Fortinet Document Library

Version:


Table of Contents

6.2.0
Download PDF
Copy Link

Remote AP setup

This section guides you through the process of setting up remote FortiAPs to work with FortiGates:

  1. Configuring FortiGate before deploying remote APs
  2. Configuring FortiAPs to connect to FortiGate
  3. Final FortiGate configuration tasks

Configuration prerequisites
  • Ensure that your FortiGate has an existing wireless SSID configured in tunnel mode.
  • For the best security practices, set up WPA2/Enterprise for SSIDs used by remote clients. You can use RADIUS Server for PEAP Authentication using MS-CHAPv2 and install a trusted Root CA certificate on all devices that connect to the secure SSIDs.

    Note

    For more security, you can use Client Certificates instead of MS-CHAPv2. For more information, refer to the FortiAuthenticator Cookbook.

  • If you plan on deploying the FortiAP from FortiAP Cloud, ensure you have a Fortinet Support Account at https://support.fortinet.com.
  • Ensure the internet bandwidth at the site where the FortiGate is located can handle the extra load needed for the remote APs.
  • Determine if you want to tunnel all traffic from the remote wireless client to the FortiGate or just a select subset of the internal or corporate networks (Split Tunneling).

    Note

    If you are only tunneling a subset of your internal or corporate networks, a security client such as FortiClient with URL Filtering and Anti-malware (or another security product) should be used to protect the remote client from becoming compromised and used to access corporate resources.

  • Determine how remote sites will provide IP address to the remote AP once it's deployed.
Reference guides

You can refer to the following guides for using FortiAuthenticator (FAC) or Microsoft NPS Server as a RADIUS server:

Remote AP setup

This section guides you through the process of setting up remote FortiAPs to work with FortiGates:

  1. Configuring FortiGate before deploying remote APs
  2. Configuring FortiAPs to connect to FortiGate
  3. Final FortiGate configuration tasks

Configuration prerequisites
  • Ensure that your FortiGate has an existing wireless SSID configured in tunnel mode.
  • For the best security practices, set up WPA2/Enterprise for SSIDs used by remote clients. You can use RADIUS Server for PEAP Authentication using MS-CHAPv2 and install a trusted Root CA certificate on all devices that connect to the secure SSIDs.

    Note

    For more security, you can use Client Certificates instead of MS-CHAPv2. For more information, refer to the FortiAuthenticator Cookbook.

  • If you plan on deploying the FortiAP from FortiAP Cloud, ensure you have a Fortinet Support Account at https://support.fortinet.com.
  • Ensure the internet bandwidth at the site where the FortiGate is located can handle the extra load needed for the remote APs.
  • Determine if you want to tunnel all traffic from the remote wireless client to the FortiGate or just a select subset of the internal or corporate networks (Split Tunneling).

    Note

    If you are only tunneling a subset of your internal or corporate networks, a security client such as FortiClient with URL Filtering and Anti-malware (or another security product) should be used to protect the remote client from becoming compromised and used to access corporate resources.

  • Determine how remote sites will provide IP address to the remote AP once it's deployed.
Reference guides

You can refer to the following guides for using FortiAuthenticator (FAC) or Microsoft NPS Server as a RADIUS server: