Fortinet black logo

FortiWiFi and FortiAP Configuration Guide

Discovery and authorization of APs

Copy Link
Copy Doc ID 87eec643-a25f-11ed-8e6d-fa163e15d75b:827468
Download PDF

Discovery and authorization of APs

To complete the discovery and authorization of APs, perform the following tasks:

Pre-authorizing a FortiAP unit

There are two ways of pre-authorizing a FortiAP unit:

  • Enter an individual FortiAP unit information in advance; the unit is authorized and begins to function when it is connected.
  • Specify a Wildcard Serial Number to represent the model of the FortiAPs you want to authorize; the pre-configured SN is replaced by the actual SN of the FortiAP, and the FortiAP is authorized when it is connected.

Pre-authorizing an individual FortiAP unit

To pre-authorize an individual FortiAP unit
  1. Go to WiFi and Switch Controller > Managed FortiAPs and select Create New.
    On some models the WiFi Controller menu is called WiFi & Switch Controller.
  2. Enter the Serial Number of the FortiAP unit.
  3. Configure the Wireless Settings as required.
  4. Select OK.

Pre-authorizing a FortiAP by specifying a Wildcard Serial Number

You can pre-configure and pre-authorize a template FortiAP SN to represent the SN of specific FortiAP models. When a physical FortiAP connects, the pre-configured SN is replaced by the actual SN of the FortiAP, and the FortiAP can be automatically authorized.

For example, a Wildcard Serial Number of FP231F****000001 will allow the first FortiAP-231F to register to the Wireless Controller to be authorized automatically and adopt profile configurations.

A Wildcard Serial Number consists of three parts:

  • A six digit valid prefix for a FortiAP model, like "FP231F".
  • Four "*" (asterisks) to indicate that the Serial Number is a Wildcard Serial Number.
  • Six digits containing any valid characters. The characters do not need the match the actual Serial Number of the FortiAP you are registering.

    The last six digits enable you to create multiple profiles where each new FortiAP that registers adopt one of the wildcard SN profiles in order.

To pre-authorize a FortiAP by specifying a Wildcard Serial Number - GUI
  1. Go to WiFI & Switch Controller > Managed FortiAPs and click Create New > Managed AP.
  2. In Serial number, enter a Wildcard Serial Number (example "FP231F****000001").
  3. Select a FortiAP profile you want to apply to the FortiAP.

  4. Click OK to save.
  5. Connect the FortiAP unit to your topology.

    Once the FortiAP is discovered by FortiGate, FortiGate will try to find a matching Wildcard SN. When FortiGate finds a matching Wildcard SN, the template Serial Number is renamed to match the newly discovered physical FortiAP SN.

To configure a Wildcard Serial Number and pre-authorize a FortiAP- CLI:
  1. Pre-configure a Wildcard FortiAP SN (example "FP231F****000001").

     config wireless-controller wtp
      edit "FP231F****000001"
        set uuid 47ab50f8-5f7c-51ec-0a60-4ff00a3eba2e
        set admin enable
        set wtp-profile "FAP231F-test"
        config radio-1
        end
        config radio-2
        end
      next
    end
  2. Connect the FortiAP unit to your topology.

    Once the FortiAP is discovered by FortiGate, FortiGate will try to find a matching Wildcard SN. When FortiGate finds a matching Wildcard SN, the template Serial Number is renamed to match the newly discovered physical FortiAP SN.

    FortiGate-80E-POE # diag debug enable
    FortiGate-80E-POE # diag debug cli 7
    Debug messages will be on for unlimited time.
    FortiGate-80E-POE # 0: config wireless-controller wtp
    0: rename "FP231F****000001" to "FP231FTF20026472"
    0: end

    The pre-configured template FortiAP SN is successfully renamed to match the FortiAP SN "FP231FTF20026472".

  3. The new FortiAP is now pre-authorized and can be managed from the FortiGate without manual authorization. Note that the UUID does not change.

     config wireless-controller wtp
      edit "FP231FTF20026472"
        set uuid 47ab50f8-5f7c-51ec-0a60-4ff00a3eba2e
        set admin enable
        set wtp-profile "FAP231F-test"
        config radio-1
        end
        config radio-2
        end
      next
    end

Enabling and configuring a discovered AP

  1. Connect the FortiAP unit to the FortiGate unit. Within two minutes, the WiFi Controller > Managed FortiAPs page displays the discovered FortiAP unit.
  2. Select the FortiAP unit and authorize that unit.
Discovered access point unit

Note

When you authorize a FortiAP unit, it is configured by default to use the default FortiAP profile (determined by model). The FortiAP profile defines the entire configuration for the AP (see Creating a FortiAP profile). You can assign a different profile, if needed, by right-clicking the authorized FortiAP and selecting Assign Profile.

To add and configure the discovered AP unit - GUI
  1. Go to WiFi and Switch Controller > Managed FortiAPs.
    This configuration also applies to local WiFi radio on FortiWiFi models.
  2. Select the FortiAP unit from the list and edit it.
  3. Optionally, enter a Name. Otherwise, the unit will be identified by serial number.
  4. Select Authorize.
  5. Select a FortiAP Profile.
  6. Select OK.

The physical access point is now added to the system. If the rest of the configuration is complete, it should be possible to connect to the wireless network through the AP.

To add the discovered AP unit - CLI

First get a list of the discovered access point unit serial numbers:

get wireless-controller wtp

Add a discovered unit and associate it with AP-profile1, for example:

config wireless-controller wtp

edit FAP22A3U10600118

set admin enable

set wtp-profile AP-profile1

end

To view the status of the added AP unit

config wireless-controller wtp

edit FAP22A3U10600118

get

The join-time field should show a time, not “N/A”. See the preceding GUI procedure for more information.

Disabling the automatic discovery of unknown FortiAPs

By default, FortiGate adds newly discovered FortiAPs to the Managed FortiAPs list, awaiting the administrator's authorization. Optionally, you can disable this automatic registration function to avoid adding unknown FortiAPs. A FortiAP will be registered and listed only if its serial number has already been added manually to the Managed FortiAPs list. AP registration is configured on each interface.

To disable automatic discovery and registration, enter the following command:

config system interface

edit port15

set ap-discover disable

end

Enabling the automatic authorization of extension devices

To simplify adding FortiAP or FortiSwitch devices to your network, you can enable automatic authorization of devices as they are connected, instead of authorizing each one individually.

This feature is only configurable in the CLI.

To enable automatic authorization on all dedicated interfaces

config system global

set auto-auth-extension-device enable

end

To enable automatic authorization per-interface

config system interface

edit <port>

set auto-auth-extension-device enable

end

Assigning the same FortiAP profile to multiple FortiAP units

The same profile can now be applied to multiple managed FortiAP units at the same time. To do this, do the following:

  1. Go to WiFi and Switch Controller > Managed FortiAPs to view the AP list.
  2. Select all FortiAP units you wish to apply the profile to.
  3. Right click on one of the selected FortiAPs and select Assign Profile.
  4. Choose the profile you wish to apply.

Overriding the FortiAP profile

In the FortiAP configuration WiFi and Switch Controller > Managed FortiAPs, there are several radio settings under Override Radio 1 and Override Radio 2. You can choose to set a value independently of the FortiAP profile setting. When each of the radios are disabled, you will see what the FortiAP Profile has each of the settings configured to.

Band

The available options depend on the capability of the radio. Overriding Band also overrides Channels. Make appropriate settings in Channels.

Channels

Choose channels. The available channels depend on the Band.

Transmit power mode

Select how you want to determine transmit power. The 100% setting is the maximum power permitted in your region. See Setting your geographic location.

SSIDs

Select a traffic mode for SSIDs.

  • Tunnel – available tunnel-mode SSIDs are automatically assigned to this radio.
  • Bridge – available bridge-mode SSIDs are automatically assigned to this radio.
  • Manual – manually select which available SSIDs and SSID groups to assign to this radio.
To override radio settings in the CLI

In this example, Radio 1 is set to 802.11n on channel 11, regardless of the profile setting.

config wireless-controller wtp

edit FP221C3X14019926

config radio-1

set override-band enable

set band 802.11n

set override-channel enable

set channel 11

end

You can override settings for band, channel, vaps (SSIDs), and Transmit power mode.

Outside of configuring radio settings, you can also override FortiAP LED state, WAN port mode, IP Fragmentation prevention method, spectrum analysis, split tunneling, and login password settings.

Discovery and authorization of APs

To complete the discovery and authorization of APs, perform the following tasks:

Pre-authorizing a FortiAP unit

There are two ways of pre-authorizing a FortiAP unit:

  • Enter an individual FortiAP unit information in advance; the unit is authorized and begins to function when it is connected.
  • Specify a Wildcard Serial Number to represent the model of the FortiAPs you want to authorize; the pre-configured SN is replaced by the actual SN of the FortiAP, and the FortiAP is authorized when it is connected.

Pre-authorizing an individual FortiAP unit

To pre-authorize an individual FortiAP unit
  1. Go to WiFi and Switch Controller > Managed FortiAPs and select Create New.
    On some models the WiFi Controller menu is called WiFi & Switch Controller.
  2. Enter the Serial Number of the FortiAP unit.
  3. Configure the Wireless Settings as required.
  4. Select OK.

Pre-authorizing a FortiAP by specifying a Wildcard Serial Number

You can pre-configure and pre-authorize a template FortiAP SN to represent the SN of specific FortiAP models. When a physical FortiAP connects, the pre-configured SN is replaced by the actual SN of the FortiAP, and the FortiAP can be automatically authorized.

For example, a Wildcard Serial Number of FP231F****000001 will allow the first FortiAP-231F to register to the Wireless Controller to be authorized automatically and adopt profile configurations.

A Wildcard Serial Number consists of three parts:

  • A six digit valid prefix for a FortiAP model, like "FP231F".
  • Four "*" (asterisks) to indicate that the Serial Number is a Wildcard Serial Number.
  • Six digits containing any valid characters. The characters do not need the match the actual Serial Number of the FortiAP you are registering.

    The last six digits enable you to create multiple profiles where each new FortiAP that registers adopt one of the wildcard SN profiles in order.

To pre-authorize a FortiAP by specifying a Wildcard Serial Number - GUI
  1. Go to WiFI & Switch Controller > Managed FortiAPs and click Create New > Managed AP.
  2. In Serial number, enter a Wildcard Serial Number (example "FP231F****000001").
  3. Select a FortiAP profile you want to apply to the FortiAP.

  4. Click OK to save.
  5. Connect the FortiAP unit to your topology.

    Once the FortiAP is discovered by FortiGate, FortiGate will try to find a matching Wildcard SN. When FortiGate finds a matching Wildcard SN, the template Serial Number is renamed to match the newly discovered physical FortiAP SN.

To configure a Wildcard Serial Number and pre-authorize a FortiAP- CLI:
  1. Pre-configure a Wildcard FortiAP SN (example "FP231F****000001").

     config wireless-controller wtp
      edit "FP231F****000001"
        set uuid 47ab50f8-5f7c-51ec-0a60-4ff00a3eba2e
        set admin enable
        set wtp-profile "FAP231F-test"
        config radio-1
        end
        config radio-2
        end
      next
    end
  2. Connect the FortiAP unit to your topology.

    Once the FortiAP is discovered by FortiGate, FortiGate will try to find a matching Wildcard SN. When FortiGate finds a matching Wildcard SN, the template Serial Number is renamed to match the newly discovered physical FortiAP SN.

    FortiGate-80E-POE # diag debug enable
    FortiGate-80E-POE # diag debug cli 7
    Debug messages will be on for unlimited time.
    FortiGate-80E-POE # 0: config wireless-controller wtp
    0: rename "FP231F****000001" to "FP231FTF20026472"
    0: end

    The pre-configured template FortiAP SN is successfully renamed to match the FortiAP SN "FP231FTF20026472".

  3. The new FortiAP is now pre-authorized and can be managed from the FortiGate without manual authorization. Note that the UUID does not change.

     config wireless-controller wtp
      edit "FP231FTF20026472"
        set uuid 47ab50f8-5f7c-51ec-0a60-4ff00a3eba2e
        set admin enable
        set wtp-profile "FAP231F-test"
        config radio-1
        end
        config radio-2
        end
      next
    end

Enabling and configuring a discovered AP

  1. Connect the FortiAP unit to the FortiGate unit. Within two minutes, the WiFi Controller > Managed FortiAPs page displays the discovered FortiAP unit.
  2. Select the FortiAP unit and authorize that unit.
Discovered access point unit

Note

When you authorize a FortiAP unit, it is configured by default to use the default FortiAP profile (determined by model). The FortiAP profile defines the entire configuration for the AP (see Creating a FortiAP profile). You can assign a different profile, if needed, by right-clicking the authorized FortiAP and selecting Assign Profile.

To add and configure the discovered AP unit - GUI
  1. Go to WiFi and Switch Controller > Managed FortiAPs.
    This configuration also applies to local WiFi radio on FortiWiFi models.
  2. Select the FortiAP unit from the list and edit it.
  3. Optionally, enter a Name. Otherwise, the unit will be identified by serial number.
  4. Select Authorize.
  5. Select a FortiAP Profile.
  6. Select OK.

The physical access point is now added to the system. If the rest of the configuration is complete, it should be possible to connect to the wireless network through the AP.

To add the discovered AP unit - CLI

First get a list of the discovered access point unit serial numbers:

get wireless-controller wtp

Add a discovered unit and associate it with AP-profile1, for example:

config wireless-controller wtp

edit FAP22A3U10600118

set admin enable

set wtp-profile AP-profile1

end

To view the status of the added AP unit

config wireless-controller wtp

edit FAP22A3U10600118

get

The join-time field should show a time, not “N/A”. See the preceding GUI procedure for more information.

Disabling the automatic discovery of unknown FortiAPs

By default, FortiGate adds newly discovered FortiAPs to the Managed FortiAPs list, awaiting the administrator's authorization. Optionally, you can disable this automatic registration function to avoid adding unknown FortiAPs. A FortiAP will be registered and listed only if its serial number has already been added manually to the Managed FortiAPs list. AP registration is configured on each interface.

To disable automatic discovery and registration, enter the following command:

config system interface

edit port15

set ap-discover disable

end

Enabling the automatic authorization of extension devices

To simplify adding FortiAP or FortiSwitch devices to your network, you can enable automatic authorization of devices as they are connected, instead of authorizing each one individually.

This feature is only configurable in the CLI.

To enable automatic authorization on all dedicated interfaces

config system global

set auto-auth-extension-device enable

end

To enable automatic authorization per-interface

config system interface

edit <port>

set auto-auth-extension-device enable

end

Assigning the same FortiAP profile to multiple FortiAP units

The same profile can now be applied to multiple managed FortiAP units at the same time. To do this, do the following:

  1. Go to WiFi and Switch Controller > Managed FortiAPs to view the AP list.
  2. Select all FortiAP units you wish to apply the profile to.
  3. Right click on one of the selected FortiAPs and select Assign Profile.
  4. Choose the profile you wish to apply.

Overriding the FortiAP profile

In the FortiAP configuration WiFi and Switch Controller > Managed FortiAPs, there are several radio settings under Override Radio 1 and Override Radio 2. You can choose to set a value independently of the FortiAP profile setting. When each of the radios are disabled, you will see what the FortiAP Profile has each of the settings configured to.

Band

The available options depend on the capability of the radio. Overriding Band also overrides Channels. Make appropriate settings in Channels.

Channels

Choose channels. The available channels depend on the Band.

Transmit power mode

Select how you want to determine transmit power. The 100% setting is the maximum power permitted in your region. See Setting your geographic location.

SSIDs

Select a traffic mode for SSIDs.

  • Tunnel – available tunnel-mode SSIDs are automatically assigned to this radio.
  • Bridge – available bridge-mode SSIDs are automatically assigned to this radio.
  • Manual – manually select which available SSIDs and SSID groups to assign to this radio.
To override radio settings in the CLI

In this example, Radio 1 is set to 802.11n on channel 11, regardless of the profile setting.

config wireless-controller wtp

edit FP221C3X14019926

config radio-1

set override-band enable

set band 802.11n

set override-channel enable

set channel 11

end

You can override settings for band, channel, vaps (SSIDs), and Transmit power mode.

Outside of configuring radio settings, you can also override FortiAP LED state, WAN port mode, IP Fragmentation prevention method, spectrum analysis, split tunneling, and login password settings.