Handbook

Complex wireless network example

6.0.0

This example creates multiple networks and uses custom AP profiles.

Scenario

In this example, Example Co. provides two wireless networks, one for its employees and the other for customers or other guests of its business. Guest users have access only to the Internet, not to the company’s private network. The equipment for these WiFi networks consists of FortiAP-220B units controlled by a FortiGate unit.

The employee network operates in 802.11n mode on both the 2.4GHz and 5GHz bands. Client IP addresses are in the 10.10.120.0/24 subnet, with 10.10.120.1 the IP address of the WAP. The guest network also operates in 802.11n mode, but only on the 2.4GHz band. Client IP addresses are on the 10.10.115.0/24 subnet, with 10.10.115.1 the IP address of the WAP.

On FortiAP-220B units, the 802.11n mode also supports 802.11g and 802.11b clients on the 2.4GHz band and 802.11a clients on the 5GHz band.

The guest network WAP broadcasts its SSID; the employee network WAP does not.

The employee network uses WPA-Enterprise authentication through a FortiGate user group. The guest network features a captive portal. When a guest first tries to connect to the Internet, a login page requests logon credentials. Guests use numbered guest accounts authenticated by RADIUS. The captive portal for the guests includes a disclaimer page.

In this example, the FortiAP units connect to port 3 and are assigned addresses on the 192.168.8.0/24 subnet.

Configuration

To configure these wireless networks, you must:

  • Configure authentication for wireless users
  • Configure the SSIDs (network interfaces)
  • Configure the AP profile
  • Configure the WiFi LAN interface and a DHCP server
  • Configure firewall policies

Configuring authentication for employee wireless users

Employees have user accounts on the FortiGate unit. This example shows creation of one user account, but you can create multiple accounts and add them as members to the user group.

To configure a WiFi user - GUI
  1. Go to User & Device > User Definition and select Create New.
  2. Select Local User and then click Next.
  3. Enter a User Name and Password and then click Next.
  4. Click Next.
  5. Make sure that Enable is selected and then click Create.

To configure the user group for employee access - GUI
  1. Go to User & Device > User Groups and select Create New.
  2. Enter the following information and then select OK:

    Name: employee-group
    Type: Firewall
    Members: Add users.

To configure a WiFi user and the user group for employee access - CLI

    config user local
        edit "user01"
            set type password
            set passwd "asdf12ghjk"
        next
    end
    config user group
        edit "employee-group"
            set member "user01"
        next
    end

The user authentication setup will be complete when you select the employee-group in the SSID configuration.

Configuring authentication for guest wireless users

Guests are assigned temporary user accounts created on a RADIUS server. The RADIUS server stores each user’s group name in the Fortinet-Group-Name attribute. Wireless users are in the group named “wireless”.

The FortiGate unit must be configured to access the RADIUS server.

To configure the FortiGate unit to access the guest RADIUS server - GUI
  1. Go to User & Device > RADIUS Servers and select Create New.
  2. Enter the following information and select OK:

    Name: guestRADIUS
    Primary Server IP/Name: 10.11.102.100
    Primary Server Secret: grikfwpfdfg
    Secondary Server IP/Name: Optional
    Secondary Server Secret: Optional
    Authentication Scheme: Use default, unless server requires otherwise.

    Leave other settings at their default values.

To configure the FortiGate unit to access the guest RADIUS server - CLI

    config user radius
        edit guestRADIUS
            set auth-type auto
            set server 10.11.102.100
            set secret grikfwpfdfg
        next
    end

To configure the user group for guest access - GUI
  1. Go to User & Device > User Groups and select Create New.
  2. Enter the following information and then select OK:

    Name: guest-group
    Type: Firewall
    Members: Leave empty.

  3. Select Create new.
  4. Enter:

    Remote Server: Select guestRADIUS.
    Groups: Select wireless

  5. Select OK.

To configure the user group for guest access - CLI

    config user group
        edit "guest-group"
            set member "guestRADIUS"
            config match
                edit 0
                    set server-name "guestRADIUS"
                    set group-name "wireless"
                next
            end
        next
    end

The user authentication setup will be complete when you select the guest-group user group in the SSID configuration.

Configuring the SSIDs

First, establish the SSIDs (network interfaces) for the employee and guest networks. This is independent of the number of physical access points that will be deployed. Both networks assign IP addresses using DHCP.

To configure the employee SSID - GUI
  1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.
  2. Enter the following information and select OK:

    Interface Name: example_inc
    Traffic Mode: Tunnel to Wireless Controller
    IP/Netmask: 10.10.120.1/24
    Administrative Access: Ping (to assist with testing)
    Enable DHCP: Enable
    Address Range: 10.10.120.2 - 10.10.120.199
    Netmask: 255.255.255.0
    Default Gateway: Same As Interface IP
    DNS Server: Same as System DNS
    SSID: example_inc
    Security Mode: WPA/WPA2-Enterprise
    Authentication: Select Local, then select employee-group.

    Leave other settings at their default values.

To configure the employee SSID - CLI

    config wireless-controller vap
        edit example_inc
            set ssid "example_inc"
            set security wpa-enterprise
            set auth usergroup
            set usergroup employee-group
            set schedule always
        next
    end
    config system interface
        edit example_inc
            set ip 10.10.120.1 255.255.255.0
        next
    end
    config system dhcp server
        edit 0
            set default-gateway 10.10.120.1
            set dns-service default
            set interface example_inc
            config ip-range
                edit 1
                    set end-ip 10.10.120.199
                    set start-ip 10.10.120.2
                next
            end
            set lease-time 7200
            set netmask 255.255.255.0
        next
    end

To configure the example_guest SSID - GUI
  1. Go to WiFi & Switch Controller > SSID and select Create New.
  2. Enter the following information and select OK:

    Name: example_guest
    IP/Netmask: 10.10.115.1/24
    Administrative Access: Ping (to assist with testing)
    Enable DHCP: Enable
    Address Range: 10.10.115.2 - 10.10.115.50
    Netmask: 255.255.255.0
    Default Gateway: Same as Interface IP
    DNS Server: Same as System DNS
    SSID: example_guest
    Security Mode: Captive Portal
    Portal Type: Authentication
    Authentication Portal: Local
    User Groups: Select guest-group

    Leave other settings at their default values.

To configure the example_guest SSID - CLI

    config wireless-controller vap
        edit example_guest
            set ssid "example_guest"
            set security captive-portal
            set selected-usergroups guest-group
            set schedule always
        next
    end
    config system interface
        edit example_guest
            set ip 10.10.115.1 255.255.255.0
        next
    end
    config system dhcp server
        edit 0
            set default-gateway 10.10.115.1
            set dns-service default
            set interface "example_guest"
            config ip-range
                edit 1
                    set end-ip 10.10.115.50
                    set start-ip 10.10.115.2
                next
            end
            set lease-time 7200
            set netmask 255.255.255.0
        next
    end

Configuring the FortiAP profile

The FortiAP Profile defines the radio settings for the networks. The profile provides access to both Radio 1 (2.4GHz) and Radio 2 (5GHz) for the employee virtual AP, but provides access only to Radio 1 for the guest virtual AP.

To configure the FortiAP Profile - GUI
  1. Go to WiFi & Switch Controller > FortiAP Profiles and select Create New.
  2. Enter the following information and select OK:

    Name: example_AP
    Platform: FAP220B

    Radio 1
      Mode: Access Point
      Band: 802.11n
      Channel: Select 1, 6, and 11.
      Tx Power: 100%
      SSID: Select SSIDs and select example_inc and example_guest.

    Radio 2
      Mode: Access Point
      Band: 802.11n_5G
      Channel: Select all.
      Tx Power: 100%
      SSID: Select SSIDs and select example_inc.

To configure the AP Profile - CLI

    config wireless-controller wtp-profile
        edit "example_AP"
            config platform
                set type 220B
            end
            config radio-1
                set ap-bgscan enable
                set band 802.11n
                set channel "1" "6" "11"
                set vaps "example_inc" "example_guest"
            end
            config radio-2
                set ap-bgscan enable
                set band 802.11n-5G
                set channel "36" "40" "44" "48" "149" "153" "157" "161" "165"
                set vaps "example_inc"
            end
        next
    end

Configuring firewall policies

Identity-based firewall policies are needed to enable the WLAN users to access the Internet on Port1. First you create firewall addresses for employee and guest users, then you create the firewall policies.

To create firewall addresses for employee and guest WiFi users
  1. Go to Policy & Objects > Addresses.
  2. Select Create New, enter the following information and select OK.

    Address Name: employee-wifi-net
    Type: Subnet / IP Range
    Subnet / IP Range: 10.10.120.0/24
    Interface: example_inc

  3. Select Create New, enter the following information and select OK.

    Address Name: guest-wifi-net
    Type: Subnet / IP Range
    Subnet / IP Range: 10.10.115.0/24
    Interface: example_guest

To create firewall policies for employee WiFi users - GUI
  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information and select OK:

    Incoming Interface: example_inc
    Source Address: employee-wifi-net
    Outgoing Interface: port1
    Destination Address: all
    Schedule: always
    Service: ALL
    Action: ACCEPT
    NAT: Enable NAT

  3. Optionally, select a security profile for wireless users.
  4. Select OK.
  5. Repeat steps 1 through 4 but select Internal as the Destination Interface/Zone to provide access to the ExampleCo private network.

To create firewall policies for employee WiFi users - CLI

    config firewall policy
        edit 0
            set srcintf "example_inc"
            set dstintf "port1"
            set srcaddr "employee-wifi-net"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
        edit 0
            set srcintf "example_inc"
            set dstintf "internal"
            set srcaddr "employee-wifi-net"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end

To create a firewall policy for guest WiFi users - GUI
  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information and select OK:

    Incoming Interface: example_guest
    Source Address: guest-wifi-net
    Outgoing Interface: port1
    Destination Address: all
    Schedule: always
    Service: ALL
    Action: ACCEPT
    NAT: Enable NAT

  3. Optionally, select UTM and set up UTM features for wireless users.
  4. Select OK.

To create a firewall policy for guest WiFi users - CLI

    config firewall policy
        edit 0
            set srcintf "example_guest"
            set dstintf "port1"
            set srcaddr "guest-wifi-net"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
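
The scenario requires that guests reach only the Internet, so it is worth checking the finished policy table against that requirement. The following is an added example, not Fortinet code: a small Python audit that parses the subset of FortiOS CLI syntax used on this page and reports policies that reference an undefined interface or let the guest SSID reach anything other than the Internet-facing port. The function names, the sample config and the `known_intfs` list of physical interfaces are assumptions made for the example.

```python
import re

# Constructed sample, not taken from a device. Policy 1 names an interface
# that is never defined; policy 3 lets the guest SSID reach "internal".
SAMPLE_CONFIG = """
config wireless-controller vap
    edit "example_inc"
        set ssid "example_inc"
    next
    edit "example_guest"
        set security captive-portal
    next
end
config firewall policy
    edit 1
        set srcintf "employee_inc"
        set dstintf "internal"
        set action accept
    next
    edit 2
        set srcintf "example_guest"
        set dstintf "port1"
        set action accept
    next
    edit 3
        set srcintf "example_guest"
        set dstintf "internal"
        set action accept
    next
end
"""


def parse_tables(text):
    """Parse top-level 'config' tables into {table: {entry: {key: [values]}}}.

    Nested 'config' blocks (such as ip-range) are skipped; 'next' is optional.
    """
    tables, table, entry, depth = {}, None, None, 0
    for line in text.splitlines():
        words = [w.strip('"') for w in re.findall(r'"[^"]*"|\S+', line)]
        if not words:
            continue
        if words[0] == "config":
            depth += 1
            if depth == 1:
                table = tables.setdefault(" ".join(words[1:]), {})
        elif words[0] == "end":
            depth -= 1
            if depth == 0:
                table = entry = None
        elif depth == 1 and words[0] == "edit" and len(words) > 1:
            # "edit 0" means "create a new entry", so give each one its own key.
            key = words[1] if words[1] != "0" else f"new-{len(table) + 1}"
            entry = table.setdefault(key, {})
        elif depth == 1 and words[0] == "set" and entry is not None and len(words) > 1:
            entry[words[1]] = words[2:]
    return tables


def audit(text, guest_intf="example_guest", internet_intf="port1",
          known_intfs=("port1", "port3", "internal")):
    """Return (policy_id, finding, interface) tuples for the two checks."""
    tables = parse_tables(text)
    # SSID interfaces come from the vap table; physical ports are supplied by the caller.
    defined = set(known_intfs) | set(tables.get("wireless-controller vap", {}))
    findings = []
    for pid, policy in tables.get("firewall policy", {}).items():
        src, dst = policy.get("srcintf", []), policy.get("dstintf", [])
        for name in src + dst:
            if name not in defined:
                findings.append((pid, "undefined-interface", name))
        # A policy with no "set action accept" denies, so only accept rules matter.
        if policy.get("action") == ["accept"] and guest_intf in src:
            for name in dst:
                if name != internet_intf:
                    findings.append((pid, "guest-reaches-non-internet", name))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved copy of the configuration; an empty result means every policy names a defined interface and the guest SSID has no accept rule toward anything but the Internet-facing port.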

Connecting the FortiAP units

You need to connect each FortiAP-220B unit to the FortiGate unit, wait for it to be recognized, and then assign it to the AP Profile. But first, you must configure the interface to which the FortiAP units connect and the DHCP server that assigns their IP addresses.

In this example, the FortiAP units connect to port 3 and are controlled through IP addresses on the 10.10.70.0/24 network.

To configure the interface for the AP unit - GUI
  1. On the FortiGate unit, go to Network > Interfaces.
  2. Edit the interface that the FortiAP unit connects to.
  3. Make sure that Role is LAN.
  4. In Addressing mode, select Manual.
  5. In IP/Network Mask, enter an IP address and netmask for the interface, for example: 10.10.70.1/255.255.255.0.

    If enabled, DHCP provides addresses to connected devices. To maximize the number of available addresses, the interface address must end with 1, for example 192.168.10.1.

  6. Under Administrative Access, for IPv4, enable CAPWAP.
  7. Click OK.

To configure the interface for the AP unit - CLI

    config system interface
        edit "port3"
            set mode static
            set ip 10.10.70.1 255.255.255.0
            set allowaccess capwap
        next
    end

To configure the DHCP server for AP units - CLI

    config system dhcp server
        edit 3
            set interface "port3"
            config ip-range
                edit 1
                    set start-ip 10.10.70.2
                    set end-ip 10.10.70.254
                next
            end
            set default-gateway 10.10.70.1
            set netmask 255.255.255.0
            set vci-match enable
            set vci-string "FortiAP"
        next
    end

The optional vci-match and vci-string fields ensure that the DHCP server will provide IP addresses only to FortiAP units.

To connect a FortiAP-220B unit - GUI
  1. Go to WiFi & Switch Controller > Managed FortiAPs.
  2. Connect the FortiAP unit to port 3.
  3. Periodically select Refresh while waiting for the FortiAP unit to be listed.
    Recognition of the FortiAP unit can take up to two minutes.
    If there is persistent difficulty recognizing FortiAP units, try disabling VCI-Match in the DHCP server settings.
  4. When the FortiAP unit is listed, select the entry to edit it.
    The Edit Managed Access Point window opens.
  5. In State, select Authorize.
  6. In the AP Profile, select [Change] and then select the example_AP profile.
  7. Select OK.
  8. Repeat Steps 2 through 7 for each FortiAP unit.

To connect a FortiAP-220B unit - CLI
  1. Connect the FortiAP unit to port 3.
  2. Enter:

    config wireless-controller wtp

  3. Wait 30 seconds, then enter get.
  4. Retry the get command every 15 seconds or so until the unit is listed, like this:

    == [ FAP22B3U10600118 ]
    wtp-id: FAP22B3U10600118

  5. Edit the discovered FortiAP unit like this:

    edit FAP22B3U10600118
        set admin enable
        set wtp-profile example_AP
    end

  6. Repeat Steps 2 through 5 for each FortiAP unit.
