anru
New Contributor

FortiAP and FG with Cisco controller

Hi,

I have to connect two FortiAP-221Bs to my wireless network, where there are several Cisco APs managed by a Cisco WLAN Controller in bridged configuration with 3 different SSIDs. Now, I'd like to configure my FortiAPs without changing the current network configuration: the FG is the def gw of the wireless networks, which use different subnets (and VLANs) corresponding to different wireless users. Users obtain IP addresses from an external DHCP server. My problems when I try to configure the FG-600C as WLAN controller are the following:

- In my case, do I have to configure the FG WLAN controller in tunnel mode or bridged?

- Can the IP address of the WiFi SSID (def gw of the FortiAP) not be the same as the Cisco wireless network? FG gives an error when I configure the same IP as another interface on the WiFi SSID.

- Can the FortiAP have IP addresses from other subnets than the wireless networks (for example an IP from the wired networks)?

 

thanks!! 

 

5 Solutions
Dave_Hall
Honored Contributor

From my understanding: the physical FortiAPs can use any "LAN" connection as long as they can reach/contact the wifi controller -- they will use this connection as a transport or management connection. The SSID interface is what defines the actual "network or subnet" -- this is what cannot overlap with other "interfaces". But keep in mind you can add the SSID interface(s) as a member of soft switches, thus putting them on the "same subnet".

 

config wireless-controller vap
    edit "wifi"
        set vdom "root"
        set ssid "work-wifi"
        set encrypt TKIP-AES
        set passphrase ENC GxNm
    next
end
config system switch-interface
    edit "internal_net"
        set vdom "root"
        set member "port1" "port2" "port3" "port4" "wifi"
    next
end
config system interface
    edit "port1"
        set vdom "root"
        set type physical
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set type physical
        set snmp-index 11
    next
    edit "port3"
        set vdom "root"
        set type physical
        set snmp-index 12
    next
    edit "port4"
        set vdom "root"
        set type physical
        set snmp-index 13
    next
    edit "wifi"
        set vdom "root"
        set type vap-switch
        set snmp-index 26
    next
    edit "internal_net"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh fgfm capwap
        set type switch
        set snmp-index 27
    next
end

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

Dave_Hall
Honored Contributor

Hi Anru.

 

The manual that comes with your FortiAP-221Bs should provide details on how to set up the wifi controller discovery method, or review the Deploying Wireless Networks Handbook (link for 5.0).

 

It would help us greatly if you provide us with the firmware version running on both the Fortigate and the FortiAPs.  If need be, review the firmware patch notes for both devices to confirm they are compatible with each other.

 

As for integrating the 221Bs, it would help a lot if you provided a network topology, including what's what.

 

Thanks.

 

Bromont_FTNT

I would create both SSIDs in bridge mode (Local bridge with FortiAP's Interface) and assign the same VLAN IDs for both as you have configured on the Cisco controller.


Dave_Hall
Honored Contributor

When you connect the FortiAP to the network, it will try to use one of the Controller discovery methods to locate the wifi controller -- in this case the FortiGate. Make sure you have CAPWAP enabled on the interface that the AP(s) are physically connected to. After a while, you should be able to see the AP show up under "WiFi & Switch Controller->Managed FortiAPs". Right-click on the AP and choose "Authorize".

 

If you do not see the AP in the Managed FortiAP list, make sure the APs are getting a valid IP address that you can ping from the Fortigate, then try connecting directly to the AP (it has its own GUI). You may need to configure an alternate discovery method.

 

Dave_Hall
Honored Contributor

Anru:

 

To get a better understanding on how to implement wifi access on the Fortigate, check out the WiFi section of the Cookbook site, linked here.

 

 

anru

Ok, but where can I define the IP address of the controller on the FG? When I configure the SSID as bridged I can only configure the SSID and VLAN, not the IP of the FG controller. Excuse me, but I don't understand it.
anru
New Contributor

Dave Hall wrote:

When you connect the FortiAP to the network, it will try to use one of the Controller discovery methods to locate the wifi controller -- in this case the FortiGate. Make sure you have CAPWAP enabled on the interface that the AP(s) are physically connected to. After a while, you should be able to see the AP show up under "WiFi & Switch Controller->Managed FortiAPs". Right-click on the AP and choose "Authorize".

 

If you do not see the AP in the Managed FortiAP list, make sure the APs are getting a valid IP address that you can ping from the Fortigate, then try connecting directly to the AP (it has its own GUI). You may need to configure an alternate discovery method.

 

[Attached diagram AP-discovery.jpg: https://forum.fortinet.com/download.axd?file=0;122066&where=message&f=AP-discovery.jpg]

 

I configured the FG as you did, but it doesn't discover the FortiAP.

I think the problem may be that the FortiAP is not physically connected to the FG, but via an aggregated link/VLAN?

 

Can you show me how you have configured your FortiAP to discover the controller?

Thanks

Bromont_FTNT

 

Your diagram states that the FortiAP addresses must be in subnet A, B or C.... Are the APs getting an address via a DHCP server? Do all these subnets have vlan tagging? If so and the access switch doesn't allow native vlan access to the Fortigate then you'll need to set the vlan ID on the FortiAP itself via either web gui or cli (AP_MGMT_VLAN_ID).

anru

Bromont wrote:

 

Your diagram states that the FortiAP addresses must be in subnet A, B or C.... Are the APs getting an address via a DHCP server? Do all these subnets have vlan tagging? If so and the access switch doesn't allow native vlan access to the Fortigate then you'll need to set the vlan ID on the FortiAP itself via either web gui or cli (AP_MGMT_VLAN_ID).

AP gets an IP address from DHCP server of subnet A.

All VLANs are tagged, so I set the VLAN ID of VLAN/subnet A as AP_MGMT_VLAN_ID, but the FG doesn't discover the AP!

VLAN ID A: 100

Subnet A: 10.10.10.0/22

FG IP on subnet A: 10.10.10.1 (def gw for subnet)

FortiAP IP: 10.10.10.20 and VLAN ID MGMT: 100 (the AP is linked to an untagged switch port; is it necessary to add the VLAN ID to the AP configuration?)

AC IP address on FortiAP: 10.10.10.1 (static and port 5246)

Wifi SSID configured on FG: Local Bridge with NO option VLAN ID (correct?).

 

Where's the mistake??

Bromont_FTNT

If the APs get an address in the right subnet via DHCP then no need to set vlan on the APs. Does the Fortigate interface with 10.10.10.1 have CAPWAP enabled?

anru

The AP correctly gets IP 10.10.10.20 from DHCP and the FG can ping it. Analyzing the FG traffic logs I see that packets from the AP 10.10.10.20 to the FG WLAN controller 10.10.10.1 (def GW) on UDP/5246 are discarded (action=deny) because the Dst interface is Unknown! Why?? CAPWAP is enabled both on the aggregated link and on the VLAN interface id=100.
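As an added example, not taken from this thread or from Fortinet's documentation, here are the FortiGate-side pieces of the bridge-mode setup discussed above in FortiOS 5.x CLI syntax: a tagged VLAN sub-interface on the aggregate carrying the controller address 10.10.10.1/22 with CAPWAP allowed, a local-bridge SSID that tags client traffic with the same VLAN ID the Cisco controller uses for that SSID, and two diagnose commands to check whether CAPWAP (UDP 5246 control, UDP 5247 data) actually arrives on that interface. VLAN 100, 10.10.10.0/22 and the AP address 10.10.10.20 come from the thread; the interface names "agg1" and "vlan100", the SSID "guest" on VLAN 200 and the passphrase are assumptions.

```fortios
# Added example (FortiOS 5.x syntax). "agg1", "vlan100", "guest", VLAN 200 and the
# passphrase are assumptions; VLAN 100 / 10.10.10.1/22 / 10.10.10.20 come from the thread.

# The controller address lives on the tagged VLAN sub-interface of the aggregate.
# "capwap" in allowaccess is what lets the AP's UDP/5246 join request be accepted here.
config system interface
    edit "vlan100"
        set vdom "root"
        set interface "agg1"
        set vlanid 100
        set ip 10.10.10.1 255.255.252.0
        set allowaccess ping https ssh capwap
    next
end

# Bridge-mode SSID: client frames leave the AP's Ethernet port tagged with the same
# VLAN ID the Cisco controller uses for that SSID. No IP is set on the VAP itself,
# so nothing overlaps with the existing Cisco subnet already configured on the FortiGate.
config wireless-controller vap
    edit "guest-bridge"
        set vdom "root"
        set ssid "guest"
        set local-bridging enable
        set vlanid 200
        set security wpa2-only-personal
        set passphrase "ASSUMED-PASSPHRASE-CHANGE-ME"
    next
end

# Checks: verbosity 4 prints the ingress/egress interface for each CAPWAP packet from
# the AP (control 5246, data 5247), which is what a "dst interface unknown" deny needs;
# the second command lists the WTPs the controller currently sees and their state.
diagnose sniffer packet vlan100 'host 10.10.10.20 and (udp port 5246 or udp port 5247)' 4
diagnose wireless-controller wlac -c wtp
```

Once the AP appears in the WTP list it still has to be authorized (under Managed FortiAPs, as described above) before it will join.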