FortiWiFi and FortiAP Cookbook

Configuring the FortiGate interface to manage FortiAP units

6.4.0

This guide describes how to configure a FortiGate interface to manage FortiAPs.

Based on the above topology, this example uses port16 as the interface that manages the connection to FortiAPs.

  1. You must enable a DHCP server on port16:
    1. In FortiOS, go to Network > Interfaces.
    2. Edit port16.
    3. In the IP/Network Mask field, enter an IP address for port16.
    4. Enable DHCP Server, keeping the default settings.
  2. If required, you can enable the VCI-match feature using the CLI. When VCI-match is enabled, only devices with a VCI name that matches the preconfigured string can acquire an IP address from the DHCP server. To configure VCI-match, run the following commands:

    config system dhcp server
        edit 1
            set interface port16
            set vci-match enable
            set vci-string "FortiAP"
        next
    end

  3. A FortiAP must establish a CAPWAP tunnel with the FortiGate before the FortiGate can manage it, so you must enable CAPWAP access on port16:
    1. Go to Network > Interfaces.
    2. Double-click port16.
    3. Under Administrative Access, select Security Fabric Connection.
    4. Click OK.
  4. To create a new FortiAP entry automatically when a new FortiAP unit is discovered, run the following command. By default, this option is enabled.

    config system interface
        edit port16
            set allowaccess fabric
            set ap-discover enable
        next
    end

  5. To allow FortiGate to authorize a newly discovered FortiAP to be controlled by the FortiGate, run the following command. By default, this option is disabled.

    config system interface
        edit port16
            set allowaccess fabric
            set auto-auth-extension-device enable
        next
    end
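
The settings from steps 2 to 5 can be reviewed in a saved configuration backup. The following Python script is an added example, not Fortinet's code: it reports interfaces with Security Fabric access where discovered FortiAPs are authorized automatically or where the DHCP server is not restricted by VCI-match. The function names and the sample backup are assumptions made for illustration, and the parser accepts both the `allowaccess` and `allow-access` spellings.

```python
SAMPLE = """
config system interface
    edit "port16"
        set allowaccess ping fabric
        set auto-auth-extension-device enable
    next
end
config system dhcp server
    edit 1
        set interface "port16"
    next
end
"""  # constructed sample of a configuration backup, not taken from the page

def parse_section(text, header):
    """Return {entry: {option: value}} for one top-level config section."""
    entries, current, depth = {}, None, 0  # depth 0 means outside the section
    for line in map(str.strip, text.splitlines()):
        if depth == 0:
            depth = 1 if line == header else 0
        elif line.startswith("config "):
            depth += 1  # nested table (for example ip-range): skip its contents
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            current = entries.setdefault(line[5:].strip('"'), {})
        elif depth == 1 and line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            current[key] = value.replace('"', "")
    return entries

def audit(text):
    """List (interface, finding) pairs for interfaces that accept FortiAPs."""
    ifaces = parse_section(text, "config system interface")
    dhcp = parse_section(text, "config system dhcp server").values()
    findings = []
    for name, opts in ifaces.items():
        access = (opts.get("allowaccess") or opts.get("allow-access", "")).split()
        if "fabric" not in access:
            continue  # no Security Fabric/CAPWAP access on this interface
        if opts.get("auto-auth-extension-device") == "enable":
            findings.append((name, "discovered FortiAPs are authorized automatically"))
        servers = [s for s in dhcp if s.get("interface") == name]
        if servers and not all(s.get("vci-match") == "enable" for s in servers):
            findings.append((name, "DHCP server is not restricted by vci-match"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty list means that every interface with Security Fabric access keeps manual FortiAP authorization and that every DHCP server on such an interface has VCI-match enabled.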
