Interoperability Report
Ascom i62
Fortinet MC/WLC
WLC controller platform
Fortinet MC/WLC v. 8.5-0-6
Ascom i62 v. 6.2.0
Morrisville, NC, USA
September 2019
Interoperability Report Date Page Ascom i62 – Fortinet WLC 30-SEP-2019 2 / 18
Contents
Introduction ...................................................................................................................................... 3
About Ascom .................................................................................................................................. 3
About Fortinet ................................................................................................................................. 3
Site Information ............................................................................................................................... 4
Verification site ............................................................................................................................... 4
Participants .................................................................................................................................... 4
Verification topology ....................................................................................................................... 4
Summary .......................................................................................................................................... 5
General conclusions ....................................................................................................................... 5
Verification overview ...................................................................................................................... 6
Known limitations ........................................................................................................................... 7
Appendix A: Verification Configurations....................................................................................... 8
Fortinet MC1550 WLAN Controller version 8.5-0-6 ........................................................................ 8
Ascom i62 .................................................................................................................................... 16
Appendix B: Interoperability Verification Records ..................................................................... 18
Document History .......................................................................................................................... 18
Interoperability Report Date Page Ascom i62 – Fortinet WLC 30-SEP-2019 3 / 18
Introduction
This document describes a summary of the interoperability verification results of the Ascom’s and Fortinets
platform, necessary steps and guidelines to optimally configure the platforms and support contact details. The
report should be used in conjunction with both Fortinets and Ascom’s platform configuration guides.
About Ascom
Ascom is a global solutions provider focused on healthcare ICT and mobile workflow solutions. The vision of
Ascom is to close digital information gaps allowing for the best possible decisions – anytime and anywhere.
Ascom’s mission is to provide mission-critical, real-time solutions for highly mobile, ad hoc, and time-sensitive
environments. Ascom uses its unique product and solutions portfolio and software architecture capabilities to
devise integration and mobilization solutions that provide truly smooth, complete and efficient workflows for
healthcare as well as for industry, security and retail sectors.
Ascom is headquartered in Baar (Switzerland), has subsidiaries in 15 countries and employs around 1,300 people
worldwide. Ascom registered shares (ASCN) are listed on the SIX Swiss Exchange in Zurich.
About Fortinet
Fortinet (NASDAQ: FTNT) secures the largest enterprise, service provider, and government organizations around
the world. Fortinet empowers its customers with intelligent, seamless protection across the expanding attack
surface and the power to take on ever-increasing performance requirements of the borderless network - today
and into the future. Only the Fortinet Security Fabric architecture can deliver security features without compromise
to address the most critical security challenges, whether in networked, application, cloud or mobile environments.
Fortinet ranks #1 in the most security appliances shipped worldwide and more than 330,000 customers trust
Fortinet to protect their businesses. Learn more at https://www.fortinet.com, the Fortinet Blog, or FortiGuard Labs.
Interoperability Report Date Page Ascom i62 – Fortinet WLC 30-SEP-2019 4 / 18
Site Information
Verification site Ascom US
300 Perimeter park drive
Morrisville, NC, US-27560
USA
Participants
Karl-Magnus Olsson, Ascom, Morrisville
Verification topology
Interoperability Report Date Page Ascom i62 – Fortinet WLC 30-SEP-2019 5 / 18
Summary
General conclusions
The result of the verified test areas, such as authentication, association, handover and call stability tests,
produced in general very good test result. Due to Fortinets single channel architecture, no traditional roaming is
made which makes the roaming seamless.
Note. Unless the parameter “Expedited Forwarding Override” is used the i62 have to mark voice packets with
DSCP 48 in order for appropriate mapping in the “air” (Access Category 6). Refer to handset configuration on
page 17.
Please refer to Fortinet’s documentation for information regarding co-existence and between different access
point models within the same wireless network.
Supported Partner Access Points with SW version 8.5-0.6:
AP U221EV, U223EV
AP U321EV, U323EV
AP U421EV, U423EV
Supported Partner Controller Platforms with SW version 8.5-0.6::
MC3200, MC3200-VE
MC1550, MC1550-VE , MC1500-VE
MC4200, MC4200-VE
FortiWLC-50D ,200D, 500D, 1000D, 3000D
FWC- VM-50, 200, 500, 1000, 3000
Interoperability Report Date Page Ascom i62 – Fortinet WLC 30-SEP-2019 6 / 18
Verification overview
WLAN Compatibility and Performance
High Level Functionality Result Comments
Association, Open with No Encryption OK
Association, WPA2-PSK / AES Encryption OK
Association, PEAP-MSCHAPv2 Auth, AES Encryption OK
Association with EAP-TLS authentication OK
Association, Multiple ESSIDs OK
Beacon Interval and DTIM Period OK
PMKSA Caching OK
WPA2-opportunistic/proactive Key Caching OK
WMM Prioritization OK
802.11 Power-save mode OK
802.11e U-APSD OK
802.11e U-APSD (load test) OK
Roaming, WPA2-PSK, AES Encryption OK Roam transparent to handset*
Roaming, PEAP-MSCHAPv2 Auth, AES Encryption OK Roam transparent to handset*
*) RF Mode: Virtual Cell. See Known issues section for limitations regarding Native Cell mode.
Interoperability Report Date Page Ascom i62 – Fortinet WLC 30-SEP-2019 7 / 18
Known limitations
Description and Symptoms Workaround Ticket(s)
raised
RF Virtualization Mode: “Native Cell” considerations. When using PSK Authentication AP U421EV show longer roaming times than expected due to delayed EAPOL keys from AP. Measured roaming times are typically 120-170ms and data loss can be clearly noticed in a call. Fortinet does not support OKC (opportunistic key caching) resulting in unacceptable (for VoIP) roaming times when utilizing .1X authentication together with Native Cell.
Virtual Cell mode is
recommended for all access
points.
For additional information regarding the known limitations please contact [email protected] or [email protected].
For detailed verification results, refer to Appendix B: Interoperability Verification Records.
Interoperability Report Date Page Ascom i62 – Fortinet WLC 30-SEP-2019 8 / 18
Appendix A: Verification Configurations
Fortinet MC1550 WLAN Controller version 8.5-0-6
In the following chapter you will find screenshots and explanations of basic settings in order to get a Fortinet
WLAN system to operate with an Ascom i62. Please note that security settings were modified according to
requirements in individual test cases.
The configuration file is found at the bottom of this chapter.
Security settings
Security profiles.
Security profile WPA2-PSK, AES/CCMP encryption.
Interoperability Report Date Page Ascom i62 – Fortinet WLC 30-SEP-2019 9 / 18
Security profile WPA2-Enterprise, AES-CCMP encryption Primary RADIUS Profile Name “FreeRadius2” refers to
the RADIUS profile set up in the controller. See radius profile below for additional details.
Configuration of Radius profile.
Interoperability Report Date Page Ascom i62 – Fortinet WLC 30-SEP-2019 10 / 18
Radius profile configuration. Note that the profile “FreeRadius2”, the RADIUS IP and the secret must correspond
to the authentication server running in the network.
Interoperability Report Date Page Ascom i62 – Fortinet WLC 30-SEP-2019 11 / 18
ESS, Radio and QoS settings
Ascom recommended settings for 802.11b/g/n are to only use channel 1, 6 or 11. For 802.11a/n/ac, use channels
according to the infrastructure manufacturer and country regulations.
Make sure that all non-DFS channel are taken before resorting to DFS channels. The handset can cope in
mixed non-DFS and DFS environments; however, due to “unpredictability” introduced by radar detection
protocols, voice quality may become distorted and roaming delayed. Hence Ascom recommends if
possible avoiding the use of DFS channels in VoWIFI deployments.
Interoperability Report Date Page Ascom i62 – Fortinet WLC 30-SEP-2019 12 / 18
ESS settings. Even though 11k and 11r features are not supported by Ascom i62 it can coexist in a network were
it is enabled. For example in a deployment with Ascom Myco 3.
Interoperability Report Date Page Ascom i62 – Fortinet WLC 30-SEP-2019 13 / 18
ESS settings (continued).
Make sure APSD support is enabled.
Make sure band steering and Multicast-to-Unicast Conversion is enabled
Note. Ascom and Fortinet recommend Virtual Cell for Ux2xEV. See section Known Issues for further
details.
Interoperability Report Date Page Ascom i62 – Fortinet WLC 30-SEP-2019 14 / 18
ESS advanced settings
- Select Voice Client Type - ascom
- Set DTIM Period of 5 and a DTIM interval of 100ms. These values are recommended in order to
allow maximum battery conservation without impacting the quality. Lower DTIM values are possible
but will decrease the standby time.
- Expedited Forwarding Override will map DSCP 46 (EF) to the AC_VO. If turned off, IP DSCP for
Voice has to be set to 0x30 (48) in the Phone. See i62 settings further down.
In a Fortinet environment, we recommended that the data rates are advertised within the ESS per above for
802.11a/n/ac.
Interoperability Report Date Page Ascom i62 – Fortinet WLC 30-SEP-2019 15 / 18
In a Fortinet environment, it is recommended that the data rates are advertised within the ESS per above
(802.11b/g/n). To further optimize performance it is recommended to disallow 802.11b clients to associate by
setting 12Mbps rate to mandatory in the 802.11bgn data rate set.
Interoperability Report Date Page Ascom i62 – Fortinet WLC 30-SEP-2019 16 / 18
Ascom i62
Network settings for WPA2-PSK
Note. Make sure that the enabled channels in the i62 handset match the channel plan used in the system.
Note. FCC is no longer allowing 802.11d to determine regulatory domain. Devices deployed in USA must
set Regulatory domain to “USA”.
Interoperability Report Date Page Ascom i62 – Fortinet WLC 30-SEP-2019 17 / 18
Network settings for .1X authentication (PEAP-MSCHAPv2)
802.1X Authentication requires a CA certificate to be uploaded to the phone by “right clicking” - > Edit certificates.
EAP-TLS will require both a CA and a client certificate.
Note that both a CA and a client certificate are needed for TLS. Otherwise only a CA certificate is needed.
Server certificate validation can be overridden in version 4.1.12 and above per handset setting.
Interoperability Report Date Page Ascom i62 – Fortinet WLC 30-SEP-2019 18 / 18
Appendix B: Interoperability Verification Records
Pass
Fail
Comments
Not verified
16
0
0
5
Total 21
Refer to the attached file for detailed verification results.
Refer to the verification specification for explicit information regarding each verification case.
The specification can be found here (requires login):
https://www.ascom-ws.com/AscomPartnerWeb/en/startpage/Sales-tools/Interoperability/Templates/
Document History
Rev Date Author Description
P1 3-Oct-19 SEKMO Draft
R1 9-Oct-19 SEKMO Review. Official revision R1
https://www.ascom-ws.com/AscomPartnerWeb/en/startpage/Sales-tools/Interoperability/Templates/
WLAN TR
WLAN Interoperability Test ReportWLAN configuration:
Beacon Interval: 100ms
Test object - Handset:DTIM Interval: 5
Ascom i62 6.2.0802.11d Regulatory Domain: World
Test object - WLAN system:WMM Enabled (Auto/WMM)
Fortinet WLC 8.5-0-6No Auto-tune
AP U221EV, U421EVU221EVU421EVSingle Voice VLAN
2.4Ghz5.0Ghz2.4Ghz5.0Ghz
Test CaseDescriptionVerdictVerdictVerdictVerdictComment
TEST AREA ASSOCIATION / AUTHENTICATION
#101Association with open authentication, no encryptionNOT TESTEDNOT TESTEDNOT TESTEDNOT TESTED
#107Association with WPA2-PSK authentication, AES-CCMP encryptionPASSPASSPASSPASSHidden SSID ok
#110Association with PEAP-MSCHAPv2 auth, AES-CCMP encryptionPASSPASSPASSPASSFreeRADIUS server; RootCA loaded to device; Handset autheticates twiceFAIL
#116Association with EAP-TLS authenticationPASSPASSPASSPASSFreeRADIUS server; RootCA and clients certificate loaded to device
TEST AREA POWER-SAVE AND QOSPASS
#150802.11 Power-save modePASSPASSPASSPASSFAIL
#151Beacon period and DTIM intervalPASSPASSPASSPASSNOT TESTED
#152802.11e U-APSDPASSPASSPASSPASSSee Comment
#202WMM prioritizationPASSPASSPASSPASSiperf used to generate backgound load.
TEST AREA "PERFORMANCE"
#308Power-save mode U-APSD – WPA2-PSKNOT TESTEDNOT TESTEDNOT TESTEDNOT TESTED
#310CAC - TSPECNOT TESTEDNOT TESTEDNOT TESTEDNOT TESTED
TEST AREA ROAMING AND HANDOVER TIMES
#401Handover with open authentication and no encryptionNOT TESTEDNOT TESTEDNOT TESTEDNOT TESTED
#404Handover with WPA2-PSK auth and AES-CCMP encryptionPASSPASSPASSPASSVirtual Cell: OK. Client roaming not applicable due to virtual cell architecture. Native cell: Roaming times 80-110ms.
#408Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryptionPASSPASSPASSPASSVirtual Cell: OK. Client roaming not applicable due to virtual cell architecture. Native cell: OKC not supported. First roam before PMKSA roam to AP takes 1s+. Noticeable voice gap.
#411Handover using PMKSA and opportunistic/proactive key cachingPASSPASSPASSPASSVirtual Cell: OK. Client roaming not applicable due to virtual cell architecture. Native cell: See #408
TEST AREA BATTERY LIFETIME
#501Battery lifetime in idleNOT TESTEDNOT TESTEDNOT TESTEDPASS80+
#504Battery lifetime in call with power save mode U-APSDNOT TESTEDNOT TESTEDNOT TESTEDPASS8h+ (default settings but only non DFS channels)
TEST AREA STABILITY
#602Duration of call – U-APSD modePASSPASSPASSPASS1h call maintained , Test limited to 1h
TEST AREA 802.11n
#801Frame aggregation A-MSDUNOT TESTEDNOT TESTEDNOT TESTEDNOT TESTED
#802Frame aggregation A-MPDUPASSPASSPASSPASS
#80440Mhz channelsNOT TESTEDPASSNOT TESTEDPASS
#805802.11n ratesPASSPASSPASSPASSUplink and downlink.
look at uapsd deliver AP710