FortiAP devices are thin wireless access points (AP) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4), as well as 802.11n, 802.11AX , and the demand for plug and play deployment.
Article Id 195200



This article describes how to manage FortiAP over L3 network with windows server.

If a DHCP is used to assign an IP address to the FortiAP, it is also possible to toprovide the WiFi controller IP address at the same time.

This is useful if the AP is located remotely from the WiFi controller and other discovery techniques will not work.
When the DHCP server is configured, it is possible to configure Option 138 to specify the WiFi controller IP address either on the Fortigate FortiWifi Controller or on an external DHCP server.


To use FortiGate or FortiWifi then use the config below:

  1. Step1: Enable DHCP server on the relevant interface.
  2.  Go to advanced à Wireless controllers à specify the IP address of the FortiGate managing the FortiAP.




If an external DHCP server is used, additional configuration might be required on the DHCP server.

This article explains how to configure the Windows DHCP server to serve the FortiAP with option 138.

On the Windows server, this configuration can be made either using the command line or GUI:


Command line:


netsh dhcp>server \\<server_machine_name>

netsh dhcp>add optiondef 138 Capwap IPADDRESS 1 comment=CAPWAP
netsh dhcp>set optionvalue 138 IPADDRESS <A.B.C.D> <E.F.G.H> 
netsh dhcp>show optiondef


To define a new option type for use on the DHCP server.


add optiondef <OptCode> <OptName> <DataType><IsArray[1|0]> [vendor=VendorClass][comment=OptComment] [DefValue]
OptCode: Unique option code that identifies the option you are defining. The value should be a number between 0 and 255.
OptName: Name of the newly created option type for use at this server.
DataType: Data type of the option. Should be of the following: BYTE | WORD | DWORD | STRING | IPADDRESS 
IsArray: 0=The data type is Unary or non-arrayed (Default) - 1=The data type is arrayed
VendorName: The name of the vendor class for which the option is to be added.  If unspecified, the default is to use the default vendor class, the DHCP Standard Options class.
OptComment: An optional comment. If used, the comment= field tag must be provided. The default value is NULL.
DefValue:  A default value to be used for this option type if one is not specified otherwise.

Notes: For parameters, <angle brackets> indicate a required parameter and [braces] an optional parameter. If parameters that require field tags are used, you must provide and use all parameters that precede them in the fully ordered command syntax.

To set a default value for a specified option type at the DHCP server.


set optionvalue <OptCode> <DataType> [user=UserName][vendor= VendorName] <OptValue>
OptCode: Unique code for the defined option type for which a value is to be set.
DataType:  The data type of the defined option type. Should be of the following:        BYTE | WORD | DWORD | STRING | IPADDRESS
UserName: Sets the applicable user class name that this command will apply towards. If not specified, the Default User Class is assumed.
VendorName: Sets the applicable vendor class name that this command will apply towards. If not specified, the DHCP Standard Options class is assumed. 
OptValue: The new server default value for the option type identified by OptCode. The value must be of the associated data type.



 GUI configuration:

Screenshots of step by step configuration are attached to this KB article 



FortiAP is configured to receive AC_IPADDR from option 138.
Windows server is used to send AC_IPADDR to FortiAP.

Expectations, Requirements:


A Windows DHCP Server must already be configured and running.



This will work: 
  • if the FortiAP is configured to auto mode or DHCP.
  • If the option code is matching on both the DHCP server and the FortiAP:
FAP# cfg -s
Discovery types:
        0(auto), 1(static), 2(dhcp), 3(dns), 5(broadcast), 6(multicast)

Now, FortiAP knows the IP address of the wireless controller. The CAPWAP control and data port at the FortiGate is the well-known UDP port 5246 and 5247.

If the L3 device is a firewall then make sure it allows the CAPWAP communication.

Also, the port of the FortiGate (Wireless controller) that is listening for CAPWAP traffic must have Security Fabric Connection enabled.



Now, the FortiAP is online.




If the network between the FortiAP and FortiGate (wireless controller) is not secure, it is possible to encrypt the data channel as per the commands below:


config wireless-controller wtp-profile
    edit "FortiAP-profile-name"
       set dtls-policy clear-text|dtls-enabled|ipsec-vpn



Of the three settings, clear-text has the highest possible data throughput. Furthermore, FortiGates with hardware acceleration chips can offload CAPWAP data traffic in clear-text and achieve much higher throughput performance.