Wi-Fi Roaming on a Fortinet Single Channel Architecture(SCA)

Successful Wi-Fi client Roaming is moving across Access point / BSSID  to a best possible service AP for the wireless client in term’s of SNR and RSSI while with least time involved in the process and with zero Hard hand off seen.

Faster Roaming is considered key for VoIP over Wi-Fi and for other application that is running over Wi-Fi Network which is very sensitive for latency and delay.

Wireless Vendor’s do have protocol implementations to deal these roaming problems with : PMK caching, OKC, FAST ROAMING 802.11 K/V/R

However Fortinet Infrastructure Wi-Fi being unique with single BSSID virtually visible across the network and roaming seems to be quite simple, but they still have to calculate the math to solve the roaming issue with their software.

I want to stress on this point: Yes, FortiWLC does  support both Single channel Architecture and Multi channel Architecture mode and you can take advantage of this with the help of feature grouping. So you can deploy sites some with single channel and other sites which you feel from Design point that it’s optimal to go with Multi channel architecture. So take some advantage of the SCA where it can really go well for you.

Ok, So how does SCA works together for client roaming?

Like other MCA vendors Fortinet Wi-Fi system also has the following tweaks and operations that will help you to build a system optimal for Good roaming (choice of which parameter really depends on wi-fi environment).

*Prob response threshold(This is based on SNR)

*Lower data rate changes

*TX power changes.

*Prob response from associated AP only.

*AP load balancing

*Frequency Band-steering

Apart from the settings mentioned above there are some  major factors that contribute SCA roaming :  

*Adequate RSSI




2 frame report with 3 dbm difference on RSSI strength   [ This is Interval between each frame report and its RSSI difference]

Coordinator  [wi-fi system which takes in-charge of  AP<->CLIENT association and here coordinator gives client assignment to the best access point to service the client based on the condition and threshold set]

coordinator reassignment and AP acknowledgment for that assignment.

silent client behavior and WLC features to handle such client behaviors.

Below are some client roaming behavior on different roaming condition.

#Normal system hand off based on adequate rssi(better signal strength).

2017-Sep-29 14:51:56.611901 | 78:31:c1:Xx:Xx:XX | 802.11 State | * <AID=31>[abgn](v0) handoff <OLD_AP=6> RSSI (-56 -55) <NEW_AP=13> RSSI (-52 -43) ESSID=XXXXX Ch=149 A-BSSID=00:0c:e6:02:67:70 reason=Normal handoff

#System Hand off based on  -256  frame report:

This condition of seeing -256 frame report and followed by normal handoff means that the station is found on different service AP while before the last serviced AP could flag the client as LOST.

station-log> 2017-Sep-29 15:44:55.069959 | 78:31:c1:XX:XX:XX | 802.11 State | * <AID=31>[abgn](v0) handoff <OLD_AP=13> RSSI (-256 -256) <NEW_AP=6> RSSI (-55 -55) ESSID=XXXX Ch=149 A-BSSID=00:0c:e6:02:67:70 reason=Normal handoff

#System LOST-FOUND on same Access point(-256):

When the wireless client is marked LOST on the connected Access point and not found on any other servicing Access point. And the client shows up(FOUND) again on the same access point after been marked as LOST.

–>Sample Station log:

If no other UNASSIGNED AP have marked it QUASI FOUND
01:40:30.503000 | 7c:7a:91:XX:XX:XX | 802.11 State | <AID=6>[abgn](pre lost) found on assigned <AP=97>(rssi=-256) ESSID=XXXX Ch=44 A-BSSID=00:0c:e6:5a:1b:44 reason=Station discovered

#System Hand off based on LOST-FOUND(station is declared as LOST but found on different servicing AP)

Here station is completely lost on the connected AP, while it probed on a different Access point resulting on a hand off.

–>Sample station log :

2017-Sep-29 15:44:53.507727 | 78:31:c1:XX:XX:XX| 802.11 State | * <AID=31>[abgn](v0) (pre found) lost from assigned <AP=13> ESSID=XXXX Ch=149 A-BSSID=00:0c:e6:02:67:70 reason=Station lost from AP
station-log> 2017-Sep-29 15:44:55.069956 | 78:31:c1:XX:XX:XX | 802.11 State | * <AID=31>[abgn](v0) (pre lost) quasi found on unassigned <AP=6>(rssi=-55) ESSID=XXXX Ch=149 A-BSSID=00:0c:e6:02:67:70 reason=Station probed
station-log> 2017-Sep-29 15:44:55.069959 | 78:31:c1:XX:XX:XX | 802.11 State | * <AID=31>[abgn](v0) handoff <OLD_AP=13> RSSI (-256 -256) <NEW_AP=6> RSSI (-55 -55) ESSID=XXXX Ch=149 A-BSSID=00:0c:e6:02:67:70 reason=Normal handoff


->>The below log indicates that the station is now handed-off to new access point and the access point ack’ed the “coordinator” that he is going to take over the client service.
station-log> 2017-Sep-29 15:44:55.070826 | 78:31:c1:XX:XX:XX | 802.11 State | * <AID=31>[abgn](v0) (pre quasi found) marked found as received handoff ack from assigned <AP=6> ESSID=wireless-nation Ch=149 A-BSSID=00:0c:e6:02:67:70


#Wireless Client Assoc-Assoc .

This is a problem condition in SCA where the wi-fi station does a re-association to the access point but to the wireless system already know him as a associated client in his DB.

The client does this thinking  it needs a re-association to the wireless network because he hasn’t heard any beacon for some time interval or could be because beacons are found to be corrupted while decoding or client didn’t like the frames sent by Access point(Have seen such behavior mostly with INTEL chip-set based clients). This needs a investigation if these log show up on system and matches the time frame user reporting any connectivity issues.

This  condition could cause client going through authentications phase again and/or even disconnections (8021.x and 802.11i  happens every time when hits Assoc to Assoc)

–>Sample events for Assoc-Assoc situation:
station-log> 2017-Sep-29 15:44:59.257873 | 78:31:c1:XX:XX:XX | 802.11 State | * <AID=31>[abgn](v0) state change <old=Associated><new=Associated><AP[6]=00:0c:e6:1a:34:11> ESSID=XXXX Ch=149 A-<BSSID=00:0c:e6:02:67:70>
station-log> 2017-Sep-29 15:44:59.257877 | 78:31:c1:XX:XX:XX | 802.11 State | * <AID=31>[abgn](v0) state change <old=Associated> <new=Associated> <AP=6> ESSID=XXXX Ch=149 A-<BSSID=00:0c:e6:02:67:70>
station-log> 2017-Sep-29 15:44:59.258432 | 78:31:c1:XX:XX:XX | 1X Authentication | <AID=0> <EAP code=request> <EAP ID=1> <EAP type=Identity> sent
station-log> 2017-Sep-29 15:44:59.290511 | 78:31:c1:XX:XX:XX | 1X Authentication | <AID=31> <pkt type=EAP_PACKET> <EAP code=response><EAP ID=1>
station-log> 2017-Sep-29 15:44:59.290514 | 78:31:c1:XX:XX:XX | 1X Authentication | <AID=31> Radius <msg code=access_request><msg ID=174> sent <ip=>:<port=1812>
station-log> 2017-Sep-29 15:44:59.299477 | 78:31:c1:XX:XX:XX | 1X Authentication | <AID=31> <pkt type=EAP_PACKET> <EAP code=request><EAP ID=2> <info=relay eap-request from Radius> sent

station-log> 2017-Sep-29 15:44:59.572152 | 78:31:c1:XX:XX:XX | 1X Authentication | <AID=31> <pkt type=EAP_PACKET> <EAP code=response><EAP ID=9>
station-log> 2017-Sep-29 15:44:59.572156 | 78:31:c1:XX:XX:XX | 1X Authentication |
station-log> 2017-Sep-29 15:44:59.645547 | 78:31:c1:XX:XX:XX | 1X Authentication | <AID=31> <pkt type=EAP_PACKET> <EAP code=response><EAP ID=12>
station-log> 2017-Sep-29 15:44:59.646297 | 78:31:c1:XX:XX:XX | 1X Authentication | <AID=31> Radius <msg code=access_request><msg ID=189> sent <ip=>:<port=1812>
station-log> 2017-Sep-29 15:44:59.647948 | 78:31:c1:XX:XX:XX | 1X Authentication | <AID=31> Radius ACCESS-ACCEPT received : Session Timeout: None, VLAN Tag : 0, Filter id : , CUI : None.



Separating your RF space for priority traffic with Single Channel Architecture and Channel Layering

Segmentation of services can be achieved by doing channel layering with Fortinet Infrastructure WiFi(SCA). By doing so you actually separate  business critical traffic  from  your non critical and Guest traffics.

There are applications like VO-WIFI and few other low latency sensitive application that need special care taken.

#Wired infrastructure :You deploy a separate Vlan and end-end QOS written and so.

#On WIFI Controller you can do inbound/outbound QOS

#The WMM supported clients have TX-OP /Access category  Q for prioritizing the voice/video traffic.

In a SCA you further get the opportunity to do Segmentation of services by creating  a separate RF space for them.

Ref Pic: