DOCUMENT LIBRARY

FortiWiFi and FortiAP Configuration Guide

What's new in this release
Introduction
Getting started with FortiAP management
- Configuring the FortiGate interface to manage FortiAP units
- Discovering, authorizing, and deauthorizing FortiAP units
- FortiAP diagnostics and tools
- Setting up a mesh connection between FortiAP units
- Data channel security: clear-text, DTLS, and IPsec VPN
Wireless network configuration
- Wireless network configuration tasks
- Setting your geographic location
- Configuring the network interface for the AP unit
- Creating a FortiAP profile
- Defining a wireless network interface (SSID)
  - Changing SSID to VDOM only
  - Airtime fairness
- Configuring security
  - WPA2 Security
    - Configuring WPA2-Personal security
    - Configuring WPA2-Enterprise SSID
  - WPA3 Security
    - Generating SAE-PK private key and password
  - MPSK profiles
  - Captive Portal Security
  - Adding a MAC filter
  - Limiting the number of clients
  - Enabling multicast enhancement
  - Replacing WiFi certificate
  - Configuring WiFi with WSSO using Windows NPS and user groups
  - Enabling Beacon Protection
- Defining SSID groups
- Configuring dynamic user VLAN assignment
  - VLAN assignment by RADIUS
  - VLAN assignment by Name Tag
  - VLAN assignment by FortiAP group
  - VLAN assignment by VLAN pool
- Configuring wireless NAC support
- Configuring user authentication
  - WPA2 and WPA3 Enterprise authentication
    - Custom RADIUS NAS-ID
  - WiFi single sign-on (WSSO) authentication
  - Assigning WiFi users to VLANs dynamically
  - MAC-based authentication
  - User self-registration of MPSKs through FortiGuest
  - Authenticating guest WiFi users
  - Configuring 802.1X supplicant on LAN
  - Configure NAS-Filter-Rule attribute to set up dACL
- Configuring firewall policies for the SSID
- Configuring the built-in access point on a FortiWiFi unit
- Enforcing UTM policies on a local bridge SSID
- Configuring a Syslog profile
- Understanding Distributed Radio Resource Provisioning
  - Configuring Distributed Radio Resource Provisioning
- Translating WiFi QoS WMM marking to DSCP values
- Configuring Layer 3 roaming
  - Configuring L3 Roaming for Tunnel Mode SSIDs
  - Configuring L3 Roaming for Bridge Mode SSIDs
- Advanced Wireless Features
  - Operations Profiles Entry
  - Connectivity Profiles Entry
  - Protection Profiles Entry
  - Advanced SSID options
  - Advanced WiFi Settings options
- Configuring UNII-4 5GHz radio bands
- Configuring Agile Multiband Operation
Access point configuration
- Network topology of managed APs
- Discovery and authorization of APs
- Register a FortiAP to FortiCloud
- FortiAP CLI access
- FortiAP Configuration mode
- FortiAP unit firmware upgrade
- Advanced WiFi controller discovery
  - Configure automatic AP reboot
- Wireless client load balancing for high-density deployments
- FortiAP groups
- LAN port options
  - MAC Authentication for LAN port hosts
- LAN port aggregation and redundancy
  - LAN port uplink redundancy without LACP
- CAPWAP
- LED options
- Configure FortiAP MIMO values
- Configure Fortinet external antenna parameters for specific FortiAPs
- Configure third-party antennas in select FortiAP models
- Configure FortiAP USB port status
Wireless mesh configuration
- Configuring a meshed WiFi network
- Configuring a point-to-point bridge
Hotspot 2.0 ANQP configuration
- Configuring OpenRoaming on FortiAP
Wireless network with wired LAN configuration
- How to configure a FortiAP local bridge (private cloud-managed AP)
- How to increase the number of supported FortiAPs
- How to implement multi-processing for large-scale FortiAP management
Remote WLAN FortiAPs
Features for high-density deployments
Wireless network protection
- Wireless Intrusion Detection System
- WiFi data channel encryption
- Protected Management Frames and Opportunistic Key Caching support
- Preventing local bridge traffic from reaching the LAN
- FortiAP-S and FortiAP-U bridge mode security profiles
- DHCP snooping and option-82 data insertion
- DHCP address enforcement
- Disabling FortiAP port access
- Suppressing phishing SSID
Wireless network monitoring
- Monitoring wireless health and clients
- Monitoring rogue APs
- Suppressing rogue APs
- Monitoring wireless clients
- Monitoring wireless clients over IPv6 traffic
- Monitoring application usage for clients connected to bridge mode SSIDs
- Monitoring FortiAP with SNMP
- Monitoring FortiAP temperatures
- Enabling spectrum analysis
- Disable dedicated scanning on FortiAP F-Series profiles
- Enabling AP scan channel lists to optimize foreground scanning
- Optimizing memory storage by limiting monitoring data
Wireless network examples
- Basic wireless network example
- Wireless network example with FortiSwitch
- Complex wireless network example
- FortiGate WiFi controller 1+1 fast failover example
- CAPWAP hitless failover using FGCP
- Wireless network with segregated WLAN traffic
FortiWiFi unit as a wireless client
- Configuring a FortiWiFi unit as a wireless client
- Enabling EAP/TLS authentication on a FortiWiFi unit in client mode
- Configuring WPA3 security modes on FortiWiFi units operating in client mode
WiFi maps
Bluetooth Low Energy scan
- Pole Star NAO Cloud service integration
- Eddystone BLE beacon profile integration
Location-based services
- Configuring location tracking
- Viewing device location data on a FortiGate unit
- Configuring FortiPresence
Support for Electronic Shelf Label systems
Troubleshooting
- FortiAP shell command
- Signal strength issues
- Throughput issues
- Client connection issues
- FortiAP connection issues
- Testing wireless network health with SAM
- Determining the coverage area of a FortiAP
- Best practices for OSI common sources of wireless issues
- Extended logging
- Packet sniffer
- Debug commands
- Disabling 802.11d for client backward compatibility
FortiAP CLI configuration and diagnostics commands
FortiAP API
Change log

Home FortiAP / FortiWiFi 7.6.0 FortiWiFi and FortiAP Configuration Guide

7.6.0

Configuring L3 Roaming for Tunnel Mode SSIDs

To configure Intra-Controller L3 roaming - CLI:

Configure the client-idle-rehome-timeout (default is 20 seconds):

config wireless-controller timers
  set client-idle-rehome-timeout 20
end

configure the L3 roaming support SSID:

config wireless-controller vap
  edit "l3_rm1"
    set ssid "l3.roaming"
    set passphrase ENC 
    set schedule "always"
    set l3-roaming enable
  next
end
config system interface
  edit "l3_rm1"
    set vdom "root"
    set ip 10.40.1.1 255.255.255.0
    set allowaccess ping
    set type vap-switch
    set role lan
    set snmp-index 18
  next
end

Assign L3 roaming VAP to FAP433F:

config wireless-controller wtp-profile
  edit "433F"
    config platform
      set type 433F
      set ddscan enable
    end
    set handoff-sta-thresh 55
    set allowaccess ssh
    config radio-1
      set mode disabled
    end
    config radio-2
      set band 802.11ax-5G
      set power-mode dBm
      set power-value 1
      set channel "36"
      set vap-all manual
      set vaps "13_rm1"
    end
    config radio-3
      set mode monitor
    end
  next
end
config wireless-controller wtp
  edit "FP433FXX00000000"
    set uuid b04f1cca-8528-51ec-2dc0-c744cbef4179
    set admin enable
    set wtp-profile "433F"
    config radio-2
    end
  next
end

Assign L3 roaming VAP to FAP831F:

config wireless-controller wtp-profile
  edit "831F"
    config platform
      set type 831F
      set ddscan enable
    end
    set handoff-sta-thresh 55
    set allowaccess ssh
    config radio-1
      set mode disabled
    end
    config radio-2
      set band 802.11ax-5G
      set channel "36" "40"
      set vap-all manual
      set vaps "13_rm1"					
    end
    config radio-3
      set mode disabled
    end
  next
end
config wireless-controller wtp
  edit "FP831FXX00000000"
    set uuid 23ed4966-af92-51ec-44e8-3c1318698661
    set admin enable
    set wtp-profile "831F"
    config radio-2
    end
  next
end

To configure Inter-Controller L3 roaming - CLI:

This configuration requires two FortiGate units. In order to enable L3 roaming supported VAP, both FortiGate units must have the same SSID, security, and passphrase.

The following example uses:

AC1 as FGT40F
- FAP1 as FAP433E
AC2 as FGT81EP
- FAP2 as FAP831F

Configure the L3 roaming peer IP for AC1 (FGT-40F):

config system interface
  edit "wan"
    set vdom "root"
    set ip 10.43.1.40 255.255.255.0
    set allowaccess ping https ssh http fabric
    set type physical
    set role wan
    set snmp-index 1
  next
end
config wireless-controller inter-controller
  set l3-roaming enable
  config inter-controller-peer
    edit 1
      set peer-ip 10.43.1.81
    next
  end
end

Configure the client-idle-rehome-timeout (default is 20 seconds):

config wireless-controller timers
  set client-idle-rehome-timeout 20
end

configure the L3 roaming support SSID:

config wireless-controller vap
  edit "l3_rm1"
    set ssid "l3.roaming"
    set passphrase ENC 
    set schedule "always"
    set l3-roaming enable
  next
end
config system interface
  edit "l3_rm1"
    set vdom "root"
    set ip 10.40.1.1 255.255.255.0
    set allowaccess ping
    set type vap-switch
    set role lan
    set snmp-index 18
  next
end

Assign L3 roaming VAP to FAP433F:

config wireless-controller wtp-profile
  edit "433F"
    config platform
      set type 433F
      set ddscan enable
    end
    set handoff-sta-thresh 55
    set allowaccess ssh
    config radio-1
      set mode disabled
    end
    config radio-2
      set band 802.11ax-5G
      set power-mode dBm
      set power-value 1
      set channel "36"
      set vap-all manual
      set vaps "13_rm1"							
    end
    config radio-3
      set mode monitor
    end
  next
end
config wireless-controller wtp
  edit "FP433FXX00000000"
    set uuid b04f1cca-8528-51ec-2dc0-c744cbef4179
    set admin enable
    set wtp-profile "433F"
    config radio-2
    end
  next
end

Configure the L3 roaming peer IP for AC2 (FGT-81EP):

config system interface
  edit "wan"
    set vdom "root"
    set ip 10.43.1.81 255.255.255.0
    set allowaccess ping https ssh http fabric
    set type physical
    set role wan
    set snmp-index 1
  next
end
config wireless-controller inter-controller
  set l3-roaming enable
  config inter-controller-peer
    edit 1
      set peer-ip 10.43.1.40
    next
  end
end

Configure the client-idle-rehome-timeout (default is 20 seconds):

config wireless-controller timers
  set client-idle-rehome-timeout 20
end

configure the L3 roaming support SSID:

config wireless-controller vap
  edit "l3_rm1"
    set ssid "l3.roaming"
    set passphrase ENC 
    set schedule "always"
    set l3-roaming enable
  next
end
config system interface
  edit "l3_rm1"
    set vdom "root"
    set 10.81.2.1 255.255.255.0
    set allowaccess ping speed-test
    set type vap-switch
    set role lan
    set snmp-index 23
  next
end

Assign L3 roaming VAP to FAP831F:

config wireless-controller wtp-profile
  edit "831F"
    config platform
      set type 831F
      set ddscan enable
    end
    set handoff-sta-thresh 55
    set allowaccess ssh
    config radio-1
      set mode disabled
    end
    config radio-2
      set band 802.11ax-5G
      set channel "36" "40"
      set vap-all manual
      set vaps "l3_rm1"
    end
    config radio-3
      set mode disabled
    end
  next
end
config wireless-controller wtp
  edit "FP831FXX00000000"
    set uuid 23ed4966-af92-51ec-44e8-3c1318698661
    set admin enable
    set wtp-profile "831F"
    config radio-2
    end
  next
end

Check the peer status from AC1 (FGT-40F):

FortiGate-40F  # diagnose wireless-controller wlac -c ha
WC fast failover info
    mode    : disabled 
    l3r     : enabled 
    peer cnt: 1 
              FG81EPXX00000000 10.43.1.81:5246       UP 2

Check the peer status from AC2 (FGT-81EP):

FortiGate-81E-POE # diagnose wireless-controller wlac -c ha
WC fast failover info
    mode    : disabled 
    l3r     : enabled 
    peer cnt: 1 
              FGT40FXX00000000 10.43.1.40:5246       UP 3

Understanding L3 roaming events for inter-controller L3 roaming for a tunnel mode SSID

When the wireless client is connected with "l3.roaming" on AP1 in AC1, the client receives IP 10.40.1.10 from AP1 in AC1:

FortiGate-40F # diagnose wireless-controller wlac -d sta online
   vf=0 wtp=2 rId=2 wlan=l3_rm1 vlan_id=0 ip=10.40.1.10 ip6=fe80::7766:7ffe:ee4d:c396 mac=a4:c3:f0:6d:69:33 vci= host=test-wifi user= group= signal=-65 noise=-95 idle=1 bw=3 use=7 chan=36 radio_type=11AC(wave2) security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no l3r=1,1 10.43.1.81:5247 -- 10.43.1.40:5247 33,0 online=yes mimo=2

When the client leaves AP1 and roams towards AP2, it connects with the same SSID "l3.roaming" on AP2. Wireless traffic passed from AP2 and is sent to AC2. Eventually the wireless traffic is transferred from AC2 to AC1 and traffic is maintained from AC1. The wireless client maintains the original IP of 10.40.1.10:

FortiGate-81E-POE # diagnose wireless-controller wlac -d sta online
   vf=0 wtp=3 rId=2 wlan=l3_rm1 vlan_id=0 ip=10.40.1.10 ip6=:: mac=a4:c3:f0:6d:69:33 vci= host= user= group= signal=-66 noise=-95 idle=0 bw=2 use=7 chan=36 radio_type=11AC(wave2) security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no l3r=0,1 0.0.0.0:0 -- 0.0.0.0:0 0,0 online=yes mimo=2

If the wireless client idle time exceeds client-idle-rehome-timeout, it triggers the rehome event. The wireless client will send a DHCP request and obtain a new IP address from AC2 (10.81.2.20). Now the wireless client traffic is maintained from AC2:

FortiGate-81E-POE # diagnose wireless-controller wlac -d sta online
   vf=0 wtp=3 rId=2 wlan=l3_rm1 vlan_id=0 ip=10.81.2.20 ip6=:: mac=a4:c3:f0:6d:69:33 vci= host=test-wifi user= group= signal=-65 noise=-95 idle=0 bw=0 use=6 chan=36 radio_type=11AC(wave2) security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no l3r=1,0 0.0.0.0:0 -- 0.0.0.0:0 0,0 online=yes mimo=2

Configuring L3 Roaming for Tunnel Mode SSIDs

To configure Intra-Controller L3 roaming - CLI:

Configure the client-idle-rehome-timeout (default is 20 seconds):

config wireless-controller timers
  set client-idle-rehome-timeout 20
end

configure the L3 roaming support SSID:

config wireless-controller vap
  edit "l3_rm1"
    set ssid "l3.roaming"
    set passphrase ENC 
    set schedule "always"
    set l3-roaming enable
  next
end
config system interface
  edit "l3_rm1"
    set vdom "root"
    set ip 10.40.1.1 255.255.255.0
    set allowaccess ping
    set type vap-switch
    set role lan
    set snmp-index 18
  next
end

Assign L3 roaming VAP to FAP433F:

config wireless-controller wtp-profile
  edit "433F"
    config platform
      set type 433F
      set ddscan enable
    end
    set handoff-sta-thresh 55
    set allowaccess ssh
    config radio-1
      set mode disabled
    end
    config radio-2
      set band 802.11ax-5G
      set power-mode dBm
      set power-value 1
      set channel "36"
      set vap-all manual
      set vaps "13_rm1"
    end
    config radio-3
      set mode monitor
    end
  next
end
config wireless-controller wtp
  edit "FP433FXX00000000"
    set uuid b04f1cca-8528-51ec-2dc0-c744cbef4179
    set admin enable
    set wtp-profile "433F"
    config radio-2
    end
  next
end

Assign L3 roaming VAP to FAP831F:

config wireless-controller wtp-profile
  edit "831F"
    config platform
      set type 831F
      set ddscan enable
    end
    set handoff-sta-thresh 55
    set allowaccess ssh
    config radio-1
      set mode disabled
    end
    config radio-2
      set band 802.11ax-5G
      set channel "36" "40"
      set vap-all manual
      set vaps "13_rm1"					
    end
    config radio-3
      set mode disabled
    end
  next
end
config wireless-controller wtp
  edit "FP831FXX00000000"
    set uuid 23ed4966-af92-51ec-44e8-3c1318698661
    set admin enable
    set wtp-profile "831F"
    config radio-2
    end
  next
end

To configure Inter-Controller L3 roaming - CLI:

This configuration requires two FortiGate units. In order to enable L3 roaming supported VAP, both FortiGate units must have the same SSID, security, and passphrase.

The following example uses:

AC1 as FGT40F
- FAP1 as FAP433E
AC2 as FGT81EP
- FAP2 as FAP831F

Configure the L3 roaming peer IP for AC1 (FGT-40F):

config system interface
  edit "wan"
    set vdom "root"
    set ip 10.43.1.40 255.255.255.0
    set allowaccess ping https ssh http fabric
    set type physical
    set role wan
    set snmp-index 1
  next
end
config wireless-controller inter-controller
  set l3-roaming enable
  config inter-controller-peer
    edit 1
      set peer-ip 10.43.1.81
    next
  end
end

Configure the client-idle-rehome-timeout (default is 20 seconds):

config wireless-controller timers
  set client-idle-rehome-timeout 20
end

configure the L3 roaming support SSID:

config wireless-controller vap
  edit "l3_rm1"
    set ssid "l3.roaming"
    set passphrase ENC 
    set schedule "always"
    set l3-roaming enable
  next
end
config system interface
  edit "l3_rm1"
    set vdom "root"
    set ip 10.40.1.1 255.255.255.0
    set allowaccess ping
    set type vap-switch
    set role lan
    set snmp-index 18
  next
end

Assign L3 roaming VAP to FAP433F:

config wireless-controller wtp-profile
  edit "433F"
    config platform
      set type 433F
      set ddscan enable
    end
    set handoff-sta-thresh 55
    set allowaccess ssh
    config radio-1
      set mode disabled
    end
    config radio-2
      set band 802.11ax-5G
      set power-mode dBm
      set power-value 1
      set channel "36"
      set vap-all manual
      set vaps "13_rm1"							
    end
    config radio-3
      set mode monitor
    end
  next
end
config wireless-controller wtp
  edit "FP433FXX00000000"
    set uuid b04f1cca-8528-51ec-2dc0-c744cbef4179
    set admin enable
    set wtp-profile "433F"
    config radio-2
    end
  next
end

Configure the L3 roaming peer IP for AC2 (FGT-81EP):

config system interface
  edit "wan"
    set vdom "root"
    set ip 10.43.1.81 255.255.255.0
    set allowaccess ping https ssh http fabric
    set type physical
    set role wan
    set snmp-index 1
  next
end
config wireless-controller inter-controller
  set l3-roaming enable
  config inter-controller-peer
    edit 1
      set peer-ip 10.43.1.40
    next
  end
end

Configure the client-idle-rehome-timeout (default is 20 seconds):

config wireless-controller timers
  set client-idle-rehome-timeout 20
end

configure the L3 roaming support SSID:

config wireless-controller vap
  edit "l3_rm1"
    set ssid "l3.roaming"
    set passphrase ENC 
    set schedule "always"
    set l3-roaming enable
  next
end
config system interface
  edit "l3_rm1"
    set vdom "root"
    set 10.81.2.1 255.255.255.0
    set allowaccess ping speed-test
    set type vap-switch
    set role lan
    set snmp-index 23
  next
end

Assign L3 roaming VAP to FAP831F:

config wireless-controller wtp-profile
  edit "831F"
    config platform
      set type 831F
      set ddscan enable
    end
    set handoff-sta-thresh 55
    set allowaccess ssh
    config radio-1
      set mode disabled
    end
    config radio-2
      set band 802.11ax-5G
      set channel "36" "40"
      set vap-all manual
      set vaps "l3_rm1"
    end
    config radio-3
      set mode disabled
    end
  next
end
config wireless-controller wtp
  edit "FP831FXX00000000"
    set uuid 23ed4966-af92-51ec-44e8-3c1318698661
    set admin enable
    set wtp-profile "831F"
    config radio-2
    end
  next
end

Check the peer status from AC1 (FGT-40F):

FortiGate-40F  # diagnose wireless-controller wlac -c ha
WC fast failover info
    mode    : disabled 
    l3r     : enabled 
    peer cnt: 1 
              FG81EPXX00000000 10.43.1.81:5246       UP 2

Check the peer status from AC2 (FGT-81EP):

FortiGate-81E-POE # diagnose wireless-controller wlac -c ha
WC fast failover info
    mode    : disabled 
    l3r     : enabled 
    peer cnt: 1 
              FGT40FXX00000000 10.43.1.40:5246       UP 3

Understanding L3 roaming events for inter-controller L3 roaming for a tunnel mode SSID

When the wireless client is connected with "l3.roaming" on AP1 in AC1, the client receives IP 10.40.1.10 from AP1 in AC1:

FortiGate-40F # diagnose wireless-controller wlac -d sta online
   vf=0 wtp=2 rId=2 wlan=l3_rm1 vlan_id=0 ip=10.40.1.10 ip6=fe80::7766:7ffe:ee4d:c396 mac=a4:c3:f0:6d:69:33 vci= host=test-wifi user= group= signal=-65 noise=-95 idle=1 bw=3 use=7 chan=36 radio_type=11AC(wave2) security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no l3r=1,1 10.43.1.81:5247 -- 10.43.1.40:5247 33,0 online=yes mimo=2

FortiGate-81E-POE # diagnose wireless-controller wlac -d sta online
   vf=0 wtp=3 rId=2 wlan=l3_rm1 vlan_id=0 ip=10.40.1.10 ip6=:: mac=a4:c3:f0:6d:69:33 vci= host= user= group= signal=-66 noise=-95 idle=0 bw=2 use=7 chan=36 radio_type=11AC(wave2) security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no l3r=0,1 0.0.0.0:0 -- 0.0.0.0:0 0,0 online=yes mimo=2

FortiGate-81E-POE # diagnose wireless-controller wlac -d sta online
   vf=0 wtp=3 rId=2 wlan=l3_rm1 vlan_id=0 ip=10.81.2.20 ip6=:: mac=a4:c3:f0:6d:69:33 vci= host=test-wifi user= group= signal=-65 noise=-95 idle=0 bw=0 use=6 chan=36 radio_type=11AC(wave2) security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no l3r=1,0 0.0.0.0:0 -- 0.0.0.0:0 0,0 online=yes mimo=2

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

FortiWiFi and FortiAP Configuration Guide

Configuring L3 Roaming for Tunnel Mode SSIDs

Configuring L3 Roaming for Tunnel Mode SSIDs

To configure Intra-Controller L3 roaming - CLI:

To configure Inter-Controller L3 roaming - CLI:

Understanding L3 roaming events for inter-controller L3 roaming for a tunnel mode SSID

Configuring L3 Roaming for Tunnel Mode SSIDs

Configuring L3 Roaming for Tunnel Mode SSIDs

To configure Intra-Controller L3 roaming - CLI:

To configure Inter-Controller L3 roaming - CLI:

Understanding L3 roaming events for inter-controller L3 roaming for a tunnel mode SSID