Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
simonorch
Contributor

Third party wifi APs?

In the Fortios-wireless documentation under ' third-party WAPs' it states that FortiOS implements the capwap standard. Has anyone any experience of using other wifi APs with a fortigate?

NSE8
Fortinet Expert partner - Norway

NSE8Fortinet Expert partner - Norway
9 REPLIES 9
vanc
New Contributor II

No direct experience. But from this wikipedia article, only Cisco' s wireless products support CAPWAP. Maybe it was wrong.
vanc
New Contributor II

http://en.wikipedia.org/wiki/Lightweight_Access_Point_Protocol
emnoc
Esteemed Contributor III

Not 100& correct. Aruba has been back and forth on CAPWAP support in their controllers & the general answer is ; Yes we support it, but no we don' t have full support yet in all of our hrdware . The CAPWAP std is open ( same as Rip, OSPF,BGP,etc....) and a rfc exists ( can' t remember number ). The problem is nobody has fully developed against it and still have their private wireless extensions and development. I would like too see fortinet policy on CAPWAP support, but I guess they have it in the OSes,so they have to have some type of committment to the publish standard. Time will only tell if it' s well supported in the future.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Faulty_Male
New Contributor III

I would be interested in this too, ideally Cisco AP support would be great. I think it was our disti who said recently that this was on the cards. I can' t seem to find anywhere to set it up as it only lists the forti AP' s.
Faulty_Male
New Contributor III

I spoke to our SE who advised this was not possible and not in v5 either - Fortigates can only act as an AP controller for Forti AP' s
VMat
New Contributor

Hi all,

 

I'm researching the same issue, but it seems the state of interoperability between vendors has not changed too much in last years. I'm trying to use a Cisco AP with FortiGate (v5.2.2) without success. The Cisco APs and FortiAPs send CAPWAP discovery requests in similar way, but FortiGate only reply to the requests from FortiAPs and not to requests from Cisco APs.

 

Furthermore, Wireshark cannot decode the CAPWAP requests for Fortinet and Cisco with the same settings. I mean, there is a setting under protocol>properties that enables it to decode CAPWAP for Cisco, but if I enable this option then it is not able to decode CAPWAP for Fortinet. It seems there is some type of issue with the WTP descriptor, but I don't know what is exactly the problem and the debug logs in FortiGate do not shed light on this issue.

 

Does anybody know anything more about this?

VMat
New Contributor

Well, I've was researching about this and I finally verified that FortiGate does not accept third-party APs.

 

Although Fortinet talks CAPWAP, as it's defined in RFC 5415, FortiGate does not add any AP to their list of managed APs if it is not a known FortiAP model. In similar way that happens through the GUI, the FortiGate will not answer any CAPWAP discovery request from any AP which does not have a 'supported' serial number, etc.

 

Furthermore, I've seen Cisco does not talk CAPWAP exactly as defined in RFC 5415. The Cisco AP should specify its encryption capabilities in a 3-byte sub-element under the WTP descriptor message element but it doesn't.

Jeroen
Contributor

The fact that you could not analyze the packet is due to DTLS encryption between the Fortigate unit and the FortiAP. You could try to set the encryption to "Clear Text" and then try it again.

VMat
New Contributor

mail@jeroenmelis.nl wrote:

The fact that you could not analyze the packet is due to DTLS encryption between the Fortigate unit and the FortiAP. You could try to set the encryption to "Clear Text" and then try it again.

Hello Jeroen,

 

Who said that I could not analyze the packet? :) The discovery requests and responses are in clear. What I'm referring with "encryption capabilities" is the message element in the CAPWAP packet. The AP from Cisco should follow the encryption number with a 3-byte sub-element, but it doesn't.

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors