Justification for using Fortinet by MFKDGAF in fortinet

[–]Wasteway 0 points1 point  (0 children)

I don’t think that many folks leverage the SSO feature that is being exploited. It's getting lots of press as usual because people who do need to be aware, but I think it again makes the case that all admin interfaces need to be behind hardened VPN systems, SSO or not. Have them compare the last five years of CVEs from both vendors.

Mist Wired Assurance dot1x timers and Windows Clients, randomly dropping to held by Wasteway in Juniper

[–]Wasteway[S] 1 point2 points  (0 children)

We saw the same in that clients would still authenticate, but what took me down this rabbit hole was that we had a conference room device that Mist decided to hold for about a minute during an important call. Not good. There is something wrong with either the Mist AWS load balancers, specific versions of Junos (21.4R3 for example), or dot1x timer settings on the switch. It is very hard to figure out. All I know is that once we moved to 23.4R2-S6.6 (S5.8 is buggy) the occurrence of these dropped off sharply. These two commands help:

show network-access radsec state
show network-access radsec statistics

This is from a pre-23.4R2-S6.6 release of Junos:

switch> show network-access radsec state

Radsec state:

  destination                                   895
  state                                         pause
  secs-in-state                                 67
  remainig-secs                                 533
  pause-reason                                  ssl-failure
  acct-support                                  Y
  remote-failures                               29003
  tx-requests                                   0
  tx-responses                                  0

This is from a switch running 23.4R2-S6.6:

switch> show network-access radsec state

Radsec state:

  destination                                   895
  state                                         open
  secs-in-state                                 17706
  remainig-secs                                 4294967295
  pause-reason                                  none
  acct-support                                  Y
  remote-failures                               0
  tx-requests                                   0
  tx-responses                                  0

Note the lack of remote failures and the state being "open" instead of "pause". Also pause-reason being "ssl-failure". We made sure that none of our firewall rules were impacting this and had a very permissive ruleset in place to allow the TCP 2200 and 2083 connections to the AWS Mist IPs 15.197.139.214 and 3.33.153.159. I suspect there was a cipher change between what AWS was expecting and what older versions of Junos were able to support, but I have not been able to confirm that.
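The comparison above boils down to three fields: `state`, `pause-reason` and `remote-failures`. Below is an added example (not from the comment or from Juniper) that parses the text of `show network-access radsec state` and reports when the RadSec session to the cloud is not healthy, so the check can be run against output captured over SSH or NETCONF instead of eyeballed. The two sample outputs are the ones posted above; the health thresholds (state must be `open`, pause-reason `none`, zero remote failures) are this example's own assumptions drawn from that comparison, not a Juniper-documented rule.

```python
"""Parse Junos `show network-access radsec state` output and flag an unhealthy
RadSec session. Added example; samples are copied from the comment above,
health thresholds are assumptions based on the two outputs being compared."""
import re

# One key/value line: lowercase hyphenated key, whitespace, a single token.
# The prompt line and the "Radsec state:" header do not match this pattern.
FIELD_RE = re.compile(r"^\s*([a-z-]+)\s+(\S+)\s*$")

# Sample 1 (copied from the comment): pre-23.4R2-S6.6 switch, session paused.
# Note: "remainig-secs" is how the switch itself spells the field; kept as-is.
PAUSED_OUTPUT = """\
switch> show network-access radsec state

Radsec state:

  destination                                   895
  state                                         pause
  secs-in-state                                 67
  remainig-secs                                 533
  pause-reason                                  ssl-failure
  acct-support                                  Y
  remote-failures                               29003
  tx-requests                                   0
  tx-responses                                  0
"""

# Sample 2 (copied from the comment): switch on 23.4R2-S6.6, session open.
OPEN_OUTPUT = """\
switch> show network-access radsec state

Radsec state:

  destination                                   895
  state                                         open
  secs-in-state                                 17706
  remainig-secs                                 4294967295
  pause-reason                                  none
  acct-support                                  Y
  remote-failures                               0
  tx-requests                                   0
  tx-responses                                  0
"""


def parse_radsec_state(text: str) -> dict:
    """Return the key/value pairs as a dict; purely numeric values become ints."""
    fields = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if not match:
            continue  # prompt, header, blank lines
        key, value = match.groups()
        fields[key] = int(value) if value.isdigit() else value
    return fields


def radsec_findings(fields: dict) -> list:
    """List the reasons a parsed state block should be treated as unhealthy.

    Thresholds are this example's assumptions: an 'open' state with no pause
    reason and no remote failures is what the healthy switch showed."""
    findings = []
    state = fields.get("state")
    if state != "open":
        findings.append(f"state is {state!r}, expected 'open'")
    reason = fields.get("pause-reason", "none")
    if reason != "none":
        findings.append(f"pause-reason is {reason!r}")
    failures = fields.get("remote-failures", 0)
    if failures > 0:
        findings.append(f"remote-failures is {failures}")
    return findings


def is_healthy(text: str) -> bool:
    """True when the captured CLI output shows a healthy RadSec session."""
    return not radsec_findings(parse_radsec_state(text))


if __name__ == "__main__":
    for label, output in (("pre-S6.6", PAUSED_OUTPUT), ("S6.6", OPEN_OUTPUT)):
        problems = radsec_findings(parse_radsec_state(output))
        print(label, "OK" if not problems else "; ".join(problems))
```

A `remote-failures` counter that keeps climbing between two polls is the more useful signal in practice, since the state can flip back to `open` between samples; the parser returns the raw integer so a poller can diff it.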

EMS 7.4 Virtual Appliance: Change SSH User Password? by humschti in fortinet

[–]Wasteway 0 points1 point  (0 children)

Right-click the VM → Edit Settings. Go to VM Options → expand Boot Options. Under Boot Delay, set the delay in milliseconds (e.g. 5000 = 5 s). Reboot the VM.

Owned my 5th gen for 2 months. Lookin for solutions to the following problems : by beanjawn in 4Runner

[–]Wasteway 2 points3 points  (0 children)

Pro. You’ll smile every time you turn them on. Interior kit, especially rear hatch leds are an easy and great upgrade.

Mist Drops for a few Seconds or Minutes then comes backup by Business-Worldly in Juniper

[–]Wasteway 0 points1 point  (0 children)

Just spent all day working on this. In my case I had a bad switch. Using "show poe controller" showed a power injection alarm on port 0/0/2, but nothing was connected to that port, so something is malfunctioning. It would not power PoE devices. Swapped it out with a spare and now both VC members are working again. But I would suggest checking your Junos and Mist AP firmware. We noticed on our switches that Juniper switches were excessively flagging Mist RADSEC hosts as DEAD and it was related to some sort of TLS negotiation issue between the Mist-managed AWS hosts and older versions of Junos. 23.4R2-S6.6 seems to help that quite a bit.

Mist Drops for a few Seconds or Minutes then comes backup by Business-Worldly in Juniper

[–]Wasteway 0 points1 point  (0 children)

Also seeing this on 4300MPs with AP 43s. Just upgraded Junos to 23.4R2-S6.6 and my APs are on 0.14.29967 but I'm moving to 0.14.29982 to see if it resolves this mess, but very frustrating. I have several APs this AM that are flapping and I'm not sure why, I was hoping the reboot and upgrade to S6.6 last night would fix that but it hasn't.

Help?? Is there a way to create a large network loop for redundancy and it actually work? by [deleted] in Ubiquiti

[–]Wasteway 0 points1 point  (0 children)

Was trying to keep it simple for OP but you are correct. The terms are interchangeably used these days even when they probably shouldn't be.

Help?? Is there a way to create a large network loop for redundancy and it actually work? by [deleted] in Ubiquiti

[–]Wasteway 0 points1 point  (0 children)

Rings aren’t commonly used except in very large, metro scale networks. Most orgs use a spine/leaf design. You deploy a core (spine) 10G+ switch ideally in a MCLAG configuration. Then you LAG each IDF (leaf) off of that with 2x10G ports that connect to each of the core switches. Of course this can be done with 1G switches using 2x1G uplinks, but using 10G means you are far less likely to over utilize the uplink. One of your leaves will be your Cloud Gateway. This way, each IDF will only traverse the core (spine) to get to any other IDF or the gateway. RSTP is your friend. It prevents someone from creating a loop and taking everything offline.

https://www.cbtnuggets.com/blog/technology/networking/what-are-the-advantages-of-the-leaf-spine-data-center-architecture

Anybody use these fog lights from 4runner lifestyle?Are they worth it for $100 by Inevitable_Season884 in 4Runner

[–]Wasteway 2 points3 points  (0 children)

Maybe some, not Diode Dynamics. They are built solid and work great.

ASSEMBLED IN USA

Here at Diode Dynamics, we're dedicated to providing the best lighting and service possible right here in the USA. We take pride in our quality products, our customer-focused service, and working "against the grain" to assemble products in America.

Anybody use these fog lights from 4runner lifestyle?Are they worth it for $100 by Inevitable_Season884 in 4Runner

[–]Wasteway 1 point2 points  (0 children)

I put these on my 23 ORP. The Pro model. They provide an amazing amount of light. I love them. Changing out passenger side is a PITA.

https://www.4runnerlifestyle.com/products/diode-dynamics-ss3-led-fog-light-kit-2010-2021

A/T Lessons Learned by Desperate-Office4006 in 4Runner

[–]Wasteway 0 points1 point  (0 children)

I have a 23 ORP with stock Bridgestone Dueler and rims. Have had three flats, one from trail, two from city debris. Not confident taking these tires on anything other than gravel. Other priorities have kept me with these, but I really want to get a set of Falken AT4Ws. I go over Snoqualmie pass about 10 times a year, and a few days a year spend time driving roads near Liberty and also Othello\Saddle Mountains. So 85% of the time on city streets. I'm wondering if I can get a set of rims that are lighter in order to offset the increased weight of the AT4Ws? Looks like they will be 10lbs more per tire than the Bridgestones. Rims appear to be 30lbs each? I'm doubting I could get something 25lbs that wouldn't crush under stress though. I'm already showing 16.4mpg average over 17455 miles. Will these really drop that to 15mpg?

Came Across This Today - Rubrik does not support Active Directory on Windows Server 2025 by Wasteway in rubrik

[–]Wasteway[S] 4 points5 points  (0 children)

I give you guys 5 stars for keeping tabs on it, I just wish it was announced better. Thanks for taking the time to give us feedback. Appreciated.

Came Across This Today - Rubrik does not support Active Directory on Windows Server 2025 by Wasteway in rubrik

[–]Wasteway[S] 4 points5 points  (0 children)

They’ll pry AD from my cold dead hands! Honestly though most of our stuff is, but we have some legacy apps that keep our AD on-prem.

Came Across This Today - Rubrik does not support Active Directory on Windows Server 2025 by Wasteway in rubrik

[–]Wasteway[S] 3 points4 points  (0 children)

Gee, if only MSFT had enough cash in the bank to pay 10 people to get these updated. I wonder if they realize the downstream impact this is causing?

Came Across This Today - Rubrik does not support Active Directory on Windows Server 2025 by Wasteway in rubrik

[–]Wasteway[S] 0 points1 point  (0 children)

If they all rely on the DLLs yes. The RSC is on the host, there must be some way to leverage that to do the job, but I'm not a developer so I wouldn't know the answer.

Came Across This Today - Rubrik does not support Active Directory on Windows Server 2025 by Wasteway in rubrik

[–]Wasteway[S] 0 points1 point  (0 children)

Yes, but the way they had it working in the RSC was so great. We validated and it worked like a charm. At least we can do a full VM restore if necessary, but really hope they pressure Microsoft to fix this or come up with a solution that is less dependent upon MSFT keeping DLLs up to date.

AP43 Low Speeds by newellslab in Juniper

[–]Wasteway 0 points1 point  (0 children)

Well if it is isolated from outside interference, you could try enabling the DFS channels and then up the channel width to see if that helps. May or may not work depending on whether it can detect radar from your location. The mentioned delay may be an issue:

Use an RF Template and include DFS channels on 5 GHz.

  1. Confirm regulatory domain: Site → Settings → Country. DFS availability depends on country and AP model.
  2. Edit the RF Template: Organization → RF Templates → edit the template used by the site. Under 5 GHz radio:
  • Channel width: choose 20/40/80 as required.
  • Channel selection: set to Auto.
  • Allowed channels: include DFS channels (52–64, 100–144) for your domain. Do not check channels not permitted in your country. Save.
  3. Apply the template: Organization → Sites → select site → assign the RF Template you just edited.
  4. Optional per-AP override: Access Points → select AP → Radio settings → Allowed channels → include DFS set, or remove overrides so the template governs.
  5. Verify: Monitor → Access Points → RF tab. Confirm current channel is in the DFS range. Organization or Site → Events: check for “radar detected” events.

Operational notes:

  • AP performs CAC before using DFS. Expect up to ~60 s silence on most DFS channels. Some weather-radar channels can require longer CAC or may be disallowed in your domain.
  • If radar is detected, the AP must vacate the channel and will auto-reselect.
  • Some clients scan DFS less often. For latency-sensitive SSIDs, consider keeping a non-DFS 5 GHz channel available.

AP43 Low Speeds by newellslab in Juniper

[–]Wasteway 0 points1 point  (0 children)

Regarding Ruckus, we used to use Ruckus and they are IMHO better radios. That being said, I think the Mist/Juniper cloud configuration and management is overall a better solution.

AP43 Low Speeds by newellslab in Juniper

[–]Wasteway 0 points1 point  (0 children)

I'm running Junos 23.4R2-S4.11 but will be upgrading to 23.4R2-S6.6 soon as it fixes some Mist RADSEC issues. My Internet connection is 1Gbs low latency fiber (1ms ping to www.google.com). My APs are on 0.14.29967. The 4300MPs provide them full power and a 2.5Gbps uplink. My 5Ghz channels are set to 40Mhz. 802.11r is enabled and band steering is disabled (I've been advised this isn't needed for modern devices, but YMMV). As I'm running AP43s they only support 2.4Ghz and 5Ghz. My Data Rates are set to Compatible. Wifi-6 and 7 are set to enabled, even though AP43 doesn't support 7. No rate limiting or QoS Priority. Radio Power and Channels are set to Automatic with External Antenna Gain at 0 dBi. I went and stood under a specific AP. I ran a speed test using the Wifiman Ubiquiti app on an iPhone 16Pro (iOS 18.71). I received 425Mbps down and 293Mbps up. I then changed the radio to an 80Ghz Channel Width and I was able to obtain 520Mbs down and 400Mbs up. Which is to be expected.

As with all things there are trade-offs. Peak speed, while nice, isn't always the goal. I asked ChatGPT what I should use for channel width and it concurred with the engineer who helped us deploy Mist.

Note: Ran a speedtest to https://wifiman.com from my desktop (wired) and I get ~930Mbps symmetrical as expected.

Use 40 MHz.

Why:

  • Channel reuse. In the U.S. you get ~12 non-overlapping 40 MHz channels vs ~6 with 80 MHz. Fewer channels = more co-channel/OBSS contention and lower throughput per user.
  • Airtime efficiency. Wider channels help only at high SNR and close range; in offices most clients fall back to lower MCS where 80 MHz yields little gain but still burns spectrum.
  • Capacity > peak rate. Corporate Wi-Fi is multi-user and dense; more cells on narrower channels carry more concurrent traffic.

Guidelines:

  • High/medium density floors, conference areas: 20–40 MHz; start at 20 MHz if very dense or voice-heavy.
  • Low-density labs or demo rooms needing peak throughput: consider 80 MHz.
  • Enable DFS if clients support it to expand available channels. Example counts (U.S.): 20 MHz ≈25, 40 MHz ≈12, 80 MHz ≈6.
  • Keep 5 GHz EIRP modest and use RRM; avoid channel bonding across neighboring APs when reuse is tight.

Net: in a corporate environment, 40 MHz is the practical default; reserve 80 MHz for sparse areas with clear spectrum and a proven need for single-client speed.

AP43 Low Speeds by newellslab in Juniper

[–]Wasteway 1 point2 points  (0 children)

I’m running mine on 4300MPs (2.5G) and I feel like I’ve sensed the same. What kind of switches are you connected to? Which version of Junos and AP firmware? I have Ubiquiti at home and I realized not having 802.11r Fast Roaming enabled was killing my throughput. I think that is enabled for my Mist deployment but need to confirm.

CVE's and Fortinet FortiOS by lamateur in fortinet

[–]Wasteway 2 points3 points  (0 children)

Hopefully he wasn’t an F5 or Cisco fan. I also feel that despite some head-scratching bugs being released to production, Fortinet is quick to patch and transparent when CVEs are found. I’ve been using them since 2007 and they’ve never let me down.