Fortinet Document Library

New Features 7.0.0

DHCP address enforcement

DHCP address enforcement ensures that clients who connect must complete the DHCP process to obtain an IP address; otherwise, they are disconnected from the SSID. This prevents users with static addresses that may conflict with the DHCP address scheme, or users that fail to obtain a DHCP IP assignment, from connecting to the SSID.

To configure DHCP address enforcement in FortiOS:
config wireless-controller vap
    edit "test-tunnel"
        set ssid "test-tunnel"
        set passphrase ********
        set schedule "always"
        set dhcp-address-enforcement enable
    next
end
Note

The default setting for dhcp-address-enforcement is disable.

To view the diagnostics in FortiAP:
# cw_diag -c vap-cfg
-------------------------------VAP Configuration    1----------------------------
Radio Id  1 WLAN Id  0 test-tunnel ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
           vlanid=0, intf=wlan11, vap=0x1d481ae, bssid=90:6c:ac:4e:47:c1
           mesh backhaul=disabled
           local_auth=disabled standalone=disabled nat_mode=disabled
           local_bridging=disabled split_tunnel=disabled
           intra_ssid_priv=disabled
           mcast_enhance=disabled igmp_snooping=disabled
           mac_auth=disabled fail_through_mode=disabled sta_info=2/0
           mac=local, tunnel=8023, cap=8ce0, qos=disabled
           prob_resp_suppress=disabled
           rx sop=disabled
           sticky client remove=disabled
           mu mimo=enabled           ldpc_config=rxtx
           dhcp_option43_insertion=enabled           dhcp_option82_insertion=disabled
           dhcp_enforcement=enabled
           access_control_list=disabled
           bc_suppression=dhcp dhcp-ucast arp 
           auth=WPA2, PSK, AES WPA keyIdx=1, keyLen=16, keyStatus=1, gTsc=000000000000
           key=3c0b3084 639b28d9 07448633 55e9adda
           pmf=disable
           okc=disabled, dynamic_vlan=disabled, extern_roaming=disabled
           voice_ent(802.11kv)=disabled, fast_bss_trans(802.11r)=disabled
           airfairness weight: 20%
           schedules=SMTWTFS 00:00->00:00, 
           ratelimit(Kbps): ul=0 dl=0 ul_user=0 dl_user=0 burst=disabled
           rates control configuration: No data rate is configured
-------------------------------Total    1 VAP Configurations----------------------------
Sample FortiOS WiFi events log:
1: date=2021-02-26 time=11:35:14 eventtime=1614368114443516023 tz="-0800" logid="0104043709" type="event" subtype="wireless" level="warning" vd="vdom1" logdesc="Wireless client denied by DHCP enforcement for using static IP address" sn="FP423E3X00000000" ap="TEST-FAP-423E" vap="test-tunnel" ssid="test-tunnel" stamac="ac:1f:74:12:40:86" security="WPA2 Personal" encryption="AES" action="DHCP-enforcement" reason="N/A" msg="Client ac:1f:74:12:40:86 denied by DHCP enforcement for using static IP 10.8.0.5" remotewtptime="3314.349637"

In this example, a client configured with a static IP address was rejected.

To view the diagnostics in FortiOS:
# execute dhcp lease-list
test-tunnel
  IP          MAC-Address        Hostname     VCI          SSID           AP               Expiry
  10.8.0.3    b2:4a:c0:37:9f:0b  Testhost           test-tunnel    FP423E3X00000000 Sat Feb 27 17:40:15 2021
# diagnose wireless-controller wlac -d sta
   vf=1 wtp=1 rId=2 wlan=test-tunnel vlan_id=0 ip=10.8.0.3 ip6=fe80::1c3b:cefd:790b:20cc mac=b2:4a:c0:37:9f:0b vci= host=Testhost  user= group= signal=-55 noise=-95 idle=2 bw=0 use=6 chan=144 radio_type=11AC security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no online=yes mimo=1
                ip6=*fe80::1c3b:cefd:790b:20cc,12, 

In this example, a client with a DHCP-assigned IP address was able to join the SSID.
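Two checks a defender would want around this feature, written here as an added example (not Fortinet code): the first parses FortiOS key=value wireless events and pulls out the client MAC and static IP from the DHCP-enforcement denial shown above, for alerting; the second walks a `config wireless-controller vap` block and lists VAPs that still rely on the default (disable). The second log line and the "guest-open" VAP are constructed for the example.

```python
import re

# Constructed sample input: the denial event from this page (record counter "1:" dropped,
# some fields omitted for brevity) plus a made-up unrelated wireless event that must not match.
SAMPLE_LOGS = [
    'date=2021-02-26 time=11:35:14 logid="0104043709" type="event" subtype="wireless" '
    'level="warning" ap="TEST-FAP-423E" ssid="test-tunnel" stamac="ac:1f:74:12:40:86" '
    'action="DHCP-enforcement" reason="N/A" msg="Client ac:1f:74:12:40:86 denied by '
    'DHCP enforcement for using static IP 10.8.0.5" remotewtptime="3314.349637"',
    'date=2021-02-26 time=11:36:00 subtype="wireless" action="client-authentication" '
    'stamac="b2:4a:c0:37:9f:0b" ssid="test-tunnel"',
]
# Constructed config: the page's VAP plus a made-up VAP that never sets the option.
SAMPLE_CONFIG = """config wireless-controller vap
    edit "test-tunnel"
        set dhcp-address-enforcement enable
    next
    edit "guest-open"
        set ssid "guest-open"
    next
end"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')          # key="quoted" or key=bare
STATIC_IP_RE = re.compile(r'static IP (\d{1,3}(?:\.\d{1,3}){3})')

def parse_fortios_log(line):
    """Turn one FortiOS key=value log line into a dict, stripping the quotes."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}

def dhcp_enforcement_denials(lines):
    """Return (client MAC, static IP it used, SSID) for each DHCP-enforcement denial."""
    hits = []
    for line in lines:
        ev = parse_fortios_log(line)
        if ev.get("subtype") == "wireless" and ev.get("action") == "DHCP-enforcement":
            m = STATIC_IP_RE.search(ev.get("msg", ""))
            hits.append((ev.get("stamac"), m.group(1) if m else None, ev.get("ssid")))
    return hits

def vaps_without_dhcp_enforcement(config_text):
    """List VAP names that never 'set dhcp-address-enforcement enable' (default is disable)."""
    missing, current, enabled = [], None, False
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line.startswith("edit "):
            current, enabled = line[5:].strip('"'), False
        elif line == "set dhcp-address-enforcement enable":
            enabled = True
        elif line == "next" and current and not enabled:
            missing.append(current)
    return missing
```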
