Disable console access on managed FortiAP devices 7.0.1
Serial console access on managed FortiAP devices can be disabled in FortiOS by disabling console login in the WTP profile that is applied to the FortiAP. By default, console login in enabled in WTP profiles.
config wireless-controller wtp-profile
edit <profile>
set console-login {enable | disable}
next
end
When the console access is changed, the managed FortiAPs are rebooted.
Example
In this example, a FortiWiFi 60F is managing a FortiAP 433F. A WTP profile with console login disabled is applied to the FortiAP.
To configure the WTP profile and apply it to the FortiAP:
-
Configure a WTP profile:
config wireless-controller wtp-profile edit "FAP433F-default" config platform set type 433F set ddscan enable end set handoff-sta-thresh 55 set allowaccess https ssh snmp config radio-1 set band 802.11ax,n,g-only end config radio-2 set band 802.11ax-5G end config radio-3 set mode monitor end next end -
Configure the FortiAP to use the profile:
config wireless-controller wtp edit "FP433FTF21000000" set admin enable set wtp-profile "FAP433F-default" config radio-1 end config radio-2 end next end -
On the FortiAP, confirm that console login is enabled:
FortiAP-433F # wcfg | grep console-login console-login : enabled -
Disable console login in the WTP profile:
config wireless-controller wtp-profile edit FAP433F-default set console-login disable WARNING: changing console-login will reboot managed APs. next endThe managed FortiAPs are rebooted.
-
Log in to the FortiAP with the SSH connection and confirm that console login is disabled:
FortiAP-433F # wcfg | grep console-login console-login : disabled