Hello,
My wireless clients do not receive an IP address when connecting to an SSID.
My infrastructure is as follows:
FortiGate 120G <fortilink> FortiSwitch FS-108F-FPOE <port1> FAP231
On the FortiSwitch port1, the native vlan is 5 and the allowed vlans are 30 and 40.
On the FortiGate in the fortilink interface the vlan5 is configured with a subnet 192.168.5.32/27 and a DHCP server to provide management subnet for the FAP231 (this is working).
On the fortilink I configured the vlan 30 without any IP or DHCP server.
On the fortilink I configured the vlan 40 with a subnet 192.168.40.0/24 with a DHCP server (192.168.40.10-192.168.40.250).
In the SSID section I configured the SSID GUEST_30 in Tunnel mode, with a subnet 192.168.30.0/24 and a DHCP server (192.168.30.10-192.168.30.250) open authentication with a local captive portal, and the vlanid 30.
In the SSID section I configured the SSID OFFICE_40 in Tunnel mode, without a subnet or DHCP server, WPA2 Personal (will go to Enterprise when the RADIUS server is up) and the vlanid 40.
DHCP Snooping is disabled everywhere and just in case I trusted the port1 of the FortiSwitch where the FAP231 is connected.
Both of my SSIDs are broadcast properly, and when I connect to either SSID, my clients do not get an IP address.
I do not know what else to check, does anyone have an idea?
Let me know if more details are needed!
Thanks in advance, Sylvain C.
Hello,
Here are some configuration snippets that may help:
Interface configuration
FGT-120G (40_OFFICE) # show
config system interface
    edit "40_OFFICE"
        set vdom "root"
        set type vap-switch
        set device-identification enable
        set role lan
        set snmp-index 53
        set ip-managed-by-fortiipam disable
    next
end

FGT-120G (OFFICE_40) # show
config system interface
    edit "OFFICE_40"
        set vdom "root"
        set ip 192.168.40.1 255.255.255.0
        set allowaccess ping
        set alias "WIFI_OFFICE"
        set device-identification enable
        set role lan
        set snmp-index 58
        set ip-managed-by-fortiipam disable
        set interface "fortilink"
        set vlanid 40
    next
end

FGT-120G (30_GUEST) # show
config system interface
    edit "30_GUEST"
        set vdom "root"
        set ip 192.168.30.1 255.255.255.0
        set allowaccess ping
        set type vap-switch
        set alias "PORTAL_GUEST"
        set device-identification enable
        set role lan
        set snmp-index 42
        set ip-managed-by-fortiipam disable
    next
end

FGT-120G (GUEST_30) # show
config system interface
    edit "GUEST_30"
        set vdom "root"
        set device-identification enable
        set role lan
        set snmp-index 57
        set ip-managed-by-fortiipam disable
        set interface "fortilink"
        set vlanid 30
    next
end

FGT-120G (AP_5) # show
config system interface
    edit "AP_5"
        set vdom "root"
        set ip 192.168.0.33 255.255.255.224
        set allowaccess ping ssh fabric
        set device-identification enable
        set role lan
        set snmp-index 52
        set ip-managed-by-fortiipam disable
        set interface "fortilink"
        set vlanid 5
    next
end

DHCP Server configuration
FGT-120G (13) # show
config system dhcp server
    edit 13
        set lease-time 28800
        set dns-service default
        set ntp-service default
        set default-gateway 192.168.40.1
        set netmask 255.255.255.0
        set interface "OFFICE_40"
        config ip-range
            edit 1
                set start-ip 192.168.40.10
                set end-ip 192.168.40.250
            next
        end
    next
end

FGT-120G (12) # show
config system dhcp server
    edit 12
        set lease-time 28800
        set dns-service default
        set default-gateway 192.168.30.1
        set netmask 255.255.255.0
        set interface "30_GUEST"
        config ip-range
            edit 1
                set start-ip 192.168.30.10
                set end-ip 192.168.30.250
            next
        end
    next
end

FGT-120G (11) # show
config system dhcp server
    edit 11
        set lease-time 86400
        set dns-service default
        set default-gateway 192.168.0.33
        set netmask 255.255.255.224
        set interface "AP_5"
        config ip-range
            edit 1
                set start-ip 192.168.0.34
                set end-ip 192.168.0.62
            next
        end
    next
end

Wireless-controller vap
FGT-120G (30_GUEST) # show
config wireless-controller vap
    edit "30_GUEST"
        set ssid "GUEST_PORTAL"
        set security open
        set captive-portal enable
        set portal-type auth+disclaimer
        set selected-usergroups "Guest-group"
        set schedule "always"
        set vlanid 30
    next
end

FGT-120G (40_OFFICE) # show
config wireless-controller vap
    edit "40_OFFICE"
        set ssid "OFFICE"
        set passphrase ENC ***
        set schedule "always"
        set vlanid 40
    next
end

On the FortiSwitch
FGT-120G (ports) # show
config ports
    edit "port1"
        set poe-capable 1
        set vlan "AP_5"
        set allowed-vlans "GUEST_30" "OFFICE_40"
        set untagged-vlans "quarantine"
        set dhcp-snooping trusted
        set export-to "root"
        set mac-addr "AP MAC"
    next

When connecting to the SSID GUEST_PORTAL, the client is always trying to get an IP and never reaches the captive portal.
When connecting to the SSID OFFICE, the client is prompted for the passphrase, I put it in, the authentication works as the client then attempts to get an IP but never gets one.
If you think there is another "better" way to configure what I'm attempting to achieve, do not hesitate!
Have a good day, Sylvain C.
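
As an added illustration (not part of the original post and not Fortinet tooling), this Python script parses a trimmed copy of the `show` output above and lists, for each SSID (`vap-switch`) interface, its IP and the DHCP server bound to it. The function names `parse` and `ssid_dhcp_report` are hypothetical.

```python
# Trimmed copy of the "show" output posted above; keys not needed here are omitted.
SAMPLE = """\
config system interface
    edit "40_OFFICE"
        set type vap-switch
    next
    edit "OFFICE_40"
        set ip 192.168.40.1 255.255.255.0
    next
    edit "30_GUEST"
        set ip 192.168.30.1 255.255.255.0
        set type vap-switch
    next
end
config system dhcp server
    edit 13
        set interface "OFFICE_40"
        config ip-range
            edit 1
                set start-ip 192.168.40.10
            next
        end
    next
    edit 12
        set interface "30_GUEST"
    next
end
"""

def parse(text):  # -> {section: {entry: {key: value}}}; nested config blocks are skipped
    tree, section, entry, depth = {}, None, None, 0
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                section, entry = tree.setdefault(line[7:], {}), None
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            entry = section.setdefault(line[5:].strip('"'), {})
        elif depth == 1 and entry is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip('"')
    return tree

def ssid_dhcp_report(tree):
    """Map each vap-switch (SSID) interface to (ip, id of DHCP server bound to it)."""
    scopes = {s.get("interface"): sid for sid, s in tree["system dhcp server"].items()}
    return {n: (c.get("ip"), scopes.get(n))
            for n, c in tree["system interface"].items() if c.get("type") == "vap-switch"}
```

On this input, `ssid_dhcp_report(parse(SAMPLE))` lists 30_GUEST with 192.168.30.1 and DHCP server 12, and 40_OFFICE with neither, because DHCP server 13 is bound to the fortilink VLAN interface OFFICE_40.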
Hello,
Solution confirmed by Fortinet is to add another FortiSwitch where the FortiGate is located to have FortiAPs connecting to the FortiSwitch which then connect to the FortiGate.
Having FortiAPs connected to FortiSwitch and FortiGate is possible, but they cannot broadcast the same SSID and use the same subnet (possible to use the same vlan though).
Tests were made to confirm again, and deployment in production with Fortinet's solution has been made.
Hope this can help someone someday.
Sylvain C.