FortiWiFi and FortiAP Configuration Guide

Discovering, authorizing, and deauthorizing FortiAP units

In order for FortiGate to manage a FortiAP unit, it must first discover the FortiAP and then authorize it.

For more information about discovery, authorization, and ways to pre-authorize FortiAPs, see Discovery and authorization of APs.

Discovering a FortiAP unit

For a FortiGate acting as an AP controller (AC) to discover a FortiAP unit, the FortiAP must be able to reach the AC. A FortiAP with the factory default configuration has various ways of acquiring an AC's IP address to reach it.

| AC discovery type | Description |
|---|---|
| Auto | The FortiAP tries the methods below one after another, in an endless loop. |
| Static | The FortiAP sends discovery requests to a preconfigured IP address that an AC owns. |
| DHCP | The FortiAP obtains the AC's IP address from DHCP option 138 (the factory default) in the same DHCP offer from which it obtains its own IP address. |
| DNS | The FortiAP acquires the AC's IP address by resolving a preconfigured FQDN. |
| FortiCloud | FortiGate Cloud discovers the FortiAP. |
| Broadcast | The FortiAP is discovered by sending broadcasts in its local subnet. |
| Multicast | The FortiAP is discovered by sending discovery requests to the multicast address 224.0.1.140, which is the factory default. |

See Advanced WiFi controller discovery for more information on WiFi controller discovery methods.

AC actions when a FortiAP attempts to get discovered

Enable ap-discover on the AC for the interface designed to manage FortiAPs:

config system interface
    edit "lan"
        set ap-discover enable
    next
end

The ap-discover command allows the AC to create an entry in the managed FortiAPs table when it receives the FortiAP's discovery request. The ap-discover command is enabled by default. When the FortiAP entry is created automatically, it is marked with the discovered status and remains pending an administrator's authorization, unless the following setting is present:

config system interface
    edit "lan"
        set auto-auth-extension-device enable
    next
end

The auto-auth-extension-device command allows the AC to authorize a newly discovered FortiAP automatically, without an administrator's manual authorization. The auto-auth-extension-device command is disabled by default.

Authorize a discovered FortiAP

Once the AC receives the FortiAP discovery request, a FortiAP entry is added to the managed FortiAP table and shown in WiFi and Switch Controller > Managed FortiAPs.

To authorize the specific AP, select the FortiAP entry, and then right-click and select Authorize from the context menu.

Authorization can also be granted from the FortiAP details panel under the Actions menu.

Authorization can also be granted through the following CLI commands:

config wireless-controller wtp
    edit "FP423E3X16000320"
        set admin enable
    next
end

Note

When you authorize a FortiAP unit, it is configured by default to use the default FortiAP profile (determined by model). The FortiAP profile defines the entire configuration for the AP (see Creating a FortiAP profile). You can assign a different profile, if needed, by right-clicking the authorized FortiAP and selecting Assign Profile.

De-authorize a managed FortiAP

To de-authorize a managed FortiAP, select the FortiAP entry, and then click Deauthorize on the top of the table or right-click and select Deauthorize from the context menu.

You can also de-authorize from the FortiAP details panel under the Action menu.

You can also de-authorize with the following CLI commands:

config wireless-controller wtp
    edit "FP423E3X16000320"
        set admin discovered
    next
end
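
An added example, not part of the Fortinet guide: a Python check over a FortiGate configuration backup that reports interfaces on which a discovered FortiAP would be authorized without administrator review (ap-discover and auto-auth-extension-device both in effect), and authorized serial numbers missing from an expected inventory. The `guest` interface, the serial `FP000000EXAMPLE01`, the inventory set and the function names are assumptions; settings omitted from the backup are treated as the defaults this page states.

```python
# Defaults as stated on this page; a setting left out of the backup keeps them.
DEFAULTS = {"ap-discover": "enable", "auto-auth-extension-device": "disable"}
def parse_table(text, section):
    """Return {entry: {setting: value}} for one 'config <section>' table."""
    entries, current, inside, depth = {}, None, False, 0
    for line in (raw.strip() for raw in text.splitlines()):
        if not inside:
            inside = line == "config " + section
        elif line.startswith("config "):
            depth += 1  # nested sub-table: skip its contents
        elif line == "end":
            if depth == 0:
                break
            depth -= 1
        elif depth == 0 and line.startswith("edit "):
            current = entries.setdefault(line[5:].strip().strip('"'), {})
        elif depth == 0 and current is not None and line.startswith("set "):
            key, _, value = line[4:].strip().partition(" ")
            current[key] = value.strip().strip('"')
    return entries

def audit(text, inventory):
    """Flag auto-authorizing interfaces and authorized APs missing from inventory."""
    findings = []
    for name, cfg in parse_table(text, "system interface").items():
        eff = {**DEFAULTS, **cfg}
        if eff["ap-discover"] == eff["auto-auth-extension-device"] == "enable":
            findings.append(("auto-authorizes-new-aps", name))
    for serial, cfg in parse_table(text, "wireless-controller wtp").items():
        if cfg.get("admin") == "enable" and serial not in inventory:
            findings.append(("authorized-not-in-inventory", serial))
    return findings

# Constructed sample backup: "guest" and FP000000EXAMPLE01 are made-up values.
SAMPLE = """config system interface
    edit "lan"
    next
    edit "guest"
        set auto-auth-extension-device enable
    next
end
config wireless-controller wtp
    edit "FP423E3X16000320"
        set admin enable
    next
    edit "FP000000EXAMPLE01"
        set admin enable
    next
end"""
print(audit(SAMPLE, inventory={"FP423E3X16000320"}))
```

Entries without an explicit `set admin` line are not judged, because this page does not state that setting's default.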
