I can't find clear answers in the documentation regarding VDOMs and Wifi. When running VDOMs, do registered FortiAPs also have the same VDOMs? Is it possible to register FortiAPs to a VDOM, yet turn up SSIDs for different VDOMs on the same AP? Or do both the control and data planes of the AP stay only in the VDOM where it's registered?
Ideally we can install a single group of APs and use them for all VDOMs!
Thanks,
Brian
Each vdom should have its own wireless-controller config because they're basically separate routers/FWs. So you need to control each FortiAP from one of the vdoms, and it can't belong to multiple vdoms at the same time. To make your idea work, sharing a cluster of FAPs at one vdom (like root) and sharing them with different vdoms, you just need to route those SSID networks (WLANs) through vdom-links to connect them to each vdom separately.
Not sure about that. I'm sure you can set multiple WLANs for an array of APs and associate these in various vdoms.
also take heed of:
"Sharing Tunnel SSIDs within a single managed AP between VDOMs as a Virtual AP for multi-tenancy (439751)
Support has been added for the ability to move a tunnel mode VAP into a VDOM, similar to an interface/VLAN in VDOMs. FortiAP is registered into the root VDOM. Within a customer VDOM, customer VAPs can be created/added. In the root VDOM, the customer VAP can be added to the registered FortiAP. Any necessary firewall rules and interfaces can be configured between the two VDOMs.
Syntax
config wireless-controller global
    set wtp-share {enable | disable}
end
"
So for the OP, your answer is yes. A single array shared between 2 or more vdoms is good. The control/management plane of the AP is still within management, but SSIDs and VAPs can be delivered in a multi-tenant fashion. I do that today in my home with a WLAN in 2x vdoms, and that's on a small SOHO FGT.
Ken Felix
PCNSE
NSE
StrongSwan
Thank you for the correction, Ken. I'll test it out myself.
Toshi
This looks like a v5.6 added feature (can't find "Virtual AP" in the 5.4 online help). You need to enable this "virtual AP" as below:
config wireless-controller global
    set wtp-share enable
end
What this does seems to be making tunnel SSIDs/VAPs floatable to a different vdom from the one the FortiAP is controlled at, like the root vdom. So technically the APs are still controlled by only one VDOM, root. But VAPs can be defined in each customer vdom. And again, each SSID/VAP belongs to one customer vdom and is not shared. APs are logically shared between them instead.

I'm running v6.4.1 and have added an AP. I'm trying to attach the new FAP221E to its own VDOM but the FortiGate will only acknowledge it in the root VDOM. How do I force this AP to belong to its own VDOM?
Thanks,
Ken
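To make the procedure from the quoted release note and Toshi's wtp-share explanation concrete, here is an added CLI walk-through (example config, not posted by anyone in this thread): the AP stays managed in root, the SSID is owned by a tenant VDOM. The VDOM name tenantA, VAP name tenantA-wifi, uplink port2, the AP serial and the PSK are assumptions or placeholders, and the radio-level override-vaps/vaps keywords are assumed from 5.6/6.x syntax, which varies by release.

```fortios
# Added example (not from any poster). Assumed: VDOM tenantA, VAP tenantA-wifi, uplink port2; serial and PSK are placeholders.
# Step 1 (global scope): let root push VAPs defined in other VDOMs to the APs it manages.
config global
    config wireless-controller global
        set wtp-share enable
    end
end
# Step 2 (tenant VDOM): the tenant defines the SSID; the tunnel interface and egress policy live here.
config vdom
    edit tenantA
        config wireless-controller vap
            edit "tenantA-wifi"
                set ssid "TenantA-WiFi"
                set security wpa2-only-personal
                set passphrase "REPLACE-WITH-TENANT-PSK"
            next
        end
        config system interface
            edit "tenantA-wifi"
                set ip 10.10.1.1 255.255.255.0
            next
        end
        config firewall policy
            edit 0
                set name "tenantA-wifi-out"
                set srcintf "tenantA-wifi"
                set dstintf "port2"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
            next
        end
    next
end
# Step 3 (root VDOM): attach the tenant's VAP to the AP that root controls.
config vdom
    edit root
        config wireless-controller wtp
            edit "FP221E-SERIAL-PLACEHOLDER"
                config radio-1
                    set override-vaps enable
                    set vaps "tenantA-wifi"
                end
            next
        end
    next
end
```

A DHCP server for the tenantA-wifi interface (config system dhcp server) is left out for brevity; without it, clients that associate will not receive addresses in the tenant VDOM.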
Got it seeing the FAP221E by adding a static route AND adding a Security Profile with a source of "any" and the destination of "port1". I would have figured Fortinet internal traffic would have flowed between the VDOM and port1 considering the VDOM owns port1 but I'm not going to argue with success.
When creating SSIDs via FortiManager, they are always placed into root vdom. Is it possible to define SSIDs via FM AP Manager that belong to a different vdom?
Copyright 2024 Fortinet, Inc. All Rights Reserved.