Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Wireless client not receiving an IP through Tu...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wireless client not receiving an IP through Tunneled SSID
Hello,
My wireless clients do not receive an IP Address when connecting to a SSID.
My Infrastructure is as follow;
FortiGate 120G <fortilink> FortiSwitch FS-108F-FPOE <port1> FAP231
On the FortiSwitch port1 the native vlan is 5 and the allowed vlan are 30 and 40
On the FortiGate in the fortilink interface the vlan5 is configured with a subnet 192.168.5.32/27 and a DHCP server to provide management subnet for the FAP231 (this is working).
On the fortilink I configured the vlan 30 without any IP or DHCP server
On the fortilink I configured the vlan 40 with a subnet 192.168.40.0/24 with a DHCP server (192.168.40.10-192.168.40.250).
In the SSID section I configured the SSID GUEST_30 in Tunnel mode, with a subnet 192.168.30.0/24 and a DHCP server (192.168.30.10-192.168.30.250) open authentication with a local captive portal, and the vlanid 30.
In the SSID section I configured the SSID OFFICE_40 in Tunnel mode, without a subnet or DHCP server, WPA2 Personnal (will go to Enterprise when radius server is up) and the vlanid 40.
DHCP Snooping is disabled everywhere and just in case I trusted the port1 of the Fortiswitch where the FAP231 is connected.
Both of my SSID are well broadcasted and when I connect to both SSID, my clients do not get an IP address.
I do not know what else to check, does anyone have an idea?
Let me know if more details are needed!
Thanks in advance, Sylvain C.
Solved! Go to Solution.
Labels:
- Labels:
-
FortiAP
-
FortiGate
-
FortiSwitch
-
SSID
-
VLAN
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Solution confirmed by Fortinet is to add another FortiSwitch where the FortiGate is located to have FortiAPs connecting to the FortiSwitch which then connect to the FortiGate.
Having FortiAPs connected to FortiSwitch and FortiGate is possible, but they cannot broadcast the same SSID and use the same subnet (possible to use the same vlan though).
Tests were made to confirm again, and deployment in production with Fortinet's solution has been made.
Hope this can help someone someday.
Sylvain C.
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Here are some configuration snippet that may help;
Spoiler
Interface configuration
FGT-120G (40_OFFICE) # show
config system interface
edit "40_OFFICE"
set vdom "root"
set type vap-switch
set device-identification enable
set role lan
set snmp-index 53
set ip-managed-by-fortiipam disable
next
end
FGT-120G (OFFICE_40) # show
config system interface
edit "OFFICE_40"
set vdom "root"
set ip 192.168.40.1 255.255.255.0
set allowaccess ping
set alias "WIFI_OFFICE"
set device-identification enable
set role lan
set snmp-index 58
set ip-managed-by-fortiipam disable
set interface "fortilink"
set vlanid 40
next
end
FGT-120G (30_GUEST) # show
config system interface
edit "30_GUEST"
set vdom "root"
set ip 192.168.30.1 255.255.255.0
set allowaccess ping
set type vap-switch
set alias "PORTAL_GUEST"
set device-identification enable
set role lan
set snmp-index 42
set ip-managed-by-fortiipam disable
next
end
FGT-120G (GUEST_30) # show
config system interface
edit "GUEST_30"
set vdom "root"
set device-identification enable
set role lan
set snmp-index 57
set ip-managed-by-fortiipam disable
set interface "fortilink"
set vlanid 30
next
end
FGT-120G (AP_5) # show
config system interface
edit "AP_5"
set vdom "root"
set ip 192.168.0.33 255.255.255.224
set allowaccess ping ssh fabric
set device-identification enable
set role lan
set snmp-index 52
set ip-managed-by-fortiipam disable
set interface "fortilink"
set vlanid 5
next
end
DHCP Server configuration
FGT-120G (13) # show
config system dhcp server
edit 13
set lease-time 28800
set dns-service default
set ntp-service default
set default-gateway 192.168.40.1
set netmask 255.255.255.0
set interface "OFFICE_40"
config ip-range
edit 1
set start-ip 192.168.40.10
set end-ip 192.168.40.250
next
end
next
end
FGT-120G (12) # show
config system dhcp server
edit 12
set lease-time 28800
set dns-service default
set default-gateway 192.168.30.1
set netmask 255.255.255.0
set interface "30_GUEST"
config ip-range
edit 1
set start-ip 192.168.30.10
set end-ip 192.168.30.250
next
end
next
end
FGT-120G (11) # show
config system dhcp server
edit 11
set lease-time 86400
set dns-service default
set default-gateway 192.168.0.33
set netmask 255.255.255.224
set interface "AP_5"
config ip-range
edit 1
set start-ip 192.168.0.34
set end-ip 192.168.0.62
next
end
next
end
Wireless-controller vap
FGT-120G (30_GUEST) # show
config wireless-controller vap
edit "30_GUEST"
set ssid "GUEST_PORTAL"
set security open
set captive-portal enable
set portal-type auth+disclaimer
set selected-usergroups "Guest-group"
set schedule "always"
set vlanid 30
next
end
FGT-120G (40_OFFICE) # show
config wireless-controller vap
edit "40_OFFICE"
set ssid "OFFICE"
set passphrase ENC ***
set schedule "always"
set vlanid 40
next
end
On the FortiSwitch
FGT-120G (ports) # show
config ports
edit "port1"
set poe-capable 1
set vlan "AP_5"
set allowed-vlans "GUEST_30" "OFFICE_40"
set untagged-vlans "quarantine"
set dhcp-snooping trusted
set export-to "root"
set mac-addr "AP MAC"
next
When connecting to the SSID GUEST_PORTAL the client is always trying to get an IP and never reach the captive portal.
When connecting to the SSID OFFICE the client is prompted for the passphrase, I put it in, the authentication works as the client then attempt to get an IP but never get one.
If you think there is another "better" way to configure what I'm attempting to achieve, do not hesitate!
Have a good day, Sylvain C.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Solution confirmed by Fortinet is to add another FortiSwitch where the FortiGate is located to have FortiAPs connecting to the FortiSwitch which then connect to the FortiGate.
Having FortiAPs connected to FortiSwitch and FortiGate is possible, but they cannot broadcast the same SSID and use the same subnet (possible to use the same vlan though).
Tests were made to confirm again, and deployment in production with Fortinet's solution has been made.
Hope this can help someone someday.
Sylvain C.
Labels
-
FortiGate
10,491 -
FortiClient
2,131 -
FortiManager
883 -
5.2
687 -
FortiAnalyzer
672 -
5.4
638 -
FortiSwitch
575 -
FortiAP
561 -
FortiClient EMS
551 -
6.0
416 -
IPsec
404 -
FortiMail
371 -
SSL-VPN
370 -
5.6
362 -
FortiNAC
277 -
6.2
251 -
FortiWeb
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
190 -
FortiAuthenticator
168 -
FortiGuard
159 -
5.0
152 -
Firewall policy
141 -
6.4
128 -
FortiGate-VM
125 -
FortiCloud Products
116 -
FortiGateCloud
112 -
FortiSIEM
111 -
FortiToken
110 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
83 -
FortiProxy
77 -
ZTNA
75 -
Routing
72 -
DNS
71 -
SAML
70 -
VLAN
70 -
Fortivoice
69 -
FortiEDR
68 -
FortiADC
67 -
BGP
66 -
Authentication
64 -
Certificate
61 -
RADIUS
58 -
LDAP
57 -
SSO
54 -
FortiSandbox
53 -
FortiLink
53 -
FortiExtender
51 -
NAT
51 -
4.0MR3
49 -
FortiDNS
44 -
VDOM
44 -
Application control
44 -
Interface
42 -
Logging
40 -
Virtual IP
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
32 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
SNMP
25 -
SSID
25 -
Static route
25 -
Traffic shaping
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
API
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSOAR
17 -
Web rating
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
NAC policy
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
FortiRecorder
11 -
Users
11 -
Port policy
11 -
FortiDeceptor
10 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
Authentication rule and scheme
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
FortiAI
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
lacework
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
FortiAIOps
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Virtual wire pair
1 -
FortiEdge
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2534 | |
| 1351 | |
| 795 | |
| 641 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.