Can a FortiAP WiFi client access SSL VPN when both are on same firewall
I have a Fortigate 60F configured with SSL-VPN on WAN1 and external remote users (authenticated with Forticlient, user/pw + Fortitoken 2FA) who are able to connect to internal resources without issues. I have recently added 2 FortiAPs managed by the same 60F and have set policies for WiFi users to access the internet - all works great.

I would like some WiFi users to access the VPN (via Forticlient) as if they were working remotely while in the office (I am trying for a consistent user experience when remote workers are in the office).

Initially, I tried WPA2 + captive portal with policies to internal resources, but this didn't work across all clients (Windows and Macs), and if it did, it took a long time (10s of minutes) for the portal to appear - not very usable. I then tried configuring all wireless clients to use WAN2 as the gateway to the internet with a separate static IP. They could access the internet, but their VPN client timed out accessing the VPN port on WAN1. Turning off their WiFi and using external WiFi or cell data connects with no problem.
Is it possible to have VPN clients on a FortiAP that is controlled by the same Fortigate that hosts the VPN server?
Can I add policies to route WiFi users to the ssl.root interface and make that work?
An internal client (wifi or wired, does not matter) should absolutely be able to connect to the SSL-VPN, at least on the superficial level.
Given that the listening interface for the VPN will be some WAN, you need to ensure that you have a firewall policy that allows this traffic: <wifi-intf> -> <WAN-intf>, allowing the SSL-VPN's IP (the WAN IP) and port, both TCP and UDP. I would strongly recommend not doing any UTM inspection of this (at least initially), so a specific policy just for this traffic may be desirable.
One possible road-bump, although not a default setting, is having source-restrictions.
Some customers restrict availability of the VPN to specific source-IPs (e.g. their country). If this is your case, you may need to adjust this list to include the local IPs from wifi.
Another possibility is source-interface (+IP) restrictions in the individual group->portal mappings. It is not set by default, but I've encountered customers who don't even remember that they configured it, so it won't hurt to check it as well.
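As an added worked example (not part of the answer above, and not a Fortinet-supplied configuration), here is what the pieces the answer lists look like in FortiOS CLI: the listener settings to check for source restrictions, an address object and a TCP+UDP service for the VPN port, and a dedicated no-UTM policy from the SSID interface to WAN1. The interface name "corp-ssid", the WAN1 address 203.0.113.10, the port 10443 and the group/portal names are assumptions; substitute your own. The `source-interface` check under `config vpn ssl settings` is the global counterpart of the per-rule restriction the answer mentions: if it is set and lists only wan1, a client whose connection ingresses on the SSID interface is never handed to the SSL VPN listener, even with a correct policy.

```fortios
# Added example, not from the original post. "corp-ssid", 203.0.113.10,
# port 10443, "vpn-users" and "full-access" are assumed names/values.

# 1. Listener settings. Confirm the port, and that the listener is not limited
#    to an ingress interface or source-address list that excludes WiFi clients.
config vpn ssl settings
    set port 10443
    # If source-interface is set, it must include the SSID interface, not just wan1.
    set source-interface "wan1" "corp-ssid"
    # Country/IP allow-lists live here; "all" removes that restriction.
    set source-address "all"
    # Per-group portal mappings (the second road-bump in the answer). Leave their
    # source-interface/source-address unset, or add the SSID interface there too.
    config authentication-rule
        edit 1
            set groups "vpn-users"
            set portal "full-access"
        next
    end
end

# 2. Address object for the WAN1 listener IP, and a custom service covering the
#    VPN port on both TCP and UDP (FortiClient uses UDP for DTLS when available).
config firewall address
    edit "wan1-sslvpn-ip"
        set subnet 203.0.113.10 255.255.255.255
    next
end
config firewall service custom
    edit "SSLVPN-10443"
        set tcp-portrange 10443
        set udp-portrange 10443
    next
end

# 3. Dedicated policy for only this traffic, with no UTM profiles attached.
#    Place it above the general WiFi -> internet policy so it matches first.
config firewall policy
    edit 0
        set name "wifi-to-sslvpn"
        set srcintf "corp-ssid"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "wan1-sslvpn-ip"
        set action accept
        set schedule "always"
        set service "SSLVPN-10443"
        set logtraffic all
    next
end
```

To see which side is dropping the connection, run `diagnose sniffer packet any "host 203.0.113.10 and port 10443" 4` on the 60F while a WiFi client attempts to connect: SYNs arriving on the SSID interface with no SYN-ACK back points at the listener or policy configuration above rather than at the wireless side.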