Fortinet black logo

FortiWiFi and FortiAP Cookbook

Home FortiAP / FortiWiFi 6.2.0 FortiWiFi and FortiAP Cookbook

Discovering, authorizing, and deauthorizing FortiAP units

6.2.0
6.4.0
6.2.0
Copy Link
Copy Doc ID ac61f4d3-ce67-11e9-8977-00505692583a:540137
Download PDF

Discovering, authorizing, and deauthorizing FortiAP units

Discovering a FortiAP unit

For a FortiGate acting as an AP controller (AC) to discover a FortiAP unit, the FortiAP must be able to reach the AC. A FortiAP with the factory default configuration has various ways of acquiring an AC's IP address to reach it.

AC discovery type

Description

Auto

The FortiAP attempts to be discovered in the below ways sequentially within an endless loop.

Static

The FortiAP sends discover requests to a preconfigured IP address that an AC owns.

DHCP

The FortiAP acquires the IP address of an AC in DHCP option 138 (the factory default) of a DHCP offer, which the FortiAP acquires its own IP address from.

DNS

The FortiAP acquires the AC's IP address by resolving a preconfigured FQDN.

FortiCloud

FortiGate Cloud discovers the FortiAP.

Broadcast

FortiAP is discovered by sending broadcasts in its local subnet.

Multicast

FortiAP is discovered by sending discovery requests to a multicast address of 224.0.1.140, which is the factory default.

AC actions when a FortiAP attempts to get discovered

Enable ap-discover on the AC for the interface designed to manage FortiAPs:

config system interface

edit "lan"

set ap-discover enable

next

end

The ap-discover command allows the AC to create an entry in the managed FortiAPs table when it receives the FortiAP's discovery request. The ap-discover command is enabled by default. When the FortiAP entry is created automatically, it is marked as discovered status, and is pending for an administrator's authorization, unless the following setting is present:

config system interface
    edit "lan"
        set auto-auth-extension-device enable
    next
end

The auto-auth-extension-device command will allow AC authorize an new discovered FortiAP automatically without an administrator's manual authorization operation. The auto-auth-extension-device command is disabled by default.

Authorize a discovered FortiAP

Once the FortiAP discovery request is received by AC, an FortiAP entry will be added to the managed FortiAP table, and shown on GUI > Managed FortiAP list page.

To authorize the specific AP, click to select the FortiAP entry, then click Authorize button on the top of the table or Authorize entry in the pop-out menu.

Through GUI, authorization can also be done in FortiAP detail panel, under Action menu.

The authorization can also be done through CLI with follow commands.

config wireless-controller wtp
    edit "FP423E3X16000320"
        set admin enable
    next
end

De-authorize a managed FortiAP

To de-authorize a managed FortiAP, click to select the FortiAP entry, then click Deauthorize button on the top of the table or Deauthorize entry in the pop-out menu.

Through GUI, de-authorization can also be done in the FortiAP detail panel, under the Action menu.

The de-authorization can also be done through CLI with follow commands.

config wireless-controller wtp
    edit "FP423E3X16000320"
        set admin discovered
    next
end
Previous
Next

Discovering, authorizing, and deauthorizing FortiAP units

Discovering a FortiAP unit

For a FortiGate acting as an AP controller (AC) to discover a FortiAP unit, the FortiAP must be able to reach the AC. A FortiAP with the factory default configuration has various ways of acquiring an AC's IP address to reach it.

AC discovery type

Description

Auto

The FortiAP attempts to be discovered in the below ways sequentially within an endless loop.

Static

The FortiAP sends discover requests to a preconfigured IP address that an AC owns.

DHCP

The FortiAP acquires the IP address of an AC in DHCP option 138 (the factory default) of a DHCP offer, which the FortiAP acquires its own IP address from.

DNS

The FortiAP acquires the AC's IP address by resolving a preconfigured FQDN.

FortiCloud

FortiGate Cloud discovers the FortiAP.

Broadcast

FortiAP is discovered by sending broadcasts in its local subnet.

Multicast

FortiAP is discovered by sending discovery requests to a multicast address of 224.0.1.140, which is the factory default.

AC actions when a FortiAP attempts to get discovered

Enable ap-discover on the AC for the interface designed to manage FortiAPs:

config system interface

edit "lan"

set ap-discover enable

next

end

The ap-discover command allows the AC to create an entry in the managed FortiAPs table when it receives the FortiAP's discovery request. The ap-discover command is enabled by default. When the FortiAP entry is created automatically, it is marked as discovered status, and is pending for an administrator's authorization, unless the following setting is present:

config system interface
    edit "lan"
        set auto-auth-extension-device enable
    next
end

The auto-auth-extension-device command will allow AC authorize an new discovered FortiAP automatically without an administrator's manual authorization operation. The auto-auth-extension-device command is disabled by default.

Authorize a discovered FortiAP

Once the FortiAP discovery request is received by AC, an FortiAP entry will be added to the managed FortiAP table, and shown on GUI > Managed FortiAP list page.

To authorize the specific AP, click to select the FortiAP entry, then click Authorize button on the top of the table or Authorize entry in the pop-out menu.

Through GUI, authorization can also be done in FortiAP detail panel, under Action menu.

The authorization can also be done through CLI with follow commands.

config wireless-controller wtp
    edit "FP423E3X16000320"
        set admin enable
    next
end

De-authorize a managed FortiAP

To de-authorize a managed FortiAP, click to select the FortiAP entry, then click Deauthorize button on the top of the table or Deauthorize entry in the pop-out menu.

Through GUI, de-authorization can also be done in the FortiAP detail panel, under the Action menu.

The de-authorization can also be done through CLI with follow commands.

config wireless-controller wtp
    edit "FP423E3X16000320"
        set admin discovered
    next
end
Previous
Next