FortiWiFi and FortiAP Configuration Guide

Discovery and authorization of APs

To complete the discovery and authorization of APs, perform the following tasks:

Pre-authorizing a FortiAP unit

There are two ways of pre-authorizing a FortiAP unit:

  • Enter an individual FortiAP unit's information in advance; the unit is authorized and begins to function when it is connected.
  • Specify a Wildcard Serial Number to represent the model of the FortiAPs you want to authorize; the pre-configured SN is replaced by the actual SN of the FortiAP, and the FortiAP is authorized when it is connected.

Pre-authorizing an individual FortiAP unit

To pre-authorize an individual FortiAP unit
  1. Go to WiFi and Switch Controller > Managed FortiAPs and select Create New.
    On some models the WiFi Controller menu is called WiFi & Switch Controller.
  2. Enter the Serial Number of the FortiAP unit.
  3. Configure the Wireless Settings as required.
  4. Select OK.

Pre-authorizing a FortiAP by specifying a Wildcard Serial Number

You can pre-configure and pre-authorize a template FortiAP SN to represent the SN of specific FortiAP models. When a physical FortiAP connects, the pre-configured SN is replaced by the actual SN of the FortiAP, and the FortiAP can be automatically authorized.

For example, a Wildcard Serial Number of FP231F****000001 will allow the first FortiAP-231F to register to the Wireless Controller to be authorized automatically and adopt profile configurations.

A Wildcard Serial Number consists of three parts:

  • A six-digit valid prefix for a FortiAP model, like "FP231F".
  • Four "*" (asterisks) to indicate that the Serial Number is a Wildcard Serial Number.
  • Six digits containing any valid characters. The characters do not need to match the actual Serial Number of the FortiAP you are registering.

    The last six digits enable you to create multiple profiles where each new FortiAP that registers adopts one of the wildcard SN profiles in order.

To pre-authorize a FortiAP by specifying a Wildcard Serial Number - GUI
  1. Go to WiFi & Switch Controller > Managed FortiAPs and click Create New > Managed AP.
  2. In Serial number, enter a Wildcard Serial Number (example "FP231F****000001").
  3. Select a FortiAP profile you want to apply to the FortiAP.
  4. Click OK to save.
  5. Connect the FortiAP unit to your topology.

    Once the FortiAP is discovered by FortiGate, FortiGate will try to find a matching Wildcard SN. When FortiGate finds a matching Wildcard SN, the template Serial Number is renamed to match the newly discovered physical FortiAP SN.

To configure a Wildcard Serial Number and pre-authorize a FortiAP - CLI
  1. Pre-configure a Wildcard FortiAP SN (example "FP231F****000001").

    config wireless-controller wtp
      edit "FP231F****000001"
        set uuid 47ab50f8-5f7c-51ec-0a60-4ff00a3eba2e
        set admin enable
        set wtp-profile "FAP231F-test"
        config radio-1
        end
        config radio-2
        end
      next
    end

  2. Connect the FortiAP unit to your topology.

    Once the FortiAP is discovered by FortiGate, FortiGate will try to find a matching Wildcard SN. When FortiGate finds a matching Wildcard SN, the template Serial Number is renamed to match the newly discovered physical FortiAP SN.

    FortiGate-80E-POE # diag debug enable
    FortiGate-80E-POE # diag debug cli 7
    Debug messages will be on for unlimited time.
    FortiGate-80E-POE # 0: config wireless-controller wtp
    0: rename "FP231F****000001" to "FP231FTF20026472"
    0: end

    The pre-configured template FortiAP SN is successfully renamed to match the FortiAP SN "FP231FTF20026472".

  3. The new FortiAP is now pre-authorized and can be managed from the FortiGate without manual authorization. Note that the UUID does not change.

    config wireless-controller wtp
      edit "FP231FTF20026472"
        set uuid 47ab50f8-5f7c-51ec-0a60-4ff00a3eba2e
        set admin enable
        set wtp-profile "FAP231F-test"
        config radio-1
        end
        config radio-2
        end
      next
    end

Enabling and configuring a discovered AP

  1. Connect the FortiAP unit to the FortiGate unit. Within two minutes, the WiFi Controller > Managed FortiAPs page displays the discovered FortiAP unit.
  2. Select the FortiAP unit and authorize that unit.
Discovered access point unit

Note

When you authorize a FortiAP unit, it is configured by default to use the default FortiAP profile (determined by model). The FortiAP profile defines the entire configuration for the AP (see Creating a FortiAP profile). You can assign a different profile, if needed, by right-clicking the authorized FortiAP and selecting Assign Profile.

To add and configure the discovered AP unit - GUI
  1. Go to WiFi and Switch Controller > Managed FortiAPs.
    This configuration also applies to local WiFi radio on FortiWiFi models.
  2. Select the FortiAP unit from the list and edit it.
  3. Optionally, enter a Name. Otherwise, the unit will be identified by serial number.
  4. Select Authorize.
  5. Select a FortiAP Profile.
  6. Select OK.

The physical access point is now added to the system. If the rest of the configuration is complete, it should be possible to connect to the wireless network through the AP.

To add the discovered AP unit - CLI

First get a list of the discovered access point unit serial numbers:

    get wireless-controller wtp

Add a discovered unit and associate it with AP-profile1, for example:

    config wireless-controller wtp
      edit FAP22A3U10600118
        set admin enable
        set wtp-profile AP-profile1
    end

To view the status of the added AP unit

    config wireless-controller wtp
      edit FAP22A3U10600118
        get

The join-time field should show a time, not “N/A”. See the preceding GUI procedure for more information.

Disabling the automatic discovery of unknown FortiAPs

By default, FortiGate adds newly discovered FortiAPs to the Managed FortiAPs list, awaiting the administrator's authorization. Optionally, you can disable this automatic registration function to avoid adding unknown FortiAPs. A FortiAP will be registered and listed only if its serial number has already been added manually to the Managed FortiAPs list. AP registration is configured on each interface.

To disable automatic discovery and registration, enter the following command:

    config system interface
      edit port15
        set ap-discover disable
    end

Enabling the automatic authorization of extension devices

To simplify adding FortiAP or FortiSwitch devices to your network, you can enable automatic authorization of devices as they are connected, instead of authorizing each one individually.

This feature is only configurable in the CLI.

To enable automatic authorization on all dedicated interfaces

    config system global
      set auto-auth-extension-device enable
    end

To enable automatic authorization per-interface

    config system interface
      edit <port>
        set auto-auth-extension-device enable
    end
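
An added example, not part of the Fortinet guide: a Python audit of a configuration backup that flags the two settings described above that admit an AP without an administrator reviewing that specific unit, namely an unclaimed Wildcard Serial Number template with admin enabled and auto-auth-extension-device set to enable. The sample configuration is constructed, and template_admits assumes that a template claims any serial number beginning with its six-character model prefix, which the guide implies but does not state.

```python
import re

# Wildcard SN layout per the guide: 6-character model prefix, "****", 6 more characters.
WILDCARD_SN = re.compile(r'^([A-Z0-9]{6})\*{4}[A-Z0-9]{6}$')

# Constructed config-backup excerpt (not from a real device).
SAMPLE_CONFIG = """\
config system global
    set auto-auth-extension-device enable
end
config system interface
    edit "port16"
        set auto-auth-extension-device enable
    next
end
config wireless-controller wtp
    edit "FP231F****000001"
        set admin enable
        config radio-1
        end
    next
    edit "FP231FTF20026472"
        set admin enable
    next
end
"""

def template_admits(template, serial):
    """Assumption: a template claims any serial that starts with its model prefix."""
    m = WILDCARD_SN.match(template)
    return bool(m) and serial.startswith(m.group(1))

def audit(config_text):
    """Return (section, entry, finding) for settings that admit an AP without per-unit review."""
    findings, stack, entry = [], [], None
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end" and stack:
            stack.pop()
            entry = entry if stack else None  # leaving a top-level section clears the entry
        elif len(stack) != 1:
            continue  # ignore settings inside nested blocks such as radio-1
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
        elif line == "set auto-auth-extension-device enable":
            findings.append((stack[0], entry, "auto-authorizes extension devices"))
        elif (stack[0] == "wireless-controller wtp" and line == "set admin enable"
              and entry and WILDCARD_SN.match(entry)):
            findings.append((stack[0], entry, "unclaimed pre-authorized wildcard template"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

A template that has already been renamed to a physical serial number, such as FP231FTF20026472 in the sample, is not reported, so any wildcard entry that remains in a backup is one that the next matching AP to connect would claim.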

Assigning the same FortiAP profile to multiple FortiAP units

The same profile can now be applied to multiple managed FortiAP units at the same time. To do this, do the following:

  1. Go to WiFi and Switch Controller > Managed FortiAPs to view the AP list.
  2. Select all FortiAP units you wish to apply the profile to.
  3. Right-click one of the selected FortiAPs and select Assign Profile.
  4. Choose the profile you wish to apply.

Overriding the FortiAP profile

In the FortiAP configuration (WiFi and Switch Controller > Managed FortiAPs), there are several radio settings under Override Radio 1 and Override Radio 2. You can choose to set a value independently of the FortiAP profile setting. When each of the radios is disabled, you will see the value that the FortiAP Profile has configured for each of the settings.

Band

The available options depend on the capability of the radio. Overriding Band also overrides Channels. Make appropriate settings in Channels.

Channels

Choose channels. The available channels depend on the Band.

Transmit power mode

Select how you want to determine transmit power. The 100% setting is the maximum power permitted in your region. See Setting your geographic location.

SSIDs

Select a traffic mode for SSIDs.

  • Tunnel – available tunnel-mode SSIDs are automatically assigned to this radio.
  • Bridge – available bridge-mode SSIDs are automatically assigned to this radio.
  • Manual – manually select which available SSIDs and SSID groups to assign to this radio.

To override radio settings in the CLI

In this example, Radio 1 is set to 802.11n on channel 11, regardless of the profile setting.

    config wireless-controller wtp
      edit FP221C3X14019926
        config radio-1
          set override-band enable
          set band 802.11n
          set override-channel enable
          set channel 11
        end
      next
    end

You can override settings for band, channel, vaps (SSIDs), and Transmit power mode.

Outside of configuring radio settings, you can also override FortiAP LED state, WAN port mode, IP Fragmentation prevention method, spectrum analysis, split tunneling, and login password settings.
