SylvainC
New Contributor II

Wireless client not receiving an IP through Tunneled SSID

Hello,

My wireless clients do not receive an IP address when connecting to an SSID.

My infrastructure is as follows:
FortiGate 120G <fortilink> FortiSwitch FS-108F-FPOE <port1> FAP231

On the FortiSwitch port1, the native VLAN is 5 and the allowed VLANs are 30 and 40.

On the FortiGate, in the fortilink interface, VLAN 5 is configured with a subnet 192.168.5.32/27 and a DHCP server to provide the management subnet for the FAP231 (this is working).
On the fortilink I configured VLAN 30 without any IP or DHCP server.

On the fortilink I configured VLAN 40 with a subnet 192.168.40.0/24 and a DHCP server (192.168.40.10-192.168.40.250).

In the SSID section I configured the SSID GUEST_30 in Tunnel mode, with a subnet 192.168.30.0/24 and a DHCP server (192.168.30.10-192.168.30.250), open authentication with a local captive portal, and the vlanid 30.

In the SSID section I configured the SSID OFFICE_40 in Tunnel mode, without a subnet or DHCP server, WPA2 Personal (will go to Enterprise when the RADIUS server is up) and the vlanid 40.
DHCP snooping is disabled everywhere and, just in case, I trusted port1 of the FortiSwitch where the FAP231 is connected.

Both of my SSIDs are broadcast correctly, and when I connect to either SSID, my clients do not get an IP address.

I do not know what else to check. Does anyone have an idea?
Let me know if more details are needed!

Thanks in advance, Sylvain C.

2 REPLIES
SylvainC
New Contributor II

Hello,

Here are some configuration snippets that may help:

Interface configuration

FGT-120G (40_OFFICE) # show
config system interface
    edit "40_OFFICE"
        set vdom "root"
        set type vap-switch
        set device-identification enable
        set role lan
        set snmp-index 53
        set ip-managed-by-fortiipam disable
    next
end

FGT-120G (OFFICE_40) # show
config system interface
    edit "OFFICE_40"
        set vdom "root"
        set ip 192.168.40.1 255.255.255.0
        set allowaccess ping
        set alias "WIFI_OFFICE"
        set device-identification enable
        set role lan
        set snmp-index 58
        set ip-managed-by-fortiipam disable
        set interface "fortilink"
        set vlanid 40
    next
end

FGT-120G (30_GUEST) # show
config system interface
    edit "30_GUEST"
        set vdom "root"
        set ip 192.168.30.1 255.255.255.0
        set allowaccess ping
        set type vap-switch
        set alias "PORTAL_GUEST"
        set device-identification enable
        set role lan
        set snmp-index 42
        set ip-managed-by-fortiipam disable
    next
end

FGT-120G (GUEST_30) # show
config system interface
    edit "GUEST_30"
        set vdom "root"
        set device-identification enable
        set role lan
        set snmp-index 57
        set ip-managed-by-fortiipam disable
        set interface "fortilink"
        set vlanid 30
    next
end

FGT-120G (AP_5) # show
config system interface
    edit "AP_5"
        set vdom "root"
        set ip 192.168.0.33 255.255.255.224
        set allowaccess ping ssh fabric
        set device-identification enable
        set role lan
        set snmp-index 52
        set ip-managed-by-fortiipam disable
        set interface "fortilink"
        set vlanid 5
    next
end

DHCP Server configuration

FGT-120G (13) # show
config system dhcp server
    edit 13
        set lease-time 28800
        set dns-service default
        set ntp-service default
        set default-gateway 192.168.40.1
        set netmask 255.255.255.0
        set interface "OFFICE_40"
        config ip-range
            edit 1
                set start-ip 192.168.40.10
                set end-ip 192.168.40.250
            next
        end
    next
end

FGT-120G (12) # show
config system dhcp server
    edit 12
        set lease-time 28800
        set dns-service default
        set default-gateway 192.168.30.1
        set netmask 255.255.255.0
        set interface "30_GUEST"
        config ip-range
            edit 1
                set start-ip 192.168.30.10
                set end-ip 192.168.30.250
            next
        end
    next
end

FGT-120G (11) # show
config system dhcp server
    edit 11
        set lease-time 86400
        set dns-service default
        set default-gateway 192.168.0.33
        set netmask 255.255.255.224
        set interface "AP_5"
        config ip-range
            edit 1
                set start-ip 192.168.0.34
                set end-ip 192.168.0.62
            next
        end
    next
end

Wireless-controller vap

FGT-120G (30_GUEST) # show
config wireless-controller vap
    edit "30_GUEST"
        set ssid "GUEST_PORTAL"
        set security open
        set captive-portal enable
        set portal-type auth+disclaimer
        set selected-usergroups "Guest-group"
        set schedule "always"
        set vlanid 30
    next
end

FGT-120G (40_OFFICE) # show
config wireless-controller vap
    edit "40_OFFICE"
        set ssid "OFFICE"
        set passphrase ENC ***
        set schedule "always"
        set vlanid 40
    next
end

On the FortiSwitch

FGT-120G  (ports) # show
config ports
    edit "port1"
        set poe-capable 1
        set vlan "AP_5"
        set allowed-vlans "GUEST_30" "OFFICE_40"
        set untagged-vlans "quarantine"
        set dhcp-snooping trusted
        set export-to "root"
        set mac-addr "AP MAC"
    next

When connecting to the SSID GUEST_PORTAL, the client is always trying to get an IP and never reaches the captive portal.
When connecting to the SSID OFFICE, the client is prompted for the passphrase; I put it in and the authentication works, as the client then attempts to get an IP but never gets one.

If you think there is another "better" way to configure what I'm attempting to achieve, do not hesitate!

Have a good day, Sylvain C.
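
A cross-check for pasted `show` output like the snippets above, as an added example (not part of the original posts and not a Fortinet tool): it parses the nested `config`/`edit` blocks, verifies that each DHCP scope's gateway and range fall inside the subnet of the interface the scope is bound to, and lists interfaces that have no scope. The names `parse` and `audit` are hypothetical, and `SAMPLE` is a constructed, trimmed copy of the posted blocks.

```python
import ipaddress
SAMPLE = """
config system interface
    edit "40_OFFICE"
        set type vap-switch
    next
    edit "OFFICE_40"
        set ip 192.168.40.1 255.255.255.0
    next
end
config system dhcp server
    edit 13
        set default-gateway 192.168.40.1
        set interface "OFFICE_40"
        config ip-range
            edit 1
                set start-ip 192.168.40.10
                set end-ip 192.168.40.250
            next
        end
    next
end
"""  # constructed sample: trimmed copy of the interface and DHCP blocks posted above

def parse(text):  # nested dict from 'show' output; CLI prompts and blank lines are ignored
    stack = [{}]
    for raw in text.splitlines():
        word, _, rest = raw.strip().partition(" ")
        if word in ("config", "edit"):
            stack.append(stack[-1].setdefault(rest.strip('"'), {}))
        elif word in ("next", "end") and len(stack) > 1:
            stack.pop()
        elif word == "set":
            key, _, val = rest.partition(" ")
            stack[-1][key] = val.strip('"')
    return stack[0]

def audit(text):
    """Findings: scope addresses outside the bound interface's subnet, unserved interfaces."""
    cfg = parse(text)
    ifaces, scopes, out = cfg.get("system interface", {}), cfg.get("system dhcp server", {}), []
    for sid, srv in scopes.items():
        ip = ifaces.get(srv.get("interface"), {}).get("ip")
        net = ipaddress.ip_network(ip.replace(" ", "/"), strict=False) if ip else None
        addrs = [srv.get("default-gateway")] + [v for r in srv.get("ip-range", {}).values() for v in r.values()]
        out += [f"dhcp {sid}: {a} outside {'interface without IP' if net is None else net}"
                for a in addrs if a and (net is None or ipaddress.ip_address(a) not in net)]
    served = {s.get("interface") for s in scopes.values()}
    return out + [f"interface {n}: no DHCP scope bound" for n in ifaces if n not in served]
```

Calling `audit()` on the full pasted output works as well, since lines such as `FGT-120G (13) # show` are skipped by the parser.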

SylvainC
New Contributor II

Hello,

The solution confirmed by Fortinet is to add another FortiSwitch where the FortiGate is located, so that the FortiAPs connect to the FortiSwitch, which then connects to the FortiGate.
Having FortiAPs connected to FortiSwitch and FortiGate is possible, but they cannot broadcast the same SSID and use the same subnet (it is possible to use the same VLAN, though).

Tests were made to confirm this again, and the deployment in production with Fortinet's solution has been made.


Hope this can help someone someday.
Sylvain C.
