
DO NOT REPRINT

© FORTINET

FortiWLC Study Guide


for FortiWLC 8.2
Fortinet Training
http://www.fortinet.com/training

Fortinet Document Library
http://docs.fortinet.com

Fortinet Knowledge Base
http://kb.fortinet.com

Fortinet Forums
https://forum.fortinet.com

Fortinet Support
https://support.fortinet.com 

FortiGuard Labs
http://www.fortiguard.com

Fortinet Network Security Expert Program (NSE)


https://www.fortinet.com/support-and-training/training/network-security-expert-program.html

Feedback
Email: courseware@fortinet.com

5/16/2018

TABLE OF CONTENTS

01 Introduction to FortiWLC 4
02 Radio Frequency Planning 45
03 Plan and Design a Network 105
04 Controller Installation 166
05 Network Integration 221
06 Access Point Integration 248
07 Installation of Access Points 302
08 Building Wireless Networks 353
09 Monitoring the Wireless Network 409
10 Troubleshooting--Gathering Information 461
11 Troubleshooting--Resolving Issues 521
12 Managing and Maintaining the Network 548
Introduction to FortiWLC

In this lesson, you will examine some of the basic concepts of single channel and virtual cell technology,
and compare those technologies with traditional microcell technology.

You will also be introduced to the basic architecture of and the products used in a FortiWLC wireless
deployment.

FortiWLC 8.2 Study Guide 4



In this lesson, you will explore the following topics:


• Virtual cell radio frequency (RF) virtualisation, and how it differs from traditional wireless technologies
• The limitations of virtual cell technology
• The components used in a FortiWLC solution


After completing this section, you should be able to:


• Describe the differences between traditional wireless LAN technologies and virtual cell technology
• Understand the benefits of virtual cell technology


Before you learn about virtual cell technology, you need to understand the limitations of traditional
WLAN architecture.

Since being standardized in the late 1990s, WLAN technology has grown and evolved; however, the
fundamental operating principles have not changed. This has created challenges as wireless
networks have grown larger.

Early wireless networks consisted of one access point. Clients associated with this single access point to
gain network access. In order to communicate, the client and the access point needed to be tuned to the
same radio channel. Similar to a two-way radio system, the client and access point radios could only
transmit or receive at any one time, not both. In networking terms, this is referred to as half duplex.

A radio has to listen to its assigned channel to hear whether any other radio is talking before it can transmit. It
listens for and decodes the wireless LAN frames it hears; this is known as clear channel assessment (CCA).
CCA allows the radio to determine whether the channel is being used by another wireless LAN radio. It can also
work out how long the channel is going to be in use, because it can read certain fields in the frame header that
state how long that transmission is expected to last (in microseconds). This value is set by the sending radio.

The radio also listens for more general wireless energy using a process known as energy detect (ED).
This allows the radio to detect any other type of radio signal that might interfere with a successful
transmission. These could be all sorts of non-wireless-LAN signal sources, but could also be distant wireless
LAN radios whose frames can no longer be decoded.

The radio uses a combination of CCA and ED to determine whether the channel is free, typically CCA first and
then ED. Note that all wireless LAN radios in the same area use the same mechanism.

If the channel is judged to be free, then the radio changes to transmit mode and begins transmitting.
When operating in transmit mode, a radio can’t hear its own transmissions or any other transmissions,
so it’s impossible for the radio to determine whether a transmission was successful. It cannot, for instance,
‘hear’ if another radio was transmitting at the same time.

Transmissions are not centrally coordinated; the access point is not in charge, and channel access is
granted on a first come, first served basis. This means that clients and access points frequently assess
a channel at the same time, determine it to be ‘free’, and transmit at the same time, resulting in a
collision.

In wireless networks, collisions are managed by a variation of carrier sense multiple access (CSMA)
called collision avoidance. When collision avoidance is used, a radio issues an acknowledgement
(ACK) when it successfully receives a transmission. The ACK lets the sending radio know that the
transmission was successful. If no ACK is received, the sending radio assumes that the transmission
was unsuccessful and resends it, duplicating the original frame.

Sending the duplicate frame requires airtime and reduces the amount of airtime available for other
devices. The more interference or collisions occur, the more retries are generated. The more retries,
the lower the net throughput of the wireless network. When the number of retries becomes excessive,
problems start occurring. For example, a retry rate of 50% means that 50% of your airtime is being
used to resend data, which essentially means that you have lost half of your wireless network capacity.


Radio transmissions in wireless networks are governed by strict transmission power regulations.

Think of each AP as an island. A single wireless network island covers a relatively small area. To cover a
larger area, multiple islands need to be deployed, as shown in this slide. Also, to ensure that the signal
remains consistent as clients move around, some overlap is necessary.

However, if all of the APs on the neighbouring islands are trying to transmit on the same channel without
any coordination, this will cause transmission interference, also known as co-channel interference (CCI).


WLANs are allowed to operate in relatively small parts of the radio spectrum. You will learn more about
this in another lesson.

The small part of the spectrum that WLANs are allowed to use is divided into multiple channels. One of
the early methods used to accommodate multiple access points was to assign each island its own
channel. This means that conversations occurring on different islands can take place simultaneously
without interfering with, colliding with, or inhibiting each other.

The initial portion of the spectrum released for WLAN use was in the 2.4 GHz range. It was subdivided into
14 channels; however, some practical limitations meant that only three channels were usable. Later, more
of the spectrum was released in the 5 GHz range, making more channels available. However, there were
limitations around using these channels as well.


When different islands are assigned their own channels, the network coverage can grow. However, because
there are only three usable channels in 2.4 GHz, in any network that has more than three APs, channels
have to be reused. To avoid CCI, radios on the same channel need to be kept as far apart as possible.
Enforcing this can lead to a very complicated planning exercise.

Often, you have to cope with a reduced number of channels, channels being unavailable or unreliable, and,
in the case of the 5 GHz space, limitations such as dynamic frequency selection (DFS).

In addition to planning channels, you also need to ensure that the signal is strong and consistent, with
minimal drops in connection or performance. To achieve signal strength and consistency, APs
need to be closer together than is advised from a channel planning point of view. In addition, modern
wireless standards now require ever stronger signals, again leading to APs needing to be placed close
together. In addition to planning the spacing of the APs, you must also often plan the two radio channels
associated with each AP, one in 2.4 GHz and one in 5 GHz.

This is known as a microcell architecture, and each island is referred to as a cell. Planning and
implementing efficient microcell networks is the most difficult part of deploying large wireless networks.


Each transmission contains a BSSID and SSID that identify the originating AP. The BSSID is the address
of the radio. When clients need to send data to APs, they require an address to send the data to.

In WLAN standards, the address of the radio is the Ethernet MAC address assigned by the manufacturer.
The standard also includes the ability for the AP to broadcast a service set identifier (SSID), which users can
use to identify the network.

Data in the wireless network moves at Layer 2 and is referred to as frames. Layer 3 protocols sit on
top of Layer 2 and use it as a transport.

Wireless APs bridge frames from the wireless side of the network to the wired side of the network and the
reverse. The AP functions as an Ethernet bridge.


To manage larger networks with multiple APs and ensure that only one SSID is required to access that
network, an extended service set identifier (ESSID) is used.

When an ESSID is used, even though each individual AP radio still has a BSSID, the entire network is
represented by a single ‘name’.


Each AP in the network advertises itself using beacons. A beacon is a specific type of frame that
broadcasts:
• The SSID it supports
• The BSSID (unique identity) of the AP
• A selection of other configuration information, such as supported link rates

Beacons go out approximately every 100 milliseconds, or 1/10th of a second. Beacons are part of a class of
frames that are used for the management and maintenance of the wireless network.

Because beacons are a type of broadcast frame, they do not require clients to acknowledge them. They
carry information around the wireless network, but they do not carry client data. The more management
frames are in the air, the less airtime is available to send useful data.

When a client arrives and wants to join a wireless network, it starts gathering lists of available networks,
identified by BSSIDs, from the beacons that it receives.

When evaluating which network to join, the client looks at:


• Signal strength
• Supported rates
• The SSID offered
• Various other information

After performing the evaluation, the client makes a list of preferred candidate BSSIDs.


To join a network, a client:

1. Selects a BSSID to connect to
2. Issues a probe request through a sequence of management frames
3. Receives a probe response
4. Initiates a connection

The client updates its list of preferred BSSIDs on a regular basis, performing a background scan to keep
the list up to date.

The client is in control of the BSSID selection process and makes all the choices in the process.
Sometimes, the client’s choices are not ideal. The selection of a BSSID is heavily influenced by the driver of
the client’s wireless card. The quality of the network card driver is a major factor in the reliability and
performance of a wireless client.

Often, many devices are built to a cost and, potentially, are only expected to work in a home network
environment with a single AP. The design and testing of the device and driver reflect this. Introducing a
client device like this into an enterprise wireless network can lead to issues.


If a client stays in the same place, then its connection stays stable and there’ll be no reason to select
another AP. However, clients are generally mobile and don’t stay in one place. When clients move farther
away from the associated AP, the signal often drops.


Clients constantly monitor the strength of the signal from the AP they are connected to. As the
signal strength changes while the client moves, the client should start looking at its list of APs to see if there
is a better AP to connect to. If the client does decide to disconnect from the original AP and connect to a
new AP, this is called roaming.


Clients don’t always make the best of decisions, and many of the decisions they make depend on the
quality of their wireless chipset and the driver that supports that chipset.

Clients that are used mostly in the home market often choose not to roam. Instead, they choose to remain
with the original AP, even when signal strength is poor or the signal drops. As the signal drops, the link
rate drops, and the amount of data that the client can transfer is reduced. These types of clients are often
referred to as sticky clients.

This not only leads to poor performance on that client, it also takes up more airtime to transfer data. This
can impact other clients that are associated to the same AP.

Airtime fairness is a mechanism that can help in these types of scenarios.


Another side effect of sticky clients is that they extend the area of the CCI. While trying to make low speed
transmissions back to the AP they are associated to, they are also potentially colliding with transmissions
from another AP in the building, impacting the performance of that AP and the clients associated to it.


In summary, when designing and implementing a traditional or microcell wireless LAN:

• With a limited number of channels, it is not easy to arrange the channels to minimise CCI.
• Minimizing CCI by reducing AP transmission power or disabling radios usually results in a performance
drop due to reduced link rates.
• Using wide channels is possible with many frequencies; however, in enterprise environments, you need
more channels, so you may need to use narrower channels, again sacrificing performance.
• CCI is always an issue. It can never really be eliminated, especially in modern networks where clients need
good signal strength to achieve the advertised transmission rates.
• The client is always in control, and often the client does not make the best decisions.


So, what are the alternatives to microcell networks?

Dr Vaduvur Bharghavan, one of the founders of Meru Networks, originated the concepts behind airtime
fairness and virtual cell, applying principles of cellular mobile phone networks to wireless LANs. This
involved the development of many patents in data transmission technology and the mobility of clients.

Meru Networks was founded in June 2002 and developed and sold single channel technology as an
alternative to traditional microcell, gaining great traction in high-density environments such as education
and healthcare.

Meru Networks was acquired by Fortinet in 2015, and the technology and patents have since been brought
into the Fortinet wireless technology portfolio.


There are two key features of airtime fairness in FortiWLC wireless networks: giving preferential airtime
access to the AP, and minimizing the effect of slow clients.

In wireless networks, the AP is the main transmitter and recipient of all wireless traffic in the cell. When a
client sends traffic to a server or to the Internet, it is sending it through the AP. When a client downloads
files from the server or the Internet, it is downloading through the AP. The AP is constantly sending,
receiving, and acknowledging data transmissions, and sending management traffic. In order to do all of
this, the AP requires a large share of airtime. By default, the AP radio is treated like a client radio; it gets
no preferential treatment. As a result, the AP can become a bottleneck.

FortiWLC airtime fairness technology gives preferential treatment to the AP radio. The AP is allowed to use
up to 50% of the radio airtime for its transmissions, if needed. The AP radio has enough airtime to do the
job properly, and will not be a bottleneck for the clients connected to it.

A client can be slow because it is too far from the AP, or because it is using an older wireless standard. In
either case, the client is using lower link rates and consuming large amounts of airtime. Slow clients
dominate airtime, leaving very little for other clients. The network may contain faster clients that could
make better use of the airtime, but they are not allowed to do so.

Airtime fairness introduces the ability to control transmissions to and, to a limited extent, from clients. This
means that the AP can prevent slow clients from using a disproportionate amount of airtime, allowing
faster clients access to the channel.

The AP uses a token bucket mechanism to assign airtime to clients. Each client is given tokens based on
its link rate in Mbps, divided by the number of active clients on the AP. For example, a client connected at
150 Mbps to an AP that has 10 active clients associated to it will be assigned 15 Mbps worth of tokens.
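The effect of the token bucket allocation can be checked with a small simulation. This is an added, constructed example and not FortiWLC code: it compares packet round-robin scheduling with a token bucket credited at link rate divided by active clients, for a 150 Mbps client and a 6 Mbps client fully backlogged on one radio. The 1500-byte frame size, the 10 ms token slot, and the omission of ACK/preamble overhead and of the AP's own preferential share are assumptions.

```python
"""Airtime fairness worked example.

Constructed illustration of the token bucket allocation the guide describes;
it is not FortiWLC code. Two schedulers are compared over a one-second window
on one AP radio with every client fully backlogged:

  * packet round-robin : each client gets one frame in turn, with no awareness
                         of how long that frame occupies the air
  * token bucket       : each client is credited (link rate / active clients)
                         Mbps of tokens, as the guide states, and may only
                         transmit a frame when it holds enough tokens

Airtime per frame is simply bits / link rate (assumption: preambles, ACKs and
the AP's own share are left out to keep the arithmetic transparent).
"""
from dataclasses import dataclass

FRAME_BYTES = 1500            # assumed data frame size
FRAME_BITS = FRAME_BYTES * 8


@dataclass
class Client:
    name: str
    link_rate_mbps: float      # rate the client is currently connected at
    airtime_us: float = 0.0    # airtime consumed so far in the window
    sent_bytes: int = 0
    tokens_bits: float = 0.0   # token bucket contents, in bits


def token_allocation_mbps(link_rate_mbps: float, active_clients: int) -> float:
    """Per-client token rate from the guide: link rate / number of active clients."""
    return link_rate_mbps / active_clients


def frame_airtime_us(link_rate_mbps: float, nbits: int = FRAME_BITS) -> float:
    """Time a frame occupies the channel: bits / (Mbit/s) is microseconds."""
    return nbits / link_rate_mbps


def _send(c: Client) -> float:
    """Account one frame to the client and return its airtime."""
    t = frame_airtime_us(c.link_rate_mbps)
    c.airtime_us += t
    c.sent_bytes += FRAME_BYTES
    return t


def run_round_robin(clients, window_us):
    """Packet fairness: one frame per client in turn until the window is used up."""
    used = 0.0
    while True:
        for c in clients:
            if used + frame_airtime_us(c.link_rate_mbps) > window_us:
                return used
            used += _send(c)


def run_token_bucket(clients, window_us, slot_us=10_000):
    """Airtime fairness: every slot, credit link_rate/N Mbps worth of tokens
    (Mbps * microseconds == bits) and send frames while tokens remain.
    Because the token rate is proportional to the link rate, the tokens a
    client earns per slot always take the same airtime to spend: slot/N."""
    n = len(clients)
    used = 0.0
    for _ in range(int(window_us // slot_us)):
        for c in clients:
            c.tokens_bits += token_allocation_mbps(c.link_rate_mbps, n) * slot_us
        for c in clients:
            while c.tokens_bits >= FRAME_BITS:
                c.tokens_bits -= FRAME_BITS
                used += _send(c)
    return used


def report(clients, window_us):
    """Return {name: (throughput in Mbps, airtime share)} for a finished run."""
    return {c.name: (c.sent_bytes * 8 / window_us, c.airtime_us / window_us)
            for c in clients}


def compare(window_us=1_000_000):
    """Run both schedulers for a fast (150 Mbps) and a slow/sticky (6 Mbps) client."""
    rr = [Client("fast", 150.0), Client("slow", 6.0)]
    run_round_robin(rr, window_us)
    tb = [Client("fast", 150.0), Client("slow", 6.0)]
    run_token_bucket(tb, window_us)
    return {"round_robin": report(rr, window_us),
            "token_bucket": report(tb, window_us)}


if __name__ == "__main__":
    for sched, rows in compare().items():
        print(sched)
        for name, (mbps, share) in rows.items():
            print(f"  {name:5s} {mbps:6.2f} Mbps  airtime share {share:5.1%}")
```

With round-robin the 6 Mbps client holds about 96% of the airtime and drags the fast client down to roughly its own throughput; with the token bucket each client gets exactly half the airtime, so the fast client runs at 75 Mbps while the slow one drops only from 5.76 to 3 Mbps.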


In summary, airtime fairness:

• Works on a per-AP basis. Even if you have a network with just one AP, you will have airtime fairness.
• Works on both virtual cell and native cell technology
• Is turned on by default
• Does not require any configuration

When airtime fairness is implemented, slower clients may suffer a minor slowdown, but faster clients will
perform much more efficiently. Overall, the client experience is far more consistent. Also, the careful
balancing of airtime allows for a far higher density of clients than is possible with traditional wireless APs.


Virtual Cell is the latest generation of network virtualization technology. It is implemented on top of a single
channel architecture.

As the name suggests, single channel architecture (SCA) requires that all radios be transmitting on the
same channel.

Single channel, Virtual Cell, and network virtualisation have all been Wi-Fi Alliance certified and are fully
standards compliant.

Virtual cell provides the platform for ‘network in control’, the technology that controls where workstations
are assigned in a FortiWLC network.

Virtual cell also allows the simple, linear expansion of your wireless network using the concept of channel
layering.


(slide contains animations)


Each AP radio is on the same channel, so they can all be assigned the same BSSID. The term Network
Virtualization comes from the fact that the network appears to broadcast from a single virtual AP.

(click)
You can add as many AP interfaces as required in the same virtual cell. You can increase the coverage of
the wireless signal by adding APs. All of the APs in a cell broadcast the same BSSID so, to the client, they
appear as a single AP.


(slide contains animations)


When virtual cell technology is used, the client’s BSSID list only contains one AP. Because the client is
only aware of one AP, it never attempts to roam.

When a client moves, the controller monitors the client’s signal strength.

(click)
When signal strength drops and an adjacent AP is in a better position to service the moving client, the
controller ‘assigns’ that adjacent AP to transmit data to and receive data from the client.

The client will be unaware of the change of APs because it is still receiving data from the same
BSSID. The move from one AP to another is performed seamlessly by the controller.


The combination of single channel and virtual cell together with ‘network in control’ ensures that every
workstation or wireless client is connected at the highest possible link rate, to the most appropriate AP.

High link rate connections use high signal modulation rates. To recognize and decode highly modulated
signals, a radio must receive them at a high signal strength and with a high signal-to-noise ratio (SNR).

Because of these requirements, signals using high link rates can’t travel far before they degrade and
become unrecognizable as wireless LAN signals. Therefore, they are considered fragile. Once a client can
no longer recognise a signal, it classifies that signal as noise.

When a wireless radio detects a wireless LAN signal, it does not transmit its own signal; it
waits for the channel to become clear in order to avoid collisions.

However, when a wireless radio hears noise below a certain signal strength level, known as the energy
detect threshold, it still transmits its own signal.

When signals use high link rates, the channel can be reused sooner because the fragile high link rate
signals quickly degrade to noise. This in turn allows nearby APs and clients to have a conversation.


In summary, Virtual Cell networks are simpler to deploy and expand than complex microcell networks.

In virtual cell networks:


• ‘Network in control’ means that the client is always connected to the best AP.
• A single channel allows a wider 80 MHz channel to be used, rather than a 20 MHz or 40 MHz channel.
(Microcell networks traditionally use narrower channels to minimise CCI.)
• There is reduced CCI.
• Unlike microcell AP radios, transmission power is at maximum or near maximum, allowing better link
rates at a distance.
• Clients operate at maximum efficiency.

Transmitting at maximum or near maximum power, and connected to the best AP, clients in virtual cell
networks work at the maximum link rates that they are capable of. This ensures that airtime
utilization is maximized.

Because airtime is being used more efficiently, there is far more airtime available for use, either by
clients associated to the AP or by clients from neighbouring AP islands.

In virtual cell networks, CCI is substantially lower than in any other type of network, and the area of CCI,
known as the interference region, is much smaller.


Despite the many benefits, Virtual Cell may not be the solution for all network scenarios.

The FortiWLC wireless solution also offers the ability to operate like a microcell network; this is known as
‘native cell’ mode.

In native cell configurations, a unique BSSID is enabled for each AP interface, just like in a microcell wireless
network. As a result, the network needs to be channelized like a normal wireless network, and it is subject
to all of the same microcell problems.

Native cell is typically used in very high-density scenarios where mobility is not an issue, such as
stadiums. It is also used when location services applications require each radio to have an individual
BSSID.

APs can transmit a mix of virtual cell and native cell networks, if required, but this can mean a compromise
as far as radio channel settings are concerned. For a virtual cell network to be of benefit, all radios must be
configured for the same channel. If the APs are also transmitting a native cell, this can mean that the
adjacent native cells are on the same channel and, as such, will generate CCI.


Good job! You now understand more about virtual cell and its benefits over standard microcell based
wireless. Now you’ll examine some of the limitations of virtual cell.


After completing this section, you will understand the limitations of virtual cell.


There is no limit to the number of interfaces that can be in a virtual cell; however, each radio in a virtual
cell must be from the same family of APs. For virtual cell to work properly, each radio needs to be
identical in specification; this means that the radio needs to use the same standard, have the same
capabilities, and use the same chipset. Usually, this means that all of the APs in the cell need to be the
same model.

There is a limit of 2007 clients per virtual cell. This limit is imposed by the IEEE standard. Although virtual cells
can be large from an AP point of view, you need to carefully consider the number of clients that will be
connecting to a virtual cell network, especially in large environments with large controllers.

In large environments, you may need to configure multiple smaller virtual cells to account for a large
number of clients. For example, you could configure a virtual cell for each building or for each floor in a
building. Organizing virtual cells this way means that clients only need to perform a traditional ‘roam’ when
they move between buildings or floors.


(slide contains animations)


Imagine a very simple virtual cell consisting of three APs, each with a single interface. The APs are relatively
close together to ensure consistent signal strength. Also, assume that there are no major obstructions
between the APs. For example, they are located in an open space such as an atrium or large hall.

(click)
Now, place some clients around this network.

(click)
Start a transmission between the left-hand AP and a nearby client. The client is relatively close and the
transmission is easily received by both the client and the AP.

The lack of walls and signal strength of the transmission means that the signal propagates further than
required.

(click)
Imagine the transmission trying to take place on the centre AP.

(click)
The first transmission signal is powerful enough to interrupt the conversation that is trying to occur on the
centre AP, resulting in a collision.

(click)
In this example, any conversations that take place in this area are considered to be in the same interference
region, in that any simultaneous transmissions inside this region will result in a collision.

The airtime in this region is effectively shared between the clients and APs.


(slide contains animations)


Now imagine a conversation on the right-hand AP.

(click)
It would also interfere with a conversation on the centre AP.

(click)
These two APs are also part of the same interference region.


(slide contains animations)


Now consider conversations occurring on the two outermost APs.

(click)
The right-hand AP and an associated client begin to communicate.

They are close in proximity and ‘network in control’ ensures that the best AP is servicing the client. As a
result, the highest link rates are used, resulting in a high rate of modulation which, in turn, makes the signal
fragile.

In order to decode these transmissions successfully, any radio receiving them must:
• Receive them at a strong signal strength
• Receive them at a good SnR

(click)
As the signal moves away from the original AP, the signal quickly reduces below the signal strength
required to decode it.

As a result, to any other radio, the signal appears as noise, not a wireless signal.

(click)
If this noise is below the energy detect threshold of the left-hand AP and client, then that AP and client
will reuse the channel to start their own conversation. This happens because the right-hand and left-hand
APs are not in the same interference region.


The AP neighbor count is used to estimate the size of interference regions.

When there are many interfaces sharing the same channel, the interference region gets larger. This can
result in air time being shared across greater numbers of clients and a reduction in performance.

The guideline number for AP neighbors is 10. Although many networks can operate satisfactorily with
more than 10 AP neighbors, having 10 AP neighbors is a good guideline to follow when you design
networks.

The survey tools that you use during the design phase allow you to simulate your AP layout, including the
number of neighbouring APs. This allows you to see any potential AP neighbor issues during the design
stage.

Additionally, it is possible to query the system to get a real-time measure of how many AP neighbours
each access point has.

In most installations, walls and RF barriers prevent signals from travelling too far and creating problems caused
by a high AP neighbour count. However, there are scenarios, such as exhibition halls and stadiums, where the AP
neighbour count can become a problem. You will learn more about how to deal with high AP neighbour counts in
another part of this course.


Good job! You now understand some of the limitations of virtual cell. Now you’ll examine what makes up a
FortiWLC wireless solution.


After completing this section, you will be able to:


• Describe the components used in a FortiWLC solution.
• Describe the architecture of a FortiWLC solution.


The minimum requirements of a FortiWLC wireless network are a controller and one AP.

The management and monitoring of a virtual cell solution requires significant CPU and memory. An AP by
itself does not have the power required to manage and maintain a virtual cell of any size. The controller
acts as a central point of coordination.

Controllers are available in both hardware and virtual forms. There are also multiple models of controllers.

The size of the controller that is used in a network is based on the number of APs and wireless clients that
are to be supported. When selecting a controller, it is important to remember that users often carry more
than one wireless device, so when making calculations around client count, you should always assume
more than one client per user.

Not all Fortinet APs can be used in a FortiWLC solution. Different APs support different RF standards:
there are 802.11n APs and 802.11ac Wave 1 and Wave 2 APs.

When you select an AP, you will consider budget, throughput requirements, and client standards. For
example, you wouldn’t select an 802.11ac AP unless your clients can support that standard.

As well as supporting different RF standards, there are Fortinet AP models with internal antennas or
external antennas, as well as weatherproof APs that can be placed outdoors.


A FortiWLC solution can contain an optional component: Fortinet Wireless Manager. Fortinet Wireless
Manager is also available in a hardware or virtual format.

Fortinet Wireless Manager performs central management and monitoring functions that allow an enterprise
to manage and monitor multiple controllers in their organization. It provides extended and extensive
logging and monitoring capability that can store up to a year’s worth of monitoring data for many
controllers.

Fortinet Wireless Manager also gives you the capability to centrally configure wireless services on multiple
controllers simultaneously, avoiding the need to go to each controller to perform network configuration.
There are a number of optional software modules that can be added to extend the functionality of Fortinet
Wireless Manager.

Service Assurance Manager provides a self-test function for your wireless network. This is particularly
useful in scenarios where a service level agreement (SLA) is in place. You can use Service Assurance
Manager to do automated testing of the wireless network. You can then compare those test results against
a baseline, allowing the monitoring of real performance over time.

Spectrum Manager provides centralized spectrum analysis for capable APs. Some APs can switch from
AP mode to dedicated spectrum analysis mode. They will then report spectrum data back to a centralised
software module on the network manager. This allows spectrum analysis to be conducted together with
automated detection of interferers and proactive warning of an interference problem.

Wireless Intrusion Protection (WIPS) provides additional rogue AP detection, analysis, and mitigation
functionality, increasing the security of your wireless network.


FortiWLC components can be arranged in two different configurations, depending on the type of services
that you need to offer.

In the examples shown in this slide, a large school has a locally managed wireless controller, owned and
maintained by the school, that supports the APs in the school. The controller can also support remote APs
such as the teacher who is working from home using an AP in their home. This allows the school’s
wireless network and security policies to extend into the teacher’s home and allow the teacher to access
all of the school services seamlessly.

You may choose to have some services hosted centrally, in a data centre. For example, it is possible to
have a centrally hosted network manager that can look after a branch office controller and APs. This is
shown in the diagram on the slide in the green box. You can also have a centrally hosted controller that
provides wireless service to smaller branch offices, as shown in the diagram in the blue box.

There are multiple options for how you deploy this equipment to allow maximum flexibility.


Congratulations! You have completed this lesson.


This lesson covered the following objectives:


• Describe the differences between traditional wireless LAN technologies and virtual cell.
• Understand the benefits of virtual cell.
• Understand the limitations of virtual cell.
• Describe the components of a FortiWLC solution.
• Describe the architecture options for a FortiWLC solution.


Radio Frequency Planning


In this lesson, you will examine some of the basic concepts of wireless communication, and how we can use
these concepts to plan the configuration of a FortiWLC based wireless network.


In this lesson, you will explore the following topics:


• Fundamentals of radio transmission
• Wireless LAN frequencies and channels
• Channel selection
• AP families


After completing this section, you should be able to:


• Describe the fundamental principle of data transmission across a wireless signal.
• Describe the various properties of RF signals.
• Describe some of the fundamental limitations of transferring information across an RF signal.


As you know, when computers talk in binary, they communicate in strings of ones and zeros.

Traditional wireless signals behave differently. They use alternating analog electromagnetic waves to
communicate information between two points that are not physically connected.

Typically, radio signals are transmitted or radiated in the form of a sine wave, often known as a carrier signal.
This carrier signal has a constant, predictable pattern alternating between two energy levels. By itself, a signal
does not carry any information, at least not until it is modulated.

Wireless LAN technology uses encoded binary signals. Traditional radio and TV stations send encoded
music, voice, or video signals.

Wireless LANs can use many different types of signal modulation. The type depends on the wireless standard
in use, and the health of the wireless connection between radios.

Modulation changes various parameters of the signal. Those changes can be used to encode information onto
the carrier signal.

Changes in the waveform are transmitted across free space until they reach a receiver. During that time they are
subject to various laws of physics, which can change the properties of the signal. Some of those changes affect the
quality of the signal and, as a result, the performance of the wireless connection.

Assuming the signal reaches the receiving radio in a good condition, the receiving radio compares the sine
wave pattern with the encoded version to detect the changes made during modulation and then decode the
information that was sent.


The defining property of RF signals is frequency. Frequency is a measure of how many times the wave
alternates from a lower energy state to a higher energy state in a second.

For an extremely low frequency signal of 2 Hz, the wave will cycle two times a second. The higher the
frequency, the more times the signal will alternate.

A useful analogy is sound which, although it’s not traditionally considered to be part of the electromagnetic
spectrum, exhibits similar properties to radio waves. The human ear can detect a range of frequencies of
sound, from the lowest at 20 Hz, to the highest at 20,000 Hz. The lower the frequency, the lower the tone. For
example, a fog horn typically emits a signal at about 150 Hz which results in a sound that can travel a long
way. A high-pitch scream emits a signal at approximately 3000 Hz.
This higher frequency sound wave typically requires more energy to generate. Similarly, higher frequency
wireless signals will also require more energy, which can have implications for battery usage.

Radio waves adopt the same principles, but are considered to be part of the electromagnetic spectrum—a
range of frequencies that includes extremely low frequency radio up to radio waves, microwaves, visible light,
and finally up to ultraviolet, x-rays, and gamma radiation.

Radios typically operate in a frequency range between 3 kHz, a signal that alternates 3000 times a second, up
to 300 GHz, which is a signal that alternates 300 billion times a second. Wireless LANs typically use
frequencies of approximately 2.4 GHz, or 2.4 billion cycles a second, and five GHz, or five billion times a
second, or approximately twice as many cycles a second.

Each cycle of a wave allows the possibility of modulation so, in theory, higher frequency waves can carry
more information.


So, you can transmit signals in waves that cycle a different number of times a second. Each wave operates in
its own precise part of the electromagnetic spectrum. If you transmit signals at two different frequencies,
the two waves do not interact or interfere with each other. This is why some access points can transmit 2.4
and 5 GHz signals at the same time, through the same antenna.

If you transmit two signals on the same frequency, those signals can interfere with each other. The waves will
interact with each other, altering the wave forms and corrupting any modulated signal.

Because radios are not perfect at transmitting in a precise frequency, the energy spills over into adjacent
frequencies. The result is that two radios transmitting on adjacent frequencies can interfere with each other.
The closer the radios are in frequency, the more likely that interference will occur.

In general, antennas and radios can receive signals across a broader range of frequencies. However, like the
radio receiver in your car that can be tuned to different radio stations, an AP radio can be tuned to only one
frequency (or channel) at a time, for both receiving and transmitting wireless signals.


Another important property of radio signals is amplitude. Amplitude is a measure of the amount of energy in
the signal. It is measured as the difference in energy level between a point of equilibrium and the peak signal
oscillation.

If you compare amplitude with sound, amplitude is the loudness of the signal. On earth, the signal has to
travel through various types of mediums. The medium will absorb energy from the radio signal and, as a
result, the amplitude of the signal is reduced or attenuated. Different materials have different abilities to
absorb energy. Air has very little attenuation whereas walls, water, human bodies, and so on, can attenuate
much more.

As the amplitude, or loudness, of the signal is reduced, there will be a point where it is difficult for the receiver to
understand or decode the information in the signal. For example, if you are having a conversation with a friend
at a normal volume and your friend is standing six feet away from you, they will easily be able to hear and
understand what you’re saying. However, if your friend moves 100 feet away, and you carry on the
conversation at the same volume, your friend will no longer be able to hear clearly what you are saying. They
may hear you talking—they can hear a signal—but they will not be able to understand or decode what you’re
saying. To allow your friend to hear what you’re saying, you could increase the amplitude, or loudness, of your
voice, otherwise known as shouting.

In theory, the frequency of a signal does not make any difference to the distance that it travels. Only the
amplitude matters. However, one of the practical side effects of different frequencies is that antennas send
and receive different frequencies at different efficiency rates. A feature of antenna design, called the antenna
aperture, means that higher frequency signals are harder to receive successfully than lower frequency ones.
This means, practically, that higher frequency signals have a shorter range.


Another major impact on the energy level of radio signals is the inverse square law. It is not a property of the
signal but it does affect the reception of all types of electromagnetic signals significantly.

The inverse square law states that “the intensity or power of a signal changes in inverse proportion to the
square of the distance from the source.” As the signal leaves its source, it has to cover more and more space.
Because there is only a fixed amount of energy to begin with, the energy dissipates as the volume of space
grows.


If a radio signal is being transmitted from a single point, such as a signal of one watt being transmitted from an
antenna, the signal travels in all directions at the same time.

As the signal travels out, the volume of space that that one watt has to illuminate increases and the quantity of
signal to cover the space decreases.

This happens regardless of the medium involved.



To see how this affects energy levels for radios, the table on this slide shows the strength of the signal power
plotted against the distance from the AP. The scale is 1 to 30. The unit doesn’t matter—it could be inches,
yards, miles, or even light years.

As the client moves away from the signal source, the signal strength rapidly drops. Even at very short
distances, the signal is reduced to one-quarter or one-ninth of the power, but as the client moves farther out
the rate of reduction in power decreases. Even so, at 25 yards the signal is approximately 1/625th of the power
level emitted by the antenna. However, the signal strength never actually reaches zero. In theory, you could
place the AP on the moon and some of its energy would still reach the wireless client on earth, although its
energy level would be miniscule. This is why you can see stars from the other side of the galaxy, countless
light years away. Some of the photons of light still manage to reach the earth because of the inverse square
law.

This reduction in signal strength can have an enormous effect on the wireless signal received by your clients.


So how do you measure amplitude or power?

To correctly install and monitor a wireless network, it is necessary to have a basic understanding of RF
mathematics. You must be able to take signal strength measurements and do signal strength calculations to
ensure that you select, for example, the right antenna and don’t exceed any legal power limits.

Light is measured in the form of watts, for example, a 60 W light bulb or 10 W LED. But the signal strength of
radio waves is measured in dBm, or decibels referenced to 1 milliwatt. Most access points can transmit at up
to 200 mW or 0.2 of a watt.

Consider the previous slide and the reduction in power that occurs over relatively short distances. By the time
the client is any distance away, the received signal strength is very small. The actual signal strength the client
can decode is the smallest number shown on the previous slide.

The watt scale is linear. It makes working with very large and very small numbers difficult and does not reflect
the logarithmic nature of the inverse square law. Imagine asking an end user what their client’s received
signal strength is and having them read out 0.0000, and so on.


Instead of using the watt scale to measure RF signal strength, use the decibel measure. The decibel measure
reflects the logarithmic nature of the inverse square law.

dB by itself is a ratio—the difference between two signal levels—and does not indicate quantity until it is
referenced to something. In the case of dBm, dB is referenced to 1 milliwatt, which indicates a quantity. So,
when dealing with smaller power levels, instead of having to talk about all those zeros, you can talk about
dBm, which is a much easier way to express RF signal strength. For example, the maximum transmission
power of an AP is 200 mW, which equals 23 dBm.


The table on this slide shows some common decibel to watt/mW conversions. The blue area shows the power
levels that the radios transmit in. The green areas show the power of the same signal when it arrives at the
receiving radio. Remember the power of the inverse square law, and see the difference in power levels.

The power of the dBm scale is that at one end it can represent the power of the sun at 296 dBm, and at the
other end it can represent the weakest wireless LAN or GPS signal, all within four characters.

Remember decibels are logarithmic, so be aware that increasing the power of the signal by 3 dB effectively
doubles the power, while decreasing the power of the signal by 3 dB halves the power.


Along with frequency and amplitude, signals occupy bandwidth.

Often radio signals are not transmitted on a single frequency, but on a range of frequencies, known as the
frequency band, or in the wireless LAN world, a channel.

Usually, the wider the channel the more frequency space is available for transmission. In modern wireless
networks, the more frequency space that is available to transmit signals, the more data the channel can carry.

The screenshots on this slide show images taken on a spectrum analyser. The images show different types of
wireless signals being transmitted at different bandwidths. Incidentally, it is also possible to see the noise floor
as well. Noise will be covered later in this lesson.


Because the frequency range assigned for wireless LAN use is limited, the wider the channel the fewer the
channels that you can fit into the assigned frequency space. This can limit the number of traditional access
points that you can efficiently deploy in a network.

Current wireless standards allow the use of multiple channel widths, from 20 MHz up to 160 MHz. However,
this depends on the standards in use. The practical applications of the wider channel widths depend on the
wireless technology in use and the environment the network is operating in. It is widely acknowledged that
traditional microcell networks will not be able to use 160 MHz channels in anything more than a single AP
home environment. There simply are not enough 160 MHz channels available to accommodate the multiple
channels that are required for a larger microcell network to minimise CCI.

In principle, a virtual cell network will operate successfully on a 160 MHz channel.


Noise is the presence of an unintended signal on the same frequency as the one that you’re trying to listen
to.

People old enough to remember listening to radio stations on long wave or AM will remember having to tune
the radio precisely to get the best quality signal. Even then, you would often hear a constant background
hiss—unintended signals or background noise transmitted on the same frequency at the same time from
another source. Often, this background noise, while annoying, did not stop you from listening to the radio
station. You could still decode the signal.

However, if someone turned on an electrical appliance, such as a vacuum cleaner, the interference on the
radio could increase dramatically, possibly to the point where you could no longer hear the radio station
clearly.

Signals could be from another radio device that is allowed to use the same frequency—for example, a baby
monitor or garage door remote control. Or, it could be random energy from a device such as a microwave,
which uses the energy of microwaves to heat the water in food.

Wherever the signal comes from, it could be at a signal level that drowns out the signal you are trying to hear,
making it impossible to understand what is being transmitted.


It is important to note that noise can be additive, meaning that multiple noise signals from various sources add
up, increasing the total noise signal. In wireless networks, the effect of noise is usually measured using the
term signal-to-noise ratio, or, SnR. SnR is the number of decibels difference in signal strength between the
noise signal(s), sometimes called the noise floor, and the signal strength of the intended signal.

Most enterprise wireless systems have the ability to measure the noise floor. It is one of the most important
measurements to monitor in a wireless environment.

However, these measurements are usually taken at access points. As the diagram on the slide shows, the
amount of noise can vary depending on the location of the noise source, the clients connecting to the AP, and
the location of the AP. So, even though the APs may not be measuring a very high noise floor, your clients
could still be suffering from a noise problem.

All wireless LAN radios have to detect the noise floor to operate properly, but reporting that measurement is
another matter. Some clients have the ability to report the noise level detected, but the ability to do so
depends on the client, the operating system, and whether the noise level is reported in a useful format. Often,
you have to use another type of device to take precise measurements of noise in different parts of the
network.


The device used to detect and measure noise is a spectrum analyzer. However, this is usually expensive and
requires complex chipsets and radios, so spectrum analyzers are used for in-depth troubleshooting of
interference issues.

Most of the time, the access points do a reasonable job of estimating the noise floor around an AP. However,
the primary job of APs is to transmit and receive data traffic so they don’t always contain the type or quality of
radio needed to perform spectrum analysis.

APs also measure the signal received from the client, which allows you to use basic math to calculate the
signal-to-noise ratio.

All radio connections require a reasonable signal-to-noise ratio in order to operate. For wireless LANs, the
minimum SnR for a usable connection is 15 decibels, so a difference of at least 15 decibels is needed
between the signal strength of the client and the estimated signal strength of the noise floor. Higher
connection speeds and more advanced wireless technologies require a cleaner spectrum and, therefore, a
greater SnR—in many cases up to 36 decibels.

Again, always remember that these measurements are often conducted from the access points and may not
reflect noise local to the client.

Some enterprise access points have the ability to operate in two modes. One mode is the normal day-to-day
servicing of clients, and the other mode is the ability to switch into a dedicated spectrum analysis mode, which
is useful for in-depth troubleshooting.
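The RF arithmetic in this section worked through in code: the watt to dBm conversion and the 3 dB doubling rule, the inverse square law from the earlier slide, and the 15 dB and 36 dB signal-to-noise thresholds above, including the caveat that an AP-side noise floor says nothing about noise local to the client. This is an added example, not FortiWLC or Fortinet code; the signal and noise readings in it are constructed, and the link is assumed to be symmetric.

```python
"""RF arithmetic from this lesson: watts <-> dBm, the inverse square law,
and signal-to-noise assessment. Added example (not FortiWLC or Fortinet code);
all sample readings below are constructed."""
import math
from typing import Dict, Optional

# Thresholds stated in the text: at least 15 dB SnR for a usable link,
# up to 36 dB for the highest connection speeds.
MIN_USABLE_SNR_DB = 15.0
HIGH_RATE_SNR_DB = 36.0


def mw_to_dbm(milliwatts: float) -> float:
    """dBm is decibels referenced to 1 mW: 10 * log10(P / 1 mW)."""
    if milliwatts <= 0:
        raise ValueError("power must be positive")
    return 10.0 * math.log10(milliwatts)


def dbm_to_mw(dbm: float) -> float:
    """Inverse of mw_to_dbm (23 dBm is roughly 200 mW)."""
    return 10.0 ** (dbm / 10.0)


def power_ratio_db(ratio: float) -> float:
    """dB difference for a power ratio; a ratio of 2 is about +3 dB."""
    if ratio <= 0:
        raise ValueError("ratio must be positive")
    return 10.0 * math.log10(ratio)


def inverse_square_fraction(distance: float) -> float:
    """Fraction of the power seen at distance 1 that remains at `distance`
    (the slide's unitless scale): 1 / d^2, so 1/625 at distance 25."""
    if distance <= 0:
        raise ValueError("distance must be positive")
    return 1.0 / (distance * distance)


def inverse_square_loss_db(distance: float) -> float:
    """The same relationship on the logarithmic scale:
    10 * log10(d^2) = 20 * log10(d), about 28 dB at distance 25."""
    return 20.0 * math.log10(distance)


def received_power_dbm(tx_dbm: float, distance: float) -> float:
    """Transmit power minus inverse-square loss only (no antenna gains,
    no wall or body attenuation); distance 1 is the reference point."""
    return tx_dbm - inverse_square_loss_db(distance)


def snr_db(signal_dbm: float, noise_floor_dbm: float) -> float:
    """Both readings are in dBm, so the ratio in dB is a plain subtraction."""
    return signal_dbm - noise_floor_dbm


def classify_snr(snr: float) -> str:
    """Map an SnR onto the thresholds stated in the text."""
    if snr < MIN_USABLE_SNR_DB:
        return "unusable"
    if snr < HIGH_RATE_SNR_DB:
        return "usable"
    return "high-rate"


def assess_link(signal_dbm: float, ap_noise_floor_dbm: float,
                client_noise_floor_dbm: Optional[float] = None) -> Dict[str, object]:
    """SnR as the AP measures it, plus the client's own view when the client
    can report its local noise floor. The link is treated as symmetric (same
    received signal level in both directions), which is a simplification.
    The overall verdict takes the worse of the two, because a quiet noise
    floor at the AP says nothing about an interferer next to the client."""
    ap_snr = snr_db(signal_dbm, ap_noise_floor_dbm)
    result: Dict[str, object] = {"ap_snr_db": ap_snr,
                                 "ap_verdict": classify_snr(ap_snr)}
    worst = ap_snr
    if client_noise_floor_dbm is not None:
        client_snr = snr_db(signal_dbm, client_noise_floor_dbm)
        result["client_snr_db"] = client_snr
        result["client_verdict"] = classify_snr(client_snr)
        worst = min(ap_snr, client_snr)
    result["verdict"] = classify_snr(worst)
    return result


if __name__ == "__main__":
    print(f"200 mW = {mw_to_dbm(200):.1f} dBm; doubling = {power_ratio_db(2):.1f} dB")
    for d in (1, 2, 3, 25):
        print(f"d={d:>2}: {inverse_square_fraction(d):.6f} of source power, "
              f"{received_power_dbm(23, d):6.1f} dBm from a 23 dBm AP")
    # The AP hears a quiet -95 dBm floor, but an interferer near the client
    # raises the client's local floor to -72 dBm (constructed readings).
    print(assess_link(signal_dbm=-60, ap_noise_floor_dbm=-95,
                      client_noise_floor_dbm=-72))
```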


The properties of wireless signals, such as signal strength, noise and bandwidth, affect the reliability and
speed of the wireless network.

Link rates, also known as MCS rates, are used to assess this reliability and speed and are defined as part of
the wireless standards. Link rates define the quantity of data that can be encoded and modulated onto a
signal at any given time. The higher the link rate, the less time that is spent transmitting data and the more
data that can be sent in any given time period.

Transmissions in each direction have a link rate—one link rate from the AP to the station, and one from the
station to the AP. Both the station and the AP will negotiate a link rate based upon the health of the
connection. The connection health is measured using the received signal strength of the other radio, the
signal-to-noise ratio, and the channel width in use. There are other factors to take into account, but these are
the main ones.

Each radio will attempt to use the highest link rate that conditions allow. However, both radios will continually
monitor the link rates and, if the health of the connection changes, will move their link rates up or down. For
example, if the station moves farther away from an access point, the client will measure the reduction in AP
signal strength and reduce its link rates accordingly.

Likewise, if the noise floor increases for any reason, the signal-to-noise ratio will decrease resulting in the
radios involved reducing their link rates.

A major part of wireless design, implementation and monitoring is ensuring that your clients achieve the
highest link rates possible.



This slide shows the original set of link rates used by one of the original wireless standards, 802.11b. With
only four link rates, it was a fairly simple process. However, wireless standards have advanced and there are
many more link rates that can be used.

Here are the link rates used by the latest wireless standard, 802.11ac. The data rates have increased
substantially, from 11 Mbps to 1300 or even 2340 Mbps for the faster 802.11ac standards. However, these data
rates come at a cost of more battery power, stronger signals, and lower noise floors.

Some of the faster link rates use 160 MHz channels and four radio streams, which are not supported yet
in the real world. The chips may not exist or, if they do, would demand a lot of battery power to work at those
high rates. This makes these chips impractical for general use in battery powered devices.

In addition, some of the high modulation rates also require a strong signal and a low noise floor. In the real
world, this is not always possible and often requires line of sight to the access point. To get the fastest rates, a
client would have to be located within a few feet of the access point.


In summary, the higher the frequency, the more data that can be carried. This is why 5 GHz is now the only
frequency that supports the highest connection rates. Additionally, the higher frequency usually also means a
higher encoding rate. Higher connection and encoding rates usually require more power to transmit. The higher
data transmission rates can, as a result, consume more battery power, which affects handheld devices.

For practical purposes, the higher the frequency, the shorter the distance the wireless signal will travel. 2.4
GHz signals are usually better than five GHz at distance. This sounds bad to most people who are unfamiliar
with wireless technology. After all, most people want to deploy as little equipment as possible to meet
requirements, but APs cost money.

However, from a wireless performance point of view, the shorter distance the signal travels, the quicker the
signal can be reused again. This means it is possible to deploy access points in greater density, allowing for
more bandwidth to be concentrated in one location.

Remember, access points operate as islands of coverage. Each island has only a limited quantity of
bandwidth. The smaller the islands, the more islands that can fit into an area, resulting in more bandwidth
available to your clients.


Good job! You now understand the fundamentals of radio transmission.

Now, you will examine wireless LAN frequencies and channels.


After completing this section, you should be able to:


• Describe commonly used wireless frequencies and their benefits and risks.
• Describe the concepts of channels and channel width.


Because of the nature of wireless transmission and how far signals can propagate, the transmission frequency
and the power of signals are strictly controlled to avoid an unrestricted free-for-all when using the radio
spectrum. The allocation of spectrum to different uses is managed by the International Telecommunication
Union (ITU), an organization attached to the United Nations that is responsible for coordinating local
organizations across the world. This minimizes the chance of a country’s radio links interfering with another
country’s satellite transmissions.

In North America, the Federal Communications Commission (FCC) is responsible for controlling the
spectrum. In the UK, it is Ofcom. Other parts of the world have their own organizations with similar
responsibilities. The ITU defines the broad use for a spectrum, but local authorities are responsible for
implementing the precise regulations for transmission frequency and power. Different parts of the world use
different wireless frequencies at different power levels, as you will see later in this lesson.

The regulations implemented by local authorities are usually laws. Breaking these laws can mean significant
fines or even jail time, depending on the country in which the laws are broken. If you don’t understand the
rules and regulations about the use of wireless devices in your country, especially the channels to use and at
which power levels, you should refer to your local regulatory body for guidance. For example, don’t use
wireless equipment in North America that is designed for use in Europe or use wireless equipment in Europe
that is designed for use in North America. However, most equipment is multi-standard, which means it can be
configured to operate in different parts of the world.

The purpose of this course is not to describe the precise rules and regulations for each part of the world, but
to give you guidance on choosing the right channels and deployment of equipment. It is up to you to ensure
that you are obeying local regulations.


The most commonly used wireless LAN frequencies across the world are the 2.4 GHz range and the 5 GHz
range. The 2.4 GHz range, supported in the 802.11b/g/n standards, was the first and, initially, the most
commonly used frequency. It consists of 14 channels of which only three are usable. The amount of
bandwidth available on 2.4 GHz is relatively small compared to 5 GHz. The lack of bandwidth combined with
the lower frequency means that data rates are limited. The positive side of using 2.4 GHz was that the
equipment tended to be cheaper and, as a result, it was more popular during the early days of wireless
technology. However, as bandwidth requirements have increased, the lack of channels and capacity means
that 2.4 GHz is much less popular today.

Initially, the 5 GHz range was less popular in some parts of the world because of local regulations and the
cost of equipment. However, there is more spectrum available for the 5 GHz channels. Combined with the
higher frequency, this usually means that the capacity or throughput of 5 GHz is much greater than 2.4 GHz.
Over the years, the 5 GHz spectrum around the world has been deregulated and released from other
purposes, and is increasingly being used for wireless LAN transmission. This means that it is possible to have
up to 19 channels available for wireless use, depending on the channel width and global location. As it stands
today, more 5 GHz frequency space will be released, however, there are some limitations over channel use,
as you will explore in this lesson.

Note the numbers quoted on this slide—600 Mbps for 2.4 GHz and 3390 for 5GHz—are not real data
throughput. Real data throughput would be the rate at which you could, for example, copy a file across a
wireless link. The numbers quoted on this slide and on the specification sheets of wireless equipment specify
the physical layer (PHY) throughput number. Wireless transmission involves a lot of administration and
management traffic and processes to make the wireless link work successfully. As a result, some of the
headline capacity quoted here is always used for management frames and is not available for carrying real
data. These PHY numbers also vary based on the capability of the wireless equipment. Not all APs and
clients are created equal in terms of radio capacity.

FortiWLC 8.2 Study Guide 69


Radio Frequency Planning

DO NOT REPRINT
© FORTINET

Increasingly, you will see references to other frequencies. As the use of wireless technology is increasing
exponentially, more and more frequency space is being sought to add capacity.

In the future, you’ll see references to 900 MHz technology based on 802.11ah, which provides lower
bandwidth but greater range.

3.6 GHz technology, based on 802.11y, releases spectrum between 2.4 GHz and 5 GHz. Currently, it is
proposed for use only in North America, but other parts of the world may follow. It is usually used for campus,
outdoor, and last-mile connectivity.

Finally, 60 GHz is a very high-frequency technology that provides very high bandwidth. Based on 802.11ad, it
is likely to offer only in-room access for high-bandwidth media devices, for example, streaming high-
bandwidth video. Currently, Fortinet does not have any equipment that operates in this range, but the company
is continually reviewing the market and available technologies.

The 2.4 GHz frequencies were the first to be released for use. These frequencies are known as unlicensed
frequencies, which means that you do not need a licence to use them. Commonly known as the ISM bands,
the 2.4 GHz frequencies have been internationally reserved by the ITU for industrial, scientific, and medical
applications. These frequencies can be used for many radio purposes—wireless LANs and Bluetooth use 2.4
GHz.

Many other devices use wireless communication, such as cordless phones, remote garage door openers,
security cameras, and so on. The point is that if you want to use wireless communication and do not want to
apply for a licence to use it, then 2.4 GHz is the frequency to use. The result is that 2.4 GHz is a very busy
frequency.

The ITU defined the frequencies between 2.412 and 2.484 GHz for ISM use. That frequency space is split into
14 channels, each approximately 20 to 22 MHz wide. However, not all of these channels are available in all
parts of the world, depending on the local regulatory requirements and the transmission power you're allowed
to use.

These channels overlap, which can cause confusion. For example, if you try to use channels 1 and 2, which
occupy almost the same frequency space, the signals transmitted on either channel will interfere with the
other. This is typically known as adjacent channel interference (ACI). This is probably one of the biggest
sources of confusion when configuring requirements for 2.4 GHz. Many users do not know about the channel
overlap and its potential effects and, as a result, might choose inappropriate channels.

As previously mentioned, different parts of the world use different frequencies. In North America, only
channels 1 through 11 are available but, because they overlap, you can only use channels 1, 6, and 11, as
shown on the slide.

If you are setting up a small wireless network in the middle of nowhere that has two APs, then there will be
no problem with channel choice. The two APs can use two of those channels. You can add a third AP without
any issue but, as soon as you try to add a fourth AP, you must reuse one of the channels. Each time you
reuse a channel, you risk causing interference with one of the other APs using the same channel. This is
known as co-channel interference (CCI).

The other issue is that wireless networks are often set up in locations where other wireless networks are
present. Because 2.4 GHz propagates well, there will be wireless signals coming from other APs in your area,
which can generate CCI. This makes planning an enterprise wireless network on 2.4 GHz tricky because of
the sheer number of APs that can be needed to cover the building. Designing a channel plan is, at best, a
compromise.

It is also possible, using 802.11n, to bond channels together to provide more bandwidth. However, while this
might work for a home environment with a single AP, it will make channel planning in enterprise environments
very difficult.

In Europe there are more channels available—up to channel 13. However, channels overlap and, as a result,
only channels 1, 7, and 13 are usable. Otherwise, the same issues exist for 2.4 GHz wireless LAN channels in
Europe as North America.

A legacy issue exists that can affect channel use in Europe. A large number of the initial deployments in
Europe used the same channel scheme as North America, so there are large numbers of networks that use
channels 1, 6, and 11. Additionally, a number of the early wireless clients were designed for use in the United
States only. As a result, if you published an AP on channel 13, you would find that a large number of your
clients would never be aware of it. This means that channels 1, 6, and 11 became the standard, even with the
availability of channel 13.

As the illustration on the slide shows, if you adopt channels 1, 7, and 13, you will generate a lot of ACI with
any existing APs using the 1, 6, and 11 scheme. This will cause problems for APs on your channel, as well as
neighbouring APs on the ACI channels.

It is usually better to have APs on the same channel, which enables the APs to manage coexistence better. If
the channels are adjacent, as shown on this slide, the overall impact on performance can be far greater.
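The channel overlap and the 1/7/13 versus 1/6/11 conflict described above can be checked mechanically before a plan is deployed. The following Python script is an added example, not code from the FortiWLC guide or from Fortinet; the 22 MHz channel width and the AP names in the sample are assumptions made for the illustration.

```python
"""2.4 GHz channel-plan checker.

Added example, not code from the FortiWLC guide. It models the ISM grid the
text describes: channels 1 to 13 have centre frequencies 5 MHz apart starting
at 2412 MHz, channel 14 sits at 2484 MHz, and each channel is roughly 22 MHz
wide, so two channels whose centres are less than 22 MHz apart overlap and
produce adjacent channel interference (ACI). Two radios on the same channel
produce co-channel interference (CCI) instead.
"""
from itertools import combinations

CHANNEL_WIDTH_MHZ = 22  # assumption: upper end of the 20 to 22 MHz width quoted in the text


def centre_frequency(channel: int) -> int:
    """Centre frequency in MHz of a 2.4 GHz channel number (1 to 14)."""
    if not 1 <= channel <= 14:
        raise ValueError(f"invalid 2.4 GHz channel: {channel}")
    if channel == 14:
        return 2484  # channel 14 is 12 MHz above channel 13, not 5
    return 2407 + 5 * channel


def channels_overlap(a: int, b: int) -> bool:
    """True when two different channels share spectrum (an ACI pair)."""
    if a == b:
        return False  # identical channels are a CCI case, handled separately
    return abs(centre_frequency(a) - centre_frequency(b)) < CHANNEL_WIDTH_MHZ


def is_non_overlapping_plan(channels) -> bool:
    """True if every channel in the scheme is distinct and clear of the others,
    e.g. the North American 1/6/11 and the European 1/7/13 schemes."""
    chans = list(channels)
    if len(set(chans)) != len(chans):
        return False
    return not any(channels_overlap(a, b) for a, b in combinations(chans, 2))


def check_assignments(assignments: dict) -> list:
    """Classify every pair of radios as a 'cci' or 'aci' conflict.

    assignments maps a radio name to its channel. Returns
    (name_a, name_b, kind) tuples in sorted-name order so the output is
    deterministic; pairs with no conflict are omitted.
    """
    findings = []
    for name_a, name_b in combinations(sorted(assignments), 2):
        ch_a, ch_b = assignments[name_a], assignments[name_b]
        if ch_a == ch_b:
            findings.append((name_a, name_b, "cci"))
        elif channels_overlap(ch_a, ch_b):
            findings.append((name_a, name_b, "aci"))
    return findings


# Constructed sample: our APs on the European 1/7/13 scheme installed next to a
# neighbour's legacy 1/6/11 network, the situation the text warns about.
SAMPLE_ASSIGNMENTS = {
    "ours-ap1": 1, "ours-ap2": 7, "ours-ap3": 13,
    "neighbour-ap1": 1, "neighbour-ap2": 6, "neighbour-ap3": 11,
}

if __name__ == "__main__":
    for scheme in ([1, 6, 11], [1, 7, 13], [1, 6, 11, 13]):
        print(scheme, "clean" if is_non_overlapping_plan(scheme) else "overlapping")
    for name_a, name_b, kind in check_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{kind.upper()}: {name_a} (ch {SAMPLE_ASSIGNMENTS[name_a]}) "
              f"vs {name_b} (ch {SAMPLE_ASSIGNMENTS[name_b]})")
```

Both 1/6/11 and 1/7/13 pass on their own; the sample shows that mixing them produces one CCI pair and three ACI pairs along the shared coverage area.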

The following list is a summary of best practices when using 2.4 GHz wireless channels:
• Use only channels 1, 6, and 11. Avoid using any other channel scheme.
• Never use any of the intervening channels for any reason. You will make yourself a bad RF neighbour and
cause issues for yourself and other users of the spectrum.
• If you are installing a FortiWLC single channel/Virtual Cell network, you can use the maximum
transmission power. You will also find that channel 1 is the best channel to use as your starter channel. It
tends to be the least busy and the least interfered with.
• If you are deploying a traditional microcell or native mode network, you will need to create a channel plan
to make the best use of the channels available.
• You can use a survey tool that performs a predictive site survey, such as FortiPlanner or Ekahau Site
Survey.
• For microcell networks, it is also possible to use automatic radio resource provisioning (ARRP). This allows
you to set up the network, install the access points, and then run an automatic setup process in which the
controller selects the best channel and power level to use.
• In a microcell network, 40 MHz channel usage will work in a single AP environment. If you are deploying
more than one AP, do not use 40 MHz channels.
• Because of the nature of a single channel, it is technically possible to publish a 40 MHz channel layer
across your entire network. For a single channel layer, this is acceptable; however, if you are planning
multiple channel layers in 2.4 GHz, you should use 20 MHz.
• Not all clients support or work reliably at 40 MHz. If you are planning to deploy at 40 MHz, then you must
test and monitor clients to ensure that they do not have compatibility issues.

In the 5 GHz frequency range, there is far more bandwidth available. In theory, the ITU has released a total of
37 possible 20 MHz channels. It should be emphasized that these are possible frequencies and have not been
adopted globally.

Unlike 2.4 GHz, the channel numbers shown on this slide are distinct and do not overlap, so you can safely
use channels adjacent to each other without any risk of adjacent channel interference (ACI), provided the
APs are spaced at least the minimum distance apart.

The 5 GHz frequency space is not without limitations. Because this frequency space is also used by other
licenced applications, wireless LANs have to use a specific method to gain access to certain higher
frequencies. This method is known as dynamic frequency selection (DFS).

Specific types of radar, such as airport, weather, military, and shipping radar, operate in the 5 GHz range.
Because radar depends on very weak signals returned from airplanes, ships, and so on, radar antennas must
be very sensitive. This sensitivity makes it very easy for low-powered access points or wireless clients to
interfere with a radar system.

So, to enable wireless LANs to share the 5 GHz spectrum, equipment has to conform and be certified to an
additional set of wireless standards detailed in the 802.11h standard.

This slide generally describes how APs and clients should behave when operating in frequencies that are
designated as DFS.

When an AP starts, it should scan for the presence of a radar signature in the channel that it is being
configured for. It performs this scanning for a fixed amount of time and, if it detects a radio signature that
looks like a radar system, the AP selects an alternative channel to use before it starts.

After the AP has started using a channel, it should conduct periodic checks to ensure that it does not detect
radar. If it does detect radar, it should issue a channel change message to any associated clients, and then
move itself to a new channel.

Trying to use DFS frequencies can be challenging, especially close to airports, harbours, military installations,
and so on. Legitimate radar detection can cause frequent channel changes and disruptions to the network.
Clients do not always follow the AP successfully after a channel change and, as a result, can suffer a loss of
connection. Large numbers of DFS events can result in large numbers of APs trying to occupy the same
channels, resulting in an impact on performance.

An access point makes its best guess when detecting radar and, as a result, false positives sometimes occur
because other 5 GHz devices can be mistaken for radar. This can be very confusing when you are installing
networks far from an airport or similar installation, yet DFS events continue to cause channel moves.

The final thing to note is that many low-cost 5 GHz adapters are not certified for use on DFS channels.
Certification is optional and costs money, so, as a result, many cheaper clients are simply not tested. This
means that they are not allowed to use DFS channels, so you may well design a network using DFS channels
only to find that a proportion of your clients will never actually see or connect to the APs on those channels.

Therefore, do not automatically assume that all 5 GHz clients will be able to connect to APs on DFS channels.
If in doubt, ensure that you test any suspect client.

This slide shows the 5 GHz channel set that is available in North America. This is the most current
information, however, it is expected to change so make sure you are aware of the latest regulations.

The FCC splits the frequency range into UNII-1, UNII-2, UNII-2 extended, and UNII-3. UNII-2 and UNII-2
extended are governed by DFS regulations. In addition, specific channels are completely unavailable because
they are used by weather radar at airports across the USA, indicated on this slide by the channels
crosshatched in red. It should also be noted that channels 116 and 132 are potentially unusable if the
installation is located within a certain distance of an airport.

Fortunately, there are two sections of channels that are not governed by DFS: UNII-1 and UNII-3. Both
contain either 40 MHz or 80 MHz channels, which can be used without any issues caused by DFS. If you are
planning a microcell-based wireless network, these four channels might be adequate for your channel plan. A
single channel network made up of two 80 MHz channel layers provides significant flexibility without needing
to go into DFS.

Note that the maximum transmission power in these two bands is 36 dBm. While some access points can
operate at this power level, it is not considered to be a good configuration for AP radios that serve clients.
Many clients are capable of transmitting at only 15 dBm. As a result, a scenario could arise in which a client
can hear an AP because of the AP's high power, but is unable to transmit back to the AP because of its own
low transmit power.

For a single channel scenario, a best practice would be to keep the transmission power of the APs between
20 and 23 dBm. DFS channels are usable provided you understand their limitations; note that they are limited
to 23 dBm of transmission power. In a single channel network, it is best practice to use non-DFS channels for
the 'base' channel layer, the channel layer that will be available across the whole installation, while using
DFS channel layers for any additional channel layers. Any DFS events that occur would then only disrupt the
additional channel layers and not the main connectivity channel layer.

Currently, in Europe there are fewer channels than there are in North America, however, the situation is
changing as more frequency space will be allocated in the future.

The only channels that are free of DFS are the bottom four channels, 36 through 48. All other channels
require DFS certification. Also note that in some areas of Europe there is an extended DFS wait time on
channels 120 through 128. On these channels, the AP must wait for up to 10 minutes before commencing
transmission. This often means that vendors choose not to support these channels.

When planning a microcell network, you will be able to deploy the network using the lower four channels if
you limit the channel width to 20 MHz. However, if you want to benefit from the increased performance of 40
and 80 MHz channels, you will have to use a selection of DFS channels.

For a single-channel architecture, your base single channel layer should be in the lower channel range and
default to an 80 MHz channel width. This will maximize performance for all your 80 MHz clients and maintain
compatibility for those clients that do not support DFS or wider channels.

As you noted in the previous channel plan, there are a variety of available channel widths. How does this
work?

The original wireless standards, 802.11 through 802.11g, did not support 40 MHz channels, at least not in the
standards themselves; only 20 MHz channels were supported. 802.11n provided the ability to extend channels
to 40 MHz.

Usually, you specify a base channel or primary channel and then select an extension channel above or
below this channel in the radio settings. These extension channels still follow the channel plan diagrams.

For instance, channel 36 can be extended up to include channel 40, and channel 40 can be extended down to
include channel 36. Channel 44 can be extended up to 48, and channel 48 can be extended down to 44.
However, you cannot extend 40 up to 44: you have to stay within the 40 MHz channel defined by the channel
diagrams. After the channel is defined, the radios will use the entire 40 MHz, regardless of how much usage
there is.

Note that many channel diagrams assign different channel numbers to 40 MHz and 80 MHz channels. In the
example shown on this slide, channel 38 shares the channel width with channel 46. This channel numbering
convention is not widely used. Most equipment manufacturers, including Fortinet, use the 20 MHz channel
number as the channel identity.

Channels that operate according to the 802.11ac standard operate differently. This standard introduced the
concept of dynamic bandwidth operation, which allows 802.11ac radios to change channel width dynamically
depending on the demands of the traffic.

First, you must define the primary channel, which is the base 20 MHz channel. Then, you must define the
maximum channel width that the radio can expand to, for instance 40 MHz, 80 MHz, or, in some cases, 160
MHz.

The radio uses the primary channel first and, when additional capacity is needed, it expands to 40 MHz. If
more bandwidth is required, it expands to 80 MHz, and so on, up to the maximum configured channel width.

Initially, this was done to allow radios to coexist in the same 80 MHz channel space. This slide shows that
channel 48 is the primary, and channel 36 is the secondary, which allows the two radios to expand from 20 to
40 MHz without interfering with each other, and potentially up to 80 MHz if additional channel space is
available.

This slide also shows that channels expand in specific ways: channel 38 expands from channel 36 to channel
40, and then channel 42 expands to 160 MHz.

In theory, this method should allow up to four 802.11ac APs to be assigned a primary channel, and then allow
them to share the 40 and 80 MHz channel width. However, in the real world, it is not clear whether this
provides a benefit over using DFS channels instead.

When deciding on the channels to use for your 5 GHz radios, consider the following:
• For a single channel network, you should always place your primary channel layer in the lower, non-DFS
channel range.
• Selecting channel 48 as the starter channel will often avoid other, legacy APs that may be on channel 36.
Remember, even though you set the primary channel to 48, the AP will still expand and use the entire 80
MHz, as detailed previously.
• For additional channel layers and stripes, use the lower DFS channels first—channels 52 through 64—then
select the higher channels, if necessary.
• By default, for single channel, transmission power should be at least 20 dBm (again, depending on your
local regulations). For most installations, it is not necessary to go lower.
• If you are planning a microcell network, you are likely to have to use DFS channels. Use the lower
channels first before selecting the higher channels. 80 MHz channels will be difficult to plan, and most
microcell networks default to a 40 MHz channel width, which gives the best compromise between
performance and channel reuse.
• Create a predictive plan using FortiPlanner or Ekahau Site Survey to help plan channels for maximum
reuse. As a rule, you should avoid setting radios at power levels less than 10 dBm when planning a
microcell deployment.
• It is also possible to install the network with the APs in the correct locations, and then use ARRP to create
a channel plan.
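The fixed bonding blocks and 802.11ac primary/secondary expansion described earlier, together with the rule above that the base layer stays on non-DFS channels, can be checked with a small script before a plan is committed. The following Python is an added example, not code from the FortiWLC guide or from Fortinet; its regulatory tables are simplified assumptions (channels 36 to 48 and 149 to 165 non-DFS in the US, 36 to 48 only in Europe, extended wait on 120 to 128) and the layer names are constructed.

```python
"""5 GHz channel bonding, 802.11ac expansion and DFS checks.

Added example, not code from the FortiWLC guide. Channel numbers are the
20 MHz numbers (centre = 5000 + 5 * channel MHz), the convention the text
says Fortinet and most vendors use. The regulatory tables are simplified
assumptions that may lag current rules; check local regulations.
"""
from __future__ import annotations

# Assumed regulatory tables: usable 20 MHz channels and which need DFS.
REGIONS = {
    "US": {
        "non_dfs": set(range(36, 49, 4)) | set(range(149, 166, 4)),  # UNII-1, UNII-3
        "dfs": set(range(52, 65, 4)) | set(range(100, 145, 4)),      # UNII-2, UNII-2e
        "extended_wait": set(),
    },
    "EU": {
        "non_dfs": set(range(36, 49, 4)),                            # channels 36..48 only
        "dfs": set(range(52, 65, 4)) | set(range(100, 141, 4)),
        "extended_wait": {120, 124, 128},   # up to 10 minute DFS wait, per the text
    },
}


def centre_frequency(channel: int) -> int:
    """Centre frequency in MHz of a 5 GHz 20 MHz channel number."""
    return 5000 + 5 * channel


def bonded_group(primary: int, width_mhz: int) -> list[int]:
    """20 MHz channels occupied when a radio on `primary` expands to width_mhz.

    Bonding blocks are fixed by the channel diagrams: 36+40 and 44+48 form
    40 MHz channels and 36..48 forms an 80 MHz channel, but 40+44 is never a
    block. UNII-3 (149 upwards) sits on its own four-channel grid.
    """
    if width_mhz not in (20, 40, 80, 160):
        raise ValueError(f"unsupported channel width: {width_mhz} MHz")
    base = 149 if primary >= 149 else 36
    if primary < 36 or (primary - base) % 4:
        raise ValueError(f"{primary} is not a 20 MHz channel number")
    n = width_mhz // 20                      # 20 MHz channels in the block
    index = (primary - base) // 4            # position on the grid
    start = base + (index // n) * n * 4      # align to the block boundary
    return [start + 4 * i for i in range(n)]


def expansion_path(primary: int, max_width_mhz: int) -> list[list[int]]:
    """802.11ac dynamic bandwidth: the groups a radio steps through from
    20 MHz up to its configured maximum width."""
    widths = [w for w in (20, 40, 80, 160) if w <= max_width_mhz]
    return [bonded_group(primary, w) for w in widths]


def widest_disjoint_width(primary_a: int, primary_b: int, max_width_mhz: int = 160) -> int:
    """Widest width at which two radios with these primaries can both expand
    without occupying a common 20 MHz channel (0 if they clash even at 20 MHz).
    The text's example, primaries 48 and 36, gives 40."""
    widest = 0
    for w in (20, 40, 80, 160):
        if w > max_width_mhz:
            break
        if set(bonded_group(primary_a, w)) & set(bonded_group(primary_b, w)):
            break
        widest = w
    return widest


def validate_layer(primary: int, width_mhz: int, region: str, base_layer: bool) -> list[str]:
    """Check one single channel layer against the region's tables and the
    best practice that the base layer (covering the whole site) avoids DFS."""
    rules = REGIONS[region]
    group = bonded_group(primary, width_mhz)
    warnings = []
    unavailable = [c for c in group if c not in rules["non_dfs"] and c not in rules["dfs"]]
    if unavailable:
        warnings.append(f"channels {unavailable} are not available in {region}")
    dfs = [c for c in group if c in rules["dfs"]]
    if dfs and base_layer:
        warnings.append(f"base layer would depend on DFS channels {dfs}; use a non-DFS block")
    wait = [c for c in group if c in rules["extended_wait"]]
    if wait:
        warnings.append(f"channels {wait} have an extended DFS wait in {region}")
    return warnings


if __name__ == "__main__":
    # Constructed plan: a non-DFS 80 MHz base layer plus a DFS stripe, as the text recommends.
    for name, primary, width, is_base in (("base", 48, 80, True), ("stripe", 52, 80, False)):
        print(name, primary, width, expansion_path(primary, width),
              validate_layer(primary, width, "EU", is_base) or "ok")
    print("48 and 36 stay disjoint up to", widest_disjoint_width(48, 36), "MHz")
```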

As mentioned, in microcell networks you should avoid using the 80 MHz channel width because usually there
are not enough spare channels to allow an effective channel plan.

For single channel networks, 80 MHz is the preferred channel width. The current generation of APs does not
yet support the 160 MHz channel width and, even when they do, it remains to be determined whether this is a
best-practice configuration.

In scenarios where you have a very high number of clients, such as stadiums, conference centres, and large
lecture halls, it is usually best to minimize channel width in order to maximize the number of radios that you
can put into the location.

Ultimately, the number of radios available drives the number of clients that you can support. This is true for
both microcell and single channel networks.

Good job! You now understand wireless LAN frequencies and channels.

Now, you will examine channel selection.

After completing this section, you should be able to understand how to select channels.

Remember, the vast majority of modern access points are dual radio, which means they are equipped with
two radio chips that allow simultaneous transmission. Most APs consist of a 5 GHz radio chipset and a 2.4
GHz radio chipset. Usually, but not always, you must assign a channel to both of these interfaces. Sometimes
you might want to reserve a radio on an access point for a specific use, such as spectrum analysis or wireless
intrusion protection (WIPS). Radios used for these purposes do not need a dedicated channel—often part of
their function is to scan multiple channels.

Some APs have dual radios that are both capable of 5 GHz operation. They can be configured to transmit
simultaneously in dual 5 GHz mode. This provides the maximum capacity for an AP that has a single network
cable.

The AP832 is an example of an AP that can support two 5 GHz interfaces that can each operate at up to 1300
Mbps, which adds up to a potential 2600 Mbps.

However, for optimal performance and to prevent co-channel interference, you should use an AP that has
external antennas. You can use an AP that has internal antennas, but there is a significant loss of
performance on both radios when operating in dual 5 GHz mode.

If you are using dual 5 GHz mode, for best performance, you should use external antennas separated by 8
feet (2.5 metres).

Be aware that these configurations can require additional power. You might need to use higher power PoE+
(802.3at).

Also, it is possible that the throughput of both radios could exceed the capacity of a single gigabit cable. In
some scenarios, you might also need to install a second uplink for the AP and enable link aggregation.

Choosing channels is a two-stage process.

First, you must define the starting channels for the APs. For a single-channel network, select channel 1 in the
2.4 GHz channel range as your starter channel. If you have additional channel layers or stripes, then select
channels 6 or 11.

In the 5 GHz channel range, you usually select channel 48 or channel 36 as the starter channel. If you have
additional channel layers or stripes, select non-DFS channels first, and then select DFS channels if
necessary.

In microcell networks, you can use FortiPlanner or Ekahau Site Survey to create a channel plan or, after the
APs are installed, you can create the initial channel plan using ARRP.

After you deploy the channel plan, you should optimize your channel choices. After the network is in place, the
access points will operate as sensors, allowing you to assess the RF environment. Then, you can use
FortiWLC to rank and rate channels based on AP count and interference level. If you discover that the starter
channels are no longer the best channels, you can use the information to select the most appropriate
alternatives.

The process of optimization is covered later in this course.

Good job! You now understand channel selection.

Now, you will examine AP families.

After completing this section, you should be able to understand the concept and importance of AP families in a
FortiWLC-based wireless network.

Over the years, there have been many different wireless standards, supporting many different connection
rates and capabilities, beginning with 802.11 b/g/n through 802.11ac.

Each generation of the standard has introduced different radio capabilities to enable increasingly faster
wireless connection speeds. For example, the modulation types and rates have increased, and the concept of
multiple streams has emerged. As a result, radio chipsets have changed to support these new features in both
access points and clients. As a rule, the newer the AP, the faster the standard it supports, and the newer the
chipset.

Typically, each model of AP uses a different radio chipset, although not always. For instance, the AP300,
AP301, and AP320 all have different model numbers to designate differences in their configuration, but all use
the same radio chipset. They are deemed to be members of the same AP 'family'.

(slide contains animations)


AP families can affect how you build virtual cells. Imagine a floor of a building without any walls, as shown on
this slide. You can position access points across this floor using a predictive or virtual site survey, which tells
you where to place the APs to provide optimal coverage for your clients. Some areas of the floor have few
clients, so only basic coverage is needed.

(click)
You want to advertise a single wireless network to the clients, so you must create an ESS profile and tell the
APs to advertise it.

(click)
When you start a client in the room, it will listen for signals from any wireless networks within range and build
a list of those that match the SSID it wants to join. A virtual cell transmits one BSSID, no matter how many
physical APs are part of the virtual cell, so the client will detect one AP. It will issue a probe request, and the
controller will respond and assign the most appropriate AP to support the client. The client and AP negotiate a
connection, exchanging link rates, supported stream count, and other wireless details to make sure they can
understand each other.

(click)
In the example on the slide, the client has associated with an 802.11n AP that supports two streams, so the
communication is based on that capability.

(click)
If the client moves to the opposite side of the building, the signal to the original AP drops as the client moves
closer to the AP shown at the top of the slide. The controller will assign the client to the new AP.

(click)
No traditional roam has occurred. The client is not aware that it has changed APs. It has not re-associated
or renegotiated supported link rates or standards. It is essentially still trying to communicate using
802.11n with the new AP; however, the new AP is communicating back using 802.11ac. The client and
the AP are essentially talking different languages. As a result, the connection fails. The client and the
AP could each communicate but, because the client has not roamed and re-associated, they have not
had a chance to agree on connection properties.

This scenario will occur between APs that support different wireless standards and wireless properties.
Even if two APs use the same standard, if they are from two different families, they will likely have
different wireless chipsets. Small differences in chipset support will also mean that the connection will
fail.

This means that you cannot mix APs from different families in the same virtual cell.

(slide contains animations)


The controller knows that you cannot mix APs from different families in the same virtual cell. If you try to
create an ESS profile that contains two families in the ESS-AP table, the ESS profile will protect the network.
It will automatically create two separate BSSIDs, each containing a different AP family.

(click)
This scenario has some disadvantages. Because the APs were originally destined to be in the same channel
layer, they will have the same channel settings.

(click)
In the example shown on this slide, the APs use channels 1 and 36. And because there are now two BSSIDs,
there are now two virtual APs on the same channel—one virtual AP made up of the AP1020s, and one virtual
AP made up of the AP822s.

(click)
Note the length of the boundary between the virtual cells, which is very long because of the location of the
APs. Along this boundary, two things will happen:

1. Clients will roam – The longer the boundaries or the more boundaries there are, the more roaming will
occur. This might not be what you want, especially if you are trying to deploy a virtual cell to minimize
roaming. Perhaps you are trying to deploy a voice network and you want seamless roaming for your voice
clients.

2. Co-channel Interference (CCI) – The two virtual APs now operate as adjacent islands of wireless
coverage, just like normal APs. Therefore, they will generate CCI in the boundary area, potentially
suffering a loss in performance.

(slide contains animations)


In an ideal world, you would want to avoid deploying APs from different families. If you design or deploy a new
installation, make sure, wherever possible, that you use only one AP model.

However, in the real world this is not always possible. In many scenarios there is a requirement to use
different AP types, sometimes to support a faster wireless standard in a certain part of a building, or perhaps
to expand a network that has older APs.

If you have to install multiple AP families in the same area, it is best to locate the APs together in groups to
minimize the boundary area, as shown in the slide.

(click)
The boundary is now as short as possible for the design of the building, minimizing the size of the boundary
area and limiting the CCI and roaming.

(slide contains animations)


It is a best practice to deploy a channel stripe to minimize CCI. The two virtual cells will then no longer
interfere with each other because they are on different channels.

(click)
In the example shown on this slide, the AP822 APs have been configured into a second channel stripe on
channels 11 and 64.

The channel stripe is not always necessary. If there aren’t any available channels, it is acceptable to leave the
APs on the same channel. However, you should monitor performance in those areas in case any issues arise
in the future.

(click)
Roaming will still occur, whether you use a channel stripe or not. However, as seen, minimizing the size of the
boundary can help minimize the roaming.

(slide contains animations)


The diagram shown on this slide is of a real-world example. It shows a floor plan, which is the ground floor of
a student residence. A variety of areas require coverage.

The small rooms at the bottom and left side of the floor plan are dorm rooms. Usually, only one student
occupies each room, so the density is very low.

The open areas are also relatively low density, with the exception of the three rooms in the center of the floor
plan. These rooms are lecture halls, which have a higher density of students and therefore require more
bandwidth.

It is not cost effective, nor is it necessary, to specify high-performance APs for the open areas or the
student accommodation. Instead, deploy a mix of AP families, using cost-effective AP1020s to support the
majority of the network and the U421EV to support the high-density lecture halls. Because these APs are from
different families, you must isolate them from each other. They are already as geographically isolated as
possible, with the minimum boundary that is possible. This reduces roaming to the minimum required to roam
into the high-performance area.

To minimize CCI and maximize performance, particularly in the lecture theatres, define a channel stripe for
the AP1020s using channels 1 and 36.

For the U421EV, use channels 11 and 64.

Now that you know how you are going to isolate the families of APs from a physical and RF point of view, how
do you do that from a controller configuration point of view? You can do this using a configuration
element called the ESS profile. The ESS profile is a controller configuration element that defines the
radio properties for a wireless network. Its main purpose is to define the SSID and security of the
wireless network, but you can also use it to define virtual cells.

The diagram shown on this slide lists the ESS profiles configured on the controller. The ESS profile names
indicate the purpose of each profile: one ESS profile has 1020 in the description, the other has 822. By
defining two ESS profiles, you have essentially defined two separate virtual cells. Both profiles advertise the
same SSID, corpnet, and the same security profile. This is necessary to enable seamless mobility between
the areas of coverage.

The first profile will contain all of the access points that are assigned to the low density areas.

A second profile will contain all of the access points that are assigned to the high density lecture
theatres. Each ESS profile has its own ESS-AP table. This configuration table allows you to add AP
interfaces to the virtual cell, or remove them from the virtual cell.

The diagram on this slide shows a table on the left side that contains two sets of interfaces for the APs
that are in the common areas. Both the channel 1 and the channel 36 interfaces (2.4 GHz and 5 GHz) are
added to the AP table.

The table on the right side of the diagram contains the interfaces of the APs located in the lecture
theatres.

Notice the BSSID column in both tables. There are BSSIDs for the 5 GHz interfaces and BSSIDs for
the 2.4 GHz interfaces, and they are the same for all three physical radios in each band.

There are four separate BSSIDs, so there will be four virtual APs advertised on the same SSID:

• Two virtual APs on 5 GHz: one on channel 36, one on channel 64
• Two virtual APs on 2.4 GHz: one on channel 1, one on channel 11

This means that you have correctly configured the network, isolating the AP families while preserving
the virtual cell where possible.


In summary, use the following best practices:

• Avoid multiple AP families if possible. Configuration will be considerably simpler if you only have to deal
with one type of AP. The table shown on the right side of the slide defines the families of APs that can
coexist with each other. APs that have the same colour can typically coexist in the same ESS profile. For
example, all of the four-series APs can coexist in the same ESS profile. The three-series APs in yellow can
coexist in the same virtual cell, with the exception of the 332, which, despite having the same major model
number, has a different radio and so is considered a separate family.
• The slightly unusual family is the 832/822. Both APs use identical chipsets; however, the 822 supports only
two streams whereas the 832 supports three streams. It is possible to demote an 832 to exist in the same
virtual cell as an 822. This is done by configuring the radios from three streams down to two streams. This
effectively makes the 832 an 822 by configuration. However, this configuration does not make use of the
maximum capability of the 832.
• If, for any reason, you need to deploy multiple AP families, make sure you isolate them geographically by
creating areas covered by individual AP families, floors covered by individual AP families, or even buildings
covered by individual AP families. If the channel stripes must be on the same channel, minimise the
boundary as much as possible to reduce the amount of roaming and the potential for CCI.
• Always define a separate ESS profile for each family of APs. Technically, it is possible to put different AP
families in the same ESS profile; however, it is best to create a separate ESS profile for each.
• It is possible to have adjacent ESS profiles on the same channel. A virtual cell is far more resistant to CCI
than other technologies; however, for optimal performance it is best to assign separate channels in the
form of a stripe, if possible. This maximises channel reuse and, as a result, minimises CCI.
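To make the ESS profile rules from the student residence example and the summary above concrete, here is an added Python example (written for this guide, not FortiWLC or Fortinet code) that checks a planned set of ESS profiles against them: one AP family per profile, one BSSID and one channel per band within a virtual cell, a common SSID and security profile across profiles, and a warning where two cells share a channel instead of sitting on separate stripes. The family rules are an encoding of the table described in the summary; the AP names, BSSIDs, security profile names and the two sample plans are constructed values, and nothing is read from a controller.

```python
"""Added example (not FortiWLC or Fortinet code): sanity-check a multi-family
virtual cell plan against the rules described in this lesson. AP names, BSSIDs,
channels and security profile names are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations
from typing import List


def ap_family(model, streams=0):
    """Family an AP model can share an ESS profile (virtual cell) with.

    Encodes the course summary: four-series APs share a family; three-series APs
    share a family except the 332 (different radio); an 832 can join an 822 cell
    only when its radios are configured down to two streams.
    """
    digits = "".join(ch for ch in model if ch.isdigit())
    if digits == "332":
        return "332"
    if len(digits) == 3 and digits[0] in "34":
        return digits[0] + "xx"            # "3xx" or "4xx"
    if digits == "822" or (digits == "832" and streams == 2):
        return "822/832-2ss"
    return digits or model.upper()         # e.g. "832" (three stream), "1020"


@dataclass
class Radio:
    ap: str            # AP name as listed in the ESS-AP table
    model: str
    band: str          # "2.4GHz" or "5GHz"
    channel: int
    bssid: str
    streams: int = 0   # configured spatial streams; only matters for the 832


@dataclass
class EssProfile:
    name: str
    ssid: str
    security: str
    radios: List[Radio]


def validate_plan(profiles):
    """Return (severity, message) findings; an empty list means the plan is clean."""
    findings = []
    for p in profiles:
        families = sorted({ap_family(r.model, r.streams) for r in p.radios})
        if len(families) > 1:
            findings.append(("error", f"{p.name}: mixes AP families {families}"))
        per_band = defaultdict(lambda: {"bssid": set(), "channel": set()})
        for r in p.radios:
            per_band[r.band]["bssid"].add(r.bssid)
            per_band[r.band]["channel"].add(r.channel)
        for band, seen in per_band.items():   # a virtual cell: one BSSID, one channel per band
            if len(seen["bssid"]) != 1:
                findings.append(("error", f"{p.name}/{band}: {len(seen['bssid'])} BSSIDs"))
            if len(seen["channel"]) != 1:
                findings.append(("error", f"{p.name}/{band}: channels {sorted(seen['channel'])}"))
    # Seamless mobility between cells needs the same SSID and security profile everywhere.
    if len({(p.ssid, p.security) for p in profiles}) > 1:
        findings.append(("error", "profiles advertise different SSID/security pairs"))
    # Channel stripe: neighbouring cells should sit on different channels in each band.
    for a, b in combinations(profiles, 2):
        for band in ("2.4GHz", "5GHz"):
            shared = ({r.channel for r in a.radios if r.band == band}
                      & {r.channel for r in b.radios if r.band == band})
            if shared:
                findings.append(("warning", f"{a.name} and {b.name} share {band} channel(s) "
                                            f"{sorted(shared)}; monitor for CCI"))
    return findings


def virtual_ap_count(profiles):
    """Virtual APs advertised on the SSID: one per distinct BSSID."""
    return len({r.bssid for p in profiles for r in p.radios})


def make_cell(name, ssid, security, model, aps, ch24, ch5, bssid24, bssid5):
    """Profile whose ESS-AP table holds the 2.4 GHz and 5 GHz radio of every AP."""
    radios = [Radio(ap, model, band, ch, bssid)
              for ap in aps
              for band, ch, bssid in (("2.4GHz", ch24, bssid24), ("5GHz", ch5, bssid5))]
    return EssProfile(name, ssid, security, radios)


# Constructed sample: the student residence layout from the slides, one cell per
# family, each family on its own channel stripe.
GOOD_PLAN = [
    make_cell("corpnet-1020", "corpnet", "wpa2-enterprise", "AP1020",
              ["AP-dorm-1", "AP-dorm-2", "AP-dorm-3"], 1, 36,
              "02:00:00:00:10:24", "02:00:00:00:10:05"),
    make_cell("corpnet-421", "corpnet", "wpa2-enterprise", "U421EV",
              ["AP-lec-1", "AP-lec-2", "AP-lec-3"], 11, 64,
              "02:00:00:00:42:24", "02:00:00:00:42:05"),
]

# Constructed mistake: an 822 cell on the same channels as the 1020 stripe, with a
# three-stream 832 added to it instead of being demoted to two streams.
_bad_cell = make_cell("corpnet-822", "corpnet", "wpa2-enterprise", "AP822",
                      ["AP-lec-1", "AP-lec-2"], 1, 36,
                      "02:00:00:00:82:24", "02:00:00:00:82:05")
_bad_cell.radios.append(Radio("AP-lec-3", "AP832", "5GHz", 36, "02:00:00:00:82:05", streams=3))
BAD_PLAN = [GOOD_PLAN[0], _bad_cell]
```

Calling `validate_plan(GOOD_PLAN)` returns no findings and `virtual_ap_count(GOOD_PLAN)` is 4, matching the two 2.4 GHz and two 5 GHz virtual APs described above; `validate_plan(BAD_PLAN)` reports the mixed 822/832 family as an error and the shared channels 1 and 36 as warnings. In practice you would build the profile objects from the controller's ESS-AP tables rather than from literals.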


This lesson covered the following topics:


• Fundamentals of radio transmission
• Wireless LAN frequencies and channels
• How to select channels
• AP families



Plan and Design a Network


In this lesson, you will learn how to plan and design a basic single-channel, virtual cell-based FortiWLC
network.


In this lesson, you will explore the following topics:


• Design process
• Planning methods
• Customer requirements and information gathering
• Deployment planning
• Equipment size and selection
• Implementation planning


In this lesson, you will learn how to design a simple Virtual Cell based wireless network that is suitable for use
in a small-to-medium density environment, such as a school classroom or office space.

You will not learn how to design networks to cover more challenging environments, such as sports stadiums,
convention centers, and installations that require complex channel layering. You will also not learn about the
challenges and problems posed by planning networks for unique environments, such as elevators. These
topics are covered in advanced design courses.

This lesson does not cover physical survey methods; it focuses on the more common virtual methods.

This lesson does not cover complex microcell surveys. In FortiWLC-based networks, the vast majority of
deployments use Virtual Cell technology. Microcell, or native cell technology, is generally only used in special
or ‘edge’ case scenarios. As such, it is not covered in great detail.

After completing this lesson, you will be able to:

• Produce an AP layout that fulfills the requirements of most wireless installations
• Select the correct supporting equipment
• Produce design documentation that can be handed over to an installation or implementation engineer


After completing this section, you should be able to describe the key stages of designing a FortiWLC-based
wireless network.


There is no single right way to design a wireless network. Wireless network design, particularly the placement
of APs, is often described as more of an art than a science.

It’s possible to teach people how to hold the brush and paint a picture relatively quickly; however, that does
not mean that they will be able to paint a masterpiece on their first attempt. Similarly, having the proper tools
to design a wireless network is often not enough; time, patience, and experience are also needed to become a
Michelangelo of wireless networks.


The design process is composed of five broad stages.

The first stage is to identify customer requirements. Understanding what the customer wants from the wireless
network is the most important aspect of any design. This is also an opportunity to set expectations.

Many end-users and customers base their experience of wireless on the router they have at home. Typically,
the performance they experience when they are connected at home, to a single AP supporting a small
number of users, is very different from the performance they experience when they are connected to a wireless
network in an enterprise environment. Sometimes, this can lead to unrealistic expectations of performance. If
you can understand the customer’s performance expectations early in the design process, you can design the
network to meet those expectations, or moderate the customer’s expectations to more closely match the reality
of the network capabilities.

The next stage in the process is to determine the AP count. The AP count depends on the size and type of
area that needs covering, as well as the quality or capacity of the wireless coverage required in those areas.

After you have accurately determined the AP count, you can move on to the next stage: selecting the
supporting hardware. The supporting hardware includes the APs, controllers and other supporting hardware
such as mounting brackets, along with associated licenses.

Once you have selected the supporting hardware and gathered the associated license information, you can
build the bill of materials.

In the final stage of the process, you produce one of the major outputs: the implementation plan. Typically, the
implementation plan includes AP location and configuration specifications.


Good job! You now have a high-level understanding of the design process. Now you will learn about some of
the different planning methodologies that you can use.


In this section, you will learn about some of the different methods that you can use to plan and design a
wireless network AP layout. You will also look at some of the pros and cons of each method.


Wireless networks can be planned in multiple ways and many vendors have their own terminology for
referring to or identifying different network planning methods.

When planning FortiWLC networks, four main methods are used. Of the four methods, AP per space
estimation is the least accurate but quickest way to plan a wireless network. Full survey methods are the
most accurate. In between those two methods are virtual site survey methods, which are sometimes referred
to as simulated or predictive.

The time and effort required to perform a survey for each planning method shown in this slide increases from
left to right. A full active survey is the most expensive in both cost and time, but it is also the most accurate in
terms of coverage and AP count.


The AP per space method is not survey based. It is a method of estimating the number of APs needed for an
installation, based on the physical spaces where coverage is required. It is usually used to estimate costs
when no other information is available.

For customers with high density and high throughput requirements, such as educational facilities, you can
estimate one AP for every space or classroom.

For customers with lower density and lower throughput requirements, such as hotels and offices, you can
estimate one AP for every other space. This estimate is based on the assumption that each AP will cover the
space or room that it is stationed in, as well as the adjacent space or room. If you are planning
requirements for an open office space, then the estimate of one AP for every 20 metres is often used.

The AP per space method does not work well when planning microcell-based networks, because co-channel
interference (CCI) will be an issue in that type of scenario. However, it does work well with Virtual Cell
networks, because the technology does not suffer from CCI in the same way.


There are clear pros and cons to using the AP per space method.

These are the pros:

• It is a simple process and requires no special tools, such as FortiPlanner or an Ekahau site survey.
• It does not require floorplans.
Floorplans can be difficult to procure, especially during the early stages of projects, and for some
installations, no floorplans are available at all.
• It is a quick budgetary tool.
• It is practical for planning small virtual cell deployments of 10 spaces or fewer.
Many small to medium sized FortiWLC based networks have been planned in this way.

These are the cons:

• It often results in the presence of more APs than are truly required for an installation.
A virtual site survey aims for optimal AP placement and would likely result in a lower estimated number
of APs.
• There is potential for an over-deployment scenario.
When a large number of APs is estimated and installed, it can lead to a high AP neighbour count and result
in reduced performance. When planning networks with 10 spaces or fewer, this is not a potential issue.
• It is impossible to guarantee the ability to connect to a network or connection quality.
Without having an indication of the shape, size, or structure of the building, making guarantees about the
ability to connect to the network or connection quality is next to impossible. Often, you can only guarantee
a connection if you can see the APs.
• It is not possible to account for environmental challenges such as interference or large numbers of
neighbouring wireless networks.
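As an added example (not from the course), the AP per space rules described above are expressed here as a small Python estimator that also flags the method's limits listed in the cons: it rounds the low-density count up, applies the 20-metre spacing along the longest dimension of each open office area (an assumption, since the lesson only states "one AP for every 20 metres"), and warns when the plan exceeds 10 spaces or is meant for a microcell design. The room counts and lengths in the sample calls are constructed inputs.

```python
"""Added example (not from the course): the AP per space rules as a quick
budget estimator. Room counts and lengths passed in are constructed inputs."""
import math

OPEN_OFFICE_SPACING_M = 20   # lesson rule of thumb: one AP for every 20 metres of open office
OVER_DEPLOY_SPACES = 10      # above this many spaces the method tends to over-deploy


def estimate_aps(rooms_high=0, rooms_low=0, open_office_lengths_m=(), virtual_cell=True):
    """Return the per-category AP counts, the total, and any caveats that apply.

    rooms_high: high-density, high-throughput spaces such as classrooms (one AP each).
    rooms_low:  lower-density spaces such as hotel rooms or offices (one AP per two
                spaces, each AP covering its own room and the adjacent one).
    open_office_lengths_m: longest dimension of each open office area, in metres.
                Assumption: the 20 m spacing is applied along that dimension.
    virtual_cell: False models a microcell design, where the method is unsuitable.
    """
    high = rooms_high
    low = math.ceil(rooms_low / 2)
    open_office = sum(math.ceil(length / OPEN_OFFICE_SPACING_M)
                      for length in open_office_lengths_m)
    spaces = rooms_high + rooms_low + len(open_office_lengths_m)

    warnings = []
    if not virtual_cell:
        warnings.append("microcell design: AP per space does not account for CCI; survey instead")
    if spaces > OVER_DEPLOY_SPACES:
        warnings.append(f"{spaces} spaces: likely over-deployment and a high AP neighbour "
                        "count; a virtual site survey would probably place fewer APs")
    return {"high_density": high, "low_density": low, "open_office": open_office,
            "total": high + low + open_office, "warnings": warnings}
```

For example, three lecture rooms, seven dorm rooms and one 45-metre open area give 3 + 4 + 3 = 10 APs and, because that is 11 spaces, the over-deployment warning; two classrooms and four offices give 4 APs with no warnings.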


The most commonly used method in modern wireless network design is the virtual site survey. This method is
also known as predictive or simulated. The virtual site survey method uses a predictive planning tool to
simulate wireless signal propagation and coverage.

Virtual site surveys allow you to model different installations and configurations of APs, which lets you
optimize the AP count and minimize the potential cost of equipment.

The tools provide the ability to produce graphical and textual reports, which are very useful when
communicating information to end users and customers.


There are pros and cons to the virtual site survey planning method.

These are the pros:

• It provides a far greater level of accuracy than the AP per space method.
• It allows for detailed modelling of AP placement to maximize signal quality and minimize AP count.
APs can be easily moved and you can immediately calculate the effect of that move on network coverage.
• There is no requirement to go to site if adequate floorplans and structural information are available.

These are the cons:

• It doesn’t account for local RF conditions.
Because this method does not include a site visit, you don’t have the opportunity to assess any potential
interference sources or neighbouring networks.
• It requires a significant investment.
Conducting this level of simulation requires professional planning software tools and powerful hardware,
which can be costly.
• It relies on accurate, scaled floorplans with accurate information.
• It can be time consuming, depending on the network size.
Large, multi-floor or multi-building installations that cover a lot of floor space can take many hours to set up
and simulate.


The hybrid survey method is a variation of the virtual site survey. Like the virtual site method, this method also
requires floorplans, building information, and professional planning tools. However, unlike virtual site survey,
this method also includes the option for a site visit.

Including an onsite visit gives you the opportunity to assess interference levels and the RF environment. It
also allows you to examine the structural materials and measure wall thickness so that you can validate your
virtual site survey, and recalibrate where necessary.

However, it is important to note that this site visit is not a full walkthrough of the site. It is only an opportunity to
validate and refine the virtual site survey results.


There are pros and cons to the hybrid site planning method.

These are the pros:

• It provides you with the opportunity to perform an active site survey.
You can survey a small portion of the building and then compare the results of your partial site survey to
the results of your virtual site survey. Then, you can adjust settings where necessary to make your virtual
site survey match the active survey.
• It provides you with an opportunity to inspect:
• Some of the wired infrastructure onsite
• Switch types and specifications
• The location of any network outlets
• It gives you the option to inspect the types of building materials and the potential mounting options for APs.
Different mounting kits are required for different materials, and a site visit will quickly tell you which
mounting kit may or may not be required.

These are the cons:

• It can be expensive.
A two- to three-hour site visit and meeting can be costly to the project.


The final planning method is a full passive or active survey.

This method is substantially more detailed than the other survey methods because it often includes a full walk
around the site. Site plans and appropriate survey tools are still required, but this method also includes the
option to perform either a passive survey or an active survey.

Both passive and active surveys involve measuring the RF environment. The major difference is that a
passive survey involves collecting RF information by listening with an appropriate adapter and, optionally, a
spectrum analysis device. This allows the collection of detailed information that can help you optimize your
wireless network planning.

When you perform an active survey, you position an active wireless signal source and plot the signal power
around it. This allows you to take an accurate measurement of propagation across the building. The RF signal
source is typically an AP that is installed on a movable mount. This is where the term AP on a stick comes
from.

You move the AP to different locations around the floor plan and survey around it. This allows you to take real
measurements of signal propagation and is possibly the most accurate way to plan a wireless network.


There are pros and cons to the active and passive survey methods.

These are the pros:

• It is possibly the most accurate way to measure the propagation of a wireless signal across a building
• It allows you to set the power level and channel settings precisely, knowing the RF environment

These are the cons:

• Both can be extremely time consuming.
They require extensive walking to do building assessments. The illustration on this slide shows the type of
path that a typical active or passive survey requires. The active method also involves installing and moving
physical equipment, which also increases the amount of time required and the disruption level.

Active and passive surveys are used less and less as simulation tools become more accurate.
Virtual Cell is also easier to plan and does not require the level of information that an active or passive survey
provides.

In the past, these types of surveys were especially good for minimizing the number of APs in an installation.
However, APs are becoming less expensive, while engineer time is generally becoming more expensive.

Today, coverage, capacity, and the ability to deliver a large amount of bandwidth to an individual area are the
top concerns. It becomes more about how many APs you can fit in an area, rather than how few APs you can
use to cover it.



In summary, there are four planning methods available. Because you are designing a low-to-medium density
wireless network, a hybrid or full passive/active survey is not cost effective.

So, you will focus on the AP per space and virtual site survey methodologies.


Good job! You now understand the possible planning methods that you can use when designing a network.
Now, you will learn about the information that you need to gather prior to design.


After completing this section, you will know some of the key information that you need to gather before
starting a network design.


Regardless of which planning method you use, there are some questions that you need to ask in order to
gather the key information that you need to have before you design your network.

• Which areas of the building require coverage?

It’s easy to assume that entire areas of the building require coverage and, sometimes, the customer might
also believe that this is a requirement. Making this assumption can be costly in terms of equipment,
particularly if unusual spaces such as washrooms and stairwells are included. When assessing coverage
requirements, it is best to ensure that the customer understands that there is likely to be additional cost if
these low priority areas are to be covered. There might also be areas that you assume require coverage
but the customer does not. It is advisable to use a copy of the floorplan to consult with the customer and
clearly mark all areas that will be covered, so that there will not be any confusion.

• What is the client count?

It is important to consider not only the current client count, but also the potential future count. When
a wireless network is installed and working well, people tend to bring more wireless devices. It is important
for you to encourage the customer to consider the likely increase in client numbers in the future and plan
accordingly.

• What types of clients will be using the network and what are their capabilities?

It is important to understand the types of clients that will be using the network to ensure that you select
the correct AP. Are the clients older 2.4 GHz clients, 5 GHz clients, or both? What standard are the clients
using? Are clients two-stream capable? Are clients three-stream capable? All of these factors will impact the
type of AP you select. It is generally believed that the older the clients, the less capable the wireless
chipset. In high-density scenarios in particular, this can have an impact on the overall performance of the
network.

Equally important are the applications that clients will be using. When usage is typically limited to
basic file sharing, printing, email, and web browsing, more clients can operate in any individual area,
supported by a single radio. When clients have high bandwidth requirements, such as in an educational
facility where video is being streamed to multiple students simultaneously, this can significantly change the
number of clients that can be supported by each radio. Unfortunately, there is no easy formula for working
out throughput requirements for a mix of clients and applications. Often, there is such a wide variety of
standards being used across a wide variety of applications that the best course of action is monitoring post
installation to identify any areas that require additional capacity. Adding more capacity is easy to do with
virtual cell technology by stacking channel layers.

• What type of wireless network is required and how many?

Another major impact on network design is the type and number of wireless networks that the
customer requires. As a general guide, it is best to avoid advertising more than five wireless networks
in any given location. An excessive number of wireless networks can lead to a reduction in the
efficiency of the wireless network due to the sheer amount of management traffic that each SSID
generates.
Each wireless network requires an SSID, a name that it broadcasts to identify itself and its purpose.
The SSID should be short, obvious, have no spaces, and not include excessively long strings.

• What are the security requirements?

Each network requires a method of authentication. For the vast majority of enterprise networks, this
will be some form of user name and password authentication. This type of authentication requires a
RADIUS server. The RADIUS server provides an interface to some form of user database, such as
Microsoft Active Directory, LDAP, or similar. If a customer doesn’t already have this service
installed, the installation will require additional time and resources.

Pre-shared key (PSK) authentication is a good alternative to RADIUS, particularly on smaller sites.
It is inherently less secure and harder to control, but it provides a simpler method for enabling
access to the wireless network. PSK authentication is not recommended.

• Is a guest network required?


Some customers require a guest network that allows temporary access to visitors. Guest networks
are often delivered by captive portal, like you see in coffee shops. Using a captive portal to facilitate
a guest network does require the purchase of additional services and products.

• Are there any other requirements?

Another factor that can affect design is the requirement to run voice over WiFi. Virtual cell is
well-suited to supporting voice applications due to the seamless roaming that is allowed by a
network in control; however, you need to be careful with the placement of APs in a network that
supports voice.

Another factor that you may need to consider is the presence of VLANs. Many customers have
VLANs in place for security reasons. Sometimes, customers have a requirement for traffic from a
wireless network to egress into a particular VLAN. It is important to capture this information to ensure
that the proper configuration is applied to the controller.


There are also infrastructure requirements that you need to consider when planning a network. One of the
main requirements that you must address is the availability of switching for APs. APs can pass a substantial
amount of traffic as they move data from multiple wireless clients, and, as a result, a gigabit or more of switching
capability is often required for multiple APs.

APs also require power. Some APs can be powered by an external PSU; however, the vast majority are
powered by power over Ethernet (PoE). Using PoE requires that the switch that the APs are connected to
supports PoE. If the switch does not, it is often possible to use an inline injector: a separate box that can ‘inject’
power into an Ethernet link. It is also important to consider the standard of PoE. Most legacy PoE is known as
standard power or 802.3af. This standard of PoE provides approximately 13 W of power to the AP. Older APs
can usually operate on lower power PoE, but more modern wireless standards with higher throughput use APs
that require higher power PoE+, known as the 802.3at standard. Often, swapping switches out to support a
higher power PoE can be a significant expense. So, when planning the network, you should pay close attention
to the PoE capability of any existing switches and the AP selected.

Installing an AP on a ceiling or wall can often mean that there is no outlet available. At least one outlet is
required at each AP location. For the purpose of future expansion, it is a good idea to install multiple outlets at a
high level. It is easier to install two cables initially rather than go back and install a second cable after the initial
installation. The cable should be Cat 5e or better and should be no more than 90 metres from the switch, to
minimize power loss.

Finally, you need to consider the mechanical requirements of mounting the AP. Some customers have
aesthetic requirements for AP mounting, preferring that APs be hidden and not mounted in clear view. Hiding
an AP often means that it will be mounted inside a suspended ceiling space. Being mounted in this location
can significantly impact the performance of the AP because the antenna is often obstructed or shielded. As a
compromise, it is often possible to fit APs with external antennas. This allows the APs to be located in the
ceiling space out of sight, while the antennas, which are much lower profile, are mounted in the open. If you
are planning to use different antennas, you need to factor them in when performing the survey. You should
also note that placing equipment in a suspended ceiling space usually requires a plenum fire rated certification.
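The infrastructure requirements above lend themselves to a per-location checklist in the implementation plan. The following Python, added here and not taken from the course or from any Fortinet tool, encodes them: Cat 5e or better cabling, runs of at most 90 metres, switch PoE that meets the PoE standard the selected AP needs (or a planned inline injector), and at least one outlet, with an advisory note where only one outlet is planned. The locations, switch capabilities and cable runs are constructed sample data, and the PoE standard each AP needs is an input you take from the AP's datasheet, not a value the page gives.

```python
"""Added example (not from the course): check each planned AP location against the
infrastructure requirements in this lesson. Locations, switch capabilities and cable
runs are constructed sample data; the PoE standard a given AP model needs comes from
its datasheet and is supplied per location."""
from dataclasses import dataclass

MAX_CABLE_RUN_M = 90                                 # lesson: at most 90 m from the switch
CABLE_RANK = {"5": 0, "5e": 1, "6": 2, "6a": 3}      # Cat 5e or better is required
POE_RANK = {"none": 0, "802.3af": 1, "802.3at": 2}   # 802.3af ~13 W to the AP; 802.3at is PoE+


@dataclass
class ApLocation:
    name: str
    ap_poe_needed: str       # "802.3af" or "802.3at", from the selected AP's datasheet
    switch_poe: str          # what the existing switch port supplies
    cable_category: str      # "5", "5e", "6", "6a"
    cable_run_m: float
    outlets: int = 1
    injector_planned: bool = False


def check_location(loc):
    """Return (issues, notes): issues block the install, notes are advisory."""
    issues, notes = [], []
    if CABLE_RANK.get(loc.cable_category, -1) < CABLE_RANK["5e"]:
        issues.append(f"Cat {loc.cable_category} cable; Cat 5e or better required")
    if loc.cable_run_m > MAX_CABLE_RUN_M:
        issues.append(f"cable run {loc.cable_run_m:g} m exceeds {MAX_CABLE_RUN_M} m")
    if POE_RANK[loc.switch_poe] < POE_RANK[loc.ap_poe_needed]:
        if loc.injector_planned:
            notes.append(f"switch supplies {loc.switch_poe}; inline injector provides "
                         f"{loc.ap_poe_needed}")
        else:
            issues.append(f"switch supplies {loc.switch_poe} but AP needs {loc.ap_poe_needed}: "
                          "plan an inline injector or a switch upgrade")
    if loc.outlets < 1:
        issues.append("no network outlet at the AP location")
    elif loc.outlets == 1:
        notes.append("single outlet; a second cable now is cheaper than a later retrofit")
    return issues, notes


def check_plan(locations):
    """Map each location name to its blocking issues; clean locations are omitted."""
    report = {loc.name: check_location(loc)[0] for loc in locations}
    return {name: issues for name, issues in report.items() if issues}


# Constructed sample locations for the implementation plan.
SAMPLE_PLAN = [
    ApLocation("AP-lec-1", "802.3at", "802.3at", "6", 40, outlets=2),
    ApLocation("AP-lec-2", "802.3at", "802.3af", "5e", 60),                      # needs PoE+
    ApLocation("AP-dorm-1", "802.3af", "802.3af", "5e", 95),                     # run too long
    ApLocation("AP-dorm-2", "802.3af", "none", "5", 30, injector_planned=True),  # Cat 5 only
]
```

`check_plan(SAMPLE_PLAN)` lists AP-lec-2 (switch supplies 802.3af but the AP needs 802.3at), AP-dorm-1 (95 m run) and AP-dorm-2 (Cat 5 cable); AP-dorm-2's missing switch PoE is only a note because an injector is planned, and AP-lec-1 passes clean.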

If you are using a survey tool, then you will require, as a minimum, a graphical site floorplan and structure
information. Ideally, the floorplan for each floor of a building is delivered to you as a separate file, and the
floorplans are CAD (computer aided design) files or CAD-quality drawings. Some survey applications support
the direct import of CAD drawings, which makes other planning tasks significantly easier. If CAD-quality
drawings are not available, floorplans in a common graphic format, such as .jpg, .png, or .bmp, are usually
sufficient.

All floorplans must be up-to-date and to scale. They should also include the dimensions and be as large as
possible. This allows the survey application to scale the floor plan once it is imported. It is possible to scale
the floor plan without the dimensions, but this can be risky as not all floorplans are a standard size, and this
can lead to scaling errors.

Information about the walls is also important. Internal walls are typically partitions or single brick walls.
Outside walls and stairwells are typically made of concrete. Exact information is not always required, but the
more detail that is provided, the more accurately you can plan. If the building is of an unusual construction, then
a site visit may be required. In some cases, you might need to perform a full active survey. The majority of
modern buildings are built from fairly standard materials, and are easy to simulate.

Other information, such as AP type; client count; any antennas in use; client type, count and distribution; and
application usage, will help refine the design, however a basic AP count and layout can be produced using a
planning tool, provided the minimum information can be supplied.


Good job! You now know what information you need to gather to plan a deployment. Now, you will learn more
about the process of planning a deployment.


After completing this section, you will:


• Understand what decisions need to be made prior to planning the AP layout
• Be able to produce an AP per space plan
• Be able to use Ekahau site survey to produce a simple virtual or predictive site survey


There are some decisions that you need to make before starting the survey. These decisions will vary
depending on the type of network that you’re going to design.

The decisions that you make about coverage and capacity affect the number of APs that are required, so this
is a key area to discuss with the customer.

Different wireless data rates demand different wireless signal strengths. Typically, the faster the connection,
the stronger the signal required from the APs. This ultimately means that the higher the required data rates,
the higher the density of APs.

Data rates are broadly categorized as high throughput (HT) or very high throughput (VHT). HT is based on
the 802.11n standard and VHT is based on the 802.11ac standard. There are some subtle differences
depending on whether you’re using 40 or 80 MHz channels, or if you plan to deploy voice. However, in
principle, there are two different signal strengths that a client could require.

You need to decide, in conjunction with the customer, whether HT or VHT rates need to be available in all
parts of the building. It does not have to be all or nothing. Often, VHT rates are required in classrooms or office
spaces that are close to the clients, while HT rates may be sufficient in spaces that are further away. If a
customer decides that they want VHT rates everywhere, then a stronger signal is required.

As mentioned earlier, the choice of AP will also make a difference. If you have a high number of clients that
use three streams, then selecting an AP that can support those clients would make sense. Conversely, if you
have clients that use two stream 802.11ac or 802.11n, it may be best to select an AP that supports only those
rates. In some scenarios, you may need to have different AP models coexist in the same design. In these
cases, you need to pay careful attention to the AP family limitations, which you will learn about in this course.

The orientation and height of APs is also important. If you are working with non-standard ceiling heights, or
you are planning to mount an AP on the wall, you will need to make sure that the APs or antennas are
correctly orientated in the survey application. Additionally, if you’re using a non-standard antenna, one that
is not supplied with the AP, you will need to configure the antenna in the survey application to ensure the
proper coverage simulation.

If you are performing an AP per space estimate, then the decisions are simpler. You just need to decide what
wireless standard is required and the number of streams that the clients will need.

In general, if you can see an AP, as you would in an AP per space scenario, you can almost guarantee that
you will have a high enough signal strength for VHT rates. If this is the case, the only other things that you
have to consider are which AP best suits the clients’ needs and any mounting or antenna considerations.
Again, it is possible to mix AP families, but generally not recommended. With an AP per space design, it is
best to keep things simple, such as using only a single AP model.

This table lists the coverage requirements you will use when planning a Virtual Cell based wireless network.

It is broadly split into two parts. Reading from left to right, the first two columns show the HT rates and settings
required for a standard data and voice network.

The third column shows the high speed 802.11ac VHT rates. The default for virtual cell, in the majority of
environments, is an 80 MHz channel width, although this can be narrowed to 40 MHz or even 20 MHz, if the
environment requires that.

It is also possible to deploy a voice network using VHT rates, if the signal strength is strong enough to support
voice roaming. There are no specific voice settings for VHT.

Unlike microcell networks where radio power varies to limit CCI, in a virtual cell network, the transmission
power is configured to almost maximum by default.

The transmission power for Europe and North America is shown in the table. For other parts of the world, you
will need to consult local regulations.

Some regulatory domains allow much stronger transmission power. However, although most clients can
receive a signal from a high power AP, they lack the power to transmit a signal back successfully. The
resulting asymmetry can lead to performance and reliability issues. Both the European and the American
regulations allow 30 dBm transmission power for APs in the upper DFS 5 GHz frequencies. However, this power
level is not often used for client connections, due to the asymmetry issues that it can cause. It is mostly used
for point-to-point AP communications that are used in bridging and mesh configurations.

As we can see in the table, signal strength requirements can vary considerably, depending on the
technology that’s being used. If you want to use VHT rates and 80MHz channels in every part of the
building, then every part of the building must be able to receive a signal strength of -56dBm or
stronger. Again, this must be discussed in detail with the customer because it impacts the design
considerably.

Other requirements, such as SNR, minimum number of APs, and AP neighbour count, are critical to
the health of the network. These can be simulated in the survey application; however, signal strength is
usually the primary requirement when placing APs.

The entries in green are specific to Ekahau site survey. These are the settings that the Fortinet
professional services team have found to be optimal when performing a virtual site survey for a virtual
cell based wireless network.

This chart lists the recommended client to interface (or radio) ratio to use when deciding how many APs to
place in a location. There is a hard limit of 128 clients per interface, or 256 per AP.

For the type of network that you are designing in this lesson, client density is defined as typical. Typical client
density is used when clients are using file and print services, together with video streaming that is consistent
with classroom or managed corporate desktop use. For this type of usage, we recommend that you aim for a
ratio of 30 clients per radio.

In BYOD environments, where users might have multiple devices and only be using basic browsing and other
lower bandwidth applications, you would aim for a ratio of 80 clients per radio, as specified by the high density
option.

Most APs have two radios, a 2.4 GHz radio and a 5 GHz radio. When advertising the same wireless network
on both frequency bands, it is not always possible to predict exactly which interface a dual band capable client
will join. Modern 802.11ac clients should always favour the superior 5 GHz band as that will provide the most
capacity, so if the majority of your clients are modern you might perform your client to interface calculations
using the 5 GHz interface only. This would potentially leave the 2.4 GHz band relatively unused, unless you forced
clients to use this band by advertising networks only on the 2.4 GHz interface. Indeed, many wireless networks
utilise the 2.4 GHz range by only advertising guest networks on that band, which leaves the superior 5 GHz band
less congested for the corporate or school clients.

These numbers are only a guide; they will get your AP count into the right ‘ball park’. The network will not
break if you exceed the ‘typical’ or ‘high’ numbers, but it is reasonable to assume that performance will be
impacted the more that you exceed these guidelines. In reality, you have to monitor the network post
installation to determine if any part of the network is under pressure. If it is, it is possible to easily add capacity
using Virtual Cell channel layering. Channel layering is an advanced topic which is not covered in this course.
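To show how the client-to-radio guidance above turns into an AP count, and how a post-installation load compares against the guideline and the hard limit, here is an added Python example. It is not part of the study guide and is not Fortinet code. It uses only the two ratios the chart names (30 clients per radio for typical density, 80 for high density) and the hard limit of 128 clients per interface; the space names and client counts are constructed, and the "5 GHz only" option reflects the guide's advice to size on the 5 GHz interface when most clients are modern.

```python
import math

# Recommended client-to-radio ratios from the study guide's density chart.
# Only the two ratios the text names are included here.
RATIO_PER_RADIO = {
    "typical": 30,  # file/print plus video; classroom or managed corporate desktop
    "high": 80,     # BYOD, basic browsing and other low-bandwidth applications
}
HARD_LIMIT_PER_RADIO = 128  # hard limit per interface (256 per dual-radio AP)


def radios_required(clients, density):
    """Radios needed to stay within the recommended ratio for this density."""
    return max(1, math.ceil(clients / RATIO_PER_RADIO[density]))


def aps_required(clients, density, plan_5ghz_only=True):
    """APs needed for one space.

    With plan_5ghz_only=True only the 5 GHz radio is counted as capacity
    (modern clients favour it), so each AP contributes one usable radio.
    With False both radios are assumed to carry clients.
    """
    usable_radios_per_ap = 1 if plan_5ghz_only else 2
    return math.ceil(radios_required(clients, density) / usable_radios_per_ap)


def assess_load(clients, radios, density):
    """Classify an observed (post-installation) client load on a set of radios.

    'over_hard_limit': the clients cannot all associate (128 per radio).
    'over_guideline':  they can, but performance degrades the further the
                       ratio exceeds the recommendation.
    'ok':              within the recommended ratio.
    """
    per_radio = clients / radios
    if per_radio > HARD_LIMIT_PER_RADIO:
        return "over_hard_limit"
    if per_radio > RATIO_PER_RADIO[density]:
        return "over_guideline"
    return "ok"


def plan_spaces(spaces, plan_5ghz_only=True):
    """spaces: list of (name, clients, density).
    Returns ({space: ap_count}, total_ap_count) for the floor."""
    plan = {name: aps_required(clients, density, plan_5ghz_only)
            for name, clients, density in spaces}
    return plan, sum(plan.values())


# Constructed sample floor (not from the guide): two classrooms, a lecture
# hall and a BYOD cafe area.
SAMPLE_SPACES = [
    ("classroom-1", 32, "typical"),
    ("classroom-2", 28, "typical"),
    ("lecture-hall", 200, "high"),
    ("cafe", 150, "high"),
]

if __name__ == "__main__":
    print(plan_spaces(SAMPLE_SPACES))                       # total 8 APs, 5 GHz only
    print(plan_spaces(SAMPLE_SPACES, plan_5ghz_only=False))  # total 5 APs, both bands
    print(assess_load(45, 1, "typical"))                     # over_guideline
```

The two `plan_spaces` calls show why the band assumption matters: counting only the 5 GHz radio as capacity raises the AP count for the same floor, which is the conservative choice when the 2.4 GHz band is reserved for guests.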

In a FortiWLC based network, the choice of APs is fairly straightforward. Key things to note when selecting
APs:
• The AP series of devices work ONLY with a FortiWLC controller.
• The FortiAP-U universal series of devices can operate with either a FortiWLC or a FortiGate.
• All other FortiAP devices operate only with a FortiGate or FortiCloud.

After that, the choices you have to make are about AP usage, the number of streams and the wireless
standard that the client requires.

When considering APs, it’s always a good idea to consider the future. It is important to ensure that you build in
a certain amount of future proofing as more modern clients arrive in your network. It is best to pick the AP that
you think can support your network for the next five years.

Some APs have unique uses, such as the AP122. The AP122 is designed for in-room use, typically in a
hotel or dorm room scenario. In addition to wireless, it also supports multiple wired connections. This allows
you to connect other types of equipment that might be in the room, such as phones, wired laptops, or
entertainment devices.

Some APs include additional functionality, such as built in spectrum analysis, Bluetooth beaconing, and
wireless intrusion protection. As APs evolve to include more features, it is important to ensure that you’re
familiar with the capabilities and specification of the current range of APs.

The majority of APs installed in FortiWLC networks are only ever used with the supplied antennas. However,
there are some scenarios in which external antennas can be useful, other than for the aesthetic purpose of hiding
the AP. Antennas can change the coverage pattern and focus the wireless signal in a particular direction.

The diagrams in this slide show two APs transmitting a wireless signal with the same power; however, two
different antennas are used. The first is an omnidirectional antenna, which projects the signal in a 360° circle
around the AP. The second is a directional Yagi antenna, which allows a greater distance to be covered, at
the expense of coverage area.

Different antennas have different coverage patterns. You can read about the coverage patterns on the
antenna data sheet that is supplied with the AP. You can also simulate the coverage using the site survey
program, so that you can experiment with different antenna and AP combinations, to provide the best coverage
for your solution.

Typically, external antennas are used in areas where client density is not an issue, for example, in
warehouses, where a large amount of floor space needs to be covered, but there are few wireless clients. It may
not make financial sense to install several APs for a small number of clients. In scenarios like these, the
coverage pattern of a small number of APs can be extended to cover a larger amount of space. Using a
survey program and a detailed floor plan can help you optimize coverage using antennas and APs.

On occasion, you need to cover outdoor areas. Fortinet has a range of external grade APs that can be
installed indoors or outdoors. It is also possible to install an AP inside a building and connect it to an antenna on
the outside of the building. You can use this type of installation to provide coverage for areas such as parking
lots, playgrounds, or sports fields.

There are some general guidelines to follow when positioning APs using a survey application.

If you are planning a multi-floor building, ensure that you import each floor as a separate project. Virtual cell
networks do not require you to simulate coverage between floors. To minimize the amount of time spent
processing the simulation, it is best to import each floor as a separate project.

Drawing walls on the plan is also part of the process. You should try to be as accurate as possible in
identifying the material that the walls are made of. However, when drawing walls in the plans, it is not
necessary to include doors or windows. It is far more efficient to draw across them and treat them as part of the
wall; the difference in coverage gained by painstakingly changing material to draw a short length is simply not
worth the extra time.

When you are creating simulations, use the same type of APs and antennas that you plan to use in the actual
installation. This will ensure that you get an accurate simulation of the coverage.

Always try to place APs as close as possible to clients. When you are planning the placement of APs, it is
important to understand the purpose of the space that you are placing the APs in. If you place APs to provide
optimal coverage in a space where not many clients are located, you will be providing coverage where it is not
really needed.

When placing APs, you should always optimize coverage for 5 GHz. Most survey applications give you the
ability to simulate coverage in 2.4 GHz or 5 GHz. Typically, 5 GHz has a shorter range. If you optimize coverage for
2.4 GHz, you might find areas in your 5 GHz coverage where the signal drops below the required signal
strength. Virtual cell is very tolerant, and spacing out 2.4 GHz radios is not as critical as it would be in a
microcell network.

When placing APs, use the signal strength visualization option of the survey application. This allows you to
‘paint’ the floor with the required signal strength. Be aware that, in addition to verifying the primary coverage,
you also need to ensure that a secondary AP is available.

In an Ekahau survey, you can verify secondary signal strength using the second strongest signal visualization.
That way, wherever your station is in the building, you will have one AP available at the required primary
signal strength and one available at the secondary signal strength. It is recommended that you have a second
AP available, albeit at a lower signal strength, to optimize operation of Virtual Cell and ensure a certain amount
of RF redundancy in the event of a primary AP failure.

Ensure that you simulate using the recommended client adapter. Refer to the coverage requirements. If you
are using Ekahau, once you have placed the APs in accordance with the primary and secondary coverage
requirements, you can cross check using the network health and network issues visualisation option. This will
help ensure that you are meeting the specified coverage requirements by displaying coverage across the
plan. The colour green is used to show a pass and red a fail.

You can also check the AP neighbour count. By looking at the number of APs that are in the visualisation,
you can estimate whether or not the network is going to be over deployed or have too many AP neighbours.

It is not always necessary to paint the entire area green. Some corners of a room may not quite meet the
requirements. Trying to paint every corner of every room green can lead you to use more APs than are truly
required. The signal strength that you see in the simulation will not always match exactly what you see on
the ground in the actual deployment.

When placing APs, take the time to annotate the plan with AP names and channel settings. Entering this
information at this point simplifies the generation of design and handover docs.

When figuring out a general placement plan for larger spaces, consider a simple rectangle.

In the example shown in this slide, an AP has a certain signal strength at a certain distance. If we use this
distance as a standard, we can begin to cover the area with additional APs.

Here is a second AP, and we add a third to cover the area between the first two APs, putting the third AP as
close as we can without overlap.

We now add two more, again putting the APs as close as we can without overlap, and so on.

Now that we have our coverage placed, let’s see if there are any general patterns that emerge. First, we
remove the coverage circles.

Now we can see that we could describe the layout as a zig-zag pattern.

We can replicate this pattern across the entire floor area. If this is done in conjunction with the signal strength
visualisation, it should be fairly easy to paint the floor with quality coverage.
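The zig-zag placement described above, together with the primary and "second strongest signal" checks the earlier slide describes for the survey tool, as an added Python example that is not from the study guide and not Ekahau's or Fortinet's code. It stands in for the survey tool's coverage circle with a plain fixed radius around each AP (an assumption; no path-loss model is implied), and the 60 m by 40 m floor, the 10 m radius and the two AP spacings are constructed. The example goes slightly beyond the slide: it also shows what happens when the circles only touch (the spacing the slide's animation starts from) versus overlapping so that every point is reached.

```python
import math


def zigzag_layout(width, height, spacing):
    """Staggered (zig-zag) AP grid over a width x height rectangle.

    Rows are spacing*sqrt(3)/2 apart and every other row is shifted by half
    the spacing, so no point of the plane is further than spacing/sqrt(3)
    from a grid point.  The grid is generated slightly past the outline and
    each AP is then clamped onto it: moving a point onto a rectangle never
    increases its distance to any point inside that rectangle, so coverage
    is kept while every AP stays inside the building.  Returns sorted (x, y).
    """
    row_h = spacing * math.sqrt(3) / 2
    aps = set()
    for j in range(0, math.ceil(height / row_h) + 2):
        y = j * row_h
        offset = spacing / 2 if j % 2 else 0.0
        for i in range(-1, math.ceil(width / spacing) + 2):
            x = offset + i * spacing
            aps.add((min(max(x, 0.0), width), min(max(y, 0.0), height)))
    return sorted(aps)


def coverage_fraction(aps, width, height, radius, need=1, step=0.5):
    """Fraction of sample points on a `step` grid that have at least `need`
    APs within `radius`.  need=1 is the primary-signal check; need=2 is the
    'second strongest signal' check that a secondary AP is also in reach."""
    nx, ny = int(width / step) + 1, int(height / step) + 1
    covered = 0
    for iy in range(ny):
        y = min(iy * step, height)
        for ix in range(nx):
            x = min(ix * step, width)
            hits = 0
            for ax, ay in aps:
                if math.hypot(ax - x, ay - y) <= radius + 1e-9:
                    hits += 1
                    if hits >= need:
                        break
            if hits >= need:
                covered += 1
    return covered / (nx * ny)


if __name__ == "__main__":
    # Constructed example: a 60 m x 40 m open floor where the required primary
    # signal strength is reached out to 10 m from an AP.
    w, h, r = 60.0, 40.0, 10.0
    tight = zigzag_layout(w, h, r * math.sqrt(3))  # circles overlap: full coverage
    loose = zigzag_layout(w, h, 2 * r)             # circles only touch: gaps remain
    print(len(tight), coverage_fraction(tight, w, h, r),
          coverage_fraction(tight, w, h, 2 * r, need=2))
    print(len(loose), coverage_fraction(loose, w, h, r))
```

With the circles only touching, the sample grid finds uncovered points between every three APs, which is exactly the red that the survey tool's signal-strength visualisation would show; pulling the spacing in to radius times the square root of three removes them, at the cost of a few more APs.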

If seamless roaming for voice purposes is important, the best practice is to ensure that the corners of all
corridors are covered.

If we consider a client walking down the corridor and turning the corner, we can see that placing an AP at
the apex of the corner ensures that the client receives a signal at both ends of the corridor.

Placing APs in corridors should be avoided where possible. It can cause the signal to travel further than
expected due to the wave guide effect of a signal bouncing down a corridor.

Placing APs in rooms limits the signal to a particular area and potentially decreases the size of the
interference region. It can also minimize the opportunity for clients to stick, if the network is configured for
native cell mode.

There are some edge case scenarios where a corridor AP might be required. Some voice solutions are more
reliable if there are APs occasionally positioned in corridors, as well as ones positioned in rooms.

Now you will watch a video of a simple Ekahau-based site survey. The basic principles demonstrated in the
video apply to most planning tools.

The video covers the creation of a basic site survey for a small hotel. It demonstrates basic techniques and
the process for placing APs to optimize both primary and secondary coverage. It also demonstrates a survey
for HT rates that require a primary signal coverage of -64dBm.

The techniques and the principles shown in the video are the same for larger deployments. You would use
exactly the same method for placing the APs, verifying that the coverage is correct, and cross checking,
regardless of the size of the deployment.

The video also demonstrates how to configure Ekahau to plan a virtual cell network and it also shows how to
change settings to enable the most accurate virtual cell survey.

Ekahau site survey is a complex product. This video shows you a subset of its functionality, purely for the
purposes of planning a virtual cell network. If you are planning to do regular deployments of wireless
networks, spending more time learning the product and, potentially, attending a training course, is highly
recommended.

Now that you have seen how to perform a virtual site survey using HT rates, here are the results of the process
run a second time, using VHT rates. You can see the increase in the AP count required to provide the signal
coverage.

Even with this increase, you will see that there is still not 100% coverage, as some areas of the building do not
quite have the -56 dBm coverage required for full 802.11ac rates at 80 MHz. When you are conducting a
survey, you must confer with the customer to agree on the acceptable level of coverage. It is unlikely that
every corner of a floor requires the highest connection rates.

You could continue adding APs in an effort to paint the whole area green; however, at a certain point, you
would need to consider implementing a channel stripe to reduce the neighbour count. When you implement a
channel stripe, half of the APs in your plan would move to a different channel that is part of the stripe. This
would keep the neighbour count from growing too large and affecting service levels.

The AP per space method is simpler than any of the other survey methods. Sizing an AP per space
installation involves determining the number of spaces or rooms that require coverage and then placing an AP
in each of them.

When you use this method, you aim to place the AP near the centre of the room and avoid placing it too close
to walls or other obstacles that can disrupt the signal. You can also wall or ceiling mount the AP without
significantly affecting coverage in the room.

It is often advisable to factor an additional 20 percent on to the AP count to act as a safety margin. For
example, when sizing installations in small schools, although it is typically the classrooms that require
coverage, adding 20 percent to the AP count allows for coverage in other areas, such as staff rooms. Also
some areas, such as restaurants, qualify as one space; however, when that space is large or heavily used by
clients, more than one AP might be required to provide adequate coverage. So in these cases, planning for
some contingency is advisable.

Once you have completed the installation, you should perform an AP neighbour check. You can query the
controller to get a list of neighbouring APs and their count. If the recommended AP neighbour count is
exceeded, network performance can suffer.

When a deployment includes a large room where only one AP is installed, you should perform a coverage check
to verify that there is sufficient coverage in each area of the room.

Good job! You have now learned how to perform a site survey to determine the number of APs required to
provide wireless coverage across a facility. Now you will learn how to select the most appropriate controllers
to support the installation.

After completing this section, you should be able to:

• Understand the key metrics used in controller sizing
• Select the best controller for a network
• Deploy multiple controllers to support a large number of APs and clients

FortiWLC devices come in a variety of sizes and on a number of platforms. They can be characterized in
three groups: entry level controllers, mid-range controllers, and high-end controllers.

The main metric used to categorize a controller is the maximum number of APs that it can support. The name
and model number of the controller often reflect this AP count.

At the entry level, the FWC-50D supports up to 50 APs. At the high end, the largest controller, the FWC-3000D,
supports up to 3000 APs.

This table lists the current range of FortiWLC devices available.

Older Meru controllers are prefixed with MC and the newer Fortinet controllers are prefixed with FWC. Note that
the newer Fortinet platforms will work only with version 8 or later of System Director. This means that older
Meru branded APs cannot be added to a FortiWLC branded controller. To confirm which APs are supported by a
specific version of System Director, always refer to the release notes.

All Fortinet controllers are physical, hardware-based appliances. The older Meru controllers came in both
virtual appliance and physical appliance formats. The virtual edition is currently available only as a VMware
image. The virtual controller and physical controller specifications are the same; that is, they are capable of
supporting the same number of stations, APs, and so on.

When sizing controllers, the station count and the throughput capability of the controller are very important
factors to consider. You should also consider the number of SSIDs, service control locations, and service
control discovery list entries that the controller supports.

Service control is a software mechanism that is available on controllers. It allows for the precise control of
multicast DNS. Apple’s Bonjour protocol uses multicast DNS to enable AirPlay and AirPrint services between
Apple devices. Service control is used to control multicast DNS traffic in a wireless environment. If you or a
customer are planning to use service control to manage Apple Bonjour traffic, be aware that there are
limitations based on controller size.

For more information about service control, see the Service Control Deployment Guide on the Fortinet
Knowledge Base.

The prime metrics used in controller sizing are: AP count, client count, and controller throughput.

1. AP Count
Your survey should help you determine the required number of APs; however, you should always size a
controller to support more than the number of APs indicated by the survey. This allows you to deal with
network growth by adding more APs at a later date, without having to upgrade the controller. Best practice
suggests that you size the controller to support at least 20% more than the number of APs that you have in
your survey.

Some FortiWLC APs can perform full VPN encryption of the control and data plane traffic. This is useful
when APs are remotely based across a public Internet connection. However, full VPN encryption applies
additional load at both the controller and the APs. As a result, the number of VPN encrypted APs that the
controller can support is limited. If you are planning to deploy multiple VPN encrypted APs, you should contact
Fortinet for assistance.

2. Client Count
Client count is increasingly important when sizing controllers. As BYOD has grown in popularity, you
increasingly see users equipped with multiple wireless devices: laptops, tablets, and smart phones.

Each wireless client in the network consumes a resource at the controller. As a result, each controller has a
recommended user limit. For example, the FWC-500D has a recommended user limit of 6250 devices. If
you use the recommended ratio of three devices to one person, then this controller is capable of supporting
just over 2000 users at a time. The user limit is a recommendation, and not a hard limit; however,
performance will suffer as you exceed these numbers.

Again, you should always consider a growth factor, when planning for the number of users. Just like APs, best
practice suggests that you plan for at least 20% more than the number planned for the network at the outset.

3. Controller Throughput
By default, FortiWLC APs tunnel traffic back to the controller. The traffic is then processed by the controller,
and egresses from the controller ports. This operating mode is known as a tunnel mode and is the default
mode for the network.

The FortiWLC controller supports several network connection types. Higher end controllers offer 10 GbE
connectivity, whilst the base connectivity is 1 GbE. Knowing exactly how much data will be crossing your
network at any one time is difficult to calculate, unless you can use the throughput numbers for some specific
applications to form an estimate. If you are using an entry-level or a mid-range controller and you determine
that your throughput is reaching the limit of the controller connections, then you have the option to upgrade to a
high-end controller or use the AP to bridge traffic to the LAN directly in order to manage throughput.
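As an added example that covers both the AP-per-space margin from the survey section and the controller sizing rules above, the following Python code applies the 20% growth factor to APs and clients, converts users to devices with the three-devices-per-user ratio, and picks the smallest controller whose known limits fit. It is not from the study guide and not Fortinet code. The controller table holds only the figures the guide states (FWC-50D 50 APs, FWC-3000D 3000 APs, FWC-500D 6250 recommended devices); the FWC-500D AP limit of 500 is an assumption read from the model number, and any limit the guide does not give is left as None and reported as unverified rather than guessed. The survey numbers in the usage section are constructed.

```python
GROWTH_PCT = 20          # best practice: at least 20% headroom on APs and on clients
DEVICES_PER_USER = 3     # the guide's recommended device-to-person ratio
AP_PER_SPACE_MARGIN_PCT = 20

# Controller limits.  50 APs (FWC-50D), 3000 APs (FWC-3000D) and 6250 devices
# (FWC-500D) are the figures the guide states.  The FWC-500D AP limit of 500 is
# an ASSUMPTION from the model number.  None = not stated in the guide; take it
# from the datasheet before relying on it.
CONTROLLERS = [
    {"model": "FWC-50D",   "max_aps": 50,   "rec_devices": None},
    {"model": "FWC-500D",  "max_aps": 500,  "rec_devices": 6250},
    {"model": "FWC-3000D", "max_aps": 3000, "rec_devices": None},
]


def with_growth(count, pct=GROWTH_PCT):
    """Round a planned count up after adding pct percent (integer arithmetic,
    so 95 * 1.2 style float rounding cannot shave the result)."""
    return (count * (100 + pct) + 99) // 100


def ap_per_space_count(spaces, margin_pct=AP_PER_SPACE_MARGIN_PCT):
    """AP-per-space sizing: one AP per room plus the contingency margin."""
    return with_growth(spaces, margin_pct)


def size_requirements(planned_aps, users, devices_per_user=DEVICES_PER_USER):
    """Controller requirements: the AP count and the user count both get the
    growth factor; users are converted to devices first."""
    return {
        "aps": with_growth(planned_aps),
        "devices": with_growth(users * devices_per_user),
    }


def select_controller(required, controllers=CONTROLLERS):
    """Smallest controller (by AP limit) that meets the AP requirement.

    Returns (model, unverified), where `unverified` lists limits the table does
    not know for that model.  A known limit that is too small rules the model
    out; an unknown one is flagged rather than assumed.  (None, []) if nothing
    fits.
    """
    for ctl in sorted(controllers, key=lambda c: c["max_aps"]):
        if ctl["max_aps"] < required["aps"]:
            continue
        unverified = []
        if ctl["rec_devices"] is None:
            unverified.append("rec_devices")
        elif ctl["rec_devices"] < required["devices"]:
            continue
        return ctl["model"], unverified
    return None, []


if __name__ == "__main__":
    # Constructed scenario: the survey placed 95 APs for 600 staff and students.
    req = size_requirements(95, 600)
    print(req)                      # {'aps': 114, 'devices': 2160}
    print(select_controller(req))   # ('FWC-500D', [])
    print(ap_per_space_count(48))   # 58 APs for 48 classrooms
```

When the chosen model comes back with an unverified limit, the sizing is incomplete until that figure has been checked against the datasheet; the function makes that visible instead of silently passing a model through on the AP count alone.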

You might need to consider including multiple controllers to support your network when the network is located
on a large campus or when the existing controller has run out of capacity.

You can add additional controllers to a network to work alongside existing controllers. This is sometimes
referred to as multiple active controllers; however, you should note that this does not imply any form of fault
tolerance. It simply refers to the fact that there are multiple controllers in a network that are actively supporting
APs and clients.

Each additional controller should be considered as a discrete wireless network:

• It is not possible for virtual cells to span controllers.
• Clients cannot roam between controllers. Moving from an area supported by one controller to an area
supported by another will result in a full layer three disconnection and reconnection, complete with DHCP
and re-authentication. There is an option called inter-controller roaming (ICR) that allows clients roaming to
another controller to tunnel their way back to the original controller.

When you deploy multiple controllers, you want to try to minimize any connectivity disruption that a client
experiences when they move between areas supported by different controllers. When you deploy multiple
controllers in multiple buildings, the recommended best practice is to assign one controller per building or group
of buildings. When multiple controllers are organized this way, clients have all the benefits of virtual cell when
they are inside a building or group of buildings, and when they move to another building or building group,
they have to perform layer three roaming only once.

The diagram on this slide depicts a campus with many buildings. Each group of buildings has been assigned
its own colour to indicate the controller which is assigned to it. Where possible, and practical, buildings have
been grouped together to minimize roaming events for the clients.

Do not mix APs from different controllers in the same building or on the same floor.

Don’t forget to always allow for a growth factor.

Each controller is a discrete network. As a result, each controller requires its own unique controller index to
identify it and its own management IP. It is also highly recommended that each controller have its own
VLAN to support its APs.

When you have multiple controllers on a campus, it is highly recommended that you also install FortiWLM
network manager appliances to simplify the management and monitoring of multiple controllers.

In tall buildings or skyscrapers, it may not be possible for one controller to support the entire building. In cases
like this, you can divide the building into stripes or blocks of floors. Each stripe or block is supported by a
controller, with the goal of minimizing the roaming required for clients moving around the building.

Once you’ve selected a controller, you may need to consider licensing.

If you’ve selected a legacy Meru controller or you are expanding a network that contains a legacy Meru
controller, you’ll need to ensure that you have the correct licenses.

Legacy controllers can support up to 50, 200 or 500 APs, depending on the model. However, each AP has to
be licensed separately. It’s possible to purchase an MC 4200 that supports up to 500 APs from a hardware
capability point of view; however, it’s still necessary to buy AP licences for each AP you’re deploying.

You also require licenses for spectrum management functionality and N+1 redundancy. Spectrum manager is
licensed by the number of sensors. The sensor is an AP that can be turned into a spectrum manager device
or a dedicated spectrum sensor, such as a PSM3x.

N+1 redundancy is licensed by the number of primary controllers that a single standby controller can support.

When you are dealing with older legacy Meru controllers, be aware that there are licensing considerations.

FortiWLC devices do not require a licence. They will automatically support up to the maximum number of APs
that the controller is capable of supporting.

In addition, N+1 redundancy and spectrum manager licences for up to 10 sensors are also included with all
controllers.


Good job! You have learned about sizing and selecting equipment for your deployment. Now, you will learn
about creating an implementation plan.


After completing this section, you should know what information is required to create an implementation plan
that you can hand over to the installation team.


However you choose to communicate it, this is the information required by whoever is installing the network.

Controllers require a dedicated management IP, preferably in a VLAN that is dedicated to networking devices.
A DNS hostname is required, together with a DNS suffix. Configuring DNS resolvers and NTP servers is highly
recommended. Time synchronization is very important when you are implementing virtual controllers, multiple
active controllers, or a FortiWLM management appliance.

If the customer requires traffic to egress into VLANs, then you need to know the tag of each VLAN. The controller
also needs an IP address in each VLAN. Even though the controller deals with frames and is not a router, it
sometimes has to deal with IP traffic. When it does, it needs an IP address assigned in each VLAN.

In large installations, it’s very likely that RADIUS authentication will be required. As a result, the RADIUS
server details will be required. It is also worth emphasizing that the RADIUS server administrator for the
network will need to be aware of the need to set up the controller as a RADIUS client.

The controller is supplied with a self-signed web certificate. This is used for encrypting web server traffic,
which is used for the controller configuration web interface and the captive portal. If you are planning to offer
captive portal guest networks to end users, then a publicly signed certificate is highly recommended, because
guest browsers will otherwise display a certificate warning for the self-signed certificate.

For the wireless networks, the installation engineer needs to know:

• The SSID
• The dataplane mode – is it bridged or tunnelled?
• On which interface each SSID will be available
• Whether it is available on 2.4 GHz only, or on both 2.4 GHz and 5 GHz
• The nature of the authentication: preshared key or RADIUS enterprise authentication


For each AP, the installation engineer needs to know:

• Its location, preferably marked on a plan
• The AP name
• Which controller is supporting it

For each AP radio or interface, the installation engineer needs to know:
• The channel setting and width
• The power setting
• If using non-standard antennas, which one and the gain in decibels

Spreadsheets are commonly used to track this information. If you are going to be deploying wireless networks
on a regular basis, you might want to formulate your own spreadsheet template.


If you have used Ekahau Site Survey to create an AP deployment plan, you have already seen in the video
demonstration the ability to print out AP location plans and also the ability to print out AP configuration
information.

As you can see from the animation on this slide, it is possible to use the survey reports to cut and
paste information into a template.

Once in this template, you can organize the information to include the name of the AP (if not already in the
report), the channel setting, and the power setting of the radios.

Note that Ekahau exports transmission power in milliwatts. You need to convert this to dBm, because the
controller sets transmission power in dBm.

You can also include VLAN tag information for each AP where networks will be bridged, and include
information about which radios will broadcast which SSIDs.

The format of the spreadsheet is of course up to you, but using the Ekahau report as a source for this
information can be a significant time saver.
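As an added example (not part of the study guide, and not an Ekahau or Fortinet tool), the following Python script turns a constructed Ekahau-style export into the per-radio implementation-plan rows described in this section: it converts the exported milliwatt power to the whole-dBm value the controller is configured with, and derives the SSIDs and bridged VLAN tags for each radio from a constructed network design. The export column names, AP values and network definitions are assumptions for this example only.

```python
"""Build FortiWLC implementation-plan rows from an Ekahau-style AP export."""
import csv
import io
import math

# Constructed sample export. Ekahau's real column names are not given on the
# page, so these headers and values are assumptions for this example only.
EKAHAU_EXPORT = """\
AP Name,Floor,Radio,Channel,Width (MHz),Power (mW),Antenna,Antenna Gain (dBi)
AP-01,Floor 1,2.4 GHz,1,20,25,Internal,0
AP-01,Floor 1,5 GHz,36,40,100,Internal,0
AP-02,Floor 1,2.4 GHz,6,20,12.5,Internal,0
AP-02,Floor 1,5 GHz,40,40,50,External patch,6.5
"""

# Constructed wireless-network design: the bands each SSID is broadcast on,
# its dataplane mode and, for bridged networks, the VLAN tag the AP switch
# port must carry.
NETWORKS = {
    "Corp":  {"bands": ("2.4 GHz", "5 GHz"), "mode": "tunnelled", "vlan": None},
    "Guest": {"bands": ("2.4 GHz",),         "mode": "bridged",   "vlan": 10},
}


def mw_to_dbm(milliwatts):
    """Convert transmit power from milliwatts to dBm: dBm = 10 * log10(mW)."""
    if milliwatts <= 0:
        raise ValueError("transmit power must be a positive number of milliwatts")
    return 10 * math.log10(milliwatts)


def plan_rows(export_text, controller, networks):
    """Turn an Ekahau-style CSV export into one implementation-plan row per radio.

    The exported power is rounded to the whole-dBm value the controller is set
    to; SSIDs and bridged VLAN tags are derived from the network design.
    """
    rows = []
    for rec in csv.DictReader(io.StringIO(export_text)):
        band = rec["Radio"]
        # SSIDs this radio broadcasts: every network that includes its band.
        ssids = [name for name, net in networks.items() if band in net["bands"]]
        # VLAN tags the installer must trunk to the AP for bridged networks.
        vlans = sorted(
            {net["vlan"] for name, net in networks.items()
             if name in ssids and net["mode"] == "bridged" and net["vlan"] is not None}
        )
        power_mw = float(rec["Power (mW)"])
        rows.append({
            "ap_name": rec["AP Name"],
            "location": rec["Floor"],
            "controller": controller,
            "radio": band,
            "channel": int(rec["Channel"]),
            "width_mhz": int(rec["Width (MHz)"]),
            "power_mw": power_mw,
            "power_dbm": round(mw_to_dbm(power_mw)),
            "antenna": rec["Antenna"],
            "antenna_gain_dbi": float(rec["Antenna Gain (dBi)"]),
            "ssids": ", ".join(ssids),
            "bridged_vlans": ", ".join(str(v) for v in vlans),
        })
    return rows


def to_csv(rows):
    """Serialise the plan rows as CSV text for the installation spreadsheet."""
    if not rows:
        return ""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    # "WLC-01" is a constructed controller name.
    print(to_csv(plan_rows(EKAHAU_EXPORT, "WLC-01", NETWORKS)))
```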


Good job! You now understand how to plan an implementation.


Congratulations! You have completed the lesson. In this lesson, the following topics were covered:
• Design process
• Deployment methods
• Customer requirements and information gathering
• Deployment planning
• Equipment sizing and selection
• Implementation planning

Controller Installation

In this lesson, you will learn how to install both a physical and a virtual controller and perform the initial setup
of System Director. This will result in a basic configuration that is ready for integration into the core
network, the installation of APs, and the configuration of wireless networks.


After completing this lesson, you should be able to:

• Select a System Director software version
• Connect and configure the controller
• Access the controller
• Configure System Director
• Upgrade System Director


In this section you will learn how to locate and select the correct version of System Director for your
installation.


System Director (SD) is the Linux-based operating system, initially developed by Meru Networks, that is
installed in the local storage of controllers. SD coordinates all the activity on the network, ensuring that the
client connectivity and AP radio configuration are optimal.

SD is installed on both physical and virtual controllers. Each model of controller has its own image of SD,
and the images cannot be interchanged. For example, a FortiWLC-50D image cannot be installed on a
FortiWLC-200D.

APs also run a version of System Director; they come pre-installed with an image from the factory.
Controllers also contain AP software images that are used during AP upgrades.


On hardware controllers, the SD image is installed during the build in the factory; however, the version
installed at the factory may not be the latest version. Unless there’s a specific reason not to, you should use the
most current version of SD.

If you are upgrading by several versions, you need to follow the upgrade path specified in the release
notes for the upgrade.

The release notes also provide details about any new functionality or changes in support that are included
in the update. You should pay careful attention to the release notes before updating, to ensure that an update
which drops support for older AP models does not cause a loss of service in the areas those APs cover.

Typically there are two or three software updates per year, depending on the release of new
wireless standards and APs. Updates are available from the Fortinet support site and are currently free to
customers that have a current support contract.

It is not necessary to update APs separately. The software images for the APs are stored inside the
controller software image. The controller automatically manages the software images on the connected
APs.


You should review the customer support bulletin to read the latest information about SD releases.


Once you know which version of SD you require, you can download it from the Fortinet Customer Service
& Support portal.

On the Fortinet Customer Service & Support webpage, the release notes are posted on the Home tab.
1. On the Fortinet Customer Service & Support page, click Download.
2. From the Select Product dropdown menu, select FortiWLC-SD to see all the available software
downloads for the controller.

Note: Older versions of SD are available for backwards compatibility.

The folder that contains the update files also contains the installation, configuration, and deployment guides. If
you do not already have copies of these, download them.


The update files are organized according to controller model. Physical controllers have only upgrade files.

Virtual controllers have three sets of files:

• An upgrade file that ends in rpm.tar.
• A collection of installation image files for the North American market, which is hard coded with the
wireless region code. These files are appended with –US.
• A collection of installation image files for the rest of the world, which are configurable for different
regions during the setup process. These files are appended with –INTL.

Note: There are several files associated with the virtual image that you will need to download.


Good job! You now know how to locate and select the correct version of System Director for your
installation. Now, you will learn how to connect and configure the controller.


In this section, you will learn how to install and connect a hardware controller.


Controllers require a minimum 1 Gb Ethernet connection to the network. Lower speed connections can
work, but they cause a significant performance impact.

Most controllers have multiple Ethernet connections available. Modern controllers have a minimum of four
gigabit connections, or the option of 10 Gb connections. Depending on the size and configuration of your wireless
network, you may need to consider using multiple ports or installing a 10 Gb connection on the
controller.

If your controller has additional connectivity options, such as SFP or 10 Gb modules, installing or enabling
them disables any other ports. You can only use one or the other.

When you aggregate links, static aggregation is the only mode that is supported. LACP, 802.3ad, or later
dynamic link aggregation is not currently supported on the controller.

When configuring the controller for the first time, you should connect the first port on the controller to a
switch.

Power is also an important consideration. In a default configuration, if your controller loses power, the
entire wireless network fails. So, for critical networks, the controller should be backed up by an
uninterruptible power supply (UPS). Redundant controllers should also be connected to a UPS.


The controller has a serial console port that provides access to the controller software. It is used during the
initial setup and for upgrades.

The console port is located on the front of the controller. On newer controllers, the port is an RJ-45 socket.
Controllers include a serial console cable, but the pin configuration is an industry standard, so cables from
other vendors may also work. Most newer laptops do not have a serial port, so an additional USB-to-
serial converter may be required.

If the controller is connected to a network connection that provides DHCP, then it will attempt to claim a
DHCP address. If DHCP is not available, the controller uses the default IP, 192.168.1.12. If required, you
can use this IP address to set up the controller using the web interface or an SSH session.


If you are planning to connect to the controller using the console, you need to use a terminal program,
such as PuTTY or Tera Term.

One major difference between the FortiWLC controllers and other networking equipment is the baud rate
that the console operates at. To connect to the controller, you will need to configure the client for 115200
baud. The other settings are more standard: eight data bits, one stop bit, no parity, and no flow control.
You select the COM port based on your system setup.


The controller also has USB ports, but they are not used. Some controllers have a reset button, which,
generally, triggers a hard reset of the controller.

LEDs show the status of the power and when the controller is writing to the storage. The status LED lights
up in the event of a controller malfunction.


Virtual controllers are virtual versions of physical controllers. There are virtual versions of the MC1550,
MC3200, and MC4200, which are all separate virtual images.

At this point, only the older Meru controllers are supported as virtual images; virtual versions of the newer
FortiWLC controllers will be released in due course.

Virtual controllers have the same AP and user capacity as their physical counterparts. They also use the
same number of CPU cores, memory, and network interfaces.

Unlike physical controllers, virtual controllers include a 90-day license for two APs, which makes virtual
controllers very useful for training and testing purposes.

A virtual controller can act as a standby for another virtual controller or for a physical controller; however, a
physical controller can’t act as a standby for a virtual controller.

If you have an advanced VMware installation with multiple hosts, please be aware that VMware fault
tolerance is not supported.


Currently, only versions 4.0 through 6.0 of VMware ESXi are supported. At this point, only VMware
based virtualization is supported; other hypervisor support will be coming in due course.

Current controller VMware images contain a compatibility issue with VMware Fusion. To use them with Fusion,
they need to be imported into ESXi (the free edition is fine) and then exported again.

In a production environment, it is highly recommended that each host that will support a
virtual controller has a dedicated network card solely for use by the controller. It is possible for a virtual
controller to share a network card with other applications running on the host; however, this is only
recommended for training or testing environments that handle small amounts of wireless
traffic and are not mission critical.

One of the benefits of virtualization is the ability to oversubscribe memory and CPU resources on a virtual
host. However, for proper operation of the wireless network, particularly a very busy wireless network, it is
important that the controller resources are not compromised by VMware CPU or memory management. As
a result, in these types of environments, it is highly advisable to reserve both memory and CPU
cycles for the controller.


One of the other areas of host configuration that is important to get right is the network configuration.
Virtual controllers have specific requirements when it comes to the number of virtual network interface
cards and the virtual switch and port group configuration.

As the virtual controllers match their physical counterparts as far as network port configuration, it is
important to ensure that the virtual controllers have the same number of virtual ports. Physical MC4200
hardware appliances have four gigabit Ethernet ports; therefore, the virtual version of the MC4200 also
needs four virtual network cards (vNICs) configured.

One major difference between the virtual and physical controllers is the type of Ethernet adapter that can
be configured. On the physical appliance the hardware ports are gigabit; virtual controllers, on the other
hand, are configured with the VMXNET3 virtual network card. As this is a 10 gigabit card, the throughput
capability of the virtual controller is greater than that of its physical counterpart.


It is best practice for each controller vNIC to have its own dedicated port group and vSwitch. The example
in this slide shows a virtual MC4200. This requires four virtual NICs to match its physical counterpart.
VMware demands that each vNIC has a network configured. This means you must create at least four port
groups and vSwitches.

It is important that you do not connect multiple controller vNICs to the same port group, because this can
cause a network loop.

A minimum of one physical network adapter is required to connect to the network infrastructure. vNICs are
10 GbE, so it is unlikely that more than one will be needed for the majority of installations. However, if more
than one is required, then each vSwitch will require a dedicated physical Ethernet adapter on the host. The
additional physical adapters should only be used for extra capacity. Unlike physical controllers,
active/passive redundant connections are not supported on virtual controllers.


After creating each vSwitch, you need to update the settings for the port groups.

Virtual controller configurations require you to enable promiscuous mode on the port group. This allows
the virtual controller to see all the frames being delivered by the physical network, and is necessary for
proper wireless network operation.

By default, the vSwitch removes the VLAN tags of frames coming from the physical adapters. If you’re
planning to have VLANs on the wireless network, then the VLAN ID should be set to All (4095). This
configures the vSwitch to pass through all frames without changing or stripping tags.

It is possible to team multiple physical adapters on a single vSwitch for link redundancy purposes, but if
you do so, you need to configure the load balancing algorithm as Route based on IP Hash.


Good job! You now know how to connect and configure the controller. Now, you’ll learn how to access the
controller.


After completing this section, you should be able to use the two methods available to access the controller.


There are two ways to access the controller management interfaces: the CLI and the GUI.

The GUI is the method that most people use. The GUI uses the installed web server and allows access to
most of the management and monitoring functions of the controller. Because it is a GUI, some
elements of controller information are better presented in graphs and tables. You need a network
connection to use the GUI, and there are a few functions that are not available through the web interface,
such as the ability to power down the controller. This can be done through the CLI.

You can also access the controller through the CLI. You can access the CLI over the network or through a
serial connection to the console port on the front of the controller. You need a terminal program to use
either access method. You can access the console of a virtual controller through the VMware utilities. You
can also access the CLI through the GUI using a Java-based applet.

You can access all configuration and monitoring options through the CLI; however, you can’t view data in a
graph format, and some tables have limited functionality.

It is recommended that you use the CLI as the access method when you perform the initial setup of the
controller.


You can access the GUI through an IP address or the optional DNS host name, if it’s been set up. All
commonly used browsers are supported and, by default, an encrypted web page is presented.

By default, the web page is encrypted using a self-signed certificate installed at the factory. Because it is
self-signed, most browsers will present a certificate warning. It is possible to replace the self-signed
certificate with a publicly signed certificate, if required. To authenticate on the encrypted web page, the
default username is admin and the default password is admin.


The first screen that you see after logging in is the main system dashboard. The dashboard is designed to
give you an overview of the status of the controller, presenting all the important information in one place.
The dashboard comprises four main areas: header bar, footer bar, capabilities menu, and main information
window, which dynamically updates.

The dynamic updates occur every 60 seconds. You can disable the dynamic updates by clearing the Auto
Refresh check box in the top right-hand corner. There is also a manual refresh option that can be used at
any time. It is not possible to change the auto refresh period from 60 seconds.


The header bar is located at the top of the GUI and is persistent across all of the GUI screens.

It supplies information about the controller, the controller type, software version, IP address, and
hostname. The header bar is also where you can determine whether the controller is virtual or physical, by
looking for the –VE on the end of the model name.

The header bar is also where you save the controller configuration. Although any changes you make to the
controller configuration take effect immediately, you need to save them in order to make them persistent
when the controller is restarted.

Also from the header bar, you can access the CLI, see the current user, see the security level, and log out
of the GUI.


The capabilities menu is the main navigation menu for the controller. It allows access to all the major
configuration, maintenance, and monitoring functions of the controller. It is persistent, meaning that it is
always visible, making navigation to different parts of the interface very straightforward. It can be hidden, if
required, by clicking on the indicated button.

The menu is split into four categories:

Monitor: This category contains all information related to the status and performance of the controller and
APs.

Configuration: This category contains all of the options related to the configuration of the controller, APs,
and wireless networks.

Maintenance: This category contains all the functions related to the maintenance of a controller, such as
backups, logs, and the ability to restart the network.

Wizards: This category contains wizards that help you configure the controller and wireless networks.


The footer bar is also persistent across all screens. It gives quick access to the status of the network,
showing the number of alarms that are in effect, and the number of rogue devices, APs, stations, and networks
that are configured. It also shows the uptime for the controller and the current system utilization.

The icons on the footer bar dynamically update every 60 seconds. Most of the icons are clickable.
Hovering over the icon shows you hover text and clicking on them takes you to more information. For
example, clicking on the Alarms icon takes you to the alarms table.


The main information window changes dynamically according to the selected capabilities. Some windows
have additional tabs that allow you to change the views.

The main system dashboard consists of three areas. The top area contains information about the
controller load and load trends, shown in a graphical format. It shows details about throughput, which is the
data that crosses the controller. It is split into receive (RX) and transmit (TX). This throughput information
pertains to the controller and APs. It is based on data received from (RX) and sent to (TX) the wireless
clients. A vertical scale is shown in MB per second, and it auto scales according to the data. Hovering over
various points on the graph displays a pop-up window that contains more information. The graph
shows the peak data value on a minute-by-minute basis. If you click on the graph and drag, you can
highlight areas of the graph and zoom in. Double-click to zoom out.

The station counts graph shows counts of 5 GHz and 2.4 GHz stations associated to the network.
Hovering shows more information. Clicking and dragging allows you to zoom in. The station count shows
the peak station count across a minute.

You cannot change the graphs that are displayed. The maximum time displayed is 24 hours, so you’ll
only see the last 24 hours of throughput and station counts.

The middle area contains the distribution pie charts. These charts give you a quick visual indication of the
status of your network. They are not changeable. The pie charts detail, starting from the left-hand side, the
alarms that are active on the controller. When the pie is gray, this indicates that there are no alarms
currently active. Alarm numbers and severity are shown as pieces of pie. Three alarm severities are
shown: critical alarms in red, major alarms in orange, and minor alarms in blue. The size of the slice of pie
depends on the number of alarms that are active. When there are multiple slices of pie showing different
alarms, you can click on the pie piece to see the underlying alarm table for more information.

The alarms distribution pie chart gives you an immediate indication of the status of your network. Red
pie pieces generally indicate a significant issue with your wireless network.

The middle two pie charts break down stations by the wireless network that they are connected to
and the frequency band they are connected on. As you become more familiar with your network and the
type of clients that connect to it, you may be able to use these distribution pie charts as an indication of
underlying problems.

The final distribution pie chart displays the breakdown of client operating systems that have connected,
as detected using DHCP fingerprinting. The controller has the ability to recognise common
types of clients using fingerprints held in a database on the controller. It then displays the different
operating systems detected as pieces of pie. Where a pie slice is listed as unknown, this indicates that
the controller has detected a fingerprint but has no matching entry in its database. Currently this OS
information is used for display only; the controller does not perform any action based on the OS type.
This information can be passed to Fortinet Connect, which can optionally control access to the
network based on the OS type.

The bottom panel details the current wireless networks that are configured on the controller. Here you
can see a summary of the configuration elements, such as the security used, whether the SSID is broadcast, and
the number of radio interfaces that are broadcasting the network. It is possible to directly edit the
configuration using the pencil icon on the left-hand side of the table.


The main screen also includes a black ? icon that links to help text that is specific to the screen that
you are viewing. Where there are additional graphs, you may also see a link that gives help on the contents of
the graph.


The easiest and quickest way to get access to the CLI is through the web interface. The controller has a built-in
Java applet that allows simple access to the command line interface; it is started from the icon located
in the header bar.

It’s useful for very quick and easy commands, but there are limitations. For instance, whilst it is possible to
copy and paste within the Java session, it is not possible to copy information out to an external application
such as Notepad. It is also not possible to capture the output of the CLI, which can be very useful when
debugging issues.


A fully functioning command line interface is available when using a third-party terminal client such as PuTTY
or Tera Term.

Access can be via the serial console port on the front of a physical controller or the VMware console
application for a virtual controller.

Connections can also be made across the network using an SSH connection to either the IP address or the
DNS hostname, if one has been set up. The SSH connection is encrypted using the same self-signed
certificate that is used for the web interface; as a result, you will see a warning when connecting over SSH,
which is to be expected.

Most terminal clients have the ability to capture the output from the terminal session, which makes the
capturing of information for diagnostic purposes very straightforward. It is also possible to copy and paste
in and out of the terminal client.


There is a help system available in the CLI, accessed simply by typing help or ?

This lists all the commands that are available in the current context.

For specific help on a command, simply type help followed by the command.

A full System Director command line reference guide is available from the Fortinet document library.


Typing the first few characters of a command and then the Tab key causes the CLI to return the list
of commands beginning with the characters you’ve typed. In this example, we have typed relo and
then the Tab key, which shows us all the commands that begin with relo.

If there is only one command that begins with the characters you’ve typed, then the CLI simply auto-
completes the line. For instance, if you type pin and then the Tab key, it auto-completes to ping, as
there are no other commands beginning with pin.

The up and down arrow keys recall previously entered command lines.

By default, when you log on to the controller CLI, you are already in privileged exec mode. This mode
allows monitoring, diagnostics, and configuration review commands to be issued.

To make the majority of configuration changes, you need to be in global configuration mode. This is
entered by using the command configure terminal.

From here it is possible to issue various configuration commands to change or add to the controller
configuration. To undo or delete configuration, many commands have a no form. For instance, in this
example we create a VLAN with the command vlan guest tag 10. It is then possible to delete the
VLAN with the no version of the command: no vlan guest

Commands that are available in privileged exec mode are not available whilst in global configuration mode
by default; however, prefixing a privileged exec command with do allows the temporary execution of that
command whilst in global configuration mode. To leave global configuration mode, use the end or exit commands.


Congratulations! You have completed this lesson.


Now that we have connected to the controller, this next section will cover what is required to configure
System Director on the controller.

There are two methods for setting up System Director. The first and preferred method is to run the setup
script over the CLI. Through this setup script you get access to all the configuration options required to
set up the controller in an enterprise environment.

It is also possible to run the EzSetup wizard through the web interface; however, some configuration
options are not configured as part of the wizard. The benefit of the wizard is that, in addition to setting up
the controller, it will take you through adding APs and creating a basic wireless network. For this
reason it is only really suitable for setting up very small wireless networks.

Some key information is required before running the setup script or completing the EzSetup wizard.

The controller will need a management IP address, subnet mask, gateway and hostname. The IP address or
hostname will be used for managing the controller and is the default address used by the access points. On
larger networks this may well be an IP address in a VLAN dedicated to network devices such as switches and
routers. On small networks this could be an IP address in the range allocated to servers; security best practice
dictates that this IP address should not be exposed to end-user devices.

There is the option to allocate the IP address via DHCP, but a static IP address is preferred in most environments to
minimize the chance of the controller IP address changing and thus causing problems with the wireless
network.

Both DNS and NTP server IP addresses are optional; however, it is highly recommended that both are
used where possible, as some advanced functionality will require synchronized time and name resolution.

In order for access points to operate with the correct radio frequency channel sets, in accordance with
regulatory requirements around the world, controllers have to be configured with a country code. This
defines which frequencies and power levels the access points can operate at. The country code is
selected from a list during the setup script. Ensure that you select the correct country code; failure to do
so could result in breaking local radio regulations. FortiWLC controllers sold in North America are hard-coded,
so will not have the option to change the country code.

The controller also needs to know the time zone it is operating in; again, during the setup script there is the
option to select the correct time zone.

One of the requirements is a controller index. For single-controller installations there is no need to configure
a controller index; however, if access points from another FortiWLC or Meru controller are within range of
the new network, there is a chance that virtual cell based wireless networks from two different
controllers will be given the same BSSID. To avoid this, you can define a controller index, which
is used as a seed to ensure that the BSSIDs generated are unique. The index is simply a number in the range
1 to 32; the only requirement is that the same controller index is not in use on any neighbouring
controllers.

For those familiar with the controller redundancy options for FortiWLC, N+1 standby controllers do not
need a controller index, as they will not be active until their master has failed.
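The requirements above (coherent management IP, mask and gateway; a management address kept out of end-user ranges; DNS and NTP recommended; country code and time zone mandatory; a controller index in the range 1 to 32 that no neighbouring controller uses, and none needed on an N+1 standby) can be checked before the setup script is run. The following is an added example, not part of the study guide or of System Director: it is a stand-alone Python pre-flight check whose field names, the neighbour list and the sample values are this example's own assumptions, not the prompts of the real setup script.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


# Constructed record of the answers the setup script asks for. The field names
# are this example's own; they are not the prompts of the real setup script.
@dataclass
class ControllerSetup:
    hostname: str
    ip: str
    netmask: str
    gateway: str
    country_code: str
    timezone: str
    dns: Optional[str] = None
    ntp: Optional[str] = None
    controller_index: Optional[int] = None   # 1..32, only needed with neighbours
    standby: bool = False                    # N+1 standby: no index required


# A single DNS label: letters, digits and hyphens, no leading/trailing hyphen.
_HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_setup(cfg: ControllerSetup,
                   neighbour_indexes: Iterable[int] = (),
                   user_subnets: Iterable[str] = ()) -> Tuple[List[str], List[str]]:
    """Pre-flight check of the setup answers. Returns (errors, warnings):
    errors would leave the controller unreachable or clashing with a
    neighbour; warnings are deviations from the best practice in the guide."""
    errors: List[str] = []
    warnings: List[str] = []

    if not _HOSTNAME_RE.match(cfg.hostname):
        errors.append(f"hostname {cfg.hostname!r} is not a valid DNS label")

    # Management IP, mask and gateway must describe one coherent subnet.
    try:
        iface = ipaddress.ip_interface(f"{cfg.ip}/{cfg.netmask}")
        gateway = ipaddress.ip_address(cfg.gateway)
    except ValueError as exc:
        errors.append(f"bad address: {exc}")
        return errors, warnings
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        errors.append(f"{iface.ip} is the network or broadcast address of {net}")
    if gateway not in net:
        errors.append(f"gateway {gateway} is not inside {net}")
    elif gateway == iface.ip:
        errors.append("gateway must not equal the controller IP")

    # Best practice: keep the management IP out of end-user address ranges.
    for subnet in user_subnets:
        if iface.ip in ipaddress.ip_network(subnet, strict=False):
            warnings.append(f"management IP {iface.ip} sits in end-user subnet {subnet}")

    # DNS and NTP are optional but strongly recommended; country code and
    # time zone are mandatory.
    if not cfg.dns:
        warnings.append("no DNS server: name resolution unavailable")
    if not cfg.ntp:
        warnings.append("no NTP server: time will not be synchronised")
    if not cfg.country_code:
        errors.append("country code is required for regulatory channel sets")
    if not cfg.timezone:
        errors.append("time zone is required")

    # The controller index seeds virtual cell BSSIDs, so it must be unique
    # among neighbouring controllers; a standby controller does not need one.
    neighbours = set(neighbour_indexes)
    if cfg.controller_index is None:
        if neighbours and not cfg.standby:
            errors.append("neighbouring controllers present: set a unique controller index")
    else:
        idx = cfg.controller_index
        if not 1 <= idx <= 32:
            errors.append(f"controller index {idx} is outside the range 1-32")
        elif idx in neighbours:
            errors.append(f"controller index {idx} is already used by a neighbour")
        if cfg.standby:
            warnings.append("N+1 standby controller does not need a controller index")

    return errors, warnings
```

Run the check against the answers you intend to give and resolve every error before starting the setup script; the warnings are the points where the guide recommends, but does not require, a different choice.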

The controller setup script can be run using the CLI over the serial console connection or over a network
connection using SSH. The most commonly used method is the serial console.

Logging on as admin and then issuing the setup command will start the configuration script. The script can be
abandoned at any time, and it is also possible to run the script multiple times.

The setup script gives the controller the most basic configuration required; the remaining
configuration is then done from the web interface.

It is also possible to set up the controller using the EzSetup wizard in the GUI.

This requires that you have an active network connection. If the controller's first Ethernet port is connected
to a network that provides DHCP, it will automatically claim an IP address. If no DHCP is available,
the controller will assign itself the IP address 192.168.1.12.

The wizard allows the installation of licenses, configuration and installation of APs, and creation of
wireless networks. However, it provides only limited configuration options and, as a result, is not
recommended for the majority of network installations.

The following video goes through the boot process of the controller, accessing the CLI and some
useful commands, and then runs the setup script to set up the controller.

You should now be able to perform the basic configuration of the controller.

If it is a factory-supplied hardware controller, you may need to perform an upgrade to the latest version of
SD. Let's look at this next.

In this section, we will talk about upgrading the System Director software. Often, hardware controllers
delivered from the factory do not have the latest software version installed. As part of the setup process, it
is best practice to update to the latest GA (general availability) version of System Director.

The basic process we go through here can be used to upgrade System Director at any point; however,
this is a general guide, and the steps detailed in the release notes should be the primary guide for the
upgrade process.

System Director updates are available from the Fortinet support site. Here you will find images for each
type of controller, together with release notes and updated documentation. The most important step in any
upgrade, performed at any time, is to read the release notes.

Each software installation could have different prerequisites and post-installation tasks. It is important to
review these irrespective of the type of upgrade you are performing, whether it is an upgrade of a newly
installed controller or of a controller that is commissioned and in use. The notes will also detail changes in
hardware support. As with other vendors, Fortinet may well remove support for older hardware types once
they reach end of support. For instance, if you have older APs on your network that are not supported by an
update, installing that update on your controller will cause those APs to fail.

There will also be specific upgrade instructions for more complex environments, such as those that feature
controller redundancy.

It should also be noted that upgrades are incremental. The upgrade files that you download from the
support portal do not contain a full copy of System Director. Not unlike Windows operating system updates,
the update files contain only the updated code, which is patched onto the existing System Director
operating system. As a result there is often an upgrade path; for instance, if upgrading from an older SD
version such as SD6 to the latest SD8, you may well need to upgrade to an intermediate SD7 version first.

The release notes will contain the full path for you to follow. When upgrading a working controller that has
been in use and is configured, it is important to ensure that you have a backup. If you are upgrading a
brand new controller this will not be necessary, as there is little or no configuration information. The backup
process for a controller is covered later in this course.

The first step of any upgrade is to download the upgrade image and copy it to the controller. This cannot be
done directly; it has to be done by downloading to an intermediate system first. This system should run
an FTP or SCP server if you plan to use these protocols to upload the image to the controller.

Newer versions of System Director have the capability to upload the upgrade file via the web
interface. This is found under Maintenance in the File Management section, where there is an option
that allows you to import and delete SD upgrade files.

When upgrading a controller that already has access points installed, for instance a production controller,
best practice recommends that you turn off the automatic AP upgrade process. This setting controls the
behaviour of access points when they power on and contact the controller, and by default it is turned on.

When an access point boots, one of the things it does is compare its System Director software
version with that of the controller it is connecting to. If the controller software version is older or newer, the
AP will downgrade or upgrade itself to match.

The default for access points is that they should have the same software version as the controller; if they
don't or can't, the AP will disable its radios and cease transmitting wireless networks.

This default behaviour can be enabled or disabled using the automatic AP upgrade setting.

When upgrading a controller with many attached APs, it can take a significant amount of time for the upgrade
to complete if all of the APs simultaneously attempt an upgrade. The large number of simultaneous
software requests can add a disproportionate delay as the controller struggles to service all of the requests.
Often with larger networks it is faster to disable the automatic upgrade and then manage the upgrade of
the APs manually.

If you are upgrading a new controller that has yet to have APs installed, there is no need to disable the
setting.

Once the upgrade image is uploaded to the controller, it is good practice to confirm that it is present in the
controller's storage. The sh flash command lists the software images that are currently uploaded to
the controller. The amount of storage allocated to images is limited; as a result, on occasion there may be
a requirement to delete older images to make space for the images that you are uploading.
Images can be deleted using the CLI or, on later System Director software versions, the web interface.

If deleting images, it is best practice to keep a copy of the current running software as well as a copy of
the software you plan to upgrade to.

Once you are happy that the images are uploaded, you can start the upgrade. The upgrade command is one of
the few commands that can be issued only from the CLI; there is no method to upgrade the controller from
the web interface. It is best practice to initiate the upgrade using a terminal session over the serial console
cable. It is possible to use SSH or the inbuilt Java-based CLI, but the network connection will disconnect
during the upgrade, and you run the risk of missing potentially important messages that you would
otherwise see on the serial connection.

At the CLI, issue the upgrade controller command followed by the version of the System Director
image you want to upgrade to. This initiates the upgrade process, which is fully automatic and
involves a controller reboot.

If upgrading a production system, this will mean a loss of service, so upgrades should be performed only
during planned maintenance time. The duration of the upgrade will depend on the specification
of the controller and the size of the upgrade; however, it is recommended that you allow at least an
hour for the upgrade of a single controller. This allows time to read the release notes, upgrade the
controller and then deal with any potential issues should they occur.

Once the controller upgrade has completed, it will reboot and return to the logon screen. At this point you
can commence upgrading the APs, if your system has them installed.

As the controller now has a newer software version, any existing APs on the system will deactivate their
radios, as their software no longer matches the controller.

For controllers that have fewer than 100 APs, the APs can generally be upgraded simultaneously. The
upgrade ap same all command tells the controller to go through all APs, starting with the first, and
upgrade them to the same version as the controller.

For controllers that have more than 100 access points connected, it is best to upgrade the APs in batches
of no more than 100. This minimises the load on the controller and ultimately means that the upgrade can
happen faster.

To upgrade APs in batches, you can issue a similar upgrade ap same command, but this time
specifying a range of access point ID numbers. Using 1-99 tells the controller to attempt to upgrade AP IDs
1 to 99. It does not matter if there are APs missing from the range; the controller will simply try to contact and
upgrade each one, and skip it if it can't be reached. You can then move on to the second hundred APs by
specifying the next batch of AP IDs. This carries on until all APs are updated.

The AP upgrade process gives you on-screen progress for each AP; once an AP is upgraded, it
reboots and then comes online as normal. Again, it is best practice to allow an hour for each hundred APs.

Once the upgrade of the controller and APs is complete, make sure you re-enable automatic AP
upgrade if you disabled it.

The following video goes through the upgrade of the controller that we have just installed.

Congratulations! You have completed this lesson.

To review, these are the topics that we just talked about.

We defined what System Director is and how to find the latest release to install.

You should now know how to do the initial installation of both a virtual controller and a hardware-based
controller, understand the requirements for running the initial setup script and what information is required,
be able to run the script and configure the controller, and then subsequently update that controller to the
preferred software version.

The controller is now ready for the remaining configuration, including installation of access points,
integration into the existing network, and the configuration and publishing of wireless networks.

DO NOT REPRINT Network Integration

In this lesson you will examine the integration of your newly-installed controller into your network.

In this lesson, you will explore the following topics:


• Multiple controller interfaces
• Bridge Mode and Tunnel Mode
• Integrating VLANs

After completing this lesson, you should be able to describe how to configure and use the following
controller interfaces:
• Logical network interfaces
• Physical interfaces

All FortiWLC controllers have the ability to operate in single mode or dual mode Ethernet. The mode
defines the number of logical interfaces that a controller will support. Single mode uses one logical
interface, and dual mode uses two logical interfaces.

Depending on the specification of the controller, these logical interfaces can consist of one or more
physical interfaces.

In the controller, these interfaces are simply numbered one and two. You cannot have more than two
logical interfaces.

If you have two logical interfaces, they can be configured in two ways. The first and most popular way is to
configure the interfaces in active/passive mode. This mode provides network link redundancy because one
interface is active and passing traffic and the second interface is passive for failover. In the event of a
physical link failure on the active connection, the controller will fail over to the passive interface, which then
becomes the active interface.

In active/passive mode, there is only a single IP address used by the controller. When the failover occurs,
this IP address switches to the passive interface. The failover occurs by physical link failure only—there is
no ping or keep-alive mechanism. Active/passive mode is supported only on physical controllers. In the
case of virtual controllers, the virtual host has the redundant links to the physical infrastructure and is
responsible for the failover. The controller guest simply has one virtual network connection.

Active/active mode provides two active IP interfaces. One of those interfaces (usually interface 1) is used
for AP tunnel and management traffic. The second active interface can be used only for VLAN tagged
traffic. It cannot be used for untagged or native traffic. This means that to make use of the second active
interface you must use VLANs in the wired infrastructure.

Active/active mode does not provide redundancy, as the failure of the logical interface that supports the AP
management traffic will cause the failure of the wireless network.

Active/active mode is supported on both virtual and physical controllers.

After you identify how many logical interfaces you need, you can decide how many physical links will make
up the logical interface.

Current FortiWLC devices have four gigabit Ethernet ports. You can aggregate these ports into either Single
Mode bonds or Dual Mode bonds; however, you must divide them evenly. It is not possible to have
asymmetrical link aggregation, for example, three interfaces assigned to one logical interface and backed
up by a single interface in the second logical interface.

Link aggregation is static only. The controller does not support dynamic aggregation technologies, such as
Link Aggregation Control Protocol (LACP). The most common aggregation is a Single Mode bond with one
active IP address. This allows for the maximum throughput of the controller to be used. The Single Mode
bond tolerates individual Ethernet connection failures but won’t tolerate a complete switch fail because
static aggregation is usually only available on a single-switch chassis.

To provide redundancy, you can configure a Dual Mode bond in active/passive mode. You then
split the four Ethernet ports equally between the two interfaces. As a result, the maximum throughput
capacity of the controller will be 2 Gbps rather than 4 Gbps, because the passive interface does not pass
traffic until a failure occurs. Because of the nature of the configuration, it is possible to split the active and
passive links between two separate switches. When you configure Dual Mode bonds, be aware that it is
usually the first and third interfaces that form the primary link for the logical interfaces, as shown on this
slide, in the top row of the diagram.

Finally, it’s possible to configure Dual Mode bonds with two active interfaces. By default, the first interface
carries the AP tunnel traffic, and the second is used for other purposes, such as to segregate traffic in a
wired infrastructure. For controllers that have 10 gigabit interfaces, the logical organization is the same.

Before configuring any logical interfaces, it’s important to make sure that you configure the physical port
bonding appropriately first. You can perform this configuration using the CLI or the GUI.

In the GUI, on the left side of the screen, click Configuration > Controller, and then select the Network
Parameters tab. The drop-down list contains the mode options. The number option is used on specific
controllers for 10 gigabit interfaces.

After you select the bonding mode, configure the second interface. In the GUI, on the left side of the
screen, click Configuration > System Settings, and then select the Management Interfaces tab. By
default, one interface is configured in the factory. You can add only the second interface.

You have the option of using DHCP or static IP allocation. Static IP allocation is recommended. Either
way, you must supply some IP information. The IP address does not have to be valid. You should not use
an IP address that is in use in your infrastructure. This is simply a dummy IP address to allow the interface
to be started by the Linux-based SD software.

You can then decide on the interface mode—active or redundant.

Configuring a second logical interface is a core system change that requires a controller restart. After the
controller has restarted, you can use the CLI to verify the status of the bond and logical interfaces by using
the show interface bonding and show IP commands.

After the second active logical interface is configured, you can then egress traffic from it. Do this by
creating VLAN profiles and then assigning the profiles to the second interface. The only way to use the
second active interface is to attach a VLAN to the port. Native/untagged traffic will not be forwarded.

Good job! You now understand multiple controller interfaces.

Now, you will examine bridge mode and tunnel mode.

After completing this section, you should be able to:


• Define Bridge Mode
• Define Tunnel Mode
• Understand when to use Bridge Mode or Tunnel Mode

When you publish a wireless network from an access point, you can choose how the data is handled after
the AP receives frames from the wireless client. You can choose tunnel mode or bridge mode, which you
define on a per wireless network basis. Therefore, an AP that broadcasts multiple wireless networks can
broadcast a mix of tunnel mode and bridge mode networks. Currently, all FortiWLC-based APs support
tunnel mode and bridge mode.

By default, when you create the network, tunnel mode is used. AP management traffic is always tunnelled
back to the controller, and data traffic is either bridged or tunnelled. The tunnels are established during the
AP start-up process.

Both tunnels are customized, non-standard tunnels and, by default, the traffic is unencrypted. You can
encrypt both management and data tunnels, which you should do if traffic will cross a public WAN
connection.

The diagram on this slide shows a tunnelled network and the path of a frame from the wireless client to its
destination, the printer.

The frame is transmitted to the AP, and the AP looks at the configuration of the wireless network that
receives the frame, which specifies how it should handle the data frame. If the network is configured for
tunnel mode, the client's data frame is encapsulated into a bespoke tunnel, and the AP sends the tunnelled
frame to interface 1 on the controller. By default, the data tunnel frames and the management tunnel
frames are untagged.

After the tunnelled frame arrives at the controller, the controller de-encapsulates and inspects it. The
controller might also perform other actions on the frame, for example, block it or apply a DSCP/WMM tag
to it, and then forwards it out of either logical interface 1 or logical interface 2, if it is configured. The frame
is then forwarded to its destination in the usual way.

As the diagram shows, this can mean the frame travels (hairpins) back toward its
original source.

There are two main benefits to tunnelling:

• Most complex networks use VLANs. This usually means that you must reconfigure the network ports
that the network devices handling the VLANs connect to, as trunk ports. In a tunnel mode network, you
need to configure only the ports connected to the controller as trunk ports because the frames are
tagged at the controller and leave from the controller’s interface. If you are bridging frames to VLANs,
then you must configure a VLAN trunk for all APs that have the bridged networks. This can be time
consuming and complex for large numbers of APs.

• In a tunnelled network it is possible to perform additional actions on the traffic because the traffic
passes through the controller. For example, this allows the firewall module to apply firewall policies
based on the RADIUS response and on the wireless network joined. It is also possible to rate limit
traffic, and classify or reclassify traffic for QoS purposes.

The diagram on this slide shows the path of the frame as being more direct, instead of being tunnelled
back to the controller.

When a wireless network is defined as bridge mode, the frames are forwarded directly from the AP's
wired interface and are not encapsulated in a tunnel. By default, frames egress from port 1 of the AP (some
APs have multiple Ethernet ports) and are untagged. The connected switch is then responsible for
forwarding the frames.

The management plane traffic is always tunnelled back to the controller regardless of the data plane mode.
By default, the management tunnel frames are also untagged.

The principal benefit of bridging is to prevent the hairpin effect that potentially causes traffic to cross the
same link multiple times. In modern high-speed campus networks, this is not usually an issue; however, if
an AP is located on the other side of a low-speed WAN link, such as an AP located in a branch office
connected using an ADSL line, having traffic cross the link multiple times reduces bandwidth and
performance unnecessarily. Bridging frames locally at the AP allows frames destined for local resources to
stay local and not cross the WAN link inside a tunnel needlessly.

Split tunnelling is not supported at the AP. Traffic is either tunnelled back to the controller, or bridged
locally.

When large numbers of high-speed access points are connecting high-speed clients, it is possible for the
controller interfaces to become overloaded. In some scenarios, it can be a good solution to bridge busy
wireless networks locally. This reduces the amount of traffic being sent back to the controller, and allows the
switches to manage the traffic.

In summary, tunnelling is always the preferred data mode. You should always tunnel networks that you
might need to perform QoS or firewall actions on. This allows you to manipulate traffic for applications
such as voice, or manage traffic for applications such as guest networks.

You should avoid tunnelling in networks that use low-speed network links, such as branch offices, and so
on. It is common for branch offices to use a mix of tunnelling and bridging, for example, bridge the
corporate network locally and tunnel the guest network back to the controller. Usually, guest traffic does
not require access to local resources because it is often destined for the Internet and, as a result, is
unlikely to hairpin back from the controller to the branch office.

You should avoid bridging in guest networks and for voice traffic that requires DSCP tag manipulation
because bridging limits your ability to manipulate IP traffic.

Congratulations! You now understand bridge mode and tunnel mode.

Now, you will examine integrating VLANs into your network.

After completing this section, you should be able to configure VLANs on FortiWLC and APs.

At its most basic, a VLAN-capable switch configures its wired ports into logical groupings called virtual
LANs (VLANs). By default, the ports on most switches are members of a single default VLAN and carry
traffic only for that VLAN. All ports in the same VLAN on the switch (by default, the native VLAN) can exchange
traffic. A port that belongs to a single VLAN in this way is known as an access port. Devices connected to an
access port do not know that they are connected to a VLAN; the frames simply arrive and depart as they would
on any network connection.

Switch ports can also be trunk ports. This allows traffic from multiple VLANs on a switch to be
communicated, or trunked, to another VLAN-capable device. To identify traffic from different VLANs, the
frames that traverse the link are tagged with a VLAN number. A single Ethernet link can carry traffic from
multiple VLANs, using these tags to keep track of which frame belongs to which VLAN. This link can also
carry untagged frames, which are referred to as members of the native VLAN.

Access ports are usually used for devices that don’t need to be aware of VLANs, such as computers and
printers.

Trunk ports are usually used to connect devices that must be aware of VLANs, such as switches, wireless
controllers, and other network devices.
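The tag the slide refers to is the 802.1Q header inserted between the source MAC and the EtherType: a 0x8100 tag protocol identifier followed by a 16-bit tag control field holding a 3-bit priority, a drop-eligible bit and a 12-bit VLAN ID. The following is an added example, not part of the study guide or of FortiWLC: a stand-alone Python parser and builder for such frames, with a helper that classifies a frame arriving on a trunk the way the text describes (tagged frames follow their tag, untagged frames fall into the native VLAN). The sample frames and MAC addresses are constructed for the example; VID 0 is treated as a priority-only tag and VID 4095 is reserved, per the standard.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100      # tag protocol identifier that announces an 802.1Q tag
ETH_HDR_LEN = 14         # dst MAC (6) + src MAC (6) + EtherType (2)
TAGGED_HDR_LEN = 18      # plus TPID (2) + TCI (2)


@dataclass
class ParsedFrame:
    dst: str
    src: str
    vlan_id: Optional[int]   # None when the frame carries no 802.1Q tag
    priority: int            # 802.1p PCP, 0 when untagged
    drop_eligible: bool
    ethertype: int           # EtherType of the encapsulated payload
    payload: bytes


def _mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _mac_to_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def parse_ethernet(frame: bytes) -> ParsedFrame:
    """Decode an Ethernet II frame, pulling out the 802.1Q tag if present."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, pcp, dei, offset = None, 0, False, ETH_HDR_LEN
    if ethertype == TPID_8021Q:
        if len(frame) < TAGGED_HDR_LEN:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp = tci >> 13               # top 3 bits: priority code point
        dei = bool(tci & 0x1000)      # next bit: drop eligible indicator
        vlan_id = tci & 0x0FFF        # low 12 bits: VLAN identifier
        if vlan_id == 4095:
            raise ValueError("VID 4095 is reserved")
        offset = TAGGED_HDR_LEN
    return ParsedFrame(_mac_to_str(dst), _mac_to_str(src), vlan_id, pcp, dei,
                       ethertype, frame[offset:])


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build a frame; with vlan_id set, insert an 802.1Q tag (0 = priority only)."""
    header = _mac_to_bytes(dst) + _mac_to_bytes(src)
    if vlan_id is None:
        header += struct.pack("!H", ethertype)
    else:
        if not 0 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 0..4094")
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)
        header += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    return header + payload


def classify_on_trunk(frame: bytes, native_vlan: int = 1) -> int:
    """VLAN a switch assigns to a frame received on a trunk port: the tag's
    VID when present, otherwise (untagged or priority-only tag) the native VLAN."""
    parsed = parse_ethernet(frame)
    if parsed.vlan_id in (None, 0):
        return native_vlan
    return parsed.vlan_id


# Constructed sample frames: a guest-VLAN tagged IPv4 frame and an untagged ARP.
GUEST_FRAME = build_frame("aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55", 0x0800,
                          b"\x45\x00\x00\x14" + b"\x00" * 16, vlan_id=30, pcp=5)
UNTAGGED_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806,
                             b"\x00\x01\x08\x00\x06\x04\x00\x01")
```

On a controller or AP uplink this is exactly what the wired administrator's trunk configuration has to allow: a frame the controller emits with VID 30 is only forwarded if VLAN 30 is tagged on the switch port, while the untagged management and tunnel frames land in that port's native VLAN.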

When using VLANs on a FortiWLC device, you must map traffic from wireless networks to VLANs using a
profile. For example, after you create a VLAN in a switched infrastructure for guest users of your network,
you can extend the VLAN to the wireless network, sending traffic from the SSID to the wired guest VLAN.
You can do this in both tunnel mode and bridge mode networks, however, the configuration is slightly
different for each.

The FortiWLC relies on the tag number to send traffic to the appropriate VLAN. You can specify this tag
number in multiple ways. The most common way is to configure the tag number statically on a per-ESS-profile
basis. Any traffic that is transmitted to the wireless network is forwarded, with the VLAN tag applied,
to the wired infrastructure.

You can also specify the tag dynamically. If the wireless network is RADIUS authenticated, then the
RADIUS server can return a RADIUS attribute containing the tag number. This means that you could
potentially return different tags for users or user groups. This will allow the broadcasting of a single
wireless network where each authenticated user could be placed into a different VLAN, for example, a
VLAN for contractors or a VLAN for employees. You could have both types of user join the same wireless
network and their traffic would be dynamically placed in the correct VLAN when the users authenticate.

It is also possible to use a combination of static map and RADIUS response, which means that if a
RADIUS response does not contain a VLAN tag, a static tag is used instead.

Assigning users to a pool of VLANs is also supported. In large networks, administrators usually create
VLANs with small subnets to limit broadcast storms. This can mean that a single VLAN assigned to a
wireless network runs out of IP addresses quickly. Therefore, you can configure multiple VLANs as a pool
and have clients assigned to the VLANs automatically, which allows a larger number of clients to join a
wireless network without broadcast storm issues. However, you can configure VLAN pools only in tunnel
mode networks.


In tunnel mode networks, frames sent by wireless clients to the wireless network are tunnelled back to the
controller.

This means that if the frames are to be placed in a VLAN, it is done at the controller. You must create a
VLAN profile in the controller to specify which VLAN the controller uses.

To create a VLAN profile, in the GUI, on the right side of the screen, select Configuration. Under Wired,
select VLAN, and then click ADD.


You must name all profiles on FortiWLC, including VLAN profiles. You can choose from up to 32
characters for a name. Names should not begin with a number and should not contain spaces. You can
use underscores and hyphens. Use a name that describes the purpose of the VLAN.

You must identify the tag of the VLAN, and then define which interface on the controller the traffic from the
VLAN will use. The example on the slide shows a guest VLAN sending and receiving frames on interface
1. This means that the wired ports connected to interface 1 of the controller must be trunk ports. The trunk
ports must have VLAN 30 tagged to them by the wired network administrator.

If the second active interface is in use, you could enter interface 2 and the tagged traffic would be sent or
received on the wired ports connected to interface 2.

A VLAN is a layer 2 concept and, when you define VLANs on switches, you don't normally assign an IP
address to them. On FortiWLC, however, you must assign the controller a valid IP address in the subnet
used on the VLAN. This allows FortiWLC to perform specific layer 3 functions, such as proxy ARP and
firewalling. The controller is not a full layer 3 device; it does not perform routing or other traffic
manipulation.

The name, tag, and IP information are all mandatory; you cannot create a profile without them. Do not use
dummy IP addresses: you must assign a valid IP address in the VLAN subnet.

You also have the option to override the DHCP server used for the wireless network. By default, wireless
clients are serviced by the DHCP server that already answers requests on the wired VLAN. In some
scenarios, you might want wireless clients to be serviced by a different DHCP server, in which case you can
specify an alternative DHCP server IP address for the wireless clients to use.


When you configure VLANs for bridge mode networks, you don't need to specify a VLAN profile because
the traffic never goes to the controller. Instead, when you create an ESS profile and select bridge mode,
you specify the VLAN tag there. It is still possible to use dynamic VLANs, but VLAN pools are not
supported.

For every AP that broadcasts a bridge mode ESS, you must configure the AP's switch port as a VLAN
trunk. If the network contains many APs, this can be a time consuming and complicated process, and it can
be a good reason not to use bridge mode.


For larger networks, a single VLAN per wireless network ESS profile might not be enough.

Traditional IP network design requires that IP subnets be limited in size relative to the number of hosts.
This is mainly to limit the size of the broadcast domain because excessive broadcasts can cause network
performance problems. This is also important for wireless networks. A typical network in a wireless
environment is usually a class C or /24. This ultimately means that a wireless network that is assigned a
single VLAN is limited to 254 wireless clients.

Instead of specifying a single VLAN, you can create and specify a pool of VLANs. You must create a
profile for each VLAN on the controller before you create the VLAN pool. A pool can consist of up to 16
VLANs, and you define the pool using the tag numbers. The controller assigns clients to the VLANs starting
at the first VLAN in the pool, and moves on to the next as each VLAN fills up.

The controller supports up to 64 VLAN pools. VLAN pools are available only in tunnel mode networks.
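The three VLAN mappings described in this lesson (a static per-ESS tag, a dynamic tag returned by RADIUS with static fallback, and a tunnel-mode VLAN pool that fills in order) as one added worked example in Python. This is not FortiWLC code. It assumes the RADIUS server returns the RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) already decoded to strings, models a "full" VLAN with a per-VLAN capacity counter (one /24, as the slide assumes), and gives a RADIUS-supplied tag priority over the pool; the page does not state that last ordering.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RFC 3580 values: Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802
TUNNEL_TYPE_VLAN = "13"
TUNNEL_MEDIUM_802 = "6"


def radius_vlan(attrs: Dict[str, str]) -> Optional[int]:
    """Extract a VLAN tag from a decoded RADIUS Access-Accept, or None.

    The tag is trusted only when the companion attributes say it is an
    802 VLAN and the value is a legal 802.1Q tag (1-4094); anything else
    falls back to the static mapping rather than landing clients in VLAN 0.
    """
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_802:
        return None
    raw = attrs.get("Tunnel-Private-Group-ID", "")
    if not raw.isdigit():
        return None
    tag = int(raw)
    return tag if 1 <= tag <= 4094 else None


@dataclass
class VlanPool:
    """Tunnel-mode VLAN pool: up to 16 tags, filled in the order listed."""
    tags: List[int]
    capacity: int = 254                      # assumed: one /24 per VLAN
    members: Dict[int, int] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if not 1 <= len(self.tags) <= 16:
            raise ValueError("a VLAN pool holds between 1 and 16 VLANs")
        if len(set(self.tags)) != len(self.tags):
            raise ValueError("duplicate tag in VLAN pool")

    def assign(self) -> Optional[int]:
        """Return the first VLAN with free capacity, or None if all are full."""
        for tag in self.tags:
            if self.members.get(tag, 0) < self.capacity:
                self.members[tag] = self.members.get(tag, 0) + 1
                return tag
        return None


def select_vlan(static_tag: int,
                radius_attrs: Optional[Dict[str, str]] = None,
                pool: Optional[VlanPool] = None,
                tunnel_mode: bool = True) -> Optional[int]:
    """Decide which VLAN a newly authenticated client lands in.

    1. A VLAN returned by RADIUS wins (dynamic assignment).
    2. Otherwise a VLAN pool, if configured, hands out the next free VLAN.
    3. Otherwise the static per-ESS tag is used.
    """
    if radius_attrs is not None:
        dynamic = radius_vlan(radius_attrs)
        if dynamic is not None:
            return dynamic
    if pool is not None:
        if not tunnel_mode:
            raise ValueError("VLAN pools are supported only in tunnel mode")
        return pool.assign()
    return static_tag


if __name__ == "__main__":
    # Constructed Access-Accept for a contractor, and an employee with no VLAN attribute.
    contractor = {"User-Name": "c.jones", "Tunnel-Type": "13",
                  "Tunnel-Medium-Type": "6", "Tunnel-Private-Group-ID": "40"}
    employee = {"User-Name": "a.smith"}
    print(select_vlan(30, contractor))   # dynamic tag from RADIUS
    print(select_vlan(30, employee))     # static fallback
    guests = VlanPool([110, 111, 112], capacity=2)
    print([select_vlan(30, employee, guests) for _ in range(7)])
```

The validation in `radius_vlan` matters: a RADIUS server that returns a malformed or out-of-range group ID should push the client onto the configured static VLAN, not onto an unintended one.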


In summary, when you use VLANs in your wireless network, a lot depends on the mode in which the ESS
profiles operate.

For the default installation, which uses tunnelled profiles, you need to define only the controller ports as
trunk ports. AP ports are access ports and need only be in a VLAN that is routable to the controller. Later
in this course, you will learn about best practices for AP deployment and why you should put APs on their
own VLAN.

If you are planning a bridge mode installation, be prepared to configure the ports connecting to your APs
as trunk ports.


Congratulations! You have completed this lesson.


This lesson covered the following topics:


• Configuration and uses of the logical interfaces of a controller
• Configuration and uses of the physical interfaces of a controller
• Defining bridge mode and tunnel mode and when to use them
• Configuring VLANs on both controllers and APs

DO NOT REPRINT Access Points Integration


In this lesson, you will examine how to integrate access points (APs) into your newly installed network.


In this lesson, you will explore the following topics:


• AP deployment types
• Controller discovery
• General AP configuration requirements
• Additional requirements for remote APs
• Physical AP requirements


After completing this section, you should be able to describe the various AP deployment types.


Based on how the AP communicates with the controller, AP deployments can be categorized into three
types:
• Local
• Remote
• Mesh

All three deployment modes can be used simultaneously on a controller; for example, a controller can
support both local and remote APs at the same time.


Local deployment is the most commonly used AP deployment type. The main feature of a local AP
deployment is a high bandwidth/low latency connection between the APs and the controller. This
connection is provided by the switched infrastructure commonly found in present day organizations.

In local deployments, APs are typically:


• Found on the same campus as the controller
• Connected to the controller through a gigabit link via a local switch with equal or greater upstream
bandwidth

The data flowing across this network is considered private; that is, it does not cross a public WAN
connection.

Both bridged and tunnelled networks, and all AP features, are supported.


In a remote AP deployment, APs connect to a controller over a low bandwidth link. That link may also have
high latency, be unreliable, and offer little security. APs in a remote deployment are usually installed in
remote sites, such as small satellite offices or home-based offices, where the low number of APs does not
warrant a controller.

In a remote deployment, a centralized controller provides control and management of the network and,
possibly, data traffic as well.

Typically, the WAN link from the AP to the controller uses a low bandwidth, DSL type connection. As a
result, the path of the data from the AP needs to be carefully considered. There is a risk that an AP
operating in tunnel mode may send traffic to the controller only to have it returned back to the AP because
the destination for that traffic is on the remote site. This results in the DSL link being used twice for the
same piece of traffic, and an impact to the overall performance.

If the WAN/DSL link is across a public connection, such as the Internet, both control and management
traffic should be VPN encrypted.

The majority of remote AP deployments will be in bridge mode. This means that the local infrastructure
(some form of switch or router) manages the traffic: traffic destined to stay local stays local, and other
traffic is sent to its destination normally.

It should be emphasized that clients connected to a bridge mode network are using network services on
the remote site, such as DHCP and DNS. Only wireless management and authentication traffic is going
back to the controller.

It is possible to publish multiple networks on the remote sites: some in bridge mode others in tunnel mode.

For example, there might be a requirement to publish a guest network at the remote sites and have all
the traffic tunnel back to the controller for inspection and security purposes, while a corporate SSID is
bridged locally.

If you are planning to tunnel traffic back to the controller and you are also using VPN encryption, be
aware that there is a significant encryption overhead when sending and receiving the traffic. As a
result, the rate of throughput for that tunnelled network drops.

Even though the amount of control and authentication traffic generated by a single AP is quite small, it
is a best practice to consider adding a controller to any remote site that includes more than 10 APs.


A mesh AP deployment is used when no wired connection to the controller is available. Instead of using the
wired interface to discover and connect to a controller, the AP uses one of its radios as a ‘backhaul’
connection.

Mesh AP deployments are typically used when it is difficult or impossible to extend wired links to an area
requiring wireless coverage. A mesh AP requires only a power source and to be within radio range of
another mesh AP.

A mesh link can be used to form a bridge between two physical locations; however, this is not a true
point-to-point bridge like other dedicated solutions.


Good job! You now understand AP deployment types. Next, you’ll examine controller discovery.


After completing this section, you should be able to describe how an AP discovers and connects to its
FortiWLC controller.


Controller discovery is a critical part of the AP boot process. APs store minimal configuration information,
so, on each boot, the AP needs to download the majority of the configuration from the controller. In order
to perform this download, the AP must be able to ‘discover’ the controller without having any preconfigured
information. APs use three discovery methods in the following order:
1. Layer 2 (L2)
2. Layer 3 (L3)
3. Mesh

This is the default order of discovery methods, which is factory configured. The order of discovery is
configurable.

Once an AP discovers a controller, the AP is known as L2-AP, L3-AP, or mesh-AP, depending on the
discovery method that was used to make the discovery.


By default, an AP attempts L2 discovery first. Once the AP has booted, it issues a sequence of L2
broadcast frames. Any FortiWLC controllers inside that L2 broadcast domain respond, and the AP connects
to the controller that responds first.

The AP establishes an L2 tunnel using a proprietary Ethertype. Because the tunnel is not IP based, it
cannot cross any routed boundaries. Once the tunnel is established, the AP exchanges information with the
controller and downloads its configuration. The first time the AP connects to the controller, it downloads the
default configuration.

The controller then classifies the AP as an L2 AP. The AP may also obtain an IP address, but it does not
use this IP for communication with the controller.

L2 discovery is used in very small environments where there may not be sufficient infrastructure to support
other types of connectivity.


There are two types of L2 discovery. The default method is L2 preferred. When the AP boots, it tries the L2
discovery method first. If the AP gets no response, it tries other methods. If the other methods fail to
respond, the AP returns to the L2 method. The AP will attempt this loop five times. If it gets no response in
the five attempts, it restarts. APs continue to boot in a loop until they discover a controller.


The second type of discovery is L2 only. When L2 only discovery is used, the AP uses only the L2
broadcast method, it does not try any other discovery methods. This method is recommended only for very
limited use cases.


If L2 discovery fails, factory configured APs move on to L3 discovery. L3 discovery uses IP.

By default, the AP first attempts to acquire an IP address using DHCP. APs can also be preconfigured with
a static IP if required. Once it has an IP address, the AP uses one of three L3 methods to discover and
connect to its controller:
• Preconfigured controller IP – The AP can be manually configured with a static controller IP. This
  configuration can be made from the controller or, for APs that have a serial console port, over a console
  cable. If a preconfigured IP is present, the AP contacts the controller using that IP. If it fails to contact the
  controller, because the IP was typed incorrectly or a routing or firewall issue prevents the connection, it
  does not move on to the next option. It loops continually looking for the static IP.

• Preconfigured controller hostname – The AP can be manually configured with a DNS hostname for the
  controller. The factory default is wlan-controller, but it can be customized. The AP uses the DNS server
  supplied in the DHCP response to resolve the hostname to an IP. If it fails to contact the controller at that
  IP, it loops continually looking for the IP resolved from the hostname and does not move on to the next
  option.
  The preconfigured IP and the preconfigured hostname are mutually exclusive: you can have one or the
  other, not both.

• DHCP scope option – If the AP has no preconfigured controller IP and cannot resolve the controller
  hostname, it looks at the DHCP response to see if a scope option has been supplied. This optional
  mechanism, available on most DHCP servers, allows vendor-specific information to be passed to the
  DHCP client; in this case, the vendor-specific information is the IP of the controller. By default, option 43
  is used. With SD 8.3 or later, option 138 carries the controller IP when CAPWAP is used.

L3 discovery also has two modes: L3 preferred and L3 only.


When L3 preferred is configured, the AP tries L3 discovery first. If that fails, the AP attempts the other
methods. If none is successful in making a connection, the AP returns to L3 discovery.

Again, the AP loops five times and then restarts.


When L3 only discovery is used, the AP uses only L3 methods to discover the controller. When you use L3
only discovery, you must be careful if you choose to manually configure the controller IP or controller
hostname in the AP configuration. If you make an error or misconfiguration, physical access to the AP
might be required to fix it. Physical access may not be possible if the AP is mounted high up in a roof or
similar inaccessible location.
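The discovery behaviour described across the preceding slides (L2 preferred as the factory default, the L3 preferred and "only" modes, five passes before a restart, and the three L3 options with their fall-through rules) as an added model in Python. This is not FortiWLC firmware; it is a simulation written for this page. It assumes that the "only" modes are also bounded by five passes before a restart, which the text does not state, and the network objects it boots into are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_PASSES = 5   # per the text: five passes through the method list, then the AP restarts

ORDER = {
    "l2-preferred": ["L2", "L3", "MESH"],   # factory default
    "l3-preferred": ["L3", "L2", "MESH"],
    "l2-only": ["L2"],
    "l3-only": ["L3"],
}


@dataclass
class Network:
    """Constructed stand-in for the infrastructure the AP boots into."""
    l2_controllers: List[str] = field(default_factory=list)  # controllers in the AP's broadcast domain
    dns: Dict[str, str] = field(default_factory=dict)         # hostname -> IP via the DHCP-supplied DNS
    reachable: List[str] = field(default_factory=list)        # controller IPs the AP can actually reach
    dhcp_controller: Optional[str] = None                     # option 43 (or 138) value, if supplied
    mesh_parents: List[str] = field(default_factory=list)     # mesh-capable APs in radio range


@dataclass
class ApConfig:
    discovery: str = "l2-preferred"
    controller_ip: Optional[str] = None           # preconfigured static controller IP
    controller_host: str = "wlan-controller"      # factory default hostname

    def __post_init__(self) -> None:
        if self.discovery not in ORDER:
            raise ValueError(f"unknown discovery mode {self.discovery!r}")


def try_l2(net: Network) -> Optional[str]:
    # The first controller to answer the L2 broadcast wins.
    return net.l2_controllers[0] if net.l2_controllers else None


def try_l3(cfg: ApConfig, net: Network) -> Optional[str]:
    """The three L3 options, in order, with the fall-through rules from the text."""
    if cfg.controller_ip:
        # A static IP is final: a mistyped or unreachable IP never falls through to DHCP.
        return cfg.controller_ip if cfg.controller_ip in net.reachable else None
    resolved = net.dns.get(cfg.controller_host)
    if resolved is not None:
        # Hostname resolved: the AP keeps trying that IP and does not consult DHCP.
        return resolved if resolved in net.reachable else None
    # No static IP and no DNS answer: fall back to the DHCP scope option.
    if net.dhcp_controller and net.dhcp_controller in net.reachable:
        return net.dhcp_controller
    return None


def try_mesh(net: Network) -> Optional[str]:
    return net.mesh_parents[0] if net.mesh_parents else None


def boot_discovery(cfg: ApConfig, net: Network) -> Tuple[Optional[str], List[str]]:
    """Run the discovery loop.

    Returns (classification, attempts): classification is "L2-AP", "L3-AP" or
    "mesh-AP" once a controller is found, or None when the AP exhausts
    MAX_PASSES and restarts.  attempts lists every method tried, in order.
    """
    attempts: List[str] = []
    for _ in range(MAX_PASSES):
        for method in ORDER[cfg.discovery]:
            attempts.append(method)
            if method == "L2" and try_l2(net):
                return "L2-AP", attempts
            if method == "L3" and try_l3(cfg, net):
                return "L3-AP", attempts
            if method == "MESH" and try_mesh(net):
                return "mesh-AP", attempts
    return None, attempts   # AP restarts and begins the loop again


if __name__ == "__main__":
    # AP on its own routable VLAN, controller IP from option 43: L3 on the first pass.
    net = Network(reachable=["10.10.0.5"], dhcp_controller="10.10.0.5")
    print(boot_discovery(ApConfig("l3-preferred"), net))
    # Mistyped static IP with L3 only: never falls back to option 43, loops five times, restarts.
    print(boot_discovery(ApConfig("l3-only", controller_ip="10.10.0.50"), net))
```

The second run is the failure mode the slide warns about: with a wrong static IP and L3 only, the AP never reaches the DHCP option even though a working one is present, and nothing short of console or physical access fixes it.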


Assuming that the AP is able to make an L3 connection, it defaults to establishing tunnels over UDP ports
9393 and 5000. One tunnel is used for management of the AP and the network, the other can be used to
carry client data if the AP is transmitting a tunnelled ESS Profile. Port 9292 is used during the controller
discovery phase and not used to carry management or client data. L3 tunnels on SD 8.2 and earlier use
Fortinet-specific protocols.

When SD 8.3 or later is used, the CAPWAP standard tunnel type is applied, with alternative ports. Once
the tunnel is established, the AP downloads the configuration from FortiWLC. By default, the data carried
in these tunnels is unencrypted. You can apply encryption by encapsulating the two tunnels in a VPN
tunnel.

For successful connection, any required ports need to be open for normal operation. If you are using the
VPN option, only the one port, TCP 1194, needs to be open.


Mesh discovery is a form of L3 discovery. Instead of discovering over the wired interface, the AP uses a
wireless interface.

Mesh-enabled APs broadcast a specific frame that identifies them as mesh capable. An AP using mesh
discovery enables its radios and listens for one of these mesh frames.

Information included in the mesh frame enables the AP to connect to the controller through the mesh AP.
Once connected, the AP downloads its configuration.


L3 preferred is the best practice discovery and connection method for APs. Increasingly, advanced
functionality is enabled on an AP only if the AP discovered the controller using L3.

L3 is also faster. All current sizing and design recommendations are based on performance testing
conducted in an L3 environment.

However, L3 does require some configuration as well as support from the underlying network. It requires
additional IP addresses and may also require DHCP or DNS configuration.


As the table shows, a number of advanced functions are not available when L2 connectivity is used.
Without an IP connection, these functions cannot establish a connection to the controller.


Good job! You now understand controller discovery. Now you will examine general AP configuration
requirements.


After completing this section, you will understand how to gather the information required to configure an
AP.


There are several choices and decisions that you have to make when you configure an AP. It’s best to
make these decisions before you install ANY APs.

You must decide on the following things, which require configuration:


• AP naming conventions
• Default wireless channel settings
• Preferred controller discovery method

You also need to ensure that the supporting infrastructure is configured and in place. If you are relying on
DHCP or DNS, you need to ensure that the related configuration is complete.

Reviewing documentation is also critically important, as well as ensuring that you have the correct release
notes, site plans, and configuration information available.

Finally, you need a method for collecting AP information. This is a required part of any handover
documentation.


All APs require a name. The AP name is used by the network administrator to identify an AP. The default
name assigned by the controller is ‘AP’ followed by the AP ID number.

This default name format does not help the wireless network administrator to identify the type, location, or
purpose of the AP.

It is recommended that you change the AP name, to something more helpful, during installation.

A well-constructed, logical naming convention can make the management of a FortiWLC wireless network
significantly easier.

At a minimum, you should consider including one or more of the following items in the AP name:
• location information
• configuration details
• AP model
• the channel layer in which the AP is operating

AP names are text based. When you name an AP, nothing prevents you from using the same name multiple
times; that is, AP names do not have to be unique. Having multiple APs with the same name is confusing,
so avoid it when assigning AP names. Names can be up to 63 characters in length and can include
hyphens (dashes) and underscores.

AP names cannot begin with a number or contain spaces.


This is an example of a naming convention that you could use. Choosing a naming convention is up to you
and the customer.

In the case of a large network, specifying the country and campus can be very useful.

Other information that is used in this example naming convention includes the following:
• The building number and floor number. This can help identify the geographic location of an AP.
• The model number of the AP and the channel layer in which the AP is operating. This can make
subsequent configuration of channel layers easy.
• The physical location. This will help you identify exactly where the AP is.

When you use a naming convention like the one shown in this example, you can quickly and easily identify
the configuration and location of any AP, just by looking at the name.

The AP name can also be used for filtering and selecting. Most tables in the interface have a search field
where you can type in a text string to search on. Simply typing in part of the AP name will result in the list
being filtered and the APs that match being selected.
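An added Python example of the naming convention and the controller's name rules described on these two slides: it builds names from the fields the convention uses, enforces the 63-character, no-leading-digit, no-spaces rule, parses a name back into its fields, flags duplicates (which the controller itself does not prevent), and filters an inventory by substring. This is not FortiWLC code. The field order, the hyphen separator, the assumption that letters and digits are permitted characters, and every sample name and model are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Controller rules from the text: up to 63 characters, no leading digit, no spaces,
# hyphens and underscores allowed.  Letters and digits are assumed to be allowed.
AP_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]{0,62}$")

# Field order of the constructed convention: country, campus, building, floor,
# AP model, channel layer, physical location.  Hyphen is the separator, so
# individual fields may not contain one.
FIELDS = ["country", "campus", "building", "floor", "model", "layer", "location"]
FIELD_RE = re.compile(r"[A-Za-z0-9_]+")


def valid_ap_name(name: str) -> bool:
    """Would the controller accept this name at all?"""
    return bool(AP_NAME_RE.match(name))


@dataclass
class ApIdentity:
    country: str
    campus: str
    building: str
    floor: str
    model: str
    layer: str
    location: str

    def name(self) -> str:
        """Build a convention-following name and check it against the controller rules."""
        parts = [getattr(self, f) for f in FIELDS]
        for field_name, value in zip(FIELDS, parts):
            if not FIELD_RE.fullmatch(value):
                raise ValueError(f"{field_name}={value!r}: use letters, digits or underscore only")
        name = "-".join(parts)
        if not valid_ap_name(name):
            raise ValueError(f"{name!r} violates the controller's AP name rules")
        return name

    @classmethod
    def parse(cls, name: str) -> "ApIdentity":
        """Recover configuration and location from a name: the payoff of a convention."""
        parts = name.split("-")
        if len(parts) != len(FIELDS):
            raise ValueError(f"{name!r} does not follow the naming convention")
        return cls(*parts)


def duplicate_names(names: List[str]) -> Dict[str, int]:
    """The controller does not enforce uniqueness, so audit the inventory yourself."""
    return {n: c for n, c in Counter(names).items() if c > 1}


def filter_aps(names: List[str], needle: str) -> List[str]:
    """Substring filter, like typing part of a name into a table's search field."""
    return [n for n in names if needle in n]


if __name__ == "__main__":
    # Constructed inventory with one accidental duplicate.
    inventory = [
        ApIdentity("UK", "LON", "B1", "F2", "AP822", "L1", "Lobby").name(),
        ApIdentity("UK", "LON", "B1", "F2", "AP822", "L1", "Lobby").name(),
        ApIdentity("UK", "LON", "B1", "F3", "AP822", "L2", "Stores").name(),
    ]
    print(duplicate_names(inventory))
    print(filter_aps(inventory, "F3"))
    print(ApIdentity.parse(inventory[2]).layer)
```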


The other configuration element that you should consider is the default wireless settings.

These settings are used to configure an AP when it first connects to the controller. They allow you to define
the default 2.4 GHz and 5 GHz channels. If you chose different channels during the design phase, it's a
good idea to set them before adding new APs.

The settings apply to all AP types and only apply when an AP is initially added. You can't use these
settings to make bulk changes to existing APs.


As highlighted earlier, L3 connectivity is the recommended connectivity method because of the additional
functionality that it enables. L2 connectivity should be used only for very small sites with minimal
infrastructure, sites that typically don't have DHCP or DNS.

You should not have L2 and L3 connected APs in the same geographical area. APs in the same area
should all discover as L2, or all as L3.

The easiest way to ensure this is to install the APs in a separate routable VLAN. This makes it impossible
for the APs to discover at L2, because L2 broadcasts are not routable, and it minimizes the need for
per-AP configuration.

If you cannot deploy a separate AP VLAN and the controller and APs are in the same L2 broadcast
domain, then you should configure each AP to discover as L3 preferred. This causes the APs, as
previously discussed, to try an L3 connection to the controller first. This is a manual configuration and
needs to be performed on each new AP.


If you are planning to implement an AP VLAN, you need to configure it before installing APs. The ports
connecting the APs need to be configured with the AP VLAN as their native VLAN. The AP VLAN also
needs to be able to route traffic to the VLAN containing the FortiWLC controller. It is not necessary to trunk
the AP VLAN to the controller.

You need to make sure that you have a method of supplying the controller IP address to the AP: by DNS
or by DHCP option. You do not need both.

You also need to ensure that the APs have power. You can connect them to a suitable PoE-capable switch
or use another method of power injection. When you have a large number of APs, it is also important to
ensure that your switches have enough power. Not all PoE switches can supply full PoE power on all
PoE-capable ports; each has a ‘power budget’ that states the total amount of PoE power the switch can
supply.


If you are planning to use DHCP to supply an option 43, you need to ensure that your DHCP server is
capable of doing so.

Option 43 is an industry-standard option that is supplied as part of the DHCP response. For FortiWLC-
based wireless, this option is used to supply the IP address of the controller.

APs send a specific text string in the DHCP discover packet, known as the option 60 vendor class
identifier. Each family of APs supplies its own string. The DHCP server can (optionally) supply different IP
addresses for different families of APs.

The table shown in this slide provides details about all recent FortiWLC-based APs and the strings that
they send.

With SD 8.3 or later, option 138 can also be used; it supplies the controller IP when CAPWAP is being
used.


You can use a Windows DHCP server to supply IP addresses to the AP VLAN.

You need to define a new vendor class for each AP family that you plan to use. Use the table shown in the
previous slide to add a new class for each AP family, and give each class a name that identifies that
family. When you enter the ASCII string, remember that it is case sensitive.


Once you define the vendor class, you can set the predefined options.

Select Predefined Options, and add a new option and value. Select String from the Data type drop-down
menu and enter 43 in the Code field.

Once you have set the predefined options, you can add the new option to the DHCP scope that you
created for the AP VLAN. When you add the scope option, you define the IP address of the FortiWLC
controller as its value.
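The exchange the last three slides describe, as an added Python example that is not FortiWLC or Windows DHCP code: the AP's DISCOVER carries an option 60 vendor class, the server matches it case-sensitively to a class and answers with option 43 as an ASCII controller IP (and option 138 as a packed IPv4 address for CAPWAP-era APs), and the AP reads the controller IP back out. The option 60 strings real AP families send are in the slide table and are not reproduced here; the class names and addresses below are constructed placeholders. Option 138 is encoded as RFC 5417 specifies; option 43 is encoded as the plain string the slide's Windows procedure produces.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

OPT_PAD = 0
OPT_VENDOR_CLASS = 60      # option 60: vendor class identifier the AP sends in its DISCOVER
OPT_VENDOR_INFO = 43       # option 43: vendor-specific information; here an ASCII controller IP
OPT_CAPWAP_AC = 138        # option 138: CAPWAP AC IPv4 addresses (RFC 5417), SD 8.3 or later
OPT_END = 255

# Constructed class table.  The real option-60 strings per AP family are on the
# slide and are not reproduced here; these names are placeholders.
VENDOR_CLASSES: Dict[str, str] = {
    "ExampleAP-FamilyA": "10.10.0.5",
    "ExampleAP-FamilyB": "10.10.0.6",
}


def encode_options(options: List[Tuple[int, bytes]]) -> bytes:
    """Serialise (code, value) pairs as DHCP TLV options, terminated by END."""
    out = bytearray()
    for code, value in options:
        if not 0 < len(value) <= 255:
            raise ValueError(f"option {code}: value must be 1-255 bytes")
        out += bytes((code, len(value))) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob: bytes) -> Dict[int, bytes]:
    """Parse DHCP TLV options, rejecting truncated encodings instead of guessing."""
    options: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: truncated value")
        options[code] = value
        i += 2 + length
    return options


def controller_for_discover(discover_options: bytes) -> Optional[str]:
    """Server side: pick the controller IP for the AP family named in option 60.

    The match is exact and case sensitive, as a Windows DHCP vendor class is.
    """
    vci = decode_options(discover_options).get(OPT_VENDOR_CLASS)
    if vci is None:
        return None
    try:
        return VENDOR_CLASSES.get(vci.decode("ascii"))
    except UnicodeDecodeError:
        return None


def build_offer_options(controller_ip: str, capwap: bool = False) -> bytes:
    """Server side: option 43 as an ASCII string, plus option 138 for CAPWAP-era APs."""
    addr = ipaddress.IPv4Address(controller_ip)        # validates before it is handed out
    options = [(OPT_VENDOR_INFO, str(addr).encode("ascii"))]
    if capwap:
        options.append((OPT_CAPWAP_AC, addr.packed))
    return encode_options(options)


def controller_from_offer(offer_options: bytes) -> Optional[str]:
    """AP side: read the controller IP back, preferring option 138 when present."""
    options = decode_options(offer_options)
    if OPT_CAPWAP_AC in options and len(options[OPT_CAPWAP_AC]) >= 4:
        return str(ipaddress.IPv4Address(options[OPT_CAPWAP_AC][:4]))
    raw = options.get(OPT_VENDOR_INFO)
    if raw is None:
        return None
    try:
        return str(ipaddress.IPv4Address(raw.decode("ascii")))
    except (UnicodeDecodeError, ValueError):
        return None


if __name__ == "__main__":
    discover = encode_options([(OPT_VENDOR_CLASS, b"ExampleAP-FamilyA")])
    controller = controller_for_discover(discover)
    offer = build_offer_options(controller, capwap=True)
    print(offer.hex(), controller_from_offer(offer))
```

Note that `controller_for_discover` returns nothing for a vendor class that differs only in case; that is the mistake the slide warns about when the ASCII string is typed into the Windows vendor class.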


If you choose to supply the controller IP using a DNS record, you need to configure the DNS server with a
host record.

By default, APs use wlan-controller as the record. However, if wlan-controller is already in use, you
can use a different record. If you do, each AP needs to be configured to use the new name.


Before adding new APs, it is critical that you review the release notes.

The release notes for SD include a list of supported hardware. You need to ensure that the APs you are
installing are supported by the installed version of SD. You may also find that certain APs have additional
upgrade actions that may be required, for instance specific scripts that need to be run.

The installation guide or quick start guide for the AP includes information about mounting options, PoE
capability, and LED activity and meaning, which is important information when troubleshooting AP
connectivity issues.


Good job! You now understand general AP configuration requirements. Now, you will examine additional
requirements for remote APs.


After completing this section, you will understand the additional requirements for installing an AP remotely.


A remote AP, for example one located in a satellite learning centre or a home office, needs a publicly
reachable IP address for the controller. This public IP address may need to be forwarded through a firewall.
Best practice is to use a public DNS record instead of an IP address.

You also need to consider how the name or IP will be supplied to the AP. You may be able to use local
DNS/DHCP, or you may have to preconfigure the AP before shipping it to the site; this is usually done by
installing the AP on the main campus and configuring it before moving it to the remote site.

Some APs have a console port that allows the AP to be configured without connecting to a controller
first.


In addition to the public IP address or hostname, you need to enable port forwarding to the controller.


If the AP tunnels cross a public Internet connection, it is highly recommended that the traffic be
encapsulated in a VPN tunnel. The standard three ports are still used, but the traffic is encapsulated in the
VPN tunnel.

By default, traffic is passed over an OpenVPN tunnel using TCP Port 1194; however, you can change this.


Not all APs are capable of, or suitable for, VPN encryption. Consult the datasheet for more information
about suitability. Also, there is a limit to the number of VPN APs a controller can support.

Encryption requires increased CPU use, and neither the AP nor the controller has dedicated encryption
hardware. This results in a significant drop in data throughput when data is tunnelled back through a VPN
connection. If the data is bridged locally, then only the control plane traffic is sent back over the VPN, and
the impact is significantly less.

To enable VPN encryption, the AP needs an SSL certificate. Some APs come supplied with a certificate;
however, the same self-signed certificate is used on all factory-supplied APs. As a result, you cannot
control which APs can connect to your controller, because they all present the same certificate.

If you are planning to deploy VPN encryption for APs, it is highly recommended that you generate your
own certificates from your own certificate authority. The certificates can still be signed by your own
(self-signed) CA, but each will be unique, which enables you to control access per AP; for instance, if an
AP is stolen you can revoke its certificate.

Because of the overhead of VPN AP encryption, you should consider using it only for telecommuters and
home-based offices, where the reduced throughput won't be as much of an issue. For larger branch office
installations, a dedicated FortiGate site-to-site VPN is recommended.


When deploying wireless networks to remote APs, you should carefully consider the type of networks you
wish to publish. Both tunnel and bridge networks are supported, but you may want to bridge traffic that is
going to a remote destination in order to minimize the traffic crossing the link to the AP, and ensure the best
performance.

There is no split tunnel option when using networks published by a remote AP. Traffic either remains
local or goes back to the controller.


Good job! You now know the additional requirements for supporting remote APs. Next, you will
explore the physical requirements for APs.


After completing this section, you should know all of the physical requirements that you need to take into
account when you install an AP.


Before you install an AP, there are several things that you must understand and ensure are in place:
• For some installations, you might need to purchase extra brackets or optional mounting kits to mount
the AP.
• You need to ensure that AP positioning is optimal and that you understand the AP orientation.
• You need to ensure that you have functioning network ports.
• You need a power source.
• If you are using external antennas, you need to calculate the gains and losses of the antennas,
associated cables and lightning arrestors (if used). Incorrectly specifying the antenna gain can lead to the
AP exceeding the regulatory limits and so, potentially, breaking the law.


The release notes for the AP will detail the different mounting options available.

As there are different types of suspended ceiling, you may well find that optional brackets are required.

Sometimes you may be required to mount the AP above a suspended ceiling, in which case you’ll need to
ensure that the AP meets local fire safety regulations (some countries require access points to be plenum
rated, for instance).

If placing an AP above a suspended ceiling, you should also plan for an external antenna solution that
can be installed on the underside of the ceiling to provide optimal coverage.


It is important to ensure that you meet some basic criteria when mounting APs. There is often some
flexibility about where you place the APs, so you don’t always need to place them exactly where the
plan specifies.

You should avoid placing APs within 1.8m/6ft of any structural metalwork or large metal objects because
this can significantly interfere with the radiation pattern, making coverage unpredictable. Avoid mounting
near any existing or newly installed access points. All wireless LAN radios (operating in the same
frequency range) must have a minimum separation of 2.4m or 8ft.

Avoid mounting APs close to vertical walls; mount them towards the centre of the room, if possible. This
minimizes the amount of interference caused by signal reflection and refraction.

Do not mount APs above suspended ceilings without deploying an external antenna. Best performance is
achieved when the end users can see the antenna. All current predictive survey tools assume that APs are
mounted below the ceiling; mounting APs above will invalidate any virtual or simulated survey.

You should also consider whether the AP location is within reach of the end users. Transmitting antennas
should not be touched, and in educational institutions, antennas are often removed if reachable.


Many AP antennas have particular coverage patterns, and any survey conducted would have been performed
with the APs in a certain orientation. You should ensure that you mount the APs to match the orientation
used in the survey.

If you are using external or non-standard antennas, you should pay particular attention to the survey to
ensure that you have the AP antennas pointing in the correct direction.

To get good, general purpose coverage with APs with external antennas, which are often omnidirectional,
ensure that the antennas are perpendicular to the floor. Always ensure that antennas are pointing in the
same direction.


This slide shows some examples of poor AP mounting locations.


When provisioning cabling for APs, you should plan for a minimum one gigabit connection. CAT5e is the
minimum standard cable recommended.

Some APs can support multiple Ethernet connections. Some AP models can support link aggregation. AP
models with dual ports can support the connection of wired devices. These devices, when connected by a
switch or directly to the second port, appear as wired stations on the controller. As such, they count
towards the client count of the controller and are subject to the same traffic control, such as rate limiting
and firewalling. It is also possible to RADIUS authenticate clients connected to the second port.

If you are planning on using both ports, you need to ensure that you review the datasheet. Some APs
require higher power PoE to enable both ports.


All current FortiWLC APs support power over Ethernet (PoE) from either a switch or a power injector.

Most APs support the original 802.3af PoE standard, although some require higher power for enabling
advanced functionality.

The exception is the FAP-U wave two series AP. It requires high power PoE+ 802.3at. This AP is also
unique because it supports PoE on both ports, enabling power redundancy.

Some APs include the option to use an external power supply unit, which you would purchase as an
additional option. Refer to the datasheet.

The AP autodetects the power supply in use. No additional configuration will be required.

Not all switches have the same PoE budget. If a switch is to support a number of APs, ensure that it has a
big enough power budget to power all of the APs that are to be installed.


If you are going to use external antennas that were not supplied with the AP, it is critical that you configure
the correct antenna gain.

The power levels that are used to transmit wireless signals are strictly controlled across the world.
Different rules and regulations apply in different countries. If the country code is set correctly, the controller
knows the power limitations. If the antenna is properly configured, the controller ensures that the APs don’t
exceed the legal power output.

The AP can’t autodetect the installed antennas. By default, the AP is configured to assume that it is
equipped with the antenna it shipped with from the factory. If you use a non-standard antenna, then you need
to configure the controller with the gain settings for that new antenna.

Power output from the AP is measured from the antenna and is called equivalent isotropically radiated
power (EIRP). When you configure the power in the AP interface settings, you are not actually setting the
transmit power of the radio; you are setting the target transmit power from the antenna, the EIRP.

The controller calculates the required radio power setting and sets the level so the AP does not exceed the
maximum allowed EIRP. This calculation is based on the antenna gain setting configured in the AP
settings.

This slide shows three example scenarios of calculating antenna gain. In the top scenario the factory-
supplied antennas, which are 3 dBi, are used. The target EIRP is set at 23 dBm. Because the AP is
already configured with the correct gain setting for the factory-supplied antennas, no adjustment is
required.

In the middle scenario, a directional panel antenna of 8 dBi is used. In this scenario, the AP settings need
to be updated to enable the controller to reduce the transmission power to account for the increased gain.
Cable loss and insertion loss, caused by any installed lightning suppression, also need to be calculated.
Cable loss is typically calculated on a per metre basis. Insertion loss caused by the lightning arrestor is
typically specified on the datasheet.

The bottom scenario also includes an 8 dBi gain antenna; however, the cable and arrestor loss need to be
deducted when calculating the antenna gain. So, rather than configuring the antenna as an 8 dBi antenna at
the AP, it is configured as a 4 dBi antenna, based on the loss deductions.
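The three scenarios worked through in code, as an added example that is not part of the study guide: it deducts feeder losses to get the gain to configure, derives the radio power the controller would set for a target EIRP, and shows the overshoot when a panel antenna is fitted but the gain setting is left at the factory value. The 3 dBi, 8 dBi and 23 dBm figures come from the slide; the cable and arrestor losses and the 23 dBm cap are constructed for the example.

```python
"""Added example (not code from the FortiWLC study guide): the EIRP arithmetic behind
the three antenna scenarios, including loss deduction and a regulatory cap."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AntennaInstall:
    """One AP radio with its antenna and feeder components."""
    antenna_gain_dbi: float           # gain printed on the antenna datasheet
    cable_length_m: float = 0.0       # feeder cable between AP and antenna
    cable_loss_db_per_m: float = 0.0  # cable loss is specified per metre
    arrestor_loss_db: float = 0.0     # lightning arrestor insertion loss (datasheet)

    def feeder_loss_db(self) -> float:
        return self.cable_length_m * self.cable_loss_db_per_m + self.arrestor_loss_db

    def configured_gain_dbi(self) -> float:
        """Gain to enter in the AP antenna settings: datasheet gain minus feeder losses."""
        return self.antenna_gain_dbi - self.feeder_loss_db()


def radio_power_for_target(target_eirp_dbm: float, configured_gain_dbi: float,
                           max_eirp_dbm: float) -> tuple:
    """What the controller does: EIRP = radio power + antenna gain, so the radio is
    driven at (EIRP - gain). The target is capped at the regulatory maximum first.
    Returns (radio_power_dbm, resulting_eirp_dbm)."""
    eirp = min(target_eirp_dbm, max_eirp_dbm)
    return eirp - configured_gain_dbi, eirp


def actual_eirp_dbm(radio_power_dbm: float, install: AntennaInstall) -> float:
    """EIRP really radiated: radio power plus the gain actually present at the antenna."""
    return radio_power_dbm + install.configured_gain_dbi()


# Values from the slide: factory 3 dBi antennas, 8 dBi panel, 23 dBm target EIRP.
# The feeder losses (2 m cable at 1 dB/m plus a 2 dB arrestor) are constructed so
# that the bottom scenario works out to the 4 dBi the slide describes.
TARGET_EIRP_DBM = 23
MAX_EIRP_DBM = 23  # placeholder cap for the example, not a real regulatory figure
FACTORY = AntennaInstall(antenna_gain_dbi=3.0)
PANEL = AntennaInstall(antenna_gain_dbi=8.0)
PANEL_WITH_FEEDER = AntennaInstall(antenna_gain_dbi=8.0, cable_length_m=2.0,
                                   cable_loss_db_per_m=1.0, arrestor_loss_db=2.0)


def misconfigured_overshoot_db(install: AntennaInstall, configured_gain_dbi: float) -> float:
    """How far the AP overshoots the cap when the controller still believes the old gain
    (for example the panel fitted, but the setting left at the factory 3 dBi)."""
    radio, _ = radio_power_for_target(TARGET_EIRP_DBM, configured_gain_dbi, MAX_EIRP_DBM)
    return actual_eirp_dbm(radio, install) - MAX_EIRP_DBM


if __name__ == "__main__":
    scenarios = (("factory", FACTORY), ("panel", PANEL), ("panel+feeder", PANEL_WITH_FEEDER))
    for label, inst in scenarios:
        gain = inst.configured_gain_dbi()
        radio, eirp = radio_power_for_target(TARGET_EIRP_DBM, gain, MAX_EIRP_DBM)
        print(f"{label:13s} configured gain {gain:4.1f} dBi -> radio {radio:4.1f} dBm, EIRP {eirp} dBm")
    print("panel left at factory gain overshoots the cap by",
          misconfigured_overshoot_db(PANEL, FACTORY.configured_gain_dbi()), "dB")
```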


Congratulations! You have completed this lesson.

You should now understand and be able to describe the different modes of AP deployment. You should
also be able to describe AP controller discovery and understand any related configuration requirements.
You should also know what information is required to install and configure APs, both local and remote, as
well as any physical requirements.


This lesson covered the following objectives:


• Describe AP deployment types
• Understand controller discovery
• Describe general AP configuration requirements
• List additional requirements for remote APs
• List physical AP requirements

DO NOT REPRINT Installation of Access Points

© FORTINET

In this lesson, you will look at the process of installing APs.


In this lesson, you will explore the following topics:


• Installing access points
• Optimizing the channel plan
• Installing mesh access points


After completing this section, you should be able to install and configure APs.


If all APs are connected to the network and start at the same time, the controller will add all of them to the
system at the same time. This results in all APs receiving the standard AP name and makes it difficult to
identify which AP is in which location. This is a big problem when you have hundreds of APs. A good idea
would be to connect and configure each AP in turn, which allows you to identify and name each AP
individually, or to keep a record of the AP serial number and location with a view to changing the name
afterwards.

The AP name is one of the configuration elements that cannot be changed in bulk.

For large installations, it is often a good idea to have a staging location where you can unpack the AP and:
1. Configure
2. Label (or asset tag)
3. Record the AP serial number

The AP can then be repacked and sent to its permanent location for installation.


If you are installing a single-channel architecture, it can be helpful to set the default channels that the
wireless APs will use when they are first installed. By default, the channels are set to 6 for 2.4 GHz and 36
for 5GHz. You can change these channel assignments. Any AP that you install after the change will use
the new default channels. The new channel assignments won’t affect any APs already installed.

If you are installing multiple families of APs and are using channel stripes to segregate them, install one
AP family at a time, changing the default channel settings after you install one AP family and before you
install the next AP family. This can help minimize the amount of post-installation channel configuration.


The steps to install an AP are as follows:


• Record the AP serial number and installation location.
• Start the AP and observe the AP boot sequence.
• After the AP starts, you can configure the mandatory AP settings, which are the minimum
recommended configurations for each AP.
• Repeat the previous steps for additional APs.
• After you have installed and configured all of the APs, you can configure the optional AP settings using
the bulk update function. This includes radio channel settings if you have different AP families.

Optimizing the channel plan is optional; however, doing so can help with the ongoing performance and
reliability of the network and could prevent future issues.


Both the AP and the AP shipping box have a serial number label attached to them. This serial number is
not the same as the serial number listed in the controller interfaces. The serial number referenced in the
controller interfaces is actually the MAC address of the AP’s wired Ethernet port.

However, it is possible to derive the MAC address by appending the last six characters of the serial number
to the FortiWLC OUI, which is 00:0c:e6. In the example shown on this slide, the MAC address is
00:0c:e6:1f:39:ec.


You should record the serial number and MAC address together with the physical location and the name of
the AP.

You can store the information on the implementation spreadsheet, if one was created as part of the initial
design phase.

Use a USB barcode scanner to make collecting serial numbers faster and more reliable.


Connect the AP to the network and, if required, to power. The AP will boot using the software pre-loaded in
the factory, contained in the AP’s local storage.

The LEDs will flash in different sequences to indicate the status of the boot process. Refer to the release
notes for the AP to learn what the flash codes mean.


You can review the status of the boot process in the GUI and CLI.

In the GUI, click Configuration. Under Devices, click APs. To update the list, click REFRESH.

In the CLI, enter the sh ap command.

The first AP boot process can take up to 5 minutes.


New APs are usually delivered with an older software image. The controller checks the AP software image
the first time it connects to the AP. If the software on the AP is different from the version on the controller,
the controller upgrades or downgrades the software on the AP automatically. This is known as the
automatic AP upgrade process and is the default behaviour of the network.

The operational state of the AP is Disabled until the upgrade or downgrade is complete and the AP has
restarted. You cannot configure the AP until the status of the AP is Enabled and Online.

Some older APs might need a patch for the initial software installation from the controller. For more
information, see the release notes for the AP and the version of SD on the controller.


After the AP is enabled and online, you can edit it. To edit the AP, click the edit icon beside the check box
for the AP, or select the check box for the AP, and then click the EDIT button.

All APs must have a name. When an AP is first added, the controller assigns it a default name in the format
of ‘AP-’ followed by the AP ID number. As highlighted in the previous lesson, it is best practice to change this
name to something more useful.

You cannot perform a bulk name change for multiple APs. You must edit and name each AP individually.

After you name the AP, you must click SAVE before attempting any further configuration.


The AP name is now changed.

Edit the AP again, and then select the Connectivity tab.

On the Connectivity tab, you can configure the discovery protocol. By default, L2 preferred is configured.
Like the AP name, you cannot bulk change the connectivity settings. You must configure the connectivity
settings for each AP individually.

You can also specify an IP address for the controller, or an updated DNS host name.

Only the settings on this configuration page are retained during an AP boot. All other settings are lost when
the AP restarts and are downloaded again as part of the configuration process.


If you are using non-standard antennas on the APs, you can configure them now. If you only have a small
number of APs with external antennas, then it makes sense to configure them individually as you
install them.

On the Antenna Property tab, select the antennas for each radio in turn, and then click BULK UPDATE
to apply the new gain.

If you have large number of APs with the same non-standard external antennas, you can use the bulk
change mechanism to change many APs at the same time.

You can edit the gain only for APs that have external antennas.


If the AP is capable of link aggregation and you want to aggregate its links to a switch, select the
Ethernet Interface tab to edit the configuration.

In the LACP drop-down list, select Enable, and then click SAVE.

Obviously, any switch configuration required must have been performed in advance.

Not all APs have multiple Ethernet ports and, of those that do, not all are capable of link aggregation. Refer
to the data sheet for the AP capability.

The LACP mode can be bulk updated for multiple APs; again, if you only have a small number, it might be
better to individually configure these APs as you install them.


The minimum required AP configuration is now complete, so you can configure the remaining APs in the
same way. Add each AP in turn, and then configure the mandatory settings.

You should save the controller configuration often.

You can configure all other AP settings using the bulk update option, which allows you to update the
configuration for many APs at the same time. Many tables in the GUI have a bulk update option.


The example AP table on this slide shows a partial search for AP names containing the word “canteen”. To
select all of the APs that have “canteen” in the name, in the AP Name column, in the search field, type
canteen, and then press the Enter key.

You can enter search criteria in each column of the table to further filter the selected items. Then, you can
bulk update or delete the selected items.

The Edit button only works on single table entries; bulk update can be used on multiple entries.

Bulk update is useful for applying radio settings to multiple interfaces, configuring channel layers, or
deploying a microcell channel plan.


When you select Bulk Update, the Bulk Update screen displays all of the options that you can change.
The options vary depending on the items that you are configuring.

Select the check boxes for the settings you want to change, select a value in the drop-down list for the
setting, and then click OK.

This will overwrite the existing settings.

If you select multiple entries with different capabilities, for instance AP interfaces of different
radio capabilities, and then try to bulk update with an invalid radio setting, the bulk update will fail.

For instance, if you selected 10 AP radios, 8 of which were 802.11ac radios and 2 802.11n radios, and then
tried to apply an 80 MHz channel setting (which applies to 802.11ac only), the bulk update would fail. The
80 MHz channel setting is not valid for an 802.11n radio, so you would need to filter the list further to ensure
that you only selected the appropriate radios.


Good job! You now understand how to install APs.

Now, you will examine how to optimize the channel plan.


After completing this section, you should be able to optimize the channel plan.

At this point you should have installed all of your APs. They will be installed using the default channel set
that you decided upon in the RF planning phase.

Now that all the APs are installed, they are actively ‘listening’ to the RF environment, so they can be used to
assess the environment and determine whether you are using the best channels.

This is entirely optional but can help ensure that the network is operating at its best and potentially
minimize any ongoing issues.

It can take some time for the APs to collect RF data, so this can be done in conjunction with the
remainder of the installation.


To enable the fastest possible collection of RF information, enable rogue detection. This causes access
points to scan all available frequencies, increasing the speed at which they collect information about
neighbouring devices.

You don’t need to leave rogue detection enabled, however, it is very helpful to be aware of new APs
operating in your airspace. Rogue detection allows you to do this.

To enable rogue detection, under Configuration, click Rogue AP. Enable Detection, and then add your
APs to the AP list. This will cause the listed APs to scan for and report other devices. It may take some
minutes for the information to be collected.

To view a complete list of all wireless devices, both APs and stations, that have been detected by your
APs, under Monitor, click Discovered Devices. These devices are wireless devices that are transmitting
frames that are decodable by your APs. They are not necessarily a threat to your network, they are simply
other devices operating in your radio environment.

To filter the table for APs, in the Device Type column, in the search field, enter access point. To sort
the table for APs that have a strong signal strength, click the Current RSSI column heading. The
Discovered APs and Stations table displays a list of neighbouring APs, their channel, and their signal
strength.

Note the channel setting of any APs that have a signal strength stronger than -80 dBm. This indicates that
those APs are strong enough to cause co-channel interference (CCI) for your network. You might want to
change the channel for your network if there are many neighbouring APs that conflict with that channel.

Note that the table also displays APs that are using inappropriate channels. For example, the table on
this slide shows an AP on channel 4 that has relatively strong signal strength. This could interfere with
APs located on both channel 1 and channel 6.
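The neighbour assessment described above, as an added example that is not part of the study guide: it takes a constructed Discovered APs and Stations listing, keeps only access points stronger than -80 dBm, counts how many overlap each of channels 1, 6 and 11 (an AP on channel 4 counts against both 1 and 6), flags off-plan channels, and ranks the candidates. The device records and the 1/6/11 plan are assumptions for the example.

```python
"""Added example (not code from the FortiWLC study guide): ranking the 2.4 GHz
channels 1/6/11 from a Discovered APs and Stations listing, the way the text does."""

# Constructed sample of what the Discovered APs and Stations table might list.
DISCOVERED = [
    {"type": "access point", "bssid": "02:00:00:00:00:01", "channel": 1,  "rssi": -55},
    {"type": "access point", "bssid": "02:00:00:00:00:02", "channel": 1,  "rssi": -62},
    {"type": "access point", "bssid": "02:00:00:00:00:03", "channel": 1,  "rssi": -70},
    {"type": "access point", "bssid": "02:00:00:00:00:04", "channel": 1,  "rssi": -88},  # too weak to matter
    {"type": "access point", "bssid": "02:00:00:00:00:05", "channel": 4,  "rssi": -58},  # off-plan channel
    {"type": "access point", "bssid": "02:00:00:00:00:06", "channel": 6,  "rssi": -72},
    {"type": "access point", "bssid": "02:00:00:00:00:07", "channel": 11, "rssi": -66},
    {"type": "access point", "bssid": "02:00:00:00:00:08", "channel": 36, "rssi": -60},  # 5 GHz, ignored here
    {"type": "station",      "bssid": "02:00:00:00:00:09", "channel": 6,  "rssi": -50},  # not an AP
]

CANDIDATES = (1, 6, 11)   # the non-overlapping 2.4 GHz channel plan
CCI_THRESHOLD_DBM = -80   # neighbours stronger than this cause co-channel interference


def overlaps(ch_a, ch_b):
    """2.4 GHz channels are 5 MHz apart and 20 MHz wide, so anything within four
    channel numbers overlaps (channel 4 hits both 1 and 6)."""
    return abs(ch_a - ch_b) <= 4


def strong_neighbour_aps(devices, threshold=CCI_THRESHOLD_DBM):
    """Access points on 2.4 GHz channels heard above the CCI threshold."""
    return [d for d in devices
            if d["type"] == "access point" and 1 <= d["channel"] <= 14 and d["rssi"] > threshold]


def neighbours_affecting(devices, candidates=CANDIDATES):
    """Map each candidate channel to the strong neighbour APs that overlap it."""
    hits = {ch: [] for ch in candidates}
    for ap in strong_neighbour_aps(devices):
        for ch in candidates:
            if overlaps(ap["channel"], ch):
                hits[ch].append(ap)
    return hits


def off_plan_aps(devices, candidates=CANDIDATES):
    """Strong neighbours on channels outside the plan: worth noting because each one
    degrades two of your channels at once."""
    return [ap for ap in strong_neighbour_aps(devices) if ap["channel"] not in candidates]


def rank_channels(devices, candidates=CANDIDATES):
    """Best channel first: fewest overlapping strong neighbours, ties broken by the
    weakest strongest-neighbour (the quieter airspace wins)."""
    hits = neighbours_affecting(devices, candidates)

    def key(ch):
        strongest = max((ap["rssi"] for ap in hits[ch]), default=-100)
        return (len(hits[ch]), strongest)

    return sorted(candidates, key=key)


if __name__ == "__main__":
    for ch, aps in neighbours_affecting(DISCOVERED).items():
        print(f"channel {ch:2d}: {len(aps)} strong overlapping neighbour(s)")
    for ap in off_plan_aps(DISCOVERED):
        print(f"off-plan AP {ap['bssid']} on channel {ap['channel']} at {ap['rssi']} dBm")
    print("ranking, best first:", rank_channels(DISCOVERED))
```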


You can assess channels for radio noise using one of two methods, depending on the equipment and
licenses available to you.

The first method is to use the radio dashboard, which is very useful for quickly assessing interference
levels after an installation.

On the GUI, click Monitor. Under Dashboard, click Radio. The AMBIENT CHANNEL NOISE table
displays all of the AP interfaces on your network and represents the amount of noise that each radio is
detecting. This display is known as a ‘Distribution Dashboard’; you will learn how to interpret this display in
more detail in a later lesson.

To view a list of all the radio interfaces and the noise levels that have been detected, right-click each of the
bars in the table, and then select Details. Look for interfaces listing noise in the -70s or -80s. This
indicates a higher level of noise in that AP location and might indicate interference.

Note the AP ID and interface index of any interface that has a high noise level, and then view the AP table
to identify which channel is being used by the AP. If there is interference on the channel, eliminate the
source, or change the channel.


If your network has APs that support spectrum analysis, and a controller with installed licenses, you can
use the spectrum analysis feature to assess channel quality.

By default, APs that are capable of spectrum analysis operate only as APs until you configure them as
spectrum sensors. You don’t need to configure all APs as spectrum sensors. Temporarily change one AP
interface in each area of the building (approximately one in every four APs) into spectrum sensors. Allow
the spectrum sensors to collect spectrum information for as long as possible.

After you configure the APs as spectrum sensors, do the following:


1. On the GUI, click Monitor.
2. Under Spectrum Management, select Console. The console opens.
3. Select the Channel Availability tab.
4. On the left side of the console, click Sensor Hierarchy, and then select each spectrum sensor.
5. To view real-time spectrum information collected by the sensor, select the green live data icon.

The Channel Quality table provides an assessment of channel quality in the area of the building covered
by the spectrum monitor you selected, and highlights channels experiencing interference. Make note of
any channels that seem to be lower quality.

In the GUI, on the left side of the console, select Display Settings. Make sure you view both the 2.4 GHz
and 5 GHz range. If the sensors have been running for a while, the Event Log tab will display historical
information about interference events.

After you finish optimizing your network channels, change the mode of the spectrum APs back to normal
operation.


After you identify the lowest quality channels, select the best channels to use.


The example on the previous slides shows that channel 1 has the most neighbouring APs as well as the
lowest channel quality score.

Channel 11 is likely to be the best channel because it has the fewest APs and appears to have the least
interference.

In a single-channel environment, you need to use only one channel. In this case, you would use channel
11 as the single channel on 2.4 GHz.

If you need to use an additional channel layer or stripe, then channel 6 is the next best option, however, it
could experience channel interference from a bad RF neighbour.

For a microcell network, you must use all three channels. However, channel performance could be
affected by neighbouring APs. If possible, plan the microcell network so that the APs closest to the
neighbouring APs use channel 1 to minimize interference. Unfortunately, it is difficult to avoid these types
of problems in microcell networks.

At the end of the day, selecting the best channels to use is a balancing act. As RF environments become
ever busier, it will become more of a compromise. It is also worth noting that monitoring the channels in use
and their utilization on a regular basis is important.


If you need to make channel updates, the bulk update feature is usually the best method to use. Click
BULK UPDATE to apply the RF settings to the APs that you need to update. Make sure you save the
controller configuration.


Good job! You now understand how to optimize the channel plan.

Now, you will examine how to install mesh APs.


After completing this section, you should be able to install and configure mesh APs.


A mesh AP network is a group of APs that provides wireless network access to clients using a wireless
connection to the controller. The mesh APs communicate with the controller using a wireless connection
established across one or more intermediate APs.

The wireless connection used is known as the mesh backhaul and uses interfaces that communicate on the
same channel. Traffic transferred across the mesh backhaul shares airtime.


In a mesh network, when a frame transfers from the controller to the end client, it transfers from mesh AP
to mesh AP using the mesh backhaul radio link. Because these radios are all on the same channel, each
frame uses two or three times as much air time, as the transmission of the frame is subject to the same
CSMA/CA mechanism as normal wireless traffic.

After the frame reaches the final AP supporting the client, it is broadcast from the radio that is transmitting
the network.

Returning frames follow the same path from the client to the controller.


In addition to servicing wireless clients, the mesh AP can support wired clients using its second Ethernet
port (if it has one). Frames for wired clients are treated in the same way as they are for wireless clients.
Similar to wireless interfaces, the wired interface has a limit of 128 clients.


It is also possible to trunk tagged frames across a mesh link, which is very useful if you have VLANs
that you want to distribute.


If an AP fails for any reason, the mesh has the ability to heal by finding an alternative path via functioning
mesh APs.


A cloud is a group of mesh APs that share the same backhaul link. The controller can have multiple clouds
of APs.


Each cloud of APs has at least one gateway AP that provides a wired link to the controller.


Mesh APs are wirelessly connected to other mesh or gateway APs and provide connectivity to clients and
other mesh or leaf APs.


A leaf AP is the last AP in the chain and only provides connectivity to clients.


Frames hop from one mesh AP to the next across the backhaul connection.

The controller can support up to 64 clouds. If your network contains clouds of adjacent APs, you should
use a different backhaul channel for each cloud to prevent interference.

Each cloud must have one gateway AP, can include a maximum of 16 APs in total, and can support up to
500 active clients.

There can be no more than three hops to the final leaf AP. Gateway mesh APs can support a maximum of
four backhaul links to other APs.
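
The limits above can be checked against a planned layout before any AP is installed. The following Python is an added example, not Fortinet code: the cloud data format, the AP names and the two sample clouds are constructed for the illustration, and the checks are taken from the limits and AP roles described in these notes.

```python
from collections import deque

# Limits quoted in these notes for FortiWLC 8.2.
MAX_CLOUDS = 64              # mesh clouds per controller
MAX_APS_PER_CLOUD = 16       # APs per cloud, gateway included
MAX_CLIENTS_PER_CLOUD = 500  # active clients per cloud
MAX_HOPS = 3                 # hops from the gateway AP to the final leaf AP
MAX_GATEWAY_LINKS = 4        # backhaul links a gateway AP can support


def check_cloud(cloud):
    """Return the rule violations for one cloud (an empty list means OK).

    `cloud` is a dict in a layout constructed for this example:
    {"name": str, "channel": int, "links": [(ap_a, ap_b), ...],
     "aps": {ap: {"role": "gateway" | "mesh" | "leaf", "clients": int}}}
    """
    name, aps, problems = cloud["name"], cloud["aps"], []
    gateways = [ap for ap, info in aps.items() if info["role"] == "gateway"]
    if len(gateways) != 1:
        problems.append(f"{name}: needs exactly one gateway AP, has {len(gateways)}")
    if len(aps) > MAX_APS_PER_CLOUD:
        problems.append(f"{name}: {len(aps)} APs exceeds {MAX_APS_PER_CLOUD}")
    clients = sum(info["clients"] for info in aps.values())
    if clients > MAX_CLIENTS_PER_CLOUD:
        problems.append(f"{name}: {clients} clients exceeds {MAX_CLIENTS_PER_CLOUD}")

    # Backhaul adjacency list; links carry frames in both directions.
    adj = {ap: set() for ap in aps}
    for a, b in cloud["links"]:
        adj[a].add(b)
        adj[b].add(a)

    # A leaf AP ends the chain: it serves clients only and relays for no other AP.
    for ap, info in aps.items():
        if info["role"] == "leaf" and len(adj[ap]) > 1:
            problems.append(f"{name}: leaf AP {ap} has {len(adj[ap])} backhaul links")

    if len(gateways) != 1:
        return problems  # hop counts need a single gateway to measure from
    gw = gateways[0]
    if len(adj[gw]) > MAX_GATEWAY_LINKS:
        problems.append(f"{name}: gateway {gw} carries {len(adj[gw])} backhaul links")

    # Breadth-first search from the gateway gives each AP's hop count.
    hops, queue = {gw: 0}, deque([gw])
    while queue:
        cur = queue.popleft()
        for nxt in adj[cur]:
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    for ap in aps:
        if ap not in hops:
            problems.append(f"{name}: AP {ap} has no backhaul path to the gateway")
        elif hops[ap] > MAX_HOPS:
            problems.append(f"{name}: AP {ap} is {hops[ap]} hops from the gateway")
    return problems


def check_controller(clouds, adjacent_clouds=()):
    """Check every cloud plus the controller-wide rules; `adjacent_clouds`
    lists pairs of cloud names whose APs sit close enough to interfere."""
    problems = []
    if len(clouds) > MAX_CLOUDS:
        problems.append(f"{len(clouds)} clouds exceeds {MAX_CLOUDS} per controller")
    for cloud in clouds:
        problems.extend(check_cloud(cloud))
    channel = {c["name"]: c["channel"] for c in clouds}
    for a, b in adjacent_clouds:
        if channel[a] == channel[b]:
            problems.append(f"adjacent clouds {a} and {b} share backhaul channel {channel[a]}")
    return problems


# Constructed sample: a compliant warehouse cloud and a faulty annex cloud.
WAREHOUSE = {
    "name": "warehouse", "channel": 36,
    "links": [("gw1", "m1"), ("m1", "m2"), ("m2", "l1")],  # l1 sits 3 hops out
    "aps": {"gw1": {"role": "gateway", "clients": 40}, "m1": {"role": "mesh", "clients": 60},
            "m2": {"role": "mesh", "clients": 55}, "l1": {"role": "leaf", "clients": 30}},
}
ANNEX = {
    "name": "annex", "channel": 36,  # same channel as the adjacent warehouse cloud
    "links": [("gw2", "a1"), ("a1", "a2"), ("a2", "a3"), ("a3", "a4")],  # a4: 4 hops
    "aps": {"gw2": {"role": "gateway", "clients": 20}, "a1": {"role": "mesh", "clients": 20},
            "a2": {"role": "mesh", "clients": 20}, "a3": {"role": "mesh", "clients": 20},
            "a4": {"role": "leaf", "clients": 20}},
}

if __name__ == "__main__":
    for line in check_controller([WAREHOUSE, ANNEX], [("warehouse", "annex")]):
        print(line)
```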

To enable mesh functionality, all APs must discover in L3 mode. Mesh APs discover in L3 mode
automatically, but you must ensure gateway APs discover in L3 mode.

Any wireless networks that are advertised from mesh APs must operate only in tunnel mode.

It is possible to mix different APs in a cloud but the backhaul capacity depends on the capability of the
wireless interfaces.

Note: Only specific AP families support mesh functionality. See the product datasheet.

There are two ways to set up a mesh network: manual setup mode and PlugNPlay setup mode.

To perform a manual setup, you must connect the AP to the network as usual, configure the APs manually
for mesh operation, and then disconnect the APs and move them to their final location.

PlugNPlay mode allows you to set up APs without using a wired connection to connect them to the
controller. After the APs discover the controller across the mesh network automatically, you can configure
the APs for mesh operation to allow networks to be broadcast.

PlugNPlay is slightly less secure because you have no control over which APs connect to your mesh
networks. Anybody who has a Fortinet controller-based wireless AP could, in theory, connect their AP to
your mesh network. However, this does not mean the AP will advertise networks, because you would still
have to add the AP to a mesh profile.

The recommended deployment method is manual setup mode, which ensures only authorized APs are
allowed to connect to your network.

To use either manual setup mode or PlugNPlay mode, you must first configure a mesh profile, which
specifies the group of APs in the mesh cloud.

In the GUI, on the left side of the screen, click Configuration, and then, under Wireless, click Mesh. Then
you can add a new mesh profile. Each profile requires a name. You can also add an optional description.

You must also enter a Pre-shared Key, which is used by the mesh APs to encrypt the backhaul.

At this point, you can also:

• Enable Admin Mode
• Enable PlugNPlay Status
• Enable VLAN Trunking

After you create the mesh profile, you can connect and configure the gateway AP.

Configure and name the AP, and then edit the newly created mesh profile. Then, do the following:
1. Select the Mesh AP Table tab, which contains a list of all the APs that will be in the mesh cloud.
2. To add an AP, in the AP ID drop-down list, select the AP.
3. Click Save.

Note: APs can be a member of only one mesh profile at a time.

After you add the AP to the mesh profile, you must configure an interface as the mesh backhaul.

1. In the GUI, on the left side of the screen, click Configuration.
2. Under Devices, click APs.
3. Select the Wireless Interface tab.
4. In the AP table, beside the interface that you want to use for backhaul, click the edit icon. Usually, the
backhaul interface is interface 2, the 5 GHz interface.
5. If required, change the channel settings.
6. In the Mesh Service Admin Status drop-down list, select Enable. This causes that radio to start
broadcasting mesh frames and allows other mesh APs to discover the gateway AP.

After you configure the mesh profile and its gateway AP, you can add other mesh APs.

If you’re planning to use plug and play, make sure PlugNPlay Status is enabled for the mesh profile.

Start the AP that you want to use as the mesh AP without a wired network connection to the controller. The
AP will run through the discovery methods until it discovers the mesh AP. This process can take many
minutes.

Observe the AP table and wait for the new AP to appear online. Make sure the discovery method and
other information are correct, and then configure the radio interface to match the channel settings of the
gateway AP. Then, enable mesh admin status.

Now you can add the new AP to the mesh profile, which will allow the AP to broadcast tunnelled networks
when it is included in the AP table of a wireless network.

To enable an AP for mesh operation manually, connect the AP to the network using a wired connection,
start the AP, and then configure the AP name and discovery method.

Configure the backhaul interface to match the gateway AP radio settings, and enable mesh admin status.

Add the new AP to the mesh profile. Then, disconnect the AP from the network and install it in its
permanent location. The next time the AP starts, it will discover and connect to the nearest mesh AP.

To monitor the status of a mesh, in the GUI, select the Mesh Topology tab to view a graphical
representation of how the APs are linked. To update the Mesh Topology screen, click Refresh.
Disconnecting an AP and then refreshing the Mesh Topology screen repeatedly shows the changes in the
topology as the mesh heals.

For more information about an AP, hover over it. Alternatively, you can use the CLI to monitor the APs
with the sh mesh-ap command (entered at the sd# prompt).

When configuring mesh, you should observe the following best practices:

• 5 GHz is the preferred band to deploy a mesh backhaul on. You can deploy a mesh backhaul on the
2.4 GHz band, but 5 GHz usually has greater bandwidth or channel availability. However, avoid using
DFS channels in case interference events cause the mesh backhaul channel to change.

• Avoid using 5 GHz channels that are used by other APs for client connectivity.

• If you have multiple clouds on the same controller, and the APs are located close to each other, avoid
using the same channel.

• It is possible to broadcast wireless networks from interfaces that support the mesh backhaul; however,
it is not recommended, because doing so has the potential to reduce the amount of bandwidth available for
the mesh, with a resulting reduction in performance.

• Mesh networks are not suitable for applications that require high bandwidth and/or low latency because
the combination of multiple hops and contention on the backhaul can reduce performance in networks
that have more than a few mesh clients.

Congratulations! You have completed this lesson.

This lesson covered the following topics:

• Installing and configuring APs
• Optimizing the channel plan
• Installing and configuring mesh APs

Building Wireless Networks


In this lesson, you will learn how to configure the newly installed controller and APs to build and broadcast a
wireless network.

In this lesson, you will explore the following topics:

• System Director (SD) profiles
• Wireless network configuration
• Wireless network broadcast control
• Profiles for AP families

After completing this section, you should be familiar with System Director (SD) profiles and how to use them.

Configuration profiles are collections of configuration settings that are used to define controller features and
functions when broadcasting wireless networks. Different profiles control different elements of wireless
network configuration. There are settings for both the wireless and wired side of the network.

All wireless networks broadcast from a controller use, at a minimum, an ESS profile and a security profile.

The ESS profile is the primary profile used to define a wireless network. It defines many wireless settings. It
also operates as a container that references many other profiles that control other aspects of network
configuration.

Many of the referenced profiles are optional, depending what functions you want to associate with your
wireless network.

The most commonly referenced profiles are listed on this slide, but there are many others.

Another important function of the ESS profile is to control the physical location where your wireless network is
available.

Profiles can be organized into three categories: wireless, wired, and security.

This slide shows an example of an ESS profile acting as a container. It defines the SSID that will be
broadcast.

The absolute minimum requirement for the network to broadcast is the ESS profile and security profile.

All other profiles are optional, and are required only if you want the associated function for your wireless network.

Other commonly used profiles are shown in this example.

If you require the network to be Enterprise authenticated, you need to add a RADIUS profile that defines the
server that is used for authentication.

RADIUS authentication is added to the security profile, but the ESS profile is the container.

If you want to enable RADIUS accounting, you also add a separate RADIUS profile to the ESS profile
container.

Other profiles can be added as well.

Profiles can be used multiple times by multiple ESS profiles.

The example in this slide shows two ESS profiles, broadcasting two different network SSIDs: one for internal
staff members and one for contractors. This example also includes a setting which specifies that all traffic
coming from contractors be assigned to a different VLAN. In order to enforce this policy, you require at least
one VLAN profile to define the VLAN information.

In this example, the CorpNetwork profile would be assigned the appropriate VLAN, security, and RADIUS
profiles.

Contractors would use the same authentication source as internal staff, so there is no reason to create
separate security and RADIUS server profiles; the same profile would apply to all user types. However,
because the VLAN is different for contractors, you need to specify a different VLAN profile.

In large and small wireless environments, it’s likely that some core wireless networks will need to be available
from all APs. In the example shown in this slide, there are four APs per building and there is a requirement for
the wireless network to be available in all areas, in both 2.4 GHz and 5 GHz frequencies.

In some cases, you may want to limit where a network is available. For example, you might want to make a
guest network available in only certain locations, such as the reception area and meeting rooms. In the
example shown in this slide, there is a wireless network available to contract staff who are working in a
specific part of the building. This contractor network may have different security policies for authentication,
and may also egress traffic into a more secure VLAN.

The configuration element that controls where wireless networks are broadcast is a feature of the ESS profile.
It’s a tab that appears in the interface after you have created the ESS profile. It is not a profile itself and it is
not shareable.

Each ESS profile has its own unique ESS AP table. The table consists of lists of interfaces. Most APs have
two interfaces; usually, interface one is the 2.4 GHz interface and interface two is the 5 GHz interface. When
an interface is added to an ESS AP table, that interface starts broadcasting the wireless network defined by
that ESS profile. The ESS AP table is also often used to configure virtual cell architecture, such as channel
striping and channel layering.

There is an important setting in the ESS profile that controls how the table is populated. It is the New AP’s
Join ESS setting.

The setting affects how existing and new APs are treated when an ESS profile is added. By default when you
create a new ESS profile, the New AP’s Join ESS is turned on. This causes the following to happen:
• All existing AP interfaces are automatically added to the ESS AP table, which results in the wireless network
you are creating being broadcast in all locations.
• Any new APs that are added to the controller after the ESS profile has been created also have their
interfaces added to the AP table.

If you turn this setting off, either when first creating the ESS profile or at some point afterward, you will need to
add the interfaces manually before any networks are broadcast. In complex wireless networks, turning this
option off is often preferred because it minimizes the chances of wireless networks being broadcast to
unintended locations.

Good job! You now understand System Director (SD) profiles.

Now, you’ll see how to use profiles to create wireless networks.

After completing this section, you should be able to configure a wireless network.

There are four steps to creating a configuration profile. The order shown on this slide is the most efficient order,
but is not mandatory. The recommended process for creating an ESS profile is as follows:

1. Create functional profiles – You only need to create profiles for the functions that you are planning to use.

2. Create the security profile – The security profile controls the type of authentication and encryption that the
wireless network will use.

3. Create the ESS profile – The ESS profile specifies the SSID, the security profile, the virtualization mode,
and any other optional profiles.

4. Add AP interfaces to the AP table – Once the ESS profile has been created, the AP table becomes
available and you can add AP interfaces to it. Adding interfaces to the table controls which interfaces
broadcast the wireless network.

Because profiles are independent, you can add or remove configuration objects at any time.

One of the most common optional profiles to configure is a RADIUS server profile. It is required only when you
are planning to authenticate your wireless network using an Enterprise authentication method.

The most commonly used Enterprise authentication method is WPA2 Enterprise, which commonly requires
networks to be authenticated using a username and password. The username and password are usually
installed in a central database, such as Windows Active Directory, and a RADIUS server is required to provide
the interface to the database.

It is also possible to use RADIUS authentication from a captive portal web page. This allows users to connect
to a network by entering a username and password at a web page.

The RADIUS profile also supports authentication by MAC address. This is known as MAC filtering or MAC
authentication, and it is possible to use the MAC address as a credential for RADIUS authentication.

There are two fundamental functions of a RADIUS profile: authentication and accounting.
• Authentication is the process of verifying supplied user credentials and controlling access.
• Accounting is the process of logging and auditing connection events.

Often, authentication and accounting are conducted by the same server; however, because requests arrive on
and depart from separate ports, two separate entries are needed in the RADIUS table.

Accounting is optional. It is perfectly acceptable to only authenticate your network and not use accounting. By
default, the RADIUS server table is empty and you will need to add your own entries.

These are the steps to configure a RADIUS profile:

1. Define the RADIUS profile name – Names can be up to 16 characters long and should be as descriptive
as possible.
2. Specify the RADIUS server IP address.
3. Specify the RADIUS secret – This is a pass phrase that the controller uses to access the RADIUS server.
The pass phrase authenticates the controller as an authorized RADIUS client. The pass phrase can be
alphanumeric and should be as long and as complex as practical.
4. Specify the RADIUS server port. By default, port 1812 is used for authentication and port 1813 for
accounting, but you will need to verify the port numbers with the RADIUS server administrator during the
setup process.

For most installations this is all the configuration that is required. However, there are other options that can be
implemented. For example, it is possible to pass MAC addresses as credentials. If the MAC address is being
used, you may need to change the MAC address delimiter to define the MAC address format, or the
Called-Station-ID type, which defines any additional information that may be passed with the MAC address.

One of the most common mistakes made when configuring wireless networks is not configuring the RADIUS
server itself. It is often forgotten that the RADIUS/NPS server requires the controller to be configured as a
RADIUS client before it accepts RADIUS requests.

In a complex environment you may use many sources of authentication. Therefore, you can add as many
RADIUS profiles as needed.

Wireless networks can be configured with multiple RADIUS servers for redundancy purposes. Again, in larger
environments, you would often have multiple RADIUS servers for redundancy.

Accounting and authentication do not need to be on the same server.

Profiles cannot be deleted while in use. If a RADIUS server profile is defined in a security or ESS profile, it is
not possible to delete it from the table until it has been un-configured.

Another commonly used profile is a VLAN profile. It controls the use of VLANs in the wireless network.

It is optional and only required if you want to send and receive (ingress and egress) traffic from a wireless
network to a wired VLAN.

VLAN profiles are required only if you are using tunnel mode wireless networks. Traffic in bridge mode
networks is sent and received from the AP wired interface directly and uses a slightly different configuration
option.

You must ensure that the VLAN that you are using is tagged to one of the logical network ports of the
controller.

VLANs are usually Layer 2 constructs, so you don’t need an IP address to use a VLAN. However, because the
controller performs some Layer 3 functions, such as proxy ARP, you do require an IP address for the controller
in the VLAN.

This IP address should be valid in the VLAN subnet and not a special IP address such as a gateway, network,
or broadcast address.

These are the steps to configure a VLAN profile:

1. Define the profile name – For ease of use, it’s best to include the tag number and the purpose of the
VLAN in the profile name.

2. Specify the tag number – The controller uses the tag number to tag and identify traffic.

3. Specify the controller interface where traffic will ingress and egress – There can only ever be two logical
interfaces: the default is the first (index 1), and a second is available only when you have set it up.

4. Enter the IP address and gateway – You cannot create a VLAN profile without a valid IP address. Do not
use a broadcast or gateway IP address, use a valid, unused address in the subnet.

It is possible to control DHCP traffic that flows from the wireless clients to the wired VLAN. In most cases, you
would allow the normal wired network DHCP server to service the DHCP clients in the VLAN. However, if it is
required, it is possible to override which DHCP server is used by wireless clients.

To override the DHCP server:

• Turn on the Override Default DHCP Server flag.
• Specify the alternate IP address to be used.
• Turn off DHCP Relay Pass-Through.
• Click Save.

To limit broadcast traffic in an IP network, subnet sizes are typically kept quite small, usually a class C or /24
mask. ESS profiles can have only one VLAN profile assigned to them. This can limit the number of clients that
connect to the wireless network.

It is possible to configure a larger VLAN, but the increase in broadcasts can cause performance issues.
Instead of using individual VLANs, it’s possible to define a VLAN pool. A VLAN pool is a collection of VLANs
that the controller uses when assigning clients to a network. The controller starts with the first VLAN listed
and, when that VLAN is full, it moves on to the second, third, and so on.

VLAN profiles must still be configured before you can define a VLAN pool. A VLAN pool can contain a
maximum of 16 VLANs.

To configure a VLAN pool profile:

1. From the configuration capability, select VLANPOOL.
2. Click Add.
3. Enter a profile name.
4. Enter the tag number of the VLANs you want to add to the pool.
5. Click Save.

VLAN pools cannot be used with bridged networks.
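
As an added example, not the controller’s own code, the following Python models the VLAN profile address rules from the earlier slides (controller IP inside the subnet and not the network, broadcast or gateway address) together with the pool behaviour described here (fill the first VLAN, then the next, up to 16 VLANs). The subnets, tags, capacity arithmetic and client MAC addresses are constructed for the illustration.

```python
import ipaddress

MAX_POOL_VLANS = 16  # VLANs per VLAN pool, as stated in these notes


class VlanProfile:
    """Model of a VLAN profile: tag, subnet, controller IP and gateway.

    The address rules follow the notes: the controller's IP must be a valid,
    unused address inside the VLAN subnet, not the network, broadcast or
    gateway address. (Constructed model, not the controller's own checks.)
    """

    def __init__(self, name, tag, subnet, controller_ip, gateway):
        if not 1 <= tag <= 4094:
            raise ValueError(f"{name}: VLAN tag {tag} is out of range")
        self.name, self.tag = name, tag
        self.net = ipaddress.ip_network(subnet)
        ip, gw = ipaddress.ip_address(controller_ip), ipaddress.ip_address(gateway)
        for label, addr in (("controller IP", ip), ("gateway", gw)):
            if addr not in self.net:
                raise ValueError(f"{name}: {label} {addr} is not inside {self.net}")
            if addr in (self.net.network_address, self.net.broadcast_address):
                raise ValueError(f"{name}: {label} {addr} is the network or broadcast address")
        if ip == gw:
            raise ValueError(f"{name}: controller IP {ip} must not be the gateway address")
        self.controller_ip, self.gateway = ip, gw
        # Addresses left for clients once network, broadcast, gateway and the
        # controller's own address are taken; a /24 therefore holds 252 clients.
        self.capacity = self.net.num_addresses - 4
        self.clients = []

    def is_full(self):
        return len(self.clients) >= self.capacity


class VlanPool:
    """Model of a VLAN pool: clients fill the first VLAN, then the next, and so on."""

    def __init__(self, name, profiles):
        if not 1 <= len(profiles) <= MAX_POOL_VLANS:
            raise ValueError(f"{name}: a pool holds 1 to {MAX_POOL_VLANS} VLANs, got {len(profiles)}")
        self.name, self.profiles = name, list(profiles)

    def capacity(self):
        return sum(p.capacity for p in self.profiles)

    def assign(self, client_mac):
        """Return the tag the client lands in, or None when every VLAN is full."""
        for profile in self.profiles:
            if not profile.is_full():
                profile.clients.append(client_mac)
                return profile.tag
        return None


def demo_pool(n_clients=300):
    """Constructed sample: 300 staff clients against a pool of two /24 VLANs,
    more than a single /24 can hold. Returns {tag: clients placed in it}."""
    pool = VlanPool("staff-pool", [
        VlanProfile("vlan10-staff", 10, "10.10.10.0/24", "10.10.10.2", "10.10.10.1"),
        VlanProfile("vlan11-staff", 11, "10.10.11.0/24", "10.10.11.2", "10.10.11.1"),
    ])
    counts = {}
    for i in range(n_clients):
        mac = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"  # locally administered, constructed
        tag = pool.assign(mac)
        counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    print(demo_pool())  # {10: 252, 11: 48}
```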

Captive portal profiles are optional and are used mostly on guest networks. Captive portal profiles allow the
configuration of a wireless network where users are isolated from network access until they enter a username
and password on a webpage. Once authenticated, users are unblocked and allowed to pass traffic.

Captive portal profiles are commonly used in public areas that offer Internet access. There are two types of
captive portal profile configuration:
• In an internal configuration, the captive portal web page is hosted on the controller and the controller captures
and authenticates traffic.
• In an external configuration, a device other than the controller hosts the web page.

Multiple captive portal profiles are allowed. The profile controls the settings applied to the portal, such as how
users are authenticated and timeouts.

The captive portal web page is separate from the captive portal profile. It is possible to have up to eight
captive portal pages. The controller will present a page based on the IP subnet of the client, not based on
which captive portal profile is in use. An example of the default captive portal page is shown on this slide. You
can edit a custom portal web page, but you should have knowledge of creating and editing HTML to do this.

The controller presents the captive portal webpage using a built-in web server. To protect the user names and
passwords, the default web page is an encrypted HTTPS page. By default, the built-in web server uses a
self-signed web certificate, which generates a certificate warning when the client opens the web page. If
you are planning to use a captive portal and present it to non-technical end users, it is best practice to use a
certificate signed by a public CA to prevent certificate warning messages.

These are the steps to configure a captive portal profile using local authentication:
1. Define a profile name.
2. From the Authentication Type drop-down menu, select local.
There are two methods for authentication. Here we are configuring local authentication. In local
authentication, the user database is located on the controller.
3. Configure optional settings in the Advanced Settings section, as required:
• Session Timeout: Defines the amount of time a user can be logged in to the captive portal before
being logged out. It allows a simple time limit for captive portal users, which can be useful in a
guest environment.
• Activity Timeout: Defines how long the session can be inactive before being logged out. Users can
potentially log on to the portal, use it, and then leave without logging out of the portal. The session
is logged out after a number of minutes of inactivity.
• Session Caching Time: Defines the number of minutes that the controller remembers or caches
the user credentials entered on the web page. This prevents the user from being asked to supply
a username and password in the event of a temporary disconnection from the network. For
example, if you set this setting to one minute, it allows the user to disconnect and reconnect
within a minute and not be asked to re-authenticate.
• CNA bypass: This option is specifically for Apple wireless clients. Later versions of iOS attempt
to contact an Apple server on the Internet when logging on to a wireless network. By default,
the captive portal prevents this, which can cause issues when Apple clients are authenticating.
The CNA bypass setting allows clients to access only that Apple server without authentication.
This allows the captive portal to work in the correct way with iOS-based clients.

If you are using local authentication, you need to create the guest users in the local database on the
controller. The database is empty by default but can contain up to 300 users. It is managed manually: users
have to be added and deleted by a network administrator.

There is no simple receptionist-type interface for a non-technical user. Users can be added only through the
standard web interface.

To add a local user to the database:

1. In the Configuration tab, navigate to Security > Guest Users. You’ll find an empty table where you can
add users.
2. Click Add.
3. Enter a username and password. There are no complexity requirements for the password.
4. Set a start and stop date. This controls the period in which a user can log in. If the user logs in between
the start and stop times, the user is not forcibly logged off when the stop time is reached. Only
when the session times out, or when the user logs out and then tries to log in again, does the login fail.

Note: The times that you enter here are referenced to the controller’s clock. The times entered may need to be
offset to match the user’s time zone.

It is also possible to authenticate the captive portal against a RADIUS server. The same captive portal page is
used; however, instead of being checked against the local database, the credentials are sent to the RADIUS server.

These are the steps to configure a captive portal profile using RADIUS authentication:
1. Enter a profile name.
2. From the Authentication Type drop-down menu, select radius.
3. Select the local-radius option when you want to use a combination of local and RADIUS authentication: the
local database is checked first, followed by RADIUS authentication.
4. Define primary and secondary authentication servers.
5. Optionally, define primary and secondary accounting servers.

There is no limit to the number of users that can be authenticated by a RADIUS server. Additional settings are
available, if required.

Now you can define the core configuration profiles that will publish the wireless network, starting with the
security profile.

There is a default security profile that comes from the factory. It is generally best practice to leave this
profile in place and not use it.

For any new networks, it is best to create dedicated profiles.

These are the steps to configure a security profile:

1. Define a profile name. It should describe the purpose of the security profile and the authentication type
being used.
2. From the Security Mode drop-down menu, select a security mode. For nearly all modern networks, one
of these three options is used:
• Clear: This is the least secure mode. It defines an open network, meaning there is no requirement to
enter credentials, keys, or any other type of password to gain access. Very few networks are
published as completely clear networks. Clear networks are often broadcast in conjunction with
captive portal authentication, to control access in a guest environment.
• WPA2 PSK: This is the most commonly used security mode for small networks that have no central
source of user identity or authentication. Instead, a preshared key is used. The key is configured in
the controller and then at the client. The client uses the key as an identity and to encrypt traffic with
the latest, most secure encryption algorithm. This mode is more secure than clear mode, but,
because the key is shared among multiple users, it is not easy to control which user has access to
the network. This mode is also commonly used in home-based wireless networks. Use of preshared
key authentication should be avoided in Enterprise.
• WPA2 Enterprise: This is the most commonly used protocol for Enterprise environments. It uses a
central identity source to authenticate users through RADIUS. This provides tight control over who
has access to the network, and the ability to allow or deny access on the basis of user identity. It
also provides the ability to pass additional information with the RADIUS response. For example,
a VLAN or firewall policy can be supplied in the response, allowing the controller to place the user in a
particular VLAN or apply a particular firewall policy.

There are many other options available in the list, which are there mostly for backwards compatibility with
clients that are unable to support the latest security standards. These modes are not secure and should only
be used in exceptional circumstances.

There are common options that are available across all security profiles.

All security profiles can have captive portal authentication. Sometimes a WPA2-PSK network is also
authenticated using a captive portal. If you want to use captive portal, you must designate a device in your
network to present a captive portal page. You have two options when selecting a device. You can choose
internal, which configures the FortiWLC to host the captive portal page. Your other option is external, which
allows another device in your network to host the captive portal page.

You can also apply a MAC filter to any type of network. This allows clients to be granted or denied access
based on their wireless MAC address. The MAC addresses can either be stored as a static list on the
controller or can be authenticated using a RADIUS response.

You can also apply a QoS and firewall policy to any clients that connect using the security profile. The
QoS and firewall policy can be applied statically, by specifying the firewall filter ID, or dynamically by
RADIUS, as long as the network is RADIUS-authenticated.

You also have the ability to log any connection attempts using the security policy. Enabling security logging
causes the controller to insert additional log events into the Syslog. These logs can be useful when trying to
troubleshoot authentication problems.


The easiest security profile to create is one for open networks.

Open networks are not authenticated or encrypted. Traffic can be easily intercepted and is subject to
eavesdropping.

It is a simple configuration. You simply define a security profile name and select open as the security mode.
No other settings are required.


The next most complicated security profile is one that defines a captive portal authenticated network.

On captive portal networks, all traffic is unencrypted; however, you have the option to authenticate the
network using the credentials entered in the captive portal web page presented when the user connects to
the network.

Set the security mode to open and select WebAuth as the captive portal.

You can now select the captive portal profile that was defined earlier. Then you need to decide whether an
internal or external device hosts the web pages.


The same process is applied to a preshared key network.

All traffic on PSK networks is authenticated and encrypted.

When you select WPA2 PSK/CCMP-AES from the Security Mode drop-down menu, you can enter a
preshared key.

When you enter a key, it:

• Must be a minimum of eight characters
• Must not contain any spaces
• Can contain numbers
• Can contain a mix of uppercase and lowercase characters. A mix is recommended.

Generating good preshared keys is difficult. They should be long and complex to minimize the chance
of compromise, but they also need to be usable by end users.

Alternatively, you can use a 64-character hexadecimal string, if required.
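An added example (Python, not code from the guide or from FortiWLC) that checks a candidate key against the rules listed above, generates a key that satisfies them, and shows why the 64-character hexadecimal alternative exists: under WPA2 the passphrase and SSID are run through PBKDF2-HMAC-SHA1 to produce a 256-bit PMK, which is exactly that 64-hex-digit string. The function names and the sample SSID are assumptions.

```python
import hashlib
import re
import secrets
import string
from typing import List, Tuple

# A 64-hex-digit key is the raw 256-bit PMK rather than a passphrase (standard WPA2 behaviour).
HEX_KEY = re.compile(r"^[0-9a-fA-F]{64}$")


def check_psk(psk: str) -> Tuple[List[str], List[str]]:
    """Check a candidate key against the rules the guide lists.

    Returns (errors, warnings): errors break the rules the controller enforces
    (at least eight characters, no spaces); warnings cover the recommendation
    to mix uppercase and lowercase. A 64-character hexadecimal string is
    accepted as-is.
    """
    if HEX_KEY.match(psk):
        return [], []
    errors: List[str] = []
    warnings: List[str] = []
    if len(psk) < 8:
        errors.append("shorter than eight characters")
    if " " in psk:
        errors.append("contains a space")
    has_upper = any(c.isupper() for c in psk)
    has_lower = any(c.islower() for c in psk)
    if not (has_upper and has_lower):
        warnings.append("no mix of uppercase and lowercase characters")
    return errors, warnings


def generate_psk(length: int = 20) -> str:
    """Generate a random passphrase of letters and digits that passes check_psk
    with no errors and no warnings. Uses the secrets module (CSPRNG), so the
    result is fit for use as a real key, unlike random.choice()."""
    if length < 8:
        raise ValueError("a preshared key must be at least eight characters")
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if check_psk(candidate) == ([], []):
            return candidate


def derive_pmk(passphrase: str, ssid: str) -> str:
    """Derive the WPA2 pairwise master key as a 64-character hex string.

    WPA2 uses PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations and a
    256-bit output; this is the value a controller accepts when you enter a
    64-hex-digit key directly. The same passphrase yields a different PMK on a
    different SSID, so a key is not reusable across networks by guessing.
    """
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                              ssid.encode("utf-8"), 4096, dklen=32)
    return pmk.hex()


if __name__ == "__main__":
    key = generate_psk()
    print("generated key:", key, check_psk(key))
    # "CorpNet" is a sample SSID, not a value from the guide
    print("PMK for CorpNet:", derive_pmk(key, "CorpNet"))
```

The PMK assertion below uses the IEEE 802.11i reference vector (passphrase "password", SSID "IEEE").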


Traffic in enterprise networks is fully authenticated and fully encrypted. It is, by far, the most preferred network
type, if you have the infrastructure to support authentication.

When you select WPA2/CCMP-AES from the Security Mode drop-down menu, additional RADIUS server
profile options appear.

You will specify the primary RADIUS server authentication profile as one of the profiles you created earlier.
You also have the option to specify a secondary RADIUS profile, if required.

Other settings do not need to be adjusted.


Once the security profile is complete, you can configure the ESS profile. The ESS profile table is empty by
default and you can add an ESS profile.

To create a profile, you must define a useful profile name. The profile name should include the SSID that it will
broadcast. On a network that has multiple AP families, it is also recommended to include the family of APs
that will be in the ESS AP table.


There are mandatory settings that you need to configure to create a new ESS profile.
• Define the SSID that will be broadcast.
• Select the security profile that you want the network to use. By default, the factory supplied open network
is used.
• Define the RF Virtualization mode. The drop-down menu contains options for: virtual cell, virtual port, and
native cell.

Virtual cell is the default virtualisation mode. This is the shared BSSID mechanism that allows proper
operation of single channel networks. All modern FortiWLC APs support virtual cell.

The virtual port option is used for older APs. It is a variation on the shared BSSID mechanism that still works
with a single channel. It is not supported on any currently shipping APs and is used only on the older AP300
and AP400 series.

The final option is native cell. This configures each AP interface with its own BSSID, effectively turning the
network into a traditional microcell network.

The use of virtual port and native cell networks is not covered in this course, because they are unusual options
that are not commonly used.

Once the base options are complete, click Save. This activates the configuration on the controller
immediately, and the wireless network is broadcast from all AP interfaces.


Now that the ESS profile is complete, you can make changes, if needed. However, it should be noted that you
can’t change the SSID or the profile name once they are created. If you need to change either, you need to
delete and recreate the profile.

If the network is RADIUS-authenticated, you can select an accounting server, if required.

You can also define the network to be a tunnelled or bridge network, and specify the VLANs to be used.

There are many other settings and advanced options that you can set. Many of them relate to the network
operation, such as connection rates, beacon intervals, and SSID visibility. You should change these
settings only when necessary.


When you create an ESS profile, it is created as a tunnelled mode network by default.

This means, by default, that traffic from the wireless network defined by the ESS profile ingresses and
egresses from interface one on the controller, without any VLAN tags attached.

If you want to ingress and egress traffic to a VLAN in tunnel mode, ensure that the dataplane mode is
configured as tunnelled.

If you select Configured VLAN Only from the Tunnel Interface Type drop-down menu, you have the option
to select the VLAN profile. This means that any traffic entering or leaving the wireless network will be tagged
with the VLAN information specified by the profile. This is sometimes referred to as static VLANs.


Using the RADIUS VLAN Only option requires that the network is RADIUS authenticated and that the
RADIUS server returns a RADIUS attribute called Tunnel-Pvt-Group-ID.

This is a standard RADIUS attribute that can be configured on most RADIUS servers. It allows the RADIUS
server to pass back a VLAN tag to use.

The tag that is passed back must have a matching VLAN profile on the controller.

This flexibility allows individual users to be assigned to different VLANs while still joining the same wireless
network, and is commonly referred to as dynamic VLANs.


The RADIUS And Configured VLAN option combines static and dynamic VLAN allocation. The controller will
first look for a VLAN to be passed back by the RADIUS server. If none is passed back it will fall back and use
the static option instead.

The final option is to specify a VLAN pool, if one has been configured. The client is assigned the first available
IP in the pool of VLANs.


When you select Bridged from the Dataplane Mode drop-down menu, the network operates in bridged
mode; the traffic ingresses and egresses at the AP interface, rather than the controller interface, and the
traffic is untagged.

To have the traffic go to a VLAN instead, change the selection in the AP VLAN Policy drop-down menu.
The first option listed in the drop-down menu is Static VLAN Only; however, rather than choosing a VLAN
profile, you simply specify the tag number. For bridged VLANs, there is no requirement for the controller to
know about that VLAN, so no profile is required.

You need to ensure that the VLAN is tagged to the network port of all APs that are going to advertise the
wireless network.


The RADIUS VLAN Only option relies on the network being RADIUS authenticated and returning the Tunnel-
Pvt-Group-ID RADIUS attribute.

The RADIUS And Static VLAN option combines both modes.
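As an added example (Python written for this page, not FortiWLC code), the VLAN selection rules described for the tunnelled and bridged ESS profile options above, modelled as one decision function: the RADIUS options require a RADIUS-authenticated network, the combined options fall back to the static VLAN when the server returns nothing, and in tunnel mode the returned tag must have a matching VLAN profile on the controller. The drop-down names are the guide's; the function names, the attribute-value validation and the rejection of a returned tag with no profile are assumptions.

```python
from dataclasses import dataclass
from typing import Mapping, Optional, Set, Tuple

# Drop-down values as the ESS profile presents them for each dataplane mode.
TUNNEL_POLICIES = {"Configured VLAN Only", "RADIUS VLAN Only", "RADIUS And Configured VLAN"}
BRIDGE_POLICIES = {"Static VLAN Only", "RADIUS VLAN Only", "RADIUS And Static VLAN"}

# The guide calls the attribute Tunnel-Pvt-Group-ID; Tunnel-Private-Group-Id is the
# RFC 2868 dictionary name most RADIUS servers use. Both spellings are accepted here.
VLAN_ATTRIBUTES = ("Tunnel-Pvt-Group-ID", "Tunnel-Private-Group-Id")


@dataclass
class VlanDecision:
    tag: Optional[int]            # VLAN tag to apply; None means untagged traffic
    error: Optional[str] = None   # set when the client cannot be placed: log it and reject


def radius_vlan_tag(radius_attrs: Mapping[str, str]) -> Tuple[Optional[int], Optional[str]]:
    """Return (tag, problem) from the RADIUS Access-Accept attributes.

    (None, None) means the server returned no VLAN. A value that is not a VLAN
    number (1-4094) is reported as a problem rather than silently ignored, so a
    misconfigured RADIUS policy shows up in the logs."""
    for name in VLAN_ATTRIBUTES:
        if name in radius_attrs:
            raw = str(radius_attrs[name]).strip()
            if not raw.isdigit() or not 1 <= int(raw) <= 4094:
                return None, f"{name}={raw!r} is not a usable VLAN tag"
            return int(raw), None
    return None, None


def select_vlan(dataplane: str, vlan_policy: Optional[str], radius_authenticated: bool,
                radius_attrs: Mapping[str, str], vlan_profiles: Set[int],
                static_vlan: Optional[int] = None) -> VlanDecision:
    """Decide which VLAN a client's traffic is tagged with under the ESS profile rules.

    dataplane:     "Tunnelled" (traffic leaves interface one of the controller) or
                   "Bridged" (traffic leaves the AP's network port).
    vlan_policy:   one of the drop-down values above, or None for untagged traffic.
    vlan_profiles: tags for which a VLAN profile exists on the controller (tunnel mode).
    static_vlan:   tag of the selected VLAN profile (tunnel) or the tag number typed
                   into the profile (bridged)."""
    if vlan_policy is None:
        return VlanDecision(None)
    allowed = TUNNEL_POLICIES if dataplane == "Tunnelled" else BRIDGE_POLICIES
    if vlan_policy not in allowed:
        return VlanDecision(None, f"{vlan_policy!r} is not a {dataplane} VLAN policy")

    uses_radius = vlan_policy.startswith("RADIUS")
    if uses_radius and not radius_authenticated:
        return VlanDecision(None, f"{vlan_policy!r} requires a RADIUS-authenticated network")

    tag: Optional[int] = None
    if uses_radius:
        tag, problem = radius_vlan_tag(radius_attrs)
        if problem:
            return VlanDecision(None, problem)

    if tag is None:
        if vlan_policy == "RADIUS VLAN Only":
            return VlanDecision(None, "RADIUS server returned no VLAN and the policy has no static fallback")
        tag = static_vlan   # Configured/Static VLAN Only, or the combined policy's fallback
        if tag is None:
            return VlanDecision(None, "no static VLAN configured in the ESS profile")

    # Tunnelled traffic egresses at the controller, so the controller must know the VLAN:
    # a matching VLAN profile is required. Bridged traffic leaves at the AP, so no profile
    # is needed; the VLAN only has to be tagged on the AP's switch port.
    if dataplane == "Tunnelled" and tag not in vlan_profiles:
        return VlanDecision(None, f"VLAN {tag} has no matching VLAN profile on the controller")
    return VlanDecision(tag)
```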


Good job! You now understand how to configure a wireless network.

Now, you’ll examine how to control where wireless networks are broadcast.


After completing this section, you will know how to control where wireless networks are broadcast.


When you create a wireless network using the default settings, all the APs in your network will broadcast the
network defined by the ESS profile. If you need to broadcast networks in specific geographical areas, you can
do this by editing the ESS AP table. The ESS AP table is not present when you first configure the ESS profile.
It appears after you save the profile.


Select the ESS profile that you want to edit.

You can click Edit or click the Edit (pencil) icon.

When the profile opens, you will see two additional tabs in the interface: the ESS-AP Table tab and the
Security Profile tab.

If you select the Security Profile tab, you can edit the security profile, if required.


When you click the ESS-AP Table tab, you will see a table that contains all of the interfaces that are currently
broadcasting the wireless network.

In this example, you have created a guest ESS profile and, by default, all of the available APs are included in
the table. However, you might want the guest network to include only the interfaces that broadcast in the
2.4 GHz range. Therefore, you need to remove any interfaces that are not required to broadcast the SSID.

The search function can be extremely useful in situations like this. Instead of manually finding and selecting
each interface that needs to be removed, you can use the search field. In this example, you search on the
interface field by typing 2. The search results show all of the interfaces with an interface index of 2. These are
the 5 GHz interfaces. Once you have searched for and found those interfaces, you can delete them, leaving
only the 2.4 GHz interfaces.

This results in only the 2.4 GHz interfaces broadcasting this SSID.


Adding is simply the reverse process.

Clicking the Add button shows a table containing all of the radio interfaces that are not assigned to that AP
table. Again, the search options can be used to find the interfaces to add.

It should be noted that giving your APs a name that reflects their location, the AP model, and their radio
configuration can make life much easier and also minimizes the possibility of mistakenly configuring the wrong
interface.


Good job! You now understand how to control where a wireless network broadcasts.

Now, you’ll examine how profiles are used for AP families.


After completing this section, you will understand how to configure profiles to support AP families.


An ESS profile can publish a wireless network; however, there are other uses for ESS profiles.

ESS profiles can also define:

• The single channel virtual cell architecture for a network
• Channel layered architectures, where additional virtual cells are deployed for extra capacity
• Channel stripes, where you need to reduce the AP neighbour count or install multiple types of AP family in
the same geographical location.

Channel layering is not covered in this course.


Differences in radio capability mean that APs from different families should not coexist in the same virtual cell.

For optimal performance, each AP family should exist in its own virtual cell. However, they still need to
advertise the same SSID.

This logical configuration is achieved by creating separate ESS profiles. This gives you two ESS AP tables to
work with, but you still configure the profile to transmit the same SSID and use the same security profile.

In the example shown on this slide, a group of AP822s provides a wireless network called CorpNet. In this
example, you are expanding the network by adding some higher specification universal APs. Because the
original APs are 802.11ac wave 1 and the new APs are wave 2, they cannot coexist in the same virtual cell. So,
you create a separate virtual cell by creating a new ESS profile and assigning the universal APs to the ESS AP
table of the new profile.

Both ESS profiles are configured to broadcast the same SSID and use the same security profile.


You can also use ESS profiles in scenarios where you want to deploy channel stripes. In installations where
you have a large open space that requires coverage, you find that each AP can see a large number of AP
neighbours. This can cause a reduction in performance. It can become a problem in scenarios such as
warehouses and exhibition or convention centres, where there are large amounts of open space and little to
block the wireless signals.

Spaces that are divided with walls will not have this problem because the range of the APs is reduced and the
neighbour count is reduced to an acceptable level.

Rather than deploy all of the APs in one ESS profile, you can deploy multiple ESS profiles in the stripe format.
In this example, the stripe divides the floor in two and instantly reduces the number of neighbouring APs.
Ensure that you name the ESS profiles properly to denote their purpose. In the example in this slide, the
names STR1 and STR2 indicate the stripe number, alongside the AP model and ESSID that is being used.

For best performance, it would be optimal to assign different channels to the APs in each stripe. This would
maximize reuse, particularly around the boundaries between the stripes. However, this may be practical only
if you have the channels to use. In many cases, using the same channels in each stripe is acceptable.


When you create ESS profiles, make the profile name as descriptive as possible. In the profile name, it is
useful to include:
• The SSID
• The family of the AP
• The stripe number, if using channel stripes
• The layer number, if using channel layers

You can clone an existing ESS profile by selecting the profile in the table and then clicking Add.

This results in the creation of a new profile that uses the selected profile settings as a template.
• You must ensure the same SSID is being broadcast.
• You must ensure the same security profile is used.

If you are creating complex ESS profile setups, it is a good idea to disable the New AP's Join ESS setting.
Disabling this setting before you create a profile results in an empty table, to which it is easier to add a
small number of APs, rather than a large table full of APs that you need to remove.

It also means that any new APs that are added to the system are not automatically added to the wrong profile.


Once you create an ESS profile you can edit it to ensure that the correct AP interfaces are in the correct ESS
profile table.

In the example shown in this slide, the correct APs are being added to an ESS AP table. The ESS profile
shown at the top of the slide must contain APs from the AP832 family. In the example, the table search
function was used to find and select the AP832 family APs.

The ESS profile shown at the bottom of the slide needs to contain only AP1020 APs.


Once you’ve completed your edits, you should have an AP table that contains only the interfaces that are
required.

If you look at the BSSID column of each table, you will see that all of the interface 1 radios of the APs share the
same BSSID, and all of the interface 2 radios share a second, separate BSSID.

The example shows that you have a single virtual cell in 2.4 GHz and a single virtual cell in 5 GHz.


Congratulations! You have completed this lesson.


This lesson covered the following objectives:

• Describe SD profiles and how to use them
• Configure a wireless network
• Control where wireless networks are broadcast
• Configure profiles to support AP families

Monitoring the Wireless Network


In this lesson, you will examine how to navigate the controller interface. You will also learn how to identify and
interpret the metrics that are important to the health of the wireless network.


In this lesson, you will explore the following topics:

• Core FortiWLC terminology and concepts
• Key wireless metrics and measures
• Network metrics
• Metrics on specific locations
• Metrics on clients
• Station tables


After completing this lesson, you should be able to:

• Understand basic FortiWLC terminology
• Understand how to gather and apply metrics
• Understand information storage


The equipment that connects to the wireless network might be called a station, client, or device; they all refer
to the same thing. You will see these terms used interchangeably throughout the interface.


In FortiWLC wireless networks, the component on the AP that transmits and receives radio signals is called a
radio or wireless interface. Both terms are used in the controller management interfaces.


When you look at the metrics and diagnostics of wireless interfaces, it is easy to think only about the radio
itself and that it has a retry rate or a percentage of channel utilization.

While this is true, retry rate and percentage of channel utilization indicate the quality and capacity of the air, or
RF, around the AP. This assessment also includes the clients that use the RF. Many of the measures you
take at the AP will also impact the clients.


Most of the metrics shown on the controller are measured from the APs or controller’s point of view.

When an AP transmits network traffic to, and receives traffic from, a client, the controller shows the rate of
frame retry and loss that the AP experiences when it transmits to the client.

The client is subject to the same RF environment, and is likely to have as much difficulty, if not more,
transmitting traffic back to the AP. The client’s retry and loss rates are usually greater than the AP’s because its
transmit power is lower than the AP’s, and as a result it is more susceptible to interference.

The AP can’t measure the client’s transmit loss and retry rates directly. Only the client’s network card can
measure this. There is no way for these metrics to be sent back to the wireless network. Often the client’s
operating system doesn’t report these metrics to the end user. Usually, the client must install a tool designed
specifically to capture these metrics.

Regardless, you can learn a lot about the client’s wireless experience from the metrics gathered on the
controller.


It is important to understand how much information is stored on the controller.

The controller makes sure the frames transmitted to and from the wireless clients reach their destination
successfully. The controller also makes sure the wireless network is configured and functioning correctly. To
do this, the controller collects and displays a very large amount of information in real-time. However, the
controller has limited storage and, therefore, limited memory.

Depending on the number of clients and the size of the network, the amount of information the controller
stores can vary from a few hours' worth of information in the case of a smaller network, or a few minutes’
worth of information in the case of a much larger network. There are exceptions, which are covered later in
this lesson, because some types of information can be stored longer.

There is a partner product available that provides the ability to remember the history of the network, called
FortiWLM. It is an optional product, deployed as a separate appliance. The network manager functions as a
central point of enterprise management and monitoring, and can support multiple controllers. The network
manager can store substantially more information about the wireless network than the controller. You can
configure the controller to send regular packages of information to the network manager about the status of
the network. The network manager then stores the information in its central database. It is possible to store
more than a year’s worth of data about a wireless network, but this varies depending on the activity and the
size of the wireless network.


Good job! You now understand core FortiWLC terminology and concepts.

Now, you will examine key wireless metrics and measures.


After completing this lesson, you should be able to:

• Describe the key metrics and measures used to assess wireless networks
• Describe the recommended limits for various metrics
• Understand possible causes for poor performance


The important measures belong to two broad categories—wireless health and wireless capacity.

Wireless health includes measures of factors that affect connection reliability, such as getting or staying
connected to a wireless network. It is a measure of how healthy the RF is around a specific interface.
Wireless health assesses how well wireless frames are being transmitted from the APs to the clients. You can
check wireless health by looking at the retry and loss rates when transmitting frames, the ambient channel
noise measured by the interface in a specific area, the signal strength of the client, and the link rates that the
client is using.

Wireless capacity measures factors that affect the capacity of the interface and the channel capacity around
the interface. It is a measure of channel utilization (how busy the interface and the spectrum are) and of the
number of clients on an interface. The retry rate can also indicate that the collision rate is high, which can
occur when there are large numbers of clients in the network; again, this is a capacity measure.

A number of metrics are relevant to both categories, however, some are more important than others.


The retry rate is the percentage of data frames the AP interface has to retransmit to a client. As you have
seen, wireless is a half-duplex environment, meaning that stations and interfaces, like walkie-talkies, can only
transmit or receive at any one time. As a result, an interface can’t tell if a transmission it has just made has
been received by the target client successfully. The interface relies on the target client sending an ACK, or
acknowledgement, frame. An ACK frame is sent by the receiving radio to tell the sender that it received and
decoded the frame successfully. If the sending client or AP radio does not receive an ACK frame, it assumes
that the transmission was not received successfully and then retries the transmission. Each frame it retries
has a flag set in the frame to indicate that it is a retry frame. The retry rate is the percentage of the frames
sent by the AP interface that are retry frames.

Retries are usually caused by collisions between transmissions of radios. These radios can be in other clients
associated with the same AP, or the radio in the AP itself; however, neighbouring APs and clients can
also generate collisions if they are within range. Retries can also be caused by interfering transmissions from
non-wireless LAN transmitters, such as garage door openers, cameras, baby monitors, and microwaves.
Depending on the amount of time these devices transmit, known as the duty cycle, they can cause a small or
large number of frame retries.

Because the same piece of data is being repeatedly sent, retry frames use airtime that could have been used
for other wireless transmissions. The net result is that less data is going through for the same amount of
airtime.

All wireless networks should expect to have a small retry rate—it is an inevitable consequence of the way
wireless devices access media.

The most important measure is the proportion of retry frames to successfully received frames.


Loss is an extension of retry. When an AP is struggling to send a frame to a client, it will retry a fixed number
of times. If the AP still fails to transmit the frame successfully, it will assume that there is a problem with the
frame and discard it, and then attempt to send the next frame. Any data that was contained in the discarded
frame is lost. It is then the responsibility of the application sending the data to handle the error. In the case of
web traffic, a user may need to refresh the webpage to force a reload, or, in the case of a file copy, the
operating system may need to resend a block of data.

In a very busy or noisy wireless network, it is not unusual to see loss, but in an ideal scenario, the network would
not lose any data at all. It is preferable to keep loss rates as low as possible.

High loss rates are a prime indicator that your wireless network in that location is having significant trouble
sending frames and should be investigated.


The AP interfaces are constantly monitoring the wireless channel they are tuned to. One of the things an
interface does when it is not servicing clients is take a measurement of the noise floor. Ambient channel noise
is a measure of the background wireless signal that the radio cannot interpret as a wireless LAN signal. To a
radio, any signal that comes from another device sounds like radio static sounds to a human. Ambient
channel noise is generated by many different sources that can interfere with a network. The higher the level of
noise, the lower the signal to noise ratio (SnR); this can affect the ability of both the AP and the client to send a
frame. Often both the client and AP radios will respond to the decrease in SnR by reducing the connection’s
link rates. This can result in an acceptable signal strength but an unusually low link rate, indicating that there is
potentially a noise issue.

Because the interface is not a dedicated spectrum analyser, this measure is only an estimate. However, it is a
very important indicator of potential interference in a specific area of the network. Such interference would
cause significant issues with the network if it was both powerful and frequent (high duty cycle).


The controller maintains a list of the receive signal strength (RSSI) for all clients. RSSI is measured by the AP
of each client as transmissions occur. It is not a measure taken by the client of the AP signal strength, which
arguably is more important because the majority of data is downstream.

However, it is still possible to infer that the downstream signal strength is somewhat stronger than the
upstream signal strength. In general, the transmission power of the AP is somewhat higher than the
transmission power of the client, so it is reasonable to expect that the client’s signal strength is somewhat less
than the signal of the AP.

The lower the signal strength, the lower the ability of the radio to use higher modulation rates. The lower those
rates, the lower the connection performance of the client. Low signal scenarios can occur for a number of
reasons. Most commonly, someone is trying to use the wireless network from a location that was never
designed to support wireless devices. As a result, they are simply standing too far away from the AP. At that
point, the user must choose to either move to a location that is designed to be supported by the wireless
network or, if the location warrants it, install a new AP to improve the signal strength.

Low signal strength may also indicate that an AP has stopped running. The network is designed with overlap
to allow for RF redundancy. In the event of an AP failure, there is usually another AP within range even if it
has a much lower signal strength. The result is that the client will associate with that other AP, but will appear
as a low signal strength client.

In a more complex RF environment where native cell virtualisation or channel stripes are in use, a client might
maintain a connection to the original BSSID. After the client moves to another location, they remain “stuck” to
the original AP, and are known as a sticky client. In these types of design scenarios, low signal strength
stations can be a fact of life. It may not be possible to eliminate low signal strength stations completely, but it
is possible to monitor the number of devices that are poorly connected.


TX and RX rates show the data rates that are being used by the AP, which is the TX or transmit rate, and
client, which is the RX or receive rate. Both are us is closely linked to signal strength—they often go hand in
hand, but are also impacted by other factors. The AP keeps a record of the link rates used when transmitting
to and from each associated client. The ultimate aim for all wireless implementations is to ensure that the link
rates are as high as possible for clients. A high link rate means that both the signal strength and the signal
quality are good. Because it is possible to measure the upstream link rate directly, this is a great way to check
if the client is suffering from RF issues.

The higher the link rates, the faster data is transferred and the less air time is used for transmissions. This not
only ensures high performance for the client, but also allows maximum opportunity for other clients to transmit
as well, improving their overall performance. The link rates are calculated by the wireless chipset, based on
signal strength, the SnR and the retry and loss rate of frames. A client might have very good signal strength
but a low link rate, which could indicate that the noise floor is higher than is optimal because the SnR is
potentially quite small. This prevents the client from using the upper link rates regardless of how strong the
signal is. The frame retry and loss rates will also cause a lower connection rate. If either the client or the AP
radio is struggling to send frames, for example, when there is a large number of collisions due to stations on
neighbouring APs, the radio can reduce its link rate to attempt to make transmissions more reliable.

Lower link rates may also indicate that the wireless client might be an older client and, as such, might only
support older wireless standards where the link rates are a lot lower. For maximum efficiency, it is often
worthwhile to ensure that these older clients are replaced as soon as possible with newer-standard clients that
support more efficient link rates. Finally, upstream link rates can be reduced when a client enters power save
mode. Many handheld devices will aggressively reduce link rates when they are not transmitting data because this
can save significant amounts of battery power. However, this does make the client appear as if it is having a
poor experience because the signal strength is often strong. Lower link rates are relevant in this scenario
when you can see that the client is transmitting data. The radio should be trying to attain the highest link rates
possible and the fact that it isn’t indicates that the client might have an RF issue.

Channel utilization is the primary indicator of capacity around an interface. The AP is constantly monitoring
the amount of wireless traffic it can decode in the channel and providing a measure. It is not only accounting
for traffic transmitted by its own clients, but it is also accounting for other wireless traffic in the channel,
which could be coming from neighboring APs and wireless clients not associated with your wireless network.
The neighboring APs and wireless clients still use capacity and your network cannot transmit data while those
other transmissions are occurring.

The higher the channel utilization, which is measured in percent, the less the spare airtime that is available.
Channel utilization is the most important indicator of wireless capacity.

High channel utilization is usually caused by a high number of station connections, but can also be caused by
a smaller number of stations transmitting a large amount of traffic. It does not matter if the stations and APs are
your own or if they are neighboring devices.


Another critical metric for your wireless interface is the associated client count. Association count is a
measure of the number of clients associated with each interface. A high client count will always affect
performance, but the applications in use and the types of clients also matter.

Many devices means many associations. A higher than expected count can be caused by a nearby AP that
stops running, or an unexpected mix of clients that prefer one frequency range over another.


Alongside access point client count, it is also important to consider the station count for the whole controller.
The management and monitoring of clients in a virtual cell environment consumes resources at the controller,
which means that there is ultimately a limit to how many stations a controller can manage. Each controller is
rated for a maximum number of stations; when this limit is approached or exceeded, network performance can
be impacted. It is therefore important to monitor the overall client count on a controller on a regular basis.

Virtual cell also has a unique limit. The IEEE standard specifies a limit of 2007 clients per BSSID. Because a
virtual cell can extend a single BSSID across multiple radios, it is possible in some scenarios for that limit to
be reached. Microcell and native cell networks do not generally have this problem because each radio interface
has its own BSSID, and it is very unlikely that a single AP will ever have close to 2007 clients.

In the case of an overloaded controller, it is sometimes simply a case of the controller not being sized large
enough. It is also difficult to account for the increase in client count over years of use: inevitably, when you
have a wireless network that works, people bring more wireless clients to use it.

As your client count increases, particularly when you see client counts in the thousands, you will need to be
mindful of the configuration of your network. At some point you may find that you need to reduce the size of
your virtual cells to keep the client count within the 2007 limit.


Data throughput is an important metric when it comes to controller sizing because controllers are typically
limited by the amount of data they can process. If a controller is limited by the number of interfaces that it
uses, then certain types of wireless networks will quickly exhaust the throughput capability of the controller.
High throughput can be generated by a relatively small number of clients if those clients are transmitting a
large amount of data. Deployments with a large number of tunnelled networks also need to monitor data
throughput at the controller carefully.

AP interfaces also have a throughput measure. It is difficult to put a good or bad number on AP throughput
because so many factors can affect it. An AP that is transmitting a lot of data on the interface is an indication
that the AP is operating well.


When it comes to wireless health, an interface should have less than 10% loss and less than 50% retry. The
interface can experience temporary spikes above these rates but if the interface experiences consistent loss
or retry rates that exceed these levels, then there is an issue that requires investigation.

There is one major caveat. Loss and retry numbers are only valid when the interface is forwarding a
reasonable amount of traffic. If the wireless interface is very quiet, for example, sending only two frames and
then losing one, this can result in a retry rate of 50%. Because of the small amount of traffic being sent, this is
misleading. When you see these levels of retry or loss, you must evaluate the amount of data being
transferred. The interface should be forwarding at least 0.1 Mbps.

The lower the ambient channel noise, the better. Signal strength is measured in negative decibels: the larger
the negative number, the weaker the signal.

For noise, a signal weaker than -92 is considered optimal. A signal in the high -80s is acceptable. A signal in
the low -80s or -70s indicates significant interference that you should investigate using a spectrum analyzer.

The wireless network would have been designed and specified with a target signal strength for clients. You
should make sure that the majority of your clients have that minimum signal strength or greater.

It is not unusual to have a small number of stations that are weaker. For example, wireless devices enter and
leave buildings, which can cause small numbers of low signal strength clients to appear and disappear.

Ideally, you should see signal strengths of -64 or stronger.


When considering client count on AP interfaces, you should aim for approximately 30 clients per interface as a
general guide. This assumes that your clients are performing a mix of activities, including file and print and
video streaming. The network does not ‘break’ if you exceed this level; indeed, in many scenarios where clients
transmit less traffic it is eminently possible to have more than 30 clients per interface and still have the
network work perfectly well. This guide is generally considered optimal for a medium density network.

There are some exceptions. Some APs are designed to be used in an ‘in room’ scenario only, such as the
AP 122. As a result, the recommended client count for these in-room APs is around 10 clients per radio.

All APs have a maximum client count; the majority of FortiWLC-based AP interfaces are limited to 128 clients.
The interface will not connect more than its maximum rated count.

Channel utilization should not regularly exceed 75%. If it does, then you should investigate the source of the
utilization. If it is your clients that are generating the utilization, then you should consider adding capacity to
the network. If it is neighbouring clients and access points that are generating the channel utilisation, you may
want to consider changing your channel to avoid the busy channel.

Adding capacity to a virtual cell based network is very straightforward: if an area of the building is constantly
overloaded, then adding another channel layer can easily add capacity and improve the performance of the
network in that area.


Client count and data throughput are also relevant for controller capacity.

Because of the way single channel and virtual cells work, the controller must keep track of all clients. This
requires that there be a small amount of controller resources used for each client assigned at the controller,
which means that different controllers with different hardware capabilities will support different numbers of
clients.

These are not hard limits. The controller will not stop working if you exceed its rated capacity; however, you
should expect performance to degrade after you exceed this station count.

Likewise, the network interfaces at the controller also have limits. Different controllers have different numbers
and types of Ethernet ports. As a result, they can carry a limited amount of data. Some controllers can be
equipped with 10GbE interfaces, but most will have multiple gigabit interfaces. Ultimately, there is a limit for
networks that tunnel data back to the controller. Fully utilized interfaces won’t stop working but ultimately will
limit performance.


Good job! You now understand key wireless metrics and measures.

Now, you will examine how to collect them.


After completing this lesson, you should be able to:


• Gather metrics on network and controller performance
• Gather data over time for specific metrics


When you log in to the controller, the first screen that you see is the system dashboard. The
dashboard provides an overview of the status of your entire wireless network, including information about
controller capacity and load, station status, and network configuration.

The colour of the pie charts indicates if there are issues with the network. The graphs show the loading status
of your network, the table at the bottom of the screen provides information about the network configuration,
specifically where each of your wireless interfaces is broadcasting.

This is a dynamic webpage that displays statistics in near real time. The page updates automatically every 60
seconds, but you can update the dashboard manually if you need updated information sooner. You can’t
change the automatic update interval.

In mission-critical wireless environments, many administrators display the dashboard permanently on a
monitor in their network operations centre.


Trending graphs display at the top of the system dashboard. There are two graphs available, which can’t be
changed. Both graphs chart over a maximum of 24 hours, and record and update in intervals of 60 seconds.

One trend graph plots the station load separated into 2.4 and 5 GHz. The second graph plots throughput
across the controller, separated into transmit and receive.

These graphs cannot be exported, although they can be printed if captured appropriately. You can zoom in to
highlight areas of interest by clicking and dragging and, if you hover over points in the graph, you will see a
numerical value together with the time that statistic was collected.

The majority of information gathered by the controller is stored for only a limited period of time. The system
dashboard is where you will see station load and data throughput displayed over a maximum of 24 hours.

View these graphs first to discover if your controller is reaching capacity.


The distribution pie charts are located on the central pane. The information is updated every 60 seconds and
shows the metrics for the last 60 seconds.

Three pie charts are dedicated to station details, one pie chart is dedicated to controller alarms.

The station pie charts are broken down into:


• Number of stations by SSID – it’s possible to see how busy each wireless network is by looking at the size
of its section of the pie.
• Stations by RF band – this pie chart breaks down the different wireless technologies across the network
and makes it possible to easily identify any clients that might be using older wireless standards and
potentially slowing your network down.
• OS type – this pie chart makes it easy to identify the proportions of different types of client that you have in
your network. It analyzes the DHCP exchange for fingerprints used by common operating systems.

The alarms by severity pie chart displays any active alarms on your controller. The colour codes used in the
sections of pie make the severity of the alarm clear. For example, critical alarms display as red. So, a red
section of pie indicates that your controller has a significant issue. Critical alarms typically signify some form
of equipment failure.

On each of the pie charts, the sections are usually clickable. Click a section of pie to display a table that
contains more information.


Good job! You now understand network metrics.

Now, you will examine metrics on specific locations to help identify areas of the wireless network that might be
in trouble.


After completing this lesson, you should be able to:


• Gather RF and load metrics on specific locations in the network
• Focus on areas of the network that are experiencing issues


When you look at information about an interface on the AP, what you see is, in fact, information about the air
around the AP interface. Often, metrics gathered at the Radio Distribution Dashboard also affect the clients
around the interface.

The Radio Distribution Dashboard displays information about the entire population of interfaces on the
controller. Every interface of every AP is on the distribution dashboard. Dashboards make it very easy to
isolate and identify outliers—interfaces that are performing very poorly or very well. The status of an interface
is obvious from its position on the dashboard. Colour also indicates the status of an interface. Poorly
performing interfaces usually display as red or orange.

The Radio Distribution Dashboard shows the status of the AP interfaces now and in the last 60 seconds.
The dashboard updates automatically every 60 seconds, but you can manually refresh the screen sooner.

The key metrics for throughput and association, retry and loss, channel utilization, and management overhead
display on the dashboard.


Each measure is displayed on its own dashboard.

Each measure is represented by a bar chart. The interfaces are divided up and distributed into one of 10
columns, or ‘bins’, on the bar chart to indicate the status of a specific measure.

The graph on this slide shows channel utilization for AP interfaces. The number of AP interfaces is reflected in
the size of the bar in each column.


(slide contains animations)


The best way to interpret a dashboard is to look at the type of measure first, in this case, channel utilization.
Then, look at the maximum and minimum values. These show that you have at least one interface on the
system that is 0% utilized and at least one that is utilized at 29%. This means all the other interfaces on the
system are somewhere in between.

(click)
The controller starts the graph at zero on the left side

(click)
and finishes on the right side at 29 percent

(click)
Then the controller divides the columns into 10. The first column on the left side contains interfaces that have
between 0 and 2.82 percent utilization, the second between 2.82 and 5.8 percent utilization, and so on.

(click)
To read the value of each column, draw a line from the top of the bar in the column to the vertical axis to
identify how many wireless interfaces are in a particular column.

(click)
Then, look below that line to identify what utilization the column represents. The chart on this slide shows two
interfaces that have between 14 and 17.4 percent utilization.
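The health and capacity guidelines quoted on the earlier slides (loss under 10% and retry under 50%, but only when the interface forwards at least 0.1 Mbps; channel utilization under 75%; 30 clients per interface, 10 for in-room APs, 128 maximum; the noise bands) and the 10-column binning described above, combined in one added Python example that is not part of the study guide or of FortiWLC. The metric samples are constructed; equal-width columns between the observed minimum and maximum, and -86 as the lower edge of the "high -80s" noise band, are assumptions.

```python
"""Added example, not part of the FortiWLC study guide or product: apply the
guide's interface health and capacity guidelines to constructed metric
samples, and bin a metric into 10 columns as the Radio Distribution
Dashboard does."""
from dataclasses import dataclass
from typing import List, Tuple

# Guideline values quoted in the study guide.
MAX_LOSS_PCT = 10.0
MAX_RETRY_PCT = 50.0
MIN_TRAFFIC_MBPS = 0.1            # loss/retry are only meaningful above this
MAX_CHANNEL_UTIL_PCT = 75.0
RECOMMENDED_CLIENTS = 30          # general guide for a medium density network
RECOMMENDED_CLIENTS_IN_ROOM = 10  # in-room APs such as the AP 122
MAX_CLIENTS = 128                 # hard limit on most FortiWLC AP interfaces
NOISE_OPTIMAL_DBM = -92           # noise weaker than this is optimal
NOISE_ACCEPTABLE_DBM = -86        # assumption: "high -80s" reaches down to -86


@dataclass
class InterfaceMetrics:
    """One 60-second sample for an AP interface (constructed data)."""
    name: str
    throughput_mbps: float
    loss_pct: float
    retry_pct: float
    channel_util_pct: float
    clients: int
    noise_dbm: int
    in_room: bool = False


def interface_findings(m: InterfaceMetrics) -> List[str]:
    """Return a finding code for every guideline the sample breaches."""
    findings: List[str] = []
    # Loss and retry percentages are misleading on a quiet interface
    # (two frames sent, one lost, reads as 50% retry), so gate them on traffic.
    if m.throughput_mbps < MIN_TRAFFIC_MBPS:
        findings.append("insufficient-traffic")
    else:
        if m.loss_pct > MAX_LOSS_PCT:
            findings.append("high-loss")
        if m.retry_pct > MAX_RETRY_PCT:
            findings.append("high-retry")
    if m.channel_util_pct > MAX_CHANNEL_UTIL_PCT:
        findings.append("high-channel-utilization")
    limit = RECOMMENDED_CLIENTS_IN_ROOM if m.in_room else RECOMMENDED_CLIENTS
    if m.clients >= MAX_CLIENTS:
        findings.append("client-limit-reached")
    elif m.clients > limit:
        findings.append("above-recommended-clients")
    if m.noise_dbm > NOISE_ACCEPTABLE_DBM:
        findings.append("noise-interference")  # low -80s or -70s: spectrum analyzer
    elif m.noise_dbm > NOISE_OPTIMAL_DBM:
        findings.append("noise-acceptable")
    return findings


def distribution(values: List[float], bins: int = 10) -> List[Tuple[float, float, int]]:
    """Split [min, max] of `values` into `bins` equal-width columns and count
    how many values fall in each, returning (low, high, count) per column.
    Equal-width columns between the observed minimum and maximum is an
    assumption; the guide only says the controller divides the range into 10."""
    if not values:
        return []
    lo, hi = min(values), max(values)
    width = (hi - lo) / bins
    counts = [0] * bins
    for v in values:
        # The maximum lands exactly on the last edge; clamp it into the last column.
        idx = 0 if width == 0 else min(int((v - lo) / width), bins - 1)
        counts[idx] += 1
    return [(lo + i * width, lo + (i + 1) * width, counts[i]) for i in range(bins)]


def render(dist: List[Tuple[float, float, int]], label: str) -> str:
    """Text version of a dashboard: one row per column, one '#' per interface."""
    rows = [f"{label}: {lo:6.2f} - {hi:6.2f} | {'#' * count} ({count})"
            for lo, hi, count in dist]
    return "\n".join(rows)


if __name__ == "__main__":
    # Constructed samples: a quiet interface, a healthy one, an overloaded one
    # and an in-room AP radio with a few more clients than recommended.
    samples = [
        InterfaceMetrics("ap1-5GHz", 0.05, 50.0, 50.0, 0.0, 2, -95),
        InterfaceMetrics("ap2-5GHz", 3.2, 1.0, 8.0, 15.0, 18, -93),
        InterfaceMetrics("ap3-5GHz", 5.0, 12.0, 55.0, 80.0, 40, -78),
        InterfaceMetrics("ap4-2.4GHz", 1.0, 1.0, 5.0, 16.0, 12, -93, in_room=True),
    ]
    for s in samples:
        print(f"{s.name:12} {interface_findings(s) or ['ok']}")
    print(render(distribution([s.channel_util_pct for s in samples]), "util %"))
```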


A bar’s color indicates whether the interfaces it contains are in trouble.

Shades of green usually indicate that that interface is running well within capacity. Other colours indicate
interfaces that may be running outside of recommended values.

The help icon at the top of the dashboard describes the color codes and their meanings. Each graph has a
slightly different set of colours associated with values. For example, in the example on this slide, the RETRY
chart shows interfaces that have a retry rate of greater than 50%.

Unfortunately these values are not changeable, but they do serve as a signal that an interface is having
problems.

The key to reading the distribution dashboard is to look for red.


(slide contains animations)


To find out more about the contents of a bar, hover the cursor over it to reveal the range the bar represents
and the number of wireless interfaces it contains.

(click)
To view a breakdown of the interfaces and the measures a bar represents, right-click the bar, and then select
Details.

(click)
Click Open, to open a new window that contains details about the specific interface.


The Wireless Interface Diagnostics window collects all of the metrics for a single interface displayed in the
dashboard, and plots the metrics on a series of graphs.

You can use the data in the Wireless Interface Diagnostics window to analyze a specific interface over time.
When you open the window, the controller starts gathering information for a specific interface and loading it on
to the graphs. The controller continues to build the graphs for up to two hours, so you can view the last two
hours of measures in one place. The controller discards data collected more than two hours before you
opened the window.

If you close the window, the controller discards the data. You can’t export the data, although you can record it
by taking a screen capture.

The main purpose of this window is to observe over time an interface that you’ve identified as possibly being
in trouble. This allows you to identify whether the measurement was just a peak that occurred only one time,
or if the interface consistently exceeds the capacity or health recommendations.

You can open a Wireless Interface Diagnostics window for any interface, but you must keep the window
open if you want to monitor the interface over time.


Good job! You now understand metrics on specific locations.

Now, you will examine metrics on clients.


After completing this lesson, you should be able to:


• Gather metrics on clients connected to the wireless network
• Identify clients that are experiencing issues


You can read the Stations Distribution Dashboard the same way as the Radio Distribution Dashboard.
The Stations Distribution Dashboard uses bars to represent the client population instead of the access
point interfaces and allows you to identify outliers—clients that are performing poorly or exceptionally.

Bars on the dashboard show throughput, airtime utilization, retry, loss, and signal strength.


Another set of dashboards shows link rates in use.

Use these dashboards to identify clients that are using lower link rate families when transferring data. These
could be older legacy clients that are only capable of slow link rates, or clients suffering from underlying RF
issues.

There are distribution dashboards for the older A and B band rates, and the newer ABG, ABGN, and AC rates.


This slide shows an example of signal strength. The minimum signal strength from the weakest client is -76
and the maximum signal strength from the strongest client is -41.

On the SIGNAL STRENGTH chart, the low-signal-strength clients, represented by orange bars, appear on the
left side of the chart.

On the LOSS and RETRY graphs, you can identify stations that have high loss or retry rates. Colour codes
indicate clients that are in trouble.


This slide shows an example of clients using different link rates in the 802.11ac link rate family.

Both the upstream, RX rate, and downstream, TX rate, are represented in the dashboard. You can isolate and
investigate the clients that might be using suboptimal link rates.

Remember, some battery powered devices will reduce the radio link rate to conserve power. A low link rate
does not always mean a poor connection; this measure should be considered alongside the RSSI and the
amount of data the client is exchanging with the AP.


The example on this slide shows the range of values in use, as well as the number of clients in use.

You can right-click a bar to see more information, or, click Open to use the DIAGNOSTICS feature.

Analysis runs for up to two hours. The data is not stored, only graphed.


The Station Diagnostics screen shows signal strength, the amount of data transmitted and received, and the
loss or retry rates graphed on a common table.

Station log information displays at the bottom of the screen and provides logical information about the
connection states of the client. For example, it details the steps of authentication, association, and other
connection activities that could indicate a successful or unsuccessful connection.

Station logs are covered in more detail in later lessons.

It is common practice when investigating station connectivity issues to open a station diagnostics dashboard
in conjunction with an interface dashboard for the AP interface that the particular client is connecting to. That
way, you can see the network from the client’s point of view and also from the AP’s point of view.


Good job! You now understand how to gather metrics on clients.

Now, you will examine station tables.


After completing this lesson, you should be able to:


• Describe the station tables available on the controller
• Compare and use station tables


Station tables provide a list of clients connected to or trying to connect to the wireless network.

The tables are broadly split into three different types:


• The All Stations table displays logical network information about connected clients, such as IP address,
and so on.
• The Associations Table contains the same list of clients as the All Stations table, but displays
information about RF, listing data rates and frame counts.
• The Discovered Devices table lists all other devices detected in the environment, specifically, devices not
connected to your network that could be neighbouring devices.

The tables display many common values, for example, MAC and IP addresses.


The All Stations table displays a selection of information about stations currently connected to the wireless
network. Common values that you can see in the table include MAC address, IP address, APs and the
interfaces the station is connected to, together with the AP name. You can search and sort the tables.

Usually, you can see the RADIUS-authenticated user name listed for a client, if that client authenticated on an
enterprise security profile. If the RADIUS server returns a dynamic username and tag, you will also see that
listed.

Seeing the authenticated user name makes the identification of wireless clients easier. If you know the end
user’s username, you can track down all the devices that are using that username to authenticate.

The table also displays information about RF band and lists the wireless standard that is in use, as well as the
channel width and the number of streams that a client is using. This information is not easily found elsewhere.

You can also perform actions on stations. Select the check box beside a station to delete a client or view
details about individual clients.

Deleting a client disconnects it from the wireless network by deleting the association. However, this is
usually temporary because the client will immediately re-associate and re-authenticate. For that reason,
deleting a client can be used to force re-authentication when checking for authentication issues.

Click VIEW DETAILS to open a separate screen containing more information about clients, including
additional information about the signal strength detected and whether the firewall policy has been applied.


The Associations table displays RF metrics. It shows the link rates in use between the client and the AP
(upstream and downstream), together with the interface of the AP that the client is connecting to.

The link rates are one of the best indications of connection quality. High link rates equal good performance,
while lower link rates could indicate that a client is struggling to transfer data to the AP, potentially indicating
an underlying RF issue.

Click VIEW DETAILS to view additional information about the client, including the channel utilization of the
client. In combination with the signal strength, the link rates could indicate that a client is struggling to connect
to the network.


The Discovered Devices table lists ALL the wireless devices that are transmitting within range of your APs.
They may well be in any wireless network and not just associated with yours. These devices are commonly
referred to as neighbouring devices.

The table lists devices detected in real time and updates each time you click REFRESH. It displays both
wireless APs and wireless stations. For wireless APs, the table lists the channel in use, the current signal
strength of the AP, and the AP that detected it.

This information is useful when investigating sources of channel utilization from outside your network. You
can audit all of the neighbouring APs and the channels they are using. This enables you to select a less
congested alternative channel for your single channel layer.

You can also use this table to display the SSIDs in use, which can be helpful for identifying which wireless
network belongs to what organization. It is also possible to see from this list if someone is advertising your
SSID—a potential security issue.

The table lists stations, as well as any device that is transmitting wireless frames. If you have problems with
an end user client that seemingly is not connecting to your wireless network, it is possible to see if that
wireless client is transmitting anything over the air. This is often a good way to verify that the device is
wireless enabled and the wireless is switched on.


Good job! You now understand station tables.


This lesson covered the following topics:


• Core FortiWLC terminology and concepts
• Key wireless metrics and measures
• Network metrics
• Metrics on specific locations
• Metrics on clients
• Station tables

Troubleshooting—Gathering Information


In this lesson, you will examine basic troubleshooting, beginning with gathering information about a suspected
problem.


In this lesson, you will explore the following topics:


• Creating a Problem Statement
• Analyzing Controller Logs
• Collecting Network Connectivity Information
• Collecting Network Performance Information
• Collecting Controller Diagnostics


After completing this section, you should be able to:


• Understand why a clear problem statement is critical for successful issue resolution
• Understand how to create a problem statement


When a problem arises with a network, it is often too easy to move into solution mode, immediately focusing
on the perceived technical problems which might or might not be real. In the rush to fix a problem, you can
miss key details that are not particularly technical but might be related to the way the wireless device is being
used, its location, or another non-technical reason. To ensure that the problem is correctly defined and its
impact understood, get a clear statement of the problem from the person reporting the issue before you
attempt to perform any technical diagnostics or resolution. As a result, the person reporting the problem will
feel more engaged in the process. Whether the problem statement takes the form of an email message,
written document, or an entry in a call management system, you must consider some key features.

The problem should be clearly described in a non-technical way. It is easy to use technical jargon and terms
that people outside the IT industry won’t understand, which can make the troubleshooting process more
contentious. After all, during the troubleshooting process you are trying to improve an end user’s experience of
the network. The underlying technical problems that might be degrading that experience are
immaterial to the end user.

After everyone agrees that the problem is clearly defined, the problem statement should function as a guide
for all involved. It should help avoid mission creep, which is the temptation to attach other issues to the
problem. Problems are best dealt with one at a time. There could be other issues with the network, but these
can be assigned their own problem statements and priorities. If the person or organisation who reported the
problem is satisfied with the description in the statement, it should be easy to prove when the problem is fixed.
If the problem was not defined clearly, then it will be difficult to know when it is fixed.

The problem statement should also reflect the priority of the issue. The temptation is to classify every problem
as a critical issue, which creates a bottleneck of issues, all of which seem to need investigation and resolution
in parallel. This parallel activity can cause issues because it results in changes to the network that can
complicate other problem investigations. Encouraging the reporter to be honest about the importance of the
problem could lead to a faster resolution.
FortiWLC 8.2 Study Guide 464
Troubleshooting—Gathering Information


Perhaps the most important thing to consider is: can you repeat the problem and reproduce it on demand?

Much that occurs in a wireless network is transient. Because a wireless network is subject to the quirks of
radio technology, it’s possible that a one-time interference event could cause a significant problem in part of
the wireless network and never recur. Spending huge amounts of time and effort to find the root cause of
issues like this usually produces no results. You should still investigate these issues; however, the only action
you can take might be to implement additional monitoring in case the problem recurs, to help gather more
information about the issue. If the problem is repeatable and reproducible, then it will be easier to define the
problem clearly in the problem statement and find the root cause.

This slide shows examples of information that you should include in the problem statement. It is not a
complete list. Each network has unique features, so you must create a list of items specific to your network for
your problem statement. Usually, you should be able to define what has attracted your attention. Was it a
complaint from an end user? Was it a log off from, or an error returned by, a piece of equipment? Has the
issue happened before? If so, when, where, and how many times? Is there a pattern to the location or
the timing of the events? Ask the end user to describe the problem specifically.

Verify what is happening. Often, the end user is non-technical and will be able to use only the terms that they
are familiar with. You might need to view the problem yourself on the device that is experiencing the issue.

Establish, step by step, what the end user did to generate the problem. Often, people focus on tasks or
actions they performed on the device, such as visiting a website or a shared resource on the network, or
another related activity. However, what the user was doing with the device when the
problem occurred is equally important. For example:

• Were they moving from room to room?
• What did they do when they moved from room to room?
• Did they shut their laptop down, suspend it, or shut the lid?
• Does the problem occur when the device is connected to a power source, or running on battery
power?

Most of these questions do not relate to technical information, such as IP address, signal strength, or
other such technical details. It is important to collect information about all aspects of the problem.

Often, user behaviour might cause the problem. If you focus only on the technical elements of the
problem, it may take weeks to discover the root cause.

A good problem statement should describe any known problems in the network and any recent
changes to network configuration, even if they seem unrelated to the problem. For example, a change
to something in the Active Directory could impact authentication for a specific group of users, which in
turn impacts authentication on the wireless network.

Have there been any changes on the client? Have there been any upgrades, updates, or changes to the
driver? Apple devices are in widespread use on wireless networks. Major iOS updates often introduce
changes in wireless behaviour that can cause problems with wireless networks. Understanding
changes in the client configuration can often lead to uncovering compatibility issues with clients.

Try to vary some factors to fully understand the problem:


• If the laptop is using a wireless connection, connect it to the wired network, if possible, and see if you
can reproduce the problem.
• If the problem occurs on an iPad, does the problem also occur on an iPhone or Android device?
• If there is a connectivity problem with a built-in wireless card, does connecting to a USB wireless
card enable you to repeat the problem?

Some quick and easy checks during the initial problem definition help to guide you to the issue. For
example, if the issue occurs when the device is using a wired connection to the network, then the
problem is unlikely to be a wireless issue.

Recording all the information you gather in a problem statement provides a baseline to work from. A
well-written problem statement can be the most powerful troubleshooting tool of all.

FortiWLC 8.2 Study Guide 466


Troubleshooting—Gathering Information


Good job! You now understand what is involved in creating a problem statement.

Now, you will examine analyzing controller logs.

FortiWLC 8.2 Study Guide 467


Troubleshooting—Gathering Information


After completing this section, you should be able to:


• Describe the logs available on a controller and their purpose
• Navigate to and analyze the alarm table, event table, and syslog table
• Distinguish between alarms and events, their consequences and relative importance
• Distinguish current and historical alarms and events
• Configure alarm and event thresholds
• Enable additional syslog information for troubleshooting

FortiWLC 8.2 Study Guide 468


Troubleshooting—Gathering Information


The FortiWLC controller contains many logs. Many are not visible to the system administrator and are used
only for in-depth support and engineering.

There are three main log sources available to the system administrator on the controller: the Alarm table, the
Events table, and the optional Syslog.

The Alarms table is used by the controller to communicate critical events. An alarm usually indicates a
persistent fault, such as equipment failure. Most alarms require immediate action to resolve a condition that’s
affecting the performance of the wireless network.

The Events table records less significant network occurrences, only communicating that an event has
occurred on the network. The event might not be a problem—it might be informational only.

Events can give clues about the root cause of other problems. You usually use events in combination with
other troubleshooting tools. The Events table is similar to the Windows event log in that you usually
look at these tables when you notice a problem in another area of the network.

You should review the Alarms and Events tables frequently.

The syslog contains system-level logging. You usually consult it only when you notice a specific problem. You
can enable additional syslog events to help diagnose problems, for example, debug options to diagnose
controller redundancy, user authentication, and firewall issues.

FortiWLC 8.2 Study Guide 469


Troubleshooting—Gathering Information


The alarms are visible in multiple locations. The first pie chart in the distribution section of the system
dashboard shows you the number and type of alarms that are active.

Alarms are active until they are cleared. Once they are cleared, alarms move to a history list. Most alarms
clear themselves after you resolve them. For example, when an AP stops running, an alarm is raised. When
the AP starts running again, the alarm clears itself without any manual intervention. Some alarms, however,
don’t clear themselves—you must clear them manually. Clearing an alarm doesn’t fix the underlying condition,
it only removes the alarm from the Alarms table.

The system classifies alarms according to severity—critical, major, minor, and informational. The system also
assigns color to alarms. The example on the slide shows that the pie chart is split into red and yellow sections
to indicate the number and severity of the alarms that are active. Red is bad, and is usually indicative of a
major equipment failure. Major and minor alarms also indicate a problem that requires investigation.

To view more information about an alarm, visit the Fault Management dashboard, select the Active Alarms
tab and review the detailed information column. To view the alarm history, click the Alarm History tab. To
view a definition of the alarm, click the Definitions tab. Each alarm includes the name, severity, source, FDN,
date and time raised, and detailed information. The detailed information column usually contains all the
information the controller has about the event. For example, if an AP stops running, the AP name is shown,
together with the MAC and IP addresses. If the APs are named appropriately, you should be able to locate the
faulty AP in the network easily.

You can acknowledge alarms to indicate that you are investigating the cause of the alarm. Acknowledgements
have no other function; the option simply acts as a ‘flag’. For example, if an AP stops running, the
technician who spotted the alarm may well set it to ‘Acknowledged’. This signals to anyone else
monitoring the network that the alarm is being investigated.

FortiWLC 8.2 Study Guide 470


Troubleshooting—Gathering Information


The Definition tab contains a list of all the alarms that can be raised on the controller. You can’t add your own
alarms or events; however, you can edit alarms to change the severity and some thresholds, if required. For
example, you may not think of an AP that stops running as a critical failure, so you could reclassify the alarm
as a major alarm by editing the Definition table. Some alarms have thresholds associated with them, usually
for memory or CPU usage. You can edit these alarms too, although this is unusual. Editing also allows you to
view information about the purpose of the alarm and allows you to permanently disable the alarm if required.

By default, alarms are forwarded by the controller to a syslog or SNMP server, if one is configured. You can
turn off this action for specific alarms.

Because the storage on the controller is limited, there is a limit to the size of the alarm table. The controller
can store a maximum of 10,000 alarms. When that limit is reached, the controller purges the oldest 9900
alarms. Optionally, you can archive the oldest 9900 alarms using the remote-log CLI command.

The FortiWLC controller doesn’t proactively notify you of faults, however, FortiWLM can provide this function
using emails.

FortiWLC 8.2 Study Guide 471


Troubleshooting—Gathering Information


Events display only under Fault Management. They don’t appear in the system dashboard pie chart or
anywhere else.

There is no event history because all events are considered history.

Events are classified according to severity, and the Detail Information column contains specific information
about the event.

Often, events relate to workstations and could indicate unusual behaviour by a workstation. For example, if
you are investigating issues with the connectivity of a specific workstation, you can filter the Detail
Information column by the MAC address of the workstation. This could reveal authentication events and
might help indicate why the station is not connected correctly.

FortiWLC 8.2 Study Guide 472


Troubleshooting—Gathering Information


You can access a full list of events on the Definition tab. As with the alarms table, you cannot add your own
events.

Edit events to see the description, change the severity and some thresholds, or disable an event.

By default, events are forwarded to syslog and SNMP servers.

FortiWLC 8.2 Study Guide 473


Troubleshooting—Gathering Information


To access the syslog tables, on the left side of the screen, click Maintenance.

You don’t need to view syslog tables daily; however, they can contain events that are useful to view when you
are troubleshooting.

The logs are divided into eight categories. Many of these categories contain only a few or no events, which is
not unusual.

If you are troubleshooting firewall issues, the most useful categories to review are usually Security, System
WNC, and Per User Firewall.

FortiWLC 8.2 Study Guide 474


Troubleshooting—Gathering Information


If you are troubleshooting authentication issues, enable security logging on the security profile. This produces
additional information about the authentication of clients connecting using the security profile.

If you are investigating problems with the Per User Firewall, enable QoS rule logging in the rule you are
having trouble with. This adds additional information for firewall rule matching to the syslog.

If you are investigating issues with failover, you can enable additional logging for N+1 controller redundancy.
Refer to the system configuration guide for information about this.

FortiWLC 8.2 Study Guide 475


Troubleshooting—Gathering Information


Good job! You now understand analyzing controller logs.

Now, you will examine collecting network connectivity information.

FortiWLC 8.2 Study Guide 476


Troubleshooting—Gathering Information


After completing this section, you should be able to:


• Describe the process for collecting and reviewing client connectivity information
• Describe the steps a client takes to connect to a FortiWLC network
• Understand how to locate client information in the controller
• Investigate client connectivity problems using the system director dashboards
• Investigate client connectivity problems using the system director interactive client log

FortiWLC 8.2 Study Guide 477


Troubleshooting—Gathering Information


This is a summary of the process that you would use to collect information about a client connection issue.

Before collecting information, locate the client’s wireless MAC address. This is essential information that you
must have to collect information about the client. The wireless network operates at layer 2 of the OSI model
and, while it is useful to define the IP address, the MAC address is a key piece of information because it is
what the controller uses to refer to the client. If the client is connected, you can get the MAC address from the
controller.

You can use the controller to discover if the client is transmitting or attempting to connect to the controller. The
controller’s Discovered Devices table will show all wireless devices transmitting within range of the APs. If
you can’t find the MAC address on the controller, you can check the DHCP server to discover whether the client
has previously claimed an IP address, or consult other sources of network information. As a
last resort, you could ask the end user for the MAC address, or query the device for them.

After you get the MAC address, you must verify which AP and interface the client is connected to. If the client
is not connected, discover the physical location of the device and locate the AP closest to it. If the client is
connected to the controller, examine the client’s connection metrics using the station diagnostics. The key
metrics to review are signal strength and the retry and loss rates. Is the user standing close enough to an AP?
Are the client and the AP exchanging information accurately? The station diagnostics provide an overview of
the health of the workstation from the wireless network’s point of view.

FortiWLC 8.2 Study Guide 478


Troubleshooting—Gathering Information


Next, examine the health of the workstation’s location by inspecting the radio diagnostic for the interface that
the client is connected to. If the client is not connected to a specific interface, review the diagnostics for both
interfaces at the APs located closest to the client’s location. You must verify that the station count is
acceptable and that the AP interface is not overloaded. Ultimately, there is a limited amount of air time for the
clients to share. While each radio interface can, in theory, accept up to 128 clients, in reality, acceptable
performance is achieved at a much lower client-to-interface ratio.

Verify that the noise level is acceptable. The APs have the ability to estimate the amount of background noise.
A high level of background noise makes it difficult for both the client and the access points to send frames
reliably to each other. This usually is indicated by a good signal strength but reduced link rates, because the
clients speak more slowly to make themselves better understood.

Examine the loss and retry rates of the AP interface, which is a measure of the health of the connections
between the AP and its associated clients. An AP interface’s struggle to send frames reliably to a client will be
reflected in the loss and retry rates.

Finally, check the channel utilization. This is a measure taken by the APs of how much of the air time is taken
up by wireless frames. This is a key capacity indicator. If channel utilization is at 100%, then there is no more
air time to transmit frames; ideally, channel utilization should average no more than 75%.

If the previous measures don’t reveal the problem, then analyze the steps the client goes through to connect
to the network by performing a station log. If the station is failing to connect at some point during the
connection process, then errors should appear in the log to indicate the problem. The controller retains only a
limited number of logs. Often, it is best to perform a live station log of a failing connection to find the failure.
After you have completed this process, most connection issues should be explainable and resolvable.

FortiWLC 8.2 Study Guide 479


Troubleshooting—Gathering Information


The station log functionality is built in to the FortiWLC controller. It continuously monitors and logs client
activity. Station logs are very useful for troubleshooting clients that are struggling to get connected or stay
connected to the wireless network.

Station logs record all phases of client connection attempts, including the standard wireless 802.11
connection steps, such as authentication and association. Station log also analyzes other types of events
such as DHCP exchanges, radius messages, MAC filter events, and band steering events. You can also use
station log while clients are connected to monitor the client as it moves around the network and is handed off
from AP to AP.

A log is produced for all clients that connect to the network but is only retained for a short period of time
because of the limited amount of storage. You can query the retained logs using the CLI or the GUI. In GUI,
the retained logs are referred to as buffered diagnostics.

Usually, if you are investigating a client connection issue, you should perform an interactive station log where
the connection attempt is made while a manual log is made.

The FortiWLM network manager appliance allows for the capture and the option of permanent storage of all
station logs.

FortiWLC 8.2 Study Guide 480


Troubleshooting—Gathering Information


When a station connects to a FortiWLC network, it goes through a series of stages during the connection
process that are well defined and occur in a specific order.

The station must complete one stage in the process before it begins the next stage. It is important for
troubleshooting to know which stages happen in what order. For example, if a client can’t connect, you can
observe how the client progresses through the sequence while it tries to connect.

If the station completes a particular stage and then stops, you know that the next stage is where the issue is
occurring, which can help you characterize what is happening and identify the specific stage of the sequence to
focus on.

The diagram on this slide shows the stages in the order in which they happen, from left to right. The first
stage on the left side of the diagram is MAC filtering.

FortiWLC 8.2 Study Guide 481


Troubleshooting—Gathering Information


If a station’s MAC address is on a block list, and MAC filtering is active, then the station’s traffic won’t proceed
any farther. The client won’t continue in the connection process and a log message will be generated to
indicate that a client MAC address was blocked.

FortiWLC 8.2 Study Guide 482


Troubleshooting—Gathering Information


Initial station assignment is where most stations are observed before connecting. The station starts and
begins to passively scan the wireless channels and make probe requests. It gathers information about all of
the APs around its location and builds a list of candidate entries. When that station indicates that it wants to
join one of those networks with a probe request, the controller must assign it to a radio interface on an AP.
The selected AP interface is responsible for that station for the duration of the connection process. This is the
initial station assignment.

This step is required. If it does not happen, then none of the radio interfaces on any of the APs will respond to
that station. Where there are multiple AP interfaces within range, you might see multiple assignments
because the controller is priming those APs to accept a connection from that client should the controller send
the client to that AP.

Initial station assignment is used to decide on and then inform an interface that it is responsible for a specific
station. It rarely fails but, if it does, it is usually because the client is too far away from the nearest AP
interface. Clients with very low signal strength will not get assigned and, as a result, will not get connected
even if the client can see the wireless network.

By default, a client has to be detected at a signal strength 15 dB above the detected noise floor. This is
known as the probe response threshold (PRT). If the noise floor is measured by the AP interface at -92 dBm,
then only clients measured with an RSSI of -77 dBm or stronger will be assigned to that AP interface. It should
be noted that this process applies during station connection only. Once a station is connected, it is left
connected even if its signal drops below this threshold; if the station disconnects and then reconnects, the PRT
will apply again.

Assignments do not last for ever. They age out if unused and you will see these messages in the station log.
Assuming that initial station assignment succeeds, the next stage is part of the 802.11 standard.
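The PRT rule described above, written out as a small model (an added example, not FortiWLC code): the threshold is derived from the interface's measured noise floor, it is applied only at initial station assignment, and a station that is already connected is left connected when its signal later drops below it. The class, method names, and sample values are assumptions made for this example.

```python
"""Probe response threshold (PRT) gate for initial station assignment.

Added example, not FortiWLC code. It models the behaviour the study guide
describes: a station is assigned only if its RSSI is at least PRT (15 dB by
default) above the noise floor measured by the AP interface; the check is
applied at connection time only; a connected station whose signal later
drops below the threshold stays connected; after a disconnect the PRT
applies again. Class/method names and sample values are assumptions.
"""
from typing import Dict, List

DEFAULT_PRT_DB = 15  # default PRT from the study guide, in dB above noise floor


class RadioInterface:
    def __init__(self, name: str, noise_floor_dbm: int, prt_db: int = DEFAULT_PRT_DB):
        self.name = name
        self.noise_floor_dbm = noise_floor_dbm
        self.prt_db = prt_db
        self.connected = set()  # MACs currently assigned to / connected on this interface

    @property
    def threshold_dbm(self) -> int:
        # A -92 dBm noise floor with the default PRT gives -77 dBm.
        return self.noise_floor_dbm + self.prt_db

    def would_assign(self, rssi_dbm: int) -> bool:
        """PRT test for a station that is not yet connected here."""
        return rssi_dbm >= self.threshold_dbm

    def probe(self, mac: str, rssi_dbm: int) -> bool:
        """Initial station assignment on a probe request. The PRT is applied
        only to a station that is not already connected (assumption: a probe
        from a connected station is simply answered)."""
        if mac in self.connected:
            return True
        if self.would_assign(rssi_dbm):
            self.connected.add(mac)
            return True
        return False

    def signal_update(self, mac: str, rssi_dbm: int) -> bool:
        """A connected station whose RSSI falls below the PRT is left connected."""
        return mac in self.connected

    def disconnect(self, mac: str) -> None:
        """After a disconnect, the PRT applies again on the next probe."""
        self.connected.discard(mac)


def candidate_interfaces(radios: List[RadioInterface],
                         rssi_by_radio: Dict[str, int]) -> List[str]:
    """Interfaces that would accept an assignment for a probing station.
    Several may be primed when more than one AP interface hears the client."""
    return [r.name for r in radios
            if r.name in rssi_by_radio and r.would_assign(rssi_by_radio[r.name])]


def walkthrough() -> dict:
    """Constructed scenario: connect at -70 dBm, drift to -85 dBm, reconnect."""
    ap = RadioInterface("AP-Lobby-1/if1", noise_floor_dbm=-92)
    mac = "aa:bb:cc:dd:ee:01"  # constructed MAC
    r = {"threshold_dbm": ap.threshold_dbm}           # -77
    r["connect_at_-70"] = ap.probe(mac, -70)          # True: above PRT
    r["stays_at_-85"] = ap.signal_update(mac, -85)    # True: still connected
    r["reprobe_while_connected"] = ap.probe(mac, -85) # True: PRT not re-applied
    ap.disconnect(mac)
    r["reconnect_at_-85"] = ap.probe(mac, -85)        # False: PRT applies again
    r["reconnect_at_-77"] = ap.probe(mac, -77)        # True: exactly at threshold
    return r
```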

FortiWLC 8.2 Study Guide 483


Troubleshooting—Gathering Information


When a station starts to connect, it asks to be authenticated with the network. In the original 802.11 standard,
there were only two choices for authentication and encryption: an open network (called a clear network
today) or a shared network (called WEP today).

So, even if we’re using a newer form of authentication, the station still has to authenticate with one of those
two before it can continue. Even though it may not be the actual authentication that takes place, it’s a
placeholder. It’s there to satisfy backwards compatibility with the original standard.

For example, if the network that the station is joining uses a WPA2 pre-shared key (also known as WPA2
Personal), when the connection reaches this stage, the station triggers an 802.11 authentication to a clear
network. Both the station and the infrastructure know at this moment that this isn’t the real authentication, but
it has to succeed for the connection to go any further.

If the network really is a clear network, then this is where the connection happens. If it is using one of the
newer forms of authentication, then the placeholder will always succeed, and then moves into the association
stage in which the station will ask to be associated with the AP of its choosing. In a virtual cell environment,
the station sees only one AP for the network it’s joining, therefore it’s going to ask to be associated with the
virtual AP. After the authentication process is complete, the client will try and associate with the AP. The AP
and client will exchange information about supported rates and supported authentication protocols and,
assuming they both find common settings, they will make a connection.

If the association rates for the wireless network have been changed, for example, if older 802.11b connection
rates have been disallowed, it is possible for clients to fail to agree on connection rates, in which case the
association will fail. Associations will also fail if the network is using a newer encryption standard than the
client is able to support. For example, some older clients can’t support WPA2 and, as a result, won’t be able to
negotiate a successful association.

FortiWLC 8.2 Study Guide 484


Troubleshooting—Gathering Information


The next two stages are optional and appear only if the network the station is joining uses one of five types of
authentication. The first authentication type is an extension of the original WEP standard, 802.1X over WEP,
which uses WEP encryption but authenticates using credentials exchanged with an authentication server
using the 802.1X protocol, rather than a static WEP key.

You should not be using this, as WEP uses weak encryption technology and, as a result, is easy to
exploit. The next two authentication types are the two WPA alternatives: WPA Personal and WPA Enterprise.
Both use TKIP-based encryption, an encryption technology that has been superseded. It is best practice to
avoid this technology due to security concerns; in addition, all modern clients now support more secure
standards by default.

The last two authentication types are WPA2 personal and WPA2 enterprise, which use a more secure and
robust encryption and are the correct choices for today’s networks. It should be noted that 802.11n and
802.11ac protocols do not even recognize older forms of encryption. The only authentication methods that
adhere to those standards are WPA2.

If the authentication method is any of the five authentication types, then the next two stages are triggered. The
first stage handles the authentication using the 802.1X protocol. Authentication is typically either a PSK (pre-
shared key), username and password or in some circumstances, a certificate. These are the common
methods, known as EAP type, but there are many other options.

Usually, it is at this stage of the connection that failures occur. Common problems include the wrong pre-shared
key, or a wrong EAP/RADIUS configuration, which causes the process to fail. It is possible to decode the
message to identify the type of failure that occurred. Assuming authentication completes successfully, then
the second stage is completed. This handles the creation and exchange of the keys used for the data
encryption. It is usually a formality and it is rare to see a failure here.

FortiWLC 8.2 Study Guide 485


Troubleshooting—Gathering Information


After these initial stages complete, the layer 2 bridge opens between the wireless client and the rest
of the network. Until this point, frames have travelled only as far as the APs and no further. But now that the
client is authenticated and associated and has optionally completed its crypto key setup, it can exchange traffic
with the rest of the network.

If the client is configured for DHCP, one of the first things it should do is to locate the DHCP server. You can
observe the DHCP discovery and other packets pass to and from the client in the station log. This stage is
optional. Clients can have a static IP and might not use DHCP.

If there is a problem with DHCP, you will begin to see indications at this stage.

FortiWLC 8.2 Study Guide 486


Troubleshooting—Gathering Information


IP discovery is the final mandatory event in a successful client connection. If a DHCP exchange has occurred,
the IP address is discovered from the DHCP server exchange. If the IP is statically allocated, the initial
packets transmitted by that client are inspected for the IP address.

A valid IP address must be discovered by the controller because several internal processes rely on the IP
being known.

FortiWLC 8.2 Study Guide 487


Troubleshooting—Gathering Information


Captive portal is an optional step for wireless networks using a web page to authenticate user access to a
wireless network. By this stage, the wireless connection has been established successfully and an IP address
has been discovered.

The controller is restricting access to the rest of network until authentication occurs through the captive portal.
Captive portal events, such as incorrect username and password are displayed here.

FortiWLC 8.2 Study Guide 488


Troubleshooting—Gathering Information


Station logs can become quite long, depending on the type of authentication in use. This means they can
sometimes be difficult to interpret quickly.

The best way to check quickly whether a station is connected successfully is to look for the ‘bookend’ events.

Look at the beginning of a station log and the end of the station log for the initial station assignment message
and the IP discovery message. If they are present, then you don’t need to inspect the events in between these
bookend events. The IP discovery message doesn’t appear unless you have a successful connection.

For IP discovery, it is important to make sure the controller has discovered an IP in the correct range.
Sometimes the client will assign itself a link-local IP address in the 169.254 range, which is a valid IP to
the controller, but not necessarily to the rest of the network.
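The stage sequence from the preceding slides and the bookend check above, combined in one analyzer (an added example, not FortiWLC code or output). The stage names, the line format and the sample log lines are constructed for this example; a real station log is worded differently, so the parser would need adapting to the actual format.

```python
"""Station-log stage analyzer: added example, not FortiWLC code.

Stage order follows the study guide: MAC filter, initial station assignment,
802.11 authentication, association, 802.1X/PSK authentication, key exchange,
DHCP, IP discovery, captive portal. The 'time mac STAGE OK|FAIL detail' line
format and the sample lines are CONSTRUCTED; real station-log wording differs.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

STAGES = ["MAC_FILTER", "ASSIGN", "AUTH80211", "ASSOC", "DOT1X",
          "KEY_EXCHANGE", "DHCP", "IP_DISCOVERY", "CAPTIVE_PORTAL"]
ORDER = {s: i for i, s in enumerate(STAGES)}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<stage>[A-Z0-9_]+)\s+(?P<result>OK|FAIL)(?:\s+(?P<detail>.*))?$",
    re.IGNORECASE,
)

SAMPLE_LOG = """\
10:00:01 aa:bb:cc:dd:ee:01 ASSIGN OK ap=AP-Lobby-1 if=1
10:00:01 aa:bb:cc:dd:ee:01 AUTH80211 OK open placeholder
10:00:01 aa:bb:cc:dd:ee:01 ASSOC OK
10:00:02 aa:bb:cc:dd:ee:01 DOT1X OK eap=PEAP
10:00:02 aa:bb:cc:dd:ee:01 KEY_EXCHANGE OK
10:00:03 aa:bb:cc:dd:ee:01 DHCP OK ack
10:00:03 aa:bb:cc:dd:ee:01 IP_DISCOVERY OK ip=10.20.30.41
10:00:05 aa:bb:cc:dd:ee:02 ASSIGN OK ap=AP-Lobby-1 if=1
10:00:05 aa:bb:cc:dd:ee:02 AUTH80211 OK open placeholder
10:00:05 aa:bb:cc:dd:ee:02 ASSOC OK
10:00:06 aa:bb:cc:dd:ee:02 DOT1X FAIL wrong pre-shared key
10:00:10 aa:bb:cc:dd:ee:03 ASSIGN OK ap=AP-Lobby-2 if=2
10:00:10 aa:bb:cc:dd:ee:03 AUTH80211 OK open placeholder
10:00:10 aa:bb:cc:dd:ee:03 ASSOC OK
10:00:40 aa:bb:cc:dd:ee:03 IP_DISCOVERY OK ip=169.254.7.9
10:00:50 aa:bb:cc:dd:ee:04 MAC_FILTER FAIL address on block list
10:00:55 aa:bb:cc:dd:ee:05 ASSIGN OK ap=AP-Lobby-2 if=1
10:00:55 aa:bb:cc:dd:ee:05 AUTH80211 OK open placeholder
"""


@dataclass
class Verdict:
    connected: bool = False                # both bookend events present
    assigned: bool = False                 # initial station assignment seen
    last_ok_stage: Optional[str] = None
    failed_stage: Optional[str] = None     # first stage reporting FAIL
    suspect_stage: Optional[str] = None    # stage after the last success
    ip: Optional[str] = None
    ip_usable: bool = False                # False for 169.254.x.x self-assigned
    notes: List[str] = field(default_factory=list)


def analyze(log_text: str, mac: str) -> Verdict:
    """Walk one client's station-log lines and report how far it got."""
    mac = mac.lower()
    v = Verdict()
    ip_discovered = False
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["mac"].lower() != mac:
            continue
        stage, detail = m["stage"].upper(), m["detail"] or ""
        if stage not in ORDER:
            v.notes.append(f"unknown stage {stage}")
            continue
        if m["result"].upper() == "FAIL":
            if v.failed_stage is None:
                v.failed_stage = stage
                v.notes.append(f"{stage} failed: {detail}".strip())
            continue
        if v.last_ok_stage is None or ORDER[stage] > ORDER[v.last_ok_stage]:
            v.last_ok_stage = stage
        if stage == "ASSIGN":
            v.assigned = True
        elif stage == "IP_DISCOVERY":
            ip_discovered = True
            found = re.search(r"ip=(\S+)", detail)
            v.ip = found.group(1) if found else None
            try:
                v.ip_usable = bool(v.ip) and not ipaddress.ip_address(v.ip).is_link_local
            except ValueError:
                v.ip_usable = False
            if v.ip and not v.ip_usable:
                v.notes.append(f"{v.ip} is a self-assigned link-local address; "
                               "check DHCP")
    # Bookend check: assignment at the start and IP discovery at the end mean
    # the wireless connection succeeded, whatever happened in between
    # (a later captive-portal failure is still reported in failed_stage).
    v.connected = v.assigned and ip_discovered
    if not v.connected and v.failed_stage is None:
        # The client stopped after a completed stage, so the next stage is
        # where to start looking; with no events at all, assignment itself
        # is the suspect (typically RSSI below the PRT).
        nxt = 0 if v.last_ok_stage is None else ORDER[v.last_ok_stage] + 1
        idx = max(nxt, ORDER["ASSIGN"])
        v.suspect_stage = STAGES[idx] if idx < len(STAGES) else None
    return v
```

Optional stages are skipped on open networks, so treat suspect_stage as the first stage to check rather than a definitive answer.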

FortiWLC 8.2 Study Guide 489


Troubleshooting—Gathering Information


Before you can begin troubleshooting, you must find out the client’s MAC address.

The ease of finding this depends on the status of the client. If the client is connected to the wireless network,
then its MAC address should appear in the Associations and All Stations tables. Each table provides slightly
different information about the client, but the Associations table is the first table you should try.

At the bottom of the screen, click the station icon. Or, on the left side of the screen, click Monitor, and then,
under Devices, click Associations.

The Associations table provides the MAC address, IP address, associated AP, associated interface, and the
receive and transmit link rates in Mbps. It is worth noting the associated AP and interface because you will
use this information later.

To read this table and locate the client, you will need to know some information about the client’s connection.
The SSID and location of the building the client is in will help, however, the IP address will enable you to
identify the client in the table.

The transmit and receive link rates are useful indicators of the health of the client’s wireless connection. They
show the speed that the client and the AP radios have negotiated. If those speeds are close to the maximum
speeds that the client’s radio supports, then that implies that the RF conditions are favorable. However,
there are exceptions, which are covered later in this lesson.


The All Stations table also contains information about clients, although slightly different. You can sort and
filter the information in this table.

The MAC address, associated AP information, and IP address are visible, as well as the RF band and OS
type, if it is being detected.

If the network is enterprise-authenticated with a RADIUS server, then you can also see the username used
during the authentication process. This is probably the most useful piece of information for identifying a user’s
client.

The RF band in use by the client reveals the wireless standards that have been used, the capabilities of the
connection, and the number of streams in use. 1S denotes a single-stream client, 2S denotes a two-stream
client, and so on. The number at the end denotes the channel width in use and is usually either 20, 40, or 80,
to indicate the channel width in megahertz.

Both the All Stations and Association tables can show more information about each client. Select a client,
and then, click View Details. On the Details screen, Current RSSI provides the signal strength of the client
detected by its associated radio. This is the signal strength of the upstream connection from the client to the
AP.

Usually, a client's radio transmits at lower power than a FortiWLC access point; therefore, the downstream signal
strength from the AP to the client is at least as strong as the upstream signal strength, and probably stronger.


The Discovered Devices table contains a list of all wireless LAN devices within range of your network that
are transmitting at a signal strength that allows their frames to be decoded.

All FortiWLC APs listen to all wireless frames in the environment. This includes APs not related to your
network, as well as any workstations not related to your network that are transmitting frames. This is useful for
locating workstations, because FortiWLC can discover any workstation that is turned on and transmitting.

To generate a list of MAC addresses that could contain the workstation that is failing to connect to your
network, filter on the AP closest to the client’s suspected location together with signal strength.


If you can’t easily locate the client’s MAC address over the air using the controller tables, then you must locate
it manually. In some networks, it’s possible to analyse DHCP or DNS to find the client’s MAC address. Other
networks may have security appliances that make a record of the MAC address. Often, the easiest way to find
out the MAC address is by looking on the client’s machine.

Different client operating systems have different ways of revealing the wireless card MAC address. On
Windows, you can use the GUI, but in later versions it can be easier to use the CLI and enter the netsh
command. This command produces a simplified output in which the MAC address is easy to find, as well as the
status of the radio. Later versions of Windows can identify whether the radio has been turned on or off by
software or hardware. This can be useful for making sure the end user has turned on the wireless switch on a
laptop that can’t connect to the network. Many laptops have hardware switches to enable or disable wireless
connectivity. One of the most common reasons that a laptop can’t connect to the wireless network is that
this switch is turned off.

NetSH reveals different information depending on whether the client is connected or not. When connected, you
can see the channel that is in use, an estimate of the receive and transmit rates, and the
percent signal strength.

These measures vary in accuracy, depending on the quality of the driver, and should be used cautiously.

Other operating systems use other methods. Mac OS has a similar CLI option. For Android and other
operating systems, you can locate the MAC address in the phone settings.


After you have found the MAC address, you can investigate the status of the client.

First, if the client is connected, view the Station Dashboard. If the client is not connected, the Station
Dashboard won’t contain any information. The Station Dashboard allows you to focus on the connection
information for a single client only. It’s one of the few places where information is collected and preserved for
any amount of time on the controller. You can collect up to two hours' worth of connection information for a
client.

To collect connection information on a client, in the GUI, on the left side of the screen, click Monitor, and
then, under Diagnostics, right-click Station, and then click Open Link in New Window. A new window
opens, which you can minimize or send to the background. While the new window is open, it is collecting
information on the client. If you close the window, the information is lost. You can’t export information
displayed in that window. You can, however, take a screen capture.


After you open the Station Dashboard in a new window, enter the MAC address for the device, and then
click Start Diagnostics. From this point on, the controller collects and displays information about the client. It
displays up to two hours' worth of information. When investigating both client connectivity and performance
issues, begin by monitoring the signal strength and the retry and loss rates. These measures are displayed on
the Station Dashboard in the form of graphs over time.

When you first open a Station Diagnostics window, the controller takes three quick measures in succession
and starts plotting them on the graphs. The graphs refresh every 60 seconds to reflect new values. You can’t
change the 60-second interval or refresh manually. You should open a Station Diagnostics window as
soon as you begin an investigation, to enable the continuous collection of data. These are the primary health
metrics of a client, which identify both the performance and the ability of the client to connect reliably.

Ideally, a client connection should have less than 10% loss, meaning that less than 10% of the frames being
transmitted from the AP to the client should be lost. The retry rate for frames to the client should be less than
50%. If either measure is consistently above those thresholds, then the access point is not able to transmit
data to the client reliably, which impacts the reliability and performance of the connection.

One of the reasons for high loss and retry rates might be signal strength, so monitoring signal strength as
measured by the AP is important. Signal strength could indicate whether a client is within reasonable range of
an AP, or that the client is connected to an inappropriate AP. It's important to monitor these metrics over time,
because it is not unusual for metrics to spike intermittently. The retry and loss rates are only relevant when data
is being transmitted. If the connection is idle, then the loss and retry rates can be much higher because only a small
number of frames is being sent. Therefore, you should make sure that at least 100 kilobits per second of data is
flowing across the connection.

The example on this slide shows a table at the bottom of the screen that contains the most recent station log
entries. If the client has performed any connection attempts, or made any connection changes, they will be
listed here.

While you inspect the client’s metrics using the Station Dashboard, you should monitor the interface of the AP
the client is associated with at the same time.

Even if your client is not connected, monitoring the radio dashboards of the AP interfaces located close to the
client can reveal some of the RF issues that might be causing the client to fail to connect. You will have to open
multiple windows to inspect multiple interfaces, and employ a certain amount of guesswork to discover which
APs are within range of your client. For example, you may receive a support call from an end user who is
located on the top floor of a building. You could activate the Radio Dashboard for each of the AP interfaces
located on the top floor, which will provide a good overview of the load and any potential RF issues in those
areas.

The Radio Dashboard focuses on the metrics of the radio or AP interface. Focus only on the condition of the
AP interface and not the individual stations.

If you close the Radio Dashboard window, the information is lost. You can’t export information displayed in
that window. You can, however, take a screen capture.


Open a separate window for the radio diagnostics, and then enter the AP ID and interface ID you collected
earlier, and then click Start Diagnostics. The controller conducts three quick updates, and then updates the
window every 60 seconds.

This time, you are looking for measures related to the access point interface.

The dashboard displays multiple graphs. The throughput graph is possibly the least useful graph on the
dashboard. It is a measure of the amount of data transmitted and received from all the clients associated with
the AP. Other than to demonstrate that data is flowing, it is difficult to draw any further conclusions, because
there is no such thing as good or bad throughput.

The most important measures to observe on this dashboard are the noise level, associated station count, and
the channel utilization. These measures indicate spectrum health and AP capacity.

The AP interface is continuously monitoring the channel it is tuned to, and it has the ability to take
measurements of the amount of noise in the environment. It is not an exact measure, because most AP
chipsets can’t take an accurate measurement in the same way as a spectrum analysis device can. However,
the noise level is important. Any increase in noise level indicates a potential problem with the health of the
channel.

Associated station count is a measure of the number of clients associated with the AP interface. It is a simple
station count.

Channel utilization is a measure of the amount of air time taken up by wireless frames. Ultimately, there are
only a fixed number of microseconds in a second, seconds in a minute, minutes in an hour, and so on. As a
result, only a certain number of frames can be transmitted in any given microsecond. The amount of
data carried in those frames varies because of the various encoding and link rates that might be in use.
The AP interface is continuously counting the number of wireless frames that it hears. This can be any
frames from any wireless devices, including neighbouring APs and clients on the same channel. This is
an accurate measurement of the amount of capacity in use, and therefore the free capacity, in any
particular area of the network. Remember, you are not necessarily looking at the channel utilization of
the AP itself, but the channel utilization of the area around the AP.

As a rule, the associated station count should be approximately 30 workstations per interface. This is a
good number for office and classroom use, where the wireless connection is being used for transferring
files, web access, streaming YouTube videos, and so on. The network does not break if you exceed
30; however, experience suggests that efficiency begins to drop off beyond 30 clients per radio for
these types of uses. In other environments where only web access is used, the number of clients per
radio can approach 50 to 80 clients; however, this assumes that relatively small amounts of data are
exchanged in the network.

From a channel utilization point of view, if you begin to exceed 75% channel utilization on a regular
basis, you can classify that area of the network as running short on capacity. By looking at the
associated station count for the interface, and the data throughput for that interface, you should be able
to draw a conclusion as to whether the channel utilization is caused by your clients or neighbouring
APs and clients. If you have very few clients on your interface and very little data flow over the air, yet
the channel utilization is still high, that implies that neighbouring networks are generating the channel
utilization.

The noise level reported by the AP interface is heavily averaged. As a result, you won’t see large
peaks and troughs but a gradual change in noise level over time. Nonetheless, noise levels should be
in the -90s. If the noise level starts increasing into the -80s, that indicates an increase in background
noise, which might indicate a source of interference. To investigate a noise issue further, use of a
spectrum analyzer is recommended.

Temporary peaks above these values are acceptable.


If neither the station nor the radio dashboard shows any obvious reason for connectivity issues, then the next
stage is to review the station log.

As mentioned, the GUI contains a limited record of the station log events that have occurred recently. How far
back the log reaches depends heavily on the number of stations in the network. In a large network, the limited
amount of controller storage means the logs may be available for only minutes.

On the GUI, the log is available in the Station Diagnostics window; however, the log is available only while
the client is connected.

On the CLI, you can run the station log show command and include the -mac option. This dumps any
station log events the controller has for that MAC address, regardless of whether the client is connected.


Often, the historical log may not contain the relevant information, or any information at all, and the only option
is to take a live log.

This is only really practical if the event is reproducible. So, if you have an end user with a connectivity problem
that they can reproduce, then a live station log is ideal.

However, it is possible to use the CLI to leave a station log running over an extended amount of time. This log
can then be captured by the terminal program's capture function. This requires a CLI session left open on a
secure PC, but gives you the option to capture information on the troublesome client over time.

The optional FortiWLM Network Manager platform provides a function that keeps a permanent record of all
station logs for all stations that connect to the controller. It also keeps a long-term record of the contents of the
station and radio dashboards, which allows you to rewind the state of your network to troubleshoot problems
that have occurred in the past. If you work in an environment that experiences frequent issues, then a
network manager device can be a very useful addition to the monitoring of the network.

The following video shows how you can locate the client’s MAC address, and set up and analyze a station log
showing connections to multiple types of wireless networks, including clear or open networks, captive portal,
pre-shared key, and enterprise authenticated RADIUS.


Good job! You now understand how to collect network connectivity information.

Now, you will examine how to collect network performance information.


After completing this section, you should be able to:

• Describe the process for collecting and reviewing client performance information
• Analyze metrics of poorly performing clients
• Identify potential causes for poor performance
• Understand the use of the FortiWLC software spectrum analysis function


To collect network performance information, use an information gathering process similar to the one used to
gather connection information.

Again, the MAC address is the most important piece of information you need to identify the client. The process
to get the client’s MAC address is the same as covered earlier in this lesson: reference the controller’s tables
or other sources, such as DHCP, DNS, or a security device, or ask the end user.

You must verify exactly which AP interface the client is connected to, and you’ll need to review the upstream
and downstream link rates in use.

Then, verify that the station’s connection metrics are acceptable, including signal strength, and loss and retry
rates.

Inspect the AP load metrics and ensure that they meet specifications.

Make sure that the controller is within its load rating—controllers are rated with station and throughput limits.
Performance issues on the network could be caused by these limits being approached or exceeded.

Finally, if some of the previous measures indicate that noise might be an issue, analyze the RF spectrum to
look for potential causes of interference.


To inspect client and AP metrics, reference the Station Diagnostics and Wireless Interface Diagnostics
tables, and review the data received and data transmit link rates that are listed in the Associations table of
the controller.


When looking at performance metrics, first make sure that the client has sufficient signal strength.

There’s no point doing any further troubleshooting unless you are sure the client is close enough to an AP to
get a good signal. As a rule, the minimum signal strength required for a reliable connection is -64 dBm, so
during the process of inspecting the station's metrics, make sure that the signal strength is consistently above
the minimum requirement.

To make use of a higher connection rate, a strong signal is required. The fastest 802.11ac rates require signal
strengths in the region of -53 dBm. If your network has been designed to meet this requirement, then you
must make sure that your stations are consistently meeting this signal strength.

Another important metric to verify for the client is the signal-to-noise ratio. This is not reported as a number in
the controller interfaces and requires some arithmetic to work out. You must find the noise level reported by
the AP interface the workstation is connected to, using the radio dashboard. Then, subtract that noise level
from the detected signal strength of the client.

For example, if the noise floor reported at the AP is -92 and the signal strength of the client is -64, subtracting
-92 from -64 gives 28 dB. This means that the workstation’s transmissions are a good margin above the
noise floor detected at the AP; therefore, it’s clear that the AP can decode at least some of the data rates.

The minimum ratio required for a connection is 15 dB. If the noise floor rises or the station's signal strength
drops, and the ratio falls below 15 dB, the signal will no longer be easily decodable. Higher link rates
require a better signal-to-noise ratio: some of the high link rates require an SNR of up to 35 dB.

While signal strength and signal-to-noise ratio are the primary arbiters of connection quality, another useful
reference is the link rates that are in use by the client and AP radio when they transmit data to each
other. The radios attempt to use the highest link rates that they are capable of. Problems with signal
strength, signal-to-noise ratio, or interference spikes cause the clients and the APs to use lower link
rates.

For example, if you have a station that has a -60 dB signal strength, that implies that the station is
close to an AP and it has a good, strong signal. However, when you review the link rates used by the
client, you might see that the link rate is much less than expected, which implies that the client and AP
are having problems transmitting frames, perhaps because of some form of noise or congestion. One
of the responses of the client and the AP radio interface to the lack of acknowledgement of frames is to
communicate more slowly. Both will use increasingly lower link rates in an attempt to reliably
communicate with the other radio. When you see these lower link rates in use, it can indicate a noise
problem.

There are some caveats to this. First, you must know the specification of the client and the AP to
understand what higher link rates are available. Second, mobile clients are battery powered. They are
known for aggressive power management to preserve battery power. Third, when not transmitting data,
mobile clients can reduce the link rates artificially. So, often a mobile client will have very low upstream
link rates because it has no need to send data and, as a result, has reduced its radio power and/or link
rate to save battery.

Link rates can be an indication of performance issues. If the client is using high link rates upstream and
downstream, that implies that the connection quality is good enough for it to do so, and the
performance issue might not be related to the workstation’s connection.

If the problem is not the quality of the link between the client and the AP, then it could possibly be an
overloading issue on the AP. As mentioned earlier, the station count and the channel utilization are
both primary indicators of capacity. If the station count regularly exceeds 30 clients per interface, or
channel utilization regularly exceeds 75%, then that AP is becoming overloaded. An exception is the
smaller, in-room APs designed for use in hotel rooms. Those APs are designed to handle up to 10
clients.
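The signal strength, SNR and link-quality checks of this section, together with the loss and retry thresholds and the AP interface thresholds (station count, channel utilization, noise floor) given earlier in this lesson, combined into one added example. This is not the controller's own code: the dashboard samples are constructed, the dataclasses are not controller APIs, and the cut-offs for "very few clients" and "very little data" (FEW_STATIONS, LITTLE_DATA_KBPS) are assumptions.

```python
"""Apply this lesson's client and AP-interface thresholds to dashboard samples.
Added example with constructed measurements: the dataclasses are not controller
APIs, and FEW_STATIONS / LITTLE_DATA_KBPS are assumed cut-offs for the lesson's
"very few clients" and "very little data flow"."""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List

MIN_SIGNAL_DBM = -64       # minimum for a reliable connection
FAST_SIGNAL_DBM = -53      # region needed for the fastest 802.11ac rates
MIN_SNR_DB = 15            # below this the signal is no longer easily decodable
HIGH_RATE_SNR_DB = 35      # some high link rates need up to this much
MAX_LOSS_PCT = 10
MAX_RETRY_PCT = 50
MIN_ACTIVE_KBPS = 100      # loss and retry only mean something with data flowing
MAX_STATIONS = 30          # office/classroom rule of thumb per interface
MAX_STATIONS_IN_ROOM = 10  # small in-room (hotel) APs
MAX_UTIL_PCT = 75
NOISE_LIMIT_DBM = -90      # the noise floor should stay in the -90s
FEW_STATIONS = 5           # assumed cut-off
LITTLE_DATA_KBPS = 1000    # assumed cut-off

@dataclass
class StationSample:       # one Station Dashboard refresh (constructed)
    signal_dbm: int
    loss_pct: float
    retry_pct: float
    throughput_kbps: float

@dataclass
class RadioSample:         # one Radio Dashboard refresh for the client's AP interface
    noise_dbm: int
    stations: int
    util_pct: float
    throughput_kbps: float

def snr_db(signal_dbm: int, noise_dbm: int) -> int:
    """Signal-to-noise ratio as the lesson computes it: signal minus noise floor."""
    return signal_dbm - noise_dbm

def assess(station: List[StationSample], radio: List[RadioSample],
           in_room_ap: bool = False) -> Dict[str, object]:
    """Average the window (single refreshes spike) and return numbers plus findings."""
    findings: List[str] = []
    signal = round(mean(s.signal_dbm for s in station))
    noise = round(mean(r.noise_dbm for r in radio))
    snr = snr_db(signal, noise)

    # 1. Signal strength: nothing else matters if the client is too far from an AP.
    if signal < MIN_SIGNAL_DBM:
        findings.append("signal below -64 dBm: client too far from an AP")
    elif signal < FAST_SIGNAL_DBM:
        findings.append("signal usable but below the -53 dBm the fastest rates need")

    # 2. SNR, using the noise floor the AP interface reports on the Radio Dashboard.
    if snr < MIN_SNR_DB:
        findings.append("SNR below 15 dB: frames no longer easily decodable")
    elif snr < HIGH_RATE_SNR_DB:
        findings.append("SNR under 35 dB: the highest link rates will not be used")

    # 3. Loss and retry, judged only on samples where real traffic crossed the link.
    active = [s for s in station if s.throughput_kbps >= MIN_ACTIVE_KBPS]
    if not active:
        findings.append("link idle (<100 kbps): loss and retry rates not assessed")
    else:
        if mean(s.loss_pct for s in active) > MAX_LOSS_PCT:
            findings.append("loss above 10%: AP cannot deliver frames reliably")
        if mean(s.retry_pct for s in active) > MAX_RETRY_PCT:
            findings.append("retries above 50%: AP cannot deliver frames reliably")

    # 4. AP interface capacity and spectrum health.
    limit = MAX_STATIONS_IN_ROOM if in_room_ap else MAX_STATIONS
    stations = mean(r.stations for r in radio)
    util = mean(r.util_pct for r in radio)
    ap_kbps = mean(r.throughput_kbps for r in radio)
    if stations > limit:
        findings.append(f"more than {limit} stations on the interface: AP overloaded")
    if util > MAX_UTIL_PCT:
        if stations <= FEW_STATIONS and ap_kbps < LITTLE_DATA_KBPS:
            findings.append("utilization above 75% with few clients and little data: "
                            "neighbouring networks are consuming the channel")
        else:
            findings.append("utilization above 75%: this area is short on capacity")
    if noise > NOISE_LIMIT_DBM:
        findings.append("noise floor rising out of the -90s: suspect interference, "
                        "follow up with spectrum analysis")

    return {"signal_dbm": signal, "noise_dbm": noise, "snr_db": snr,
            "findings": findings}

# Constructed sample: the lesson's worked numbers (-64 dBm signal, -92 dBm noise)
# for an idle client on an interface whose channel is busy with other networks.
IDLE_CLIENT = [StationSample(-64, 30.0, 60.0, 20.0), StationSample(-64, 25.0, 55.0, 40.0)]
BUSY_CHANNEL = [RadioSample(-92, 3, 80.0, 200.0), RadioSample(-92, 2, 85.0, 150.0)]
```

Running `assess(IDLE_CLIENT, BUSY_CHANNEL)` reproduces the 28 dB SNR from the text and reports the idle link, the sub-35 dB SNR and the neighbouring-network congestion, without counting the high loss and retry figures against the AP.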


Remember, interfaces must transmit a reasonable amount of data for loss and retry to be important, so keep
this in mind when analyzing these metrics.

Management overhead used to be more important in the past with older types of network virtualization, such
as Virtual Port. Management overhead is similar to channel utilization, but instead of measuring all frames in
the air, management overhead measures the proportion of frames that are management frames. In most networks,
management overhead is not an issue. Exceptions are networks that broadcast a large number of separate SSIDs,
or areas with a large number of neighbouring wireless networks, where you might find that the
number of management frames being transmitted starts to get high.

Be aware that management frames do not carry data, only information for the clients and the APs to
manage the wireless network. If 50% of the channel is used for management overhead, then this means that
50% of the data capacity is being lost.


In larger wireless networks that have many clients, or with clients that transmit a lot of data, the controller size
can become an issue. Because of the nature of virtual cell and the way it is coordinated, controllers require
memory and CPU to manage the network and, as a result, have a limit to the number of workstations and data
they can support. Each controller has a different station count, a different number of supported APs, and a
different amount of data that the interfaces will pass.

You can monitor the overall station count and the overall data throughput on the system dashboard. If you find
that your network is starting to approach the limits of any one controller, then you will start to see performance
issues. Again, the network does not break if you go one workstation beyond the limits, but be aware that testing has
shown that performance drops off quickly if you regularly exceed these limits.

Also, remember that each BSSID or virtual cell has a limit of 2007 clients. This is based on the IEEE standard.
Normal microcell networks are not affected by this limitation, but because virtual cells can result in a single
channel of many APs, in large networks it is feasible that an individual virtual cell could have large numbers of
clients associated with it.

The table on this slide shows the current controllers, however, controllers are added and removed from the
product line on a regular basis. Use the product data sheets to confirm the numbers of stations and amount of
data supported.


Spectrum analysis is the process of inspecting the radio frequencies used by wireless LANs. It allows a more
detailed inspection with the potential of identifying and classifying sources of interference and their impact on
the network.

Interference from other devices is a big source of performance issues, particularly in the 2.4 GHz range. This
is due to the sheer number of devices that use 2.4 GHz, and also to the fact that they are often not wireless LAN
devices at all; often they are radio-controlled devices such as garage door openers and similar. These devices
transmit signals that wireless LANs cannot understand or interpret. The signal simply interferes with the
client's or access point's ability to transmit a signal.

Most wireless clients and access points are not designed to directly measure or analyse the spectrum. They
generally perform basic measurements of the noise floor and cannot perform any further analysis. Often the
access point and client measurements will indicate that there is a noise issue but you will not be able to locate
or classify it.

Traditionally, performing spectrum analysis required a dedicated piece of equipment, the spectrum
analyzer. However, modern wireless systems increasingly include a spectrum analysis function
as part of AP functionality.


If a high noise floor or excessive retry or loss count is reported, then there could be a source of interference
located around the AP or the client associated with the AP.

To analyze the noise any further and to potentially locate a noise source, a spectrum analyzer is required. The
wireless chipsets in clients and many APs are designed to transmit and receive frames and, as such,
are not suitable for performing any further analysis on possible interference sources. To understand more
about what is causing the interference, a dedicated spectrum analyzer adapter is usually required.

The spectrum analyzer typically monitors the whole frequency range. A good-quality spectrum analyzer can
usually analyze both the 2.4 GHz and the 5 GHz ranges. The software and hardware adapter can usually
analyze the RF signature, or fingerprint, and compare it to a database of known signatures. This can give a
good indication as to the type of interference because most devices tend to emit a very unique RF signature.

Typically, spectrum analyzers come in two types. A discrete spectrum analyzer is a standalone device,
usually USB, that is plugged into a laptop which then runs dedicated spectrum manager software. A
commonly used device in the wireless industry is known as Wi-Spy, but there are many other devices
available. These discrete devices can be equipped with a directional antenna; after an interference source is
detected, you can usually locate it by varying the physical location of the spectrum analyzer
and then using the directional antenna to home in on it.

Because of the nature of the device, spectrum analyzers can be expensive. They also require someone to be
on site with the spectrum analyzer active to detect the interferer. This is not always practical or possible. You
could spend all day on site with your spectrum analyser and not discover any interference, only to leave and
then find it an hour later after the interferer became active.


The other option is integrated spectrum analysis. More and more wireless vendors are incorporating spectrum
analysis into AP chipsets. Many chipsets can operate in dual mode, which allows the AP chipset to function as
an AP or as a spectrum analyzer, or both at the same time, in the case of more modern APs.

Some FortiWLC APs can perform spectrum analysis. Refer to the AP datasheet to understand the
functionality. Some older FortiWLC/Meru controllers also require an additional software licence to enable the
functionality.

One of the major benefits of integrated spectrum analysis is that APs can be enabled as spectrum sensors
and then left to gather information. This means nobody has to stand on site holding a portable device. If the
integrated spectrum analyzer is left enabled, any RF interference events can be correlated with network
connection or performance issues.

However, the downside is that most APs are not directional, which makes it difficult to precisely locate an
interference source using a single AP. If an interference source is suspected, it is possible to enable multiple
APs in an area and then perform a rough triangulation to locate the interference source.

APs operating as spectrum sensors also have additional network connectivity requirements. APs must
discover the controller as L3 APs, which allows the spectrum software on the AP to communicate with the
controller over IP. Additional ports must be open between the controller and the APs, and these connections
currently do not work across network address translation (NAT).


To collect information about a source of interference, try to identify the approximate area of the suspected
interferer, and then enable a nearby spectrum-capable AP. Be aware that when you do this, the interface that
you configure for spectrum analysis is taken out of service and, as a result, any clients associated with the
interface are dropped and will connect to an alternative interface.

If you don’t have a spectrum-capable AP in the area, then relocate another AP to that location. Often in larger
installations, it makes sense to keep an AP that can be used both as a spare AP and also as a spectrum
analyzer.

After the interface is enabled for spectrum management, it starts collecting information immediately.

At the controller, open the Spectrum Manager console and review the event log for recent information.
Usually, low-level interference events are detected in most networks. Sort the table by utilization to identify
any interferers that are causing a significant problem in the network. Note the signal strength of the
detected interferer and the location of the sensor.

You can activate a live view to enable a real-time view of the spectrum, which allows you to assess the
affected channels.

If the source of interference is not immediately obvious from the interferer description and its location, then
enable multiple sensors in the location and use the interferer signal strength detected by each sensor to
triangulate the location of the interferer. This is a manual activity and will probably require a printout of the
floor plan showing the location of the APs, as well as a pencil and ruler.
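As an added worked example (not part of the course material), the following Python script does the pencil-and-ruler step numerically: it converts each sensor's reported interferer signal strength to a range using a log-distance path-loss model, takes a coarse fix from a weighted centroid of the sensors, and then refines it against the ranges. The floor plan coordinates, the reported signal strengths, the 1 m reference level of -40 dBm and the path-loss exponent of 3 are all constructed assumptions. On a real floor, the reference level and exponent should be calibrated against a transmitter at a known location, and the result should be treated as the starting point for a walk-around rather than a precise fix.

```python
import math

# Constructed floor plan: positions (metres) of the APs enabled as spectrum
# sensors, read off the printed plan. Assumed: a 20 m x 15 m floor, origin
# at the bottom-left corner.
SENSORS = {
    "AP-1": (0.0, 0.0),
    "AP-2": (20.0, 0.0),
    "AP-3": (0.0, 15.0),
    "AP-4": (20.0, 15.0),
}

# Constructed interferer signal strength (dBm) as reported by each sensor in
# the Spectrum Manager event log (values are made up for the example).
REPORTS = {"AP-1": -64, "AP-2": -76, "AP-3": -72, "AP-4": -78}


def rssi_to_distance(rssi_dbm, rssi_at_1m=-40.0, path_loss_exponent=3.0):
    """Log-distance path-loss model: distance = 10 ** ((P_1m - RSSI) / (10 n)).

    P_1m (level at one metre) and n (indoor exponent) are assumptions and
    should be calibrated on the real floor before the estimate is trusted.
    """
    return 10 ** ((rssi_at_1m - rssi_dbm) / (10 * path_loss_exponent))


def weighted_centroid(sensors, reports):
    """Coarse fix: centroid of the sensors, each weighted by 1/estimated range."""
    weights = {ap: 1.0 / rssi_to_distance(rssi) for ap, rssi in reports.items()}
    total = sum(weights.values())
    x = sum(sensors[ap][0] * w for ap, w in weights.items()) / total
    y = sum(sensors[ap][1] * w for ap, w in weights.items()) / total
    return x, y


def refine_by_ranges(sensors, reports, iterations=200, step=0.1):
    """Refine the coarse fix by gradient descent on the squared range residuals,
    which is what intersecting range circles on the floor plan does by hand."""
    x, y = weighted_centroid(sensors, reports)
    for _ in range(iterations):
        gx = gy = 0.0
        for ap, rssi in reports.items():
            sx, sy = sensors[ap]
            measured = rssi_to_distance(rssi)
            current = math.hypot(x - sx, y - sy) or 1e-9
            residual = current - measured
            gx += 2 * residual * (x - sx) / current
            gy += 2 * residual * (y - sy) / current
        x -= step * gx
        y -= step * gy
    return x, y


def locate_interferer(sensors, reports):
    """Return the estimated position and the sensor it is nearest to, which is
    where a walk-around with a handheld analyzer should start."""
    x, y = refine_by_ranges(sensors, reports)
    nearest = min(sensors, key=lambda ap: math.hypot(x - sensors[ap][0], y - sensors[ap][1]))
    return {"x": round(x, 1), "y": round(y, 1), "nearest_sensor": nearest}


if __name__ == "__main__":
    print(locate_interferer(SENSORS, REPORTS))
```

With the constructed readings the fix lands close to (5, 4) and names AP-1 as the nearest sensor; a fix that lands far outside the sensor rectangle is a sign that the path-loss assumptions, not the interferer, need revisiting.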

The following video explains the configuration of an AP interface as a spectrum sensor, and demonstrates the
features and functions of the software.

It demonstrates how to locate poorly performing clients and diagnose the underlying interference issue.

Good job! You now understand how to collect network performance information.

Now, you will examine how to collect controller diagnostics.

After completing this section, you should be able to:

• Describe why you would collect controller diagnostics
• Understand the types of diagnostics available
• Perform diagnostic collection

A system diagnostic is an automated process available on the controller that collects files, logs, and
configuration information about the wireless network. The diagnostic assembles all of this information into a
single file for easy downloading, and can quickly provide Fortinet support personnel with information about a
wireless network. It includes details about the controller and AP configuration, debug logs for core system
components, the status of internal software components, and other information not normally visible to an end
user. It is a very useful source of information to collect when a problem has occurred on the network. You
should attach a diagnostic log to any open support request.

You can collect system diagnostics using the GUI or the CLI. The file produced is not encrypted—you can
open it with most archiving applications. However, there is very little information in the file that is of use to a
network administrator.

To collect diagnostics using the GUI, click Maintenance, and then, under File Management, click
Diagnostics.

You can collect two types of diagnostics. Controller diagnostics collect information only from the controller.
System diagnostics collect information from the controller and all of the APs.

After the diagnostics are complete, the GUI automatically offers the file for download through HTTP, minimizing
the need for an FTP server.

To generate diagnostics on the CLI, use one of the following commands:

• diagnostics-controller generates only controller diagnostics
• diagnostics-ap <ap id> or all generates only AP diagnostics
• diagnostics generates both controller and AP diagnostics

After the diagnostics are created in the CLI, you must use an FTP server to download the file manually.

It is usually necessary to generate only controller diagnostics. For most issues, all the required information is
located in the controller diagnostics file, so you don’t need to collect AP diagnostics as well. Collecting AP
diagnostics is a time- and resource-consuming process, and can disrupt a busy network. Avoid collecting AP
diagnostics unless specifically requested to by support personnel.

This lesson covered the following topics:

• Creating a Problem Statement
• Analyzing Controller Logs
• Collecting Network Connectivity Information
• Collecting Network Performance Information
• Collecting Controller Diagnostics

Troubleshooting—Resolving Issues


In this lesson, you will examine additional solutions for network issues.

In this lesson, you will explore the following topics:

• Resolving Common Connectivity Problems
• Resolving Common Performance Problems
• What to Do If You Can’t Fix the Problem

After completing this section, you should be able to:

• Describe a basic troubleshooting flow for resolving common connectivity issues
• Understand the benefits of a methodical approach to resolving connection issues
• Be familiar with solutions to common connectivity issues

Often, the worst type of troubleshooting is implementing solutions randomly without following any formal
process. You can waste a lot of time trying things that are irrelevant or don’t work. Many people apply the
same solutions to every wireless problem, which can cause more problems than they fix. The best approach
to troubleshooting is methodical, relevant, and driven by a formal process. The flowchart shown on this slide
provides an example of the methodical process that you must employ when troubleshooting. However, you
must adapt this flowchart to the needs of your network.

The flowchart shown on this slide shows a process for troubleshooting the inability of a client to connect to the
network. The first thing you must identify is whether or not the client has connected to the network before.
When a client fails to connect to the network, the person who is troubleshooting the problem often assumes
that there is an underlying wireless issue, and spends hours trying to solve the problem only to discover that
the client is not configured correctly for access to the network. Identifying whether or not the client has
connected successfully before allows you to eliminate irrelevant troubleshooting tasks.

Next, you must identify the client’s MAC address. Identifying the IP address or username, or using other
network services, such as DHCP or DNS, can help you identify the MAC address. After you identify the MAC
address, you must identify whether the client is listed in any of the station tables. If so, you must analyze the
quality of the client connection. Later in this lesson, you will learn how to confirm IP connectivity and DHCP
configuration. If the client is connected and can access core parts of the IP network, then you can assume that
the client is connected correctly. If the client is not connected, then you must analyze the station log to learn
why.

After you learn why the client is not connected, you can start the process of troubleshooting. Several points in
the flowchart might send you to the end of the process, represented on this slide by the red boxes. The green
boxes will contain suggestions for further troubleshooting or possible solutions to the issue. We will describe
some of these in the coming slides. Ultimately, if you can’t solve the problem, log a support ticket to seek
assistance.

If the controller’s device tables show the client is connected but doesn’t show a valid IP address for the
network the client is joining, this can indicate a problem with the underlying DHCP infrastructure.

Depending on the type of client, you might see no IP address at all, or a 169.254.x.x link-local address, in the
device tables, which indicates that the client couldn’t obtain a DHCP IP address. One of the most common
causes of this problem is DHCP scope exhaustion. Often, when a wireless network is first implemented, the
expectation is that only a few clients will use it. However, over time, more and more clients join the network,
especially if it is reliable. The result is that the DHCP scope runs out of IP addresses because it was not
designed to handle so many devices.

Many network managers assume a wireless issue on the controller is causing the connectivity problem. Make
sure that the supporting infrastructure is working for DHCP, as well as other services that the wireless network
relies on, such as the RADIUS server.

More complex networks that use enterprise authentication might contain dynamic VLANs. Dynamic VLANs
depend on the RADIUS server returning the correct VLAN tags; otherwise, the client will be placed in the
incorrect area of the LAN and won’t meet the correct connectivity requirements.

Other IP issues can occur when a device moves between a wireless home network and a wireless work
network. For example, if the end user applies a static IP address to the device manually to access the home
network, the device won’t connect correctly to the work network. Users might also change the IP configuration
of the device to avoid security devices. By default, FortiWLC stops a client from joining a tunnelled wireless
network if the client’s manually configured IP address doesn’t match the IP address range in use on the
wireless network.
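As an added example that is not part of the course, the following Python snippet checks the IP-side causes described above from the administrator's side: it measures DHCP pool utilization from a list of active leases, classifies the address the controller's device table shows for a client (none, 169.254.x.x link-local, in the pool, in the subnet but outside the pool, or outside the subnet altogether), and combines the two into a next troubleshooting step. The subnet, pool boundaries and lease lists are constructed values; in practice the lease list comes from the DHCP server's lease export, which is not modelled here.

```python
import ipaddress

# Constructed scope definition for the wireless VLAN (assumed values: a /24
# with a pool of 151 addresses; reservations live below the pool).
SCOPE = {
    "subnet": ipaddress.ip_network("10.20.0.0/24"),
    "pool_start": ipaddress.ip_address("10.20.0.50"),
    "pool_end": ipaddress.ip_address("10.20.0.200"),
}

# APIPA / link-local range a client falls back to when no DHCP offer arrives.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Constructed active-lease lists: one healthy scope and one that has run out.
HEALTHY_LEASES = [f"10.20.0.{i}" for i in range(50, 90)]      # 40 leases
EXHAUSTED_LEASES = [f"10.20.0.{i}" for i in range(50, 201)]   # 151 leases


def pool_size(scope):
    return int(scope["pool_end"]) - int(scope["pool_start"]) + 1


def scope_utilization(scope, active_leases):
    """Return (used, free, fraction) for the pool. Leases outside the pool
    (reservations, typos in the export) are ignored rather than counted."""
    start, end = int(scope["pool_start"]), int(scope["pool_end"])
    used = len({ip for ip in active_leases
                if start <= int(ipaddress.ip_address(ip)) <= end})
    size = pool_size(scope)
    return used, size - used, used / size


def scope_state(scope, active_leases, warn_at=0.9):
    """'ok', 'nearly-exhausted' (at or above warn_at) or 'exhausted'."""
    _, free, fraction = scope_utilization(scope, active_leases)
    if free == 0:
        return "exhausted"
    if fraction >= warn_at:
        return "nearly-exhausted"
    return "ok"


def classify_client_address(ip_text, scope):
    """Map the address shown in the device table to a failure category."""
    if not ip_text or ip_text == "0.0.0.0":
        return "none"
    ip = ipaddress.ip_address(ip_text)
    if ip in LINK_LOCAL:
        return "link-local"
    if ip not in scope["subnet"]:
        return "outside-subnet"
    if scope["pool_start"] <= ip <= scope["pool_end"]:
        return "in-pool"
    return "in-subnet-outside-pool"


def diagnose(ip_text, scope, active_leases):
    """Combine the device-table address with the pool state into a next step."""
    kind = classify_client_address(ip_text, scope)
    state = scope_state(scope, active_leases)
    if kind in ("none", "link-local"):
        # No lease: either the pool is full, or the request never reached the server.
        return f"dhcp-pool-{state}" if state != "ok" else "dhcp-relay-or-reachability"
    if kind == "outside-subnet":
        # The manually configured address case: such clients are blocked on tunnelled networks.
        return "manual-ip-mismatch"
    return "ip-ok"


if __name__ == "__main__":
    print(scope_utilization(SCOPE, EXHAUSTED_LEASES))
    print(diagnose("169.254.12.7", SCOPE, EXHAUSTED_LEASES))
```

The point of the check is to separate the infrastructure cases (pool full, relay broken) from the client cases (manually set address) before any wireless-side troubleshooting starts.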

A client can often show as connected at layer 2 and may also successfully obtain an IP address; however,
when the end user tries to reach other parts of the network, they find that they can’t.

In this scenario, standard IP troubleshooting tools such as ping and tracert can be used to check
connectivity. An inability to ping a destination resource, such as a file server or a gateway, is most often a
core networking issue. However, an incorrectly configured VLAN profile, or a QoS or firewall rule configured in
the controller, could also be causing the issue. You can check this by enabling additional logging on the
firewall rules and attempting the connection again. Packets that match any firewall rules will be listed in the
syslog.

Outside of these potential issues with the controller configuration, it is likely that the core network is at fault,
particularly if multiple VLANs and access control lists or policies are configured in the core switching or
firewalls.

It can be difficult to diagnose where a connection issue is located. An easy way to narrow it down is to remove
the authentication process. To do this, create an open network on a single interface of the AP that the client is
unable to connect to. If the client can’t connect to the unencrypted network, then there is an underlying RF
issue or AP overloading issue that is causing the connectivity problem. You can also move the network to a
different interface, enabling you to check connectivity on both the 2.4 and the 5 GHz ranges.

If the client can connect to the open network but not the encrypted network, and the client entered the correct
credentials during the authentication process, then RF is not the problem and you should focus your
troubleshooting efforts on the client configuration.

The virtual cell network minimizes the choices that the client has to make about joining a wireless network.
However, one of the choices that you can’t easily control is the band the client connects to. If the wireless
network is advertised both in the 2.4 and the 5 GHz ranges, the client might make the wrong choice. A client
that consistently connects to the 2.4 GHz range instead of the 5 GHz range could have issues with its driver
design, its chipset, or its certification. It is worth noting that not all wireless clients are DFS certified, and so are
not allowed to operate in 5 GHz channels above 60. If you have deployed wireless networks on DFS channels,
you may well find that some clients will never connect to them.

Alternatively, the wireless network configuration might simply need an adjustment to ‘encourage’ clients
towards 5 GHz. You can do this in one of two ways.

The preferable option is to alter the relative signal strength of both AP interfaces to equalize the 5 GHz and
2.4 GHz signal strength. By default, the 2.4 GHz signal tends to be stronger than the 5 GHz signal because of
the differences in signal propagation between the two frequencies. Usually, a reduction of 3 dB is enough to
equalize the signal strength of the two bands. You can reduce the signal strength for all radios at the same
time using the bulk edit feature, which will affect wireless networks that are being broadcast by these radios.

The other option is to enable band steering. This is a function of the ESS profile, so rather than affecting all
devices on the network you can limit the band steering function to a single wireless network. After you enable
band steering, the AP selectively responds to probe requests from the client. It detects probe requests from
the client on frequency ranges the client can support. If the client probes on both the 2.4 and 5 GHz ranges, it
is dual-band capable. If the client probes on only a single band, it is a single-band client.

Band steering can cause problems for specific types of clients. The default setting, Band Steering to N
Band, specifies that any 5 GHz client that is capable of connecting on the 5 GHz 802.11n range is steered to
the 5 GHz range. If the client is an older 802.11a 5 GHz client, Band Steering to N Band causes the
client to remain on the 2.4 GHz range, which is preferable for this older standard because the client
doesn’t use airtime efficiently. To steer all 5 GHz-capable clients to the 5 GHz band, including the
802.11a clients, select Band Steering to the A band.

You should reduce the band steering timeout to two seconds. If a client tries to connect to the 2.4 GHz
range, the AP steers it for two seconds before allowing it to connect to the 2.4 GHz range. Some
clients can be so persistent in their attempts to connect to the 2.4 GHz range that they fail to connect.
The timeout guarantees that the client will be able to connect even if it is being ‘difficult’ about being
steered.

An AP interface can be overloaded as more wireless clients arrive at the network seeking a connection. This
can cause significant performance issues, which, in turn, can lead to unreliable connectivity.

Each radio has only a limited amount of airtime, which clients consume based on their link rates. The higher
the link rate, the less airtime is consumed by the client’s transmission. You can increase airtime by adding
more radio interfaces.

You can add radio interfaces in the same channel layer. This can increase the signal strength for your clients
if the AP is positioned appropriately. As the signal strength increases, the link rate increases. As the link rate
increases, the amount of time taken to transmit data is reduced, which makes more airtime available to other
clients.

You can also increase airtime by adding an AP on a different channel, known as a channel layer. This is the
addition of an AP in the same location as the original, but configured on another channel, which doubles the
amount of airtime available in that particular location.
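The following Python model, added here and not taken from the course, makes the airtime argument concrete: each client's airtime share is its offered load divided by its link rate, inflated by a fixed per-frame overhead, and the two remedies are modelled as either raising everyone's link rate (another AP on the same channel layer, closer to the clients) or splitting the clients across channel layers (a pod on another channel). The link rates, loads and the 30% overhead figure are assumptions chosen for illustration, not measurements from any network.

```python
# Constructed clients on one radio: (name, negotiated link rate in Mb/s,
# offered load in Mb/s). All values are assumptions for the example.
CLIENTS = [
    ("laptop-1", 130.0, 5.0),   # two-stream 802.11n client close to the AP
    ("phone-1", 65.0, 2.0),     # single-stream client
    ("legacy-1", 6.0, 1.0),     # distant or old client stuck at a basic rate
]

# Assumed fixed share of each transmission spent on preamble, ACKs and
# contention; it does not shrink when the link rate goes up.
PROTOCOL_OVERHEAD = 0.3


def airtime_fraction(link_rate_mbps, load_mbps, overhead=PROTOCOL_OVERHEAD):
    """Share of one radio's airtime a client needs to carry its load."""
    return (load_mbps / link_rate_mbps) * (1 + overhead)


def airtime_by_client(clients, overhead=PROTOCOL_OVERHEAD):
    return {name: airtime_fraction(rate, load, overhead) for name, rate, load in clients}


def radio_utilization(clients, overhead=PROTOCOL_OVERHEAD):
    """Total airtime share the radio spends serving these clients (1.0 = saturated)."""
    return sum(airtime_by_client(clients, overhead).values())


def heaviest_airtime_consumer(clients):
    """The client costing the most airtime; with low link rates this is usually
    not the one moving the most data."""
    shares = airtime_by_client(clients)
    return max(shares, key=shares.get)


def with_better_link_rates(clients, factor=2.0, max_rate_mbps=300.0):
    """Model adding an AP to the same channel layer: higher signal strength,
    so every client negotiates a higher link rate (capped at the radio's top rate)."""
    return [(name, min(rate * factor, max_rate_mbps), load) for name, rate, load in clients]


def with_extra_channel_layer(clients, layers=2):
    """Model a pod on another channel: clients spread over `layers` radios.
    Returns the per-layer utilization assuming an even split."""
    return radio_utilization(clients) / layers


if __name__ == "__main__":
    print("now:", round(radio_utilization(CLIENTS), 3))
    print("heaviest:", heaviest_airtime_consumer(CLIENTS))
    print("same layer, 2x rates:", round(radio_utilization(with_better_link_rates(CLIENTS)), 3))
    print("second layer:", round(with_extra_channel_layer(CLIENTS), 3))
```

With these numbers the legacy client at 6 Mb/s costs about 22% of the radio's airtime to move 1 Mb/s, more than the laptop and phone together, which is why raising link rates (or removing low-rate clients from the cell) frees airtime faster than the traffic figures alone would suggest.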

(slide contains animations)

This slide shows an example of a simple floor plan that contains a single AP. The original design survey
specified the position of the AP to meet coverage requirements. Therefore, the AP shown in this example is
connecting at -60 dB. This meets the coverage requirements; however, channel utilization is high in this area.
You can increase the efficiency by adding another AP to the same channel.

(click)
Positioning the additional AP to maximize the signal strength for as many clients as possible results in more
efficient use of airtime, assuming the client is capable of higher link rates. The additional AP also provides
another wired connection to the network, which can also increase performance. No special channel
configuration is required.

However, the AP neighbour count can increase if you continue to add APs. If the AP neighbour count exceeds
10, then overall performance can decrease.

(slide contains animations)

This slide shows the same client and AP as the previous slide. Each AP interface broadcasts a virtual cell;
because it is a dual-band AP, there is one virtual cell on 5 GHz and one on 2.4 GHz.

(click)
Adding an additional AP on a different channel layer doubles the amount of available airtime by doubling the
number of available virtual cells and channel layers. The original AP is configured to use channel 1 in the
2.4 GHz range and channel 36 in the 5 GHz range. Adding the additional AP to a different channel layer
means that the new AP is configured to use channel 6 in the 2.4 GHz range and channel 52 in the 5 GHz
range. There are now two virtual cells in 2.4 GHz and two in 5 GHz, doubling the amount of airtime.

You must place the additional AP beside the original AP in an arrangement that is referred to as a pod. This
ensures that both APs appear to the client to have approximately the same signal strength, to prevent the
client from favoring one AP over another. You must place the APs a minimum of 8 feet (2.4 meters) apart to
avoid interference.

This implementation requires complex ESS profile configuration and planning. It can also cause roaming,
which can cause problems for applications that rely on seamless mobility.

The configuration shown on this slide is an advanced design, so it is not covered further in this course. The
example serves only to illustrate that you can scale up virtual cells to support more and more clients.

In many networks, specifically networks in towns and cities, neighboring wireless devices and networks can
cause problems for your wireless network. The wireless frequency that your AP is tuned to is a shared
environment. If other APs are within range and using the same frequency, they will generate channel utilization,
which will show in the Radios dashboard. This can result in channel utilization higher than you would expect
from traffic on your own network. Neighboring sources of interference can also cause problems.

You must plan your network to account for other networks or interference sources in the environment. Usually,
the first step is to audit your local environment. You can do this by enabling Rogue Detection and then using
the Discovered Devices and Rogue Devices tables available on the controller GUI to identify channels that
have many APs and clients, and poorly configured wireless networks (for example, 2.4 GHz networks that
are configured with inappropriate channels).

If possible, you should enable spectrum analysis and then use the Channel Availability tab to measure the
channel quality. The spectrum manager will also tell you about any detected noise sources and allow you to
locate neighboring interference.

After you gather this information about your neighbouring wireless networks or interference sources, you can
approach the neighbors to ask them to consider reconfiguring their network to use the correct channels, or to
agree to a channel plan that allows you to use a single channel for your virtual cell and the remaining
channels for their network. You could also ask them to disable or remove the interference source. The
neighbor will also benefit from correct network design and neutralization of interference.

If it is not possible to mitigate issues caused by neighbouring networks or interference sources, you can
potentially reconfigure your network to avoid them. A single channel architecture can be configured to use
the channels that are least occupied, least utilized, and least interfered with. Traditional microcell or native
cell FortiWLC networks are more difficult to reconfigure because of the limited number of channels traditionally
available (3 in the 2.4 GHz range).

This slide shows an example of a Discovered Devices table for a controller that has several neighboring
wireless networks. You can filter the table by device type to select the access points, and sort by packets
received, to display the busiest access points at the top of the table.

The table shows signal strengths of the networks, and the channels used. The example on this slide shows
that channel 1 is busy, and also that the APs are poorly configured to use channel 4. This will cause problems
in channels 1 and 6.

The example on the slide also shows how you can activate the spectrum manager and use the Channel
Availability tab to see that there is a small amount of noise being detected around channel 11. In this
example, channel 6 might be the better option for the single channel layer in the 2.4 GHz range, however, you
should get the AP that is on channel 3/4 reconfigured if possible.
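To turn a table like the one on this slide into a channel choice, here is an added Python example (not part of the course) that scores each 2.4 GHz plan channel by the overlapping neighbour load from the Discovered Devices rows plus any noise reported by the Channel Availability tab, and reports which plan channels a misconfigured neighbour disturbs. The discovered-AP rows, the noise reading and the weighting constants are constructed; the overlap model is the usual approximation that two 20 MHz channels on the 5 MHz 2.4 GHz grid stop overlapping at a separation of five channels.

```python
# Constructed rows from a Discovered Devices table filtered to access points:
# (BSSID, channel, signal dBm, packets received). Addresses are made up.
DISCOVERED_APS = [
    ("02:00:00:00:00:01", 1, -55, 9000),
    ("02:00:00:00:00:02", 1, -62, 7000),
    ("02:00:00:00:00:03", 1, -70, 3000),
    ("02:00:00:00:00:04", 4, -60, 6000),   # off-plan channel; overlaps 1 and 6
    ("02:00:00:00:00:05", 11, -60, 4000),
    ("02:00:00:00:00:06", 6, -80, 500),
]

# Constructed Channel Availability reading: fraction of time noise was seen.
NOISE_FRACTION = {11: 0.2}

CANDIDATE_CHANNELS = (1, 6, 11)   # the usual non-overlapping 2.4 GHz plan
NOISE_WEIGHT = 10.0               # assumed: a fully noisy channel counts as 10 load units


def spectral_overlap(ch_a, ch_b):
    """Approximate overlap of two 20 MHz channels: 1.0 on the same channel,
    tapering linearly to 0 at five channels apart."""
    return max(0.0, 1.0 - abs(ch_a - ch_b) / 5.0)


def rssi_factor(rssi_dbm):
    """Scale a neighbour's influence by how loud it is: -90 dBm -> 0, -50 dBm -> 1."""
    return max(0.0, min(1.0, (rssi_dbm + 90) / 40.0))


def neighbor_load(row):
    _, _, rssi, packets = row
    return packets / 1000.0 * rssi_factor(rssi)


def channel_scores(aps, noise, candidates=CANDIDATE_CHANNELS):
    """Lower is better: overlapping neighbour load plus weighted noise."""
    scores = {}
    for ch in candidates:
        score = sum(spectral_overlap(ch, row[1]) * neighbor_load(row) for row in aps)
        score += noise.get(ch, 0.0) * NOISE_WEIGHT
        scores[ch] = round(score, 3)
    return scores


def ranked_channels(aps, noise, candidates=CANDIDATE_CHANNELS):
    """Plan channels ordered from least to most interfered with."""
    scores = channel_scores(aps, noise, candidates)
    return sorted(scores, key=scores.get)


def channels_hurt_by(channel, candidates=CANDIDATE_CHANNELS):
    """Which plan channels a neighbour on `channel` overlaps (the case for
    asking that neighbour to move to 1, 6 or 11)."""
    return [c for c in candidates if spectral_overlap(c, channel) > 0]


if __name__ == "__main__":
    print(channel_scores(DISCOVERED_APS, NOISE_FRACTION))
    print("best first:", ranked_channels(DISCOVERED_APS, NOISE_FRACTION))
    print("channel 4 disturbs:", channels_hurt_by(4))
```

With the constructed rows the ranking comes out as 6, then 11, then 1, matching the reasoning on the slide: channel 1 carries the most neighbour load, channel 11 is penalized by its noise, and channel 6 only suffers from the off-plan neighbour on channel 4.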

The wireless network state is only half of the equation when looking at connection issues.

A client’s type, configuration or drivers can also cause connection or performance issues.

Wireless client vendors often introduce bug fixes in the form of updated drivers. Many laptop manufacturers
install the latest driver that is available at the time of manufacture, however, unless the driver is updated
regularly, it could miss many enhancements and bug fixes. So, when faced with a driver-related problem, you
should investigate the drivers that are available and upgrade to a later version to see if that fixes the issue.

It is also possible for drivers to introduce a compatibility issue. Many operating systems update drivers
automatically. Or, in the case of handheld devices such as iPhones and iPads, when the operating system is
updated, the drivers are updated too. You should investigate whether a recent operating system upgrade or
driver upgrade has taken place. If so, temporarily downgrade the operating system or drivers to see if the
issue resolves.

Driver configuration can also be a source of client compatibility issues. Many devices have advanced
functionality that can cause compatibility issues. Some devices have multiple settings that can be changed,
and some of these settings can cause compatibility issues. For example, you can often fix client connectivity
problems by turning off power save mode on the device.

Some vendors allow the customization of client roaming behaviour using settings in the driver. Some drivers
allow you to control the frequency range the client prefers to connect to.

Try disabling or changing the advanced driver functions, and then observe the effect on the problem.

Driver upgrades, downgrades, or reconfiguration might not result in any change in behaviour. Sometimes, it is
a good idea to isolate the wireless client as the source of a problem by installing a known good wireless client
in its place. This can reveal the component that is causing the problem.

Many devices used in a home or small office environment have not been tested for compatibility with more
complex and challenging enterprise wireless networks. The Wi-Fi Alliance is an independent organization
funded by the wireless industry. One of the services it offers is client certification. The alliance tests wireless
clients and wireless APs to verify compatibility before it issues a certification. Certification is not a guarantee
of compatibility, but it proves that the client has been tested in an enterprise environment.

The Wi-Fi Alliance website includes a certification database that you can search to verify whether a client has
been certified.

Good job! You now understand how to resolve common connectivity problems.

Now, you will examine the following topics:

• Resolving Common Performance Problems
• What to Do If You Can’t Fix the Problem

After completing this section, you should be able to:

• Describe a basic troubleshooting flow for resolving common performance issues
• Understand the benefits of a methodical approach to resolving performance issues

The example on this slide shows a set of tasks similar to the connection troubleshooting flowchart.
Performance problems can be caused by issues similar to those that lead to connectivity problems.

Many of the solutions examined for connectivity issues are relevant to performance issues as well.

Performance problems can be difficult to reproduce. Having tools that allow you to perform a stress test on a
wireless connection can help uncover wireless performance problems. At its most basic, a test tool should be
able to generate a load. This could be as simple as a file copy, but this does not necessarily provide the most
repeatable results because of the reliance on other components in the system, such as hard disk speed.

Use a utility that is designed for network testing, and select one that has both a client and a server
component. This allows the server to be located in the core of your network, so that when you perform a test,
you are testing the limit of your wired and wireless connection.

Avoid utilities that are designed for broadband testing. They usually use servers on the Internet, so when
you’re performing tests you are also testing the performance of your broadband link.

There are many suitable utilities. For example, Iperf is an open source, industry-standard utility that is suitable
for wireless testing. However when you conduct these types of throughput tests, you must understand the
relevance of the results you’re getting. To know if a client is slow, you must have a baseline to compare it to.

If you can go to another part of the network, or perform a test during a quieter part of the day, you can get a
good idea of the performance a client is capable of. Then, when you test a problem client, or in a problem
location, you will see if there is a performance problem by comparing the results.

Good job! You now understand how to resolve common connectivity and performance problems.

Now, you will examine the following topic:

• What to Do If You Can’t Fix the Problem

After completing this section, you should be able to assemble the information needed to quickly resolve a
support request.

Some wireless issues are not easily solved without the support of either the wireless network vendor or the
client hardware vendor. Problems can occur inside drivers, or AP and controller code, that are not easy to
diagnose without specialist knowledge and tools.

When logging a support ticket, it is critical to include as much information as possible about the nature of the
problem and the part of the network that is potentially causing the problem to help make the resolution faster.

Include the following critical elements in a support ticket:

• The problem statement. This provides a complete picture of the nature of the problem and its impact on the
network.
• The priority. Assigning a fair priority to a problem will likely result in the truly critical problems being
resolved more quickly. If all problems are deemed to be critical, then troubleshooting efforts become
diluted.
• Any related tickets. If there are any other problems with the wireless network, other tickets might be open.
Sometimes these tickets might not seem to be related, but it is good practice to include any ticket numbers
that are currently open.
• A summary of the troubleshooting steps taken so far avoids repetition. If it is clear to the support team what
steps have been taken and what the results were, then you won’t be asked to repeat those steps unless
there’s a good reason to do so.
• The controller type and software version, together with the AP type that is having the problems, can result
in a faster solution.
• The diagnostics log collected in the information gathering phase provides the support teams with all the
information they need about the wireless controller.

Highly recommended items to add to a support ticket include:

• A network diagram. This will help support teams visualize the size and nature of your network.
• The IP schema and any VLAN information.
• A copy of the station log, if the problem is related to station connectivity. This can be captured on the
terminal client. PuTTY and Tera Term can output terminal text to a file you can attach to the ticket.
• The details of any operating systems in use, including the underlying infrastructure servers as well as the
client operating systems.
• The specification and wireless capability of the clients—the standards, frequency ranges, and connection
rates they can support. The make and model of the device together with the driver versions are also useful.
If there is a known problem with a particular driver version of a commonly used wireless client, it will
become immediately apparent during the initial support engagement. If you are using any non-standard
settings on the wireless client, perhaps to work around any previous problems, describe them or it will be
assumed that the driver is in its default state.

If you include all of this information, the support team won’t have to ask for more information, which can make
the process much shorter.

This lesson covered the following topics:

• Resolving Common Connectivity Problems
• Resolving Common Performance Problems
• What to Do If You Can’t Fix the Problem

Managing and Maintaining The Network

DO NOT REPRINT
© FORTINET

In this lesson, you will learn how to perform basic management and maintenance on your FortiWLC controller.
These are the tasks that you may need to perform on a day-to-day basis.


After completing this lesson, you should be able to:


• Reboot and power off the controller
• Back up and restore controller configuration
• Add device fingerprints
• Manage rogue devices
• Replace failed APs


After completing this section, you should be able to reboot the controller and APs through the CLI and GUI.
You should also be able to shut down the controller. These are basic but important tasks.


Occasionally, you will have to reboot or power off the controller.

Reboots are required when making changes to the core networking configuration, such as reconfiguring the
physical network interfaces or restoring configuration from a backup file.

By default, FortiWLC APs broadcast networks in tunnel mode. When you reboot the controller, clients
connected to tunnelled networks drop their connection until the AP and controller restart. Clients connected to
bridge mode networks maintain their connection to their current AP, but will not seamlessly roam to
another. These clients will also not be able to establish connections to new APs until the controller connection
is reestablished.

You can power off the controller from the CLI only; you cannot power it off from the GUI.

Depending on the type of controller, the power off command stops the operating system and cleanly shuts
down the file system. Some controllers will turn off automatically and some need to be turned off manually,
using the power switch. Typically, you power off the controller only when you need to relocate it or replace it.


When you reboot the controller from the GUI, you can reboot:
• The controller only
• The APs only
• Both the controller and the APs

You can’t select APs that are not online.

Note: By default, all online APs are selected. If you don’t want to reboot an AP, you must make sure that it is
not selected before you select the reboot option.


You can also reboot the controller from the CLI.

As with the GUI, when you reboot from the CLI, you can reboot:
• The controller only
• The APs only
• Both the controller and the APs

Using the reload default command resets the configuration of the controller to the default configuration.
The current configuration is deleted, but licenses, certificates, and users created in the controller’s user
database are not deleted.

To delete and reset everything, use the reload default factory option. This option performs a
complete factory reset of the controller. Licenses, certificates, and users in the database are deleted.

When you perform a reboot, any unsaved controller configuration is lost, but you are reminded during the
reboot process to save it if required. You can power off the controller using the poweroff controller
command. There are no options for this command. There is a yes or no confirmation, but after you respond,
the controller shuts down. If you are powering down across a console cable, you will see various messages as
the services stop. If you are powering down across an SSH network connection, you will not see the complete
list of messages, because the network connection is terminated before the final shutdown.

After powering off the controller, it is recommended that you wait a few minutes to ensure that the file system
is shut down cleanly, before turning off the power switch.


Good job! You now know how to reboot and power off the controller. Next, you will learn how to back up and
restore the controller configuration.


After completing this section, you will:


• Understand both backup types
• Know when to use both backup types
• Be able to perform both backup types

Performing a backup is one of the most critical tasks that you will have to perform on a regular basis.


As with any other device on your network, the controller contains important information that will require
backup. It is likely that a considerable amount of time has been spent configuring the network to get it the
way you want it; recreating it in the event of a hardware failure is usually a costly and time-consuming
exercise.

All of this configuration information is stored in files on the controller file system. In the event that your
controller fails and has to be returned to Fortinet, you will need to ensure that you have made sufficient
backups AND have copied them from the controller to a safe location.

System Director does not back up automatically. Backups have to be performed manually, and we recommend
that you perform a backup after any configuration change. There is an optional product called FortiWLM
Network Manager that can perform automatic, scheduled backups for you.

It should be noted that some of the backups are stored in plain text; as a result, passwords and pre-shared
keys are stored in the clear. Make sure that these backups are stored securely.


There are two types of backups.

Configuration backup:
• Contains the running configuration of the controller, which contains the majority of the configuration
information
• The simplest and quickest to perform

System configuration backup:
• Contains the configuration information of the controller
• Contains copies of the licenses, certificates, and any users created on the controller

Typically, you perform a configuration backup when making minor configuration changes and a system
configuration backup after making major changes.

The system configuration backup can be downloaded only over FTP/SCP. A configuration backup can be
downloaded through the GUI or over FTP/SCP.


The running configuration holds the current controller configuration and it is held in memory. It does not exist
as a file. If you make changes to the configuration, for instance adding a network, these changes are made to
the running configuration in memory only. When you save the changes, the configuration in memory is
copied to a file on the file system called startup-config.

You can create backups of the configuration by copying either the running config or startup-config to a file
located on the controller file system.

Depending on the model of the controller, storage consists of either an SSD or a compact flash card. The file
can be called anything (within the Linux file system limitations) and you can keep many copies of the
configuration. You are limited only by the size of the storage on the controller. Being text based, these files are
fairly small.

It is also possible to copy the configuration directly to an FTP or SCP server.

To list the contents of the storage, use the dir command. This will show you any existing backup files on the
system.


For quick and easy backups of the controller, the GUI is often the best place to go. When you select a
configuration file to export, the browser downloads it to your local machine without needing an FTP or
SCP server.

You can download:
• The running configuration, which is the configuration that is active on the controller
• The start-up configuration, which is the configuration that the controller uses when it starts up

It is also possible to import a configuration; again, the browser uploads the file without the need for an FTP
or SCP server.


You need to be in configuration mode to use the sysconfig command; enter this mode by typing
configure terminal.

Issuing the sysconfig backup command generates a tarball backup file. The file name consists of the
host name, model number of the controller, software version, the date of the backup, and the time of the
backup. The file name is generated automatically.

Sysconfig tells you the name of the backup file so that you can copy it to an FTP or SCP server. You cannot
download this file from the GUI.

You can open the file using a utility such as WinRAR or similar.


Before performing a configuration restore, copy the config file to the controller. You can do this using an FTP
command or from the GUI.

If you are using the CLI to perform the restore, you must copy the backup file to a temporary file on the
controller file system first. You then copy the temporary file to the running configuration. Once the temporary
file is in the running configuration, you save it to the startup configuration by issuing a copy command.

You must restart the controller for the configuration to take effect.


Before performing a full sysconfig restore, you have to upload the file to the controller using FTP or SCP.

Once the file is uploaded, use the sysconfig restore command and specify the file name. Sysconfig will
restore the configuration.

You must restart the controller for the configuration to take effect.


Now, you will watch a short video that shows both the local and remote backup processes, as well as how to
perform a full system backup by using the CLI.


Good job! You now know how to back up and restore the controller configuration. Next, you will explore how
to add device fingerprints.


After completing this section, you will know:
• The contents and purpose of a device fingerprint
• The process for collecting a new fingerprint and importing it into the controller


Fingerprints are strings of characters passed from the client to the DHCP server during the DHCP request.
The strings of characters are formulated by the vendor of the client hardware and OS.

SD collects this information and displays it on the dashboard and in the client information tables. This
information gives you a good view of the type of clients that are coming to your network.

One example of how fingerprints can be used is passing them on to the Fortinet Connect appliance. Fortinet
Connect can use the information found in fingerprints to determine RADIUS responses. For example, a Fortinet
Connect policy may allow a user to connect from a Windows-based operating system, but not an Android-based
one.

System Director by itself can only monitor and display fingerprint information about clients; it cannot take any
action on it.


The dashboard view provides a graphical representation of the stations in the network. It can also show the
stations in list format.

When a device type is listed as Unknown, this means that the controller has a DHCP fingerprint for that
device, but the controller cannot find a reference for the fingerprint in the fingerprint database. Therefore, that
device type is identified as unknown.

When you see the classification of Others, this means that the controller has detected the fingerprint and
successfully found it in the database, but there are not enough devices of that type to be
represented as a slice of the pie.


When the controller examines packets in a DHCP exchange, it is looking for two pieces of information: option
55 and option 60.

The controller extracts the strings and compares them to a database. If the string matches an entry in the
database, that entry is then displayed in the station details and on the dashboard.

The contents of option 55 are created by the OS DHCP client. The contents include a list of IP parameters
that the client requires, such as DNS server, NTP server, broadcast address, and so on. The precise order
and number of entries requested is specific to the OS type, so the fingerprint allows you to identify the OS that
is in use. However, there is no guarantee that the same fingerprint is not used by two different OSs.

The contents of option 60 are also created by the DHCP client. In option 60, the client identifies itself using a
device string. The string is known as the VCI option or vendor class identifier. This option identifies the
hardware type. For example, legacy Meru APs identify themselves according to their family type.

The strings are collected in hexadecimal format. Option 60 strings are prefixed with the characters 3c and
option 55 strings are prefixed with 37 (the option numbers 60 and 55 in hexadecimal). The controller compares
the strings to the database. The database contains fingerprints for a large number of client types; however,
you can add your own, and SD updates also add new entries.


Question: Given the reliance on DHCP, what are the two instances when a device fingerprint will not be
available?

The controller will not return a match if its database does not contain a matching entry; however, one of the
main reasons is that the station has a static IP address. As no DHCP exchange took place, there was no option
information for the controller to examine.


If you have an unknown device on your network that you want to fingerprint, it is possible to add your own
fingerprint signature to the database.

It is a two stage process: find the fingerprint then add it to the database.

There are two ways to find a fingerprint: capture a DHCP exchange and look for options 55 and 60, or use a
community resource such as www.fingerbank.org.

Some DHCP servers can display client DHCP fingerprints. Unfortunately, Windows DHCP servers don’t do
this. If you can’t find the fingerprint, then the only option is to capture the DHCP exchange. This can be done
using traditional packet capture methods, using a network tap, or using a port mirror. However, the easiest
way to capture the DHCP exchange is to use FortiWLC.

Once you have the fingerprints, you can use the CLI or GUI (depending on the version of SD) to add them to the
database.

Always keep a separate record of the fingerprints, perhaps in a separate spreadsheet. SD upgrades can
overwrite or delete user-added fingerprints.


The controller has a limited capacity to capture traffic. The controller has a limited amount of storage, so
captures are limited to 10 MB. You can use a capture filter so that the controller focuses on only the
exchanges between the client that you need to fingerprint and the DHCP server. Using a filter also makes
analysis easier.

To simplify the capture process, it is best to create a temporary, unencrypted tunnelled network for your
unknown clients to connect to.

You can capture packets using the CLI. There is a dedicated folder used to store captures. Use the capture
command and insert your client MAC address and DHCP server IP address:

capture-packets -w cap.pcap -S -i eth0 \(ether host <mac of client> or host <IP address of DHCP Server>\) and \(udp port 68 or udp port 67\)

Once the capture starts, you will need to get your client to connect, to generate a DHCP exchange. A
successful exchange consists of around four packets. You are looking for a DHCP discover packet.

Once you have the packets, press CTRL+C to stop the capture, then copy the capture file from the controller
using FTP.


To analyze the capture, you will need a workstation with Wireshark installed. Wireshark is the most popular
open source network analyzer. When you are installing Wireshark, you need to install only Wireshark, and not
the associated capture modules (WinPcap).

Open the .pcap file with Wireshark. If your capture filter worked, you should see a small number of DHCP
packets. You need to locate the DHCP packets that come from the client. Typically, the best packet to
select is the DHCP discover packet.

In the middle pane of the Wireshark interface you will see the packet details. Expand the Bootstrap Protocol
section and you will see the options sent by the client. Options 55 and 60 should be there.

Select each option in turn and expand it to see the details. Right-click the option in the packet details, select
Copy, then “…as a Hex Stream”, and paste the result into a text editor. The final step is to remove the length
field; this is usually the second byte (the second pair of hex characters) in the stream, 07 in the example above.
If you are unsure which byte is the length field, select the Length field in the packet details and Wireshark will
highlight the corresponding bytes in the decode. Remove these from the hexstream as shown in the slide. This
will give you the final fingerprint stream, in this example an option 55 fingerprint.


If you don’t want to capture packets, there are other resources you can use, for example, fingerbank.org. This
is a community maintained resource where people upload DHCP fingerprints of clients. You can search on
your device type and you will get a decimal copy of the fingerprint.

Once you have the decimal fingerprints, you need to turn them into hexadecimal. You can do this using an
online utility. Each decimal number must be translated into a two-character hex number
(http://www.binaryhexconverter.com/decimal-to-hex-converter). If you are translating a vendor code, the entire
text must be converted to hex (http://www.swingnote.com/tools/texttohex.php).

Using the option in the slide:
• 1 translates to 01
• 3 translates to 03
• 6 translates to 06
• 15 translates to 0f
• 119 translates to 77
• 252 translates to fc

The hex conversion of the fingerbank.org decimal string is 0103060f77fc.

In fingerbank, the DHCPv4Fingerprint is the option 55 entry. The DHCPv4 vendor entry (if there is one) is the
option 60 entry. To make the fingerprint an:
• option 55 fingerprint, prefix the string with 37.
• option 60 fingerprint, prefix the string with 3c.
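The whole fingerprint procedure described in this section (pulling options 55 and 60 out of a DHCP discover, dropping the option length byte, converting fingerbank decimal codes to two-character hex, and adding the 37 or 3c prefix) as one worked example. This is added code, not from the study guide or from Fortinet, and it does not touch the controller: the DHCP DISCOVER payload it parses is constructed inside the block, the client MAC in it is made up, and "MSFT 5.0" is used as the vendor class string because Windows DHCP clients commonly send it. A station with a static IP never sends DHCP at all, which is why nothing can be fed into this code for it.

```python
"""DHCP fingerprint strings in the format the section describes (added example)."""

OPT_MESSAGE_TYPE = 53
OPT_PARAM_REQUEST_LIST = 55   # 0x37 -> fingerprint prefix "37"
OPT_VENDOR_CLASS_ID = 60      # 0x3c -> fingerprint prefix "3c"
OPT_PAD, OPT_END = 0, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 cookie that precedes the options
BOOTP_HEADER_LEN = 236               # fixed BOOTP fields before the cookie


def fingerprint_from_decimal(params):
    """fingerbank.org lists option 55 as decimal codes (1,3,6,15,119,252):
    each code becomes one two-character hex byte; the result is prefixed with 37."""
    if any(not 0 <= p <= 255 for p in params):
        raise ValueError("DHCP parameter codes are single bytes (0-255)")
    return "37" + bytes(params).hex()


def fingerprint_from_vendor(vendor):
    """Option 60 is text; the entire string is hex encoded and prefixed with 3c."""
    return "3c" + vendor.encode("ascii").hex()


def parse_dhcp_options(payload):
    """Walk the type-length-value options after the BOOTP header and cookie.
    Returns {option code: value bytes}. The length byte is not kept, which is
    the field the text tells you to strip from the Wireshark hex stream."""
    cookie_end = BOOTP_HEADER_LEN + len(MAGIC_COOKIE)
    if len(payload) < cookie_end or payload[BOOTP_HEADER_LEN:cookie_end] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload: magic cookie missing")
    options, i = {}, cookie_end
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def fingerprints_from_dhcp(payload):
    """(option 55 fingerprint, option 60 fingerprint); None where the client
    did not send that option, which is why some devices stay Unknown."""
    opts = parse_dhcp_options(payload)
    fp55 = "37" + opts[OPT_PARAM_REQUEST_LIST].hex() if OPT_PARAM_REQUEST_LIST in opts else None
    fp60 = "3c" + opts[OPT_VENDOR_CLASS_ID].hex() if OPT_VENDOR_CLASS_ID in opts else None
    return fp55, fp60


def build_discover(params, vendor=None):
    """Constructed DHCP DISCOVER (UDP payload only) used to exercise the parser."""
    hdr = bytearray(BOOTP_HEADER_LEN)
    hdr[0], hdr[1], hdr[2] = 1, 1, 6               # BOOTREQUEST, Ethernet, hlen 6
    hdr[28:34] = bytes.fromhex("020000000001")     # constructed client MAC (chaddr)
    body = hdr + MAGIC_COOKIE
    body += bytes([OPT_MESSAGE_TYPE, 1, 1])         # message type 1 = DISCOVER
    body += bytes([OPT_PARAM_REQUEST_LIST, len(params)]) + bytes(params)
    if vendor is not None:
        v = vendor.encode("ascii")
        body += bytes([OPT_VENDOR_CLASS_ID, len(v)]) + v
    body += bytes([OPT_END])
    return bytes(body)


if __name__ == "__main__":
    pkt = build_discover([1, 3, 6, 15, 119, 252], "MSFT 5.0")
    print(fingerprints_from_dhcp(pkt))                 # ('370103060f77fc', '3c4d53465420352e30')
    print(fingerprint_from_decimal([1, 3, 6, 15, 119, 252]))
```

The option 55 result for the slide's decimal list matches the 0103060f77fc string above with its 37 prefix; the parser produces the same value directly from the packet, so the two routes (capture or fingerbank lookup) can be checked against each other before an entry is added to the database.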


In this video example, you will see how to view fingerprints, capture fingerprints at the controller, and import
fingerprints into the database.


Good job! You now know how to collect and add device fingerprints.


After completing this section, you should be able to:
• Describe a rogue device
• Detect a rogue device
• Classify and manage rogue devices


First, what do we mean by a rogue device?

In the FortiWLC world, any AP that is not connected to the controller is defined as a rogue AP. Also, any
device associated to a rogue AP is considered to be a rogue station.


There are two main reasons why you should not have rogue APs inside your facility.

First and foremost, rogue APs can present a security issue. It’s quite possible for a well-meaning employee to
install their own AP to provide connectivity for their own device or their colleagues’ devices. This AP may
not be configured appropriately, perhaps offering an open network without any form of encryption. This would
allow a potential attacker an easy method of entry into your network.

It’s also possible that a bad actor might try to gain access to your network. One of the ways that they might
try to gain access is to gather passwords from unsuspecting users connecting to an AP that is controlled by
them, rather than by your network. They can do this by setting up an AP that impersonates your network by
broadcasting your SSID. This allows man-in-the-middle attacks with the potential of gathering end-user
passwords.

Rogue APs can also present a performance problem. Wireless standards dictate that neighbouring wireless
networks must give way to each other when transmitting. This means that any unauthorized APs in your
airspace could be reducing the amount of airtime available to your clients. Of course, not all APs that you
detect will be inside your facility. It is very likely that they could be neighbouring APs legitimately using the
frequency.

Ultimately, it is good practice to monitor your airspace and ensure that you detect, classify, and potentially
act on any rogues that are detected.


When rogue detection is turned on (it is turned off by default), AP interfaces occasionally search for rogues. If
an AP radio interface has one or more devices associated to it, it will search the channel it is configured for
(sometimes called the home channel) when it is not actively servicing clients.

If a radio interface does not have any devices associated to it, it will search all channels in both the 2.4 GHz
and 5 GHz bands. You can dedicate a radio interface to only search for rogues; this is called scanning mode.

When a rogue is detected, an alarm is generated by any of the APs that can hear the rogue. These alarms
help you determine where the rogue device is.

MiFi devices and other 802.11 ‘ad-hoc’ networks are not detected; only networks that advertise themselves in
802.11 ‘infrastructure’ mode are detected as rogue APs.


Rogue detection is disabled by default on the controller. You can enable it from the Rogue APs option.

It’s important to note that simply turning on the feature will not cause APs to start detecting rogues. APs need
to be nominated as rogue detectors. You do this by adding them to the AP list. Not all APs need to be able to
detect rogues: they only need to detect the management frames broadcast by rogue APs. These frames are
transmitted at the lower link rates and as a result can be detected at a reasonable distance. It’s usually sufficient
to enable rogue detection on one in every three access points.


Once you’ve detected a rogue, how do you determine if it’s a security threat?

The most direct indication of a security risk is if you see another AP offering the same SSID as your network.
For example, if your corporate network is called Staff and you see another AP broadcasting the same SSID,
there is a good chance that your clients will try to connect to it. This can allow a bad actor to perform a
man-in-the-middle attack in an attempt to gain data such as passwords or credentials.

You can also assess a rogue by its location, using basic triangulation and measuring the signal strength.


If a rogue AP is broadcasting any of your SSIDs – your network names – you should assume that it is
unfriendly. An appropriate response is to mitigate the rogue. This is true whether the rogue is in your buildings
or outside.


If a rogue AP is not broadcasting any of your SSIDs, it may or may not be friendly. An appropriate response is
to locate the rogue. You can locate the rogue using the data in the Rogue AP table. The RSSI columns give a
relative distance from each AP that is reporting the rogue.

In a typical network deployment, you will have a pervasive signal strength of between -62 and -70 dBm. If you
detect a rogue AP with a signal strength stronger than that, then that is a good indication that the AP is inside
your premises.


In this example, there are at least two APs that detect the rogue at an RSSI stronger than -70 dBm. This indicates
that the AP is inside the building.


For rogues outside our walls, we would expect to see them at an RSSI of less than -70 dBm, a weaker signal.


In this example, the rogue is at an RSSI of less than -70 dBm and, as a result, is likely to be outside of your
walls.

The AP is not broadcasting the Staff SSID and its signal is weak. This indicates that it is a neighbouring AP,
and is likely to be legitimate.


What could you do about rogue devices once you detect them?

If the rogue device is in your building or campus, you might want to find it and turn it off. You might also leave
it alone, if you believe that it is there for a legitimate reason.

You also have the option to mitigate. This is usually a last resort because it involves configuring the network to
prevent clients from associating with designated APs. You should consider mitigation very carefully, because
mitigation of a legitimate AP can result in loss of wireless connectivity for legitimate users.


To find the location of a rogue, you triangulate using the relative RSSI indications to get a sense of where the
rogue is and then go looking for it. There are several techniques you can use to find the rogue.

You can use directional antennas and a program like Metageek’s InSSIDer to see the strength of the signal for
the SSID the rogue is broadcasting. As you move around, the signal strength will increase or decrease and
you can use that information to guide you to the source – the rogue itself.


Once you have classified the AP as a friendly device, you can enter it into the Allowed APs list.

If rogue detection is enabled, it is a good practice to classify rogues on a regular basis. This keeps your alarm
table empty and allows you to anticipate any potential performance issues on your network.


If you want to mitigate a rogue, the first step is to identify its BSSID and put it into the Blocked APs list. The
rogue’s BSSID information is prominently displayed in the rogue devices and rogue AP tables. This allows you
to focus on just the rogues that you want to mitigate. Once the list contains APs, open the rogue
AP configuration page and activate mitigation on the blocked list.

When you mitigate a rogue, you are sending signals to the devices trying to associate to the rogue, telling
them to deauthenticate. This keeps those devices from passing any valuable data through the AP.

This keeps the rogue AP busy while you are working on locating it.


Two mitigation options are available:

Block all BSSIDs that are not in the ACL

This option is the riskier one. It blocks any detected AP that is not in the allowed list. This option relies on the
administrator quickly detecting and analyzing APs and then adding them to the allowed APs list if they are
legitimate. Sometimes, this can lead to unintended mitigation, especially if legitimate APs appear in your air
space on a regular basis.

Block only BSSIDs in the blocked list

This option is the safest option to use for mitigation. It mitigates only APs that are on the blocked
APs list. This means that the administrator has to explicitly select an AP to mitigate, minimizing the chances of
causing issues for legitimate users.
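The triage rules from the preceding pages (same SSID as ours means unfriendly; otherwise an RSSI stronger than -70 dBm at one of our APs means probably inside, weaker means probably a neighbour) and the two mitigation list modes just described, as an added example. It is not FortiWLC code and it only selects BSSIDs from a table; it sends nothing over the air. The rogue-table rows, SSIDs, AP names and RSSI values are constructed for the example, and the -70 dBm threshold is the one the text gives.

```python
"""Rogue AP triage and mitigation-list selection (added example, constructed data)."""
from dataclasses import dataclass

INSIDE_RSSI_DBM = -70   # stronger than this at any of our APs: probably on the premises


@dataclass
class RogueReport:
    bssid: str
    ssid: str
    rssi_by_ap: dict     # reporting AP name -> RSSI in dBm


def classify_rogue(rogue, our_ssids):
    """Returns (verdict, APs that hear the rogue above the inside threshold).
    'impersonating': broadcasts one of our SSIDs, mitigation candidate;
    'inside': locate it, starting near the listed APs;
    'neighbour': weak everywhere, probably legitimate, classify as allowed."""
    if rogue.ssid in our_ssids:
        return "impersonating", sorted(rogue.rssi_by_ap)
    loud = sorted(ap for ap, rssi in rogue.rssi_by_ap.items() if rssi > INSIDE_RSSI_DBM)
    if loud:
        return "inside", loud
    return "neighbour", []


def mitigation_targets(rogues, mode, allowed_bssids, blocked_bssids):
    """BSSIDs that would be mitigated under each option the text lists.
    'not-in-acl'  : every detected BSSID missing from the allowed list (riskier);
    'blocked-only': only BSSIDs an administrator put on the blocked list (safer)."""
    detected = {r.bssid for r in rogues}
    if mode == "not-in-acl":
        return sorted(detected - set(allowed_bssids))
    if mode == "blocked-only":
        return sorted(detected & set(blocked_bssids))
    raise ValueError(f"unknown mitigation mode {mode!r}")


# Constructed rogue table: three detections reported by our APs ap-01 .. ap-05
OUR_SSIDS = {"Staff", "Guest"}
ROGUES = [
    RogueReport("02:00:00:aa:00:01", "Staff",      {"ap-01": -55, "ap-02": -68}),  # impersonates us
    RogueReport("02:00:00:aa:00:02", "CafeWiFi",   {"ap-01": -81, "ap-03": -77}),  # next door
    RogueReport("02:00:00:aa:00:03", "HomeRouter", {"ap-02": -60, "ap-04": -66, "ap-05": -74}),
]


def triage(rogues=ROGUES, our_ssids=OUR_SSIDS):
    """Verdict per BSSID for the whole table."""
    return {r.bssid: classify_rogue(r, our_ssids) for r in rogues}


if __name__ == "__main__":
    for bssid, (verdict, aps) in triage().items():
        print(bssid, verdict, aps)
    allowed = {"02:00:00:aa:00:02"}   # the neighbour, already classified as friendly
    blocked = {"02:00:00:aa:00:01"}   # the AP impersonating our SSID
    print("not-in-acl  :", mitigation_targets(ROGUES, "not-in-acl", allowed, blocked))
    print("blocked-only:", mitigation_targets(ROGUES, "blocked-only", allowed, blocked))
```

Running it shows the difference between the two modes on the same table: the blocked-only mode mitigates just the impersonating BSSID, while the not-in-ACL mode also mitigates the HomeRouter device that has been detected inside but not yet classified, which is exactly the unintended mitigation the text warns about.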


In this video demonstration, you will see an active rogue detection, a rogue alarm being interpreted, and a
BSSID added to a whitelist or blacklist.


Good job! You now know how to manage rogue APs. Next, you will explore how to replace failed APs.


After completing this section, you should know when and why you would replace an AP and how to do it.


Occasionally, usually due to hardware failure, you have to replace an AP. There are two ways of replacing a
failed AP: adding a new AP or using the swap process.

Adding a new AP:
• The new AP is assigned a new AP ID, the next available AP index number.
• The new AP needs to be configured with the correct AP name, radio settings, and other configuration
information.
• The AP ID of the failed AP, the AP being replaced, is not used again. This results in a ‘hole’ in the AP
table.

Swapping an AP:
• The configuration of the replaced AP, including its AP ID, is transferred to the new AP. This minimizes the
possibility of configuration error.

Typically, the AP swap process is used to replace APs that are the same hardware version. You can replace
an older model AP with a newer model AP, but you need to reconfigure the AP settings to match the updated
hardware. For instance, if you replaced an older 802.11n AP with a newer 802.11ac AP, you would have to
ensure the radio settings were set correctly for the new channel width.


To perform an AP swap you need two pieces of information: the MAC address of the old (failed) AP and the
MAC address of the replacement AP. Once you have the MAC addresses of the AP being replaced and the
replacement AP, use the GUI or CLI to enter them in the AP Replacement Table.

Then, you’re ready to swap the APs. It’s critical that you unplug the old AP before plugging the new one in.
Once the new AP starts, it will register with the controller. The controller will see the AP serial number in the
replacement table and perform the swap.

Once the swap is complete, the entry will be removed from the table. You should check the AP table to verify
that the AP has the new MAC address.

The MAC address is referred to as the AP serial number in the web interface.


You can determine the MAC address of an AP from the serial number printed on the bottom of the AP or on the
side of the box. The last six characters of the serial number are the last six hex digits of the MAC address.
To get the full MAC address, prepend the OUI 00:0c:e6 (the vendor prefix registered to Meru Networks, whose
controllers and APs became the FortiWLC product line) to those six characters.


The AP Replacement Table is where the controller stores AP swap information. By default, the table is
empty; entries appear only during an AP swap.

You can access the table through the GUI or the CLI. Accessing the table through the CLI is useful when you
need to swap a large number of APs because it is easier to copy and paste multiple MAC addresses into the
CLI.
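The following is an added example, not Fortinet code, that implements the two steps the preceding pages describe: deriving a full MAC address from the last six characters of an AP serial number with the 00:0c:e6 OUI, and building a validated list of (old MAC, new MAC) pairs ready to paste into the AP Replacement Table when you swap many APs at once. The sample serial numbers and MAC addresses are constructed for illustration and the `AP1020-...` format is an assumption, not a real Fortinet serial scheme; the controller's own CLI syntax for adding an entry is deliberately not reproduced, so the functions return the pairs rather than emitting commands.

```python
"""Build validated (old MAC, new MAC) pairs for the FortiWLC AP Replacement Table.

Added example for this study guide, not Fortinet code. It implements only
what the guide states: the full MAC of an AP is the OUI 00:0c:e6 followed
by the last six characters of the AP serial number. The GUI/CLI syntax for
entering the pairs is not reproduced; paste the returned pairs yourself.
"""
import re

OUI = "00:0c:e6"  # OUI the guide gives for FortiWLC (formerly Meru) APs


def mac_from_serial(serial: str) -> str:
    """Derive the full MAC address from an AP serial number.

    Whitespace and hyphens in the serial are ignored. The last six
    characters must be hexadecimal; anything else raises, so a mistyped
    serial cannot silently become a wrong but valid-looking MAC.
    """
    tail = re.sub(r"[\s-]", "", serial)[-6:].lower()
    if not re.fullmatch(r"[0-9a-f]{6}", tail):
        raise ValueError(f"serial {serial!r} does not end in six hex characters")
    return f"{OUI}:{tail[0:2]}:{tail[2:4]}:{tail[4:6]}"


def normalize_mac(mac: str) -> str:
    """Accept 00:0c:e6:.., 00-0C-E6-.., 000ce6.. and return lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"{mac!r} is not a 48-bit MAC address")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def swap_pairs(rows):
    """Turn (old_mac, new_serial) rows into validated (old_mac, new_mac) pairs.

    old_mac:    the address shown in the controller AP table for the failed AP
                (the GUI labels it "serial number").
    new_serial: the serial printed on the replacement AP or its box.

    Raises if any MAC appears more than once. That catches an old == new
    typo and a replacement AP accidentally listed against two failed APs,
    both of which would leave the swap in an undefined state.
    """
    pairs = [(normalize_mac(old), mac_from_serial(new)) for old, new in rows]
    seen = set()
    for pair in pairs:
        for mac in pair:
            if mac in seen:
                raise ValueError(f"{mac} appears more than once in the replacement list")
            seen.add(mac)
    return pairs


if __name__ == "__main__":
    # Constructed sample data; not real AP serial numbers or addresses.
    rows = [
        ("00:0c:e6:11:22:33", "AP1020-AABBCC"),
        ("00-0C-E6-44-55-66", "AP1020-DDEEFF"),
    ]
    for old, new in swap_pairs(rows):
        print(f"{old} -> {new}")
```

Feed `swap_pairs` a list built from the failed APs in the controller's AP table and the serial labels on the replacement units; because every address is normalized to one form, a mixed copy-and-paste of colon, hyphen and bare-hex notations still produces a consistent table, and a duplicate or non-hex serial is rejected before it reaches the controller.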


In this video demonstration, you see the AP swap process and how to check that the swap was successful.


Congratulations! You have completed this final lesson.


This lesson covered the following objectives:

• Reboot and power off the controller
• Back up and restore controller configuration
• Add device fingerprints
• Manage rogue devices
• Replace failed APs


No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2018 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
