Hi,
I have to connect two FortiAP-221Bs to my wireless networks, where there are several Cisco APs managed by a Cisco WLAN Controller in bridged configuration with 3 different SSIDs. Now, I'd like to configure my FortiAPs without changing the current network configuration: currently the FG is the def gw of the wireless networks, which use different subnets (and VLANs) corresponding to different wireless users. Users obtain IP addresses from an external DHCP server. My problems when I try to configure the FG-600C as WLAN controller are the following:
- In my case, do I have to configure the FG WLAN controller in tunnel mode or bridged?
- Can the IP address of the WiFi SSID (def gw of FortiAP) not be the same as that of the Cisco wireless network? The FG gives an error when I configure the same IP as another interface for the WiFi SSID.
- Can FortiAPs have IP addresses in subnets other than the wireless networks (for example, an IP in the wired networks)?
Thanks!!
From my understanding: the physical FortiAPs can use any "LAN" connection as long as it can reach/contact the wifi controller -- it will use this connection as a transport or management connection. The SSID interface is what defines the actual "network or subnet" -- this is what can not overlap with other "interfaces". But keep in mind you can add the SSID interface(s) as a member of soft switches, thus putting them on the "same subnet".
```
config wireless-controller vap
    edit "wifi"
        set vdom "root"
        set ssid "work-wifi"
        set encrypt TKIP-AES
        set passphrase ENC GxNm
    next
end
config system switch-interface
    edit "internal_net"
        set vdom "root"
        set member "port1" "port2" "port3" "port4" "wifi"
    next
end
config system interface
    edit "port1"
        set vdom "root"
        set type physical
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set type physical
        set snmp-index 11
    next
    edit "port3"
        set vdom "root"
        set type physical
        set snmp-index 12
    next
    edit "port4"
        set vdom "root"
        set type physical
        set snmp-index 13
    next
    edit "wifi"
        set vdom "root"
        set type vap-switch
        set snmp-index 26
    next
    edit "internal_net"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh fgfm capwap
        set type switch
        set snmp-index 27
    next
end
```
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Hi Anru.
The manual that comes with your FortiAP-221Bs should provide details on how to set up the wifi controller discovery method, or review the Deploying Wireless Networks Handbook (link for 5.0).
It would help us greatly if you provide us with the firmware version running on both the Fortigate and the FortiAPs. If need be, review the firmware patch notes for both devices to confirm they are compatible with each other.
As for integrating the 221Bs, it would help a lot if you provided a network topology, including what's what.
Thanks.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
I would create both SSIDs in bridge mode ( Local bridge with FortiAP's Interface) and assign the same vlan IDs for both like you have configured on the Cisco controller.
When you connect the FortiAP to the network, it will try to use one of the Controller discovery methods to try to locate the wifi controller -- in this case the FortiGate. Make sure you have CAPWAP enabled on the interface that the AP(s) are physically connected to. After a while, you should be able to see the AP show up under "Wifi & Switch Controller->Managed FortiAPs". Right-click on the AP and choose "Authorize".
If you do not see the AP in the Managed FortiAP list, make sure the APs are getting a valid IP address that you can ping from the Fortigate, then try connecting directly to the AP (it has its own GUI). You may need to configure an alternate discovery method.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Anru:
To get a better understanding on how to implement wifi access on the Fortigate, check out the WiFi section of the Cookbook site, linked here.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Dave Hall wrote:
When you connect the FortiAP to the network, it will try to use one of the Controller discovery methods to try to locate the wifi controller -- in this case the FortiGate. Make sure you have CAPWAP enabled on the interface that the AP(s) are physically connected to. After a while, you should be able to see the AP show up under "Wifi & Switch Controller->Managed FortiAPs". Right-click on the AP and choose "Authorize".
If you do not see the AP in the Managed FortiAP list, make sure the APs are getting a valid IP address that you can ping from the Fortigate, then try connecting directly to the AP (it has its own GUI). You may need to configure an alternate discovery method.
[attachImg]https://forum.fortinet.com/download.axd?file=0;122066&where=message&f=AP-discovery.jpg[/attachImg]
I configured the FG as you did, but it doesn't discover the FortiAP.
I think the problem can be that the FortiAP is not physically connected to the FG, but by an aggregated link/VLAN?
Can you show me how you have configured your FortiAP to discover the controller?
Thanks
Your diagram states that the FortiAP addresses must be in subnet A, B or C.... Are the APs getting an address via a DHCP server? Do all these subnets have vlan tagging? If so and the access switch doesn't allow native vlan access to the Fortigate then you'll need to set the vlan ID on the FortiAP itself via either web gui or cli (AP_MGMT_VLAN_ID).
Bromont wrote:
Your diagram states that the FortiAP addresses must be in subnet A, B or C.... Are the APs getting an address via a DHCP server? Do all these subnets have vlan tagging? If so and the access switch doesn't allow native vlan access to the Fortigate then you'll need to set the vlan ID on the FortiAP itself via either web gui or cli (AP_MGMT_VLAN_ID).
AP gets an IP address from DHCP server of subnet A.
All VLANs are tagged and so I set the VLAN ID of VLAN/subnet A on AP_MGMT_VLAN_ID, but the FG doesn't discover the AP!
VLAN ID A: 100
Subnet A: 10.10.10.0/22
FG IP on subnet A: 10.10.10.1 (def gw for subnet)
FortiAP IP: 10.10.10.20 and VLAN ID MGMT: 100 (the AP is linked to an untagged switch port, is it necessary to add the VLAN ID on the AP configuration?)
AC IP address on FortiAP: 10.10.10.1 (static and port 5246)
Wifi SSID configured on FG: Local Bridge with NO option VLAN ID (correct?).
Where's the mistake??
If the APs get an address in the right subnet via DHCP then no need to set vlan on the APs. Does the Fortigate interface with 10.10.10.1 have CAPWAP enabled?
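The interface that the last reply asks about, written out as an added FortiOS configuration sketch (not posted by anyone in the thread). The interface name `vlan100` and parent `agg1` are hypothetical; the address and VLAN ID are the ones given in the question, with the /22 written as a netmask. The `#` lines are annotations only and the access list is deliberately narrower than the `ping https ssh fgfm capwap` used in the soft-switch example earlier in the thread.

```fortios
config system interface
    # Hypothetical VLAN sub-interface for subnet A on the aggregated link
    edit "vlan100"
        set vdom "root"
        # "agg1" is an assumed name for the aggregate carrying the tagged VLANs
        set interface "agg1"
        set vlanid 100
        # FG address on subnet A from the question (10.10.10.1, /22)
        set ip 10.10.10.1 255.255.252.0
        # capwap must be listed here or the AP's discovery requests to
        # 10.10.10.1 on port 5246 are not answered; management protocols
        # (https, ssh) are left off this user-facing wireless subnet
        set allowaccess ping capwap
    next
end
```

Running `show system interface` for the real interface holding 10.10.10.1 and checking that `capwap` appears in its `allowaccess` line answers the question in the reply above.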