Discovering, authorizing, and deauthorizing FortiAP units
Discovering a FortiAP unit
For a FortiGate acting as an AP controller (AC) to discover a FortiAP unit, the FortiAP must be able to reach the AC. A FortiAP with the factory default configuration has various ways of acquiring an AC's IP address to reach it.
| AC discovery type | Description |
|---|---|
| Auto | The FortiAP tries each of the discovery methods below in sequence, in an endless loop. |
| Static | The FortiAP sends discovery requests to a preconfigured IP address that an AC owns. |
| DHCP | The FortiAP acquires the AC's IP address from DHCP option 138 (the factory default) in the DHCP offer from which it also acquires its own IP address. |
| DNS | The FortiAP acquires the AC's IP address by resolving a preconfigured FQDN. |
| FortiCloud | FortiGate Cloud discovers the FortiAP. |
| Broadcast | The FortiAP is discovered by sending broadcasts in its local subnet. |
| Multicast | The FortiAP is discovered by sending discovery requests to a multicast address of 224.0.1.140, which is the factory default. |
AC actions when a FortiAP attempts to get discovered
Enable ap-discover on the AC for the interface designed to manage FortiAPs:
config system interface
edit "lan"
set ap-discover enable
next
end
The ap-discover command allows the AC to create an entry in the managed FortiAPs table when it receives the FortiAP's discovery request. The ap-discover command is enabled by default. When the FortiAP entry is created automatically, it is marked with the discovered status and is pending an administrator's authorization, unless the following setting is present:
config system interface
edit "lan"
set auto-auth-extension-device enable
next
end
The auto-auth-extension-device command allows the AC to authorize a newly discovered FortiAP automatically, without an administrator's manual authorization. The auto-auth-extension-device command is disabled by default.
Authorize a discovered FortiAP
Once the AC receives the FortiAP discovery request, a FortiAP entry is added to the managed FortiAP table and shown on the GUI > Managed FortiAP list page.
To authorize a specific AP, click the FortiAP entry to select it, then click the Authorize button at the top of the table or the Authorize entry in the pop-out menu.
In the GUI, authorization can also be done in the FortiAP detail panel, under the Action menu.
Authorization can also be done through the CLI with the following commands:
config wireless-controller wtp
edit "FP423E3X16000320"
set admin enable
next
end
De-authorize a managed FortiAP
To de-authorize a managed FortiAP, click the FortiAP entry to select it, then click the Deauthorize button at the top of the table or the Deauthorize entry in the pop-out menu.
In the GUI, de-authorization can also be done in the FortiAP detail panel, under the Action menu.
De-authorization can also be done through the CLI with the following commands:
config wireless-controller wtp
edit "FP423E3X16000320"
set admin discovered
next
end
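An added example (not Fortinet's code and not part of the original page) for auditing the ap-discover and auto-auth-extension-device settings and the WTP admin states described above: it parses a FortiOS configuration backup, separates interfaces that authorize discovered FortiAPs automatically from those that leave them pending, and lists each WTP entry's admin value. The sample backup, the FP-PLACEHOLDER-0001 serial and the "unset" marker are constructed, and treating a setting that is absent from the backup as the default the page states is an assumption.

```python
import re
# Constructed sample backup (not from a real device); the second serial is a placeholder.
SAMPLE = '''
config system interface
    edit "lan"
        set ap-discover enable
        set auto-auth-extension-device enable
    next
    edit "guest"
    next
end
config wireless-controller wtp
    edit "FP423E3X16000320"
        set admin enable
    next
    edit "FP-PLACEHOLDER-0001"
        set admin discovered
    next
end
'''
# Assumption: a setting absent from the backup has the default the page states.
DEFAULTS = {"ap-discover": "enable", "auto-auth-extension-device": "disable"}

def parse_section(config, section):
    """Return {entry: {setting: value}} for a top-level 'config <section>' block; nested blocks are skipped."""
    entries, depth, current = {}, 0, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("config "):
            depth = depth + 1 if depth else int(line == f"config {section}")
        elif line == "end" and depth:
            depth -= 1
        elif depth == 1 and (m := re.fullmatch(r'edit "?([^"]+)"?', line)):
            current = entries.setdefault(m.group(1), {})
        elif depth == 1 and line == "next":
            current = None
        elif depth == 1 and current is not None and (m := re.fullmatch(r"set (\S+) (.+)", line)):
            current[m.group(1)] = m.group(2).strip('"')
    return entries

def audit(config):
    """Group discovery-enabled interfaces by authorization mode and list WTP admin states."""
    report = {"auto_authorize": [], "manual_review": []}
    for name, cfg in parse_section(config, "system interface").items():
        s = {**DEFAULTS, **cfg}
        if s["ap-discover"] == "enable":
            key = "auto_authorize" if s["auto-auth-extension-device"] == "enable" else "manual_review"
            report[key].append(name)
    wtps = parse_section(config, "wireless-controller wtp")
    return {**report, "wtp_admin": {sn: c.get("admin", "unset") for sn, c in wtps.items()}}
```

Calling audit(SAMPLE) places "lan" under auto_authorize and "guest" under manual_review; any interface in the first list accepts a FortiAP without an administrator reviewing it.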