By Manny Fernandez

September 25, 2019

WiFi Best Practices Part 1

Credit: This article was written by a friend and colleague Bryan Wolski.  He is a great asset to our team and brings a wealth of WiFi knowledge to the team.

Introduction

FortiAPs can be managed as stand alone, cloud-managed, FortiGate managed, or controller managed. Every environment is different and it is difficult to give a list of things you should do on every wireless deployment.

FortiCloud

Fortinet offers free cloud management for life unlike some of the competitors that charge a subscription license.  Also when managed from the cloud, if you DO have a subscription associated with the APs such as in the S models with on-board IPS, Content, Application etc, if you stop paying the subscription, you will obviously NOT get any updates and none of those advanced features will be accessable but the APs do not become a brick like some of the competitors.

Stand Alone

You can, but not recommended especially with the free cloud option.

Controller Based

Similar to traditional Wirless LAN controllers, the Fortinet solution offers a full blown controller for large implementations and customers that have particular security requirements.

FortiGate Managed

Each Fortigate has a built-in Wireless LAN Controller and can manage FortiAPs and Fortiswitches from the same Firewall GUI.  There is no charge for this and the logs generated by the APs are automatically pushed to FortiAnalyzer (if you are running one….recommended).

Here are some concepts that are common in many deployments. For better understanding of the concepts, you can use the CWNA Certified Wireless Network Administrator Study Guide to get a good handle on how 802.11 works. It is one of the best resources on the market. This article may spark questions about if you should or shouldn’t do certain things. You will find the answer that you get to your questions from many wireless professionals is “It depends.” For years there was a hashtag on Twitter #WiFiQ that asked a new question everyday about WLAN environments. That is another good resource to learn from. According to a recent announcement, #WiFiQ is coming back.

The commands and information in this article will help you decide how to setup things on your FortiGate managed APs but the concepts apply to other management environments too.

Concepts

Design for the Least Capable, Most Important (LCMI) devices. In other words, what it the most important device on your wireless network that has the least capabilities? Think older and critical devices in many cases, but not always. Is it a tablet, smartphone, laptop, medical device, IOT sensor? Each of these have very different radios, drivers, and 802.11 technology.

An example is a warehouse that uses barcode scanners on their pickers. I still see many 802.11b only units. For reference, the 802.11b standard was ratified in July of 1999 but new scanner guns can be thousands of dollars each. I would make sure SGI (Short Guard Interval) is off. WiFi & Switch Controller > FortiAP Profiles > choose the AP you have > Radio 1 (and Radio 2) make sure the Short Guard Interval is switched to off.

Picture1.png

If there were no B-clients I would tick the SGI on in most cases as it increases your throughput. The subtext here is push back hard on B-clients being used in your environment if possible. That technology was ratified in 1999!

Use the least number of SSIDs possible. Each SSID usually sends out 10 beacons per second for EVERY SSID. Since Wi-Fi is half duplex and  a shared medium, we want it to be as efficient as possible. Collapse those SSIDs by authentication methods where you can. Examples may be, Open, WPA2 Personal, and WPA2 Enterprise. WiFi & Switch Controller > SSID > Create New > SSID > WiFi Settings > Security Mode

Picture2.png

It is worth noting that using FortiNAC gives you even more control, like more expansive RBAC (Role Based Access) for devices that don’t support WPA2 Enterprise. and likely lets even the largest networks use only 3 or 4 SSIDs.

There is a good, and free SSID Overhead Calculator by Revolution Wi-Fi. This will help you see what too many SSIDs is doing to your environment.

Disable low data rates. Each environment will be different but many times you can and should disable the lowest data rates. If you want to know why visit the blog of CWNE #1, Devin Akin where he talks about this. The rates that you allow and disable will be specific to what devices you allow on your network. Back to the B-Clients example and you would need at least (1) 802.11b rate offered (normally people would select the fastest rate of 11 Mbps).

To turn off rates 1, 2, 5.5, and 11, you go into the CLI on the FortiGate and use the following:

config wireless-controller vap
      edit <vap_name>
              set rates-11a 12-basic 18 24 36 48 54
             set rates-11bg 12-basic 18 24 36 48 54
       end

 

Avoid 80+ MHz wide channels in 5GHz and only use 20 MHz channels in 2.4GHz. There are use cases for wider channels, but there is not enough spectrum available today for proper channel reuse in an enterprise deployment or a multitenant environment. You will end up with CCI and ACI (co-channel and adjacent channel interference).

Navigate to WiFi & Switch Controller > FortiAP Profiles > Create New > Radio 2 > Channel Width. Use the widest you can. You can know by getting a real site survey. You can also use WiFi scanner tools like insider by MetaGeek, WiFi Explorer, Ekahau Site Survey, and many more to at least get some data on what spectrum is being used.

Picture3.png

Use DFS Channels if possible. You can see in the picture from #4 in my list that there are a bunch of channels in the 5GHz range that have stars. That means these have special rules and have to coexist with things like weather radar and military functions. When an AP detects a “hit” on DFS it has to change to a non-DFS channel for a specified time in order to free up that spectrum. In some places DFS is nearly unusable because of so many DFS hits. In many cases DFS is usable and frees up spectrum. This allows more channels which also means the potential for using 40 MHz wide channels because you have less chance of CCI and ACI.

Navigate to WiFi & Switch Controller > FortiAP Profiles > Create New > Radio 2 > Channels. You do want to make sure your devices support DFS channels. There are some out there that don’t support all the channels. Remove the channels that are not suitable to use.

Here are some charts from SecurityUncorked.com showing the available 5GHz channels available and why you might want to use the DFS spectrum.
1.png

2.png

3.png

 

 

 

 

This is a first in a series of WiFi Best Practices posts.

 

 

 

 

 

Recent posts