AP version is 3.4.SR3m-10 and Controller version is 3.6-40 This message is generated when the AP software version does not match the controller software version. If Auto-APUpgrade is enabled, the controller will automatically upgrade AP software to the same version.

Otherwise, manually upgrade the AP to the version same as the controller.

 
  Event System Log Example Description Action
  AP Upgrade Apr 09 12:41:18 172.18.37.203 ALARM: 1270817859l | system | notice | NOT | Software version of AP 4 is being changed from 4.0-86 to 4.0-89 The AP software

is being upgraded.

 
  Boot Image Version Mismatch Apr 28 14:03:35 172.18.65.202 ALARM: 1209371615l | system | info | ALR | AP BOOTIMAGE VERSION MISMATCH CRITICAL BootImage_Version_MisMatch_for_AP1 This message is generated when the AP has an incompatible boot image.  
  Boot Image Match Apr 28 14:03:51 172.18.65.202 ALARM: 1209371631l | system | info | ALR | AP BOOTIMAGE VERSION MISMATCH CLEAR BootImage_Version_Match_for_AP1 The message is generated when the AP’s incompatible boot image has been replaced by a compatible boot image.  
  AP Neighbor Loss Apr 28 14:01:12 172.18.65.202 ALARM: 1209371472l | system | info | ALR | AP NEIGHBOR LOSS CRITICAL Neighbor_Loss_for_AP1 This message is generated when an AP has lost its neighbor AP.  
  AP Neighbor Loss Cleared Apr 28 14:01:18 172.18.65.202 ALARM: 1209371478l | system | info | ALR | AP NEIGHBOR LOSS CLEAR

Neighbor_Loss_for_AP1

This message is generated when then the AP Neighbor loss alarm is cleared.  
  Hardware Diagnostics Error Mar 21 13:49:53 172.18.65.202 ALARM: 1206087593l | system | info | ALR | AP HARDWARE DIAGNOSTIC

ERROR CRITICAL HardwareDiagnostics

This message is generated when an AP has an incompatible

FPGA version.

 
  Hardware Diagnostics Error

Cleared

Mar 21 13:49:47 172.18.65.202 ALARM: 1206087587l | system | info | ALR | AP HARDWARE DIAGNOSTIC

ERROR CLEAR HardwareDiagnostics

This message is generated when an AP’s incompatible FPGA version is replaced with a compatible version.  

AP System

 

Event System Log Example Description Action  
Handoff Fail Apr 28 14:02:04 172.18.65.202 ALARM: 1209371524l | system | info | ALR | HAND OFF FAIL CRITICAL Hand-

Off_Fail_for_AP1

This message is generated when handoff fails.    
Handoff Fail Cleared Apr 28 14:02:21 172.18.65.202 ALARM: 1209371541l | system | info | ALR | HAND OFF FAIL CLEAR HandOff_-

Fail_Cleared_for_AP1

This message is generated when the handoff fail alarm is cleared.    
Resource

Threshold

Exceeded

Mar 21 13:56:27 172.18.65.202 ALARM: 1206087987l | system | info | ALR | RESOURCE THRESHOLD

EXCEED CRITICAL ResourceThreshold

This message is generated when

the resource (CPU & Mem-

ory) threshold is exceeded.

   
Resource

Threshold

Exceed Cleared

Mar 21 13:57:17 172.18.65.202 ALARM: 1206088037l | system | info | ALR | RESOURCE THRESHOLD

EXCEED CLEAR ResourceThreshold

This message is generated when the resource threshold exceed alarm is cleared.    
System Failure Mar 21 14:18:29 172.18.65.202 ALARM: 1206089309l | system | info | ALR | SYSTEM FAILURE CRITICAL SystemFailure This message is generated when the system.    
System Failure Cleared Mar 21 14:19:04 172.18.65.202 ALARM: 1206089344l | system | info | ALR | SYSTEM FAILURE CLEAR SystemFailure This message is generated when the system failure alarm is cleared.    
Watchdog Failure Mar 21 14:27:28 172.18.65.202 ALARM: 1206089848l | system | info | ALR | WATCHDOG FAILURE CRITICAL WatchDog_Failure This message is generated when the Watchdog process is terminated.    
Watchdog Failure Cleared Mar 21 14:27:59 172.18.65.202 ALARM: 1206089879l | system | info | ALR | WATCHDOG FAILURE CLEAR WatchDog_Failure This message is generated when the Watchdog process resumes.    
  Event System Log Example Description Action
  Certificate Error Mar 21 15:04:10 172.18.65.202 ALARM: 1206092050l | system | info | ALR | CERTIFICATE ERROR CRITICAL Certificare_Error This message is generated when

a certificate error occurs.

 
  Certificate Error

Cleared

Mar 21 15:04:38 172.18.65.202 ALARM: 1206092078l | system | info | ALR | CERTIFICATE ERROR CLEAR Certificate_Error This message is generated when

the certificate error alarm is cleared.

 
  AP Init Failure Apr 28 12:55:58 172.18.65.202 ALARM: 1209367557l | system | info | ALR | AP INIT FAILURE CRITICAL Init_Failure_for_AP1 This message is generated when an AP initialization fails.  
  AP Init Failure

Cleared

Apr 28 12:55:45 172.18.65.202 ALARM: 1209367545l | system | info | ALR | AP INIT FAILURE CLEAR Init_Failure_for_AP1 This message is generated when the AP initialization failure alarm is cleared.  
  AP Radio Card Failure Apr 28 13:01:00 172.18.65.202 ALARM: 1209367860l | system | info | ALR | AP RADIO CARD FAILURE CRITICAL Radio_Card_Failure_for_AP1 This message is generated when an AP radio card stops working.  
  AP Radio Card Failure Cleared Apr 28 13:01:08 172.18.65.202 ALARM: 1209367868l | system | info | ALR | AP RADIO CARD FAILURE CLEAR Radio_Card_Failure_for_AP1 This message is generated when an AP radio card failure alarm is cleared.  
  Primary

RADIUS Server

Restored

Mar 21 15:50:53 172.18.65.202 ALARM: 1206094852l | system | info | ALR | PRIMARY RADIUS SERVER RESTORED CRITICAL RADIUS_Server_Restored This message is generated when the primary

RADIUS server that was down is restored.

 

AP System

 

Event System Log Example Description Action
RADAR

Detected

Mar 21 15:12:08 172.18.65.202 ALARM: 1206092528l | system | info | ALR | RADAR DETECTED CRITICAL Radar Detected This message is generated when DFS Manager detects RADAR.  
MIC Counter Measure Activation Apr 28 13:57:36 172.18.65.202 ALARM: 1209371256l | system | info | ALR | MIC COUNTERMEASURE ACTIVATION CRITICAL MIC_CounterMeasure_Activation_for_AP1 This message is generated when there are two subsequent MIC failures.  
AP MIC Failure Apr 28 13:13:12 172.18.65.202 ALARM: 1209368592l | system | info | ALR | AP MIC FAILURE CRITICAL MIC_-

Failure_for_AP1

This message is generated when there is a MIC failure.  

 

802.11
Event System Log Example Description Action
Station Unassociated Apr 09 13:25:28 172.18.37.203 coordinator: Wireless

Associations, Unassociated for STA 00:1f:3b:6c:62:e7 in

BSSID 00:0c:e6:56:dd:3b ESS 4088clear AP_ID 1 at

Time Fri Apr  9 13:41:49 2010

802.11 station disassociation.  
Station Associated Apr 09 14:05:04 172.18.37.203 coordinator: Wireless

Associations, Associated for STA 00:1f:3b:6c:62:e7 in

BSSID 00:0c:e6:56:dd:3b ESS 4088clear AP_ID 1 at Time Fri Apr  9 14:21:25 2010

Mar 22 13:23:34 172.18.65.202 ALARM: 1206127090l | system | info | ALR | Station Info Update : MacAddress :

00:40:96:ae:20:7a, UserName : pat, AP-Id : 1, AP-Name : AP-1, BSSID : 00:0c:e6:8f:01:01, ESSID : pat, Ip-Type : dynamic dhcp, Ip-Address : 172.18.65.11, L2mode : clear, L3-mode : clear, Vlan-Name : VLAN-111, Vlan-Tag : 111

Apr 06 11:59:24 172.18.65.202 ALARM: 1270535364l | system | info | ALR | Station Disconnected : MacAddress :

00:40:96:ae:20:7a

802.11 station association.

Station connection.

Station disconnected.

 

802.11

 

Security System
Event System Log Example Description Action
RADIUS

ACCESS

REQUEST

Mar 29 13:14:06 172.18.98.221 RADIUSInfo: RADIUS Access-Request Message sent for Client (00:1e:37:0e:98:3e). RADIUS request message has been sent to RADIUS server.  
RADIUS

ACCESS

ACCEPT

Mar 29 13:14:06 172.18.98.221 RADIUSInfo: RADIUS Access-Accept message received for Client (00:1e:37:0e:98:3e). RADIUS server responded with Access-Accept

message for RADIUS

request (success scenario).

 
802.1X RADIUS

ACCESS

REQUEST

Apr 09 15:05:58 172.18.37.203 ALARM: 1270826539l | system | info | ALR | 802.1x Authentication Attempt INFO

RADIUS Access Attempt by station with MAC address

00:1f:3b:6c:62:e7 and user is NULL , AP Id: <1>

As part of 802.1X authentication, RADIUS request message has been sent to RADIUS server from controller.  
802.1X RADIUS

ACCESS

REJECT WITH

BAD USER-

NAME

Apr 13 19:48:23 172.18.48.151 ALARM: 1271169441l | system | info | ALR | 802.1X AUTHENTICATION FAILURE INFO Access Request rejected for User: <harsh>, NAS IP: <172.18.48.151>, SSID: <wpa2h>, Calling Station ID: <00:1f:3b:83:21:13>, Called Station ID: <00:90:0b:0a:82:48>, Authentication Type: <802.1X>,

Reason: <Bad Username or Password>, AP Id: <1>

As part of 802.1X authentication, RADIUS server has responded with Access-Reject message, with the reason “Username or password is not correct.” (Failure scenario). Check for correct username or password.

Security System

Event System Log Example Description Action
RADIUS SWI-

TCHOVER

FAILURE

Apr 09 15:07:54 172.18.37.203 ALARM: 1270826655l | system | info | ALR | RADIUS SERVER SWITCHOVER FAILED MAJOR Primary RADIUS Server <172.18.1.3> failed. No valid Secondary RADIUS Server present. Switchover FAILED for Profile <4089wpa2> During RADIUS authentication, primary RADIUS server was not accessible, and secondary RADIUS server is not configured. Check for connectivity to primary RADIUS server from controller.

If another

RADIUS server

is available, configure it as secondary server.

ACCOUNTING

RADIUS SWI-

TCHOVER

Mar 22 16:38:19 172.18.65.202 ALARM: 1206061018l | system | info | ALR | ACCOUNT RADIUS SERVER SWITCHOVER MAJOR Accounting RADIUS Server switches over from Primary <1.1.1.1> to Secondary <2.2.2.2> for Profile <WPA2> For accounting, primary RADIUS server is not accessible, and switchover to secondary RADIUS server is attempted. Check for connectivity

between primary RADIUS server and controller.

ACCOUNTING

RADIUS SWI-

TCHOVER

FAILURE

Mar 22 16:41:51 172.18.65.202 ALARM: 1206061230l | system | info | ALR | ACCOUNT RADIUS SERVER SWITCHOVER FAILED MAJOR Primary Accounting RADIUS

Server <1.1.1.1> failed. No valid Secondary Accounting

RADIUS Server present. Switchover FAILED for Profile

<WPA2>

For accounting, primary RADIUS server is not accessible, and switchover secondary RADIUS server is not configured. Check for connectivity to primary RADIUS server from controller.

If another

RADIUS server

is available,

configure it as secondary server.

MAC FILTERING: RADIUS

SWITCHOVER

Mar 21 16:38:57 172.18.65.202 ALARM: 1206097736l | system | info | ALR | RADIUS SERVER SWITCHOVER MAJOR RADIUS Server switched over from Primary <

1.1.1.1 > to Secondary < 172.18.1.7 > for Mac Filtering

For MAC filtering, primary

RADIUS server is not accessible, and switchover to secondary RADIUS is attempted.

Check for connectivity between configured primary RADIUS server and controller.

Security System

Captive Portal
Event System Log Example Description Action
Captive Portal Login Request Mar 29 14:11:53 172.18.98.221 xems: 1269867812l | security | info | CAP | Captive Portal

User(pat@172.18.98.41) login Request Received.

Login request for Captive Portal User has been received.  
Captive Portal:

RADIUS Login

Success

Mar 29 14:11:53 172.18.98.221 SecurityMM:

1269867812l | security | info | CAP | pat@172.18.98.41

StationMac[00:1b:77:af:dc:6e] RADIUS User logged in

OK

Captive Portal RADIUS user has successfully logged in.  
Captive Portal: Redirection Mar 29 13:39:16 172.18.86.229 xems: 1269866356l | security | info | CAP | Captive Portal User(172.18.86.14) Redirected. Sending login (https://secsol:8081/vpn/loginformWebAuth.html) Complete Captive Portal login.  

Captive Portal

Event System Log Example Description Action
Captive Portal:

Login Sequence

Mar 22 13:23:47 172.18.65.202 httpd: 1206127103l | 802.mobility | info | CAP | 172.18.111.11:8080 1 http:// www.google.com/webhp?complete=1&hl=en

Mar 22 13:23:47 172.18.65.202 xems: 1206127103l | 802.mobility | info | RED | 172.18.111.11:8080 1

Mar 22 13:23:47 172.18.65.202 xems: 1206127103l | 802.mobility | info | RED | 172.18.111.11:8080 2

Mar 22 13:23:47 172.18.65.202 httpd: 1206127103l | 802.mobility | info | CAP | 172.18.111.11:8080 2

Mar 22 13:23:49 172.18.65.202 httpd: 1206127105l |

802.mobility | info | CAP | 172.18.111.11:8081 1 http:// 172.18.111.211:8081/vpn/loginformWebAuth.html

Mar 22 13:23:49 172.18.65.202 xems: 1206127105l | 802.mobility | info | CNT | 172.18.111.11:8081 1

Mar 22 13:23:49 172.18.65.202 xems: 1206127105l | 802.mobility | info | CNT | 172.18.111.11:8081 2

Mar 22 13:23:49 172.18.65.202 httpd: 1206127105l | 802.mobility | info | CAP | 172.18.111.11:8081 2

Mar 22 13:23:49 172.18.65.202 httpd: 1206127105l |

802.mobility | info | CAP | 172.18.111.11:8081 1 http://

172.18.111.211:8081/vpn/Images.vpn/newlogo.gif

Mar 22 13:23:49 172.18.65.202 xems: 1206127105l | 802.mobility | info | CNT | 172.18.111.11:8081 1

Mar 22 13:23:49 172.18.65.202 xems: 1206127105l | 802.mobility | info | CNT | 172.18.111.11:8081 2

Mar 22 13:23:49 172.18.65.202 httpd: 1206127105l | 802.mobility | info | CAP | 172.18.111.11:8081 2

Mar 22 13:23:49 172.18.65.202 httpd: 1206127105l |

802.mobility | info | CAP | 172.18.111.11:8081 1 http:// 172.18.111.211:8081/favicon.ico

Mar 22 13:23:49 172.18.65.202 httpd: 1206127105l | 802.mobility | info | CAP | 172.18.111.11:8081 2

Mar 22 13:23:49 172.18.65.202 httpd: 1206127105l | 802.mobility | info | CAP | 172.18.111.11:8081 1 http://172.18.111.211:8081/favicon.ico

Mar 22 13:23:49 172.18.65.202 httpd: 1206127105l |

802.mobility | info | CAP | 172.18.111.11:8081 2

   

Captive Portal

Event System Log Example Description Action
  Mar 22 13:23:55 172.18.65.202 httpd: 1206127110l |

802.mobility | info | CAP | 172.18.111.11:8081 1 http:// 172.18.111.211:8081/vpn/loginUser

Mar 22 13:23:55 172.18.65.202 xems: 1206127110l | 802.mobility | info | LOG | 172.18.111.11:8081 1

Mar 22 13:23:55 172.18.65.202 xems: 1206127110l | security | info | CAP | ramesh@172.18.111.11 logged in OK

Mar 22 13:23:55 172.18.65.202 xems: 1206127110l | 802.mobility | info | LOG | 172.18.111.11:8081 2

Mar 22 13:23:55 172.18.65.202 httpd: 1206127110l |

802.mobility | info | CAP | 172.18.111.11:8081 2

   

Captive Portal

QoS
Event System Log Example Description Action
QoS: Action Drop  Apr 13 18:14:23 172.18.117.217 kernel: 1271193480 | system | info | ALR | Network Traffic, Flow of Traffic MAC:

00:40:96:ad:49:b0->MAC: 00:90:0b:0a:81:ae src_ip:172.18.117.27-> dst_ip:69.147.125.65:[dst_port:0], rule id: 23, action: Drop. AP MAC Address :

00:0c:e6:05:c5:14

This message is generated when packets match the QoS rule based on the configured parameters Packets are dropped.  
QoS: Action Forward  Apr 13 18:21:54 172.18.117.217 kernel: 1271193932 | system | info | ALR | Network Traffic, Flow of Traffic MAC:

00:14:a8:59:c8:80->MAC: 00:90:0b:0a:81:ae src_ip:172.18.117.1-> dst_ip:172.18.117.217:[dst_port:0], rule id: 23, action: Forward. AP MAC Address :

00:00:00:00:00:00

This message is generated when packets match the QoS rule based on the configured parameters. The packets that match the configured QoS rules are forwarded for further processing.  
QoS: Action Capture  Apr 13 18:30:47 172.18.117.217 kernel: 1271194465 | system | info | ALR | Network Traffic, Flow of Traffic MAC:

00:40:96:ad:49:b0->MAC: 00:90:0b:0a:81:ae src_ip:172.18.117.27-> dst_ip:172.18.122.122:[dst_port:5060], rule id: 3, action: Capture. AP MAC Address : 00:0c:e6:07:5d:71

This message is generated when packets match the QoS rule based on the configured parameters. The packets are captured and sent to respective Flow Detector for further processing.  

QoS

Event System Log Example Description Action
CAC Per BSSID > CAC Per AP info      ALR       05/04/2010 13:39:20        CAC LIMIT

REACHED MAJOR CAC/Global Bssid Limit Reached (1):

call Rejected for STA [00:03:2a:00:d8:55] on AP [00:0c:e6:07:5d:7e] in BSSID [00:0c:e6:de:a2:ef]

This message is generated when the CAC limit is reached (based on BSSID).

Calls will not go through.

 
CAC Per AP > CAC Per BSSID info      ALR       05/04/2010 14:42:39        CAC LIMIT

REACHED MAJOR CAC/AP Limit Reached (1): call

Rejected for STA [00:03:2a:00:d8:55] on AP [00:0c:e6:07:5d:7e]

This message is generated when the CAC limit is reached (based on AP). Calls will not go through.  
CAC Per AP = CAC Per BSSID info      ALR       05/04/2010 15:03:22        CAC LIMIT

REACHED MAJOR CAC/AP Limit Reached (1): call

Rejected for STA [00:03:2a:00:d8:55] on AP [00:0c:e6:07:5d:7e]

This message is generated when the CAC limit is reached (based on AP=BSSID). Calls will not go through.  
CAC PER Interference  info      ALR       05/04/2010 15:09:01        CAC LIMIT

REACHED MAJOR CAC/Interference Limit Reached (1):

call Rejected for STA [00:03:2a:00:d8:55] on AP [00:0c:e6:07:5d:7e]

This message is generated when the CAC limit is reached (based on CAC per interference region). Calls will not go through.  

QoS

Rogue AP
Event System Log Example Description Action
ROGUE AP DETECTED Oct 13 11:11:31 172.18.37.201 ALARM: 1255432835l | system | info | ALR | ROGUE AP DETECTED CRITICAL CONTROLLER (1:13)  ROGUE AP DETECTED. AP mac=00:1f:28:57:fa:b7 bss=00:1f:28:57:fa:b7 cch= 6 ess=Integral  by AP AP-204 (204) A rogue AP has been detected.  
ROGUE AP REMOVED Mar 29 13:12:43 172.18.86.229 ALARM: 1269864763l | system | info | ALR | ROGUE AP REMOVED  CONTROLLER (1:24490)  ROGUE AP DETECTED. AP      mac=00:12:f2:00:17:63 bss=00:12:f2:00:17:63 cch=161 ess=rogue-35 A rogue AP has been removed.  
Licensing
Event System Log Example Description Action
LICENSE

EXPIRE WARN-

ING

Mar 22 15:27:42 172.18.65.202 ALARM: 1205970893l | system | notice | NOT | controller license expires in 1 day Notification that license expires in one day. Install a license for the software.
LICENSE

EXPIRE WARN-

ING

Mar 22 15:33:46 172.18.65.202 ALARM: 1205971257l | system | notice | NOT | controller license expires tonight at midnight. Notification that license expires by midnight. Install a license for the software.
LICENSE EXPIRED Mar 22 15:42:17 172.18.65.202 ALARM: 1206057655l | system | info | ALR | SOFTWARE LICENSE EXPIRED MAJOR controller license has already expired. License has expired. Install a license for the software.
LICENSE

EXPIRED

ALARM CLEAR

Mar 22 15:52:23 172.18.65.202 ALARM: 1206058262l | system | info | ALR | SOFTWARE LICENSE EXPIRED CLEAR controller License alarm cleared.  

Rogue AP

N+1 Redundancy
Event System Log Example Description Action
MASTER CONTROLLER

DOWN

Apr 19 14:24:26 172.18.253.203 nplus1_Slave: ALERT:

Master Controller has timed out: Regression1 172.18.253.201

Slave detects that master controller is not reachable. Slave moves to active state. Diagnose the master controller.
PASSIVE TO

ACTIVE SLAVE

STATE TRANSITION

Apr 19 14:24:26 172.18.253.203 nplus1_Slave: Slave State: Passive->Active Passive slave in transition to becoming active slave.  
ACTIVE SLAVE May 15 16:07:49 172.18.32.201 nplus1_Slave: Slave State: Active Slave in active state.  
ACTIVE TO

PASSIVE

SLAVE TRANSITION

May 15 16:07:59 172.18.32.201 nplus1_Slave: Slave State: Active->Passive Slave detected that master controller is reachable, so slave becomes passive again.  
ACTIVE TO

PASSIVE

SLAVE TRANSITION

Apr 19 14:40:21 172.18.253.203 nplus1_Slave: NOTICE:

Active Slave Controller (Regression1 172.18.253.201) ->

Passive Slave  (RegressionSlave 172.18.253.203)

Slave detected that master controller is reachable, so slave becomes passive again.  
PASSIVE SLAVE Apr 19 14:40:21 172.18.253.203 nplus1_Slave: Slave State: Passive Slave in passive state.  
MASTER CON-

TROLLER

DOWN ALARM

May 15 16:07:49 172.18.32.201 ALARM: 1210847902l | system | info | ALR | MASTER CONTROLER DOWN INFO Master controller down alarm.  

N+1 Redundancy

Event System Log Example Description Action
MASTER CONTROLLER UP

ALARM

May 15 16:07:59 172.18.32.201 ALARM: 1210847912l | system | info | ALR | MASTER CONTROLER UP INFO Master controller up alarm.  
SLAVE CONFIG

SYNC

Apr 19 14:51:07 172.18.253.201 sshd[7465]: PAM

_pam_init_handlers: no default config /etc/pam.d/other

Apr 19 14:51:07 172.18.253.201 sshd[7465]: PAM

_pam_init_handlers: no default config /etc/pam.d/other

Apr 19 14:51:07 172.18.253.201 sshd[7465]: Accepted publickey for root from 172.18.253.203 port 34674 ssh2

Apr 19 14:51:07 172.18.253.201 PAM-env[7465]: Unable to open config file: No such file or directory

SSH system log messages are shown while slave is syncing certain configuration files with the master controller using scp.  

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiWLC – Events

Events

Events are similar to alarms in that they indicate that a specific action has taken place. However, while alarms typically require some form of user intervention to resolve the problem, events simply provide an indication that a change has been made. As such, this tab provides a reference to actions on the system.

Figure 88: Events Table

The table below provides a brief description of the columns provided in the Events table. TABLE 36: Events Table Columns

Column Description
Event Name The name of the event triggered.
Severity The severity level; can range from Information, Minor, Major, Critical.
Source The type of device that triggered the event (controller, AP).
FDN The name of the device that triggered the event.
Raised At The date and time at which the event was triggered.
Detail Detailed information regarding the event, including identifying device details.
Modifying Event Definitions

While FortiWLC (SD) provides a list of pre-configured events, users can also customize the events to the needs of their environment via the Events > Definition tab.

Events

Figure 89: Event Definitions

As shown above, each event has a predetermined severity level, trigger condition, and threshold, but these values can be modified by clicking the small pencil icon next to the desired alarm. This will pop up the Alarm Configuration window, as seen in Figure 87 on page 491. Figure 90: Editing an Event

Events

Use the drop-downs provided in the window to tailor the event to the deployment’s needs and click Save when finished. If desired, the user can click Reload Default to reset the event’s configuration to its original values.

The Threshold field’s units will vary depending on the event selected—for example, when modifying Alarm History Reaches Threshold, the Threshold is measured in percentage of overall alarm table history (and defaults to 90%). However, in an event such as RADIUS Server Switchover, no threshold is needed at all, as it is a binary alarm (i.e., it is triggered when the RADIUS server is switched—there is no percentage involved).

Events

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiWLC – Alarms

Alarms

When alarms are generated, the user has the option to either Acknowledge or Clear them by simply checking the box alongside the desired alarm and clicking the appropriate button towards the bottom of the window.

  • Clear—Moves the alarm from the Active Alarms table into the Alarm History table.
  • Acknowledge—Marks the alarm as acknowledged in the UserAcknowledged column.

As seen in the figure above, the Active Alarms table provides several columns, as described below.

489

TABLE 35: Active Alarm Columns

Column Description
Alarm Name The name of the alarm triggered.
Severity The severity level; can range from Information, Minor, Major, Critical.
Source The type of device that triggered the alarm (controller, AP).
FDN The name of the device that triggered the alarm.
Raised At The date and time at which the alarm was triggered.
Detail Detailed information regarding the alarm, including identifying device details.
UserAcknowledged Indicates whether the alarm has been flagged as Acknowledged.
Modifying Alarm Definitions

While FortiWLC (SD) provides a list of pre-configured alarms, users can also customize the alarms to the needs of their environment via the Alarms > Definition tab.

Figure 86: Alarm Definitions

As shown above, each alarm has a predetermined severity level, trigger condition, and threshold, but these values can be modified by clicking the small pencil icon next to the desired alarm. This will pop up the Alarm Configuration window, as seen in Figure 87 on page 491.

 

Figure 87: Editing an Alarm

Use the drop-downs provided in the window to tailor the alarm to the deployment’s needs and click Save when finished. If desired, the user can click Reload Default to reset the alarm’s configuration to its original values.

The Threshold field’s units will vary depending on the alarm selected—for example, when modifying AP Memory Usage High, the Threshold is measured in percentage of overall system memory (and defaults to 70%). However, in an alarm such as Link Down, no threshold is needed at all, as it is a binary alarm (i.e., it is triggered when a link to an AP goes down—there is no percentage involved).

List of Alarms
No. Alarm Severity Source Explanation
1. Alarm link up information all controller models Physical link on controller is up.
2. Alarm link down critical all controller models Physical link on the controller is down; check the connection.
3. Alarm auth fail information controller models An administrator failed to log in to the GUI due to an authentication failure.
4. AP down critical all AP models An AP is down. Possible reasons for this are an AP reboot, an AP crash, or an Ethernet cable from the controller may be down. Also the AP may have connected to another controller.
5. Radio Failure critical all AP models An alarm is generated when the Radio fails to turn operational during Initial bootup. This is occurred due to some Hardware issue on the AP Radio.
6. Rogue AP detected critical all controller models A rogue AP has been detected on the network.

The message looks something like this: Rogue

AP Detected               Critical  06/04/2010

10:04:51  CONTROLLER (1:24194)  ROGUE AP DETECTED. Station mac=0c:60:76:2d:fe:d9 bss=00:02:6f:3a:fd:89 by AP Ben-Cubei (18)

See the chapter Rogue AP Detection and Mitigation.

7. AP software version mismatch critical all AP models The software version on the AP does not match the version on the controller. Automatic AP upgrade must have been turned off. Update the AP from the controller with either the CLI command upgrade ap same <ap id> force or upgrade ap same all force. You can also turn automatic upgrade back on by with the CLI command autoap-upgrade enable.
8. AP init failure major all AP models AP initialization failed.

 

No. Alarm Severity Source Explanation
9. Software license expired major all controller

models

Controller software license has expired. To obtain additional licenses, see www.merunetworks.com/ license.
10. 802.1X auth failure major, minor, information all controller

models

RADIUS server authentication failed. To find out why, look at the RADIUS server log for the error message and also check the station log. If this happens only occasionally, you can ignore it. However, if this message appears repeatedly, the authentication failures could prevent a station from entering the network. In this case, check the RADIUS server to make sure the client and server have the same credentials.
11. MIC failure AP major all controller models The Michael MIC Authenticator Tx/Rx Keys provided in the Group Key Handshake are only used if the network is using TKIP to encrypt the data. A failure of the Michael MIC in a packet usually indicates that the WPA WPSK password is wrong.
12. MIC countermeasure activation major all controller

models

Two consecutive MIC failures have occurred (see above).
13. RADIUS Server Switchover major all controller

models

A switchover from the Primary  Authentication

RADIUS Server to the Secondary Authentication RADIUS Server occurred. When this message occurs, the Primary RADIUS server is configured but not reachable and the Secondary RADIUS server is both configured and reachable.

This message is generated only for 802.1x switchover, not for Captive Portal switchover.

An example looks like this:

RADIUS Server Switchover        Major     06/07/ 2010 14:09:57  RADIUS Server switches over from Primary <172.18.1.7> to Secondary

<172.18.1.3> for Profile <wpa>

 

No. Alarm Severity Source Explanation
14. RADIUS Server Switchover Failed major all controller

models

A switchover from the Primary  Authentication

RADIUS Server to the Secondary Authentication RADIUS Server  failed because the secondary server is not configured. When this message occurs, the Primary RADIUS server is configured but not reachable and the Secondary RADIUS server is not configured.

This message is generated only for 802.1x switchover failure, not for Captive Portal switchover failure.

An example looks like this:

RADIUS Server Switchover Failed Major     06/

07/2010 14:02:47  Primary RADIUS Server

<172.18.1.7> failed. No valid Secondary RADIUS

Server present. Switchover FAILED for Profile

<wpa> Alarms Table(1 entry)

15. Restore Primary RADIUS Server major all controller

models

A switchover from the Secondary Authentication

RADIUS Server to the Primary Authentication RADIUS Server occurred. This alarm was generated while doing RADIUS fall back to the primary server after 15 minutes.

This message is generated only for 802.1x primary RADIUS restore, not for Captive Portal restore.

An example looks like this:

Restore Primary RADIUS Server   Major     06/07/ 2010 15:54:10  Security Profile <wpa> restored back to the Primary RADIUS server <172.18.1.7>

 

No. Alarm Severity Source Explanation
16. Acct RADIUS server switchover major all controller

models

A switchover from either Accounting RADIUS Server (primary or secondary) to the other one occurred. This message is generated only for 802.1x switchover, not for Captive Portal switchover.

An example when the primary to secondary switch occurred looks like this:

Accounting RADIUS Server Switch Major     06/ 07/2010 14:39:00  Accounting RADIUS Server switches over from Primary <172.18.1.7> to Secondary <172.18.1.3> for Profile <wpa>

17. Acct RADIUS server switchover failed major all controller models An attempted switchover from one Accounting RADIUS Server to the other server failed.When this message occurs, the Primary Accounting RADIUS server is configured but not reachable and the Secondary Accounting RADIUS server is not configured.

This message is generated only for 802.1x switchover failure, not for Captive Portal switchover fail lure.

An example looks like this:

Accounting RADIUS Server Switch Major     06/

07/2010 14:22:26  Primary Accounting RADIUS

Server <172.18.1.7> failed. No valid Secondary

Accounting RADIUS Server present. Switchover

FAILED for Profile <wpa>

18. Master down critical all controller models N+1 Master controller is down and no longer in control; the slave controller will now take over.
19. Master up critical all controller models N+1 Master controller is up and running; this controller will now take control away from the slave controller.
20. CAC limit reached major all controller models Admission control in ATM networks is known as Connection Admission Control (CAC) – this process determines which traffic is admitted into a network. If this message occurs, the maximum amount of traffic is now occurring on the network and no more can be added.

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiWLC – Fault Management

Fault Management

Alarm and event information can be found on the Monitor > Fault Management page. By default, the Active Alarms table is displayed, which indicates any alarms that have been recently triggered.

Figure 85: Fault Management Table

The Fault Management page provides information regarding two major types of events in FortiWLC (SD): Alarms and Events. Refer to their respective sections below for additional details.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiWLC – Troubleshooting

Troubleshooting

  • Where Do I Start?
  • Error Messages
  • System Logs
  • System Diagnostics
  • Capturing Packets
  • FTP Error Codes

Where Do I Start?

We recommend that you start troubleshooting as follows:

Web UI or CLI? Problem Involves? Strategy
Web UI stations View station log history by clicking Monitor > Diagnostics > Station
Web UI radios View radio log history by clicking Monitor > Diagnostics > Radio

Where Do I Start?

Web UI or CLI? Problem Involves? Strategy
CLI stations View station-log history with one of these commands:

station-log show-mac=<affected MAC address> station-log show (if the MAC is not known)

If the problem is reproducible/occurring continually, log your terminal session, enter the station-log interface and add the affected MAC address using the command station add <MAC>. If you DON’T know the MAC address, enter event all all to capture all events for all MAC addresses.

CLI controller View controller-log history with the command diagnostics-controller

If the problem is reproducible/occurring continually, log your terminal session, enter the station-log interface with the command station-log, and add the affected MAC address using the command station add <MAC>. If you DON’T know the MAC address, type event all all to capture all events for all MAC addresses.

Error Messages

The following are common error messages that may occur either at the controller or at an AP.

Error Messages

Message Text Explanation
[07/20 13:02:11.122]

1m[35m**Warning**[0m

WMAC: Wif(0):SetTsf()

TSF[00000000:000006e3] ->

[00000033:77491cfd]thr[0000

0000:03938700]

May be observed on the AP command line or in trace log output from an AP after a full diagnostics gather.

The SetTsf() messages indicate that the AP has adjusted its TSF (TSF stands for Time Synchronization Function and is really the AP’s clock) forward by more than a certain threshold (the threshold is 5 seconds). The specific case above indicates that the AP has just booted up and adjusted its TSF value to its neighboring AP’s TSF value.

You can tell that the AP just booted because its current TSF is a low value (i.e. 6e3 microseconds). During initialization, the AP will synchronize its TSF to the TSF of its neighbors whenever the neighbors support a BSSID in common with this AP. That is a requirement to support Virtual Cell.

[07/31 14:01:33.506]

*****ERROR***** QOS: FlowMgr failed while processing flow request, reason= 5, srcMac[00:23:33:41:ed:27], dstMac[00:00:00:00:00:00].

May be observed in the controller’s CLI interface.

This error occurs when there is an attempt to either set up or remove an AP flow on a station that has started a phone call. “reason=5” means the cited station is not assigned to the AP where the attempt to set up/ remove the flow was made.

The presumed impact is that the stations (presumably phones) get lower than normal call quality since there are no QoS flows established on behalf of the MAC address.

Received non-local pkt on AP! This message may be observed on the serial console of a controller or in the dmesg.txt output included with a controller’s diagnostics. This message indicates that a Ethernet type 0x4001 or UDP port 5000 packet (L2 and L3 COMM respectively) was received by the controller’s Ethernet, but was not actually destined for the controller’s MAC or IP address.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!