Testing wireless network health with SAM
Fortinet's Service Assurance Manager (SAM) is predictive diagnostic software for remotely diagnosing the health of wireless networks without requiring overlay sensors. With Service Assurance Manager, the network automatically performs predictive health checks and reports any issues before end users are impacted.
FortiAPs can be configured to run in Service Assurance Management mode, where a radio is designated to operate as a client and perform tests against another AP. Ping tests and iPerf tests can be run at a set interval, with results captured in the WiFi event logs. This allows the FortiGate to verify that an existing Wi-Fi network can provide acceptable service.
To configure a FortiAP profile to run in SAM mode - CLI
- Configure the FAP profile to enable the SAM ping test.
config wireless-controller wtp-profile
    edit "FAP231E-sam"
        config radio-2
            set mode sam
            set sam-ssid "test-sam"
            set sam-bssid 00:00:00:00:00:00
            set sam-security-type wpa-personal
            set sam-captive-portal disable
            set sam-password ENC +Yo/ZS
            set sam-test ping
            set sam-server "iperf.he.net"
            set sam-report-intv 60
        end
    next
end
- Check configurations received on the FAP side in the "rcfg" output.
sam ssid : test-sam
sam bssid : 00:00:00:00:00:00
sam security type : Personal
sam captive portal : disabled
sam test : Ping
sam server ip : iperf.he.net
sam report interval: 60
sam iperf port : 5001
sam iperf protocol : TCP
To configure a FortiAP profile to run the iperf test - CLI
The SAM test also supports the "iperf" test.
- FOS side configuration:
config wireless-controller wtp-profile
    edit "FAP231E-sam"
        config radio-2
            set mode sam
            set sam-ssid "test-sam"
            set sam-bssid 00:00:00:00:00:00
            set sam-security-type wpa-personal
            set sam-captive-portal disable
            set sam-password ENC +Yo/ZS
            set sam-test iperf
            set sam-server "iperf.he.net"
            set iperf-server-port 5001
            set iperf-protocol tcp
            set sam-report-intv 60
        end
    next
end
- Configuration received on FAP side:
sam ssid : test-sam
sam bssid : 00:00:00:00:00:00
sam security type : Personal
sam captive portal : disabled
sam test : Iperf
sam server ip : iperf.he.net
sam report interval: 60
sam iperf port : 5001
sam iperf protocol : TCP
Captive portal authentication in service assurance management (SAM) mode
When configuring a radio in service assurance management (SAM) mode, a client can be configured to authenticate with the captive portal. The captive portal match, success, and failure strings must be specified to automatically detect the authentication success or failure.
Example specification
config wireless-controller wtp-profile
    edit <name>
        config radio-1
            set sam-cwp-username "wifi"
            set sam-cwp-password ENC
            set sam-cwp-test-url "www.fortinet.com"
            set sam-cwp-match-string "Login"
            set sam-cwp-success-string "Success"
            set sam-cwp-failure-string "again"
        end
    next
end
sam-cwp-username | Enter the username for captive portal authentication.
sam-cwp-password | Enter the password for captive portal authentication.
sam-cwp-test-url | Enter the website the client is trying to access.
sam-cwp-match-string | Enter the identification string from the captive portal login form.
sam-cwp-success-string | Enter the success identification text to appear on the page after a successful login.
sam-cwp-failure-string | Enter the failure identification text on the page after an incorrect login.
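Because success and failure are detected from text on the returned page, a string that appears on more than one portal page is ambiguous. The following added example (not Fortinet code, and not part of the original page) checks a set of sam-cwp-* strings against saved copies of the portal's login, success and failure pages. It assumes plain case-sensitive substring matching, which the page does not document; the sample pages and the portal.example URL are constructed.

```python
# Added example, not Fortinet code. Assumption: detection is modelled as a
# case-sensitive substring test; the page does not document the AP's matching rules.

# Page each string is meant to identify (keys follow the sam-cwp-* option names).
INTENDED_PAGE = {"match": "login", "success": "success", "failure": "failure"}

def check_cwp_strings(cfg, pages):
    """Test sam-cwp-* strings against saved portal pages; return a problem list."""
    problems = []
    for kind, home in INTENDED_PAGE.items():
        needle = cfg[kind]
        if needle not in pages[home]:
            problems.append(f"{kind} string {needle!r} not found on {home} page")
        if kind == "match":
            continue  # a failed login usually re-displays the form, so overlap is fine
        for name, text in pages.items():
            if name != home and needle in text:
                problems.append(f"{kind} string {needle!r} also on {name} page")
    return problems

# Constructed sample pages (redirect URL plus body text), not real portal output.
SAMPLE_PAGES = {
    "login": "http://portal.example/fgtauth?id=1\n<form>Login to Fortinet WiFi</form>",
    "success": "<p>Success. Fortinet guest access granted.</p>",
    "failure": "<p>Authentication failed, try again.</p><form>Login</form>",
}

# String values from the two wtp-profile examples on this page.
FIRST = {"match": "Login", "success": "Success", "failure": "again"}
SECOND = {"match": "fgtauth", "success": "Fortinet", "failure": "failed"}

if __name__ == "__main__":
    for label, cfg in (("first", FIRST), ("second", SECOND)):
        print(label, check_cwp_strings(cfg, SAMPLE_PAGES) or "ok")
```

Against these constructed pages the first set passes, while the second is flagged because its success string also occurs in the login page text.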
To perform a SAM test with captive portal authentication, create an SSID with captive portal authentication and broadcast it on a FortiAP (FAP_A). Then configure SAM with captive portal settings in the wtp-profile on a second FortiAP (FAP_B).
Configuring an SSID with captive portal authentication
Configure the following steps on FAP_A.
- Configure the RADIUS server:
config user radius
    edit "172.18.56.161"
        set server "172.18.56.161"
        set secret ENC
    next
end
- Configure the VAP:
config wireless-controller vap
    edit "test-sam"
        set ssid "TEST-SAM"
        set security captive-portal
        set external-web "http://172.18.56.163/portal/index.php"
        set radius-server "172.18.56.161"
        set local-bridging enable
        set portal-type external-auth
        set schedule "always"
    next
end
- Configure the FortiAP profile:
config wireless-controller wtp
    edit "FP423E3X16000020" << A FAP423E is configured to broadcast test SSID.
        set uuid 404a75f2-c3ca-51eb-eb61-7678e900029c
        set admin enable
        set wtp-profile "FAP423E-default"
        config radio-1
            set override-vaps enable
            set vap-all manual
            set vaps "test-sam"
        end
        config radio-2
            set override-vaps enable
            set vap-all manual
        end
    next
end
Configuring SAM with captive portal settings
Configure the following steps on FAP_B.
- Configure the FortiAP profile:
config wireless-controller wtp-profile
    edit "FAP231E-default"
        config platform
            set type 231E
            set ddscan enable
        end
        set handoff-sta-thresh 55
        set allowaccess https ssh snmp
        config radio-1
            set mode sam
            set sam-ssid "TEST-SAM"
            set sam-captive-portal enable
            set sam-cwp-username "tester"
            set sam-cwp-password ENC
            set sam-cwp-test-url "https://www.fortinet.com"
            set sam-cwp-match-string "fgtauth" << This string is a part of the URL of the Captive Portal redirect page.
            set sam-cwp-success-string "Fortinet"
            set sam-cwp-failure-string "failed"
            set sam-password ENC
            set sam-test ping
            set sam-server-type ip
            set sam-server-ip 8.8.8.8
            set sam-report-intv 60
        end
        config radio-2
            unset band
        end
        config radio-3
            set mode monitor
        end
    next
end
- Configure the managed FortiAP settings:
config wireless-controller wtp
    edit "FP231ETF20000449"
        set uuid 404c8e50-c3ca-51eb-f111-040b31b593a1
        set admin enable
        set wtp-profile "FAP231E-default"
        config radio-2
        end
    next
end
Check the managed FortiAP to verify SAM settings
After a few minutes, check the FAP_B configuration in the managed FortiAP:
FortiAP-231E # rcfg
Radio 0: AP
...
sam ssid : TEST-SAM
sam bssid : 00:00:00:00:00:00
sam security type : Open
sam captive portal : enabled
sam cwp test url : https://www.fortinet.com
sam cwp match string : fgtauth
sam cwp success string : Fortinet
sam cwp failure string : failed
sam test : Ping
sam server : 8.8.8.8
sam report interval: 60
sam iperf port : 5001
sam iperf protocol : UDP
...
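An added example (not Fortinet code, and not part of the original page) that automates this check: it parses the "sam" lines of the rcfg output shown above and lists any that differ from the intended profile values. The function names and the drifted sample are constructed; the displayed forms of the CLI values (enable shown as enabled, ping shown as Ping) are read from the page's own output.

```python
# Added example, not Fortinet code: compare rcfg "sam ..." lines with intended values.

def parse_sam_lines(rcfg_text):
    """Return {label: value} for each 'sam <label> : <value>' line."""
    settings = {}
    for line in rcfg_text.splitlines():
        # Split on the first colon only: BSSID and URL values contain colons.
        label, sep, value = line.partition(":")
        label = label.strip()
        if sep and label.startswith("sam "):
            settings[label] = value.strip()
    return settings

def diff_sam(expected, rcfg_text):
    """Return (label, expected, actual) for each differing or missing setting."""
    actual = parse_sam_lines(rcfg_text)
    return [(k, v, actual.get(k)) for k, v in expected.items() if actual.get(k) != v]

# rcfg excerpt copied from this page (FAP_B).
RCFG_FROM_PAGE = """\
Radio 0: AP
sam ssid : TEST-SAM
sam bssid : 00:00:00:00:00:00
sam captive portal : enabled
sam cwp test url : https://www.fortinet.com
sam cwp match string : fgtauth
sam cwp success string : Fortinet
sam cwp failure string : failed
sam test : Ping
sam server : 8.8.8.8
sam report interval: 60
"""

# Intended values from the FAP_B wtp-profile, written as rcfg displays them.
EXPECTED = {
    "sam ssid": "TEST-SAM",
    "sam captive portal": "enabled",
    "sam cwp test url": "https://www.fortinet.com",
    "sam cwp match string": "fgtauth",
    "sam cwp success string": "Fortinet",
    "sam cwp failure string": "failed",
    "sam server": "8.8.8.8",
    "sam report interval": "60",
}

# Constructed drift case: the AP reports the captive portal as disabled.
RCFG_DRIFTED = RCFG_FROM_PAGE.replace("captive portal : enabled", "captive portal : disabled")
if __name__ == "__main__":
    print(diff_sam(EXPECTED, RCFG_FROM_PAGE), diff_sam(EXPECTED, RCFG_DRIFTED))
```

An empty list means the AP has received every intended value; a setting the AP has not yet received is reported with an actual value of None.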