FortiAP Discovery, Authorization and Control Plane
Communication must be established between the FortiGate and the FortiAPs it will manage. The FortiAP must then be authorized on the WLAN controller for security purposes. FortiAPs use a protocol called FortiLink to communicate with the WLAN Controller. FortiLink is also the tunneling protocol that encapsulates the client traffic, but initial discovery will usually require some preparation of the underlying network.
Best practice is for the FortiAPs to be on an AP-specific subnet. It does not have to be a FortiAP-only subnet, but it is the Control Plane subnet for the FortiAPs and their FortiLink communication with the FortiGate Controller. FortiAPs will use DHCP to get an IP address. The subnet's DHCP server, or its DNS server, can be configured to tell the FortiAP the IP address of the controllers. That IP address must be an existing interface on the FortiGate controllers and routable to and from the FortiAPs.
With DHCP, Option 138 can be set for controller discovery. This is probably the easiest choice for most networks. For example, on a Windows DHCP Server:
- Go to Set Predefined Options and click Add.
- Name the option.
- Set Code to 138.
- In Type enter the IP address, and click OK.
- Go to the option name and enter the controller IP address as a value.
- Go to the scope the FortiAPs will use and click Configure options.
- Check option 138, and then click OK.
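A check for the DHCP side of this setup, as an added example (not Fortinet's code): it decodes the options field of a DHCP offer captured on the AP subnet and reports any option 138 address that is not an expected controller. It assumes the option value is a list of 4-byte IPv4 addresses as defined in RFC 5417; the function names, the sample bytes and the 192.0.2.x addresses are constructed for illustration.

```python
import ipaddress

CAPWAP_AC_OPTION = 138  # option code from the page; value layout assumed per RFC 5417

def parse_dhcp_options(options: bytes) -> dict:
    """Walk the code/length/value options field of a DHCPv4 message."""
    found, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == 255:          # End option
            break
        if code == 0:            # Pad option is a single byte with no length
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError(f"option {code} has no length byte")
        length = options[i + 1]
        value = options[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        # A code that appears more than once is concatenated (RFC 3396).
        found[code] = found.get(code, b"") + value
        i += 2 + length
    return found

def controller_addresses(options: bytes) -> list:
    """Return the controller IPv4 addresses carried in option 138, in order."""
    raw = parse_dhcp_options(options).get(CAPWAP_AC_OPTION)
    if raw is None:
        return []                # scope does not hand out option 138
    if len(raw) == 0 or len(raw) % 4:
        raise ValueError("option 138 must hold whole 4-byte IPv4 addresses")
    return [str(ipaddress.IPv4Address(raw[n : n + 4])) for n in range(0, len(raw), 4)]

def unexpected_controllers(options: bytes, expected: set) -> list:
    """Addresses offered in option 138 that are not on the expected list."""
    return [ip for ip in controller_addresses(options) if ip not in expected]

# Constructed sample: message type (53) = OFFER, subnet mask (1), then
# option 138 with two addresses (192.0.2.10 and 192.0.2.11), then End.
SAMPLE_OPTIONS = bytes([53, 1, 2,
                        1, 4, 255, 255, 255, 0,
                        138, 8, 192, 0, 2, 10, 192, 0, 2, 11,
                        255])

if __name__ == "__main__":
    print(controller_addresses(SAMPLE_OPTIONS))
    print(unexpected_controllers(SAMPLE_OPTIONS, {"192.0.2.10"}))
```

An empty result from `unexpected_controllers` means every address the scope advertises is a known controller interface; an empty result from `controller_addresses` means the scope is not sending option 138 at all.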
For DNS resolution, configure the DNS server to respond to _capwap-control._udp.example.com with the Wi-Fi controller IP address.
When the controller and the FortiAP are in the same broadcast domain, the FortiAP will easily locate the FortiGate via broadcast, but a Campus deployment can be assumed to have L3 separation between the FortiAPs and the FortiGate. Multicast is also supported, and APs can be preconfigured via CLI with the controller address, but DHCP and DNS are usually the simplest in campus networks. See the FortiAP documentation for details on these discovery methods.
Once a FortiAP has established FortiLink communications with the FortiGate, it must be authorized in Managed FortiAPs by right-clicking on the FortiAP entry and selecting Authorize.