Fortinet Forum
bascheew
New Contributor III

VDOMs and Wireless - can someone point me to the documentation?

I can't find clear answers in the documentation regarding VDOMs and WiFi. When running VDOMs, do registered FortiAPs also have the same VDOMs? Is it possible to register FortiAPs to a VDOM, yet turn up SSIDs for different VDOMs on the same AP? Or do both the control and data plane of the AP stay only in the VDOM where it's registered?

 

Ideally we can install a single group of APs and use them for all VDOMs!

 

Thanks,

Brian

Toshi_Esumi
Esteemed Contributor II

Each vdom should have its own wireless-controller config because they're basically separate routers/FWs. So you need to control each FortiAP from one of the vdoms, and it can't belong to multiple vdoms at the same time. To realize your idea of keeping a cluster of FAPs at one vdom (like root) and sharing them with different vdoms, you just need to route those SSID networks (WLANs) through vdom-links to connect them to each vdom separately.

emnoc
Esteemed Contributor III

 

"and can't belong to multiple vdoms at the same time. To make your idea sharing a cluster of FAPs at one vdom (like root) and share them with different vdoms, you just need to route those SSID networks (WLANs) through vdom-links to connect them to each vdom separately."

 

Not sure about that. I'm sure you can set multiple WLANs for an array of APs and associate these in various vdoms.

Also take heed of:

 

"

Sharing Tunnel SSIDs within a single managed AP between VDOMs as a Virtual AP for multi-tenancy (439751)

Support has been added for the ability to move a tunnel mode VAP into a VDOM, similar to an interface/VLAN in VDOMs. FortiAP is registered into the root VDOM. Within a customer VDOM, customer VAPs can be created/added. In the root VDOM, the customer VAP can be added to the registered FortiAP. Any necessary firewall rules and interfaces can be configured between the two VDOMs.

Syntax

config wireless-controller global
   set wtp-share {enable | disable}
end

"

 

So for the OP, your answer is yes. A single array shared between 2 or more vdoms is good. Control/Management plane of the AP is still within management, but SSID and VAP can be delivered in a multi-tenant setup. I do that today in my home with a WLAN in 2x vdoms, and that's in a small SOHO FGT.

 

Ken Felix

 

 

PCNSE 

NSE 

StrongSwan  

Toshi_Esumi
Esteemed Contributor II

Thank you for the correction, Ken. I'll test it out myself.

 

Toshi

Toshi_Esumi
Esteemed Contributor II

This looks like a feature added in v5.6 (can't find "Virtual AP" in the 5.4 online help). You need to enable this "virtual AP" as below:

config wireless-controller global
   set wtp-share enable
end

 

What this does seems to be making tunnel SSIDs/VAPs floatable to a different vdom from the one a FortiAP is controlled at, like the root vdom. So technically the APs are still controlled by only one VDOM, root. But VAPs can be defined in each customer vdom. And again, each SSID/VAP belongs to one customer vdom and is not shared. APs are logically shared between them instead.
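
An added example, not from any post in this thread: a Python script that reads a FortiGate configuration backup and lists the tunnel-mode VAPs defined in customer VDOMs that a FortiAP registered in the root VDOM can carry once `wtp-share` is enabled, which is a quick way to review which tenant SSIDs ride on the shared APs. The sample backup, the function names and the placement of `config wireless-controller global` inside the root VDOM section are assumptions.

```python
import shlex

# Constructed sample (not from the thread); where the global block sits is an assumption.
SAMPLE = """\
config vdom
edit root
config wireless-controller global
    set wtp-share enable
end
end
config vdom
edit customerA
config wireless-controller vap
    edit "custA-wifi"
        set ssid "CustomerA"
    next
    edit "custA-lan"
        set local-bridging enable
    next
end
end
"""

def parse_wireless(text):
    """Map (vdom, config block, entry name) -> {setting: value} for per-VDOM blocks."""
    stack, out = [], {}
    for raw in text.splitlines():
        try:
            tok = shlex.split(raw)
        except ValueError:  # line is part of a multi-line quoted value; skip it
            continue
        cmd, args = (tok[0], tok[1:]) if tok else ("", [])
        if cmd in ("config", "edit"):
            stack.append((cmd, " ".join(args)))
        elif cmd in ("next", "end"):  # "next" closes an edit, "end" closes a config
            closes = "edit" if cmd == "next" else "config"
            while stack and stack.pop()[0] != closes:
                pass
        elif cmd == "set" and len(args) > 1 and len(stack) in (3, 4) and stack[0] == ("config", "vdom"):
            entry = stack[3][1] if len(stack) == 4 else ""  # "" = block without entries
            out.setdefault((stack[1][1], stack[2][1], entry), {})[args[0]] = " ".join(args[1:])
    return out

def shareable_vaps(text, ap_vdom="root"):
    """Tunnel-mode VAPs defined outside ap_vdom, if ap_vdom has wtp-share enabled."""
    cfg = parse_wireless(text)
    if cfg.get((ap_vdom, "wireless-controller global", ""), {}).get("wtp-share") != "enable":
        return []
    return sorted((v, n) for (v, table, n), s in cfg.items() if v != ap_vdom
                  and table == "wireless-controller vap" and s.get("local-bridging") != "enable")
```

Bridge-mode VAPs (`set local-bridging enable`) are left out because the release note quoted above covers tunnel mode VAPs only.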

 

kmcfadden

I'm running v6.4.1 and have added an AP. I'm trying to attach the new FAP221E to its own VDOM but the Fortigate will only acknowledge it in the root VDOM.  How do I force this AP to belong to its own VDOM?

Thanks,

Ken

kmcfadden

Got it seeing the FAP221E by adding a static route AND adding a Security Profile with a source of "any" and the destination of "port1". I would have figured Fortinet internal traffic would have flowed between the VDOM and port1 considering the VDOM owns port1 but I'm not going to argue with success.

WiFiGuY

When creating SSIDs via FortiManager, they are always placed into root vdom. Is it possible to define SSIDs via FM AP Manager that belong to a different vdom?
