Discovery and authorization of APs
To complete the discovery and authorization of APs, perform the following tasks:
- Configuring the network interface for the AP unit
- Pre-authorizing a FortiAP unit
- Enabling and configuring a discovered AP
- Disabling the automatic discovery of unknown FortiAPs
- Enabling the automatic authorization of extension devices
- Assigning the same FortiAP profile to multiple FortiAP units
- Overriding the FortiAP profile
Configuring the network interface for the AP unit
The interface to which you connect your wireless access point needs an IP address. No administrative access, DNS Query service or authentication should be enabled.
In this example, the FortiAP units connect to port3 and are controlled through IP addresses on the 10.10.70.0/24 network.
To configure the interface for the AP unit - GUI
- Go to Network > Interfaces, and edit the interface to which the AP unit connects (in this example, port3).
- In Addressing mode, select Manual.
- In IP/Network Mask, enter an IP address and netmask for the interface (in this example, 10.10.70.1/255.255.255.0).
- In the Administrative Access section, go to IPv4 and select the Security Fabric Connection checkbox.
- When FortiAP units are connected to the interface on FortiGate (directly or through a switch), you can go to the Edit Interface section and set the Role to LAN.
Selecting the LAN role loads the DHCP Server toggle. If you enable DHCP Server, the GUI can automatically set the DHCP IP range based on the interface IP address.
- Click OK.
If you enable DHCP Server, you can also specify the Wireless controller IP address from under the Advanced section.
To configure the interface for the AP unit - CLI
In the CLI, you must configure the interface IP address and DHCP server separately.
    config system interface
        edit "port3"
            set mode static
            set ip 10.10.70.1 255.255.255.0
            set allowaccess fabric
        next
    end
    config system dhcp server
        edit 3
            set interface "port3"
            config ip-range
                edit 1
                    set start-ip 10.10.70.2
                    set end-ip 10.10.70.254
                next
            end
            set default-gateway 10.10.70.1
            set netmask 255.255.255.0
            set vci-match enable
            set vci-string "FortiAP"
        next
    end
The optional vci-match and vci-string fields ensure that the DHCP server will provide IP addresses only to FortiAP units.
Pre-authorizing a FortiAP unit
If you enter the FortiAP unit information in advance, the unit is authorized and begins to function when it is connected.
To pre-authorize a FortiAP unit
- Go to WiFi and Switch Controller > Managed FortiAPs and select Create New.
  On some models the WiFi Controller menu is called WiFi & Switch Controller.
- Enter the Serial Number of the FortiAP unit.
- Configure the Wireless Settings as required.
- Select OK.
Enabling and configuring a discovered AP
- Connect the FortiAP unit to the FortiGate unit. Within two minutes, the WiFi Controller > Managed FortiAPs page displays the discovered FortiAP unit.
- Select the FortiAP unit and authorize that unit.
Discovered access point unit
When you authorize (enable) a FortiAP unit, it is configured by default to use the default FortiAP profile (determined by model). You can create and select a different profile, if needed. The FortiAP profile defines the entire configuration for the AP.
To add and configure the discovered AP unit - GUI
- Go to WiFi and Switch Controller > Managed FortiAPs.
  This configuration also applies to local WiFi radio on FortiWiFi models.
- Select the FortiAP unit from the list and edit it.
- Optionally, enter a Name. Otherwise, the unit will be identified by serial number.
- Select Authorize.
- Select a FortiAP Profile.
- Select OK.
The physical access point is now added to the system. If the rest of the configuration is complete, it should be possible to connect to the wireless network through the AP.
To add the discovered AP unit - CLI
First get a list of the discovered access point unit serial numbers:
    get wireless-controller wtp
Add a discovered unit and associate it with AP-profile1, for example:
    config wireless-controller wtp
        edit FAP22A3U10600118
            set admin enable
            set wtp-profile AP-profile1
    end
To view the status of the added AP unit
    config wireless-controller wtp
        edit FAP22A3U10600118
            get
The join-time field should show a time, not “N/A”. See the preceding GUI procedure for more information.
Disabling the automatic discovery of unknown FortiAPs
By default, FortiGate adds newly discovered FortiAPs to the Managed FortiAPs list, awaiting the administrator's authorization. Optionally, you can disable this automatic registration function to avoid adding unknown FortiAPs. A FortiAP will be registered and listed only if its serial number has already been added manually to the Managed FortiAPs list. AP registration is configured on each interface.
To disable automatic discovery and registration, enter the following command:
    config system interface
        edit port15
            set ap-discover disable
    end
Enabling the automatic authorization of extension devices
To simplify adding FortiAP or FortiSwitch devices to your network, you can enable automatic authorization of devices as they are connected, instead of authorizing each one individually.
This feature is only configurable in the CLI.
To enable automatic authorization on all dedicated interfaces
    config system global
        set auto-auth-extension-device enable
    end
To enable automatic authorization per-interface
    config system interface
        edit <port>
            set auto-auth-extension-device enable
    end
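The following is an added example, not Fortinet code: a small Python audit that parses a FortiOS CLI configuration and reports, for the AP-facing interfaces, the settings from the sections above that decide which FortiAPs get an address, get listed, or get authorized (allowaccess, vci-match, ap-discover, auto-auth-extension-device). The sample configuration, the `ap_ports` parameter and the finding wording are constructed for illustration.

```python
import shlex
# Constructed sample: port3 mirrors the page's example, port15 is a weak variant.
SAMPLE = """
config system global
    set auto-auth-extension-device enable
end
config system interface
    edit "port3"
        set allowaccess fabric
        set ap-discover disable
    next
    edit "port15"
        set allowaccess ping https fabric
        set auto-auth-extension-device enable
end
config system dhcp server
    edit 4
        set interface "port15"
end
"""

def parse(text):
    """Flatten FortiOS CLI config into {(table, entry, ...): {key: [values]}}."""
    path, out = [], {}
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] in ("config", "edit"):
            path.append((tok[0], " ".join(tok[1:])))
        elif tok[0] in ("next", "end"):  # "end" also closes an edit left open
            del path[-2 if tok[0] == "end" and path[-1][0] == "edit" else -1:]
        elif tok[0] == "set":
            out.setdefault(tuple(n for _, n in path), {})[tok[1]] = tok[2:]
    return out

def audit(text, ap_ports):
    """Return (scope, finding) pairs for the AP onboarding settings on this page."""
    cfg, on, auto = parse(text), ["enable"], "auto-auth-extension-device"
    glob = cfg.get(("system global",), {}).get(auto) == on
    found = [("global", auto + " enable")] if glob else []
    dhcp = {v["interface"][0]: v.get("vci-match") == on for p, v in cfg.items()
            if p[:1] == ("system dhcp server",) and "interface" in v}
    for port in ap_ports:
        intf = cfg.get(("system interface", port), {})
        extra = sorted(set(intf.get("allowaccess", [])) - {"fabric"})
        found += [(port, msg) for bad, msg in (
            (extra, "allowaccess beyond fabric: " + " ".join(extra)),
            (intf.get("ap-discover") != ["disable"], "ap-discover not disabled"),
            (intf.get(auto) == on, auto + " enable"),
            (dhcp.get(port) is False, "DHCP server without vci-match"),
        ) if bad]
    return found
```

Run `audit()` on a configuration backup and pass the names of the interfaces that FortiAP units connect to as `ap_ports`.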
Assigning the same FortiAP profile to multiple FortiAP units
The same profile can now be applied to multiple managed FortiAP units at the same time. To do this:
- Go to WiFi and Switch Controller > Managed FortiAPs to view the AP list.
- Select all FortiAP units you wish to apply the profile to.
- Right-click one of the selected FortiAPs and select Assign Profile.
- Choose the profile you wish to apply.
Overriding the FortiAP profile
In the FortiAP configuration (WiFi and Switch Controller > Managed FortiAPs), there are several radio settings under Override Radio 1 and Override Radio 2. You can choose to set a value independently of the FortiAP profile setting. When each of the radios is disabled, you will see the value that the FortiAP profile has configured for each setting.
| Setting | Description |
|---|---|
| Band | The available options depend on the capability of the radio. Overriding Band also overrides Channels. Make appropriate settings in Channels. |
| Channels | Choose channels. The available channels depend on the Band. |
| TX Power Control | If you enable Auto, adjust to set the power range in dBm. |
| SSIDs | Select Auto or Manual. Selecting Auto eliminates the need to re-edit the profile when new SSIDs are created. However, you can still select SSIDs individually using Manual. |
To override radio settings in the CLI
In this example, Radio 1 is set to 802.11n on channel 11, regardless of the profile setting.
    config wireless-controller wtp
        edit FP221C3X14019926
            config radio-1
                set override-band enable
                set band 802.11n
                set override-channel enable
                set channel 11
            end
    end
You can override settings for band, channel, vaps (SSIDs), and TX power.
Outside of configuring radio settings, you can also override FortiAP LED state, WAN port mode, IP Fragmentation prevention method, spectrum analysis, split tunneling, and login password settings.