Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Wireless client not receiving an IP through Tu...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wireless client not receiving an IP through Tunneled SSID
Hello,
My wireless clients do not receive an IP Address when connecting to a SSID.
My Infrastructure is as follow;
FortiGate 120G <fortilink> FortiSwitch FS-108F-FPOE <port1> FAP231
On the FortiSwitch port1 the native vlan is 5 and the allowed vlan are 30 and 40
On the FortiGate in the fortilink interface the vlan5 is configured with a subnet 192.168.5.32/27 and a DHCP server to provide management subnet for the FAP231 (this is working).
On the fortilink I configured the vlan 30 without any IP or DHCP server
On the fortilink I configured the vlan 40 with a subnet 192.168.40.0/24 with a DHCP server (192.168.40.10-192.168.40.250).
In the SSID section I configured the SSID GUEST_30 in Tunnel mode, with a subnet 192.168.30.0/24 and a DHCP server (192.168.30.10-192.168.30.250) open authentication with a local captive portal, and the vlanid 30.
In the SSID section I configured the SSID OFFICE_40 in Tunnel mode, without a subnet or DHCP server, WPA2 Personnal (will go to Enterprise when radius server is up) and the vlanid 40.
DHCP Snooping is disabled everywhere and just in case I trusted the port1 of the Fortiswitch where the FAP231 is connected.
Both of my SSID are well broadcasted and when I connect to both SSID, my clients do not get an IP address.
I do not know what else to check, does anyone have an idea?
Let me know if more details are needed!
Thanks in advance, Sylvain C.
Solved! Go to Solution.
Labels:
- Labels:
-
FortiAP
-
FortiGate
-
FortiSwitch
-
SSID
-
VLAN
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Solution confirmed by Fortinet is to add another FortiSwitch where the FortiGate is located to have FortiAPs connecting to the FortiSwitch which then connect to the FortiGate.
Having FortiAPs connected to FortiSwitch and FortiGate is possible, but they cannot broadcast the same SSID and use the same subnet (possible to use the same vlan though).
Tests were made to confirm again, and deployment in production with Fortinet's solution has been made.
Hope this can help someone someday.
Sylvain C.
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Here are some configuration snippet that may help;
Spoiler
Interface configuration
FGT-120G (40_OFFICE) # show
config system interface
edit "40_OFFICE"
set vdom "root"
set type vap-switch
set device-identification enable
set role lan
set snmp-index 53
set ip-managed-by-fortiipam disable
next
end
FGT-120G (OFFICE_40) # show
config system interface
edit "OFFICE_40"
set vdom "root"
set ip 192.168.40.1 255.255.255.0
set allowaccess ping
set alias "WIFI_OFFICE"
set device-identification enable
set role lan
set snmp-index 58
set ip-managed-by-fortiipam disable
set interface "fortilink"
set vlanid 40
next
end
FGT-120G (30_GUEST) # show
config system interface
edit "30_GUEST"
set vdom "root"
set ip 192.168.30.1 255.255.255.0
set allowaccess ping
set type vap-switch
set alias "PORTAL_GUEST"
set device-identification enable
set role lan
set snmp-index 42
set ip-managed-by-fortiipam disable
next
end
FGT-120G (GUEST_30) # show
config system interface
edit "GUEST_30"
set vdom "root"
set device-identification enable
set role lan
set snmp-index 57
set ip-managed-by-fortiipam disable
set interface "fortilink"
set vlanid 30
next
end
FGT-120G (AP_5) # show
config system interface
edit "AP_5"
set vdom "root"
set ip 192.168.0.33 255.255.255.224
set allowaccess ping ssh fabric
set device-identification enable
set role lan
set snmp-index 52
set ip-managed-by-fortiipam disable
set interface "fortilink"
set vlanid 5
next
end
DHCP Server configuration
FGT-120G (13) # show
config system dhcp server
edit 13
set lease-time 28800
set dns-service default
set ntp-service default
set default-gateway 192.168.40.1
set netmask 255.255.255.0
set interface "OFFICE_40"
config ip-range
edit 1
set start-ip 192.168.40.10
set end-ip 192.168.40.250
next
end
next
end
FGT-120G (12) # show
config system dhcp server
edit 12
set lease-time 28800
set dns-service default
set default-gateway 192.168.30.1
set netmask 255.255.255.0
set interface "30_GUEST"
config ip-range
edit 1
set start-ip 192.168.30.10
set end-ip 192.168.30.250
next
end
next
end
FGT-120G (11) # show
config system dhcp server
edit 11
set lease-time 86400
set dns-service default
set default-gateway 192.168.0.33
set netmask 255.255.255.224
set interface "AP_5"
config ip-range
edit 1
set start-ip 192.168.0.34
set end-ip 192.168.0.62
next
end
next
end
Wireless-controller vap
FGT-120G (30_GUEST) # show
config wireless-controller vap
edit "30_GUEST"
set ssid "GUEST_PORTAL"
set security open
set captive-portal enable
set portal-type auth+disclaimer
set selected-usergroups "Guest-group"
set schedule "always"
set vlanid 30
next
end
FGT-120G (40_OFFICE) # show
config wireless-controller vap
edit "40_OFFICE"
set ssid "OFFICE"
set passphrase ENC ***
set schedule "always"
set vlanid 40
next
end
On the FortiSwitch
FGT-120G (ports) # show
config ports
edit "port1"
set poe-capable 1
set vlan "AP_5"
set allowed-vlans "GUEST_30" "OFFICE_40"
set untagged-vlans "quarantine"
set dhcp-snooping trusted
set export-to "root"
set mac-addr "AP MAC"
next
When connecting to the SSID GUEST_PORTAL the client is always trying to get an IP and never reach the captive portal.
When connecting to the SSID OFFICE the client is prompted for the passphrase, I put it in, the authentication works as the client then attempt to get an IP but never get one.
If you think there is another "better" way to configure what I'm attempting to achieve, do not hesitate!
Have a good day, Sylvain C.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Solution confirmed by Fortinet is to add another FortiSwitch where the FortiGate is located to have FortiAPs connecting to the FortiSwitch which then connect to the FortiGate.
Having FortiAPs connected to FortiSwitch and FortiGate is possible, but they cannot broadcast the same SSID and use the same subnet (possible to use the same vlan though).
Tests were made to confirm again, and deployment in production with Fortinet's solution has been made.
Hope this can help someone someday.
Sylvain C.
Labels
-
FortiGate
10,613 -
FortiClient
2,163 -
FortiManager
891 -
5.2
687 -
FortiAnalyzer
681 -
5.4
638 -
FortiSwitch
585 -
FortiClient EMS
564 -
FortiAP
560 -
IPsec
420 -
6.0
416 -
SSL-VPN
379 -
FortiMail
372 -
5.6
362 -
FortiNAC
285 -
FortiWeb
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
195 -
FortiAuthenticator
174 -
FortiGuard
160 -
5.0
152 -
Firewall policy
145 -
FortiGate-VM
133 -
6.4
128 -
FortiCloud Products
116 -
FortiSIEM
113 -
FortiToken
113 -
FortiGateCloud
112 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
86 -
FortiProxy
77 -
ZTNA
76 -
Routing
75 -
Fortivoice
73 -
SAML
71 -
DNS
71 -
VLAN
71 -
BGP
70 -
FortiEDR
69 -
FortiADC
68 -
Authentication
67 -
Certificate
66 -
RADIUS
61 -
LDAP
60 -
fortilink
56 -
SSO
54 -
NAT
54 -
FortiSandbox
53 -
FortiExtender
52 -
4.0MR3
49 -
vdom
47 -
Interface
45 -
Application control
45 -
FortiDNS
43 -
Logging
41 -
Virtual IP
41 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
37 -
FortiConnect
35 -
SSL SSH inspection
35 -
Web profile
35 -
Automation
33 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
Traffic shaping
26 -
Static route
26 -
SNMP
25 -
API
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web rating
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSOAR
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
NAC policy
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
users
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2599 | |
| 1382 | |
| 803 | |
| 663 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.