Interoperability Report - ascom-ws.com · MC3200, MC3200-VE MC1550, MC1550-VE , MC1500-VE MC4200,...


  • Interoperability Report

    Ascom i62

    Fortinet MC/WLC

    WLC controller platform

    Fortinet MC/WLC v. 8.5-0-6

    Ascom i62 v. 6.2.0

    Morrisville, NC, USA

    September 2019

  • Interoperability Report Date Page Ascom i62 – Fortinet WLC 30-SEP-2019 2 / 18

    Contents

    Introduction
    About Ascom
    About Fortinet
    Site Information
    Verification site
    Participants
    Verification topology
    Summary
    General conclusions
    Verification overview
    Known limitations
    Appendix A: Verification Configurations
    Fortinet MC1550 WLAN Controller version 8.5-0-6
    Ascom i62
    Appendix B: Interoperability Verification Records
    Document History

    Introduction

    This document summarizes the interoperability verification results for Ascom's and Fortinet's platforms, the necessary steps and guidelines to optimally configure the platforms, and support contact details. The report should be used in conjunction with both Fortinet's and Ascom's platform configuration guides.

    About Ascom

    Ascom is a global solutions provider focused on healthcare ICT and mobile workflow solutions. The vision of Ascom is to close digital information gaps allowing for the best possible decisions – anytime and anywhere. Ascom’s mission is to provide mission-critical, real-time solutions for highly mobile, ad hoc, and time-sensitive environments. Ascom uses its unique product and solutions portfolio and software architecture capabilities to devise integration and mobilization solutions that provide truly smooth, complete and efficient workflows for healthcare as well as for industry, security and retail sectors.

    Ascom is headquartered in Baar (Switzerland), has subsidiaries in 15 countries and employs around 1,300 people worldwide. Ascom registered shares (ASCN) are listed on the SIX Swiss Exchange in Zurich.

    About Fortinet

    Fortinet (NASDAQ: FTNT) secures the largest enterprise, service provider, and government organizations around the world. Fortinet empowers its customers with intelligent, seamless protection across the expanding attack surface and the power to take on ever-increasing performance requirements of the borderless network - today and into the future. Only the Fortinet Security Fabric architecture can deliver security features without compromise to address the most critical security challenges, whether in networked, application, cloud or mobile environments. Fortinet ranks #1 in the most security appliances shipped worldwide and more than 330,000 customers trust Fortinet to protect their businesses. Learn more at https://www.fortinet.com, the Fortinet Blog, or FortiGuard Labs.

    Site Information

    Verification site Ascom US

    300 Perimeter park drive

    Morrisville, NC, US-27560

    USA

    Participants

    Karl-Magnus Olsson, Ascom, Morrisville

    Verification topology

    Summary

    General conclusions

    The verified test areas, such as authentication, association, handover and call stability tests, produced very good test results in general. Due to Fortinet's single-channel architecture, no traditional roaming takes place, which makes the roaming seamless.

    Note. Unless the parameter “Expedited Forwarding Override” is used, the i62 has to mark voice packets with DSCP 48 in order to get the appropriate mapping in the “air” (Access Category 6). Refer to handset configuration on page 17.

    Please refer to Fortinet’s documentation for information regarding co-existence between different access point models within the same wireless network.

    Supported Partner Access Points with SW version 8.5-0.6:

    AP U221EV, U223EV
    AP U321EV, U323EV
    AP U421EV, U423EV

    Supported Partner Controller Platforms with SW version 8.5-0.6:

    MC3200, MC3200-VE
    MC1550, MC1550-VE, MC1500-VE
    MC4200, MC4200-VE
    FortiWLC-50D, 200D, 500D, 1000D, 3000D
    FWC-VM-50, 200, 500, 1000, 3000

    Verification overview

    WLAN Compatibility and Performance

    | High Level Functionality | Result | Comments |
    |---|---|---|
    | Association, Open with No Encryption | OK | |
    | Association, WPA2-PSK / AES Encryption | OK | |
    | Association, PEAP-MSCHAPv2 Auth, AES Encryption | OK | |
    | Association with EAP-TLS authentication | OK | |
    | Association, Multiple ESSIDs | OK | |
    | Beacon Interval and DTIM Period | OK | |
    | PMKSA Caching | OK | |
    | WPA2-opportunistic/proactive Key Caching | OK | |
    | WMM Prioritization | OK | |
    | 802.11 Power-save mode | OK | |
    | 802.11e U-APSD | OK | |
    | 802.11e U-APSD (load test) | OK | |
    | Roaming, WPA2-PSK, AES Encryption | OK | Roam transparent to handset* |
    | Roaming, PEAP-MSCHAPv2 Auth, AES Encryption | OK | Roam transparent to handset* |

    *) RF Mode: Virtual Cell. See Known issues section for limitations regarding Native Cell mode.

    Known limitations

    | Description and Symptoms | Workaround | Ticket(s) raised |
    |---|---|---|
    | RF Virtualization Mode: “Native Cell” considerations. When using PSK authentication, AP U421EV shows longer roaming times than expected due to delayed EAPOL keys from the AP. Measured roaming times are typically 120-170 ms, and data loss can be clearly noticed in a call. Fortinet does not support OKC (opportunistic key caching), resulting in unacceptable (for VoIP) roaming times when utilizing .1X authentication together with Native Cell. | Virtual Cell mode is recommended for all access points. | |

    For additional information regarding the known limitations please contact [email protected] or [email protected].

    For detailed verification results, refer to Appendix B: Interoperability Verification Records.

    Appendix A: Verification Configurations

    Fortinet MC1550 WLAN Controller version 8.5-0-6

    In the following chapter you will find screenshots and explanations of basic settings in order to get a Fortinet WLAN system to operate with an Ascom i62. Please note that security settings were modified according to requirements in individual test cases.

    The configuration file is found at the bottom of this chapter.

    Security settings

    Security profiles.

    Security profile WPA2-PSK, AES/CCMP encryption.

    Security profile WPA2-Enterprise, AES-CCMP encryption. The Primary RADIUS Profile Name “FreeRadius2” refers to the RADIUS profile set up in the controller. See the RADIUS profile below for additional details.

    Configuration of Radius profile.

    RADIUS profile configuration. Note that the profile “FreeRadius2”, the RADIUS IP and the secret must correspond to the authentication server running in the network.

    ESS, Radio and QoS settings

    Ascom's recommended setting for 802.11b/g/n is to use only channels 1, 6 or 11. For 802.11a/n/ac, use channels according to the infrastructure manufacturer and country regulations.

    Make sure that all non-DFS channels are taken before resorting to DFS channels. The handset can cope in mixed non-DFS and DFS environments; however, due to “unpredictability” introduced by radar detection protocols, voice quality may become distorted and roaming delayed. Hence Ascom recommends avoiding the use of DFS channels in VoWiFi deployments if possible.

    ESS settings. Even though the 11k and 11r features are not supported by the Ascom i62, it can coexist in a network where they are enabled, for example in a deployment with Ascom Myco 3.

    ESS settings (continued).

    Make sure APSD support is enabled.

    Make sure band steering and Multicast-to-Unicast Conversion are enabled.

    Note. Ascom and Fortinet recommend Virtual Cell for Ux2xEV. See section Known Issues for further details.

    ESS advanced settings

    - Select Voice Client Type - ascom
    - Set DTIM Period of 5 and a DTIM interval of 100ms. These values are recommended in order to allow maximum battery conservation without impacting the quality. Lower DTIM values are possible but will decrease the standby time.
    - Expedited Forwarding Override will map DSCP 46 (EF) to the AC_VO. If turned off, IP DSCP for Voice has to be set to 0x30 (48) in the Phone. See i62 settings further down.
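
The DSCP requirement above can be checked against captured voice packets. The following is an added example, not part of the report or of either vendor's software; it assumes that, without the override, the infrastructure takes the 802.11 user priority from the three most significant bits of the DSCP, and the function names and sample ToS bytes are constructed for illustration.

```python
# WMM user priority (UP) -> access category, per the WMM/802.11e mapping.
UP_TO_AC = {0: "AC_BE", 1: "AC_BK", 2: "AC_BK", 3: "AC_BE",
            4: "AC_VI", 5: "AC_VI", 6: "AC_VO", 7: "AC_VO"}
EF = 46  # DSCP Expedited Forwarding


def dscp_from_tos(tos: int) -> int:
    """DSCP is the upper six bits of the IPv4 ToS / IPv6 Traffic Class byte."""
    if not 0 <= tos <= 0xFF:
        raise ValueError(f"not a one-byte ToS value: {tos!r}")
    return tos >> 2


def access_category(dscp: int, ef_override: bool) -> str:
    """Access category used on the air for a packet with this DSCP.

    Assumption (not from the report): without the override, the user
    priority is the top three bits of the DSCP.
    """
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP out of range: {dscp!r}")
    if ef_override and dscp == EF:
        return "AC_VO"  # the report: the override maps DSCP 46 to AC_VO
    return UP_TO_AC[dscp >> 3]


def audit_voice_marking(tos_bytes, ef_override: bool):
    """Return (tos, dscp, ac) for every voice packet that misses AC_VO."""
    misses = []
    for tos in tos_bytes:
        dscp = dscp_from_tos(tos)
        ac = access_category(dscp, ef_override)
        if ac != "AC_VO":
            misses.append((hex(tos), dscp, ac))
    return misses


# Constructed sample: ToS bytes read from voice packets in a capture.
# 0xC0 is DSCP 48 (0x30); 0xB8 is DSCP 46 (EF).
SAMPLE_TOS = [0xC0, 0xB8, 0xB8]

if __name__ == "__main__":
    for override in (False, True):
        print(f"EF override={override}:", audit_voice_marking(SAMPLE_TOS, override))
```

With the override off, the two EF-marked packets fall into the video queue, which is why the handset has to be set to DSCP 48 in that case.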

    In a Fortinet environment, we recommend that the data rates are advertised within the ESS per above for 802.11a/n/ac.

    In a Fortinet environment, it is recommended that the data rates are advertised within the ESS per above (802.11b/g/n). To further optimize performance it is recommended to disallow 802.11b clients to associate by setting 12 Mbps rate to mandatory in the 802.11bgn data rate set.

    Ascom i62

    Network settings for WPA2-PSK

    Note. Make sure that the enabled channels in the i62 handset match the channel plan used in the system.

    Note. FCC is no longer allowing 802.11d to determine regulatory domain. Devices deployed in USA must set Regulatory domain to “USA”.

    Network settings for .1X authentication (PEAP-MSCHAPv2)

    802.1X Authentication requires a CA certificate to be uploaded to the phone by “right clicking” -> Edit certificates.

    EAP-TLS will require both a CA and a client certificate.

    Note that both a CA and a client certificate are needed for TLS. Otherwise only a CA certificate is needed.

    Server certificate validation can be overridden in version 4.1.12 and above per handset setting.

    Appendix B: Interoperability Verification Records

    | Pass | Fail | Comments | Not verified |
    |---|---|---|---|
    | 16 | 0 | 0 | 5 |

    Total 21

    Refer to the attached file for detailed verification results.

    Refer to the verification specification for explicit information regarding each verification case.

    The specification can be found here (requires login):

    https://www.ascom-ws.com/AscomPartnerWeb/en/startpage/Sales-tools/Interoperability/Templates/

    Document History

    | Rev | Date | Author | Description |
    |---|---|---|---|
    | P1 | 3-Oct-19 | SEKMO | Draft |
    | R1 | 9-Oct-19 | SEKMO | Review. Official revision R1 |

    WLAN TR

    WLAN Interoperability Test Report

    Test object - Handset: Ascom i62 6.2.0
    Test object - WLAN system: Fortinet WLC 8.5-0-6; AP U221EV, U421EV

    WLAN configuration:
    Beacon Interval: 100ms
    DTIM Interval: 5
    802.11d Regulatory Domain: World
    WMM Enabled (Auto/WMM)
    No Auto-tune
    Single Voice VLAN

    | Test Case | Description | U221EV 2.4 GHz | U221EV 5.0 GHz | U421EV 2.4 GHz | U421EV 5.0 GHz | Comment |
    |---|---|---|---|---|---|---|
    | | TEST AREA ASSOCIATION / AUTHENTICATION | | | | | |
    | #101 | Association with open authentication, no encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
    | #107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | Hidden SSID ok |
    | #110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS server; RootCA loaded to device; Handset authenticates twice |
    | #116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS server; RootCA and client certificate loaded to device |
    | | TEST AREA POWER-SAVE AND QOS | | | | | |
    | #150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | |
    | #151 | Beacon period and DTIM interval | PASS | PASS | PASS | PASS | |
    | #152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | |
    | #202 | WMM prioritization | PASS | PASS | PASS | PASS | iperf used to generate background load. |
    | | TEST AREA "PERFORMANCE" | | | | | |
    | #308 | Power-save mode U-APSD – WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
    | #310 | CAC - TSPEC | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
    | | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
    | #401 | Handover with open authentication and no encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
    | #404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Virtual Cell: OK. Client roaming not applicable due to virtual cell architecture. Native cell: Roaming times 80-110ms. |
    | #408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Virtual Cell: OK. Client roaming not applicable due to virtual cell architecture. Native cell: OKC not supported. First roam before PMKSA roam to AP takes 1s+. Noticeable voice gap. |
    | #411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Virtual Cell: OK. Client roaming not applicable due to virtual cell architecture. Native cell: See #408 |
    | | TEST AREA BATTERY LIFETIME | | | | | |
    | #501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | PASS | 80+ |
    | #504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | PASS | 8h+ (default settings but only non DFS channels) |
    | | TEST AREA STABILITY | | | | | |
    | #602 | Duration of call – U-APSD mode | PASS | PASS | PASS | PASS | 1h call maintained, Test limited to 1h |
    | | TEST AREA 802.11n | | | | | |
    | #801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
    | #802 | Frame aggregation A-MPDU | PASS | PASS | PASS | PASS | |
    | #804 | 40 MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | |
    | #805 | 802.11n rates | PASS | PASS | PASS | PASS | Uplink and downlink. |

    look at uapsd deliver AP710