FortiAP
laltuzar
Staff
Article Id 258589
Description

This article describes how to solve an issue where users can no longer authenticate to FortiAPs after migration or upgrade to FortiOS 7.0.11 from 6.4.12 or earlier versions.

Scope

FortiAP-XXXC.

FortiOS 7.0.X.

Solution

After the migration to newer FortiGates, it is necessary to check the FortiAP and FortiOS Compatibility Matrix as some old FortiAPs do not support strong ciphers. To allow connections, input the following commands in the FortiOS CLI.

 

For FortiOS 7.0.0:

config system global
    set ssl-static-key-ciphers enable
    set strong-crypto disable
end

For FortiOS 7.0.1+:

config wireless-controller global
    set tunnel-mode compatible
end

 

It is also necessary to disable CAPWAP offload and re-authorize the FortiAPs by running the following commands on the FortiGate.

Configure the NPU and disable capwap-offload:

config system npu
    set capwap-offload disable
end

 

Note:

In some cases, it is necessary to restart the whole device after disabling capwap-offload on the FortiGate.

Reset the WTP for the FortiAP with issues, or for all WTPs:


exec wireless-controller reset-wtp {all | FAP_SN}
This operation will reboot all specified WTP!
Do you want to continue? (y/n)y

 

Solution description

CAPWAP offloading does not work with legacy APs. FortiAP-XXXC models are considered legacy models. With these APs, newer FortiGates with NPU acceleration for CAPWAP (NPx-based platforms) cannot handle the 4-way handshake correctly: open networks work, but SSIDs that use any form of authentication do not.

 

Disabling capwap-offload on the FortiGate causes CAPWAP traffic to be handled by the CPU instead of the NPU. A slight increase in CPU usage may be observed after this change; this is normal.

 

Additionally, note that this configuration is not necessary for newer FortiAP models (E, F, G series). CAPWAP traffic for newer models can be accelerated through NPU with no issues. If problems are encountered, contact Fortinet Support.
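
To keep track of which FortiGates carry these compatibility settings, the following added example (not from the original article or from Fortinet) scans the text of a configuration backup for the four options set above. The audit function, the WATCHED table, and the sample configuration are assumptions constructed for illustration.

```python
import re

# Compatibility settings this article applies, keyed by (config block, option, value).
WATCHED = {
    ("system global", "strong-crypto", "disable"): "strong-crypto is off",
    ("system global", "ssl-static-key-ciphers", "enable"): "static-key ciphers are on",
    ("wireless-controller global", "tunnel-mode", "compatible"): "CAPWAP tunnel in compatible mode",
    ("system npu", "capwap-offload", "disable"): "CAPWAP offload is off (CPU path)",
}

def audit(config_text):
    """Return [(block, option, value, note)] for watched settings, in file order."""
    stack, findings = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line.startswith("edit "):
            stack.append(line)            # table entry, popped by its "next"
        elif line in ("end", "next"):
            if stack:
                stack.pop()
        else:
            m = re.match(r'set\s+(\S+)\s+"?([^"]*)"?$', line)
            if m and stack:
                # Match on the innermost block so a "config global" wrapper is tolerated.
                key = (stack[-1], m.group(1), m.group(2))
                if key in WATCHED:
                    findings.append(key + (WATCHED[key],))
    return findings

# Constructed sample: an excerpt shaped like a FortiOS configuration backup.
SAMPLE = """\
config system global
    set hostname "FGT-LAB"
    set strong-crypto disable
end
config system npu
    set capwap-offload disable
end
config wireless-controller vap
    edit "corp"
        set ssid "tunnel-mode compatible"
    next
end
config wireless-controller global
    set tunnel-mode compatible
end
"""

if __name__ == "__main__":
    for block, option, value, note in audit(SAMPLE):
        print(f"config {block}: set {option} {value}  -> {note}")
```

Because the match is tied to the enclosing config block, the SSID string in the sample that happens to contain "tunnel-mode compatible" is not reported, which a plain text search would get wrong.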

 

Documentation

Further details can be found in this documentation regarding NP7 CAPWAP offloading compatibility.

 

NP7 CAPWAP offloading is not compatible with FortiAP models that cannot be upgraded to the versions mentioned above, and is also not compatible with FortiAP B, C, CR, or D models.

Work around this issue by disabling CAPWAP offloading and then restarting the FortiGate.

Comments
Adolfo_Z_H
Staff

Great stuff! Thank you!