anru
New Contributor

FortiAP and FG with Cisco controller

Hi,

I have to connect two FortiAP-221Bs to my wireless network, where there are several Cisco APs managed by a Cisco WLAN Controller in bridged configuration with 3 different SSIDs. Now, I'd like to configure my FortiAPs without changing the actual network configuration: now the FG is the def gw of the wireless networks, which use different subnets (and VLANs) corresponding to different wireless users. Users obtain IP addresses from an external DHCP server. My problems when I try to configure the FG-600C as WLAN controller are the following:

- In my case, do I have to configure the FG WLAN controller in tunnel mode or bridged?

- The IP address of the Wifi SSID (def gw of FortiAP) cannot be the same as that of the Cisco wireless network? The FG gives an error when I configure the same IP as another interface for the Wifi SSID

- Can FortiAP have IP addresses of other subnets than wireless networks (for example IP of wired networks?)

 

thanks!! 

 

5 Solutions
Dave_Hall
Honored Contributor

From my understanding: the physical FortiAPs can use any "LAN" connection as long as it can reach/contact the wifi controller -- it will use this connection as a transport or management connection. The SSID interface is what defines the actual "network or subnet" -- this is what can not overlap with other "interfaces".  But keep in mind you can add the SSID interface(s) as a member of soft switches, thus putting them on the "same subnet".

 

config wireless-controller vap
    edit "wifi"
        set vdom "root"
        set ssid "work-wifi"
        set encrypt TKIP-AES
        set passphrase ENC GxNm
    next
end
config system switch-interface
    edit "internal_net"
        set vdom "root"
        set member "port1" "port2" "port3" "port4" "wifi"
    next
end
config system interface
    edit "port1"
        set vdom "root"
        set type physical
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set type physical
        set snmp-index 11
    next
    edit "port3"
        set vdom "root"
        set type physical
        set snmp-index 12
    next
    edit "port4"
        set vdom "root"
        set type physical
        set snmp-index 13
    next
    edit "wifi"
        set vdom "root"
        set type vap-switch
        set snmp-index 26
    next
    edit "internal_net"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh fgfm capwap
        set type switch
        set snmp-index 27
    next
end

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

Dave_Hall
Honored Contributor

Hi Anru.

 

The manual that comes with your FortiAP-221Bs should provide details on how to set up the wifi controller discovery method, or review the Deploying Wireless Networks Handbook (link for 5.0).

 

It would help us greatly if you provide us with the firmware version running on both the Fortigate and the FortiAPs.  If need be, review the firmware patch notes for both devices to confirm they are compatible with each other.

 

As for integrating the 221Bs, it would help a lot if you provided a network topology, including what's what.

 

Thanks.

 

Bromont_FTNT

I would create both SSIDs in bridge mode (Local bridge with FortiAP's Interface) and assign the same VLAN IDs for both like you have configured on the Cisco controller.


Dave_Hall
Honored Contributor

When you connect the FortiAP to the network, it will try to use one of the controller discovery methods to try to locate the wifi controller -- in this case the FortiGate. Make sure you have CAPWAP enabled on the interface that the AP(s) are physically connected to. After a while, you should be able to see the AP show up under "Wifi & Switch Controller->Managed FortiAPs". Right-click on the AP and choose "Authorize".

If you do not see the AP in the Managed FortiAP list, make sure the APs are getting a valid IP address that you can ping from the Fortigate, then try connecting directly to the AP (it has its own GUI). You may need to configure an alternate discovery method.

 

Dave_Hall
Honored Contributor

Anru:

 

To get a better understanding on how to implement wifi access on the Fortigate, check out the WiFi section of the Cookbook site, linked here.

 

 

18 REPLIES
anru
New Contributor

I don't know where my problem is, but the FortiAP on LANx doesn't contact the controller on LANy (SSID tunnel mode), even if I define policies on the FG for LANx->LANy and LANy->LANx.

Defining a "software switch" means deleting all the actual configuration, because the physical interfaces are grouped in an 802.3ad trunk with different VLANs. Now I cannot delete all.

I didn't think that configuration of FortiAP and controller on FG was so difficult!

Is integration with other systems and vendors so impossible???

 

anru
New Contributor

Hi,

Thanks all for the replies. Details of the firmware of my FortiAP and FG are the following:

- FortiAP-221B v5.2,build216,140916
- FG-600C v5.2.2,build642 (GA)

 

I attached an image with my network architecture, so the question is: how do I have to configure the FortiAP and FG as WLAN controller to integrate FortiAP in the actual Cisco AP scenario?

 

Thanks for your help!

 


anru
New Contributor

Ok, and how can I assign a VLAN ID to a bridge SSID?

Bromont_FTNT

It's under "Optional VLAN ID" when you create the SSID.

 

anru
New Contributor

Ok, perfect!

I defined two different bridged SSIDs with two different VLANs. And now, on the FortiAP, which WLAN Controller IP address do I have to specify?

 

Bromont_FTNT

The FortiAPs should be able to discover the Fortigate controller without specifying the AC IP although you may need to configure vlan ID on the APs if tagging is required for access through the switch.
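
Added example, not part of the original thread or any Fortinet tooling: a small Python check over a `config system interface` export for the two points raised above, namely that an SSID interface's subnet cannot overlap another interface, and that CAPWAP has to be allowed on the interface the APs connect through. The sample config is constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in FortiOS "config system interface" syntax (not from a real device).
SAMPLE = """
config system interface
    edit "port1"
        set ip 10.10.1.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "vlan20"
        set ip 10.20.0.1 255.255.0.0
    next
    edit "guest-ssid"
        set ip 10.20.5.1 255.255.255.0
        set type vap-switch
    next
    edit "internal_net"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh fgfm capwap
    next
end
"""

def parse_interfaces(text):
    """Return {name: {"net": IPv4Network or None, "access": set of services}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["edit"] and len(tok) > 1:
            cur = ifaces.setdefault(tok[1].strip('"'), {"net": None, "access": set()})
        elif tok[:1] == ["next"]:
            cur = None
        elif cur is not None and tok[:2] == ["set", "ip"] and len(tok) == 4:
            # "set ip <address> <netmask>" -> the subnet the interface sits in
            cur["net"] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}").network
        elif cur is not None and tok[:2] == ["set", "allowaccess"]:
            cur["access"] = set(tok[2:])
    return ifaces

def overlapping(ifaces):
    """Pairs of interfaces whose subnets overlap (the conflict described in the thread)."""
    named = sorted((n, i["net"]) for n, i in ifaces.items() if i["net"])
    return [(a, b) for k, (a, na) in enumerate(named)
            for b, nb in named[k + 1:] if na.overlaps(nb)]

def capwap_enabled(ifaces):
    """Interfaces that accept CAPWAP; review that only AP-facing ones are listed."""
    return sorted(n for n, i in ifaces.items() if "capwap" in i["access"])
```

On the constructed sample, `overlapping(parse_interfaces(SAMPLE))` flags `guest-ssid` against `vlan20`, and `capwap_enabled` lists only `internal_net`.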
