This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.
Has anyone successfully used Option 43 on a Linux based DHCP server to allow FortiAP's to discover controllers on multiple subnets?
We have recently purchased 3, 200d controllers. We have them in an nplus1 configuration. We also purchased 250 access points. We will be putting half the access points on one VLAN/Subnet and Half on another. We Would like to use DHCP option 43 on each of the subnets to direct them to their own controller. I don't see anyway around this (correct me if I am wrong) as both networks are on the same DNS domain so DNS discovery would push them all to a single controller. We also don't want to manually tell each AP to prefer a specific controller.
We currently have this configured and I can see that the APs are receiving option 43 but don't seem to be receiving the ip address in the correct format.
Documentation for this seems to be sorely lacking. We are Using FortiAP U321ev access points that seem to send a vendor class identifier of "Access Point FAP321" So below is the config we have pieced together for this As documentation is sparse and every forum post seems different I thought I would reach out.
My First Questions is "Do Fortinet AP's look for Code 241 within option 43 for the controller list like Cisco APs do or is there a different code I should specify?"
option space FORTIAP;
option FORTIAP.controller code 241 = array of ip-address;
subnet 10.10.12.0 netmask 255.255.255.0 {
authoritative;
option routers 10.10.12.1;
option subnet-mask 255.255.255.0;
range 10.10.12.11 10.10.12.254;
class "FORTIAP" {
match option vendor-class-identifier;
}
subclass "FORTIAP" "Access Point FAP321" {
vendor-option-space FORTIAP;
option FORTIAP.controller 10.10.10.51,10.10.10.52;
}
}
subnet 10.10.13.0 netmask 255.255.255.0 {
authoritative;
option routers 10.10.13.1;
option subnet-mask 255.255.255.0;
range 10.10.13.11 10.10.13.254;
class "FORTIAP" {
match option vendor-class-identifier;
}
subclass "FORTIAP" "Access Point FAP321" {
vendor-option-space FORTIAP;
option FORTIAP.controller 10.10.10.52,10.10.10.51;
}
}
Solved! Go to Solution.
Hi Dan,
I'm quite sure option 241 is not supported.
The VCI string 'Access Point FAP321' is DHCP Option 60 not DHCP option 43. This can be found in a packet capture during the DHCP request phase. See attached image.
I'm no linux DHCP expert but you don't seem to have defined a DHCP option anywhere in your output (aside from 241) i.e. DHCP option 43 is missing.
Depending on the code version you are running on the FWC-200D, option 43 may no longer be valid. As CAPWAP is being used from SD v8.3+. CAPWAP uses DHCP Option 138.
An example of DHCP option 138 can be found here. http://www.bintec-elmeg.com/portal/downloadcenter/dateien/workshops/current_en/ws_wlan_html_en_HTML/ws_wlan-intro-appendix-linux.html
#JB
Hi Dan,
I'm quite sure option 241 is not supported.
The VCI string 'Access Point FAP321' is DHCP Option 60 not DHCP option 43. This can be found in a packet capture during the DHCP request phase. See attached image.
I'm no linux DHCP expert but you don't seem to have defined a DHCP option anywhere in your output (aside from 241) i.e. DHCP option 43 is missing.
Depending on the code version you are running on the FWC-200D, option 43 may no longer be valid. As CAPWAP is being used from SD v8.3+. CAPWAP uses DHCP Option 138.
An example of DHCP option 138 can be found here. http://www.bintec-elmeg.com/portal/downloadcenter/dateien/workshops/current_en/ws_wlan_html_en_HTML/ws_wlan-intro-appendix-linux.html
#JB
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.