FortiWiFi and FortiAP Configuration Guide

What's new in this release
Introduction
Getting started with FortiAP management
- Configuring the FortiGate interface to manage FortiAP units
- Discovering, authorizing, and deauthorizing FortiAP units
- FortiAP diagnostics and tools
- Setting up a mesh connection between FortiAP units
- Data channel security: clear-text, DTLS, and IPsec VPN
Wireless network configuration
- Wireless network configuration tasks
- Setting your geographic location
- Configuring the network interface for the AP unit
- Creating a FortiAP profile
- Defining a wireless network interface (SSID)
  - Changing SSID to VDOM only
  - Airtime fairness
- Configuring security
  - WPA2 Security
    - Configuring WPA2-Personal security
    - Configuring WPA2-Enterprise SSID
  - WPA3 Security
    - Generating SAE-PK private key and password
  - MPSK profiles
  - Captive Portal Security
  - Adding a MAC filter
  - Limiting the number of clients
  - Enabling multicast enhancement
  - Replacing WiFi certificate
  - Configuring WiFi with WSSO using Windows NPS and user groups
  - Enabling Beacon Protection
- Defining SSID groups
- Configuring dynamic user VLAN assignment
  - VLAN assignment by RADIUS
  - VLAN assignment by Name Tag
  - VLAN assignment by FortiAP group
  - VLAN assignment by VLAN pool
- Configuring wireless NAC support
- Configuring user authentication
  - Custom RADIUS NAS-ID
- Configuring firewall policies for the SSID
- Configuring the built-in access point on a FortiWiFi unit
- Enforcing UTM policies on a local bridge SSID
- Configuring a Syslog profile
- Understanding Distributed Radio Resource Provisioning
  - Configuring Distributed Radio Resource Provisioning
- Translating WiFi QoS WMM marking to DSCP values
- Configuring Layer 3 roaming
  - Configuring L3 Roaming for Tunnel Mode SSIDs
  - Configuring L3 Roaming for Bridge Mode SSIDs
- Advanced Wireless Features
  - Operations Profiles Entry
  - Connectivity Profiles Entry
  - Protection Profiles Entry
  - Advanced SSID options
  - Advanced WiFi Settings options
- Configuring UNII-4 5GHz radio bands
- Configuring Agile Multiband Operation
Access point configuration
- Network topology of managed APs
- Discovery and authorization of APs
- Register a FortiAP to FortiCloud
- FortiAP CLI access
- FortiAP Configuration mode
- FortiAP unit firmware upgrade
- Advanced WiFi controller discovery
  - Configure automatic AP reboot
- Wireless client load balancing for high-density deployments
- FortiAP groups
- LAN port options
  - MAC Authentication for LAN port hosts
- LAN port aggregation and redundancy
  - LAN port uplink redundancy without LACP
- CAPWAP
- LED options
- Configure FortiAP MIMO values
- Configure Fortinet external antenna parameters for specific FortiAPs
- Configure third-party antennas in select FortiAP models
- Configure FortiAP USB port status
Wireless mesh configuration
- Configuring a meshed WiFi network
- Configuring a point-to-point bridge
Hotspot 2.0 configuration
Wireless network with wired LAN configuration
- How to configure a FortiAP local bridge (private cloud-managed AP)
- How to increase the number of supported FortiAPs
- How to implement multi-processing for large-scale FortiAP management
Remote WLAN FortiAPs
Features for high-density deployments
Wireless network protection
- Wireless Intrusion Detection System
- WiFi data channel encryption
- Protected Management Frames and Opportunistic Key Caching support
- Preventing local bridge traffic from reaching the LAN
- FortiAP-S and FortiAP-U bridge mode security profiles
- DHCP snooping and option-82 data insertion
- DHCP address enforcement
- Disabling FortiAP port access
- Configuring 802.1X supplicant on LAN
- Configure NAS-Filter-Rule attribute to set up dACL
- Suppressing phishing SSID
Wireless network monitoring
- Monitoring wireless health and clients
- Monitoring rogue APs
- Suppressing rogue APs
- Monitoring wireless clients
- Monitoring wireless clients over IPv6 traffic
- Monitoring application usage for clients connected to bridge mode SSIDs
- Monitoring FortiAP with SNMP
- Monitoring FortiAP temperatures
- Enabling spectrum analysis
- Disable dedicated scanning on FortiAP F-Series profiles
- Enabling AP scan channel lists to optimize foreground scanning
- Optimizing memory storage by limiting monitoring data
Wireless network examples
- Basic wireless network example
- Wireless network example with FortiSwitch
- Complex wireless network example
- FortiGate WiFi controller 1+1 fast failover example
- CAPWAP hitless failover using FGCP
FortiWiFi unit as a wireless client
- Configuring a FortiWiFi unit as a wireless client
- Enabling EAP/TLS authentication on a FortiWiFi unit in client mode
- Configuring WPA3 security modes on FortiWiFi units operating in client mode
WiFi maps
Bluetooth Low Energy scan
- BLE Real-Time-Location Services
- Eddystone BLE beacon profile integration
Support for location-based services
- Configuring location tracking
- Viewing device location data on a FortiGate unit
- Configuring FortiPresence
Support for Electronic Shelf Label systems
Troubleshooting
- FortiAP shell command
- Signal strength issues
- Throughput issues
- Client connection issues
- FortiAP connection issues
- Testing wireless network health with SAM
- Determining the coverage area of a FortiAP
- Best practices for OSI common sources of wireless issues
- Extended logging
- Packet sniffer
- Debug commands
- Disabling 802.11d for client backward compatibility
FortiAP CLI configuration and diagnostics commands
FortiAP API
Change log

Home FortiAP / FortiWiFi 7.4.5 FortiWiFi and FortiAP Configuration Guide

7.4.5

Wireless Intrusion Detection System

The FortiGate Wireless Intrusion Detection System (WIDS) monitors wireless traffic for a wide range of security threats by detecting and reporting on possible intrusion attempts. When an attack is detected the FortiGate unit records a log message.

You can create a WIDS profile to enable these types of intrusion detection:

Asleap Attack—ASLEAP is a tool used to perform attacks against LEAP authentication.
Association Frame Flooding—A Denial of Service attack using a large number of association requests. The default detection threshold is 30 requests in 10 seconds.
Authentication Frame Flooding—A Denial of Service attack using a large number of association requests. The default detection threshold is 30 requests in 10 seconds.
Broadcasting De-authentication—This is a type of Denial of Service attack. A flood of spoofed de-authentication frames forces wireless clients to de-authenticate, then re-authenticate with their AP.
EAPOL Packet Flooding—Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication. Flooding the AP with these packets can be a denial of service attack. Several types of EAPOL packets are detected: EAPOL-FAIL, EAPOL-LOGOFF, EAPOL-START, EAPOL-SUCC.
Invalid MAC OUI—Some attackers use randomly-generated MAC addresses. The first three bytes of the MAC address are the Organizationally Unique Identifier (OUI), administered by IEEE. Invalid OUIs are logged.
Long Duration Attack—To share radio bandwidth, WiFi devices reserve channels for brief periods of time. Excessively long reservation periods can be used as a denial of service attack. You can set a threshold between 1000 and 32 767 microseconds. The default is 8200.
Null SSID Probe Response—When a wireless client sends out a probe request, the attacker sends a response with a null SSID. This causes many wireless cards and devices to stop responding.
Spoofed De-authentication—Spoofed de-authentication frames are a denial of service attack. They cause all clients to disconnect from the AP.
Weak WEP IV Detection—A primary means of cracking WEP keys is by capturing 802.11 frames over an extended period of time and searching for patterns of WEP initialization vectors (IVs) that are known to be weak. WIDS detects known weak WEP IVs in on-air traffic.
Wireless Bridge—WiFi frames with both the fromDS and ToDS fields set indicate a wireless bridge. This will also detect a wireless bridge that you intentionally configured in your network.

You can enable WIDS by enabling and selecting a WIDS Profile on a designated radio from a FortiAP profile.

To create a WIDS Profile - GUI:

Go to WiFi and Switch Controller > WIDS Profiles.
Select a profile to edit or select Create New.
Under Intrusion Detection Settings, enable the intrusion types you want protect against.
When you are finished, click OK.

Once you create a WIDS profile, you can enable WIDS Profile on a specified radio under a FortiAP profile.

To create a WIDS Profile - CLI:

config wireless-controller wids-profile
  edit "example-wids-profile"
    set ap-scan enable
    ...
  next
end

To apply a WIDS Profile to a FortiAP - CLI:

config wireless-controller wtp-profile
  edit "example-FAP-profile"
    config platform
      set type <FAP-model-number>
    end
    set handoff-sta-thresh 55
    set ap-country US
    config radio-1
      set band 802.11n
      set wids-profile "example-wids-profile"
      set vap-all disable
    end
    config radio-2
      set band 802.11ac
      set vap-all disable
    end
  next
end

Rogue AP detection

The WIDS profile includes settings for detection of unauthorized (rogue) access points in your wireless network. For more information, see Monitoring rogue APs.

WIDS client de-authentication rate for DoS attacks

As part of mitigating a Denial of Service (DoS) attack, the FortiGate sends de-authentication packets to unknown clients. In an aggressive attack, this de-authentication activity can prevent the processing of packets from valid clients. A WIDS Profile option in the CLI limits the de-authentication rate.

config wireless-controller wids-profile

edit default

set deauth-unknown-src-thresh <1-65535>

end

The value set is a measure of the number of de-authorizations per second. 0 means no limit. The default is 10.