
New Features

Support customizable DHCP Option 82 configurations 7.6.7


This release adds support for customizable DHCP Option 82 configurations, enabling administrators to select any combination of sub-options and specify a delimiter in the VAP. In previous releases, DHCP Option 82 offered only three pre-defined styles that were not customizable, and only one of them could be selected in the VAP. In a network that needs to customize DHCP for different devices, the administrator can enable Option 82 so that IP addresses are delivered only to known devices, with custom configurations based on the information sent by the device the client is connected to.

Note

The FortiAP must be running firmware version 7.6.4 or later to support this feature.

CLI changes

A new command has been added to customize the delimiter for Circuit ID, and new options for set dhcp-option82-circuit-id-insertion and set dhcp-option82-remote-id-insertion are available:

config wireless-controller vap
    edit <name>
        set ssid <name>
        set dhcp-option82-insertion enable
        set dhcp-option82-delimiter <string>
        set dhcp-option82-circuit-id-insertion [ap-mac | ap-model | ap-hostname | ssid | ssid-type | network-type | vlan | wtp-profile]
        set dhcp-option82-remote-id-insertion [client-mac]
    next
end

dhcp-option82-delimiter

If you want to use more than one Circuit ID, enter a delimiter to define the separate fields (Default = ;).

dhcp-option82-circuit-id-insertion

Select DHCP option 82 Circuit IDs:

  • ap-mac: AP MAC
  • ap-model: AP Model
  • ap-hostname: AP Hostname
  • ssid: SSID
  • ssid-type: SSID Type
  • network-type: Network Type
  • vlan: VLAN ID
  • wtp-profile: WTP Profile Name.

dhcp-option82-remote-id-insertion

Select DHCP option 82 Remote ID:

  • client-mac: Client MAC.

After upgrading to this release, the FortiGate automatically converts any old commands to the following new configuration format:

    Commands                              Old configuration    New configuration
    dhcp-option82-circuit-id-insertion    style-1              ap-mac ssid ssid-type
    dhcp-option82-circuit-id-insertion    style-2              ap-mac
    dhcp-option82-circuit-id-insertion    style-3              network-type wtp-profile vlan ssid ap-model ap-hostname ap-mac
    dhcp-option82-remote-id-insertion     style-1              client-mac

Example configuration

To configure custom DHCP Option 82 configurations:
  1. From the VAP, enable custom DHCP option 82 and select the circuit-id and remote-id. If there is more than one Circuit ID, configure the delimiter.

    config wireless-controller vap
        edit "dhcp82"
            set ssid "dhcp82"
            set passphrase ENC 
            set schedule "always"
            set dhcp-option82-insertion enable
            set dhcp-option82-delimiter "+"
            set dhcp-option82-circuit-id-insertion ap-mac ap-model ap-hostname wtp-profile
            set dhcp-option82-remote-id-insertion client-mac
        next
    end
  2. Apply the SSID to a FortiAP profile.

    config wireless-controller wtp-profile
        edit "23JK"
            config radio-1
                set vap-all manual
                set vaps "dhcp82"
            end
            config radio-2
                set vap-all manual
                set vaps "dhcp82"
            end
        next 
    end
  3. From the FortiAP, verify that the configurations have been applied:

    FortiAP-23JK # vcfg
    -------------------------------VAP Configuration    1----------------------------
    Radio Id  0 WLAN Id  0 dhcp82 ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
               vlanid=0, intf=wlan00, vap=0xdc2d02c, bssid=48:3a:02:99:cb:f0
               11ax high-efficiency=enabled target-wake-time=enabled
               bss-color-partial=enabled
               mesh backhaul=disabled
               local_auth=disabled standalone=disabled nat_mode=disabled
               local_bridging=disabled split_tunnel=disabled layer3_roaming=disabled
               intra_ssid_priv=disabled lan_loc=enabled
               mcast_enhance=disabled igmp_snooping=disabled
               mac_auth=disabled fail_through_mode=disabled sta_info=0/0
               mac=local, tunnel=8023, cap=8ce0, qos=disabled
               prob_resp_suppress=disabled
               rx sop=disabled
               sticky client remove=disabled
               mu mimo=enabled           ldpc_config=rxtx
               dhcp_option43_insertion=enabled, dhcp_option82_insertion=enabled(version 1/1)
               dho82_circuit_id=ap-mac+ap-model+ap-hostname+wtp-profile
               dho82_remote_id=client-mac
               dhcp_enforcement=disabled
               access_control_list=disabled
               bc_suppression=dhcp dhcp-ucast arp 
               auth=WPA2, PSK, AES WPA keyIdx=1, keyLen=16, keyStatus=1, gTsc=000000000000
               key=b1fc0607 e918996c 22eb39af b7000000
               pmf=disable
               okc=disabled, dynamic_vlan=disabled, extern_roaming=disabled, mlo=disabled
               80211k=enabled, 80211v=enabled, fast_bss_trans(802.11r)=disabled, mbo=disabled, sae_h2e_only=disabled, sae_hnp_only=disabled, sae_pk=disabled, akm24_only=disabled
               neighbor_report_dual_band(802.11kv)=disabled
               port_macauth=disable
               airfairness weight: 20%
               schedules=SMTWTFS 00:00->00:00, 
               ratelimit(Kbps): ul=0 dl=0 ul_user=0 dl_user=0 burst=disabled
               rates control configuration:
                   rates-11ac-mcs-map: 11,11,11,11,11,11,11,11.
                   rates-11ax-mcs-map: 11,11,11,11,11,11,11,11.
                   rates-11be-mcs-map-20 : 4,4,4,4  4444
                   rates-11be-mcs-map-160: 4,4,4,4  4444
                   rates-11be-mcs-map-320: 4,4,4,4  4444
               UTM=disabled
               application detection engine: disabled
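
The following is an added example, not Fortinet code: a DHCP-server-side check that splits the Circuit ID built by the configuration above and hands out leases only when the AP MAC is on an allow-list, rejecting payloads where a field value containing the delimiter shifts the field count. It assumes the sub-option values arrive as ASCII text in the configured order; the MAC addresses, model and hostname in the sample data are constructed.

```python
# Added example: validate a relay-agent Option 82 payload on the DHCP server side.
# Assumptions (not from the Fortinet page): sub-option values are ASCII text and
# the Circuit ID fields appear in the order configured on the VAP.
DELIMITER = "+"                           # matches: set dhcp-option82-delimiter "+"
CIRCUIT_FIELDS = ["ap-mac", "ap-model", "ap-hostname", "wtp-profile"]
KNOWN_AP_MACS = {"00:00:5e:00:53:01"}     # constructed allow-list


def parse_option82(payload: bytes) -> dict:
    """Split the option 82 value into RFC 3046 sub-options (1=Circuit ID, 2=Remote ID)."""
    subopts, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option length exceeds payload")
        if code in subopts:
            raise ValueError("duplicate sub-option")
        subopts[code] = value
        i += 2 + length
    return subopts


def split_circuit_id(raw: bytes) -> dict:
    """Map Circuit ID fields to their names; reject if the field count is off."""
    parts = raw.decode("ascii").split(DELIMITER)
    if len(parts) != len(CIRCUIT_FIELDS):
        # e.g. a hostname containing the delimiter shifts every later field
        raise ValueError(f"expected {len(CIRCUIT_FIELDS)} fields, got {len(parts)}")
    return dict(zip(CIRCUIT_FIELDS, parts))


def is_known_device(payload: bytes) -> bool:
    """True only when the Circuit ID parses cleanly and the AP MAC is allow-listed."""
    try:
        fields = split_circuit_id(parse_option82(payload)[1])
    except (ValueError, KeyError):        # malformed, non-ASCII, or no Circuit ID
        return False
    return fields["ap-mac"].lower() in KNOWN_AP_MACS


def build(circuit: str, remote: str) -> bytes:
    """Construct a sample option 82 payload (constructed test data)."""
    c, r = circuit.encode(), remote.encode()
    return bytes([1, len(c)]) + c + bytes([2, len(r)]) + r
```

Choose a delimiter that cannot occur in AP hostnames or WTP profile names, since the server has no other way to tell where one field ends and the next begins.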
