Hi,
I've to connect two FortiAP-221B in my wireless networks where there are several Cisco AP managed by Cisco WLAN Controller in bridged configuration with 3 different SSIDs. Now, I'd like configure my FortiAP without change the actual network configuration: now FG is def gw of wireless networks that use different subnets (and VLANs) corresponding to different wireless users. Users obtain IP address from external DHCP server. My problems when I try to configure FG-600C as wlan controller are following:
- In my case, I have to configure FG wlan controller in tunnel mode or bridged?
- IP address of Wifi SSID (def gw of FortiAP) cannot be the same of Cisco wireless network? FG gives error when I configure the same IP of other intrface as Wifi SSID
- Can FortiAP have IP addresses of other subnets than wireless networks (for example IP of wired networks?)
thanks!!
Solved! Go to Solution.
From my understanding: the physical FortiAPs can use any "LAN" connection as long as it can reach/contact the wifi controller -- it will use this connection as a transport or management connection. The SSID interface is what defines the actual "network or subnet" -- this is what can not overlap with other "interfaces". But keep in mind you can add the SSID interface(s) as a member of soft switches, thus putting them on the "same subnet".
config wireless-controller vap
edit "wifi"
set vdom "root"
set ssid "work-wifi"
set encrypt TKIP-AES
set passphrase ENC GxNm
next
end
config system switch-interface
edit "internal_net"
set vdom "root"
set member "port1" "port2" "port3" "port4" "wifi"
next
end
config system interface
edit "port1"
set vdom "root"
set type physical
set snmp-index 1
next
edit "port2"
set vdom "root"
set type physical
set snmp-index 11
next
edit "port3"
set vdom "root"
set type physical
set snmp-index 12
next
edit "port4"
set vdom "root"
set type physical
set snmp-index 13
next
edit "wifi"
set vdom "root"
set type vap-switch
set snmp-index 26
next
edit "internal_net"
set vdom "root"
set ip 192.168.1.99 255.255.255.0
set allowaccess ping https ssh fgfm capwap
set type switch
set snmp-index 27
next
end
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Hi Anru.
The manual that comes with your FortiAP-221Bs should provide details on how to setup the wifi controller discovery method or review the Deploying Wireless Networks Handbook (link for 5.0).
It would help us greatly if you provide us with the firmware version running on both the Fortigate and the FortiAPs. If need be, review the firmware patch notes for both devices to confirm they are compatible with each other.
As for integrating the 221Bs, it would help a lot if you provided a network topology, including what's what.
Thanks.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
I would create both SSIDs in bridge mode ( Local bridge with FortiAP's Interface) and assign the same vlan IDs for both like you have configured on the Cisco controller.
When you connect the FortiAP to the network, it will try to use one of the Controller discovery methods to try to locate the wifi controller -- in this case the FortiGate. Make sure you have CAPWAP enable on the interface that the AP(s) are physically connected to. After a while, you should be able to see the AP show up under "Wifi & Swith Controller->Managed FortiAPs". Right-click on the AP and choose "Authorize".
If you do not see the AP in the Managed FortiAP list, make sure the APs are getting a valid IP address that you can ping from the Fortigate then try connecting directly to the AP (it has it's own GUI). You may need to configure an alternate discovery method.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Anru:
To get a better understanding on how to implement wifi access on the Fortigate, check out the WiFi section of the Cookbook site, linked here.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
From my understanding: the physical FortiAPs can use any "LAN" connection as long as it can reach/contact the wifi controller -- it will use this connection as a transport or management connection. The SSID interface is what defines the actual "network or subnet" -- this is what can not overlap with other "interfaces". But keep in mind you can add the SSID interface(s) as a member of soft switches, thus putting them on the "same subnet".
config wireless-controller vap
edit "wifi"
set vdom "root"
set ssid "work-wifi"
set encrypt TKIP-AES
set passphrase ENC GxNm
next
end
config system switch-interface
edit "internal_net"
set vdom "root"
set member "port1" "port2" "port3" "port4" "wifi"
next
end
config system interface
edit "port1"
set vdom "root"
set type physical
set snmp-index 1
next
edit "port2"
set vdom "root"
set type physical
set snmp-index 11
next
edit "port3"
set vdom "root"
set type physical
set snmp-index 12
next
edit "port4"
set vdom "root"
set type physical
set snmp-index 13
next
edit "wifi"
set vdom "root"
set type vap-switch
set snmp-index 26
next
edit "internal_net"
set vdom "root"
set ip 192.168.1.99 255.255.255.0
set allowaccess ping https ssh fgfm capwap
set type switch
set snmp-index 27
next
end
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
I don't know where is my problem, but FortiAP on LANx doesn't contact controller on LANy (SSID tunnel mode), also if I define a policy on FG that LAN x->LANy and LANy->LANx.
Defining "software switch" it mean delete all actual configuration, because physical interfaces are grouped in a trunk 802.3ad with different VLAN. Now I cannot delete all.
I didn't think that configuration of FortiAP and controller on FG was so difficult!
Integration with other system and vendor is so impossibile???
Hi Anru.
The manual that comes with your FortiAP-221Bs should provide details on how to setup the wifi controller discovery method or review the Deploying Wireless Networks Handbook (link for 5.0).
It would help us greatly if you provide us with the firmware version running on both the Fortigate and the FortiAPs. If need be, review the firmware patch notes for both devices to confirm they are compatible with each other.
As for integrating the 221Bs, it would help a lot if you provided a network topology, including what's what.
Thanks.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Hi,
thanks all for replies. Details of firmware of my FortiAP and FG are the following:
- FortiAP-221B v5.2,build216,140916 - FG-600C v5.2.2,build642 (GA).
I attached an image with my network architecture, so the question is: how do I have to configure the FortiAP and FG as WLAN controller to integrate FortiAP in the actual Cisco AP scenario?
Thank for your help!
I would create both SSIDs in bridge mode ( Local bridge with FortiAP's Interface) and assign the same vlan IDs for both like you have configured on the Cisco controller.
Ok, and how I can assign VLAN ID to bridge SSID?
It's under "Optional VLAN ID" when you create the SSID.
Ok, perfect!
I define two different SSID bridged with two different VLAN. And now, on the fortiAP which WLAN Controller IP address I have specify?
The FortiAPs should be able to discover the Fortigate controller without specifying the AC IP although you may need to configure vlan ID on the APs if tagging is required for access through the switch.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.