TheyCallMe
New Member
January 14, 2026
Question

FortiAP 23JF secure LAN port 3 for VOIP only

  • January 14, 2026
  • 1 reply
  • 274 views

I have started to set up FortiAP 23JF devices on our network using a FortiGate 3200D as the controller. They are working fine, but what I am trying to do is make the PoE port LAN3 on the FortiAP only accept the Avaya phones on that port, so guests can't unplug the phone, plug their laptop in and get on the voice network.

I have created a firewall address object called "Avaya" with a list of all the MAC addresses of the phones in each room. Then under SSIDs I created an SSID called "AvayaVOIP" with the Address Group Policy set to "allow" and chose the object created above. Then I created a FortiAP profile called "AvayaFAP23JF" and assigned it to one of the FortiAPs, which all worked fine, but when testing and plugging my laptop into Port3 I still get assigned an IP on that port.

The Cisco APs that I am replacing with the FortiAPs were VLAN aware, so I could untag the guest VLAN (2201) and tag the VOIP network (2065), so if a client unplugged the phone and plugged in they would be put on the guest network. The FortiAPs do not let me do this. Since the VOIP interface is not on the FortiGate I can't set policies. Any suggestions would help.

1 reply

joshbergm
Explorer
January 16, 2026

Hi,

 

Why did you create a SSID if you're trying to achieve authentication on a LAN port?

I think you need some sort of RADIUS authentication on your LAN port.

 

 

TheyCallMe
New Member
January 18, 2026

That's how the 23JF works. The only options you have are below. NAT to LAN and Bridge to LAN pass it through to the AP management VLAN, which is no good to me. Bridge to SSID is my only option to get the phone working. I have a ticket open with Fortinet; at this point I don't think it is possible. I think I'll have to lock down the VOIP VLAN as best as possible. Not what I wanted to do, but my network is pretty complex and NAC is not an easy task.

 

23JF.png

ebilcari
Staff
January 25, 2026

Due to the limitations of this setup, you may also consider limiting at least the IP assignment for the voice VLAN through DHCP (VCI pattern or reservation and block unknown). It is not considered secure, but it will at least reduce unnecessary network activity on the VoIP VLAN.

Emirjon
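
The DHCP-side filter suggested in the last reply (VCI pattern or reservation, block unknown), sketched as an added example that is not part of the thread and not Fortinet or Avaya code. The VCI string `ccp.avaya.com`, the MAC addresses and all function names are assumptions or constructed values; take the real option 60 value from a capture of one of your phones.

```python
import re

MAGIC = b"\x63\x82\x53\x63"                     # DHCP magic cookie (RFC 2131)
VCI_PATTERN = re.compile(rb"ccp\.avaya\.com")   # assumed phone VCI, verify from a capture
RESERVED = {"02:00:00:00:20:65"}                # constructed MAC standing in for the "Avaya" list

def parse_dhcp(pkt):
    """Return (client MAC, {option code: bytes}) from a raw DHCP payload."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    if pkt[1] != 1 or pkt[2] != 6:              # htype Ethernet, hlen 6
        raise ValueError("not an Ethernet client")
    mac = pkt[28:34].hex(":")                   # chaddr starts at offset 28
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:       # 255 = end option
        if pkt[i] == 0:                         # 0 = pad, has no length byte
            i += 1
            continue
        if i + 2 > len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        code, length = pkt[i], pkt[i + 1]
        # a repeated option code is concatenated (RFC 3396)
        opts[code] = opts.get(code, b"") + pkt[i + 2:i + 2 + length]
        i += 2 + length
    return mac, opts

def decide(pkt):
    """'offer' for a reserved MAC or a matching option 60 (VCI), else 'ignore'."""
    try:
        mac, opts = parse_dhcp(pkt)
    except ValueError:
        return "ignore"                         # malformed request gets no lease
    if mac in RESERVED or VCI_PATTERN.fullmatch(opts.get(60, b"")):
        return "offer"
    return "ignore"                             # block unknown clients

def build_discover(mac, vci=None):
    """Constructed DHCPDISCOVER used as sample input (not a capture)."""
    hdr = bytes([1, 1, 6, 0]) + b"\x12\x34\x56\x78" + bytes(20)  # op..giaddr, 28 bytes
    chaddr = bytes.fromhex(mac.replace(":", "")) + bytes(10)
    opts = bytes([53, 1, 1])                    # option 53 = DHCPDISCOVER
    if vci is not None:
        opts += bytes([60, len(vci)]) + vci     # option 60 = vendor class identifier
    return hdr + chaddr + bytes(192) + MAGIC + opts + b"\xff"

if __name__ == "__main__":
    print(decide(build_discover("02:00:00:00:20:65")))              # reserved phone
    print(decide(build_discover("02:00:00:00:aa:bb", b"MSFT 5.0"))) # unknown client
```

Both inputs to `decide` are values the client itself sends, which is why the reply describes this as reducing unwanted activity on the VoIP VLAN rather than securing the port.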