Wireless client not receiving an IP through Tunneled SSID

Question

Hello,

My wireless clients do not receive an IP Address when connecting to a SSID.

My Infrastructure is as follow;
FortiGate 120G <fortilink> FortiSwitch FS-108F-FPOE <port1> FAP231

On the FortiSwitch port1 the native vlan is 5 and the allowed vlan are 30 and 40

On the FortiGate in the fortilink interface the vlan5 is configured with a subnet 192.168.5.32/27 and a DHCP server to provide management subnet for the FAP231 (this is working).
On the fortilink I configured the vlan 30 without any IP or DHCP server

On the fortilink I configured the vlan 40 with a subnet 192.168.40.0/24 with a DHCP server (192.168.40.10-192.168.40.250).

In the SSID section I configured the SSID GUEST_30 in Tunnel mode, with a subnet 192.168.30.0/24 and a DHCP server (192.168.30.10-192.168.30.250) open authentication with a local captive portal, and the vlanid 30.

In the SSID section I configured the SSID OFFICE_40 in Tunnel mode, without a subnet or DHCP server, WPA2 Personnal (will go to Enterprise when radius server is up) and the vlanid 40.
DHCP Snooping is disabled everywhere and just in case I trusted the port1 of the Fortiswitch where the FAP231 is connected.

Both of my SSID are well broadcasted and when I connect to both SSID, my clients do not get an IP address.

I do not know what else to check, does anyone have an idea?
Let me know if more details are needed!

Thanks in advance, Sylvain C.

SylvainC · Accepted Answer

Hello,

Solution confirmed by Fortinet is to add another FortiSwitch where the FortiGate is located to have FortiAPs connecting to the FortiSwitch which then connect to the FortiGate.
Having FortiAPs connected to FortiSwitch and FortiGate is possible, but they cannot broadcast the same SSID and use the same subnet (possible to use the same vlan though).

Tests were made to confirm again, and deployment in production with Fortinet's solution has been made.

Hope this can help someone someday.
Sylvain C.

SylvainC · Answer

Hello, Here are some configuration snippet that may help;Spoiler (Highlight to read)Interface configurationFGT-120G (40_OFFICE) # showconfig system interface    edit "40_OFFICE"        set vdom "root"        set type vap-switch        set device-identification enable        set role lan        set snmp-index 53        set ip-managed-by-fortiipam disable    nextend FGT-120G (OFFICE_40) # showconfig system interface    edit "OFFICE_40"        set vdom "root"        set ip 192.168.40.1 255.255.255.0        set allowaccess ping        set alias "WIFI_OFFICE"        set device-identification enable        set role lan        set snmp-index 58        set ip-managed-by-fortiipam disable        set interface "fortilink"        set vlanid 40    nextend FGT-120G (30_GUEST) # showconfig system interface    edit "30_GUEST"        set vdom "root"        set ip 192.168.30.1 255.255.255.0        set allowaccess ping        set type vap-switch        set alias "PORTAL_GUEST"        set device-identification enable        set role lan        set snmp-index 42        set ip-managed-by-fortiipam disable    nextend FGT-120G (GUEST_30) # showconfig system interface    edit "GUEST_30"        set vdom "root"        set device-identification enable        set role lan        set snmp-index 57        set ip-managed-by-fortiipam disable        set interface "fortilink"        set vlanid 30    nextend FGT-120G (AP_5) # showconfig system interface    edit "AP_5"        set vdom "root"        set ip 192.168.0.33 255.255.255.224        set allowaccess ping ssh fabric        set device-identification enable        set role lan        set snmp-index 52        set ip-managed-by-fortiipam disable        set interface "fortilink"        set vlanid 5    nextend  DHCP Server configurationFGT-120G (13) # showconfig system dhcp server    edit 13        set lease-time 28800        set dns-service default        set ntp-service default        set default-gateway 192.168.40.1        set netmask 255.255.255.0        set interface "OFFICE_40"        config ip-range            edit 1                set start-ip 192.168.40.10                set end-ip 192.168.40.250            next        end    nextend FGT-120G (12) # showconfig system dhcp server    edit 12        set lease-time 28800        set dns-service default        set default-gateway 192.168.30.1        set netmask 255.255.255.0        set interface "30_GUEST"        config ip-range            edit 1                set start-ip 192.168.30.10                set end-ip 192.168.30.250            next        end    nextend FGT-120G (11) # showconfig system dhcp server    edit 11        set lease-time 86400        set dns-service default        set default-gateway 192.168.0.33        set netmask 255.255.255.224        set interface "AP_5"        config ip-range            edit 1                set start-ip 192.168.0.34                set end-ip 192.168.0.62            next        end    nextend  Wireless-controller vapFGT-120G (30_GUEST) # showconfig wireless-controller vap    edit "30_GUEST"        set ssid "GUEST_PORTAL"        set security open        set captive-portal enable        set portal-type auth+disclaimer        set selected-usergroups "Guest-group"        set schedule "always"        set vlanid 30    nextend FGT-120G (40_OFFICE) # showconfig wireless-controller vap    edit "40_OFFICE"        set ssid "OFFICE"        set passphrase ENC ***        set schedule "always"        set vlanid 40    nextend  On the FortiSwitchFGT-120G  (ports) # showconfig ports    edit "port1"        set poe-capable 1        set vlan "AP_5"        set allowed-vlans "GUEST_30" "OFFICE_40"        set untagged-vlans "quarantine"        set dhcp-snooping trusted        set export-to "root"        set mac-addr "AP MAC"    nextInterface configurationFGT-120G (40_OFFICE) # showconfig system interface    edit "40_OFFICE"        set vdom "root"        set type vap-switch        set device-identification enable        set role lan        set snmp-index 53        set ip-managed-by-fortiipam disable    nextend FGT-120G (OFFICE_40) # showconfig system interface    edit "OFFICE_40"        set vdom "root"        set ip 192.168.40.1 255.255.255.0        set allowaccess ping        set alias "WIFI_OFFICE"        set device-identification enable        set role lan        set snmp-index 58        set ip-managed-by-fortiipam disable        set interface "fortilink"        set vlanid 40    nextend FGT-120G (30_GUEST) # showconfig system interface    edit "30_GUEST"        set vdom "root"        set ip 192.168.30.1 255.255.255.0        set allowaccess ping        set type vap-switch        set alias "PORTAL_GUEST"        set device-identification enable        set role lan        set snmp-index 42        set ip-managed-by-fortiipam disable    nextend FGT-120G (GUEST_30) # showconfig system interface    edit "GUEST_30"        set vdom "root"        set device-identification enable        set role lan        set snmp-index 57        set ip-managed-by-fortiipam disable        set interface "fortilink"        set vlanid 30    nextend FGT-120G (AP_5) # showconfig system interface    edit "AP_5"        set vdom "root"        set ip 192.168.0.33 255.255.255.224        set allowaccess ping ssh fabric        set device-identification enable        set role lan        set snmp-index 52        set ip-managed-by-fortiipam disable        set interface "fortilink"        set vlanid 5    nextend  DHCP Server configurationFGT-120G (13) # showconfig system dhcp server    edit 13        set lease-time 28800        set dns-service default        set ntp-service default        set default-gateway 192.168.40.1        set netmask 255.255.255.0        set interface "OFFICE_40"        config ip-range            edit 1                set start-ip 192.168.40.10                set end-ip 192.168.40.250            next        end    nextend FGT-120G (12) # showconfig system dhcp server    edit 12        set lease-time 28800        set dns-service default        set default-gateway 192.168.30.1        set netmask 255.255.255.0        set interface "30_GUEST"        config ip-range            edit 1                set start-ip 192.168.30.10                set end-ip 192.168.30.250            next        end    nextend FGT-120G (11) # showconfig system dhcp server    edit 11        set lease-time 86400        set dns-service default        set default-gateway 192.168.0.33        set netmask 255.255.255.224        set interface "AP_5"        config ip-range            edit 1                set start-ip 192.168.0.34                set end-ip 192.168.0.62            next        end    nextend  Wireless-controller vapFGT-120G (30_GUEST) # showconfig wireless-controller vap    edit "30_GUEST"        set ssid "GUEST_PORTAL"        set security open        set captive-portal enable        set portal-type auth+disclaimer        set selected-usergroups "Guest-group"        set schedule "always"        set vlanid 30    nextend FGT-120G (40_OFFICE) # showconfig wireless-controller vap    edit "40_OFFICE"        set ssid "OFFICE"        set passphrase ENC ***        set schedule "always"        set vlanid 40    nextend  On the FortiSwitchFGT-120G  (ports) # showconfig ports    edit "port1"        set poe-capable 1        set vlan "AP_5"        set allowed-vlans "GUEST_30" "OFFICE_40"        set untagged-vlans "quarantine"        set dhcp-snooping trusted        set export-to "root"        set mac-addr "AP MAC"    nextWhen connecting to the SSID GUEST_PORTAL the client is always trying to get an IP and never reach the captive portal.When connecting to the SSID OFFICE the client is prompted for the passphrase, I put it in, the authentication works as the client then attempt to get an IP but never get one.If you think there is another "better" way to configure what I'm attempting to achieve, do not hesitate!Have a good day, Sylvain C.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded