Discovering, authorizing, and deauthorizing FortiAP units
In order for FortiGate to manage a FortiAP unit, it must first discover the FortiAP and then authorize it.
For more information about discovery, authorization, and ways to pre-authorize FortiAPs, see Discovery and authorization of APs.
Discovering a FortiAP unit
For a FortiGate acting as an AP controller (AC) to discover a FortiAP unit, the FortiAP must be able to reach the AC. A FortiAP with the factory default configuration has various ways of acquiring an AC's IP address to reach it.
AC discovery type | Description |
---|---|
Auto | The FortiAP tries each of the methods below in sequence, in an endless loop. |
Static | The FortiAP sends discovery requests to a preconfigured IP address that an AC owns. |
DHCP | The FortiAP acquires the IP address of an AC from DHCP option 138 (the factory default) in the same DHCP offer that supplies the FortiAP's own IP address. |
DNS | The FortiAP acquires the AC's IP address by resolving a preconfigured FQDN. |
FortiCloud | FortiGate Cloud discovers the FortiAP. |
Broadcast | The FortiAP is discovered by sending broadcasts in its local subnet. |
Multicast | The FortiAP is discovered by sending discovery requests to the multicast address 224.0.1.140, which is the factory default. |
See Advanced WiFi controller discovery for more information on WiFi controller discovery methods.
AC actions when a FortiAP attempts to get discovered
Enable ap-discover on the AC for the interface designed to manage FortiAPs:
config system interface
edit "lan"
set ap-discover enable
next
end
The ap-discover command allows the AC to create an entry in the managed FortiAPs table when it receives the FortiAP's discovery request. The ap-discover command is enabled by default. When the FortiAP entry is created automatically, it is marked with the discovered status and awaits an administrator's authorization, unless the following setting is present:
config system interface
edit "lan"
set auto-auth-extension-device enable
next
end
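The auto-auth-extension-device command allows the AC to authorize a newly discovered FortiAP automatically, without an administrator's manual authorization. The auto-auth-extension-device command is disabled by default. With it enabled, any FortiAP whose discovery request reaches that interface is authorized without review, so limit it to interfaces where every attached device is trusted.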
Authorize a discovered FortiAP
Once the AC receives the FortiAP's discovery request, a FortiAP entry is added to the managed FortiAPs table and shown in WiFi and Switch Controller > Managed FortiAPs.
To authorize the specific AP, select the FortiAP entry, and then right-click and select Authorize from the context menu.
Authorization can also be granted from the FortiAP details panel under the Actions menu.
Authorization can also be granted through the following CLI commands:
config wireless-controller wtp
edit "FP423E3X16000320"
set admin enable
next
end
When you authorize a FortiAP unit, it is configured by default to use the default FortiAP profile (determined by model). The FortiAP profile defines the entire configuration for the AP (see Creating a FortiAP profile). You can assign a different profile, if needed, by right-clicking the authorized FortiAP and selecting Assign Profile.
De-authorize a managed FortiAP
To de-authorize a managed FortiAP, select the FortiAP entry, and then click Deauthorize at the top of the table or right-click and select Deauthorize from the context menu.
You can also de-authorize from the FortiAP details panel under the Action menu.
You can also de-authorize with the following CLI commands:
config wireless-controller wtp
edit "FP423E3X16000320"
set admin discovered
next
end
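The settings above can be checked offline against a saved configuration. The following is an added example, not Fortinet code: a small Python audit that reports interfaces where discovery and auto-authorization are both in effect, and the admin state of each FortiAP entry. The function names and the sample configuration are constructed for illustration, missing options fall back to the defaults stated on this page, and the parser assumes every value fits on one line.

```python
import shlex
# Constructed sample configuration text (not captured from a real device).
SAMPLE_CONFIG = """
config system interface
    edit "lan"
        set auto-auth-extension-device enable
    next
    edit "guest"
        set ap-discover disable
        set auto-auth-extension-device enable
    next
end
config wireless-controller wtp
    edit "FP423E3X16000320"
        set admin discovered
    next
end
"""

def parse_config(text):
    """Parse top-level config/edit/set blocks into {section: {entry: {option: value}}}."""
    tree, section, entry, depth = {}, None, None, 0
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            depth += 1  # nested config blocks (depth > 1) are skipped
            if depth == 1:
                section = tree.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "end":
            depth -= 1
        elif depth == 1 and tok[0] == "edit":
            entry = section.setdefault(tok[1], {})
        elif depth == 1 and tok[0] == "set" and entry is not None:
            entry[tok[1]] = " ".join(tok[2:])
        elif depth == 1 and tok[0] == "next":
            entry = None
    return tree

def audit(text):
    """Return (finding, name) pairs: auto-authorizing interfaces and each AP's admin state."""
    tree, findings = parse_config(text), []
    for name, opts in tree.get("system interface", {}).items():
        # Defaults as stated on the page: ap-discover enabled, auto-auth disabled.
        discover = opts.get("ap-discover", "enable") == "enable"
        auto = opts.get("auto-auth-extension-device", "disable") == "enable"
        if discover and auto:
            findings.append(("auto-authorize", name))
    for serial, opts in tree.get("wireless-controller wtp", {}).items():
        findings.append(("admin=" + opts.get("admin", "unset"), serial))
    return findings
```

On the sample, only "lan" is reported as auto-authorizing, because "guest" has ap-discover disabled and so never creates entries from discovery requests.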