Yep, adding anything we don't already have is not an option. The FGTs are already acting as DHCP servers for the wireless networks.
We're going to test a workaround by setting the lease time to 5 mins. But the basics of what's happening is that each location has 1-4 managed switches (Aruba, same as the Wi-Fi). Most ports are configured as access ports on VLAN xxx, which has until now not had DHCP, static IPs only (long story, and it ended up that way over the years, nothing to do with us or FTNT). The Aruba APs are put into their correct VLANs and the ports reconfigured automatically as trunk ports, which worked fine without DHCP on that VLAN, but when we enabled DHCP to test, LLDP was beaten to it by DHCP, so the APs get an IP from the wrong VLAN, but are subsequently placed in their correct VLAN, but with no renewal.
We're going to test a workaround tomorrow by setting the lease time down to 5 mins (the scope is only 16 addresses and the number of DHCP devices per location shouldn't exceed 10, so it shouldn't be a performance hit, we hope). The idea being that when the AP goes to renew its lease it will get its new IP from the correct VLAN. Not ideal, but it may be good enough.
It just would be nice if I was able to block DHCP offers based on the vendor portion of the MAC only, the reverse of VCI option 60, I think.
Fortinet Expert partner - Norway