FortiAP
FortiAP devices are thin wireless access points (AP) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4), as well as 802.11n and 802.11ax, and the demand for plug-and-play deployment.
laltuzar
Staff
Article Id 394588
Description

This article describes additional steps and behaviors, not covered by the product documentation, for deployments where the FortiAPs have 2 uplinks. The idea is to keep the same wireless controller (FortiGate) while the FortiAP is connected to 2 different FortiSwitches. In the event of a failure, the FortiAPs can then reconnect to the controller with reduced downtime.

Scope

FortiAPs are managed by FortiGate.

Solution

See LAN port uplink redundancy without LACP.

Optional: Configure IP addresses of both VLANs on FortiAP to accelerate the discovery and management process.

By default, the discovery type of all FortiAPs is set to automatic. This means that they will try to be managed following the order below, until they receive a response from a wireless controller:

 

1(static) → 2(dhcp) → 3(dns) → 7(fortiapcloud) → 5(multicast) → 6(broadcast).

 

The time a FortiAP needs to become managed again on FortiGate can be reduced by changing the discovery type to Static (1).

 

Following the example, configure the IP addresses as follows:

 

On the FortiAP CLI:

 

cfg -a AC_IPADDR_1=192.168.2.1
cfg -a AC_IPADDR_2=192.168.44.1
cfg -c

 

This process can be automated from FortiGate, so that a new FortiAP receives these configuration changes once it has come online on FortiGate at least once. See Technical Tip: Enhance recovery times for FortiAPs after disconnection from FortiGate.

 

Behaviors to keep in mind:

  • No additional license needed.
  • FortiAP will get the IP address from the first DHCP server that responds to the DHCP Discovery message.
  • FortiAP will not try to connect to the older management VLAN after a failover.
  • Failover to the secondary management VLAN cannot be triggered manually.
  • Once the current management VLAN fails, FortiAP will try to connect to it for about 90 seconds. After failing, it will try to connect to the second management VLAN.
  • FortiAP will not reboot after an uplink failure only if it is connected to PoE ports on both FortiSwitches.
  • On automatic AC discovery, once the management VLAN that failed becomes available again, the AP will not switch back to that older VLAN. That is, if the AP is being managed through VLAN 2 and that VLAN fails, it will switch to VLAN 4. But once VLAN 2 becomes available again, it will not switch from VLAN 4 to VLAN 2.
  • On static AC discovery (as suggested on Step 4 of this example), the AP will follow the order of AC_IPADDR_X, with 1 being the first option and 2 the second option. If the VLAN from AC_IPADDR_1 fails, FortiAP will try to connect to AC_IPADDR_2. Once AC_IPADDR_1 becomes available again, FortiAP will disconnect from AC_IPADDR_2 and connect to AC_IPADDR_1.

 

If the FortiAP has already joined a FortiGate, the FortiAP configuration can be applied with an AP configuration profile in the FortiGate Wireless Controller module.

 

First, a profile needs to be created (FortiGate commands):

 

config wireless-controller apcfg-profile
    edit "WLCassignation"
        config command-list
            edit 1
                set name "AC_IPADDR_1"
                set value "192.168.2.1"
            next
            edit 2
                set name "AC_IPADDR_2"
                set value "192.168.44.1"
            next

            edit 3
                set name "AC_DISCOVERY_TYPE"
                set value "1"
            next
        end
    next
end

 

Once the 'apcfg-profile' has been created, it can be assigned to an AP profile:

 

config wireless-controller wtp-profile
    edit "AP-Profile"
        config platform
            set type 231E
            set ddscan enable
        end
        set apcfg-profile "WLCassignation"
    next
end

 

The configuration can be validated with the 'cfg -s' command on the FortiAP:

 

FP231ETF19001958 # cfg -s
BAUD_RATE:=9600
WTP_VERSION:=FortiAP-231E v7.4.4,build0644,241030 (GA)
FACTORY_RESET:=0
LOGIN_PASSWD_ENC:=Pgk3GYm5h9TKXB2NOXbqSHg0NQ0lUwKHK5hYNun0MXUANUD4qZBY41pq8PeOZf2l/

2rguBHCVBxMOR84wdqEeWOS5suVO6LuTlc6zBbf4+4Zc4aZ/Ncw2wswlhjDqdV3mZQMLL0VnyWXwt6

rEvf2yEq1BzJ2be24Q9EiNXa1eBDkIsrz3jTDPF/LUPr3pKAbKUwhwg==
ADMIN_TIMEOUT:=5
WANLAN_MODE:=WAN-ONLY
AP_MODE:=0
STP_MODE:=0
AP_MGMT_VLAN_ID:=0
ADDR_MODE:=DHCP
AP_IPADDR:=192.168.1.2
AP_NETMASK:=255.255.255.0
IPGW:=192.168.1.1
DNS_SERVER:=208.91.112.53
ALLOW_HTTPS:=2
ALLOW_SSH:=2
AC_DISCOVERY_TYPE:=1
AC_IPADDR_1:=192.168.2.1
AC_IPADDR_2:=192.168.44.1
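
The validation step above can be repeated across many APs by auditing captured 'cfg -s' output. The following is an added example, not part of the original article or Fortinet code: the names parse_cfg, redact, audit, EXPECTED and SENSITIVE are illustrative, the sample output is constructed, and treating a line without ':=' as a continuation of the previous value is an assumption based on how the output wraps on this page.

```python
EXPECTED = {  # values from the article's example; adjust per site
    "AC_DISCOVERY_TYPE": "1",       # 1 = static discovery
    "AC_IPADDR_1": "192.168.2.1",   # preferred controller address
    "AC_IPADDR_2": "192.168.44.1",  # fallback controller address
}
SENSITIVE = {"LOGIN_PASSWD_ENC"}    # keep out of reports and tickets

# Constructed sample, not output from a real device.
SAMPLE = """\
FP000EXAMPLE00000 # cfg -s
LOGIN_PASSWD_ENC:=CONSTRUCTEDSAMPLEVALUE/

NOTAREALHASH==
ADDR_MODE:=DHCP
AC_DISCOVERY_TYPE:=2
AC_IPADDR_1:=192.168.2.1
"""

def parse_cfg(text):
    """Parse KEY:=VALUE lines; a line without ':=' continues the previous value."""
    cfg, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":=" in line:
            last, value = line.split(":=", 1)
            cfg[last] = value
        elif last is not None:  # wrapped value; the leading prompt line is skipped
            cfg[last] += line
    return cfg

def redact(cfg):
    """Copy of cfg that is safe to store: sensitive values are masked."""
    return {k: ("<redacted>" if k in SENSITIVE else v) for k, v in cfg.items()}

def audit(text, expected=EXPECTED):
    """Return findings; an empty list means the AP matches the expected values."""
    cfg = parse_cfg(text)
    findings = []
    for key, want in expected.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key} is not set (expected {want})")
        elif got != want:
            findings.append(f"{key} is {got} (expected {want})")
    return findings

if __name__ == "__main__":
    print(redact(parse_cfg(SAMPLE)))
    print(audit(SAMPLE))
```

Passing the parsed output through redact before it is stored keeps the LOGIN_PASSWD_ENC value out of audit reports.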