
FortiWiFi and FortiAP Configuration Guide

Advanced WiFi controller discovery


A FortiAP unit can use any of six methods to locate a controller. By default, FortiAP units cycle through all six of the discovery methods. In most cases there is no need to make configuration changes on the FortiAP unit.

There are exceptions, however. The following section describes the WiFi controller discovery methods in more detail and explains the configuration changes you might need to make so that discovery works.

Controller discovery methods

There are six methods that a FortiAP unit can use to discover a WiFi controller. When the FortiAP discovery type is set to auto, the AP Controller (AC) uses the following discovery methods in sequence:

1(static) → 2(dhcp) → 3(dns) → 7(fortiedgecloud) → 5(multicast) → 6(broadcast)

For every discovery type, FortiAP sends out discovery requests and sets a timer. The timer interval is defined as a random number of seconds (between 2 and 180; the default is 5 seconds) and is set via the CLI:

CLI syntax

config wireless-controller timers
    set discovery-interval 5
end

After the timeout is reached, FortiAP sends out another discovery request, up to a maximum of 3 times.

After about 3 to 15 seconds, if FortiAP has no AC connection, it switches to the next discovery type and repeats the above process until the last one (broadcast) fails, which leads to the SULKING state.

After about 30 seconds, FortiAP goes into the AC_IP_DISCVER state. After the AC IP is found, it goes to the IDLE state, eventually returns to the DISCOVERY state, and repeats the above process.

Note that, while the process above describes the auto discovery method, it is recommended to set AC_DISCOVERY_TYPE to the method you actually use in order to reduce downtime.

If FortiAP gets stuck in a discovery loop due to changes in the network, you might need to reboot the AP to detect the new changes. You can set up automatic AP reboot to reduce the need for manual intervention (see Configure automatic AP reboot).

Static IP configuration

If FortiAP and the controller are not in the same subnet, broadcast and multicast packets cannot reach the controller. The admin can specify the controller's static IP on the AP unit. The AP unit sends a discovery request message in unicast to the controller. Routing must be properly configured in both directions.

To specify the controller's IP address on a FortiAP unit:

cfg -a AC_IPADDR_1="192.168.0.100"

By default, the FortiAP unit receives its IP address, netmask, and gateway address by DHCP. If you prefer, you can assign these statically.

To assign a static IP address to the FortiAP unit:

cfg -a ADDR_MODE=STATIC
cfg -a AP_IPADDR="192.168.0.100"
cfg -a AP_NETMASK="255.255.255.0"
cfg -a IPGW=192.168.0.1
cfg -c

For information about connecting to the FortiAP CLI, see FortiAP CLI access.

DHCP

If you use DHCP to assign an IP address to your FortiAP unit, you can also provide the WiFi controller IP address at the same time. This is useful if the AP is located remotely from the WiFi controller and other discovery techniques will not work. Since the AP sequentially goes through all the different discovery methods, DHCP has the best ratio between configuration and time for discovery.

When you configure the DHCP server, configure Option 138 to specify the WiFi controller IP address(es). The most direct method is to input an IP address in hexadecimal format. For example, 192.168.0.1 converts to C0A80001.

For DHCP servers that support inputting other option types, you can select the "IP" type and then input a regular IP address.

You can also input multiple addresses (concatenated in hexadecimal format). The first address has the highest priority.
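The hexadecimal encoding described above, as an added example (not Fortinet's code): it builds the Option 138 value, decodes one back in priority order, and compares what a DHCP scope hands out with an approved controller list. The function names, the 10.0.0.2 sample address, and the unicast sanity check are assumptions made for this illustration.

```python
import ipaddress


def encode_option138(controllers):
    """Hex value for DHCP Option 138; the first address has the highest priority."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    chunks = []
    for addr in controllers:
        ip = ipaddress.IPv4Address(addr)  # raises ValueError on malformed input
        # Added sanity check (assumption): a controller is a unicast host address.
        if ip.is_multicast or ip.is_unspecified or ip.is_loopback:
            raise ValueError(f"{addr} is not a usable controller address")
        chunks.append(ip.packed.hex().upper())
    return "".join(chunks)


def decode_option138(hex_value):
    """Split a concatenated hex value back into addresses, in priority order."""
    cleaned = hex_value.replace(":", "").replace(" ", "")
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError(f"not valid hex: {hex_value!r}") from exc
    if not raw or len(raw) % 4:
        raise ValueError("value must be a whole number of 4-byte IPv4 addresses")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


def check_option138(observed_hex, approved):
    """Compare the value a DHCP scope hands out with the approved controller list."""
    observed = decode_option138(observed_hex)
    problems = [f"unexpected controller {a}" for a in observed if a not in approved]
    problems += [f"missing controller {a}" for a in approved if a not in observed]
    if not problems and observed != list(approved):
        problems.append("priority order differs from the approved list")
    return problems


if __name__ == "__main__":
    # Constructed sample values; 192.168.0.1 is the page's own example.
    print(encode_option138(["192.168.0.1"]))
    print(decode_option138("C0A800010A000002"))
    print(check_option138("0A000002C0A80001", ["192.168.0.1", "10.0.0.2"]))
```

Running the check against the value each DHCP scope actually serves catches a scope that lists an unapproved controller or reverses the priority order before the APs act on it.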

If Option 138 is used for some other purpose on your network, you can use a different option number if you configure the AP units to match.

To change the FortiAP DHCP option code:

To use option code 139, for example, enter:

cfg -a AC_DISCOVERY_DHCP_OPTION_CODE=139

For information about connecting to the FortiAP CLI, see FortiAP CLI access.

DNS

FortiAP can discover controllers through DNS, using the domain suffix it receives from DHCP option 15 (e.g. "example.com"), which can be configured on a third-party DHCP server.

By default, FortiAP uses the AC hostname "fortinet-capwap-controller" and combines it with the AC domain suffix to form one FQDN (e.g. "fortinet-capwap-controller.example.com").

If necessary, you can customize the default AC hostname on FortiAP. The custom hostname must not contain the "." character.

To customize the default AC hostname:
  1. From the FortiAP CLI, enter the following commands to customize the AC_HOSTNAME_1/2/3:

    cfg -a AC_HOSTNAME_1=<yourcompany>
    cfg -a AC_HOSTNAME_2=<yourcompany2>
    cfg -a AC_HOSTNAME_3=<yourcompany3>
    cfg -c

The new example DNS hostname would become "yourcompany.example.com".

FortiEdge Cloud

FortiAP can discover FortiEdge Cloud by doing a DNS lookup of the hardcoded FortiEdge Cloud AP controller hostname "apctrl1.forticloud.com". The FortiAP discovers the FortiEdge Cloud AP controller via HTTPS to get the AC address.

FortiEdge Cloud - APController: apctrl1.forticloud.com

Broadcast request

The FortiAP unit broadcasts a discovery request message to the network and the controller replies. The AP and the controller must be in the same broadcast domain. No configuration adjustments are required.

Multicast request

The FortiAP unit sends a multicast discovery request and the controller replies with a unicast discovery response message. The AP and the controller do not need to be in the same broadcast domain if multicast routing is properly configured.

The default multicast destination address is 224.0.1.140. It can be changed through the CLI. The address must be the same on the controller and the AP.

To change the multicast address on the controller:

config wireless-controller global
    set discovery-mc-addr 224.0.1.250
end

To change the multicast address on a FortiAP unit:

cfg -a AC_DISCOVERY_MC_ADDR="224.0.1.250"

For information about connecting to the FortiAP CLI, see FortiAP CLI access.
