FortiWiFi and FortiAP Configuration Guide


Discovery and authorization of APs

To complete the discovery and authorization of APs, perform the following tasks:

Configuring the network interface for the AP unit

The interface to which you connect your wireless access point needs an IP address. No administrative access, DNS Query service or authentication should be enabled.

In this example, the FortiAP units connect to port3 and are controlled through IP addresses on the 10.10.70.0/24 network.

To configure the interface for the AP unit - GUI
  1. Go to Network > Interfaces, and edit the interface to which the AP unit connects (in this example, port3).
  2. In Addressing mode, select Manual.
  3. In IP/Network Mask, enter an IP address and netmask for the interface (in this example, 10.10.70.1/255.255.255.0).

  4. In the Administrative Access section, go to IPv4 and select the CAPWAP checkbox.
  5. When FortiAP units are connected to the interface on FortiGate (directly or through a switch), you can go to the Edit Interface section and set the Role to LAN.

    Selecting the LAN role loads the DHCP Server toggle. If you enable DHCP Server, the GUI can automatically set the DHCP IP range based on the interface IP address.

  6. Click OK.

To configure the interface for the AP unit - CLI

In the CLI, you must configure the interface IP address and DHCP server separately.

    config system interface
        edit "port3"
            set mode static
            set ip 10.10.70.1 255.255.255.0
            set allowaccess capwap
        next
    end
    config system dhcp server
        edit 3
            set interface "port3"
            config ip-range
                edit 1
                    set start-ip 10.10.70.2
                    set end-ip 10.10.70.254
                next
            end
            set default-gateway 10.10.70.1
            set netmask 255.255.255.0
            set vci-match enable
            set vci-string "FortiAP"
        next
    end

The optional vci-match and vci-string fields ensure that the DHCP server will provide IP addresses only to FortiAP units.

Pre-authorizing a FortiAP unit

If you enter the FortiAP unit information in advance, the unit is authorized and begins to function when it is connected.

To pre-authorize a FortiAP unit
  1. Go to WiFi & Switch Controller > Managed FortiAPs and select Create New.
    On some models the WiFi Controller menu is called WiFi & Switch Controller.
  2. Enter the Serial Number of the FortiAP unit.
  3. Configure the Wireless Settings as required.
  4. Select OK.

Enabling and configuring a discovered AP

  1. Connect the FortiAP unit to the FortiGate unit. Within two minutes, the WiFi & Switch Controller > Managed FortiAPs page displays the discovered FortiAP unit.
  2. Select the FortiAP unit and authorize that unit.

[Figure: Discovered access point unit]

When you authorize (enable) a FortiAP unit, it is configured by default to use the default FortiAP profile (determined by model). You can create and select a different profile, if needed. The FortiAP profile defines the entire configuration for the AP.

To add and configure the discovered AP unit - GUI
  1. Go to WiFi & Switch Controller > Managed FortiAPs.
    This configuration also applies to local WiFi radio on FortiWiFi models.
  2. Select the FortiAP unit from the list and edit it.
  3. Optionally, enter a Name. Otherwise, the unit will be identified by serial number.
  4. Select Authorize.
  5. Select a FortiAP Profile.
  6. Select OK.

The physical access point is now added to the system. If the rest of the configuration is complete, it should be possible to connect to the wireless network through the AP.

To add the discovered AP unit - CLI

First get a list of the discovered access point unit serial numbers:

    get wireless-controller wtp

Add a discovered unit and associate it with AP-profile1, for example:

    config wireless-controller wtp
        edit FAP22A3U10600118
            set admin enable
            set wtp-profile AP-profile1
    end

To view the status of the added AP unit

    config wireless-controller wtp
        edit FAP22A3U10600118
            get

The join-time field should show a time, not “N/A”. See the preceding GUI procedure for more information.

Disabling the automatic discovery of unknown FortiAPs

By default, FortiGate adds newly discovered FortiAPs to the Managed FortiAPs list, awaiting the administrator's authorization. Optionally, you can disable this automatic registration function to avoid adding unknown FortiAPs. A FortiAP will be registered and listed only if its serial number has already been added manually to the Managed FortiAPs list. AP registration is configured on each interface.

To disable automatic discovery and registration, enter the following command:

    config system interface
        edit port15
            set ap-discover disable
    end

Enabling the automatic authorization of extension devices

To simplify adding FortiAP or FortiSwitch devices to your network, you can enable automatic authorization of devices as they are connected, instead of authorizing each one individually.

This feature is only configurable in the CLI.

To enable automatic authorization on all dedicated interfaces

    config system global
        set auto-auth-extension-device enable
    end

To enable automatic authorization per-interface

    config system interface
        edit <port>
            set auto-auth-extension-device enable
    end
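
The discovery and automatic-authorization settings above decide which devices can join as managed APs, so they are worth checking in configuration backups. The following Python audit is an added example, not Fortinet code: it scans a constructed backup excerpt and reports AP-facing interfaces (assumed here to be those with capwap in allowaccess) that allow other administrative access, leave ap-discover at its default, or enable auto-auth-extension-device. The names parse, audit and SAMPLE are illustrative.

```python
import shlex

# Constructed sample of a FortiOS configuration backup (not from a real device).
SAMPLE = """
config system global
    set auto-auth-extension-device enable
end
config system interface
    edit "port3"
        set allowaccess capwap
        set ap-discover disable
    next
    edit "port15"
        set allowaccess ping https capwap
        set auto-auth-extension-device enable
    next
end
"""

def parse(text):  # -> {section: {entry: {key: [values]}}}; entry is "" without 'edit'
    out, depth, section, entry = {}, 0, None, ""
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] == "config":
            depth += 1
            if depth == 1:  # nested config blocks inside an entry are skipped
                section, entry = " ".join(tok[1:]), ""
        elif tok[0] == "end":
            depth -= 1
        elif depth == 1 and tok[0] == "edit":
            entry = tok[1]
        elif depth == 1 and tok[0] == "set":
            out.setdefault(section, {}).setdefault(entry, {})[tok[1]] = tok[2:]
    return out

def audit(text):  # -> [(scope, finding)] for the AP onboarding settings
    cfg, found = parse(text), []
    if cfg.get("system global", {}).get("", {}).get("auto-auth-extension-device") == ["enable"]:
        found.append(("global", "auto-auth-extension-device enable"))
    for name, s in cfg.get("system interface", {}).items():
        access = set(s.get("allowaccess", []))
        if "capwap" not in access:
            continue  # assumption: only interfaces allowing capwap are AP-facing
        checks = {
            "allowaccess beyond capwap": access - {"capwap"},
            "ap-discover enable": s.get("ap-discover", ["enable"]) == ["enable"],  # default on
            "auto-auth-extension-device enable": s.get("auto-auth-extension-device") == ["enable"],
        }
        found += [(name, label) for label, hit in checks.items() if hit]
    return found
```

Calling audit(SAMPLE) returns one finding for the global setting and three for port15, while port3 passes.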

Assigning the same FortiAP profile to multiple FortiAP units

The same profile can now be applied to multiple managed FortiAP units at the same time, as follows:

  1. Go to WiFi & Switch Controller > Managed FortiAPs to view the AP list.
  2. Select all FortiAP units you wish to apply the profile to.
  3. Right click on one of the selected FortiAPs and select Assign Profile.
  4. Choose the profile you wish to apply.

Overriding the FortiAP profile

In the FortiAP configuration (WiFi & Switch Controller > Managed FortiAPs), there are several radio settings under Override Radio 1 and Override Radio 2. You can set each value independently of the FortiAP profile setting. When each of the radios is disabled, you will see the value that the FortiAP profile has configured for each setting.

Band

The available options depend on the capability of the radio. Overriding Band also overrides Channels. Make appropriate settings in Channels.

Channels

Choose channels. The available channels depend on the Band.

TX Power Control

If you enable Auto, set the power range in dBm.
If you enable Manual, adjust the slider. The 100% setting is the maximum power permitted in your region. See Setting your geographic location.

SSIDs

Select Auto or Manual. Selecting Auto eliminates the need to re-edit the profile when new SSIDs are created. However, you can still select SSIDs individually using Manual.

To override radio settings in the CLI

In this example, Radio 1 is set to 802.11n on channel 11, regardless of the profile setting.

    config wireless-controller wtp
        edit FP221C3X14019926
            config radio-1
                set override-band enable
                set band 802.11n
                set override-channel enable
                set channel 11
            end
        next
    end

You can override settings for band, channel, vaps (SSIDs), and TX power.

Outside of configuring radio settings, you can also override FortiAP LED state, WAN port mode, IP Fragmentation prevention method, spectrum analysis, split tunneling, and login password settings.
