Cybersecurity Forum


thedude78
New Contributor

Has anyone successfully used Option 43 on a Linux based DHCP

Has anyone successfully used Option 43 on a Linux based DHCP server to allow FortiAP's to discover controllers on multiple subnets?

We have recently purchased three 200D controllers. We have them in an N+1 configuration. We also purchased 250 access points. We will be putting half the access points on one VLAN/subnet and half on another. We would like to use DHCP option 43 on each of the subnets to direct them to their own controller. I don't see any way around this (correct me if I am wrong), as both networks are on the same DNS domain, so DNS discovery would push them all to a single controller. We also don't want to manually tell each AP to prefer a specific controller.

We currently have this configured and I can see that the APs are receiving option 43, but they don't seem to be receiving the IP address in the correct format.

Documentation for this seems to be sorely lacking. We are using FortiAP U321EV access points, which seem to send a vendor class identifier of "Access Point FAP321". So below is the config we have pieced together for this. As documentation is sparse and every forum post seems different, I thought I would reach out.

My first question is: "Do Fortinet APs look for code 241 within option 43 for the controller list like Cisco APs do, or is there a different code I should specify?"

# ISC dhcpd: declare a vendor option space and one sub-option in it.
# When "vendor-option-space FORTIAP" is in scope for a client, dhcpd packs
# every FORTIAP.* value into DHCP option 43 as a sub-option TLV:
# code 241, length, then the IPv4 addresses back to back.
option space FORTIAP;
option FORTIAP.controller code 241 = array of ip-address;

# Class and subclass are declared once, at global scope (not repeated per
# subnet). The class matches on the vendor class identifier (option 60)
# that the APs send in their DISCOVER/REQUEST.
class "FORTIAP" {
        match option vendor-class-identifier;
}

subclass "FORTIAP" "Access Point FAP321" {
        # Only clients in this subclass get option 43 built from the
        # FORTIAP space; other clients on the same subnets are unaffected.
        vendor-option-space FORTIAP;
}

# Per-subnet controller order. The FORTIAP.controller value is taken from
# the subnet scope when option 43 is assembled for a matching client.
subnet 10.10.12.0 netmask 255.255.255.0 {
        authoritative;
        option routers 10.10.12.1;
        option subnet-mask 255.255.255.0;
        range 10.10.12.11 10.10.12.254;
        option FORTIAP.controller 10.10.10.51, 10.10.10.52;
}

subnet 10.10.13.0 netmask 255.255.255.0 {
        authoritative;
        option routers 10.10.13.1;
        option subnet-mask 255.255.255.0;
        range 10.10.13.11 10.10.13.254;
        # Reversed order so this subnet prefers the other controller.
        option FORTIAP.controller 10.10.10.52, 10.10.10.51;
}


1 Solution
jbattam_FTNT
Staff

Hi Dan,

I'm quite sure option 241 is not supported.

The VCI string 'Access Point FAP321' is DHCP option 60, not DHCP option 43. This can be found in a packet capture during the DHCP request phase. See attached image.

I'm no Linux DHCP expert, but you don't seem to have defined a DHCP option anywhere in your output (aside from 241), i.e. DHCP option 43 is missing.

Depending on the code version you are running on the FWC-200D, option 43 may no longer be valid, as CAPWAP is used from SD v8.3+. CAPWAP uses DHCP option 138.

An example of DHCP option 138 can be found here: http://www.bintec-elmeg.com/portal/downloadcenter/dateien/workshops/current_en/ws_wlan_html_en_HTML/ws_wlan-intro-appendix-linux.html

#JB

John Battam
Principal CSE - Wireless/IAM International Region
Fortinet
Sydney | Australia
CWNE #327


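A Linux (ISC dhcpd) configuration that follows this answer, handing the controller list to the APs in DHCP option 138 (RFC 5417, CAPWAP Access Controller addresses) instead of a code-241 sub-option inside option 43. This is an added example, not the poster's configuration and not taken from Fortinet or from the linked page. The controller and subnet addresses are the ones given in the question; the option name "capwap-ac-v4" and the VCI match string are assumptions that should be confirmed against your dhcpd release and a packet capture.

```conf
# Added example: ISC dhcpd.conf that advertises CAPWAP controllers with
# DHCP option 138 (RFC 5417). Addresses are the poster's; the option
# name and the VCI string are assumptions.

# Option 138 is a bare list of IPv4 addresses in the standard DHCP option
# space, so no vendor option space and no sub-option code are involved.
# Defined explicitly so the file does not depend on the dhcpd release;
# recent releases ship the same definition built in under this name.
option capwap-ac-v4 code 138 = array of ip-address;

# Match the vendor class identifier (option 60) the APs send, declared
# once at global scope. Confirm the exact string in a capture of the
# DISCOVER/REQUEST before relying on it.
class "FORTIAP" {
    match option vendor-class-identifier;
}
subclass "FORTIAP" "Access Point FAP321";

subnet 10.10.12.0 netmask 255.255.255.0 {
    authoritative;
    option routers 10.10.12.1;
    option subnet-mask 255.255.255.0;
    # Leases from this range go only to clients in the FORTIAP class, so
    # a stray host plugged into the AP VLAN cannot take one.
    pool {
        allow members of "FORTIAP";
        range 10.10.12.11 10.10.12.254;
    }
    # Controller list for this subnet: .51 first, .52 as the alternate.
    option capwap-ac-v4 10.10.10.51, 10.10.10.52;
}

subnet 10.10.13.0 netmask 255.255.255.0 {
    authoritative;
    option routers 10.10.13.1;
    option subnet-mask 255.255.255.0;
    pool {
        allow members of "FORTIAP";
        range 10.10.13.11 10.10.13.254;
    }
    # Reversed order so this subnet prefers the other controller.
    option capwap-ac-v4 10.10.10.52, 10.10.10.51;
}
```

Check the syntax with `dhcpd -t -cf /etc/dhcp/dhcpd.conf` before reloading, then confirm on the wire with `tcpdump -ni <iface> -vv 'udp port 67 or udp port 68'`: the DISCOVER should carry the vendor class string the subclass matches, and the OFFER/ACK should carry option 138 as the two controller addresses (eight bytes) with no sub-option header in front of them, which is the difference from an option 43 payload wrapped in a code-241 TLV. If the APs send a different VCI than assumed, they will match no class and get no lease from these pools, so fix the string rather than removing the `allow members of` restriction.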