Testing wireless network health with SAM

Fortinet's Service Assurance Manager (SAM) is a predictive diagnostic software for remotely diagnosing the health of wireless networks without requiring overlay sensors. With Service Assurance Manager, the network automatically performs predictive health checks and reports any issues before end users are impacted.

FortiAPs can be configured to run in Service Assurance Management mode, where a radio is designated to operate as a client and perform tests against another AP. Ping tests and Iperf tests can be run on interval, with results captured in the WiFi event logs. This allows the FortiGate to verify and ensure that an existing Wi-Fi network can provide acceptable services.

To configure a FortiAP profile to run in SAM mode - CLI:

In this example, a FortiGate manages two FortiAPs. One FortiAP (FAP_1) broadcasts a test SSID using WPA3 security, while the second FortiAP (FAP_2) is configured as a SAM test client with the same WPA3 security method so it can connect with the SSID on FAP_1 and perform a SAM ping or Iperf test.

1. (Optional) Upload the CA certificate to verify the server certificate.

   1. Go to System > Certificates > Create/Import > CA Certificate and complete the fields to upload the certificate.

2. (Optional) Upload the client certificate with private key file.

   1. Go to System > Certificates > Create/Import > Certificate and click Import Certificate.

   2. Select Certificate or PKCS #12 Certificate, then follow the onscreen instructions to import the client certificate with private key file, and set the private-key-password.

3. Create an SSID and select an authentication method:

   WPA3 Enterprise authentication using EAP-TLS	WPA3-SAE authentication	OWE authentication
   config wireless-controller vap edit "sam-test-ent3" set ssid "sam-test-ent3" set security wpa3-only-enterprise set pmf enable set auth radius set radius-server "eap_tls" set schedule "always" next end	config wireless-controller vap edit "sam-test-sae" set ssid "sam-test-sae" set security wpa3-sae set pmf enable set schedule "always" set sae-password ENC next end	config wireless-controller vap edit "sam-test-owe" set ssid "sam-test-owe" set security owe set pmf enable set schedule "always" next end

4. Broadcast the SSID on FAP_1:

   WPA3 Enterprise authentication using EAP-TLS	WPA3-SAE authentication	OWE authentication
   config wireless-controller wtp-profile edit "FAP433F-sam-test" config platform set type 433F set ddscan enable end config radio-2 set band 802.11ax-5G set vap-all manual set vaps "sam-test-ent3" end next end	config wireless-controller wtp-profile edit "FAP433F-sam-test " config platform set type 433F set ddscan enable end config radio-2 set band 802.11ax-5G set vap-all manual set vaps "sam-test-sae" end next end	config wireless-controller wtp-profile edit "FAP433F-sam-test" config platform set type 433F set ddscan enable end config radio-2 set band 802.11ax-5G set vap-all manual set vaps "sam-test-owe" end next end

5. Configure the AP profile for FAP_2 to run in SAM mode and select a SAM security type. Then enable a SAM ping or Iperf test:

   SAM ping test with WPA3 Enterprise authentication using EAP-TLS	SAM Iperf test with WPA3-SAE authentication	SAM ping test with OWE authentication
   If the SAM security type is set to wpa-enterprise, you can configure SAM EAP methods and SAM certificate settings: config wireless-controller wtp-profile edit "FAP431F-sam-ent3" config radio-2 set mode sam set sam-ssid "sam-test-ent3" set sam-security-type wpa-enterprise set sam-eap-method tls set sam-client-certificate "client2.cert" set sam-private-key "client2.cert" set sam-private-key-password ENC set sam-ca-certificate "CA_Cert_1" set sam-username "tester" set sam-password ENC set sam-test ping set sam-server-ip 8.8.8.8 set sam-report-intv 60 end next end	config wireless-controller wtp-profile edit "FAP431F-sam-sae" config radio-2 set mode sam set sam-ssid "sam-test-sae" set sam-security-type wpa3-sae set sam-password ENC set sam-test iperf set sam-server-ip "172.18.56.99" set iperf-server-port 5201 set iperf-protocol tcp set sam-report-intv 60 end next end	config wireless-controller wtp-profile edit "FAP431F-sam-owe" config radio-2 set mode sam set sam-ssid "sam-test-owe" set sam-security-type owe set sam-server-ip 8.8.8.8 set sam-test ping set sam-report-intv 60 end next end

   When the "sam-eap-method" is "tls" or "both", the "sam-client-certificate", "sam-private-key", and "sam-private-key-password" settings are required. sam-client-certificate: The name of imported client certificate. sam-private-key: Uses the same name of imported client certificate. sam-private-key-password: Created when importing the client certificate. sam-ca-certificate: The name of the imported CA certificate.

6. Log in to the FAP_2 CLI to verify the configurations:

   SAM ping test with WPA3 Enterprise authentication using EAP-TLS	SAM Iperf test with WPA3-SAE authentication	SAM ping test with OWE authentication
   FortiAP-431F # rcfg < other output omitted > sam ssid : sam-test-ent3 sam bssid : 00:00:00:00:00:00 sam security type : Enterprise sam captive portal : disabled sam test : Ping sam server : 8.8.8.8 sam report interval: 60 sam eap method : EAP TLS sam client cert : 1 sam ca cert : 1 < other output omitted >	FortiAP-431F # rcfg sam ssid : sam-test-sae sam bssid : 00:00:00:00:00:00 sam security type : SAE sam captive portal : disabled sam test : Iperf sam server : 172.18.56.99 sam report interval: 60 sam iperf port : 5201 sam iperf protocol : TCP < other output omitted >	FortiAP-431F # rcfg < other output omitted > sam ssid : sam-test-owe sam bssid : 00:00:00:00:00:00 sam security type : OWE sam captive portal : disabled sam test : Ping sam server : 8.8.8.8 sam report interval: 60 < other output omitted >

7. The FortiOS WiFi event log shows the corresponding event:

   WPA3 Enterprise authentication using EAP-TLS	SAM Iperf test with WPA3-SAE authentication	SAM ping test with OWE authentication
   1: date=2023-11-10 time=12:02:16 eventtime=1699646536236321385 tz="-0800" logid="0104043711" type="event" subtype="wireless" level="notice" vd="root" logdesc="SAM ping test result" sn="FP431FTF23031585" ap="FP431FTF23031585" vap="sam-test-ent3" ssid="sam-test-ent3" stamac="80:80:2c:0c:01:9f" radioid=2 channel=161 security="WPA3 Enterprise Only" encryption="AES" action="sam-ping-result" msg="Connected to AP FP433FTF20001556, 0.0% packet loss" remotewtptime="3012.616987"	1: date=2023-11-10 time=12:20:31 eventtime=1699647630989156870 tz="-0800" logid="0104043710" type="event" subtype="wireless" level="notice" vd="root" logdesc="SAM iperf test result" sn="FP431FTF23031585" ap="FP431FTF23031585" vap="sam-test-sae" ssid="sam-test-sae" stamac="80:80:2c:0c:01:9f" radioid=2 channel=161 security="WPA3 SAE" encryption="AES" action="sam-iperf-result" msg="Connected to AP FP433FTF20001556, TCP, max rate 0.6 MB/s" remotewtptime="11.468787"	1: date=2023-11-10 time=12:28:11 eventtime=1699648091131525936 tz="-0800" logid="0104043711" type="event" subtype="wireless" level="notice" vd="root" logdesc="SAM ping test result" sn="FP431FTF23031585" ap="FP431FTF23031585" vap="sam-test-owe" ssid="sam-test-owe" stamac="80:80:2c:0c:01:9f" radioid=2 channel=161 security="OWE" encryption="AES" action="sam-ping-result" msg="Connected to AP FP433FTF20001556, 0.0% packet loss" remotewtptime="469.609833"

Captive portal authentication in service assurance management (SAM) mode

When configuring a radio in service assurance management (SAM) mode, a client can be configured to authenticate with the captive portal. The captive portal match, success, and failure strings must be specified to automatically detect the authentication success or failure.

Example specification:

config wireless-controller wtp-profile

edit <name>

config radio-1

set sam-cwp-username "wifi"

set sam-cwp-password ENC

set sam-cwp-test-url "www.fortinet.com"

set sam-cwp-match-string "Login"

set sam-cwp-success-string "Success"

set sam-cwp-failure-string "again"

end

next

end

sam-cwp-username	Enter the username for captive portal authentication.
sam-cwp-password	Enter the password for captive portal authentication.
sam-cwp-test-url	Enter the website the client is trying to access.
sam-cwp-match-string	Enter the identification string from the captive portal login form.
sam-cwp-success-string	Enter the success identification text to appear on the page after a successful login.
sam-cwp-failure-string	Enter the failure identification text on the page after an incorrect login.

To perform a SAM test with captive portal authentication, create an SSID with captive portal authentication and broadcast it on a FortiAP (FAP_A). Then configure SAM with captive portal settings in the wtp-profile on a second FortiAP (FAP_B).

Configuring an SSID with captive portal authentication:

Configure the following steps on FAP_A.

1. Configure the RADIUS server:

   config user radius

   edit "172.18.56.161"

   set server "172.18.56.161"

   set secret ENC

   next

   end

2. Configure the VAP:

   config wireless-controller vap

   edit "test-sam"

   set ssid "TEST-SAM"

   set security wpa3-sae

   set captive-portal enable

   set external-web "http://172.18.56.163/portal/index.php"

   set radius-server "172.18.56.161"

   set local-bridging enable

   set portal-type external-auth

   set schedule "always"

   next

   end

3. Configure the FortiAP profile:

   config wireless-controller wtp

   edit "FP423E3X16000020" << A FAP423E is configured to broadcast test SSID.

   set uuid 404a75f2-c3ca-51eb-eb61-7678e900029c

   set admin enable

   set wtp-profile "FAP423E-default"

   config radio-1

   set override-vaps enable

   set vap-all manual

   set vaps "test-sam"

   end

   config radio-2

   set override-vaps enable

   set vap-all manual

   end

   next

   end

Configuring SAM with captive portal settings:

Configure the following steps on FAP_B.

1. Configure the FortiAP profile:

   config wireless-controller wtp-profile

   edit "FAP231E-default"

   config platform

   set type 231E

   set ddscan enable

   end

   set handoff-sta-thresh 55

   set allowaccess https ssh snmp

   config radio-1

   set mode sam

   set sam-ssid "TEST-SAM"

   set sam-captive-portal enable

   set sam-cwp-username "tester"

   set sam-cwp-password ENC

   set sam-cwp-test-url "https://www.fortinet.com"

   set sam-cwp-match-string "fgtauth" << This string is a part of the URL of the Captive Portal redirect page.

   set sam-cwp-success-string "Fortinet"

   set sam-cwp-failure-string "failed"

   set sam-password ENC

   set sam-test ping

   set sam-server-type ip

   set sam-server-ip 8.8.8.8

   set sam-report-intv 60

   end

   config radio-2

   unset band

   end

   config radio-3

   set mode monitor

   end

   next

   end

2. Configure the managed FortiAP settings:

   config wireless-controller wtp

   edit "FP231ETF20000449"

   set uuid 404c8e50-c3ca-51eb-f111-040b31b593a1

   set admin enable

   set wtp-profile "FAP231E-default"

   config radio-2

   end

   next

   end

Check the managed FortiAP to verify SAM settings:

After a few minutes, check the FAP_B configuration in the managed FortiAP:

FortiAP-231E # rcfg

Radio 0: AP

...

sam ssid : TEST-SAM

sam bssid : 00:00:00:00:00:00

sam security type : Open

sam captive portal : enabled

sam cwp test url : https://www.fortinet.com

sam cwp match string : fgtauth

sam cwp success string : Fortinet

sam cwp failure string : failed

sam test : Ping

sam server : 8.8.8.8

sam report interval: 60

sam iperf port : 5001

sam iperf protocol : UDP

...