Hi all,
I'm researching the same issue, but it seems the state of interoperability between vendors has not changed too much in the last years. I'm trying to use a Cisco AP with FortiGate (v5.2.2) without success. The Cisco APs and FortiAPs send CAPWAP discovery requests in a similar way, but FortiGate only replies to the requests from FortiAPs and not to requests from Cisco APs.
Furthermore, Wireshark cannot decode the CAPWAP requests for Fortinet and Cisco with the same settings. I mean, there is a setting under protocol>properties that enables it to decode CAPWAP for Cisco, but if I enable this option then it is not able to decode CAPWAP for Fortinet. It seems there is some type of issue with the WTP descriptor, but I don't know what is exactly the problem and the debug logs in FortiGate do not shed light on this issue.
Does anybody know anything more about this?
Well, I was researching this and I finally verified that FortiGate does not accept third-party APs.
Although Fortinet talks CAPWAP, as it's defined in RFC 5415, FortiGate does not add any AP to its list of managed APs if it is not a known FortiAP model. In a similar way to what happens through the GUI, the FortiGate will not answer any CAPWAP discovery request from any AP which does not have a 'supported' serial number, etc.
Furthermore, I've seen that Cisco does not talk CAPWAP exactly as defined in RFC 5415. The Cisco AP should specify its encryption capabilities in a 3-byte sub-element under the WTP descriptor message element, but it doesn't.
The fact that you could not analyze the packet is due to DTLS encryption between the Fortigate unit and the FortiAP. You could try to set the encryption to "Clear Text" and then try it again.
mail@jeroenmelis.nl wrote: The fact that you could not analyze the packet is due to DTLS encryption between the Fortigate unit and the FortiAP. You could try to set the encryption to "Clear Text" and then try it again.
Hello Jeroen,
Who said that I could not analyze the packet? :) The discovery requests and responses are in clear. What I'm referring to with "encryption capabilities" is the message element in the CAPWAP packet. The AP from Cisco should follow the encryption number with a 3-byte sub-element, but it doesn't.
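The disagreement discussed in the two posts above (the WTP Descriptor message element and the 3-byte Encryption Sub-Element that is expected after the "Num Encrypt" byte) is easiest to see by parsing the element both ways. The following is an added example, not code from any poster, Fortinet or Cisco. The RFC 5415 layout (Max Radios, Radios in use, Num Encrypt, then Num Encrypt 3-byte Encryption Sub-Elements, then vendor Descriptor Sub-Elements) is taken from section 4.6.41 of the RFC. The second layout, with a bare 2-byte Encryption Capabilities field in place of the Num Encrypt byte and its sub-elements, is an assumption about the pre-standard format that the Wireshark setting mentioned earlier switches to; the sample byte strings and the vendor ID 0x1234 are constructed for the example.

```python
import struct

# Descriptor Sub-Element types from RFC 5415 section 4.6.41
DESCRIPTOR_TYPES = {
    0: "Hardware Version",
    1: "Active Software Version",
    2: "Boot Version",
    3: "Other Software Version",
}


class CapwapFormatError(ValueError):
    """The descriptor bytes do not fit the requested layout."""


def _parse_descriptor_subelements(buf, offset):
    """Parse the vendor Descriptor Sub-Elements that follow the encryption
    information: Vendor ID (4) | Type (2) | Length (2) | Data (Length)."""
    subs = []
    while offset < len(buf):
        if len(buf) - offset < 8:
            raise CapwapFormatError("truncated descriptor sub-element header")
        vendor, dtype, dlen = struct.unpack_from("!IHH", buf, offset)
        offset += 8
        if len(buf) - offset < dlen:
            raise CapwapFormatError("descriptor sub-element data runs past the value")
        subs.append({
            "vendor_id": vendor,
            "type": DESCRIPTOR_TYPES.get(dtype, "Unknown(%d)" % dtype),
            "data": buf[offset:offset + dlen],
        })
        offset += dlen
    return subs


def parse_wtp_descriptor(value, layout="rfc5415"):
    """Parse the value of a WTP Descriptor message element (type 39).

    layout="rfc5415": Max Radios(1) | Radios in use(1) | Num Encrypt(1) |
                      Num Encrypt x [Resvd/WBID(1) | Encryption Capabilities(2)] |
                      Descriptor Sub-Elements
    layout="draft8":  Max Radios(1) | Radios in use(1) | Encryption Capabilities(2) |
                      Descriptor Sub-Elements   (assumed pre-standard layout)
    """
    if len(value) < 4:
        raise CapwapFormatError("value too short for any WTP Descriptor layout")
    result = {"layout": layout, "max_radios": value[0], "radios_in_use": value[1]}
    if layout == "rfc5415":
        num_encrypt = value[2]
        if num_encrypt < 1:
            raise CapwapFormatError("Num Encrypt MUST be at least 1 (RFC 5415)")
        offset = 3
        if len(value) - offset < 3 * num_encrypt:
            raise CapwapFormatError("fewer Encryption Sub-Elements than Num Encrypt announces")
        encs = []
        for _ in range(num_encrypt):
            first, caps = struct.unpack_from("!BH", value, offset)
            # low 5 bits of the first byte carry the Wireless Binding ID
            encs.append({"wbid": first & 0x1F, "encryption_capabilities": caps})
            offset += 3
        result["encryption"] = encs
    elif layout == "draft8":
        (caps,) = struct.unpack_from("!H", value, 2)
        offset = 4
        result["encryption"] = [{"wbid": None, "encryption_capabilities": caps}]
    else:
        raise ValueError("unknown layout %r" % layout)
    result["descriptors"] = _parse_descriptor_subelements(value, offset)
    return result


def classify_wtp_descriptor(value):
    """Try the standard layout first, then the draft layout, and return the
    first parse the bytes are consistent with (None if neither fits)."""
    for layout in ("rfc5415", "draft8"):
        try:
            return parse_wtp_descriptor(value, layout)
        except CapwapFormatError:
            continue
    return None


# Constructed samples: 2 radios, both in use, one 802.11 (WBID 1) encryption
# sub-element with capabilities 0x0001, then a Hardware Version "1.0" from
# the made-up vendor ID 0x1234.
RFC_SAMPLE = bytes.fromhex("020201010001") + bytes.fromhex("0000123400000003") + b"1.0"
# Same information in the assumed draft layout: no Num Encrypt byte, a bare
# 2-byte capabilities field instead of a 3-byte sub-element.
DRAFT_SAMPLE = bytes.fromhex("02020001") + bytes.fromhex("0000123400000003") + b"1.0"

if __name__ == "__main__":
    for name, sample in (("RFC_SAMPLE", RFC_SAMPLE), ("DRAFT_SAMPLE", DRAFT_SAMPLE)):
        print(name, "->", classify_wtp_descriptor(sample))
```

Because the first byte after "Radios in use" is Num Encrypt in one layout and the high byte of Encryption Capabilities in the other, a single dissector cannot decode both unambiguously: the draft sample is rejected by the RFC 5415 branch only because its Num Encrypt reads as zero, and other byte values would produce a plausible but wrong parse. That ambiguity is why a dissector has to expose the choice as a setting rather than auto-detect it, which matches the Wireshark behaviour described in the first post.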