wireless-controller wtp-profile

Use this command to configure WTP profiles (or FortiAP Profiles as shown in the GUI), which define radio settings for a particular platform/FortiAP model. FortiAP units contain two radio transceivers, making it possible to provide both 2.4GHz 802.11b/g/n and 5GHz 802.11a/n service from the same AP. The profile also selects which SSIDs the APs will carry.

For example, a FortiAP can be configured to carry all SSIDs on one radio while the other radio carries only a specific SSID. A radio can also be dedicated to monitoring, which the Rogue AP detection feature relies on. See Monitoring rogue APs for more details, and config wireless-controller wids-profile for the various AP detection settings.

Note: Radio 2 settings are only available for FortiAP models with dual radios.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set control-message-offload {ebp-frame | aeroscout-tag | ap-list | sta-list | sta-cap-list | stats | aeroscout-mu}

Configure CAPWAP control message data channel offload.

config lbs

...

Configuration method to set various location based service (LBS) options.

Enable or disable and configure various options including Ekahau blink mode, AeroScout Real Time Location Service (RTLS) support, FortiPresence monitoring, and client station locating services.

set ext-info-enable {enable | disable}

Enable or disable station/VAP/radio extension information, providing more detailed statistics for troubleshooting purposes.

set lldp {enable | disable}

Enable or disable Link Layer Discovery Protocol (LLDP) for the WTP or FortiAP (disabled by default).
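An added example, not part of the Fortinet reference: a Python audit that reads a configuration backup and flags the wtp-profile options from the syntax below that leave AP management or the CAPWAP data channel weakly protected (dtls-policy, allowaccess, login-passwd-change, wids-profile). The profile names, the WIDS profile name and both sample configurations are constructed, and the script assumes that an option missing from the backup is at the default this page documents.

```python
import shlex

TOP = "config wireless-controller wtp-profile"

# Constructed sample: a profile left at the documented defaults.
WEAK_PROFILE = """\
config wireless-controller wtp-profile
    edit "branch-default"
        config platform
            set type 221E
        end
        set allowaccess telnet http https ssh
        config radio-1
            set mode ap
        end
        config radio-2
            set mode ap
        end
    next
end
"""

# Constructed sample: same platform with the weak settings corrected
# (the login-passwd line is left out of the sample on purpose).
HARDENED_PROFILE = """\
config wireless-controller wtp-profile
    edit "branch-hardened"
        config platform
            set type 221E
        end
        set dtls-policy dtls-enabled
        set allowaccess https ssh
        set login-passwd-change yes
        config radio-1
            set mode ap
            set wids-profile "wids-example"
        end
        config radio-2
            set mode monitor
            set wids-profile "wids-example"
        end
    next
end
"""


def parse_wtp_profiles(text):
    """Return {profile: {section: {option: [values]}}}; section "" is the profile level."""
    profiles, stack, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not stack:                       # outside the wtp-profile table
            if line == TOP:
                stack.append(TOP)
            continue
        tok = shlex.split(line)             # handles quoted names and values
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(tok[1])            # e.g. platform, radio-1, deny-mac-list
        elif tok[0] == "end":
            stack.pop()                     # empty stack means the table is closed
        elif tok[0] == "edit" and len(stack) == 1:
            current = profiles.setdefault(tok[1], {"": {}})
        elif tok[0] == "next" and len(stack) == 1:
            current = None
        elif tok[0] == "set" and current is not None and len(stack) <= 2:
            section = stack[1] if len(stack) == 2 else ""
            current.setdefault(section, {})[tok[1]] = tok[2:]
    return profiles


def audit_profile(profile):
    """List weak settings in one parsed profile, using this page's defaults."""
    findings = []
    top = profile.get("", {})
    # Documented default for dtls-policy is clear-text.
    if "clear-text" in top.get("dtls-policy", ["clear-text"]):
        findings.append("dtls-policy allows a clear-text CAPWAP data channel")
    for proto in sorted({"telnet", "http"} & set(top.get("allowaccess", []))):
        findings.append(f"allowaccess permits {proto} management")
    # Documented default for login-passwd-change is no.
    change = top.get("login-passwd-change", ["no"])[0]
    if change != "yes":
        findings.append(f"login-passwd-change is {change}: profile does not set the AP admin password")
    for section in sorted(s for s in profile if s.startswith("radio-")):
        radio = profile[section]
        mode = radio.get("mode", ["unset"])[0]
        if mode not in ("disabled", "sniffer") and not radio.get("wids-profile"):
            findings.append(f"{section} (mode {mode}) has no wids-profile assigned")
    return findings


def audit_config(text):
    return {name: audit_profile(p) for name, p in parse_wtp_profiles(text).items()}


if __name__ == "__main__":
    for sample in (WEAK_PROFILE, HARDENED_PROFILE):
        for name, findings in audit_config(sample).items():
            print(name, "->", findings or "no findings")
```
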

config wireless-controller wtp-profile
    edit {name}
    # Configure WTP profiles or FortiAP profiles that define radio settings for manageable FortiAP platforms.
        set name {string}   WTP (or FortiAP or AP) profile name. size[35]
        set comment {string}   Comment. size[255]
        config platform
            set type {option}   WTP, FortiAP or AP platform type. There are built-in WTP profiles for all supported FortiAP models. You can select a built-in profile and customize it or create a new profile.
                    AP-11N  Default 11n AP.
                    220B    FAP220B/221B.
                    210B    FAP210B.
                    222B    FAP222B.
                    112B    FAP112B.
                    320B    FAP320B.
                    11C     FAP11C.
                    14C     FAP14C.
                    223B    FAP223B.
                    28C     FAP28C.
                    320C    FAP320C.
                    221C    FAP221C.
                    25D     FAP25D.
                    222C    FAP222C.
                    224D    FAP224D.
                    214B    FK214B.
                    21D     FAP21D.
                    24D     FAP24D.
                    112D    FAP112D.
                    223C    FAP223C.
                    321C    FAP321C.
                    C220C   FAPC220C.
                    C225C   FAPC225C.
                    C23JD   FAPC23JD.
                    C24JE   FAPC24JE.
                    S321C   FAPS321C.
                    S322C   FAPS322C.
                    S323C   FAPS323C.
                    S311C   FAPS311C.
                    S313C   FAPS313C.
                    S321CR  FAPS321CR.
                    S322CR  FAPS322CR.
                    S323CR  FAPS323CR.
                    S421E   FAPS421E.
                    S422E   FAPS422E.
                    S423E   FAPS423E.
                    421E    FAP421E.
                    423E    FAP423E.
                    221E    FAP221E.
                    222E    FAP222E.
                    223E    FAP223E.
                    224E    FAP224E.
                    S221E   FAPS221E.
                    S223E   FAPS223E.
                    U421E   FAPU421EV.
                    U422EV  FAPU422EV.
                    U423E   FAPU423EV.
                    U221EV  FAPU221EV.
                    U223EV  FAPU223EV.
                    U24JEV  FAPU24JEV.
                    U321EV  FAPU321EV.
                    U323EV  FAPU323EV.
        set control-message-offload {option}   Enable/disable CAPWAP control message data channel offload.
                ebp-frame      Ekahau blink protocol (EBP) frames.
                aeroscout-tag  AeroScout tag.
                ap-list        Rogue AP list.
                sta-list       Rogue STA list.
                sta-cap-list   STA capability list.
                stats          WTP, radio, VAP, and STA statistics.
                aeroscout-mu   AeroScout Mobile Unit (MU) report.
        set ble-profile {string}   Bluetooth Low Energy profile name. size[35] - datasource(s): wireless-controller.ble-profile.name
        set wan-port-mode {wan-lan | wan-only}   Enable/disable using a WAN port as a LAN port.
                wan-lan   Enable using a WAN port as a LAN port.
                wan-only  Disable using a WAN port as a LAN port.
        config lan
            set port-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port-ssid {string}   Bridge LAN port to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port1-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 1 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port1-ssid {string}   Bridge LAN port 1 to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port2-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 2 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port2-ssid {string}   Bridge LAN port 2 to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port3-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 3 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port3-ssid {string}   Bridge LAN port 3 to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port4-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 4 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port4-ssid {string}   Bridge LAN port 4 to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port5-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 5 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port5-ssid {string}   Bridge LAN port 5 to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port6-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 6 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port6-ssid {string}   Bridge LAN port 6 to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port7-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 7 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port7-ssid {string}   Bridge LAN port 7 to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port8-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 8 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port8-ssid {string}   Bridge LAN port 8 to SSID. size[15] - datasource(s): wireless-controller.vap.name
        set energy-efficient-ethernet {enable | disable}   Enable/disable use of energy efficient Ethernet on WTP.
        set led-state {enable | disable}   Enable/disable use of LEDs on WTP (default = disable).
        config led-schedules
            edit {name}
            # Recurring firewall schedules for illuminating LEDs on the FortiAP. If led-state is enabled, LEDs will be visible when at least one of the schedules is valid. Separate multiple schedule names with a space.
                set name {string}   LED schedule name. size[35] - datasource(s): firewall.schedule.group.name,firewall.schedule.recurring.name
            next
        set dtls-policy {clear-text | dtls-enabled | ipsec-vpn}   WTP data channel DTLS policy (default = clear-text).
                clear-text    Clear Text Data Channel.
                dtls-enabled  DTLS Enabled Data Channel.
                ipsec-vpn     IPsec VPN Data Channel.
        set dtls-in-kernel {enable | disable}   Enable/disable data channel DTLS in kernel.
        set max-clients {integer}   Maximum number of stations (STAs) supported by the WTP (default = 0, meaning no client limitation). range[0-4294967295]
        set handoff-rssi {integer}   Minimum received signal strength indicator (RSSI) value for handoff (20 - 30, default = 25). range[20-30]
        set handoff-sta-thresh {integer}   Threshold value for AP handoff. range[0-4294967295]
        set handoff-roaming {enable | disable}   Enable/disable client load balancing during roaming to avoid roaming delay (default = disable).
        config deny-mac-list
            edit {id}
            # List of MAC addresses that are denied access to this WTP, FortiAP, or AP.
                set id {integer}   ID. range[0-4294967295]
                set mac {mac address}   A WiFi device with this MAC address is denied access to this WTP, FortiAP or AP.
            next
        set ap-country {option}   Country in which this WTP, FortiAP or AP will operate (default = NA, automatically use the country configured for the current VDOM).
                NA  NO_COUNTRY_SET
                AL  ALBANIA
                DZ  ALGERIA
                AO  ANGOLA
                AR  ARGENTINA
                AM  ARMENIA
                AU  AUSTRALIA
                AT  AUSTRIA
                AZ  AZERBAIJAN
                BH  BAHRAIN
                BD  BANGLADESH
                BB  BARBADOS
                BY  BELARUS
                BE  BELGIUM
                BZ  BELIZE
                BO  BOLIVIA
                BA  BOSNIA AND HERZEGOVINA
                BR  BRAZIL
                BN  BRUNEI DARUSSALAM
                BG  BULGARIA
                KH  CAMBODIA
                CL  CHILE
                CN  CHINA
                CO  COLOMBIA
                CR  COSTA RICA
                HR  CROATIA
                CY  CYPRUS
                CZ  CZECH REPUBLIC
                DK  DENMARK
                DO  DOMINICAN REPUBLIC
                EC  ECUADOR
                EG  EGYPT
                SV  EL SALVADOR
                EE  ESTONIA
                FI  FINLAND
                FR  FRANCE
                GE  GEORGIA
                DE  GERMANY
                GR  GREECE
                GL  GREENLAND
                GD  GRENADA
                GU  GUAM
                GT  GUATEMALA
                HT  HAITI
                HN  HONDURAS
                HK  HONG KONG
                HU  HUNGARY
                IS  ICELAND
                IN  INDIA
                ID  INDONESIA
                IR  IRAN
                IE  IRELAND
                IL  ISRAEL
                IT  ITALY
                JM  JAMAICA
                JO  JORDAN
                KZ  KAZAKHSTAN
                KE  KENYA
                KP  NORTH KOREA
                KR  KOREA REPUBLIC
                KW  KUWAIT
                LV  LATVIA
                LB  LEBANON
                LI  LIECHTENSTEIN
                LT  LITHUANIA
                LU  LUXEMBOURG
                MO  MACAU SAR
                MK  MACEDONIA, FYRO
                MY  MALAYSIA
                MT  MALTA
                MX  MEXICO
                MC  MONACO
                MA  MOROCCO
                MZ  MOZAMBIQUE
                MM  MYANMAR
                NP  NEPAL
                NL  NETHERLANDS
                AN  NETHERLANDS ANTILLES
                AW  ARUBA
                NZ  NEW ZEALAND
                NO  NORWAY
                OM  OMAN
                PK  PAKISTAN
                PA  PANAMA
                PG  PAPUA NEW GUINEA
                PY  PARAGUAY
                PE  PERU
                PH  PHILIPPINES
                PL  POLAND
                PT  PORTUGAL
                PR  PUERTO RICO
                QA  QATAR
                RO  ROMANIA
                RU  RUSSIA
                RW  RWANDA
                SA  SAUDI ARABIA
                RS  REPUBLIC OF SERBIA
                ME  MONTENEGRO
                SG  SINGAPORE
                SK  SLOVAKIA
                SI  SLOVENIA
                ZA  SOUTH AFRICA
                ES  SPAIN
                LK  SRI LANKA
                SE  SWEDEN
                SD  SUDAN
                CH  SWITZERLAND
                SY  SYRIAN ARAB REPUBLIC
                TW  TAIWAN
                TZ  TANZANIA
                TH  THAILAND
                TT  TRINIDAD AND TOBAGO
                TN  TUNISIA
                TR  TURKEY
                AE  UNITED ARAB EMIRATES
                UA  UKRAINE
                GB  UNITED KINGDOM
                US  UNITED STATES2
                PS  UNITED STATES (PUBLIC SAFETY)
                UY  URUGUAY
                UZ  UZBEKISTAN
                VE  VENEZUELA
                VN  VIET NAM
                YE  YEMEN
                ZB  ZAMBIA
                ZW  ZIMBABWE
                JP  JAPAN14
                CA  CANADA2
        set ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}   Select how to prevent IP fragmentation for CAPWAP tunneled control and data packets (default = tcp-mss-adjust).
                tcp-mss-adjust    TCP maximum segment size adjustment.
                icmp-unreachable  Drop packet and send ICMP Destination Unreachable
        set tun-mtu-uplink {integer}   Uplink CAPWAP tunnel MTU (0, 576, or 1500 bytes, default = 0). range[576-1500]
        set tun-mtu-downlink {integer}   Downlink CAPWAP tunnel MTU (0, 576, or 1500 bytes, default = 0). range[576-1500]
        set split-tunneling-acl-path {tunnel | local}   Path for traffic that matches the split-tunneling ACL: tunnel or local.
                tunnel  Traffic matching the split-tunneling ACL is tunneled.
                local   Traffic matching the split-tunneling ACL is NATed locally.
        set split-tunneling-acl-local-ap-subnet {enable | disable}   Enable/disable automatically adding local subnetwork of FortiAP to split-tunneling ACL (default = disable).
        config split-tunneling-acl
            edit {id}
            # Split tunneling ACL filter list.
                set id {integer}   ID. range[0-4294967295]
                set dest-ip {ipv4 classnet}   Destination IP and mask for the split-tunneling subnet.
            next
        set allowaccess {telnet | http | https | ssh}   Control management access to the managed WTP, FortiAP, or AP. Separate entries with a space.
                telnet  TELNET access.
                http    HTTP access.
                https   HTTPS access.
                ssh     SSH access.
        set login-passwd-change {yes | default | no}   Change or reset the administrator password of a managed WTP, FortiAP or AP (yes, default, or no, default = no).
                yes      Change the managed WTP, FortiAP or AP's administrator password. Use the login-passwd option to set the password.
                default  Keep the managed WTP, FortiAP or AP's administrator password set to the factory default.
                no       Do not change the managed WTP, FortiAP or AP's administrator password.
        set login-passwd {password_string}   Set the managed WTP, FortiAP, or AP's administrator password. size[31]
        set lldp {enable | disable}   Enable/disable Link Layer Discovery Protocol (LLDP) for the WTP, FortiAP, or AP (default = disable).
        set poe-mode {auto | 8023af | 8023at | power-adapter}   Set the WTP, FortiAP, or AP's PoE mode.
                auto           Automatically detect the PoE mode.
                8023af         Use 802.3af PoE mode.
                8023at         Use 802.3at PoE mode.
                power-adapter  Use the power adapter to control the PoE mode.
        config radio-1
            set radio-id {integer}   radio-id range[0-2]
            set mode {disabled | ap | monitor | sniffer}   Mode of radio 1. Radio 1 can be disabled, configured as an access point, a rogue AP monitor, or a sniffer.
                    disabled  Radio 1 is disabled.
                    ap        Radio 1 operates as an access point that allows WiFi clients to connect to your network.
                    monitor   Radio 1 operates as a dedicated monitor. As a monitor, the radio scans for other WiFi access points and adds them to the Rogue AP monitor list.
                    sniffer   Radio 1 operates as a sniffer capturing WiFi frames on air.
            set band {option}   WiFi band that Radio 1 operates on.
                    802.11a          802.11a.
                    802.11b          802.11b.
                    802.11g          802.11g/b.
                    802.11n          802.11n/g/b at 2.4GHz.
                    802.11n-5G       802.11n/a at 5GHz.
                    802.11ac         802.11ac/n/a.
                    802.11n,g-only   802.11n/g at 2.4GHz.
                    802.11g-only     802.11g.
                    802.11n-only     802.11n at 2.4GHz.
                    802.11n-5G-only  802.11n at 5GHz.
                    802.11ac,n-only  802.11ac/n.
                    802.11ac-only    802.11ac.
            set protection-mode {rtscts | ctsonly | disable}   Enable/disable 802.11g protection modes to support backwards compatibility with older clients (rtscts, ctsonly, disable).
                    rtscts   Enable 802.11g protection RTS/CTS mode.
                    ctsonly  Enable 802.11g protection CTS only mode.
                    disable  Disable 802.11g protection mode.
            set powersave-optimize {option}   Enable client power-saving features such as TIM, AC VO, and OBSS etc.
                    tim                 TIM bit for client in power save mode.
                    ac-vo               Use AC VO priority to send out packets in the power save queue.
                    no-obss-scan        Do not put OBSS scan IE into beacon and probe response frames.
                    no-11b-rate         Do not send frame using 11b data rate.
                    client-rate-follow  Adapt transmitting PHY rate with receiving PHY rate from a client.
            set transmit-optimize {option}   Packet transmission optimization options including power saving, aggregation limiting, retry limiting, etc. All are enabled by default.
                    disable      Disable packet transmission optimization.
                    power-save   Tag client as operating in power save mode if excessive transmit retries occur.
                    aggr-limit   Set aggregation limit to a lower value when data rate is low.
                    retry-limit  Set software retry limit to a lower value when data rate is low.
                    send-bar     Limit transmission of BAR frames.
            set amsdu {enable | disable}   Enable/disable 802.11n AMSDU support. AMSDU can improve performance if supported by your WiFi clients (default = enable).
            set coexistence {enable | disable}   Enable/disable allowing both HT20 and HT40 on the same radio (default = enable).
            set short-guard-interval {enable | disable}   Use either the short guard interval (Short GI) of 400 ns or the long guard interval (Long GI) of 800 ns.
            set channel-bonding {80MHz | 40MHz | 20MHz}   Channel bandwidth: 80, 40, or 20MHz. Channels may use both 20 and 40 by enabling coexistence.
                    80MHz  80 MHz channel width.
                    40MHz  40 MHz channel width.
                    20MHz  20 MHz channel width.
            set auto-power-level {enable | disable}   Enable/disable automatic power-level adjustment to prevent co-channel interference (default = disable).
            set auto-power-high {integer}   Automatic transmit power high limit in dBm (the actual range of transmit power depends on the AP platform type). range[0-4294967295]
            set auto-power-low {integer}   Automatic transmission power low limit in dBm (the actual range of transmit power depends on the AP platform type). range[0-4294967295]
            set power-level {integer}   Radio power level as a percentage of the maximum transmit power (0 - 100, default = 100). range[0-100]
            set dtim {integer}   DTIM interval. The frequency to transmit Delivery Traffic Indication Message (or Map) (DTIM) messages (1 - 255, default = 1). Set higher to save client battery life. range[1-255]
            set beacon-interval {integer}   Beacon interval. The time between beacon frames in msec (the actual range of beacon interval depends on the AP platform type, default = 100). range[0-65535]
            set rts-threshold {integer}   Maximum packet size for RTS transmissions, specifying the maximum size of a data packet before RTS/CTS (256 - 2346 bytes, default = 2346). range[256-2346]
            set frag-threshold {integer}   Maximum packet size that can be sent without fragmentation (800 - 2346 bytes, default = 2346). range[800-2346]
            set ap-sniffer-bufsize {integer}   Sniffer buffer size (1 - 32 MB, default = 16). range[1-32]
            set ap-sniffer-chan {integer}   Channel on which to operate the sniffer (default = 6). range[0-4294967295]
            set ap-sniffer-addr {mac address}   MAC address to monitor.
            set ap-sniffer-mgmt-beacon {enable | disable}   Enable/disable sniffer on WiFi management Beacon frames (default = enable).
            set ap-sniffer-mgmt-probe {enable | disable}   Enable/disable sniffer on WiFi management probe frames (default = enable).
            set ap-sniffer-mgmt-other {enable | disable}   Enable/disable sniffer on other WiFi management frames (default = enable).
            set ap-sniffer-ctl {enable | disable}   Enable/disable sniffer on WiFi control frame (default = enable).
            set ap-sniffer-data {enable | disable}   Enable/disable sniffer on WiFi data frame (default = enable).
            set channel-utilization {enable | disable}   Enable/disable measuring channel utilization.
            set spectrum-analysis {enable | disable}   Enable/disable spectrum analysis to find interference that would negatively impact wireless performance.
            set wids-profile {string}   Wireless Intrusion Detection System (WIDS) profile name to assign to the radio. size[35] - datasource(s): wireless-controller.wids-profile.name
            set darrp {enable | disable}   Enable/disable Distributed Automatic Radio Resource Provisioning (DARRP) to make sure the radio is always using the most optimal channel (default = disable).
            set max-clients {integer}   Maximum number of stations (STAs) or WiFi clients supported by the radio. Range depends on the hardware. range[0-4294967295]
            set max-distance {integer}   Maximum expected distance between the AP and clients (0 - 54000 m, default = 0). range[0-54000]
            set frequency-handoff {enable | disable}   Enable/disable frequency handoff of clients to other channels (default = disable).
            set ap-handoff {enable | disable}   Enable/disable AP handoff of clients to other APs (default = disable).
            set vap-all {enable | disable}   Enable/disable the automatic inheritance of all Virtual Access Points (VAPs) (default = enable).
            config vaps
                edit {name}
                # Manually selected list of Virtual Access Points (VAPs).
                    set name {string}   Virtual Access Point (VAP) name. size[35] - datasource(s): wireless-controller.vap-group.name,wireless-controller.vap.name
                next
            config channel
                edit {chan}
                # Selected list of wireless radio channels.
                    set chan {string}   Channel number. size[3]
                next
            set call-admission-control {enable | disable}   Enable/disable WiFi multimedia (WMM) call admission control to optimize WiFi bandwidth use for VoIP calls. New VoIP calls are only accepted if there is enough bandwidth available to support them.
            set call-capacity {integer}   Maximum number of Voice over WLAN (VoWLAN) phones supported by the radio (0 - 60, default = 10). range[0-60]
            set bandwidth-admission-control {enable | disable}   Enable/disable WiFi multimedia (WMM) bandwidth admission control to optimize WiFi bandwidth use. A request to join the wireless network is only allowed if the access point has enough bandwidth to support it.
            set bandwidth-capacity {integer}   Maximum bandwidth capacity allowed (1 - 600000 Kbps, default = 2000). range[1-600000]
        config radio-2
            set radio-id {integer}   radio-id range[0-2]
            set mode {disabled | ap | monitor | sniffer}   Mode of radio 2. Radio 2 can be disabled, configured as an access point, a rogue AP monitor, or a sniffer.
                    disabled  Radio 2 is disabled.
                    ap        Radio 2 operates as an access point that allows WiFi clients to connect to your network.
                    monitor   Radio 2 operates as a dedicated monitor. As a monitor, the radio scans for other WiFi access points and adds them to the Rogue AP monitor list.
                    sniffer   Radio 2 operates as a sniffer capturing WiFi frames on air.
            set band {option}   WiFi band that Radio 2 operates on.
                    802.11a          802.11a.
                    802.11b          802.11b.
                    802.11g          802.11g/b.
                    802.11n          802.11n/g/b at 2.4GHz.
                    802.11n-5G       802.11n/a at 5GHz.
                    802.11ac         802.11ac/n/a.
                    802.11n,g-only   802.11n/g at 2.4GHz.
                    802.11g-only     802.11g.
                    802.11n-only     802.11n at 2.4GHz.
                    802.11n-5G-only  802.11n at 5GHz.
                    802.11ac,n-only  802.11ac/n.
                    802.11ac-only    802.11ac.
            set protection-mode {rtscts | ctsonly | disable}   Enable/disable 802.11g protection modes to support backwards compatibility with older clients (rtscts, ctsonly, disable).
                    rtscts   Enable 802.11g protection RTS/CTS mode.
                    ctsonly  Enable 802.11g protection CTS only mode.
                    disable  Disable 802.11g protection mode.
            set powersave-optimize {option}   Enable client power-saving features such as TIM, AC VO, and OBSS etc.
                    tim                 TIM bit for client in power save mode.
                    ac-vo               Use AC VO priority to send out packets in the power save queue.
                    no-obss-scan        Do not put OBSS scan IE into beacon and probe response frames.
                    no-11b-rate         Do not send frame using 11b data rate.
                    client-rate-follow  Adapt transmitting PHY rate with receiving PHY rate from a client.
            set transmit-optimize {option}   Packet transmission optimization options including power saving, aggregation limiting, retry limiting, etc. All are enabled by default.
                    disable      Disable packet transmission optimization.
                    power-save   Tag client as operating in power save mode if excessive transmit retries occur.
                    aggr-limit   Set aggregation limit to a lower value when data rate is low.
                    retry-limit  Set software retry limit to a lower value when data rate is low.
                    send-bar     Limit transmission of BAR frames.
            set amsdu {enable | disable}   Enable/disable 802.11n AMSDU support. AMSDU can improve performance if supported by your WiFi clients (default = enable).
            set coexistence {enable | disable}   Enable/disable allowing both HT20 and HT40 on the same radio (default = enable).
            set short-guard-interval {enable | disable}   Use either the short guard interval (Short GI) of 400 ns or the long guard interval (Long GI) of 800 ns.
            set channel-bonding {80MHz | 40MHz | 20MHz}   Channel bandwidth: 80, 40, or 20MHz. Channels may use both 20 and 40 by enabling coexistence.
                    80MHz  80 MHz channel width.
                    40MHz  40 MHz channel width.
                    20MHz  20 MHz channel width.
            set auto-power-level {enable | disable}   Enable/disable automatic power-level adjustment to prevent co-channel interference (default = disable).
            set auto-power-high {integer}   Automatic transmit power high limit in dBm (the actual range of transmit power depends on the AP platform type). range[0-4294967295]
            set auto-power-low {integer}   Automatic transmission power low limit in dBm (the actual range of transmit power depends on the AP platform type). range[0-4294967295]
            set power-level {integer}   Radio power level as a percentage of the maximum transmit power (0 - 100, default = 100). range[0-100]
            set dtim {integer}   DTIM interval. The frequency to transmit Delivery Traffic Indication Message (or Map) (DTIM) messages (1 - 255, default = 1). Set higher to save client battery life. range[1-255]
            set beacon-interval {integer}   Beacon interval. The time between beacon frames in msec (the actual range of beacon interval depends on the AP platform type, default = 100). range[0-65535]
            set rts-threshold {integer}   Maximum packet size for RTS transmissions, specifying the maximum size of a data packet before RTS/CTS (256 - 2346 bytes, default = 2346). range[256-2346]
            set frag-threshold {integer}   Maximum packet size that can be sent without fragmentation (800 - 2346 bytes, default = 2346). range[800-2346]
            set ap-sniffer-bufsize {integer}   Sniffer buffer size (1 - 32 MB, default = 16). range[1-32]
            set ap-sniffer-chan {integer}   Channel on which to operate the sniffer (default = 6). range[0-4294967295]
            set ap-sniffer-addr {mac address}   MAC address to monitor.
            set ap-sniffer-mgmt-beacon {enable | disable}   Enable/disable sniffer on WiFi management Beacon frames (default = enable).
            set ap-sniffer-mgmt-probe {enable | disable}   Enable/disable sniffer on WiFi management probe frames (default = enable).
            set ap-sniffer-mgmt-other {enable | disable}   Enable/disable sniffer on WiFi management other frames (default = enable).
            set ap-sniffer-ctl {enable | disable}   Enable/disable sniffer on WiFi control frame (default = enable).
            set ap-sniffer-data {enable | disable}   Enable/disable sniffer on WiFi data frame (default = enable).
            set channel-utilization {enable | disable}   Enable/disable measuring channel utilization.
            set spectrum-analysis {enable | disable}   Enable/disable spectrum analysis to find interference that would negatively impact wireless performance.
            set wids-profile {string}   Wireless Intrusion Detection System (WIDS) profile name to assign to the radio. size[35] - datasource(s): wireless-controller.wids-profile.name
            set darrp {enable | disable}   Enable/disable Distributed Automatic Radio Resource Provisioning (DARRP) to make sure the radio is always using the most optimal channel (default = disable).
            set max-clients {integer}   Maximum number of stations (STAs) or WiFi clients supported by the radio. Range depends on the hardware. range[0-4294967295]
            set max-distance {integer}   Maximum expected distance between the AP and clients (0 - 54000 m, default = 0). range[0-54000]
            set frequency-handoff {enable | disable}   Enable/disable frequency handoff of clients to other channels (default = disable).
            set ap-handoff {enable | disable}   Enable/disable AP handoff of clients to other APs (default = disable).
            set vap-all {enable | disable}   Enable/disable the automatic inheritance of all Virtual Access Points (VAPs) (default = enable).
            config vaps
                edit {name}
                # Manually selected list of Virtual Access Points (VAPs).
                    set name {string}   Virtual Access Point (VAP) name. size[35] - datasource(s): wireless-controller.vap-group.name,wireless-controller.vap.name
                next
            config channel
                edit {chan}
                # Selected list of wireless radio channels.
                    set chan {string}   Channel number. size[3]
                next
            set call-admission-control {enable | disable}   Enable/disable WiFi multimedia (WMM) call admission control to optimize WiFi bandwidth use for VoIP calls. New VoIP calls are only accepted if there is enough bandwidth available to support them.
            set call-capacity {integer}   Maximum number of Voice over WLAN (VoWLAN) phones supported by the radio (0 - 60, default = 10). range[0-60]
            set bandwidth-admission-control {enable | disable}   Enable/disable WiFi multimedia (WMM) bandwidth admission control to optimize WiFi bandwidth use. A request to join the wireless network is only allowed if the access point has enough bandwidth to support it.
            set bandwidth-capacity {integer}   Maximum bandwidth capacity allowed (1 - 600000 Kbps, default = 2000). range[1-600000]
        config lbs
            set ekahau-blink-mode {enable | disable}   Enable/disable Ekahau blink mode (now known as AiRISTA Flow) to track and locate WiFi tags (default = disable).
            set ekahau-tag {mac address}   WiFi frame MAC address or WiFi Tag.
            set erc-server-ip {ipv4 address any}   IP address of Ekahau RTLS Controller (ERC).
            set erc-server-port {integer}   Ekahau RTLS Controller (ERC) UDP listening port. range[1024-65535]
            set aeroscout {enable | disable}   Enable/disable AeroScout Real Time Location Service (RTLS) support (default = disable).
            set aeroscout-server-ip {ipv4 address any}   IP address of AeroScout server.
            set aeroscout-server-port {integer}   AeroScout server UDP listening port. range[1024-65535]
            set aeroscout-mu {enable | disable}   Enable/disable AeroScout Mobile Unit (MU) support (default = disable).
            set aeroscout-ap-mac {bssid | board-mac}   Use BSSID or board MAC address as AP MAC address in AeroScout AP messages (default = bssid).
                    bssid      Use BSSID as AP MAC address in AeroScout AP messages.
                    board-mac  Use board MAC address as AP MAC address in AeroScout AP messages.
            set aeroscout-mmu-report {enable | disable}   Enable/disable compounded AeroScout tag and MU report (default = enable).
            set aeroscout-mu-factor {integer}   AeroScout MU mode dilution factor (default = 20). range[0-4294967295]
            set aeroscout-mu-timeout {integer}   AeroScout MU mode timeout (0 - 65535 sec, default = 5). range[0-65535]
            set fortipresence {foreign | both | disable}   Enable/disable FortiPresence to monitor the location and activity of WiFi clients even if they don't connect to this WiFi network (default = disable).
                    foreign  FortiPresence monitors foreign channels only. Foreign channels means all other available channels than the current operating channel of the WTP, AP, or FortiAP.
                    both     Enable FortiPresence on both foreign and home channels. Select this option to have FortiPresence monitor all WiFi channels.
                    disable  Disable FortiPresence.
            set fortipresence-server {ipv4 address any}   FortiPresence server IP address.
            set fortipresence-port {integer}   FortiPresence server UDP listening port (default = 3000). range[300-65535]
            set fortipresence-secret {password_string}   FortiPresence secret password (max. 16 characters). size[123]
            set fortipresence-project {string}   FortiPresence project name (max. 16 characters, default = fortipresence). size[16]
            set fortipresence-frequency {integer}   FortiPresence report transmit frequency (5 - 65535 sec, default = 30). range[5-65535]
            set fortipresence-rogue {enable | disable}   Enable/disable FortiPresence finding and reporting rogue APs.
            set fortipresence-unassoc {enable | disable}   Enable/disable FortiPresence finding and reporting unassociated stations.
            set station-locate {enable | disable}   Enable/disable client station locating services for all clients, whether associated or not (default = disable).
        set ext-info-enable {enable | disable}   Enable/disable station/VAP/radio extension information.
    next
end

Additional information

The following section is for those options that require additional explanation.

config platform

A configuration method to assign the AP hardware type.

type <platform>

WTP platform type/model. For a full list of options, enter set type ? (or see wireless-controller wtp-group). The default is set to 220B.

config deny-mac-list

A configuration method to deny specific wireless MAC addresses.

mac <mac-address>

Wireless MAC address to deny.

config split-tunneling-acl

A configuration method to set various split tunneling access control list (ACL) filter lists.

dest-ip <ipv4-netmask>

IPv4 destination address to be added to the ACL filter.

config {radio-1 | radio-2}

A configuration method to set various options for Radio 1 and/or Radio 2.

mode {disabled | ap | monitor | sniffer}

Radio mode for the AP:

  • disabled: Radio is not used; all other entries are unavailable except powersave-optimize.
  • ap: Radio provides wireless AP service (set by default); all other entries are available.
  • monitor: Radio performs monitoring only; the only other entries available when this is set are powersave-optimize, spectrum-analysis, and wids-profile.
  • sniffer: Radio performs scanning only; the only other entries available when this is set are powersave-optimize, all ap-sniffer related entries, and spectrum-analysis.

band {802.11b | 802.11g | 802.11n | 802.11n,g-only | 802.11g-only | 802.11n-only}

Band of AP-mode radio. The n bands operate at 2.4GHz.

protection-mode {rtscts | ctsonly | disable}

Note: This entry is only available under radio-2. 802.11g protection mode:

  • rtscts: Enables 802.11g protection in Request to Send/Clear to Send (RTS/CTS) mode, reducing frame collisions
  • ctsonly: Enables 802.11g protection in CTS mode
  • disable: Disables 802.11g protection

powersave-optimize {tim | ac-vo | no-obss-scan | no-11b-rate | client-rate-follow}

Power-saving optimization options:

  • tim: Set traffic indication map (TIM) bit for client in power save mode. TIM bit mask indicates to any sleeping listening stations if the AP has any buffered frames present.
  • ac-vo: Use Access Category (AC) Voice (VO) priority to send packets in the power save queue. AC VO is one of the highest classes/priority levels used to ensure quality of service (QoS).
  • no-obss-scan: Do not put Overlapping Basic Service Set (OBSS), or high-noise (i.e. non-802.11), scan IE into a Beacon or Probe Response frame.
  • no-11b-rate: Do not send frame using 11b data rate.
  • client-rate-follow: Adapt transmitted PHY rate to PHY rate received from client.

Separate each value with a space to add multiple values. Values can also be added using append.

ap-sniffer-bufsize <mb>

Note: This entry is only available when mode is set to sniffer. AP's sniffer buffer size in MB. Set the value between 1-32. The default is set to 16.

ap-sniffer-chan <channel>

Note: This entry is only available when mode is set to sniffer. Channel on which to operate the sniffer. The default is set to 6.

ap-sniffer-addr <mac-address>

Note: This entry is only available when mode is set to sniffer. MAC address to monitor.

ap-sniffer-mgmt-beacon {enable | disable}

Note: This entry is only available when mode is set to sniffer. Enable (by default) or disable sniffer on WiFi management Beacon frame.

ap-sniffer-mgmt-probe {enable | disable}

Note: This entry is only available when mode is set to sniffer. Enable (by default) or disable sniffer on WiFi management Probe frame.

ap-sniffer-mgmt-other {enable | disable}

Note: This entry is only available when mode is set to sniffer. Enable (by default) or disable sniffer on WiFi management Other frame.

ap-sniffer-ctl {enable | disable}

Note: This entry is only available when mode is set to sniffer. Enable (by default) or disable sniffer on WiFi Control frame.

ap-sniffer-data {enable | disable}

Note: This entry is only available when mode is set to sniffer. Enable (by default) or disable sniffer on WiFi Data frame.

transmit-optimize {disable | power-save | aggr-limit | retry-limit | send-bar}

Packet transmission optimization options (enabled by default; all options except disable):

  • disable: No packet transmission optimization
  • power-save: Tags client as operating in power save mode if excessive transmit retries occur
  • aggr-limit: Sets a lower aggregation limit when the data rate is low
  • retry-limit: Sets a lower retry limit when data rate is low
  • send-bar: Limit transmission of Block Acknowledgement Request (BAR) frames

Separate each value with a space to add multiple values. Values can also be added using append.

amsdu {enable | disable}

Note: This entry is only available under radio-2. Enable (by default) or disable Aggregate MAC Service Data Unit (A-MSDU) support, allowing multiple frames to be combined into one larger frame.

coexistence {enable | disable}

Note: This entry is only available under radio-2. Enable (by default) or disable HT20/HT40 coexistence support, where bandwidths that use 20MHz and 40MHz can be used in the same channel.

channel-bonding {40MHz | 20MHz}

Note: This entry is only available under radio-2. Channel bandwidth: either 40MHz or 20MHz. Channels may use both by enabling the coexistence entry (see above).

auto-power-level {enable | disable}

Enable or disable (by default) automatic power-level adjustment to prevent co-channel interference. When enabled, use the auto-power-high and auto-power-low entries to configure the high and low limitations. When disabled, use the power-level entry to configure the power level percentage.

auto-power-high <dBm>

Note: This entry is only available when auto-power-level is set to enable. Automatic transmission power high limit in decibels (dB) of the measured power referenced to one milliwatt (mW), or dBm. Set the value between 10-17. The default is set to 17.

auto-power-low <dBm>

Note: This entry is only available when auto-power-level is set to enable. Automatic transmission power low limit in dBm. Set the value between 1-17. The default is set to 10.

power-level <percentage>

Note: This entry is only available when auto-power-level is set to disable. Radio power level as a percentage; as such, set the value between 0-100. The default is set to 100. The maximum power level (i.e. 100%) will be set to the regulatory maximum for your region, as determined by the country entry under config wireless-controller setting.

dtim <interval>

Interval between Delivery Traffic Indication Messages (DTIMs), a kind of TIM that informs clients about the presence of buffered multicast/broadcast data on the AP. Set the value between 1-255. The default is set to 1.

beacon-interval <milliseconds>

Interval between beacon packets. APs broadcast beacons or TIMs to synchronize wireless networks. Set the value between 40-3500 (or 40 milliseconds to 3.5 seconds). The default is set to 100 (or a tenth of a second). In an environment with high interference, a low beacon-interval value might improve network performance. In a location with few wireless nodes, you can increase this value.

rts-threshold <bytes>

Maximum packet size for RTS transmissions, specifying the maximum size of a data packet before RTS/CTS. This will consume more bandwidth, therefore reducing the throughput; however, the more RTS packets there are, the fewer instances of packet loss will occur. Set the value between 256-2346 (or 256 bytes to over 2kB). The default is set to 2346, meaning that effectively it will never be used, as the maximum packet size in Ethernet networks can only be 1518 bytes (including all headers and maximum data size).

channel-utilization {enable | disable}

Enable or disable (by default) channel utilization measurement.

frag-threshold <bytes>

Note: This entry is only available when band has been set. Maximum packet size that can be sent without fragmentation. Range is 800 to 2346 bytes. Set the value between 256-2346 (or 256 bytes to over 2kB).

spectrum-analysis {enable | disable}

Enable or disable (by default) spectrum analysis, a method for finding interference that would negatively impact wireless performance.

wids-profile

Note: This entry is only available when mode is set to either ap or monitor. WIDS profile name to assign to the radio, as configured under the wireless-controller wids-profile command.

darrp {enable | disable}

Enable or disable (by default) Distributed Automatic Radio Resource Provisioning (DARRP), a feature that autonomously and periodically determines the best-suited channel for wireless communication. This allows FortiAP units to select their channel so they do not interfere with each other in large-scale deployments. You can optimize DARRP further under the wireless-controller timers command.

max-clients <integer>

Maximum expected number of STAs supported by the radio. The default is set to 0.

max-distance <meters>

Maximum expected distance in meters between the AP and clients. This adjusts the ACK timeout to maintain throughput at the maximum distance. Set the value between 0-54000 (or no distance to just over 33.5 miles). The default is set to 0.

frequency-handoff {enable | disable}

Enable or disable (by default) frequency handoff of clients to other channels. When enabled, you can optimize handoff further by using the handoff-rssi and handoff-sta-thresh entries.

ap-handoff {enable | disable}

Enable or disable (by default) handoff of clients to other APs.

vap-all {enable | disable}

Enable (by default) or disable the automatic inheritance of all VAPs.

vaps <vaps>

Specific VAPs carried on this physical AP. Separate each value with a space to add multiple VAPs. A maximum of eight VAPs may be added. Values can also be added using append.

channel {1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11}

Wireless radio channels. Separate each value with a space to add multiple channels. Values can also be added using append.

config lbs

A configuration method to set various location based service (LBS) options.

ekahau-blink-mode {enable | disable}

Enable or disable (by default) Ekahau blink mode (now known as AiRISTA Flow) to track and locate WiFi tags.

ekahau-tag <mac-address>

WiFi frame MAC address.

erc-server-ip <ip-address>

IP address of the Ekahau real-time location system (RTLS) controller.

erc-server-port <port>

Ekahau RTLS controller UDP listening port.

aeroscout {enable | disable}

Enable or disable (by default) AeroScout support.

aeroscout-server-ip <ip-address>

AeroScout server IP address.

aeroscout-server-port <port>

AeroScout server UDP listening port.

aeroscout-mu-factor <mu-factor>

AeroScout Mobile Unit (MU) mode dilution factor. The default is set to 20.

aeroscout-mu-timeout <seconds>

AeroScout MU mode timeout in seconds. Set the value between 0-65535 (or no timeout to over 18 hours). The default is set to 5.

fortipresence {enable | disable}

Enable or disable (by default) FortiPresence support.

fortipresence-server <ip-address>

FortiPresence server IP address.

fortipresence-port <port>

FortiPresence server UDP listening port. Set the value between 300-65535. The default is set to 3000.

fortipresence-secret <password>

FortiPresence secret password, with a maximum length of eight characters.

fortipresence-project <name>

Name of the FortiPresence project, with a maximum length of 16 characters. The default is set to fortipresence.

fortipresence-frequency <seconds>

FortiPresence report transmit frequency in seconds. Set the value between 5-65535 (or five seconds to over 18 hours). The default is set to 30.

fortipresence-rogue {enable | disable}

Enable or disable (by default) FortiPresence reporting Rogue APs.

fortipresence-unassoc {enable | disable}

Enable or disable (by default) FortiPresence reporting unassociated stations.

station-locate {enable | disable}

Enable or disable (by default) client station locating services for all clients, whether associated or not.

comment [string]

Optional comments.

led-state {enable | disable}

Enable (by default) or disable use of LEDs on WTP.

dtls-policy {clear-text | dtls-enabled}

WTP data channel DTLS policy.

  • clear-text: (set by default).
  • dtls-enabled:

Separate each value with a space to add multiple options. Values can also be added using append.

max-clients <number>

The default is set to 0, meaning there is no client limitation.

handoff-rssi <rssi>

Minimum received signal strength indicator (RSSI) value for handoff. Set the value between 20-30. The default is set to 25.

handoff-sta-thresh <threshold>

Threshold value for AP handoff. Set the value between 5-35. The default is set to 30.

handoff-roaming {enable | disable}

Enable (by default) or disable client load balancing during roaming to avoid roaming delay.

ap-country <country>

Country in which this AP will operate. To display all available countries, enter set country ?. The default is set to US (United States).

ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}

Method by which IP fragmentation is prevented for CAPWAP tunneled control and data packets:

  • tcp-mss-adjust: TCP maximum segment adjustment (by default).
  • icmp-unreachable: Drop packet and send an Internet Control Message Protocol (ICMP) Destination Unreachable error message.

Separate with a space to add both values. Values can also be added using append.

tun-mtu-uplink <bytes>

Uplink tunnel maximum transmission unit (MTU) in octets (eight-bit bytes). An MTU is the largest packet or frame size that can be sent. Set the value to either 0 (by default), 576, or 1500.

tun-mtu-downlink <bytes>

Downlink tunnel MTU in octets. Set the value to either 0 (by default), 576, or 1500.

split-tunneling-acl-local-ap-subnet {enable | disable}

Enable or disable (by default) specified destinations to be accessed locally instead of through the WiFi controller.

allowaccess {telnet | http | https | ssh}

Protocols to allow management-access to managed APs: telnet, http, https, and ssh. Separate each value with a space to add multiple protocols. Values can also be added using append.

login-passwd-change {yes | default | no}

Login password options:

  • yes: Change login password of the managed AP
  • default: Reset login password to factory default
  • no: Do not change login password (by default)

When set to yes, use the login-passwd entry to determine the password of the managed AP.

login-passwd <password>

Note: This entry is only available when login-passwd-change is set to yes. Login password of the managed AP.
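
The dtls-policy, allowaccess, and login-passwd-change entries above decide whether the CAPWAP data channel and AP management access are protected. The following added example (not part of the Fortinet reference) is a Python audit of a saved configuration for those three entries; the sample configuration, profile names, and function names are constructed for illustration, and the defaults it applies are the ones stated on this page.

```python
import shlex

# Constructed sample in the style of saved FortiOS configuration (not from a real device).
SAMPLE_CONFIG = '''
config wireless-controller wtp-profile
    edit "branch-legacy"
        config platform
            set type 221C
        end
        set allowaccess telnet http ssh
        config radio-1
            set mode ap
        end
    next
    edit "hq-hardened"
        set dtls-policy dtls-enabled
        set allowaccess https ssh
        set login-passwd-change yes
        set login-passwd ENC PLACEHOLDER
        config radio-1
            set mode ap
            set wids-profile "default-wids"
        end
    next
end
'''

# Defaults documented on this page; an entry left at its default may be
# absent from a saved configuration, so absence must be read as the default.
DEFAULTS = {"dtls-policy": ["clear-text"], "login-passwd-change": ["no"]}
CLEARTEXT_MGMT = {"telnet", "http"}


def parse_wtp_profiles(text):
    """Return {profile: {entry: [values]}} for profile-level 'set' lines only."""
    profiles, current, in_table, depth = {}, None, False, 0
    for raw in text.splitlines():
        try:
            tokens = shlex.split(raw)
        except ValueError:              # unbalanced quote: fall back to a plain split
            tokens = raw.split()
        if not tokens:
            continue
        head = tokens[0]
        if not in_table:
            in_table = tokens == ["config", "wireless-controller", "wtp-profile"]
            continue
        if current is None:
            if head == "edit" and len(tokens) > 1:
                current, depth = profiles.setdefault(tokens[1], {}), 0
            elif head == "end":
                in_table = False
            continue
        if head == "config":            # nested block (platform, radio-1, lbs, ...)
            depth += 1
        elif head == "end":
            if depth == 0:              # table closed without a 'next'
                current, in_table = None, False
            else:
                depth -= 1
        elif head == "next" and depth == 0:
            current = None
        elif head == "set" and depth == 0 and len(tokens) >= 3:
            current[tokens[1]] = tokens[2:]
    return profiles


def audit_profile(options):
    """Return a list of findings for one profile's entries."""
    def value(entry):
        return options.get(entry, DEFAULTS.get(entry, []))

    findings = []
    if "clear-text" in value("dtls-policy"):
        findings.append("dtls-policy permits a clear-text data channel")
    weak = sorted(CLEARTEXT_MGMT & set(value("allowaccess")))
    if weak:
        findings.append("allowaccess permits unencrypted management: " + ", ".join(weak))
    change = value("login-passwd-change")
    if change == ["default"]:
        findings.append("login-passwd-change resets the AP password to factory default")
    elif change == ["no"] and value("allowaccess"):
        findings.append("allowaccess is set but the profile leaves the AP login password unchanged")
    return findings


def audit_config(text):
    """Audit every WTP profile found in a configuration text."""
    return {name: audit_profile(opts) for name, opts in parse_wtp_profiles(text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "->", findings or "no findings")
```
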

lldp {enable | disable}

Enable or disable (by default) Link Layer Discovery Protocol (LLDP), a vendor-neutral link layer protocol used by network devices for advertising their identity, capabilities, and neighbours.

config wireless-controller wtp-profile
    edit {name}
    # Configure WTP profiles or FortiAP profiles that define radio settings for manageable FortiAP platforms.
        set name {string}   WTP (or FortiAP or AP) profile name. size[35]
        set comment {string}   Comment. size[255]
        config platform
            set type {option}   WTP, FortiAP or AP platform type. There are built-in WTP profiles for all supported FortiAP models. You can select a built-in profile and customize it or create a new profile.
                    AP-11N  Default 11n AP.
                    220B    FAP220B/221B.
                    210B    FAP210B.
                    222B    FAP222B.
                    112B    FAP112B.
                    320B    FAP320B.
                    11C     FAP11C.
                    14C     FAP14C.
                    223B    FAP223B.
                    28C     FAP28C.
                    320C    FAP320C.
                    221C    FAP221C.
                    25D     FAP25D.
                    222C    FAP222C.
                    224D    FAP224D.
                    214B    FK214B.
                    21D     FAP21D.
                    24D     FAP24D.
                    112D    FAP112D.
                    223C    FAP223C.
                    321C    FAP321C.
                    C220C   FAPC220C.
                    C225C   FAPC225C.
                    C23JD   FAPC23JD.
                    C24JE   FAPC24JE.
                    S321C   FAPS321C.
                    S322C   FAPS322C.
                    S323C   FAPS323C.
                    S311C   FAPS311C.
                    S313C   FAPS313C.
                    S321CR  FAPS321CR.
                    S322CR  FAPS322CR.
                    S323CR  FAPS323CR.
                    S421E   FAPS421E.
                    S422E   FAPS422E.
                    S423E   FAPS423E.
                    421E    FAP421E.
                    423E    FAP423E.
                    221E    FAP221E.
                    222E    FAP222E.
                    223E    FAP223E.
                    224E    FAP224E.
                    S221E   FAPS221E.
                    S223E   FAPS223E.
                    U421E   FAPU421EV.
                    U422EV  FAPU422EV.
                    U423E   FAPU423EV.
                    U221EV  FAPU221EV.
                    U223EV  FAPU223EV.
                    U24JEV  FAPU24JEV.
                    U321EV  FAPU321EV.
                    U323EV  FAPU323EV.
        set control-message-offload {option}   Enable/disable CAPWAP control message data channel offload.
                ebp-frame      Ekahau blink protocol (EBP) frames.
                aeroscout-tag  AeroScout tag.
                ap-list        Rogue AP list.
                sta-list       Rogue STA list.
                sta-cap-list   STA capability list.
                stats          WTP, radio, VAP, and STA statistics.
                aeroscout-mu   AeroScout Mobile Unit (MU) report.
        set ble-profile {string}   Bluetooth Low Energy profile name. size[35] - datasource(s): wireless-controller.ble-profile.name
        set wan-port-mode {wan-lan | wan-only}   Enable/disable using a WAN port as a LAN port.
                wan-lan   Enable using a WAN port as a LAN port.
                wan-only  Disable using a WAN port as a LAN port.
        config lan
            set port-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port-ssid {string}   Bridge LAN port to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port1-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 1 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port1-ssid {string}   Bridge LAN port 1 to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port2-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 2 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port2-ssid {string}   Bridge LAN port 2 to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port3-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 3 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port3-ssid {string}   Bridge LAN port 3 to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port4-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 4 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port4-ssid {string}   Bridge LAN port 4 to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port5-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 5 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port5-ssid {string}   Bridge LAN port 5 to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port6-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 6 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port6-ssid {string}   Bridge LAN port 6 to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port7-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 7 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port7-ssid {string}   Bridge LAN port 7 to SSID. size[15] - datasource(s): wireless-controller.vap.name
            set port8-mode {offline | nat-to-wan | bridge-to-wan | bridge-to-ssid}   LAN port 8 mode.
                    offline         Offline.
                    nat-to-wan      NAT WTP LAN port to WTP WAN port.
                    bridge-to-wan   Bridge WTP LAN port to WTP WAN port.
                    bridge-to-ssid  Bridge WTP LAN port to SSID.
            set port8-ssid {string}   Bridge LAN port 8 to SSID. size[15] - datasource(s): wireless-controller.vap.name
        set energy-efficient-ethernet {enable | disable}   Enable/disable use of energy efficient Ethernet on WTP.
        set led-state {enable | disable}   Enable/disable use of LEDs on WTP (default = disable).
        config led-schedules
            edit {name}
            # Recurring firewall schedules for illuminating LEDs on the FortiAP. If led-state is enabled, LEDs will be visible when at least one of the schedules is valid. Separate multiple schedule names with a space.
                set name {string}   LED schedule name. size[35] - datasource(s): firewall.schedule.group.name,firewall.schedule.recurring.name
            next
        set dtls-policy {clear-text | dtls-enabled | ipsec-vpn}   WTP data channel DTLS policy (default = clear-text).
                clear-text    Clear Text Data Channel.
                dtls-enabled  DTLS Enabled Data Channel.
                ipsec-vpn     IPsec VPN Data Channel.
        set dtls-in-kernel {enable | disable}   Enable/disable data channel DTLS in kernel.
        set max-clients {integer}   Maximum number of stations (STAs) supported by the WTP (default = 0, meaning no client limitation). range[0-4294967295]
        set handoff-rssi {integer}   Minimum received signal strength indicator (RSSI) value for handoff (20 - 30, default = 25). range[20-30]
        set handoff-sta-thresh {integer}   Threshold value for AP handoff. range[0-4294967295]
        set handoff-roaming {enable | disable}   Enable/disable client load balancing during roaming to avoid roaming delay (default = disable).
        config deny-mac-list
            edit {id}
            # List of MAC addresses that are denied access to this WTP, FortiAP, or AP.
                set id {integer}   ID. range[0-4294967295]
                set mac {mac address}   A WiFi device with this MAC address is denied access to this WTP, FortiAP or AP.
            next
        set ap-country {option}   Country in which this WTP, FortiAP or AP will operate (default = NA, automatically use the country configured for the current VDOM).
                NA  NO_COUNTRY_SET
                AL  ALBANIA
                DZ  ALGERIA
                AO  ANGOLA
                AR  ARGENTINA
                AM  ARMENIA
                AU  AUSTRALIA
                AT  AUSTRIA
                AZ  AZERBAIJAN
                BH  BAHRAIN
                BD  BANGLADESH
                BB  BARBADOS
                BY  BELARUS
                BE  BELGIUM
                BZ  BELIZE
                BO  BOLIVIA
                BA  BOSNIA AND HERZEGOVINA
                BR  BRAZIL
                BN  BRUNEI DARUSSALAM
                BG  BULGARIA
                KH  CAMBODIA
                CL  CHILE
                CN  CHINA
                CO  COLOMBIA
                CR  COSTA RICA
                HR  CROATIA
                CY  CYPRUS
                CZ  CZECH REPUBLIC
                DK  DENMARK
                DO  DOMINICAN REPUBLIC
                EC  ECUADOR
                EG  EGYPT
                SV  EL SALVADOR
                EE  ESTONIA
                FI  FINLAND
                FR  FRANCE
                GE  GEORGIA
                DE  GERMANY
                GR  GREECE
                GL  GREENLAND
                GD  GRENADA
                GU  GUAM
                GT  GUATEMALA
                HT  HAITI
                HN  HONDURAS
                HK  HONG KONG
                HU  HUNGARY
                IS  ICELAND
                IN  INDIA
                ID  INDONESIA
                IR  IRAN
                IE  IRELAND
                IL  ISRAEL
                IT  ITALY
                JM  JAMAICA
                JO  JORDAN
                KZ  KAZAKHSTAN
                KE  KENYA
                KP  NORTH KOREA
                KR  KOREA REPUBLIC
                KW  KUWAIT
                LV  LATVIA
                LB  LEBANON
                LI  LIECHTENSTEIN
                LT  LITHUANIA
                LU  LUXEMBOURG
                MO  MACAU SAR
                MK  MACEDONIA, FYRO
                MY  MALAYSIA
                MT  MALTA
                MX  MEXICO
                MC  MONACO
                MA  MOROCCO
                MZ  MOZAMBIQUE
                MM  MYANMAR
                NP  NEPAL
                NL  NETHERLANDS
                AN  NETHERLANDS ANTILLES
                AW  ARUBA
                NZ  NEW ZEALAND
                NO  NORWAY
                OM  OMAN
                PK  PAKISTAN
                PA  PANAMA
                PG  PAPUA NEW GUINEA
                PY  PARAGUAY
                PE  PERU
                PH  PHILIPPINES
                PL  POLAND
                PT  PORTUGAL
                PR  PUERTO RICO
                QA  QATAR
                RO  ROMANIA
                RU  RUSSIA
                RW  RWANDA
                SA  SAUDI ARABIA
                RS  REPUBLIC OF SERBIA
                ME  MONTENEGRO
                SG  SINGAPORE
                SK  SLOVAKIA
                SI  SLOVENIA
                ZA  SOUTH AFRICA
                ES  SPAIN
                LK  SRI LANKA
                SE  SWEDEN
                SD  SUDAN
                CH  SWITZERLAND
                SY  SYRIAN ARAB REPUBLIC
                TW  TAIWAN
                TZ  TANZANIA
                TH  THAILAND
                TT  TRINIDAD AND TOBAGO
                TN  TUNISIA
                TR  TURKEY
                AE  UNITED ARAB EMIRATES
                UA  UKRAINE
                GB  UNITED KINGDOM
                US  UNITED STATES2
                PS  UNITED STATES (PUBLIC SAFETY)
                UY  URUGUAY
                UZ  UZBEKISTAN
                VE  VENEZUELA
                VN  VIET NAM
                YE  YEMEN
                ZB  ZAMBIA
                ZW  ZIMBABWE
                JP  JAPAN14
                CA  CANADA2
        set ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}   Select how to prevent IP fragmentation for CAPWAP tunneled control and data packets (default = tcp-mss-adjust).
                tcp-mss-adjust    TCP maximum segment size adjustment.
                icmp-unreachable  Drop packet and send ICMP Destination Unreachable
        set tun-mtu-uplink {integer}   Uplink CAPWAP tunnel MTU (0, 576, or 1500 bytes, default = 0). range[576-1500]
        set tun-mtu-downlink {integer}   Downlink CAPWAP tunnel MTU (0, 576, or 1500 bytes, default = 0). range[576-1500]
        set split-tunneling-acl-path {tunnel | local}   Split tunneling ACL path is local/tunnel.
                tunnel  Split tunneling ACL list traffic will be tunnel.
                local   Split tunneling ACL list traffic will be local NATed.
        set split-tunneling-acl-local-ap-subnet {enable | disable}   Enable/disable automatically adding local subnetwork of FortiAP to split-tunneling ACL (default = disable).
        config split-tunneling-acl
            edit {id}
            # Split tunneling ACL filter list.
                set id {integer}   ID. range[0-4294967295]
                set dest-ip {ipv4 classnet}   Destination IP and mask for the split-tunneling subnet.
            next
        set allowaccess {telnet | http | https | ssh}   Control management access to the managed WTP, FortiAP, or AP. Separate entries with a space.
                telnet  TELNET access.
                http    HTTP access.
                https   HTTPS access.
                ssh     SSH access.
        set login-passwd-change {yes | default | no}   Change or reset the administrator password of a managed WTP, FortiAP or AP (yes, default, or no, default = no).
                yes      Change the managed WTP, FortiAP or AP's administrator password. Use the login-password option to set the password.
                default  Keep the managed WTP, FortiAP or AP's administrator password set to the factory default.
                no       Do not change the managed WTP, FortiAP or AP's administrator password.
        set login-passwd {password_string}   Set the managed WTP, FortiAP, or AP's administrator password. size[31]
        set lldp {enable | disable}   Enable/disable Link Layer Discovery Protocol (LLDP) for the WTP, FortiAP, or AP (default = disable).
        set poe-mode {auto | 8023af | 8023at | power-adapter}   Set the WTP, FortiAP, or AP's PoE mode.
                auto           Automatically detect the PoE mode.
                8023af         Use 802.3af PoE mode.
                8023at         Use 802.3at PoE mode.
                power-adapter  Use the power adapter to control the PoE mode.
        config radio-1
            set radio-id {integer}   radio-id range[0-2]
            set mode {disabled | ap | monitor | sniffer}   Mode of radio 1. Radio 1 can be disabled, configured as an access point, a rogue AP monitor, or a sniffer.
                    disabled  Radio 1 is disabled.
                    ap        Radio 1 operates as an access point that allows WiFi clients to connect to your network.
                    monitor   Radio 1 operates as a dedicated monitor. As a monitor, the radio scans for other WiFi access points and adds them to the Rogue AP monitor list.
                    sniffer   Radio 1 operates as a sniffer capturing WiFi frames on air.
            set band {option}   WiFi band that Radio 1 operates on.
                    802.11a          802.11a.
                    802.11b          802.11b.
                    802.11g          802.11g/b.
                    802.11n          802.11n/g/b at 2.4GHz.
                    802.11n-5G       802.11n/a at 5GHz.
                    802.11ac         802.11ac/n/a.
                    802.11n,g-only   802.11n/g at 2.4GHz.
                    802.11g-only     802.11g.
                    802.11n-only     802.11n at 2.4GHz.
                    802.11n-5G-only  802.11n at 5GHz.
                    802.11ac,n-only  802.11ac/n.
                    802.11ac-only    802.11ac.
            set protection-mode {rtscts | ctsonly | disable}   Enable/disable 802.11g protection modes to support backwards compatibility with older clients (rtscts, ctsonly, disable).
                    rtscts   Enable 802.11g protection RTS/CTS mode.
                    ctsonly  Enable 802.11g protection CTS only mode.
                    disable  Disable 802.11g protection mode.
            set powersave-optimize {option}   Enable client power-saving features such as TIM, AC VO, and OBSS etc.
                    tim                 TIM bit for client in power save mode.
                    ac-vo               Use AC VO priority to send out packets in the power save queue.
                    no-obss-scan        Do not put OBSS scan IE into beacon and probe response frames.
                    no-11b-rate         Do not send frame using 11b data rate.
                    client-rate-follow  Adapt transmitting PHY rate with receiving PHY rate from a client.
            set transmit-optimize {option}   Packet transmission optimization options including power saving, aggregation limiting, retry limiting, etc. All are enabled by default.
                    disable      Disable packet transmission optimization.
                    power-save   Tag client as operating in power save mode if excessive transmit retries occur.
                    aggr-limit   Set aggregation limit to a lower value when data rate is low.
                    retry-limit  Set software retry limit to a lower value when data rate is low.
                    send-bar     Limit transmission of BAR frames.
            set amsdu {enable | disable}   Enable/disable 802.11n AMSDU support. AMSDU can improve performance if supported by your WiFi clients (default = enable).
            set coexistence {enable | disable}   Enable/disable allowing both HT20 and HT40 on the same radio (default = enable).
            set short-guard-interval {enable | disable}   Use either the short guard interval (Short GI) of 400 ns or the long guard interval (Long GI) of 800 ns.
            set channel-bonding {80MHz | 40MHz | 20MHz}   Channel bandwidth: 80, 40, or 20MHz. Channels may use both 20 and 40 by enabling coexistence.
                    80MHz  80 MHz channel width.
                    40MHz  40 MHz channel width.
                    20MHz  20 MHz channel width.
            set auto-power-level {enable | disable}   Enable/disable automatic power-level adjustment to prevent co-channel interference (default = disable).
            set auto-power-high {integer}   Automatic transmit power high limit in dBm (the actual range of transmit power depends on the AP platform type). range[0-4294967295]
            set auto-power-low {integer}   Automatic transmission power low limit in dBm (the actual range of transmit power depends on the AP platform type). range[0-4294967295]
            set power-level {integer}   Radio power level as a percentage of the maximum transmit power (0 - 100, default = 100). range[0-100]
            set dtim {integer}   DTIM interval. The frequency to transmit Delivery Traffic Indication Message (or Map) (DTIM) messages (1 - 255, default = 1). Set higher to save client battery life. range[1-255]
            set beacon-interval {integer}   Beacon interval. The time between beacon frames in msec (the actual range of beacon interval depends on the AP platform type, default = 100). range[0-65535]
            set rts-threshold {integer}   Maximum packet size for RTS transmissions, specifying the maximum size of a data packet before RTS/CTS (256 - 2346 bytes, default = 2346). range[256-2346]
            set frag-threshold {integer}   Maximum packet size that can be sent without fragmentation (800 - 2346 bytes, default = 2346). range[800-2346]
            set ap-sniffer-bufsize {integer}   Sniffer buffer size (1 - 32 MB, default = 16). range[1-32]
            set ap-sniffer-chan {integer}   Channel on which to operate the sniffer (default = 6). range[0-4294967295]
            set ap-sniffer-addr {mac address}   MAC address to monitor.
            set ap-sniffer-mgmt-beacon {enable | disable}   Enable/disable sniffer on WiFi management Beacon frames (default = enable).
            set ap-sniffer-mgmt-probe {enable | disable}   Enable/disable sniffer on WiFi management probe frames (default = enable).
            set ap-sniffer-mgmt-other {enable | disable}   Enable/disable sniffer on WiFi management other frames (default = enable).
            set ap-sniffer-ctl {enable | disable}   Enable/disable sniffer on WiFi control frame (default = enable).
            set ap-sniffer-data {enable | disable}   Enable/disable sniffer on WiFi data frame (default = enable).
            set channel-utilization {enable | disable}   Enable/disable measuring channel utilization.
            set spectrum-analysis {enable | disable}   Enable/disable spectrum analysis to find interference that would negatively impact wireless performance.
            set wids-profile {string}   Wireless Intrusion Detection System (WIDS) profile name to assign to the radio. size[35] - datasource(s): wireless-controller.wids-profile.name
            set darrp {enable | disable}   Enable/disable Distributed Automatic Radio Resource Provisioning (DARRP) to make sure the radio is always using the most optimal channel (default = disable).
            set max-clients {integer}   Maximum number of stations (STAs) or WiFi clients supported by the radio. Range depends on the hardware. range[0-4294967295]
            set max-distance {integer}   Maximum expected distance between the AP and clients (0 - 54000 m, default = 0). range[0-54000]
            set frequency-handoff {enable | disable}   Enable/disable frequency handoff of clients to other channels (default = disable).
            set ap-handoff {enable | disable}   Enable/disable AP handoff of clients to other APs (default = disable).
            set vap-all {enable | disable}   Enable/disable the automatic inheritance of all Virtual Access Points (VAPs) (default = enable).
            config vaps
                edit {name}
                # Manually selected list of Virtual Access Points (VAPs).
                    set name {string}   Virtual Access Point (VAP) name. size[35] - datasource(s): wireless-controller.vap-group.name,wireless-controller.vap.name
                next
            config channel
                edit {chan}
                # Selected list of wireless radio channels.
                    set chan {string}   Channel number. size[3]
                next
            set call-admission-control {enable | disable}   Enable/disable WiFi multimedia (WMM) call admission control to optimize WiFi bandwidth use for VoIP calls. New VoIP calls are only accepted if there is enough bandwidth available to support them.
            set call-capacity {integer}   Maximum number of Voice over WLAN (VoWLAN) phones supported by the radio (0 - 60, default = 10). range[0-60]
            set bandwidth-admission-control {enable | disable}   Enable/disable WiFi multimedia (WMM) bandwidth admission control to optimize WiFi bandwidth use. A request to join the wireless network is only allowed if the access point has enough bandwidth to support it.
            set bandwidth-capacity {integer}   Maximum bandwidth capacity allowed (1 - 600000 Kbps, default = 2000). range[1-600000]
        config radio-2
            set radio-id {integer}   radio-id range[0-2]
            set mode {disabled | ap | monitor | sniffer}   Mode of radio 2. Radio 2 can be disabled, configured as an access point, a rogue AP monitor, or a sniffer.
                    disabled  Radio 2 is disabled.
                    ap        Radio 2 operates as an access point that allows WiFi clients to connect to your network.
                    monitor   Radio 2 operates as a dedicated monitor. As a monitor, the radio scans for other WiFi access points and adds them to the Rogue AP monitor list.
                    sniffer   Radio 2 operates as a sniffer capturing WiFi frames on air.
            set band {option}   WiFi band that Radio 2 operates on.
                    802.11a          802.11a.
                    802.11b          802.11b.
                    802.11g          802.11g/b.
                    802.11n          802.11n/g/b at 2.4GHz.
                    802.11n-5G       802.11n/a at 5GHz.
                    802.11ac         802.11ac/n/a.
                    802.11n,g-only   802.11n/g at 2.4GHz.
                    802.11g-only     802.11g.
                    802.11n-only     802.11n at 2.4GHz.
                    802.11n-5G-only  802.11n at 5GHz.
                    802.11ac,n-only  802.11ac/n.
                    802.11ac-only    802.11ac.
            set protection-mode {rtscts | ctsonly | disable}   Enable/disable 802.11g protection modes to support backwards compatibility with older clients (rtscts, ctsonly, disable).
                    rtscts   Enable 802.11g protection RTS/CTS mode.
                    ctsonly  Enable 802.11g protection CTS only mode.
                    disable  Disable 802.11g protection mode.
            set powersave-optimize {option}   Enable client power-saving features such as TIM, AC VO, and OBSS etc.
                    tim                 TIM bit for client in power save mode.
                    ac-vo               Use AC VO priority to send out packets in the power save queue.
                    no-obss-scan        Do not put OBSS scan IE into beacon and probe response frames.
                    no-11b-rate         Do not send frame using 11b data rate.
                    client-rate-follow  Adapt transmitting PHY rate with receiving PHY rate from a client.
            set transmit-optimize {option}   Packet transmission optimization options including power saving, aggregation limiting, retry limiting, etc. All are enabled by default.
                    disable      Disable packet transmission optimization.
                    power-save   Tag client as operating in power save mode if excessive transmit retries occur.
                    aggr-limit   Set aggregation limit to a lower value when data rate is low.
                    retry-limit  Set software retry limit to a lower value when data rate is low.
                    send-bar     Limit transmission of BAR frames.
            set amsdu {enable | disable}   Enable/disable 802.11n AMSDU support. AMSDU can improve performance if supported by your WiFi clients (default = enable).
            set coexistence {enable | disable}   Enable/disable allowing both HT20 and HT40 on the same radio (default = enable).
            set short-guard-interval {enable | disable}   Use either the short guard interval (Short GI) of 400 ns or the long guard interval (Long GI) of 800 ns.
            set channel-bonding {80MHz | 40MHz | 20MHz}   Channel bandwidth: 80, 40, or 20MHz. Channels may use both 20 and 40 by enabling coexistence.
                    80MHz  80 MHz channel width.
                    40MHz  40 MHz channel width.
                    20MHz  20 MHz channel width.
            set auto-power-level {enable | disable}   Enable/disable automatic power-level adjustment to prevent co-channel interference (default = disable).
            set auto-power-high {integer}   Automatic transmit power high limit in dBm (the actual range of transmit power depends on the AP platform type). range[0-4294967295]
            set auto-power-low {integer}   Automatic transmission power low limit in dBm (the actual range of transmit power depends on the AP platform type). range[0-4294967295]
            set power-level {integer}   Radio power level as a percentage of the maximum transmit power (0 - 100, default = 100). range[0-100]
            set dtim {integer}   DTIM interval. The frequency to transmit Delivery Traffic Indication Message (or Map) (DTIM) messages (1 - 255, default = 1). Set higher to save client battery life. range[1-255]
            set beacon-interval {integer}   Beacon interval. The time between beacon frames in msec (the actual range of beacon interval depends on the AP platform type, default = 100). range[0-65535]
            set rts-threshold {integer}   Maximum packet size for RTS transmissions, specifying the maximum size of a data packet before RTS/CTS (256 - 2346 bytes, default = 2346). range[256-2346]
            set frag-threshold {integer}   Maximum packet size that can be sent without fragmentation (800 - 2346 bytes, default = 2346). range[800-2346]
            set ap-sniffer-bufsize {integer}   Sniffer buffer size (1 - 32 MB, default = 16). range[1-32]
            set ap-sniffer-chan {integer}   Channel on which to operate the sniffer (default = 6). range[0-4294967295]
            set ap-sniffer-addr {mac address}   MAC address to monitor.
            set ap-sniffer-mgmt-beacon {enable | disable}   Enable/disable sniffer on WiFi management Beacon frames (default = enable).
            set ap-sniffer-mgmt-probe {enable | disable}   Enable/disable sniffer on WiFi management probe frames (default = enable).
            set ap-sniffer-mgmt-other {enable | disable}   Enable/disable sniffer on WiFi management other frames (default = enable).
            set ap-sniffer-ctl {enable | disable}   Enable/disable sniffer on WiFi control frame (default = enable).
            set ap-sniffer-data {enable | disable}   Enable/disable sniffer on WiFi data frame (default = enable).
            set channel-utilization {enable | disable}   Enable/disable measuring channel utilization.
            set spectrum-analysis {enable | disable}   Enable/disable spectrum analysis to find interference that would negatively impact wireless performance.
            set wids-profile {string}   Wireless Intrusion Detection System (WIDS) profile name to assign to the radio. size[35] - datasource(s): wireless-controller.wids-profile.name
            set darrp {enable | disable}   Enable/disable Distributed Automatic Radio Resource Provisioning (DARRP) to make sure the radio is always using the most optimal channel (default = disable).
            set max-clients {integer}   Maximum number of stations (STAs) or WiFi clients supported by the radio. Range depends on the hardware. range[0-4294967295]
            set max-distance {integer}   Maximum expected distance between the AP and clients (0 - 54000 m, default = 0). range[0-54000]
            set frequency-handoff {enable | disable}   Enable/disable frequency handoff of clients to other channels (default = disable).
            set ap-handoff {enable | disable}   Enable/disable AP handoff of clients to other APs (default = disable).
            set vap-all {enable | disable}   Enable/disable the automatic inheritance of all Virtual Access Points (VAPs) (default = enable).
            config vaps
                edit {name}
                # Manually selected list of Virtual Access Points (VAPs).
                    set name {string}   Virtual Access Point (VAP) name. size[35] - datasource(s): wireless-controller.vap-group.name,wireless-controller.vap.name
                next
            config channel
                edit {chan}
                # Selected list of wireless radio channels.
                    set chan {string}   Channel number. size[3]
                next
            set call-admission-control {enable | disable}   Enable/disable WiFi multimedia (WMM) call admission control to optimize WiFi bandwidth use for VoIP calls. New VoIP calls are only accepted if there is enough bandwidth available to support them.
            set call-capacity {integer}   Maximum number of Voice over WLAN (VoWLAN) phones supported by the radio (0 - 60, default = 10). range[0-60]
            set bandwidth-admission-control {enable | disable}   Enable/disable WiFi multimedia (WMM) bandwidth admission control to optimize WiFi bandwidth use. A request to join the wireless network is only allowed if the access point has enough bandwidth to support it.
            set bandwidth-capacity {integer}   Maximum bandwidth capacity allowed (1 - 600000 Kbps, default = 2000). range[1-600000]
        config lbs
            set ekahau-blink-mode {enable | disable}   Enable/disable Ekahau blink mode (now known as AiRISTA Flow) to track and locate WiFi tags (default = disable).
            set ekahau-tag {mac address}   WiFi frame MAC address or WiFi Tag.
            set erc-server-ip {ipv4 address any}   IP address of Ekahau RTLS Controller (ERC).
            set erc-server-port {integer}   Ekahau RTLS Controller (ERC) UDP listening port. range[1024-65535]
            set aeroscout {enable | disable}   Enable/disable AeroScout Real Time Location Service (RTLS) support (default = disable).
            set aeroscout-server-ip {ipv4 address any}   IP address of AeroScout server.
            set aeroscout-server-port {integer}   AeroScout server UDP listening port. range[1024-65535]
            set aeroscout-mu {enable | disable}   Enable/disable AeroScout Mobile Unit (MU) support (default = disable).
            set aeroscout-ap-mac {bssid | board-mac}   Use BSSID or board MAC address as AP MAC address in AeroScout AP messages (default = bssid).
                    bssid      Use BSSID as AP MAC address in AeroScout AP messages.
                    board-mac  Use board MAC address as AP MAC address in AeroScout AP messages.
            set aeroscout-mmu-report {enable | disable}   Enable/disable compounded AeroScout tag and MU report (default = enable).
            set aeroscout-mu-factor {integer}   AeroScout MU mode dilution factor (default = 20). range[0-4294967295]
            set aeroscout-mu-timeout {integer}   AeroScout MU mode timeout (0 - 65535 sec, default = 5). range[0-65535]
            set fortipresence {foreign | both | disable}   Enable/disable FortiPresence to monitor the location and activity of WiFi clients even if they don't connect to this WiFi network (default = disable).
                    foreign  FortiPresence monitors foreign channels only. Foreign channels means all other available channels than the current operating channel of the WTP, AP, or FortiAP.
                    both     Enable FortiPresence on both foreign and home channels. Select this option to have FortiPresence monitor all WiFi channels.
                    disable  Disable FortiPresence.
            set fortipresence-server {ipv4 address any}   FortiPresence server IP address.
            set fortipresence-port {integer}   FortiPresence server UDP listening port (default = 3000). range[300-65535]
            set fortipresence-secret {password_string}   FortiPresence secret password (max. 16 characters). size[123]
            set fortipresence-project {string}   FortiPresence project name (max. 16 characters, default = fortipresence). size[16]
            set fortipresence-frequency {integer}   FortiPresence report transmit frequency (5 - 65535 sec, default = 30). range[5-65535]
            set fortipresence-rogue {enable | disable}   Enable/disable FortiPresence finding and reporting rogue APs.
            set fortipresence-unassoc {enable | disable}   Enable/disable FortiPresence finding and reporting unassociated stations.
            set station-locate {enable | disable}   Enable/disable client station locating services for all clients, whether associated or not (default = disable).
        set ext-info-enable {enable | disable}   Enable/disable station/VAP/radio extension information.
    next
end
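
Added example (not part of the Fortinet reference, and not Fortinet code): a Python audit that reads wtp-profile entries from saved `show` output and flags the security-relevant settings listed above, namely a clear-text dtls-policy, telnet or http in allowaccess, a login-passwd-change other than yes, and radios in ap or monitor mode without a wids-profile. The sample configuration, the profile names and the policy that such radios should carry a WIDS profile are assumptions.

```python
"""Audit wtp-profile entries in saved FortiOS `show` output (added example)."""
import shlex

TABLE = "wireless-controller wtp-profile"
# Defaults as stated in the reference above. FortiOS `show` output leaves out
# settings that are still at their default, so an absent key means the default.
DEFAULTS = {"dtls-policy": ["clear-text"], "login-passwd-change": ["no"], "mode": ["ap"]}
CLEARTEXT_MGMT = {"telnet", "http"}

# Constructed sample input; profile names and values are made up.
SAMPLE_CONFIG = '''
config wireless-controller wtp-profile
    edit "branch-ap"
        set allowaccess telnet http https
        set login-passwd-change default
        config radio-1
            set band 802.11n
        end
        config radio-2
            set mode sniffer
        end
    next
    edit "hq-ap"
        set dtls-policy dtls-enabled
        set allowaccess https ssh
        set login-passwd-change yes
        set login-passwd ENC constructed-placeholder
        config deny-mac-list
            edit 1
                set mac 00:11:22:33:44:55
            next
        end
        config radio-1
            set mode monitor
            set wids-profile "corp-wids"
        end
    next
end
'''


def parse_wtp_profiles(text):
    """Return {profile: {setting: [values]}}; nested blocks become "block.setting"."""
    profiles, path, current = {}, [], None
    for raw in text.splitlines():
        try:
            tokens = shlex.split(raw)
        except ValueError:        # line belongs to a multi-line quoted value
            continue
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            path.append(" ".join(args))
        elif cmd == "end" and path:
            path.pop()
        elif path[:1] != [TABLE]:
            continue              # some other configuration table
        elif cmd == "edit" and len(path) == 1 and args:
            current = profiles.setdefault(args[0], {})
        elif cmd == "next" and len(path) == 1:
            current = None
        elif cmd == "set" and args and current is not None and len(path) <= 2:
            key = args[0] if len(path) == 1 else path[1] + "." + args[0]
            current[key] = args[1:]
    return profiles


def audit(profiles):
    """Return a sorted list of (profile, setting, detail) findings."""
    findings = []
    for name, settings in profiles.items():
        def get(key, settings=settings):
            return settings.get(key, DEFAULTS.get(key.split(".")[-1], []))

        if "clear-text" in get("dtls-policy"):
            findings.append((name, "dtls-policy", "CAPWAP data channel allows clear text"))
        weak = CLEARTEXT_MGMT & set(get("allowaccess"))
        if weak:
            findings.append((name, "allowaccess",
                             "unencrypted management: " + " ".join(sorted(weak))))
        if get("login-passwd-change") != ["yes"]:
            findings.append((name, "login-passwd-change",
                             "AP administrator password is not set by this profile"))
        for radio in ("radio-1", "radio-2"):
            configured = any(k.startswith(radio + ".") for k in settings)
            # wids-profile is only available in ap and monitor mode (see above).
            scanning = set(get(radio + ".mode")) & {"ap", "monitor"}
            if configured and scanning and not get(radio + ".wids-profile"):
                # Assumption: local policy wants a WIDS profile on such radios.
                findings.append((name, radio + ".wids-profile", "no WIDS profile assigned"))
    return sorted(findings)


if __name__ == "__main__":
    for profile, setting, detail in audit(parse_wtp_profiles(SAMPLE_CONFIG)):
        print(f"{profile}: {setting}: {detail}")
```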

Additional information

The following section is for those options that require additional explanation.

config platform

A configuration method to assign the AP hardware type.

type <platform>

WTP platform type/model. For a full list of options, enter set type ? (or see wireless-controller wtp-group). The default is set to 220B.

config deny-mac-list

A configuration method to deny specific wireless MAC addresses.

mac <mac-address>

Wireless MAC address to deny.

config split-tunneling-acl

A configuration method to set various split tunneling access control list (ACL) filter lists.

dest-ip <ipv4-netmask>

IPv4 destination address to be added to the ACL filter.

config {radio-1 | radio-2}

A configuration method to set various options for Radio 1 and/or Radio 2.

mode {disabled | ap | monitor | sniffer}

Radio mode for the AP:

  • disabled: Radio is not used; all other entries are unavailable except powersave-optimize.
  • ap: Radio provides wireless AP service (set by default); all other entries are available.
  • monitor: Radio performs monitoring only; the only other entries available when this is set are powersave-optimize, spectrum-analysis, and wids-profile.
  • sniffer: Radio performs scanning only; the only other entries available when this is set are powersave-optimize, all ap-sniffer related entries, and spectrum-analysis.

band {802.11b | 802.11g | 802.11n | 802.11n,g-only | 802.11g-only | 802.11n-only}

Band of AP-mode radio. The n bands operate at 2.4GHz.

protection-mode {rtscts | ctsonly | disable}

Note: This entry is only available under radio-2. 802.11g protection mode:

  • rtscts: Enables 802.11g protection in Request to Send/Clear to Send (RTS/CTS) mode, reducing frame collisions
  • ctsonly: Enables 802.11g protection in CTS mode
  • disable: Disables 802.11g protection

powersave-optimize {tim | ac-vo | no-obss-scan | no-11b-rate | client-rate-follow}

Power-saving optimization options:

  • tim: Set traffic indication map (TIM) bit for client in power save mode. TIM bit mask indicates to any sleeping listening stations if the AP has any buffered frames present.
  • ac-vo: Use Access Category (AC) Voice (VO) priority to send packets in the power save queue. AC VO is one of the highest classes/priority levels used to ensure quality of service (QoS).
  • no-obss-scan: Do not put Overlapping Basic Service Set (OBSS), or high-noise (i.e. non-802.11), scan IE into a Beacon or Probe Response frame.
  • no-11b-rate: Do not send frame using 11b data rate.
  • client-rate-follow: Adapt transmitted PHY rate to PHY rate received from client.

Separate each value with a space to add multiple values. Values can also be added using append.

ap-sniffer-bufsize <mb>

Note: This entry is only available when mode is set to sniffer. AP's sniffer buffer size in MB. Set the value between 1-32. The default is set to 16.

ap-sniffer-chan <channel>

Note: This entry is only available when mode is set to sniffer. Channel on which to operate the sniffer. The default is set to 6.

ap-sniffer-addr <mac-address>

Note: This entry is only available when mode is set to sniffer. MAC address to monitor.

ap-sniffer-mgmt-beacon {enable | disable}

Note: This entry is only available when mode is set to sniffer. Enable (by default) or disable sniffer on WiFi management Beacon frame.

ap-sniffer-mgmt-probe {enable | disable}

Note: This entry is only available when mode is set to sniffer. Enable (by default) or disable sniffer on WiFi management Probe frame.

ap-sniffer-mgmt-other {enable | disable}

Note: This entry is only available when mode is set to sniffer. Enable (by default) or disable sniffer on WiFi management Other frame.

ap-sniffer-ctl {enable | disable}

Note: This entry is only available when mode is set to sniffer. Enable (by default) or disable sniffer on WiFi Control frame.

ap-sniffer-data {enable | disable}

Note: This entry is only available when mode is set to sniffer. Enable (by default) or disable sniffer on WiFi Data frame.

transmit-optimize {disable | power-save | aggr-limit | retry-limit | send-bar}

Packet transmission optimization options (enabled by default; all options except disable):

  • disable: No packet transmission optimization
  • power-save: Tags client as operating in power save mode if excessive transmit retries occur
  • aggr-limit: Sets a lower aggregation limit when the data rate is low
  • retry-limit: Sets a lower retry limit when data rate is low
  • send-bar: Limit transmission of Block Acknowledgement Request (BAR) frames

Separate each value with a space to add multiple values. Values can also be added using append.

amsdu {enable | disable}

Note: This entry is only available under radio-2. Enable (by default) or disable Aggregate MAC Service Data Unit (A-MSDU) support, allowing multiple frames to be combined into one larger frame.

coexistence {enable | disable}

Note: This entry is only available under radio-2. Enable (by default) or disable HT20/HT40 coexistence support, where bandwidths that use 20MHz and 40MHz can be used in the same channel.

channel-bonding {40MHz | 20MHz}

Note: This entry is only available under radio-2. Channel bandwidth: either 40MHz or 20MHz. Channels may use both by enabling the coexistence entry (see above).

auto-power-level {enable | disable}

Enable or disable (by default) automatic power-level adjustment to prevent co-channel interference. When enabled, use the auto-power-high and auto-power-low entries to configure the high and low limitations. When disabled, use the power-level entry to configure the power level percentage.

auto-power-high <dBm>

Note: This entry is only available when auto-power-level is set to enable. Automatic transmission power high limit in decibels (dB) of the measured power referenced to one milliwatt (mW), or dBm. Set the value between 10-17. The default is set to 17.

auto-power-low <dBm>

Note: This entry is only available when auto-power-level is set to enable. Automatic transmission power low limit in dBm. Set the value between 1-17. The default is set to 10.

power-level <percentage>

Note: This entry is only available when auto-power-level is set to disable. Radio power level as a percentage; as such, set the value between 0-100. The default is set to 100. The maximum power level (i.e. 100%) is set to the regulatory maximum for your region, as determined by the country entry under config wireless-controller setting.

dtim <interval>

Interval between Delivery Traffic Indication Messages (DTIM), a kind of TIM that informs clients about the presence of buffered multicast/broadcast data on the AP. Set the value between 1-255. The default is set to 1.

beacon-interval <milliseconds>

Interval between beacon packets. APs broadcast beacons or TIMs to synchronize wireless networks. Set the value between 40-3500 (or 40 milliseconds to 3.5 seconds). The default is set to 100 (or a tenth of a second). In an environment with high interference, a low beacon-interval value might improve network performance. In a location with few wireless nodes, you can increase this value.

rts-threshold <bytes>

Maximum packet size for RTS transmissions, specifying the maximum size of a data packet before RTS/CTS. This will consume more bandwidth, reducing throughput; however, the more RTS packets there are, the fewer instances of packet loss will occur. Set the value between 256-2346 (or 256 bytes to over 2kB). The default is set to 2346, meaning that effectively it will never be used, as the maximum packet size in Ethernet networks can only be 1518 bytes (including all headers and maximum data size).

channel-utilization {enable | disable}

Enable or disable (by default) channel utilization measurement.

frag-threshold <bytes>

Note: This entry is only available when band has been set. Maximum packet size that can be sent without fragmentation. Range is 800 to 2346 bytes. Set the value between 256-2346 (or 256 bytes to over 2kB).

spectrum-analysis {enable | disable}

Enable or disable (by default) spectrum analysis, a method for finding interference that would negatively impact wireless performance.

wids-profile

Note: This entry is only available when mode is set to either ap or monitor. WIDS profile name to assign to the radio, as configured under the wireless-controller wids-profile command.

darrp {enable | disable}

Enable or disable (by default) Distributed Automatic Radio Resource Provisioning (DARRP), a feature that autonomously and periodically determines the best-suited channel for wireless communication. This allows FortiAP units to select their channel so they do not interfere with each other in large-scale deployments. You can optimize DARRP further under the wireless-controller timers command.

max-clients <integer>

Maximum expected number of STAs supported by the radio. The default is set to 0.

max-distance <meters>

Maximum expected distance in meters between the AP and clients. This adjusts the ACK timeout to maintain throughput at the maximum distance. Set the value between 0-54000 (or no distance to just over 33.5 miles). The default is set to 0.

frequency-handoff {enable | disable}

Enable or disable (by default) frequency handoff of clients to other channels. When enabled, you can optimize handoff further by using the handoff-rssi and handoff-sta-thresh entries.

ap-handoff {enable | disable}

Enable or disable (by default) handoff of clients to other APs.

vap-all {enable | disable}

Enable (by default) or disable the automatic inheritance of all VAPs.

vaps <vaps>

Specific VAPs carried on this physical AP. Separate each value with a space to add multiple VAPs. A maximum of eight VAPs may be added. Values can also be added using append.

channel {1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11}

Wireless radio channels. Separate each value with a space to add multiple channels. Values can also be added using append.

config lbs

A configuration method to set various location based service (LBS) options.

ekahau-blink-mode {enable | disable}

Enable or disable (by default)

ekahau-tag <mac-address>

WiFi frame MAC address.

erc-energy-ip <ip-address>

IP address of the Ekahau real-time location system (RTLS) controller.

er-server-port <port>

Ekahau RTLS controller UDP listening port.

aeroscout {enable | disable}

Enable or disable (by default) AeroScout support.

aeroscout-server-ip <ip-address>

AeroScout server IP address.

aeroscout-server-port <port>

AeroScout server UDP listening port.

aeroscout-mu-factor <mu-factor>

AeroScout Mobile Unit (MU) mode dilution factor. The default is set to 20.

aeroscout-mu-timeout <seconds>

AeroScout MU mode timeout in seconds. Set the value between 0-65535 (or no timeout to over 18 hours). The default is set to 5.

fortipresence {enable | disable}

Enable or disable (by default) FortiPresence support.

fortipresence-server <ip-address>

FortiPresence server IP address.

fortipresence-port <port>

FortiPresence server UDP listening port. Set the value between 300-65535. The default is set to 3000.

fortipresence-secret <password>

FortiPresence secret password, with a maximum length of eight characters.

fortipresence-project <name>

Name of the FortiPresence project, with a maximum length of 16 characters. The default is set to fortipresence.

fortipresence-frequency <seconds>

FortiPresence report transmit frequency in seconds. Set the value between 5-65535 (or five seconds to over 18 hours). The default is set to 30.

fortipresence-rogue {enable | disable}

Enable or disable (by default) FortiPresence reporting Rogue APs.

fortipresence-unassoc {enable | disable}

Enable or disable (by default) FortiPresence reporting unassociated stations.

station-locate {enable | disable}

Enable or disable (by default) client station locating services for all clients, whether associated or not.

comment [string]

Optional comments.

led-state {enable | disable}

Enable (by default) or disable use of LEDs on WTP.

dtls-policy {clear-text | dtls-enabled}

WTP data channel DTLS policy.

  • clear-text: (set by default).
  • dtls-enabled:

Separate each value with a space to add multiple options. Values can also be added using append.

max-clients <number>

The default is set to 0, meaning there is no client limitation.

handoff-rssi <rssi>

Minimum received signal strength indicator (RSSI) value for handoff. Set the value between 20-30. The default is set to 25.

handoff-sta-thresh <threshold>

Threshold value for AP handoff. Set the value between 5-35. The default is set to 30.

handoff-roaming {enable | disable}

Enable (by default) or disable client load balancing during roaming to avoid roaming delay.

ap-country <country>

Country in which this AP will operate. To display all available countries, enter set country ?. The default is set to US (United States).

ip-fragment-preventing {tcp-mss-adjust | icmp-unreachable}

Method by which IP fragmentation is prevented for CAPWAP tunneled control and data packets:

  • tcp-mss-adjust: TCP maximum segment adjustment (by default).
  • icmp-unreachable: Drop packet and send an Internet Control Message Protocol (ICMP) Destination Unreachable error message.

Separate with a space to add both values. Values can also be added using append.

tun-mtu-uplink <bytes>

Uplink tunnel maximum transmission unit (MTU) in octets (eight-bit bytes). An MTU is the largest packet or frame size that can be sent. Set the value to either 0 (by default), 576, or 1500.

tun-mtu-downlink <bytes>

Downlink tunnel MTU in octets. Set the value to either 0 (by default), 576, or 1500.

split-tunneling-acl-local-ap-subnet {enable | disable}

Enable or disable (by default) specified destinations to be accessed locally instead of through the WiFi controller.

allowaccess {telnet | http | https | ssh}

Protocols to allow management-access to managed APs: telnet, http, https, and ssh. Separate each value with a space to add multiple protocols. Values can also be added using append.

login-passwd-change {yes | default | no}

Login password options:

  • yes: Change login password of the managed AP
  • default: Reset login password to factory default
  • no: Do not change login password (by default)

When set to yes, use the login-passwd entry to determine the password of the managed AP.

login-passwd <password>

Note: This entry is only available when login-passwd-change is set to yes. Login password of the managed AP.

lldp {enable | disable}

Enable or disable (by default) Link Layer Discovery Protocol (LLDP), a vendor-neutral link layer protocol used by network devices for advertising their identity, capabilities, and neighbours.
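
The dtls-policy, allowaccess, and login-passwd-change entries above can be checked across every profile in a configuration backup. The following is an added example, not Fortinet code: the function names, the sample configuration, and the assumption that entries left at their default are absent from the backup are all illustrative.

```python
import shlex

DEFAULTS = {"dtls-policy": ["clear-text"], "login-passwd-change": ["no"]}  # per this reference

def parse_wtp_profiles(text):
    """Return {profile: {entry: [values]}} from profile-level "set" lines."""
    profiles, current, path = {}, None, []
    for raw in text.splitlines():
        tok = shlex.split(raw) or [""]
        if tok[0] == "config":
            path.append(" ".join(tok[1:]))
        elif tok[0] == "end" and path:
            path.pop()
        elif path == ["wireless-controller wtp-profile"]:  # nested blocks are skipped
            if tok[0] == "edit":
                current = profiles.setdefault(tok[1], {})
            elif tok[0] == "set" and current is not None:
                current[tok[1]] = tok[2:]
    return profiles

def audit(profiles):
    """Return (profile, entry, reason) for each weak management-plane setting."""
    findings = []
    for name, entries in profiles.items():
        get = lambda key: entries.get(key, DEFAULTS.get(key, []))
        cleartext = sorted({"telnet", "http"} & set(get("allowaccess")))
        if cleartext:
            findings.append((name, "allowaccess", "unencrypted: " + " ".join(cleartext)))
        if "clear-text" in get("dtls-policy"):
            findings.append((name, "dtls-policy", "data channel may run without DTLS"))
        if get("login-passwd-change") != ["yes"]:
            findings.append((name, "login-passwd-change", "AP login password not set by profile"))
    return findings

# Constructed sample in FortiOS configuration syntax, not taken from a real device.
SAMPLE = """config wireless-controller wtp-profile
    edit "lobby-ap"
        set allowaccess telnet http https ssh
        config lbs
            set fortipresence enable
        end
    next
    edit "office-ap"
        set dtls-policy dtls-enabled
        set allowaccess https ssh
        set login-passwd-change yes
    next
end"""

if __name__ == "__main__":
    print(*audit(parse_wtp_profiles(SAMPLE)), sep="\n")
```

The "lobby-ap" profile is flagged on all three entries even though it sets only allowaccess, because the defaults for dtls-policy and login-passwd-change are applied when the entry is missing.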