Add profile support for Wi-Fi 7 on FortiAP K-series models 7.4.4
This information is also available in the FortiWiFi and FortiAP 7.4 Configuration Guide.
The release adds Wi-Fi 7 (IEEE 802.11be) profile support for FortiAP K-series models, which currently includes FAP-441K, 443K, 241K, and 243K. When creating or editing a FortiAP profile for a FortiAP K-series model, you can select the new 802.11be band for 5GHz and 6GHz radios.
To configure a FortiAP profile with Wi-Fi 7 - GUI:
- Go to WiFi & Switch Controller > FortiAP Profiles and create or select a FortiAP K-series profile.
- In Platform, select a FortiAP K-series model under WiFi 7.
- In the 5GHz radio, add a Band and select 802.11be.
- Once you select the 802.11be band on the 5GHz Radio, the 240MHz channel width is available.
- Click Set Channels to set the DFS channels.
- When you are finished, click OK.
- In the 6GHz radio, add a Band and select 802.11be.
- Once you select the 802.11be band on the 6GHz Radio, the 320MHz channel width is available.
- Click Set Channels to set the Channel Bonding Extension. You can set your channel bandwidth extensions to 320MHz-1 or 320MHz-2, and then set channels accordingly.
- When you are finished, click OK.
CLI changes
FortiAP profile
New FortiAP profile CLI options have been added to configure 802.11be on the 5GHz and 6GHz radios of FortiAP K-series models. When 802.11be is selected as the band for radio-3, new channel bonding options are available as well.
    config wireless-controller wtp-profile
        edit <name>
            config radio-2
                set band 802.11be-5G
                set channel-bonding 240MHz
            end
            config radio-3
                set band 802.11be-6G
                set channel-bonding 320MHz
                set channel-bonding-ext {320MHz-1 | 320MHz-2}
            end
        next
    end

| Option | Description |
|---|---|
| channel-bonding-ext | Channel bandwidth extension: 320 MHz-1 and 320 MHz-2 (default = 320 MHz-2). |
VAP
New VAP CLI options have been added.
    config wireless-controller vap
        edit <name>
            set security wpa3-sae
            set akm24-only {enable | disable}
            set rates-11be-mcs-map <string>
            set rates-11be-mcs-map-160 <string>
            set rates-11be-mcs-map-320 <string>
        next
    end

| Option | Description |
|---|---|
| akm24-only | WPA3 SAE using group-dependent hash only (default = disable). Note: WPA3-SAE SSID allows configuring either of the |
| additional-akms | Additional AKMs. When |
| rates-11be-mcs-map | Comma separated list of max nss that supports EHT-MCS 0-9, 10-11, 12-13 for 20MHz/40MHz/80MHz bandwidth. |
| rates-11be-mcs-map-160 | Comma separated list of max nss that supports EHT-MCS 0-9, 10-11, 12-13 for 160MHz bandwidth. |
| rates-11be-mcs-map-320 | Comma separated list of max nss that supports EHT-MCS 0-9, 10-11, 12-13 for 320MHz bandwidth. |
To configure a FortiAP profile with Wi-Fi 7 - CLI:
- Create a WPA3-SAE security VAP with akm24-only enabled.

    config wireless-controller vap
        edit "sae-akm24"
            set ssid "sae-akm24"
            set security wpa3-sae
            set pmf enable
            set beacon-protection enable
            set sae-h2e-only enable
            set akm24-only enable
            set local-bridging enable
            set schedule "always"
            set sae-password ENC
        next
    end
- Create a WPA3-SAE-Transition security VAP with additional-akms enabled.

    config wireless-controller vap
        edit "sae-trans-akm"
            set ssid "sae-trans-akm"
            set security wpa3-sae-transition
            set pmf optional
            set beacon-protection enable
            set additional-akms akm24
            set passphrase ENC
            set sae-h2e-only enable
            set local-bridging enable
            set schedule "always"
            set sae-password ENC
        next
    end
- Create a FortiAP profile for a FortiAP K-series model with Wi-Fi 7 enabled on the radio. This example uses FAP441K.

    config wireless-controller wtp-profile
        edit "FAP441K-profile"
            config platform
                set type 441K
                set ddscan enable
            end
            set handoff-sta-thresh 55
            set allowaccess ssh
            config radio-1
                set band 802.11ax-2G
                set vap-all manual
            end
            config radio-2
                set band 802.11be-5G
                set channel-bonding 40MHz
                set vap-all manual
                set vaps "sae-trans-akm"
                set channel "44" "48"
            end
            config radio-3
                set band 802.11be-6G
                set channel-bonding 320MHz
                set channel-bonding-ext 320MHz-1
                set vap-all manual
                set vaps "sae-akm24"
                set channel "45" "49" "65" "69" "73" "77" "81" "85" "89" "93" "97" "101" "105" "109" "113" "117" "121" "125"
            end
            config radio-4
                set mode monitor
            end
        next
    end
- Assign the FortiAP profile to the FortiAP device.

    config wireless-controller wtp
        edit "FP441KTF23000051"
            set wtp-profile "FAP441K-profile"
        next
    end
- To verify that configurations have been successfully applied, run the rcfg command on the FortiAP to see the assigned radio band and channels.

    FortiAP-441K # rcfg
    Radio 0: AP
       country : cfg=US oper=US
       countryID : cfg=841 oper=841
       802.11d enable : enabled
       802.11mc enable : disabled
       sta info : 0/0
       radio type : 11AX_2.4G (pure G)
       ...
       channel : num=0
       oper_chan : 1
       r_ac md_cap : 1, 6, 11,
       r_ac chan list : 1, 6, 11,
       chan list : 1, 6, 11,
       hw_chan list : 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11,
       ...
    Radio 1: AP
       ...
       channel : num=44
       oper_chan : 44+48
       r_ac md_cap : 44, 48,
       r_ac chan list : 44, 48,
       chan list : 44, 48,
       hw_chan list : 36, 40, 44, 48, 149, 153, 157, 161, 165, 169, 173, 177,
       ...
    Radio 2: AP
       ...
       oper_chan : 45
       r_ac md_cap : 45, 49, 65, 69, 73, 77, 81, 85, 89, 93, 97, 101, 105, 109, 113, 117, 121, 125,
       r_ac chan list : 45, 49, 65, 69, 73, 77, 81, 85, 89, 93, 97, 101, 105, 109, 113, 117, 121, 125,
       chan list : 45, 49, 65, 69, 73, 77, 81, 85, 89, 93, 97, 101, 105, 109, 113, 117, 121, 125,
       hw_chan list : 1, 5, 9, 13, 17, 21, 25, 29, 33, 37, 41, 45, 49, 53, 57, 61, 65, 69, 73, 77, 81, 85, 89, 93, 97, 101, 105, 109, 113, 117, 121, 125, 129, 133, 137, 141, 145, 149, 153, 157, 161, 165, 169, 173, 177, 181, 185, 189, 193, 197, 201, 205, 209, 213, 217, 221, 225, 229, 233,
       ...
    Radio 3: Monitor
       radio type : 2.4G 5G 6G
       ...
- Run the vcfg command to see the assigned SAE and SAE-Transition VAPs.

    FortiAP-441K # vcfg
    -------------------------------VAP Configuration 1----------------------------
    Radio Id 1 WLAN Id 0 sae-trans-akm ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
       vlanid=0, intf=wlan10, vap=0x54902c, bssid=38:c0:ea:f1:51:70
       11ax high-efficiency=enabled target-wake-time=enabled bss-color-partial=enabled
       mesh backhaul=disabled
       ...
       80211k=enabled, 80211v=enabled, fast_bss_trans(802.11r)=disabled, mbo=disabled,
       sae_h2e_only=enabled, sae_hnp_only=disabled, sae_pk=disabled, akm24_only=disabled
       ...
       ratelimit(Kbps): ul=0 dl=0 ul_user=0 dl_user=0 burst=disabled
       rates control configuration:
          rates-11ac-mcs-map: 11,11,11,11,11,11,11,11.
          rates-11ax-mcs-map: 11,11,11,11,11,11,11,11.
          rates-11be-mcs-map-20 : 4,4,4,4 4444
          rates-11be-mcs-map-160: 4,4,4,4 4444
          rates-11be-mcs-map-320: 4,4,4,4 4444
       primary wag:
       secondary wag:
       application detection engine: disabled
    -------------------------------VAP Configuration 2----------------------------
    Radio Id 2 WLAN Id 0 sae-akm24 ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
       vlanid=0, intf=wlan20, vap=0x5498c5, bssid=38:c0:ea:f1:51:78
       ...
       80211k=enabled, 80211v=enabled, fast_bss_trans(802.11r)=disabled, mbo=disabled,
       sae_h2e_only=enabled, sae_hnp_only=disabled, sae_pk=disabled, akm24_only=disabled
       neighbor_report_dual_band(802.11kv)=disabled
       ...
       ratelimit(Kbps): ul=0 dl=0 ul_user=0 dl_user=0 burst=disabled
       rates control configuration:
          rates-11ac-mcs-map: 11,11,11,11,11,11,11,11.
          rates-11ax-mcs-map: 11,11,11,11,11,11,11,11.
          rates-11be-mcs-map-20 : 4,4,4,4 4444
          rates-11be-mcs-map-160: 4,4,4,4 4444
          rates-11be-mcs-map-320: 4,4,4,4 4444
       primary wag:
       secondary wag:
       application detection engine: disabled
    -------------------------------Total 2 VAP Configurations----------------------------
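The vcfg verification step can be scripted so that the SAE flags the AP reports are compared against what was configured. This is an added example, not Fortinet code; the function names, the EXPECTED table and the line breaks in the sample are assumptions. Run on the output shown above, it reports that sae-akm24 shows akm24_only=disabled although the VAP was configured with akm24-only enable.

```python
import re

# Excerpt of the vcfg output shown above, cut down to the lines the check reads.
VCFG_SAMPLE = """\
-------------------------------VAP Configuration 1----------------------------
Radio Id 1 WLAN Id 0 sae-trans-akm ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
80211k=enabled, 80211v=enabled, fast_bss_trans(802.11r)=disabled, mbo=disabled, sae_h2e_only=enabled, sae_hnp_only=disabled, sae_pk=disabled, akm24_only=disabled
-------------------------------VAP Configuration 2----------------------------
Radio Id 2 WLAN Id 0 sae-akm24 ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
80211k=enabled, 80211v=enabled, fast_bss_trans(802.11r)=disabled, mbo=disabled, sae_h2e_only=enabled, sae_hnp_only=disabled, sae_pk=disabled, akm24_only=disabled
-------------------------------Total 2 VAP Configurations----------------------------
"""

# Intended state, copied by hand from the "set" lines of the two VAPs above.
EXPECTED = {
    "sae-akm24": {"sae_h2e_only": "enabled", "akm24_only": "enabled"},
    "sae-trans-akm": {"sae_h2e_only": "enabled"},
}

def parse_vcfg(text):
    """Return {vap_name: {"radio": int, "flags": {key: value}}} from vcfg output."""
    vaps = {}
    # Split on the dashed "VAP Configuration N" banners; chunk 0 is the preamble.
    for chunk in re.split(r"-+VAP Configuration \d+-+", text)[1:]:
        head = re.search(r"Radio Id (\d+) WLAN Id \d+ (\S+)", chunk)
        if not head:
            continue
        flags = dict(re.findall(r"([\w()./]+)=(enabled|disabled)\b", chunk))
        vaps[head.group(2)] = {"radio": int(head.group(1)), "flags": flags}
    return vaps

def audit(text, expected=EXPECTED):
    """List (vap, flag, wanted, seen) for every flag that differs from intent."""
    vaps = parse_vcfg(text)
    findings = []
    for name, wanted in expected.items():
        seen = vaps.get(name, {}).get("flags")
        if seen is None:
            findings.append((name, "<vap>", "present", "missing"))
            continue
        for flag, value in wanted.items():
            if seen.get(flag) != value:
                findings.append((name, flag, value, seen.get(flag, "absent")))
    return findings

if __name__ == "__main__":
    for finding in audit(VCFG_SAMPLE):
        print("MISMATCH vap=%s flag=%s expected=%s seen=%s" % finding)
```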