Description:
This article describes how to fix sticky client issues on a FortiAP connected to FortiGate.
Scope
FortiOS 6.4/FortiAP 6.4 and above.
Solution
The primary focus of an implementation with FortiAP connected to FortiGate is to maintain high quality SNR clients in BSS. Low quality SNR-based clients will be de-authenticated and not allowed in BSS until their SNR improves.
If sticky-client-remove is enabled, the AP will send deauthentication to the client when the client's RSSI falls below the sticky-client-2g|5g-threshold, and a FortiGate event log will be generated.
The sticky client problem occurs if a client remains connected to far away FortiAP with a weaker signal.
This results in degraded wireless network speed due to factors such as low data rate, interference, more Air-time by sticky clients etc.
This solution to remove sticky clients maintains good SNR clients in BSS. Low SNR-based clients will be de-authenticated and will not be accepted in BSS until their SNR improves.
To configure sticky-client-remove in the CLI, run the following:
# config wireless-controller vap
edit <vap-name>
set sticky-client-remove enable|disable
set sticky-client-2g-threshold <minimum RSSI required to maintain connection> (-95 to -20, default = -76)
set sticky-client-5g-threshold <minimum RSSI required to maintain connection> (-95 to -20, default = -76)
end
end
To check if sticky client is enabled, run the following CLI command on the FortiAP:
# vcfg | grep -ie Radio -ie "sticky client"
To verify if the client has been removed due to sticky-client-remove enable, check the event log. For example:
1: date=2020-xx-xx time=xx:xx:01 logid="0104043xx7" type="event" subtype="wireless" level="notice" vd="root" eventtime=158274114161xx1879 tz="-0800" logdesc="Wireless client denied" sn="FPxxxxxxx03" ap=" FPxxxxxxx03" vap="VAP_profile" ssid="SSID_Name " stamac="xx:xx:xx:xx:xx:xx" radioid=2 channel=100 security="WPA2 Personal" encryption="AES" action="client-denial" reason="STA denied on WTP due to low RSSI" msg="Client xx:xx:xx:xx:xx:xx denied due to low rssi. client rssi -85dBm, threshold rssi -76dBm" remotewtptime="1557.250156"
Run the below command on the FortiAP CLI to check the sticky client behavior in realtime:
# klog | grep -ie snr -ie deauth
.
.
[ 856.477122] Client a6:c8:b4:40:c3:bf(avg snr=23, cnt=94) de-authed due to insufficient SNR
[ 856.477139] [MLME] cpu1 vap-00(wlan00): [a6:c8:b4:40:c3:bf] wlan_mlme_deauth_request reason 1.
.
Press Ctrl+C at any time to stop.
Related links:
https://docs.fortinet.com/document/fortigate/6.4.0/cli-reference/167620/wireless-controller-vap
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.