Fortinet white logo
Fortinet white logo

FortiWiFi and FortiAP Configuration Guide

Testing wireless network health with SAM

Testing wireless network health with SAM

Fortinet's Service Assurance Manager (SAM) is a predictive diagnostic software for remotely diagnosing the health of wireless networks without requiring overlay sensors. With Service Assurance Manager, the network automatically performs predictive health checks and reports any issues before end users are impacted.

FortiAPs can be configured to run in Service Assurance Management mode, where a radio is designated to operate as a client and perform tests against another AP. Ping tests and iPerf tests can be run on interval, with results captured in the WiFi event logs. This allows the FortiGate to verify and ensure that an existing Wi-Fi network can provide acceptable services.

To configure a FortiAP profile to run in SAM mode - CLI
  1. Configure the FAP profile to enable SAM ping test.

    config wireless-controller wtp-profile

    edit "FAP231E-sam"

    config radio-2

    set mode sam

    set sam-ssid "test-sam"

    set sam-bssid 00:00:00:00:00:00

    set sam-security-type wpa-personal

    set sam-captive-portal disable

    set sam-password ENC +Yo/ZS

    set sam-test ping

    set sam-server "iperf.he.net"

    set sam-report-intv 60

    end

    next

    end

  2. Check configurations received on the FAP side in the "rcfg" output.

    sam ssid : test-sam

    sam bssid : 00:00:00:00:00:00

    sam security type : Personal

    sam captive portal : disabled

    sam test : Ping

    sam server ip : iperf.he.net

    sam report interval: 60

    sam iperf port : 5001

    sam iperf protocol : TCP

To configure a FortiAP profile to run the iperf test - CLI

The SAM test also supports the "iperf" test.

  1. FOS side configuration:

    config wireless-controller wtp-profile

    edit "FAP231E-sam"

    config radio-2

    set mode sam

    set sam-ssid "test-sam"

    set sam-bssid 00:00:00:00:00:00

    set sam-security-type wpa-personal

    set sam-captive-portal disable

    set sam-password ENC +Yo/ZS

    set sam-test iperf

    set sam-server "iperf.he.net"

    set iperf-server-port 5001

    set iperf-protocol tcp

    set sam-report-intv 60

    end

    next

    end

  2. Configuration received on FAP side:

    sam ssid : test-sam

    sam bssid : 00:00:00:00:00:00

    sam security type : Personal

    sam captive portal : disabled

    sam test : Iperf

    sam server ip : iperf.he.net

    sam report interval: 60

    sam iperf port : 5001

    sam iperf protocol : TCP

Captive portal authentication in service assurance management (SAM) mode

When configuring a radio in service assurance management (SAM) mode, a client can be configured to authenticate with the captive portal. The captive portal match, success, and failure strings must be specified to automatically detect the authentication success or failure.

Example specification

config wireless-controller wtp-profile

edit <name>

config radio-1

set sam-cwp-username "wifi"

set sam-cwp-password ENC

set sam-cwp-test-url "www.fortinet.com"

set sam-cwp-match-string "Login"

set sam-cwp-success-string "Success"

set sam-cwp-failure-string "again"

end

next

end

sam-cwp-username

Enter the username for captive portal authentication.

sam-cwp-password

Enter the password for captive portal authentication.

sam-cwp-test-url

Enter the website the client is trying to access.

sam-cwp-match-string

Enter the identification string from the captive portal login form.

sam-cwp-success-string

Enter the success identification text to appear on the page after a successful login.

sam-cwp-failure-string

Enter the failure identification text on the page after an incorrect login.

To perform a SAM test with captive portal authentication, create an SSID with captive portal authentication and broadcast it on a FortiAP (FAP_A). Then configure SAM with captive portal settings in the wtp-profile on a second FortiAP (FAP_B).

Configuring an SSID with captive portal authentication

Configure the following steps on FAP_A.

  1. Configure the RADIUS server:

    config user radius

    edit "172.18.56.161"

    set server "172.18.56.161"

    set secret ENC

    next

    end

  2. Configure the VAP:

    config wireless-controller vap

    edit "test-sam"

    set ssid "TEST-SAM"

    set security captive-portal

    set external-web "http://172.18.56.163/portal/index.php"

    set radius-server "172.18.56.161"

    set local-bridging enable

    set portal-type external-auth

    set schedule "always"

    next

    end

  3. Configure the FortiAP profile:

    config wireless-controller wtp

    edit "FP423E3X16000020" << A FAP423E is configured to broadcast test SSID.

    set uuid 404a75f2-c3ca-51eb-eb61-7678e900029c

    set admin enable

    set wtp-profile "FAP423E-default"

    config radio-1

    set override-vaps enable

    set vap-all manual

    set vaps "test-sam"

    end

    config radio-2

    set override-vaps enable

    set vap-all manual

    end

    next

    end

Configuring SAM with captive portal settings

Configure the following steps on FAP_B.

  1. Configure the FortiAP profile:

    config wireless-controller wtp-profile

    edit "FAP231E-default"

    config platform

    set type 231E

    set ddscan enable

    end

    set handoff-sta-thresh 55

    set allowaccess https ssh snmp

    config radio-1

    set mode sam

    set sam-ssid "TEST-SAM"

    set sam-captive-portal enable

    set sam-cwp-username "tester"

    set sam-cwp-password ENC

    set sam-cwp-test-url "https://www.fortinet.com"

    set sam-cwp-match-string "fgtauth" << This string is a part of the URL of the Captive Portal redirect page.

    set sam-cwp-success-string "Fortinet"

    set sam-cwp-failure-string "failed"

    set sam-password ENC

    set sam-test ping

    set sam-server-type ip

    set sam-server-ip 8.8.8.8

    set sam-report-intv 60

    end

    config radio-2

    unset band

    end

    config radio-3

    set mode monitor

    end

    next

    end

  2. Configure the managed FortiAP settings:

    config wireless-controller wtp

    edit "FP231ETF20000449"

    set uuid 404c8e50-c3ca-51eb-f111-040b31b593a1

    set admin enable

    set wtp-profile "FAP231E-default"

    config radio-2

    end

    next

    end

Check the managed FortiAP to verify SAM settings

After a few minutes, check the FAP_B configuration in the managed FortiAP:

FortiAP-231E # rcfg

Radio 0: AP

...

sam ssid : TEST-SAM

sam bssid : 00:00:00:00:00:00

sam security type : Open

sam captive portal : enabled

sam cwp test url : https://www.fortinet.com

sam cwp match string : fgtauth

sam cwp success string : Fortinet

sam cwp failure string : failed

sam test : Ping

sam server : 8.8.8.8

sam report interval: 60

sam iperf port : 5001

sam iperf protocol : UDP

...

Testing wireless network health with SAM

Testing wireless network health with SAM

Fortinet's Service Assurance Manager (SAM) is a predictive diagnostic software for remotely diagnosing the health of wireless networks without requiring overlay sensors. With Service Assurance Manager, the network automatically performs predictive health checks and reports any issues before end users are impacted.

FortiAPs can be configured to run in Service Assurance Management mode, where a radio is designated to operate as a client and perform tests against another AP. Ping tests and iPerf tests can be run on interval, with results captured in the WiFi event logs. This allows the FortiGate to verify and ensure that an existing Wi-Fi network can provide acceptable services.

To configure a FortiAP profile to run in SAM mode - CLI
  1. Configure the FAP profile to enable SAM ping test.

    config wireless-controller wtp-profile

    edit "FAP231E-sam"

    config radio-2

    set mode sam

    set sam-ssid "test-sam"

    set sam-bssid 00:00:00:00:00:00

    set sam-security-type wpa-personal

    set sam-captive-portal disable

    set sam-password ENC +Yo/ZS

    set sam-test ping

    set sam-server "iperf.he.net"

    set sam-report-intv 60

    end

    next

    end

  2. Check configurations received on the FAP side in the "rcfg" output.

    sam ssid : test-sam

    sam bssid : 00:00:00:00:00:00

    sam security type : Personal

    sam captive portal : disabled

    sam test : Ping

    sam server ip : iperf.he.net

    sam report interval: 60

    sam iperf port : 5001

    sam iperf protocol : TCP

To configure a FortiAP profile to run the iperf test - CLI

The SAM test also supports the "iperf" test.

  1. FOS side configuration:

    config wireless-controller wtp-profile

    edit "FAP231E-sam"

    config radio-2

    set mode sam

    set sam-ssid "test-sam"

    set sam-bssid 00:00:00:00:00:00

    set sam-security-type wpa-personal

    set sam-captive-portal disable

    set sam-password ENC +Yo/ZS

    set sam-test iperf

    set sam-server "iperf.he.net"

    set iperf-server-port 5001

    set iperf-protocol tcp

    set sam-report-intv 60

    end

    next

    end

  2. Configuration received on FAP side:

    sam ssid : test-sam

    sam bssid : 00:00:00:00:00:00

    sam security type : Personal

    sam captive portal : disabled

    sam test : Iperf

    sam server ip : iperf.he.net

    sam report interval: 60

    sam iperf port : 5001

    sam iperf protocol : TCP

Captive portal authentication in service assurance management (SAM) mode

When configuring a radio in service assurance management (SAM) mode, a client can be configured to authenticate with the captive portal. The captive portal match, success, and failure strings must be specified to automatically detect the authentication success or failure.

Example specification

config wireless-controller wtp-profile

edit <name>

config radio-1

set sam-cwp-username "wifi"

set sam-cwp-password ENC

set sam-cwp-test-url "www.fortinet.com"

set sam-cwp-match-string "Login"

set sam-cwp-success-string "Success"

set sam-cwp-failure-string "again"

end

next

end

sam-cwp-username

Enter the username for captive portal authentication.

sam-cwp-password

Enter the password for captive portal authentication.

sam-cwp-test-url

Enter the website the client is trying to access.

sam-cwp-match-string

Enter the identification string from the captive portal login form.

sam-cwp-success-string

Enter the success identification text to appear on the page after a successful login.

sam-cwp-failure-string

Enter the failure identification text on the page after an incorrect login.

To perform a SAM test with captive portal authentication, create an SSID with captive portal authentication and broadcast it on a FortiAP (FAP_A). Then configure SAM with captive portal settings in the wtp-profile on a second FortiAP (FAP_B).

Configuring an SSID with captive portal authentication

Configure the following steps on FAP_A.

  1. Configure the RADIUS server:

    config user radius

    edit "172.18.56.161"

    set server "172.18.56.161"

    set secret ENC

    next

    end

  2. Configure the VAP:

    config wireless-controller vap

    edit "test-sam"

    set ssid "TEST-SAM"

    set security captive-portal

    set external-web "http://172.18.56.163/portal/index.php"

    set radius-server "172.18.56.161"

    set local-bridging enable

    set portal-type external-auth

    set schedule "always"

    next

    end

  3. Configure the FortiAP profile:

    config wireless-controller wtp

    edit "FP423E3X16000020" << A FAP423E is configured to broadcast test SSID.

    set uuid 404a75f2-c3ca-51eb-eb61-7678e900029c

    set admin enable

    set wtp-profile "FAP423E-default"

    config radio-1

    set override-vaps enable

    set vap-all manual

    set vaps "test-sam"

    end

    config radio-2

    set override-vaps enable

    set vap-all manual

    end

    next

    end

Configuring SAM with captive portal settings

Configure the following steps on FAP_B.

  1. Configure the FortiAP profile:

    config wireless-controller wtp-profile

    edit "FAP231E-default"

    config platform

    set type 231E

    set ddscan enable

    end

    set handoff-sta-thresh 55

    set allowaccess https ssh snmp

    config radio-1

    set mode sam

    set sam-ssid "TEST-SAM"

    set sam-captive-portal enable

    set sam-cwp-username "tester"

    set sam-cwp-password ENC

    set sam-cwp-test-url "https://www.fortinet.com"

    set sam-cwp-match-string "fgtauth" << This string is a part of the URL of the Captive Portal redirect page.

    set sam-cwp-success-string "Fortinet"

    set sam-cwp-failure-string "failed"

    set sam-password ENC

    set sam-test ping

    set sam-server-type ip

    set sam-server-ip 8.8.8.8

    set sam-report-intv 60

    end

    config radio-2

    unset band

    end

    config radio-3

    set mode monitor

    end

    next

    end

  2. Configure the managed FortiAP settings:

    config wireless-controller wtp

    edit "FP231ETF20000449"

    set uuid 404c8e50-c3ca-51eb-f111-040b31b593a1

    set admin enable

    set wtp-profile "FAP231E-default"

    config radio-2

    end

    next

    end

Check the managed FortiAP to verify SAM settings

After a few minutes, check the FAP_B configuration in the managed FortiAP:

FortiAP-231E # rcfg

Radio 0: AP

...

sam ssid : TEST-SAM

sam bssid : 00:00:00:00:00:00

sam security type : Open

sam captive portal : enabled

sam cwp test url : https://www.fortinet.com

sam cwp match string : fgtauth

sam cwp success string : Fortinet

sam cwp failure string : failed

sam test : Ping

sam server : 8.8.8.8

sam report interval: 60

sam iperf port : 5001

sam iperf protocol : UDP

...