Support Forum
simonorch
Contributor

Third party wifi APs?

In the Fortios-wireless documentation under ' third-party WAPs' it states that FortiOS implements the capwap standard. Has anyone any experience of using other wifi APs with a fortigate?

NSE8
Fortinet Expert partner - Norway

9 REPLIES
vanc
New Contributor II

No direct experience. But from this Wikipedia article, only Cisco's wireless products support CAPWAP. Maybe it was wrong.
vanc
New Contributor II

http://en.wikipedia.org/wiki/Lightweight_Access_Point_Protocol
emnoc
Esteemed Contributor III

Not 100% correct. Aruba has been back and forth on CAPWAP support in their controllers & the general answer is: yes we support it, but no we don't have full support yet in all of our hardware. The CAPWAP std is open (same as RIP, OSPF, BGP, etc....) and an RFC exists (can't remember the number). The problem is nobody has fully developed against it and they still have their private wireless extensions and development. I would like to see Fortinet's policy on CAPWAP support, but I guess they have it in the OSes, so they have to have some type of commitment to the published standard. Time will only tell if it's well supported in the future.

PCNSE
NSE
StrongSwan
Faulty_Male
New Contributor III

I would be interested in this too, ideally Cisco AP support would be great. I think it was our disti who said recently that this was on the cards. I can't seem to find anywhere to set it up as it only lists the FortiAPs.
Faulty_Male
New Contributor III

I spoke to our SE who advised this was not possible and not in v5 either - FortiGates can only act as an AP controller for FortiAPs.
VMat
New Contributor

Hi all,

I'm researching the same issue, but it seems the state of interoperability between vendors has not changed much in recent years. I'm trying to use a Cisco AP with a FortiGate (v5.2.2) without success. The Cisco APs and FortiAPs send CAPWAP discovery requests in a similar way, but the FortiGate only replies to the requests from FortiAPs and not to requests from Cisco APs.

Furthermore, Wireshark cannot decode the CAPWAP requests for Fortinet and Cisco with the same settings. I mean, there is a setting under Protocol > Preferences that enables it to decode CAPWAP for Cisco, but if I enable this option then it is not able to decode CAPWAP for Fortinet. It seems there is some type of issue with the WTP Descriptor, but I don't know exactly what the problem is, and the debug logs in the FortiGate do not shed light on this issue.

Does anybody know anything more about this?

VMat
New Contributor

Well, I was researching this and I finally verified that FortiGate does not accept third-party APs.

Although Fortinet talks CAPWAP as it's defined in RFC 5415, the FortiGate does not add any AP to its list of managed APs if it is not a known FortiAP model. In the same way as happens through the GUI, the FortiGate will not answer any CAPWAP discovery request from an AP which does not have a 'supported' serial number, etc.

Furthermore, I've seen that Cisco does not talk CAPWAP exactly as defined in RFC 5415. The Cisco AP should specify its encryption capabilities in a 3-byte sub-element under the WTP Descriptor message element, but it doesn't.

Jeroen
Contributor

The fact that you could not analyze the packet is due to DTLS encryption between the Fortigate unit and the FortiAP. You could try to set the encryption to "Clear Text" and then try it again.

VMat
New Contributor

mail@jeroenmelis.nl wrote:

The fact that you could not analyze the packet is due to DTLS encryption between the Fortigate unit and the FortiAP. You could try to set the encryption to "Clear Text" and then try it again.

Hello Jeroen,

Who said that I could not analyze the packet? :) The discovery requests and responses are in the clear. What I'm referring to with "encryption capabilities" is the message element in the CAPWAP packet. The AP from Cisco should follow the Num Encrypt field with a 3-byte sub-element, but it doesn't.
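To make the two observations in this thread concrete (an AC keying on the vendor and serial number carried in the Discovery Request, and a WTP Descriptor that sets Num Encrypt but omits the 3-byte Encryption Sub-Element), here is an added Python example that builds two CAPWAP Discovery Requests in memory and runs a strict RFC 5415 parser over them. It is not Fortinet, Cisco or any poster's code. The packet layouts follow RFC 5415 sections 4.3, 4.5.1 and 4.6; the vendor IDs are the IANA enterprise numbers (Cisco 9, Fortinet 12356); the serial numbers and hardware versions are made up, and the malformed descriptor is my reconstruction of what the thread describes, not a capture from a real AP.

```python
"""Build and strictly parse CAPWAP (RFC 5415) Discovery Requests.

Added example, not vendor code. Two constructed requests: one whose WTP
Descriptor carries the mandatory 3-byte Encryption Sub-Element and one that
sets Num Encrypt = 1 but jumps straight to the Descriptor Sub-Element.
"""
import struct

DISCOVERY_REQUEST = 1       # control message type (RFC 5415 4.5.1.1)
ELEM_DISCOVERY_TYPE = 20    # message element types (RFC 5415 4.6)
ELEM_WTP_BOARD_DATA = 38
ELEM_WTP_DESCRIPTOR = 39
BOARD_SERIAL_NUMBER = 1     # WTP Board Data sub-element: serial number
DESC_HARDWARE_VERSION = 0   # WTP Descriptor sub-element: hardware version
WBID_IEEE_80211 = 1         # wireless binding id for 802.11
VALID_WBIDS = {1, 3}        # 1 = IEEE 802.11, 3 = EPCGlobal; 0 and 2 are reserved


def element(etype, value):
    """Message element: Type (16) | Length (16) | Value."""
    return struct.pack("!HH", etype, len(value)) + value


def build_wtp_descriptor(vendor_id, hw_version, enc_caps=0x0001, with_encrypt_sub=True):
    """Max Radios | Radios in use | Num Encrypt | Encryption Sub-Elements | Descriptor Sub-Element."""
    body = bytes([2, 2, 1])  # two radios, both in use, Num Encrypt = 1 (enc_caps value is made up)
    if with_encrypt_sub:
        # WBID (5 bits) | Reserved (3 bits) | Encryption Capabilities (16 bits) = 3 bytes
        body += struct.pack("!BH", WBID_IEEE_80211 << 3, enc_caps)
    body += struct.pack("!IHH", vendor_id, DESC_HARDWARE_VERSION, len(hw_version)) + hw_version
    return body


def build_discovery_request(vendor_id, serial, hw_version, seq=0, with_encrypt_sub=True):
    """CAPWAP header (8 bytes, plaintext) + control header + message elements."""
    elems = element(ELEM_DISCOVERY_TYPE, b"\x02")  # Discovery Type 2 = DHCP
    board = struct.pack("!I", vendor_id) + struct.pack("!HH", BOARD_SERIAL_NUMBER, len(serial)) + serial
    elems += element(ELEM_WTP_BOARD_DATA, board)
    elems += element(ELEM_WTP_DESCRIPTOR,
                     build_wtp_descriptor(vendor_id, hw_version, with_encrypt_sub=with_encrypt_sub))
    # Preamble 0x00 (version 0, type 0 = no DTLS), then HLEN(5) RID(5) WBID(5) T F L W M K Flags(3),
    # then Fragment ID (16) | Frag Offset (13) | Reserved (3). HLEN is in 4-byte words.
    hlen, rid = 2, 0
    word = (hlen << 19) | (rid << 14) | (WBID_IEEE_80211 << 9)
    header = b"\x00" + word.to_bytes(3, "big") + struct.pack("!HH", 0, 0)
    control = struct.pack("!IBHB", DISCOVERY_REQUEST, seq, len(elems), 0)  # type, seq, elem len, flags
    return header + control + elems


def parse_board_data(value):
    """Vendor Identifier (32) followed by Type/Length/Value board sub-elements."""
    out, off = {"board_vendor": struct.unpack_from("!I", value)[0]}, 4
    while off + 4 <= len(value):
        stype, slen = struct.unpack_from("!HH", value, off)
        data = value[off + 4:off + 4 + slen]
        if len(data) != slen:
            raise ValueError("WTP Board Data sub-element truncated")
        if stype == BOARD_SERIAL_NUMBER:
            out["serial"] = data.decode("ascii", "replace")
        off += 4 + slen
    return out


def parse_wtp_descriptor(value):
    """Strict parse of RFC 5415 4.6.41; Num Encrypt 3-byte sub-elements must really be there."""
    if len(value) < 3:
        raise ValueError("WTP Descriptor shorter than its fixed header")
    max_radios, radios_in_use, num_encrypt = value[0], value[1], value[2]
    if num_encrypt < 1:
        raise ValueError("Num Encrypt MUST be at least 1")
    off, enc = 3, []
    for _ in range(num_encrypt):
        if off + 3 > len(value):
            raise ValueError("truncated inside Encryption Sub-Elements")
        first, caps = struct.unpack_from("!BH", value, off)
        wbid = first >> 3
        if wbid not in VALID_WBIDS or first & 0x07:
            # A descriptor that omits the sub-element puts the vendor ID here; its high
            # bytes read back as WBID 0, which is reserved, so the omission is caught.
            raise ValueError("Encryption Sub-Element missing or malformed (WBID %d)" % wbid)
        enc.append((wbid, caps))
        off += 3
    if off + 8 > len(value):
        raise ValueError("missing Descriptor Sub-Element")
    vendor, dtype, dlen = struct.unpack_from("!IHH", value, off)
    data = value[off + 8:off + 8 + dlen]
    if len(data) != dlen or dtype > 3:
        raise ValueError("bad Descriptor Sub-Element")
    return {"max_radios": max_radios, "radios_in_use": radios_in_use, "encryption": enc,
            "desc_vendor": vendor, "hw_version": data.decode("ascii", "replace")}


def parse_discovery_request(pkt):
    """Return the fields an AC can key its discovery policy on, or raise ValueError."""
    if pkt[0] != 0x00:
        raise ValueError("not a plaintext CAPWAP header (version 0, type 0)")
    word = int.from_bytes(pkt[1:4], "big")
    off = (word >> 19) * 4                          # HLEN in 4-byte words
    msg_type, seq, elem_len, _flags = struct.unpack_from("!IBHB", pkt, off)
    if msg_type != DISCOVERY_REQUEST:
        raise ValueError("message type %d is not Discovery Request" % msg_type)
    off, end = off + 8, off + 8 + elem_len
    info = {"wbid": (word >> 9) & 0x1F, "seq": seq}
    while off + 4 <= end:
        etype, length = struct.unpack_from("!HH", pkt, off)
        value = pkt[off + 4:off + 4 + length]
        if len(value) != length:
            raise ValueError("message element %d truncated" % etype)
        if etype == ELEM_DISCOVERY_TYPE:
            info["discovery_type"] = value[0]
        elif etype == ELEM_WTP_BOARD_DATA:
            info.update(parse_board_data(value))
        elif etype == ELEM_WTP_DESCRIPTOR:
            info.update(parse_wtp_descriptor(value))
        off += 4 + length
    return info


def check_request(pkt):
    """(accepted, parsed fields or reason) so both outcomes can be compared side by side."""
    try:
        return True, parse_discovery_request(pkt)
    except ValueError as err:
        return False, str(err)


if __name__ == "__main__":
    good = build_discovery_request(12356, b"SERIAL-A", b"1.0")                         # constructed
    bad = build_discovery_request(9, b"SERIAL-B", b"1.0", with_encrypt_sub=False)      # constructed
    print(check_request(good))
    print(check_request(bad))
```

The parser deliberately stops at the first violation rather than resynchronising, which is what a controller that only answers known APs effectively does; the `board_vendor` and `serial` fields it returns are exactly the values an AC can compare against its list of supported models before sending a Discovery Response. Feed it a real capture (UDP port 5246, with DTLS off so the header type is 0) by passing the payload bytes to `check_request`.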
