
New Features

DHCP address enforcement


DHCP address enforcement ensures that clients who connect must complete the DHCP process to obtain an IP address; otherwise, they are disconnected from the SSID. This prevents clients with static addresses that may conflict with the DHCP address scheme, or clients that fail to obtain a DHCP address assignment, from connecting to the SSID.

To configure DHCP address enforcement in FortiOS:
config wireless-controller vap
    edit "test-tunnel"
        set ssid "test-tunnel"
        set passphrase ********
        set schedule "always"
        set dhcp-address-enforcement enable
    next
end
Note

The default setting for dhcp-address-enforcement is disable.

To view the diagnostics in FortiAP:
# cw_diag -c vap-cfg
-------------------------------VAP Configuration    1----------------------------
Radio Id  1 WLAN Id  0 test-tunnel ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
           vlanid=0, intf=wlan11, vap=0x1d481ae, bssid=90:6c:ac:4e:47:c1
           mesh backhaul=disabled
           local_auth=disabled standalone=disabled nat_mode=disabled
           local_bridging=disabled split_tunnel=disabled
           intra_ssid_priv=disabled
           mcast_enhance=disabled igmp_snooping=disabled
           mac_auth=disabled fail_through_mode=disabled sta_info=2/0
           mac=local, tunnel=8023, cap=8ce0, qos=disabled
           prob_resp_suppress=disabled
           rx sop=disabled
           sticky client remove=disabled
           mu mimo=enabled           ldpc_config=rxtx
           dhcp_option43_insertion=enabled           dhcp_option82_insertion=disabled
           dhcp_enforcement=enabled
           access_control_list=disabled
           bc_suppression=dhcp dhcp-ucast arp 
           auth=WPA2, PSK, AES WPA keyIdx=1, keyLen=16, keyStatus=1, gTsc=000000000000
           key=3c0b3084 639b28d9 07448633 55e9adda
           pmf=disable
           okc=disabled, dynamic_vlan=disabled, extern_roaming=disabled
           voice_ent(802.11kv)=disabled, fast_bss_trans(802.11r)=disabled
           airfairness weight: 20%
           schedules=SMTWTFS 00:00->00:00, 
           ratelimit(Kbps): ul=0 dl=0 ul_user=0 dl_user=0 burst=disabled
           rates control configuration: No data rate is configured
-------------------------------Total    1 VAP Configurations----------------------------
Sample FortiOS WiFi events log:
1: date=2021-02-26 time=11:35:14 eventtime=1614368114443516023 tz="-0800" logid="0104043709" type="event" subtype="wireless" level="warning" vd="vdom1" logdesc="Wireless client denied by DHCP enforcement for using static IP address" sn="FP423E3X00000000" ap="TEST-FAP-423E" vap="test-tunnel" ssid="test-tunnel" stamac="ac:1f:74:12:40:86" security="WPA2 Personal" encryption="AES" action="DHCP-enforcement" reason="N/A" msg="Client ac:1f:74:12:40:86 denied by DHCP enforcement for using static IP 10.8.0.5" remotewtptime="3314.349637"

In this example, a client configured with a static IP address was rejected.
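To monitor this event from a SIEM or a log-collection script, the record above can be parsed like any other FortiOS key=value log. The following Python is an added example, not Fortinet code: it parses the sample event log line shown above (plus one constructed, non-denial wireless record used only to exercise the filter), selects records whose action is "DHCP-enforcement", and pulls the client MAC and the static IP the client tried to use out of the msg field so repeat offenders can be counted per MAC. The field names are those in the sample log line; the constructed second line and the function names are assumptions.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# FortiOS log records are space-separated key=value tokens; values with spaces are double-quoted.
_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# The denial message ends with the offending address: "... for using static IP 10.8.0.5".
_STATIC_IP = re.compile(r'static IP (\d{1,3}(?:\.\d{1,3}){3})')

# Sample input: line 1 is the event log record from the page; line 2 is a constructed
# "client connected" record (not a real FortiOS message) so the filter has something to skip.
SAMPLE_LOG_LINES: List[str] = [
    '1: date=2021-02-26 time=11:35:14 eventtime=1614368114443516023 tz="-0800" logid="0104043709" '
    'type="event" subtype="wireless" level="warning" vd="vdom1" '
    'logdesc="Wireless client denied by DHCP enforcement for using static IP address" '
    'sn="FP423E3X00000000" ap="TEST-FAP-423E" vap="test-tunnel" ssid="test-tunnel" '
    'stamac="ac:1f:74:12:40:86" security="WPA2 Personal" encryption="AES" action="DHCP-enforcement" '
    'reason="N/A" msg="Client ac:1f:74:12:40:86 denied by DHCP enforcement for using static IP 10.8.0.5" '
    'remotewtptime="3314.349637"',
    # constructed record, placeholder fields
    '2: date=2021-02-26 time=11:36:02 tz="-0800" type="event" subtype="wireless" level="notice" '
    'vd="vdom1" logdesc="Wireless client connected" ap="TEST-FAP-423E" vap="test-tunnel" '
    'ssid="test-tunnel" stamac="b2:4a:c0:37:9f:0b" action="client-connected" '
    'msg="Client b2:4a:c0:37:9f:0b connected"',
]


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS key=value log record into a dict, stripping surrounding quotes."""
    # Drop the leading "N: " sequence number that 'execute log display' style output carries.
    line = re.sub(r'^\s*\d+:\s*', '', line)
    fields: Dict[str, str] = {}
    for key, value in _TOKEN.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def dhcp_enforcement_denials(lines: Iterable[str]) -> List[Dict[str, Optional[str]]]:
    """Return one summary record per wireless client denied by DHCP address enforcement."""
    hits: List[Dict[str, Optional[str]]] = []
    for line in lines:
        rec = parse_fortios_log(line)
        if rec.get("subtype") != "wireless" or rec.get("action") != "DHCP-enforcement":
            continue
        m = _STATIC_IP.search(rec.get("msg", ""))
        hits.append({
            "time": f'{rec.get("date")} {rec.get("time")}',
            "stamac": rec.get("stamac"),
            "static_ip": m.group(1) if m else None,  # None if the message format changes
            "ap": rec.get("ap"),
            "ssid": rec.get("ssid"),
        })
    return hits


def denials_by_client(hits: Iterable[Dict[str, Optional[str]]]) -> Dict[str, int]:
    """Count denials per client MAC so a persistently misconfigured host stands out."""
    return dict(Counter(h["stamac"] or "unknown" for h in hits))


if __name__ == "__main__":
    denials = dhcp_enforcement_denials(SAMPLE_LOG_LINES)
    for d in denials:
        print(f'{d["time"]} {d["ssid"]}/{d["ap"]}: {d["stamac"]} tried static IP {d["static_ip"]}')
    print(denials_by_client(denials))
```

A client that appears repeatedly in this count is most likely a host with a hard-coded address on an SSID that now requires DHCP, which is exactly the conflict the feature is designed to keep off the network; the lease list and wlac -d sta output shown below confirm which clients did complete DHCP.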

To view the diagnostics in FortiOS:
# execute dhcp lease-list
test-tunnel
  IP          MAC-Address        Hostname     VCI          SSID           AP               Expiry
  10.8.0.3    b2:4a:c0:37:9f:0b  Testhost           test-tunnel    FP423E3X00000000 Sat Feb 27 17:40:15 2021
# diagnose wireless-controller wlac -d sta
   vf=1 wtp=1 rId=2 wlan=test-tunnel vlan_id=0 ip=10.8.0.3 ip6=fe80::1c3b:cefd:790b:20cc mac=b2:4a:c0:37:9f:0b vci= host=Testhost  user= group= signal=-55 noise=-95 idle=2 bw=0 use=6 chan=144 radio_type=11AC security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no online=yes mimo=1
                ip6=*fe80::1c3b:cefd:790b:20cc,12, 

In this example, a client with a DHCP assigned IP address was able to join the SSID.
