Skip to main content
antoniomastrolia
antoniomastrolia
New Member
March 24, 2026
Question

Disconnections on a WPA2-Enterprise SSID

  • March 24, 2026
  • 3 replies
  • 689 views

Probably the most bizarre IT problem I've ever come across.

 

We are in the process of migrating from Aruba to Fortinet, wired and wireless. One building has now been completely moved to FortiAPs and since day one we've been experiencing random disconnections from our WPA2-Enterprise SSID.

The initial symptoms were these: out of the blue, without moving, a device would lose internet connection, showing the 'globe' in the bottom right corner (Windows), claiming to still be connected to the network, but with no internet and with an auto-assigned APIPA address.


Having done A LOT of investigation, most of the time with little to no result, I have noticed that clients are very frequently re-associating (often with the same AP), sometimes failing (hence the 'disconnections'). The signal is high, APs are generally a few feet away, it happens on both 2.4 and 5Ghz.

 

We have done a lot of tweaking, including changes recommended by Fortinet Support, which included disabling fast roaming, PMF, adjusting APs power levels, removing frequency and AP hand-offs, changing to WPA3-Enterprise, etc. Nothing has helped in any meaningful way.

 

Weirdly, I am able to fairly consistently trigger the disconnections if I initiate a file transfer from my laptop to a remote server. The connection first becomes unstable, then it drops after a few minutes/seconds. Even more weird is that sometimes if I initiate a file transfer from my laptop, another laptop connected to the same AP gets disconnected.

 

All the devices seem to be using variations of Intel cards, like the AX201 and the AX211. Tried to use an external TP-Link USB adaptor and the file transfers went smoothly.

 

We are using mainly 231K units, but the problem also happens on the 441K. Firmware, tried both 7.4 and 7.6, no change.

 

It feels like it's got something to do with EAP-TLS (we use computer certificates).


I am at a loss, because we've had to stop our FortiAP deployment since the issue has never happened on the Aruba ones.

3 replies

funkylicious
SuperUser
funkylicious
SuperUser
March 24, 2026

your issue sounds kinda complex.

i would open a support ticket if you havent already

"jack of all trades, master of none"
christian_89_
christian_89_
Explorer
March 24, 2026

Yes. And the uncomfortable answer is this: it does not mainly look like EAP-TLS. It looks far more like an interoperability / roaming / Wi-Fi 6 issue between FortiAP K-series and Intel AX201/AX211 clients, which gets worse under load. The fact that a USB adapter works cleanly while Intel cards drop is your strongest clue. The APIPA address is very likely just the aftermath of reassociation or connectivity loss, not the root cause. Fortinet itself documents throughput-related instability as a cause of link drops, and Intel community cases describe very similar enterprise symptoms with AX201/AX211: unnecessary roaming, reauth or roam events, then “connected, no internet” or loss of IP connectivity.

The most sensible immediate action is not more tuning of PMF, WPA3, or 802.11r. The fastest way out is to isolate the fault hard:

  1. Build a test SSID on the same VLAN/DHCP, but with WPA2-PSK instead of 802.1X/EAP-TLS.
    If the disconnect still happens during a file transfer, then EAP-TLS is not your root problem and you should focus on RF, AP, and client interoperability. If PSK is stable, only then is it worth putting 802.1X/RADIUS back in the centre. This kind of clean isolation is exactly how Fortinet recommends narrowing client connection issues.

  2. Disable 802.11ax for testing, ideally on a dedicated test SSID or on the affected AP/radio profile.
    Do not theorise. Measure it: same laptop, same AP, same file transfer, once with ax enabled and once with ax disabled. Because of the strong Intel correlation, this is the highest-value test you can run.

  3. Run 5 GHz only, 20 or 40 MHz channels, no DFS, no band steering, no AP handoff, no load balancing on the test SSID.
    You need to strip variables out aggressively. If that setup becomes stable, the problem is in roaming or RF feature interaction, not certificates. Fortinet explicitly documents client steering and load balancing as mechanisms that can affect behaviour, so they should be out of the picture during A/B testing.

  4. De-tune the Intel client for proof testing:

    • Roaming aggressiveness: Lowest

    • Preferred band: 5 GHz

    • 802.11ax: Disabled

    • U-APSD / WMM power save: disable for testing if exposed

    • Test both OEM driver and Intel generic driver

This is not a nice final fix, but it is a valid proof. If these settings stop the drops, you are dealing with interoperability, not RADIUS.

The second area you need to look at is infrastructure stability under load. The detail that Laptop A starts a file transfer and Laptop B on the same AP also gets knocked off is a major warning sign against “this is just certificates”. That points more toward AP radio behaviour, AP uplink, CAPWAP/controller stability, switchport issues, or PoE problems. Fortinet explicitly says that when AP connectivity issues occur, you need to verify the AP-to-controller path. They also note that LLDP is required for a stable FortiAP environment in some deployment cases, especially where profiles or settings were migrated or reused.

So, in parallel, check this:

  • LLDP enabled in the FortiAP profile

  • AP switchport for errors, drops, flaps, EEE, and PoE events

  • If this is on FortiSwitch, check port errors, CRC, queue drops, and power budget

  • Test one problematic AP in isolation, with neighbouring AP influence reduced

  • Test a single AP on a different switch or uplink path

What I do not think is likely: that EAP-TLS itself is the primary fault. If EAP-TLS were the real issue, you would expect mainly authentication failures. Your pattern is different: under load it becomes unstable, clients reassociate frequently, sometimes to the same AP, USB adapters remain stable, and other clients can be affected at the same time. That fits interoperability or AP/uplink behaviour much better than a certificate problem. Fortinet’s own troubleshooting guidance lists client-device interoperability as a common cause of connection problems.

So the practical order should be:

A. Do this first

  • New test SSID: 5 GHz only, WPA2-PSK, 20/40 MHz, 802.11ax off, all roaming/handoff/load-balancing features off

  • Same laptop, same AP, same file transfer

  • In parallel, test the original enterprise SSID with 802.11ax disabled

B. Read the result properly

  • PSK also unstable: EAP-TLS is innocent. Focus on AX, client/AP interoperability, and AP uplink

  • PSK stable, enterprise unstable: then debug 802.1X properly

  • Enterprise stable as soon as AX is off: you have effectively proven an interoperability bug or feature interaction

C. Only then do deep debug

  • Wireless client event logs on FortiGate/FortiAP

  • RADIUS debug only during a reproducible file transfer

  • DHCP/sniffer in parallel, to confirm that APIPA appears only after reassociation

My honest assessment is this:
The most likely real-world fix is a workaround, either by disabling 802.11ax or by heavily simplifying RF and roaming behaviour, until you find a Fortinet firmware and Intel driver combination that is actually stable. Everything else you already tried was mostly lateral movement.

 

antoniomastrolia
antoniomastroliaAuthor
New Member
March 24, 2026

Thanks for this. My biggest challenge is that, while I can fairly regularly recreate the issue by doing a file transfer, it becomes much less predictable every time I make a change to the base config, which means that it may take days before I can confirm, one way or another, if any one change has had any effect whatsoever. While this may suggest that the issue is not regular enough to cause concern, I am sure it will become so the moment hundreds of people will start connecting to the new APs.

 

New SSID: done. Much more stable, to the point that I thought it was all due to the SSID, then I got disconnected twice in 10 minutes, minutes before I was ready to declare victory.

All load balancing/roaming stuff, all turned off, no difference.

Channels, all set to 20Mhz in all bands. Bizarrely, for a while it was much more stable with 40 Mhz channels, on the 5G, instead of the 20 Mhz.

ax disabled on both the AP and the Intel card itself, no difference.


The only thing that seemed to actually work, was to set the band to 2.4 Ghz at the slowest possible negotiated speed (something like 54 Mbps). It worked, but it took ages to do anything.

 

A PSK-only SSID seemed much, much more stable, but that's of no use to us, because of the certificate requirement.

 

99% of the tests were performed in an office with only 1 FortiAP available, so the only 'roaming' the client could've done, was within the access point itself (band steering), which it did do regularly.

 

I totally agree that the DHCP problem is just a consequence of the device being disconnected, but so are all the roaming requests: it doesn't disconnect because it tries to roam to aggressively, it roams because the network becomes too unstable.

 

Lastly, pretty much every single time the device disconnects, an event is recorded in the Windows' wlan report. It says:

Capability change on {interface}. Family: V4 Capability: Local ChangeReason: ActiveHttpProbeSucceded

Capability change on {interface} Family: V4 Capability: None ChangeReason: CapabilityReset

Wireless security stopped 

 

I will look at what the FortiSwitches have to say, but given that it happens in different locations, served by different switches, I doubt it is switch-related.

 

Also, we are using a single SSID for different VLANs (dynamic VLANs served by RADIUS) and the SSID is in tunnel mode. I'm new to Fortinet but I was told that you can't re-use a VLAN/subnet that already belongs to a different SSID, in which case I don't think I'll be able to create an exact clone of the current setup.

gutocano
gutocano
New Member
June 11, 2026

Guys, I had the same problem, but with the 431G.

The system only became stable after we disabled the following items:

Radio resource provisioning

Frequency Handoff

We also had to set the channels and power levels to manual mode.

It seems that whenever the AP changes channel or frequency, the AX210/211 client gets lost and does not request a new IP, assuming the APIPA.

Terms & ConditionsAccessibility statement