wireless-controller wtp-profile
Use this command to configure WTP profiles (or FortiAP Profiles as shown in the GUI), which define radio settings for a particular platform/FortiAP model. FortiAP units contain two radio transceivers, making it possible to provide both 2.4GHz 802.11b/g/n and 5GHz 802.11a/n service from the same AP. The profile also selects which SSIDs the APs will carry.
For example, a FortiAP can be configured to carry all SSIDs on one radio, while the other only carries a specific SSID.
The radios can also be used for monitoring, used for the Rogue AP detection feature. See Monitoring rogue APs for more details, and config wireless-controller wids-profile
for various AP detection settings.
Note: Radio 2 settings are only available for FortiAP models with dual radios.
History
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.
Command | Description |
---|---|
set control-message-offload {ebp-frame | aeroscout-tag | ap-list | sta-list | sta-cap-list | stats | aeroscout-mu} |
Configure CAPWAP control message data channel offload. |
config lbs ... |
Configuration method to set various location based service (LBS) options. Enable or disable and configure various options including Ekahua blink mode, AeroScout Real Time Location Service (RTLS) support, FortiPresence monitoring, and client station locating services. |
set ext-info-enable {enable | disable} |
Enable or disable station/VAP/radio extension information, providing more detailed statistics for troubleshooting purposes. |
set lldp {enable | disable} |
Enable or disable (by default) Link Layer Discovery Protocol (LLDP) for the WTP or FortiAP. |
config wireless-controller wtp-profile edit {name} # Configure WTP profiles or FortiAP profiles that define radio settings for manageable FortiAP platforms. set name {string} WTP (or FortiAP or AP) profile name. size[35] set comment {string} Comment. size[255] config platform set type {option} WTP, FortiAP or AP platform type. There are built-in WTP profiles for all supported FortiAP models. You can select a built-in profile and customize it or create a new profile. AP-11N Default 11n AP. 220B FAP220B/221B. 210B FAP210B. 222B FAP222B. 112B FAP112B. 320B FAP320B. 11C FAP11C. 14C FAP14C. 223B FAP223B. 28C FAP28C. 320C FAP320C. 221C FAP221C. 25D FAP25D. 222C FAP222C. 224D FAP224D. 214B FK214B. 21D FAP21D. 24D FAP24D. 112D FAP112D. 223C FAP223C. 321C FAP321C. C220C FAPC220C. C225C FAPC225C. C23JD FAPC23JD. C24JE FAPC24JE. S321C FAPS321C. S322C FAPS322C. S323C FAPS323C. S311C FAPS311C. S313C FAPS313C. S321CR FAPS321CR. S322CR FAPS322CR. S323CR FAPS323CR. S421E FAPS421E. S422E FAPS422E. S423E FAPS423E. 421E FAP421E. 423E FAP423E. 221E FAP221E. 222E FAP222E. 223E FAP223E. 224E FAP224E. S221E FAPS221E. S223E FAPS223E. U421E FAPU421EV. U422EV FAPU422EV. U423E FAPU423EV. U221EV FAPU221EV. U223EV FAPU223EV. U24JEV FAPU24JEV. U321EV FAPU321EV. U323EV FAPU323EV. set control-message-offload {option} Enable/disable CAPWAP control message data channel offload. ebp-frame Ekahau blink protocol (EBP) frames. aeroscout-tag AeroScout tag. ap-list Rogue AP list. sta-list Rogue STA list. sta-cap-list STA capability list. stats WTP, radio, VAP, and STA statistics. aeroscout-mu AeroScout Mobile Unit (MU) report. set ble-profile {string} Bluetooth Low Energy profile name. size[35] - datasource(s): wireless-controller.ble-profile.name set wan-port-mode {wan-lan | wan-only} Enable/disable using a WAN port as a LAN port. wan-lan Enable using a WAN port as a LAN port. wan-only Disable using a WAN port as a LAN port. config lan set port-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid} LAN port mode. offline Offline. nat-to-wan NAT WTP LAN port to WTP WAN port. bridge-to-wan Bridge WTP LAN port to WTP WAN port. bridge-to-ssid Bridge WTP LAN port to SSID. set port-ssid {string} Bridge LAN port to SSID. size[15] - datasource(s): wireless-controller.vap.name set port1-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid} LAN port 1 mode. offline Offline. nat-to-wan NAT WTP LAN port to WTP WAN port. bridge-to-wan Bridge WTP LAN port to WTP WAN port. bridge-to-ssid Bridge WTP LAN port to SSID. set port1-ssid {string} Bridge LAN port 1 to SSID. size[15] - datasource(s): wireless-controller.vap.name set port2-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid} LAN port 2 mode. offline Offline. nat-to-wan NAT WTP LAN port to WTP WAN port. bridge-to-wan Bridge WTP LAN port to WTP WAN port. bridge-to-ssid Bridge WTP LAN port to SSID. set port2-ssid {string} Bridge LAN port 2 to SSID. size[15] - datasource(s): wireless-controller.vap.name set port3-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid} LAN port 3 mode. offline Offline. nat-to-wan NAT WTP LAN port to WTP WAN port. bridge-to-wan Bridge WTP LAN port to WTP WAN port. bridge-to-ssid Bridge WTP LAN port to SSID. set port3-ssid {string} Bridge LAN port 3 to SSID. size[15] - datasource(s): wireless-controller.vap.name set port4-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid} LAN port 4 mode. offline Offline. nat-to-wan NAT WTP LAN port to WTP WAN port. bridge-to-wan Bridge WTP LAN port to WTP WAN port. bridge-to-ssid Bridge WTP LAN port to SSID. set port4-ssid {string} Bridge LAN port 4 to SSID. size[15] - datasource(s): wireless-controller.vap.name set port5-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid} LAN port 5 mode. offline Offline. nat-to-wan NAT WTP LAN port to WTP WAN port. bridge-to-wan Bridge WTP LAN port to WTP WAN port. bridge-to-ssid Bridge WTP LAN port to SSID. set port5-ssid {string} Bridge LAN port 5 to SSID. size[15] - datasource(s): wireless-controller.vap.name set port6-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid} LAN port 6 mode. offline Offline. nat-to-wan NAT WTP LAN port to WTP WAN port. bridge-to-wan Bridge WTP LAN port to WTP WAN port. bridge-to-ssid Bridge WTP LAN port to SSID. set port6-ssid {string} Bridge LAN port 6 to SSID. size[15] - datasource(s): wireless-controller.vap.name set port7-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid} LAN port 7 mode. offline Offline. nat-to-wan NAT WTP LAN port to WTP WAN port. bridge-to-wan Bridge WTP LAN port to WTP WAN port. bridge-to-ssid Bridge WTP LAN port to SSID. set port7-ssid {string} Bridge LAN port 7 to SSID. size[15] - datasource(s): wireless-controller.vap.name set port8-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid} LAN port 8 mode. offline Offline. nat-to-wan NAT WTP LAN port to WTP WAN port. bridge-to-wan Bridge WTP LAN port to WTP WAN port. bridge-to-ssid Bridge WTP LAN port to SSID. set port8-ssid {string} Bridge LAN port 8 to SSID. size[15] - datasource(s): wireless-controller.vap.name set energy-efficient-ethernet {enable | disable} Enable/disable use of energy efficient Ethernet on WTP. set led-state {enable | disable} Enable/disable use of LEDs on WTP (default = disable). config led-schedules edit {name} # Recurring firewall schedules for illuminating LEDs on the FortiAP. If led-state is enabled, LEDs will be visible when at least one of the schedules is valid. Separate multiple schedule names with a space. set name {string} LED schedule name. size[35] - datasource(s): firewall.schedule.group.name,firewall.schedule.recurring.name next set dtls-policy {clear-text | dtls-enabled | ipsec-vpn} WTP data channel DTLS policy (default = clear-text). clear-text Clear Text Data Channel. dtls-enabled DTLS Enabled Data Channel. ipsec-vpn IPsec VPN Data Channel. set dtls-in-kernel {enable | disable} Enable/disable data channel DTLS in kernel. set max-clients {integer} Maximum number of stations (STAs) supported by the WTP (default = 0, meaning no client limitation). range[0-4294967295] set handoff-rssi {integer} Minimum received signal strength indicator (RSSI) value for handoff (20 - 30, default = 25). range[20-30] set handoff-sta-thresh {integer} Threshold value for AP handoff. range[0-4294967295] set handoff-roaming {enable | disable} Enable/disable client load balancing during roaming to avoid roaming delay (default = disable). config deny-mac-list edit {id} # List of MAC addresses that are denied access to this WTP, FortiAP, or AP. set id {integer} ID. range[0-4294967295] set mac {mac address} A WiFi device with this MAC address is denied access to this WTP, FortiAP or AP. next set ap-country {option} Country in which this WTP, FortiAP or AP will operate (default = NA, automatically use the country configured for the current VDOM). NA NO_COUNTRY_SET AL ALBANIA DZ ALGERIA AO ANGOLA AR ARGENTINA AM ARMENIA AU AUSTRALIA AT AUSTRIA AZ AZERBAIJAN BH BAHRAIN BD BANGLADESH BB BARBADOS BY BELARUS BE BELGIUM BZ BELIZE BO BOLIVIA BA BOSNIA AND HERZEGOVINA BR BRAZIL BN BRUNEI DARUSSALAM BG BULGARIA KH CAMBODIA CL CHILE CN CHINA CO COLOMBIA CR COSTA RICA HR CROATIA CY CYPRUS CZ CZECH REPUBLIC DK DENMARK DO DOMINICAN REPUBLIC EC ECUADOR EG EGYPT SV EL SALVADOR EE ESTONIA FI FINLAND FR FRANCE GE GEORGIA DE GERMANY GR GREECE GL GREENLAND GD GRENADA GU GUAM GT GUATEMALA HT HAITI HN HONDURAS HK HONG KONG HU HUNGARY IS ICELAND IN INDIA ID INDONESIA IR IRAN IE IRELAND IL ISRAEL IT ITALY JM JAMAICA JO JORDAN KZ KAZAKHSTAN KE KENYA KP NORTH KOREA KR KOREA REPUBLIC KW KUWAIT LV LATVIA LB LEBANON LI LIECHTENSTEIN LT LITHUANIA LU LUXEMBOURG MO MACAU SAR MK MACEDONIA, FYRO MY MALAYSIA MT MALTA MX MEXICO MC MONACO MA MOROCCO MZ MOZAMBIQUE MM MYANMAR NP NEPAL NL NETHERLANDS AN NETHERLANDS ANTILLES AW ARUBA NZ NEW ZEALAND NO NORWAY OM OMAN PK PAKISTAN PA PANAMA PG PAPUA NEW GUINEA PY PARAGUAY PE PERU PH PHILIPPINES PL POLAND PT PORTUGAL PR PUERTO RICO QA QATAR RO ROMANIA RU RUSSIA RW RWANDA SA SAUDI ARABIA RS REPUBLIC OF SERBIA ME MONTENEGRO SG SINGAPORE SK SLOVAKIA SI SLOVENIA ZA SOUTH AFRICA ES SPAIN LK SRI LANKA SE SWEDEN SD SUDAN CH SWITZERLAND SY SYRIAN ARAB REPUBLIC TW TAIWAN TZ TANZANIA TH THAILAND TT TRINIDAD AND TOBAGO TN TUNISIA TR TURKEY AE UNITED ARAB EMIRATES UA UKRAINE GB UNITED KINGDOM US UNITED STATES2 PS UNITED STATES (PUBLIC SAFETY) UY URUGUAY UZ UZBEKISTAN VE VENEZUELA VN VIET NAM YE YEMEN ZB ZAMBIA ZW ZIMBABWE JP JAPAN14 CA CANADA2 set ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable} Select how to prevent IP fragmentation for CAPWAP tunneled control and data packets (default = tcp-mss-adjust). tcp-mss-adjust TCP maximum segment size adjustment. icmp-unreachable Drop packet and send ICMP Destination Unreachable set tun-mtu-uplink {integer} Uplink CAPWAP tunnel MTU (0, 576, or 1500 bytes, default = 0). range[576-1500] set tun-mtu-downlink {integer} Downlink CAPWAP tunnel MTU (0, 576, or 1500 bytes, default = 0). range[576-1500] set split-tunneling-acl-path {tunnel | local} Split tunneling ACL path is local/tunnel. tunnel Split tunneling ACL list traffic will be tunnel. local Split tunneling ACL list traffic will be local NATed. set split-tunneling-acl-local-ap-subnet {enable | disable} Enable/disable automatically adding local subnetwork of FortiAP to split-tunneling ACL (default = disable). config split-tunneling-acl edit {id} # Split tunneling ACL filter list. set id {integer} ID. range[0-4294967295] set dest-ip {ipv4 classnet} Destination IP and mask for the split-tunneling subnet. next set allowaccess {telnet | http | https | ssh} Control management access to the managed WTP, FortiAP, or AP. Separate entries with a space. telnet TELNET access. http HTTP access. https HTTPS access. ssh SSH access. set login-passwd-change {yes | default | no} Change or reset the administrator password of a managed WTP, FortiAP or AP (yes, default, or no, default = no). yes Change the managed WTP, FortiAP or AP's administrator password. Use the login-password option to set the password. default Keep the managed WTP, FortiAP or AP's administrator password set to the factory default. no Do not change the managed WTP, FortiAP or AP's administrator password. set login-passwd {password_string} Set the managed WTP, FortiAP, or AP's administrator password. size[31] set lldp {enable | disable} Enable/disable Link Layer Discovery Protocol (LLDP) for the WTP, FortiAP, or AP (default = disable). set poe-mode {auto | 8023af | 8023at | power-adapter} Set the WTP, FortiAP, or AP's PoE mode. auto Automatically detect the PoE mode. 8023af Use 802.3af PoE mode. 8023at Use 802.3at PoE mode. power-adapter Use the power adapter to control the PoE mode. config radio-1 set radio-id {integer} radio-id range[0-2] set mode {disabled | ap | monitor | sniffer} Mode of radio 1. Radio 1 can be disabled, configured as an access point, a rogue AP monitor, or a sniffer. disabled Radio 1 is disabled. ap Radio 1 operates as an access point that allows WiFi clients to connect to your network. monitor Radio 1 operates as a dedicated monitor. As a monitor, the radio scans for other WiFi access points and adds them to the Rogue AP monitor list. sniffer Radio 1 operates as a sniffer capturing WiFi frames on air. set band {option} WiFi band that Radio 1 operates on. 802.11a 802.11a. 802.11b 802.11b. 802.11g 802.11g/b. 802.11n 802.11n/g/b at 2.4GHz. 802.11n-5G 802.11n/a at 5GHz. 802.11ac 802.11ac/n/a. 802.11n,g-only 802.11n/g at 2.4GHz. 802.11g-only 802.11g. 802.11n-only 802.11n at 2.4GHz. 802.11n-5G-only 802.11n at 5GHz. 802.11ac,n-only 802.11ac/n. 802.11ac-only 802.11ac. set protection-mode {rtscts | ctsonly | disable} Enable/disable 802.11g protection modes to support backwards compatibility with older clients (rtscts, ctsonly, disable). rtscts Enable 802.11g protection RTS/CTS mode. ctsonly Enable 802.11g protection CTS only mode. disable Disable 802.11g protection mode. set powersave-optimize {option} Enable client power-saving features such as TIM, AC VO, and OBSS etc. tim TIM bit for client in power save mode. ac-vo Use AC VO priority to send out packets in the power save queue. no-obss-scan Do not put OBSS scan IE into beacon and probe response frames. no-11b-rate Do not send frame using 11b data rate. client-rate-follow Adapt transmitting PHY rate with receiving PHY rate from a client. set transmit-optimize {option} Packet transmission optimization options including power saving, aggregation limiting, retry limiting, etc. All are enabled by default. disable Disable packet transmission optimization. power-save Tag client as operating in power save mode if excessive transmit retries occur. aggr-limit Set aggregation limit to a lower value when data rate is low. retry-limit Set software retry limit to a lower value when data rate is low. send-bar Limit transmission of BAR frames. set amsdu {enable | disable} Enable/disable 802.11n AMSDU support. AMSDU can improve performance if supported by your WiFi clients (default = enable). set coexistence {enable | disable} Enable/disable allowing both HT20 and HT40 on the same radio (default = enable). set short-guard-interval {enable | disable} Use either the short guard interval (Short GI) of 400 ns or the long guard interval (Long GI) of 800 ns. set channel-bonding {80MHz | 40MHz | 20MHz} Channel bandwidth: 80, 40, or 20MHz. Channels may use both 20 and 40 by enabling coexistence. 80MHz 80 MHz channel width. 40MHz 40 MHz channel width. 20MHz 20 MHz channel width. set auto-power-level {enable | disable} Enable/disable automatic power-level adjustment to prevent co-channel interference (default = disable). set auto-power-high {integer} Automatic transmit power high limit in dBm (the actual range of transmit power depends on the AP platform type). range[0-4294967295] set auto-power-low {integer} Automatic transmission power low limit in dBm (the actual range of transmit power depends on the AP platform type). range[0-4294967295] set power-level {integer} Radio power level as a percentage of the maximum transmit power (0 - 100, default = 100). range[0-100] set dtim {integer} DTIM interval. The frequency to transmit Delivery Traffic Indication Message (or Map) (DTIM) messages (1 - 255, default = 1). Set higher to save client battery life. range[1-255] set beacon-interval {integer} Beacon interval. The time between beacon frames in msec (the actual range of beacon interval depends on the AP platform type, default = 100). range[0-65535] set rts-threshold {integer} Maximum packet size for RTS transmissions, specifying the maximum size of a data packet before RTS/CTS (256 - 2346 bytes, default = 2346). range[256-2346] set frag-threshold {integer} Maximum packet size that can be sent without fragmentation (800 - 2346 bytes, default = 2346). range[800-2346] set ap-sniffer-bufsize {integer} Sniffer buffer size (1 - 32 MB, default = 16). range[1-32] set ap-sniffer-chan {integer} Channel on which to operate the sniffer (default = 6). range[0-4294967295] set ap-sniffer-addr {mac address} MAC address to monitor. set ap-sniffer-mgmt-beacon {enable | disable} Enable/disable sniffer on WiFi management Beacon frames (default = enable). set ap-sniffer-mgmt-probe {enable | disable} Enable/disable sniffer on WiFi management probe frames (default = enable). set ap-sniffer-mgmt-other {enable | disable} Enable/disable sniffer on WiFi management other frames (default = enable). set ap-sniffer-ctl {enable | disable} Enable/disable sniffer on WiFi control frame (default = enable). set ap-sniffer-data {enable | disable} Enable/disable sniffer on WiFi data frame (default = enable). set channel-utilization {enable | disable} Enable/disable measuring channel utilization. set spectrum-analysis {enable | disable} Enable/disable spectrum analysis to find interference that would negatively impact wireless performance. set wids-profile {string} Wireless Intrusion Detection System (WIDS) profile name to assign to the radio. size[35] - datasource(s): wireless-controller.wids-profile.name set darrp {enable | disable} Enable/disable Distributed Automatic Radio Resource Provisioning (DARRP) to make sure the radio is always using the most optimal channel (default = disable). set max-clients {integer} Maximum number of stations (STAs) or WiFi clients supported by the radio. Range depends on the hardware. range[0-4294967295] set max-distance {integer} Maximum expected distance between the AP and clients (0 - 54000 m, default = 0). range[0-54000] set frequency-handoff {enable | disable} Enable/disable frequency handoff of clients to other channels (default = disable). set ap-handoff {enable | disable} Enable/disable AP handoff of clients to other APs (default = disable). set vap-all {enable | disable} Enable/disable the automatic inheritance of all Virtual Access Points (VAPs) (default = enable). config vaps edit {name} # Manually selected list of Virtual Access Points (VAPs). set name {string} Virtual Access Point (VAP) name. size[35] - datasource(s): wireless-controller.vap-group.name,wireless-controller.vap.name next config channel edit {chan} # Selected list of wireless radio channels. set chan {string} Channel number. size[3] next set call-admission-control {enable | disable} Enable/disable WiFi multimedia (WMM) call admission control to optimize WiFi bandwidth use for VoIP calls. New VoIP calls are only accepted if there is enough bandwidth available to support them. set call-capacity {integer} Maximum number of Voice over WLAN (VoWLAN) phones supported by the radio (0 - 60, default = 10). range[0-60] set bandwidth-admission-control {enable | disable} Enable/disable WiFi multimedia (WMM) bandwidth admission control to optimize WiFi bandwidth use. A request to join the wireless network is only allowed if the access point has enough bandwidth to support it. set bandwidth-capacity {integer} Maximum bandwidth capacity allowed (1 - 600000 Kbps, default = 2000). range[1-600000] config radio-2 set radio-id {integer} radio-id range[0-2] set mode {disabled | ap | monitor | sniffer} Mode of radio 2. Radio 2 can be disabled, configured as an access point, a rogue AP monitor, or a sniffer. disabled Radio 2 is disabled. ap Radio 2 operates as an access point that allows WiFi clients to connect to your network. monitor Radio 2 operates as a dedicated monitor. As a monitor, the radio scans for other WiFi access points and adds them to the Rogue AP monitor list. sniffer Radio 2 operates as a sniffer capturing WiFi frames on air. set band {option} WiFi band that Radio 2 operates on. 802.11a 802.11a. 802.11b 802.11b. 802.11g 802.11g/b. 802.11n 802.11n/g/b at 2.4GHz. 802.11n-5G 802.11n/a at 5GHz. 802.11ac 802.11ac/n/a. 802.11n,g-only 802.11n/g at 2.4GHz. 802.11g-only 802.11g. 802.11n-only 802.11n at 2.4GHz. 802.11n-5G-only 802.11n at 5GHz. 802.11ac,n-only 802.11ac/n. 802.11ac-only 802.11ac. set protection-mode {rtscts | ctsonly | disable} Enable/disable 802.11g protection modes to support backwards compatibility with older clients (rtscts, ctsonly, disable). rtscts Enable 802.11g protection RTS/CTS mode. ctsonly Enable 802.11g protection CTS only mode. disable Disable 802.11g protection mode. set powersave-optimize {option} Enable client power-saving features such as TIM, AC VO, and OBSS etc. tim TIM bit for client in power save mode. ac-vo Use AC VO priority to send out packets in the power save queue. no-obss-scan Do not put OBSS scan IE into beacon and probe response frames. no-11b-rate Do not send frame using 11b data rate. client-rate-follow Adapt transmitting PHY rate with receiving PHY rate from a client. set transmit-optimize {option} Packet transmission optimization options including power saving, aggregation limiting, retry limiting, etc. All are enabled by default. disable Disable packet transmission optimization. power-save Tag client as operating in power save mode if excessive transmit retries occur. aggr-limit Set aggregation limit to a lower value when data rate is low. retry-limit Set software retry limit to a lower value when data rate is low. send-bar Limit transmission of BAR frames. set amsdu {enable | disable} Enable/disable 802.11n AMSDU support. AMSDU can improve performance if supported by your WiFi clients (default = enable). set coexistence {enable | disable} Enable/disable allowing both HT20 and HT40 on the same radio (default = enable). set short-guard-interval {enable | disable} Use either the short guard interval (Short GI) of 400 ns or the long guard interval (Long GI) of 800 ns. set channel-bonding {80MHz | 40MHz | 20MHz} Channel bandwidth: 80, 40, or 20MHz. Channels may use both 20 and 40 by enabling coexistence. 80MHz 80 MHz channel width. 40MHz 40 MHz channel width. 20MHz 20 MHz channel width. set auto-power-level {enable | disable} Enable/disable automatic power-level adjustment to prevent co-channel interference (default = disable). set auto-power-high {integer} Automatic transmit power high limit in dBm (the actual range of transmit power depends on the AP platform type). range[0-4294967295] set auto-power-low {integer} Automatic transmission power low limit in dBm (the actual range of transmit power depends on the AP platform type). range[0-4294967295] set power-level {integer} Radio power level as a percentage of the maximum transmit power (0 - 100, default = 100). range[0-100] set dtim {integer} DTIM interval. The frequency to transmit Delivery Traffic Indication Message (or Map) (DTIM) messages (1 - 255, default = 1). Set higher to save client battery life. range[1-255] set beacon-interval {integer} Beacon interval. The time between beacon frames in msec (the actual range of beacon interval depends on the AP platform type, default = 100). range[0-65535] set rts-threshold {integer} Maximum packet size for RTS transmissions, specifying the maximum size of a data packet before RTS/CTS (256 - 2346 bytes, default = 2346). range[256-2346] set frag-threshold {integer} Maximum packet size that can be sent without fragmentation (800 - 2346 bytes, default = 2346). range[800-2346] set ap-sniffer-bufsize {integer} Sniffer buffer size (1 - 32 MB, default = 16). range[1-32] set ap-sniffer-chan {integer} Channel on which to operate the sniffer (default = 6). range[0-4294967295] set ap-sniffer-addr {mac address} MAC address to monitor. set ap-sniffer-mgmt-beacon {enable | disable} Enable/disable sniffer on WiFi management Beacon frames (default = enable). set ap-sniffer-mgmt-probe {enable | disable} Enable/disable sniffer on WiFi management probe frames (default = enable). set ap-sniffer-mgmt-other {enable | disable} Enable/disable sniffer on WiFi management other frames (default = enable). set ap-sniffer-ctl {enable | disable} Enable/disable sniffer on WiFi control frame (default = enable). set ap-sniffer-data {enable | disable} Enable/disable sniffer on WiFi data frame (default = enable). set channel-utilization {enable | disable} Enable/disable measuring channel utilization. set spectrum-analysis {enable | disable} Enable/disable spectrum analysis to find interference that would negatively impact wireless performance. set wids-profile {string} Wireless Intrusion Detection System (WIDS) profile name to assign to the radio. size[35] - datasource(s): wireless-controller.wids-profile.name set darrp {enable | disable} Enable/disable Distributed Automatic Radio Resource Provisioning (DARRP) to make sure the radio is always using the most optimal channel (default = disable). set max-clients {integer} Maximum number of stations (STAs) or WiFi clients supported by the radio. Range depends on the hardware. range[0-4294967295] set max-distance {integer} Maximum expected distance between the AP and clients (0 - 54000 m, default = 0). range[0-54000] set frequency-handoff {enable | disable} Enable/disable frequency handoff of clients to other channels (default = disable). set ap-handoff {enable | disable} Enable/disable AP handoff of clients to other APs (default = disable). set vap-all {enable | disable} Enable/disable the automatic inheritance of all Virtual Access Points (VAPs) (default = enable). config vaps edit {name} # Manually selected list of Virtual Access Points (VAPs). set name {string} Virtual Access Point (VAP) name. size[35] - datasource(s): wireless-controller.vap-group.name,wireless-controller.vap.name next config channel edit {chan} # Selected list of wireless radio channels. set chan {string} Channel number. size[3] next set call-admission-control {enable | disable} Enable/disable WiFi multimedia (WMM) call admission control to optimize WiFi bandwidth use for VoIP calls. New VoIP calls are only accepted if there is enough bandwidth available to support them. set call-capacity {integer} Maximum number of Voice over WLAN (VoWLAN) phones supported by the radio (0 - 60, default = 10). range[0-60] set bandwidth-admission-control {enable | disable} Enable/disable WiFi multimedia (WMM) bandwidth admission control to optimize WiFi bandwidth use. A request to join the wireless network is only allowed if the access point has enough bandwidth to support it. set bandwidth-capacity {integer} Maximum bandwidth capacity allowed (1 - 600000 Kbps, default = 2000). range[1-600000] config lbs set ekahau-blink-mode {enable | disable} Enable/disable Ekahau blink mode (now known as AiRISTA Flow) to track and locate WiFi tags (default = disable). set ekahau-tag {mac address} WiFi frame MAC address or WiFi Tag. set erc-server-ip {ipv4 address any} IP address of Ekahau RTLS Controller (ERC). set erc-server-port {integer} Ekahau RTLS Controller (ERC) UDP listening port. range[1024-65535] set aeroscout {enable | disable} Enable/disable AeroScout Real Time Location Service (RTLS) support (default = disable). set aeroscout-server-ip {ipv4 address any} IP address of AeroScout server. set aeroscout-server-port {integer} AeroScout server UDP listening port. range[1024-65535] set aeroscout-mu {enable | disable} Enable/disable AeroScout Mobile Unit (MU) support (default = disable). set aeroscout-ap-mac {bssid | board-mac} Use BSSID or board MAC address as AP MAC address in AeroScout AP messages (default = bssid). bssid Use BSSID as AP MAC address in AeroScout AP messages. board-mac Use board MAC address as AP MAC address in AeroScout AP messages. set aeroscout-mmu-report {enable | disable} Enable/disable compounded AeroScout tag and MU report (default = enable). set aeroscout-mu-factor {integer} AeroScout MU mode dilution factor (default = 20). range[0-4294967295] set aeroscout-mu-timeout {integer} AeroScout MU mode timeout (0 - 65535 sec, default = 5). range[0-65535] set fortipresence {foreign | both | disable} Enable/disable FortiPresence to monitor the location and activity of WiFi clients even if they don't connect to this WiFi network (default = disable). foreign FortiPresence monitors foreign channels only. Foreign channels means all other available channels than the current operating channel of the WTP, AP, or FortiAP. both Enable FortiPresence on both foreign and home channels. Select this option to have FortiPresence monitor all WiFi channels. disable Disable FortiPresence. set fortipresence-server {ipv4 address any} FortiPresence server IP address. set fortipresence-port {integer} FortiPresence server UDP listening port (default = 3000). range[300-65535] set fortipresence-secret {password_string} FortiPresence secret password (max. 16 characters). size[123] set fortipresence-project {string} FortiPresence project name (max. 16 characters, default = fortipresence). size[16] set fortipresence-frequency {integer} FortiPresence report transmit frequency (5 - 65535 sec, default = 30). range[5-65535] set fortipresence-rogue {enable | disable} Enable/disable FortiPresence finding and reporting rogue APs. set fortipresence-unassoc {enable | disable} Enable/disable FortiPresence finding and reporting unassociated stations. set station-locate {enable | disable} Enable/disable client station locating services for all clients, whether associated or not (default = disable). set ext-info-enable {enable | disable} Enable/disable station/VAP/radio extension information. next end
Additional information
The following section is for those options that require additional explanation.
config platform
A configuration method to assign the AP hardware type.
type <platform>
WTP platform type/model. For a full list of options, enter set type ?
(or see wireless-controller wtp-group
). The default is set to 220B
.
config deny-mac-list
A configuration methods to deny specific wireless MAC addresses.
mac <mac-address>
Wireless MAC address to deny.
config split-tunneling-acl
A configuration method to set various split tunneling access control list (ACL) filter lists.
dest-ip <ipv4-netmask>
IPv4 destination address to be added to the ACL filter.
config {radio-1 | radio-2}
A configuration method to set various options for Radio 1 and/or Radio 2.
mode {disabled | ap | monitor | sniffer}
Radio mode for the AP:
- disabled: Radio is not used; all other entries are unavailable except
powersave-optimize
. - ap: Radio provides wireless AP service (set by default); all other entries are available.
- monitor: Radio performs monitoring only; the only other entries available when this is set are
powersave-optimize
,spectrum-analysis
, andwids-profile
. - sniffer: Radio performs scanning only; the only other entries available when this is set are
powersave-optimize
, all ap-sniffer related entries, andspectrum-analysis
.
band {802.11b | 802.11g | 802.11n | 802.11n,g-only | 802.11g-only | 802.11n-only}
Band of AP-mode radio. The n
bands operate at 2.4GHz.
protection-mode {rtscts | ctsonly | disable}
Note: This entry is only available under radio-2
.
802.11g protection mode:
- rtscts: Enables 802.11g protection in Request to Send/Clear to Send (RTS/CTS) mode, reducing frame collisions
- ctsonly: Enables 802.11g protection in CTS mode
- disable: Disables 802.11g protection
powersave-optimize {tim | ac-vo | no-obss-scan | no-11b-rate | client-rate-follow}
Power-saving optimization options:
- tim: Set traffic indication map (TIM) bit for client in power save mode. TIM bit mask indicates to any sleeping listening stations if the AP has any buffered frames present.
- ac-vo: Use Access Category (AC) Voice (VO) priority to send packets in the power save queue. AC VO is one of the highest classes/priority levels used to ensure quality of service (QoS).
- no-obss-scan: Do not put Overlapping Basic Service Set (OBSS), or high-noise (i.e. non-802.11), scan IE into a Beacon or Probe Response frame.
- no-11b-rate: Do not send frame using 11b data rate.
- client-rate-follow: Adapt transmitted PHY rate to PHY rate received from client.
Separate each value with a space to add multiple values. Values can also be added using append
.
ap-sniffer-bufsize <mb>
Note: This entry is only available when mode
is set to sniffer
.
AP's sniffer buffer size in MB. Set the value between 1-32. The default is set to 16
.
ap-sniffer-chan <channel>
Note: This entry is only available when mode
is set to sniffer
.
Channel on which to operate the sniffer. The default is set to 6
.
ap-sniffer-addr <mac-address>
Note: This entry is only available when mode
is set to sniffer
.
MAC address to monitor.
ap-sniffer-mgmt-beacon {enable | disable}
Note: This entry is only available when mode
is set to sniffer
.
Enable (by default) or disable sniffer on WiFi management Beacon frame.
ap-sniffer-mgmt-probe {enable | disable}
Note: This entry is only available when mode
is set to sniffer
.
Enable (by default) or disable sniffer on WiFi management Probe frame.
ap-sniffer-mgmt-other {enable | disable}
Note: This entry is only available when mode
is set to sniffer
.
Enable (by default) or disable sniffer on WiFi management Other frame.
ap-sniffer-ctl {enable | disable}
Note: This entry is only available when mode
is set to sniffer
.
Enable (by default) or disable sniffer on WiFi Control frame.
ap-sniffer-data {enable | disable}
Note: This entry is only available when mode
is set to sniffer
.
Enable (by default) or disable sniffer on WiFi Data frame.
transmit-optimize {disable | power-save | aggr-limit | retry-limit | send-bar}
Packet transmission optimization options (enabled by default; all options except disable
):
- disable: No packet transmission optimization
- power-save: Tags client as operating in power save mode if excessive transmit retries occur
- aggr-limit: Sets a lower aggregation limit when the data rate is low
- retry-limit: Sets a lower retry limit when data rate is low
- send-bar: Limit transmission of Block Acknowledgement Request (BAR) frames
Separate each value with a space to add multiple values. Values can also be added using append
.
amsdu {enable | disable}
Note: This entry is only available under radio-2
.
Enable (by default) or disable Aggregate MAC Service Data Unit (A-MSDU) support, allowing multiple frames to be combined into one larger frame.
coexistence {enable | disable}
Note: This entry is only available under radio-2
.
Enable (by default) or disable HT20/HT40 coexistence support, where bandwidths that use 20MHz and 40MHz can be used in the same channel.
channel-bonding {40MHz | 20MHz}
Note: This entry is only available under radio-2
.
Channel bandwidth: either 40MHz or 20MHz. Channels may use both by enabling the coexistence
entry (see above).
auto-power-level {enable | disable}
Enable or disable (by default) automatic power-level adjustment to prevent co-channel interference. When enabled, use the auto-power-high
and auto-power-low
entries to configure the high and low limitations. When disabled, use the power-level
entry to configure the power level percentage.
auto-power-high <dBm>
Note: This entry is only available when auto-power-level
is set to enable
.
Automatic transmission power high limit in decibels (dB) of the measured power referenced to one milliwatt (mW), or dBm. Set the value between 10-17. The default is set to 17
.
auto-power-low <dBm>
Note: This entry is only available when auto-power-level
is set to enable
.
Automatic transmission power low limit in dBm. Set the value between 1-17. The default is set to 10
.
power-level <percentage>
Note: This entry is only available when auto-power-level
is set to disable
.
Radio power level as a percentage; as such, set the value between 0-100. The default is set to 100
.
The maximum power level (i.e. 100%) will set to the regulatory maximum for your region, as determined by the country entry under config wireless-controller setting
.
dtim <interval>
Interval between an Delivery Traffic Indication Message (DTIM), a kind of TIM that informs clients about the presence of buffered multicast/broadcast data on the AP. Set the value between 1-255. The default is set to 1
.
beacon-interval <milliseconds>
Interval between beacon packets. AP broadcast beacons or TIMs to synchronize wireless networks. Set the value between 40-3500 (or 40 milliseconds to 3.5 seconds). The default is set to 100
(or a tenth of a second).
In an environment with high interference, a low beacon-interval
value might improve network performance. In a location with few wireless nodes, you can increase this value.
rts-threshold <bytes>
Maximum packet size for RTS transmissions, specifying the maximum size of a data packet before RTS/CTS. This will consume more bandwidth, therefore reducing the throughput, however the more RTS packets there are the fewer instances of packet loss will occur.
Set the value between 256-2346 (or 256 bytes to over 2kB). The default is set to 2346
, meaning that effectively it will never be used, as the maximum packet size in Ethernet networks can only be 1518 bytes (including all headers and maximum data size).
channel-utilization {enable | disable}
Enableor disable (by default) channel utilization measurement.
frag-threshold <bytes>
Note: This entry is only available when band
has been set.
Maximum packet size that can be sent without fragmentation. Range is 800 to 2346 bytes. Set the value between 256-2346 (or 256 bytes to over 2kB).
spectrum-analysis {enable | disable}
Enable or disable (by default) spectrum analysis, a method for finding interference that would negatively impact wireless performance.
wids-profile
Note: This entry in only available when mode
is set to either ap
or monitor
.
WIDS profile name to assign to the radio, as configured under the wireless-controller wids-profile
command.
darrp {enable | disable}
Enable or disable (by default) Distributed Automatic Radio Resource Provisioning (DARRP), a feature that autonomously and periodically determines the best-suited channel for wireless communication. This allows FortiAP units to select their channel so they do not interfere with each other in large-scale deployments.
You can optimize DARRP further under the wireless-controller timers
command.
max-clients <integer>
Maximum expected number of STAs supported by the radio. The default is set to 0
.
max-distance <meters>
Maximum expected distance in meters between the AP and clients. This adjusts the ACK timeout to maintain throughput at the maximum distance. Set the value between 0-54000 (or no distance to just over 33.5 miles). The default is set to 0
.
frequency-handoff {enable | disable}
Enable or disable (by default) frequency handoff of clients to other channels. When enabled, you can optimize handoff further by using the handoff-rssi
and handoff-sta-thresh
entries.
ap-handoff {enable | disable}
Enable or disable (by default) handoff of clients to other APs.
vap-all {enable | disable}
Enable (by default) or disable the automatic inheritance of all VAPs.
vaps <vaps>
Specific VAPs carried on this physical AP. Separate each value with a space to add multiple VAPs. A maximum of eight VAPs may be added. Values can also be added using append
.
channel {1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11}
Wireless radio channels. Separate each value with a space to add multiple channels. Values can also be added using append
.
config lbs
A configuration method to set various location based service (LBS) options.
ekahau-blink-mode {enable | disable}
Enable or disable (by default)
ekahau-tag <mac-address>
WiFi frame MAC address.
erc-energy-ip <ip-address>
IP address of the Ekahau real-time location system (RTLS) controller.
er-server-port <port>
Ekahau RTLS controller UDP listening port.
aeroscout {enable | disable}
Enable or disable (by default) AeroScout support.
aeroscout-server-ip <ip-address>
AeroScout server IP address.
aeroscout-server-port <port>
AeroScout server UDP listening port.
aeroscout-mu-factor <mu-factor>
AeroScout Mobile Unit (MU) mode dilution factor. The default is set to 20
.
aeroscout-mu-timeout <seconds>
AeroScout MU mode timeout in seconds. Set the value between 0-65535 (or not timeout to over 18 hours). The default is set to 5
.
fortipresence {enable | disable}
Enable or disable (by default) FortiPresence support.
fortipresence-server <ip-address>
FortiPresence server IP address.
fortipresence-port <port>
FortiPresence server UDP listening port. Set the value between 300-65535. The default is set to 3000
.
fortipresence-secret <password>
FortiPresence secret password, with a maximum length of eight characters.
fortipresence-project <name>
Name of the FortiPresence project, with a maximum length of 16 characters. The default is set to fortipresence
.
fortipresence-frequency <seconds>
FortiPresence report transmit frequency in seconds. Set the value between 5-65535 (or five seconds to over 18 hours). The default is set to 30
.
fortipresence-rogue {enable | disable}
Enable or disable (by default) FortiPresence reporting Rogue APs.
fortipresence-unassoc {enable | disable}
Enable or disable (by default) FortiPresence reporting unassociated stations.
station-locate {enable | disable}
Enable or disable (by default) client station locating services for all clients, whether associated or not.
comment [string]
Optional comments.
led-state {enable | disable}
Enable (by default) or disable use of LEDs on WTP.
dtls-policy {clear-text | dtls-enabled}
WTP data channel DTLS policy.
- clear-text: (set by default).
- dtls-enabled:
Separate each value with a space to add multiple options. Values can also be added using append
.
max-clients <number>
The default is set to 0
, meaning there is no client limitation.
handoff-rssi <rssi>
Minimum received signal strength indicator (RSSI) value for handoff. Set the value between 20-30. The default is set to 25
.
handoff-sta-thresh <threshold>
Threshold value for AP handoff. Set the value between 5-35. The default is set to 30
.
handoff-roaming {enable | disable}
Enable (by default) or disable client load balancing during roaming to avoid roaming delay.
ap-country <country>
Country in which this AP will operate. To display all available countries, enter set country ?
. The default is set to US
(United States).
ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}
Method by which IP fragmentation is prevented for CAPWAP tunneled control and data packets:
- tcp-mss-adjust: TCP maximum segment adjustment (by default).
- icmp-unreachable: Drop packet and send an Internet Control Message Protocol (ICMP) Destination Unreachable error message.
Separate with a space to add both values. Values can also be added using append
.
tun-mtu-uplink <bytes>
Uplink tunnel maximum transmission unit (MTU) in octets (eight-bit bytes). An MTU is the largest size packet or frame that can be sent in a packet.
Set the value to either 0
(by default), 576
, or 1500
.
tun-mtu-downlink <bytes>
Downlink tunnel MTU in octets. Set the value to either 0
(by default), 576
, or 1500
.
split-tunneling-acl-local-ap-subnet {enable | disable}
Enable or disable (by default) specified destinations to be accessed locally instead of through the WiFi controller.
allowaccess {telnet | http | https | ssh}
Protocols to allow management-access to managed APs: telnet
, http
, https
, and ssh
.
Separate each value with a space to add multiple protocols. Values can also be added using append
.
login-passwd-change {yes | default | no}
Login password options:
- yes: Change login password of the managed AP
- default: Reset login password to factory default
- no: Do not change login password (by default)
When set to yes
, use the login-passwd
entry to determine the password of the managed AP.
login-passwd <password>
Note: This entry is only available when login-passwd-change
is set to yes
.
Login password of the managed AP.
lldp {enable | disable}
Enable or disable (by default) Link Layer Discovery Protocol (LLDP), a vendor-neutral link layer protocol used by network devices for advertising their identity, capabilities, and neighbours.