Discovering and authorizing APs

6.0.0

After you prepare your FortiGate, you can connect your APs to discover them using the discovery methods described earlier. To prepare the FortiGate, you need to:

  • Configure the network interface to which the AP will connect.
  • Configure DHCP service on the interface to which the AP will connect.
  • Optionally, preauthorize FortiAP units. They will begin to function when connected.
  • Connect the AP units and let the FortiGate unit discover them.
  • Enable each discovered AP and configure it or assign it to an AP profile.

Configuring the network interface for the AP unit

The interface to which you connect your wireless access point needs an IP address. Apart from CAPWAP, which the procedures below enable, no administrative access, DNS Query service or authentication should be enabled on this interface.

In this example, the FortiAP units connect to port3 and are controlled through IP addresses on the 10.10.70.0/24 network.

To configure the interface for the AP unit - GUI
  1. On the FortiGate unit, go to Network > Interfaces.
  2. Edit the interface that the FortiAP unit connects to.
  3. Make sure that Role is LAN.
  4. In Addressing mode, select Manual.
  5. In IP/Network Mask, enter an IP address and netmask for the interface, for example: 10.10.70.1/255.255.255.0.

    If enabled, DHCP provides addresses to connected devices. To maximize the number of available addresses, the interface address must end with 1, for example 192.168.10.1.

  6. Under Administrative Access, for IPv4, enable CAPWAP.
  7. Click OK.

To configure the interface for the AP unit - CLI

In the CLI, you must configure the interface IP address and DHCP server separately.

config system interface
    edit "port3"
        set mode static
        set ip 10.10.70.1 255.255.255.0
        set allowaccess capwap
    next
end
config system dhcp server
    edit 3
        set interface "port3"
        config ip-range
            edit 1
                set start-ip 10.10.70.2
                set end-ip 10.10.70.254
            next
        end
        set default-gateway 10.10.70.1
        set netmask 255.255.255.0
        set vci-match enable
        set vci-string "FortiAP"
    next
end 

The optional vci-match and vci-string fields ensure that the DHCP server will provide IP addresses only to FortiAP units.

Pre-authorizing a FortiAP unit

If you enter the FortiAP unit information in advance, it is authorized and will begin to function when it is connected.

To pre-authorize a FortiAP unit
  1. Go to WiFi & Switch Controller > Managed FortiAPs and select Create New.
    On some models the WiFi Controller menu is called WiFi & Switch Controller.
  2. Enter the Serial Number of the FortiAP unit.
  3. Configure the Wireless Settings as required.
  4. Select OK.

Enabling and configuring a discovered AP

Within two minutes of connecting the AP unit to the FortiGate unit, the discovered unit should be listed on the WiFi Controller > Managed FortiAPs page. After you select the unit, you can authorize, edit or delete it.

Discovered access point unit

When you authorize (enable) a FortiAP unit, it is configured by default to use the default FortiAP profile (determined by model). You can create and select a different profile if needed. The FortiAP profile defines the entire configuration for the AP.

To add and configure the discovered AP unit - GUI
  1. Go to WiFi & Switch Controller > Managed FortiAPs.
    This configuration also applies to local WiFi radio on FortiWiFi models.
  2. Select the FortiAP unit from the list and edit it.
  3. Optionally, enter a Name. Otherwise, the unit will be identified by serial number.
  4. Select Authorize.
  5. Select a FortiAP Profile.
  6. Select OK.

The physical access point is now added to the system. If the rest of the configuration is complete, it should be possible to connect to the wireless network through the AP.

To add the discovered AP unit - CLI

First get a list of the discovered access point unit serial numbers:

get wireless-controller wtp

Add a discovered unit and associate it with AP-profile1, for example:

config wireless-controller wtp
    edit FAP22A3U10600118
        set admin enable
        set wtp-profile AP-profile1
end

To view the status of the added AP unit

config wireless-controller wtp
    edit FAP22A3U10600118
        get

The join-time field should show a time, not “N/A”. See the preceding GUI procedure for more information.

Disable automatic discovery of unknown FortiAPs

By default, the FortiGate adds newly discovered FortiAPs to the Managed FortiAPs list, awaiting the administrator's authorization. Optionally, you can disable this automatic registration function to avoid adding unknown FortiAPs. A FortiAP will be registered and listed only if its serial number has already been added manually to the Managed FortiAPs list. AP registration is configured on each interface.

To disable automatic discovery and registration, enter the following command:

config system interface
    edit port15
        set ap-discover disable
end

Automatic authorization of extension devices

To simplify adding FortiAP or FortiSwitch devices to your network, you can enable automatic authorization of devices as they are connected, instead of authorizing each one individually.

This feature is only configurable in the CLI.

To enable automatic authorization on all dedicated interfaces

config system global
    set auto-auth-extension-device enable
end

To enable automatic authorization per-interface

config system interface
    edit <port>
        set auto-auth-extension-device enable
end

Assigning the same profile to multiple FortiAP units

The same profile can now be applied to multiple managed FortiAP units at the same time. To do this, do the following:

  1. Go to WiFi & Switch Controller > Managed FortiAPs to view the AP list.
  2. Select all FortiAP units you wish to apply the profile to.
  3. Right-click one of the selected FortiAPs and select Assign Profile.
  4. Choose the profile you wish to apply.

Overriding the FortiAP profile

In the FortiAP configuration (WiFi & Switch Controller > Managed FortiAPs), there are several radio settings under Override Radio 1 and Override Radio 2 that let you choose a value independently of the FortiAP profile setting. When the override for a radio is disabled, you see the value that the FortiAP Profile has configured for each setting.

Band

The available options depend on the capability of the radio. Overriding Band also overrides Channels. Make appropriate settings in Channels.

Channels

Choose channels. The available channels depend on the Band.

TX Power Control

If you enable Auto, adjust to set the power range in dBm.
If you enable Manual, adjust the slider. The 100% setting is the maximum power permitted in your region. See WiFi LAN configuration.

SSIDs

Select between Auto or Manual. Selecting Auto eliminates the need to re-edit the profile when new SSIDs are created. However, you can still select SSIDs individually using Manual.

To override radio settings in the CLI

In this example, Radio 1 is set to 802.11n on channel 11, regardless of the profile setting.

config wireless-controller wtp
    edit FP221C3X14019926
        config radio-1
            set override-band enable
            set band 802.11n
            set override-channel enable
            set channel 11
        end
end

Override settings are available for band, channel, vaps (SSIDs), and txpower.

Outside of configuring radio settings, you can also override FortiAP LED state, WAN port mode, IP Fragmentation prevention method, spectrum analysis, split tunneling, and login password settings.

Accessing the FortiAP CLI through the FortiGate unit

Enable remote login for the FortiAP. In the FortiAP Profile for this FortiAP, enable remote access.

Connecting to the FortiAP CLI

The FortiAP unit has a CLI through which some configuration options can be set. You can access the CLI using Telnet.

To access the FortiAP unit CLI through the FortiAP Ethernet port
  1. Connect your computer to the FortiAP Ethernet interface, either directly with a cross-over cable or through a separate switch or hub.
  2. Change your computer’s IP address to 192.168.1.3.
  3. Telnet to IP address 192.168.1.2.
    Ensure that the FortiAP is in a private network with no DHCP server for the static IP address to be accessible.
  4. Log in with user name admin and no password.
  5. Enter commands as needed.
  6. Optionally, use the passwd command to assign an administrative password for better security.
  7. Save the configuration by entering the following command:

    cfg -c

  8. Unplug the FortiAP and then plug it back in, in order for the configuration to take effect.

Accessing the FortiAP CLI through the FortiGate

After the FortiAP has been installed, physical access to the unit might be inconvenient. You can access a connected FortiAP unit's CLI through the FortiGate unit that controls it.

To enable remote access to the FortiAP CLI

In the CLI, edit the FortiAP Profile that applies to this FortiAP.

config wireless-controller wtp-profile
    edit FAP221C-default
        set allowaccess telnet
end

FortiAP now supports HTTPS and SSH administrative access, as well as HTTP and Telnet. Use the command above to set administrative access to telnet, http, https, or ssh.
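
The settings covered above (ap-discover, auto-auth-extension-device, and allowaccess on both the AP-facing interface and the FortiAP profile) can be checked offline against a configuration backup. The following Python script is an added example, not Fortinet code: the sample configuration and the finding texts are constructed, and ap-discover is treated as enabled when it is absent, following the default described earlier.

```python
import shlex

# Constructed sample; "https" on port3 is added to exercise the interface check.
SAMPLE_CONFIG = """
config system global
    set auto-auth-extension-device enable
end
config system interface
    edit "port3"
        set allowaccess capwap https
    next
    edit "port15"
        set allowaccess capwap
        set ap-discover disable
    next
    edit "port16"
        set allowaccess capwap
        set auto-auth-extension-device enable
    next
end
config wireless-controller wtp-profile
    edit "FAP221C-default"
        set allowaccess telnet
    next
    edit "AP-profile1"
        set allowaccess ssh
    next
end
"""


def parse_fortios(text):
    """Map each config/edit path, e.g. ("system interface", "port3"), to {option: [values]}."""
    settings, stack = {}, []  # stack of ("config" | "edit", name) frames
    for raw in text.splitlines():
        try:
            tokens = shlex.split(raw)
        except ValueError:  # unbalanced quote, e.g. inside a multi-line value
            tokens = raw.split()
        if not tokens:
            continue
        verb, args = tokens[0], tokens[1:]
        if verb == "config":
            stack.append(("config", " ".join(args)))
        elif verb == "edit" and args:
            stack.append(("edit", args[0]))
        elif verb == "next" and stack and stack[-1][0] == "edit":
            stack.pop()
        elif verb == "end":
            # "end" typed inside an "edit" closes the entry and its "config" block.
            while stack and stack[-1][0] == "edit":
                stack.pop()
            if stack:
                stack.pop()
        elif verb == "set" and args and stack:
            path = tuple(name for _, name in stack)
            settings.setdefault(path, {})[args[0]] = args[1:]
    return settings


def audit(settings):
    """Return sorted (location, finding) pairs for the options discussed on this page."""
    findings = []
    for path, opts in settings.items():
        where = " ".join(path)
        access = set(opts.get("allowaccess", []))
        if opts.get("auto-auth-extension-device") == ["enable"]:
            findings.append((where, "extension devices are authorized automatically"))
        if path[0] == "system interface" and "capwap" in access:
            extra = sorted(access - {"capwap"})
            if extra:
                findings.append((where, "AP interface also allows " + ",".join(extra)))
            if opts.get("ap-discover", ["enable"]) != ["disable"]:  # absent = enabled
                findings.append((where, "unknown FortiAPs are registered on discovery"))
        clear = sorted(access & {"telnet", "http"})
        if path[0] == "wireless-controller wtp-profile" and clear:
            findings.append((where, "FortiAP management allows cleartext " + ",".join(clear)))
    return sorted(findings)


if __name__ == "__main__":
    for location, finding in audit(parse_fortios(SAMPLE_CONFIG)):
        print(f"{location}: {finding}")
```

To audit a real unit, pass the text of an exported configuration backup to parse_fortios in place of the sample.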

To access the FortiAP unit CLI through the FortiGate unit - GUI
  1. Go to WiFi & Switch Controller > Managed FortiAPs.
  2. In the list, right-click the FortiAP unit and select >_Connect to CLI.

    A detached Console window opens.

  3. At the FortiAP login prompt, enter admin. When you are finished using the FortiAP CLI, enter exit.

To access the FortiAP unit CLI through the FortiGate unit - CLI
  1. Use the FortiGate CLI execute telnet command to access the FortiAP. For example, if the FortiAP unit IP address is 192.168.1.2, enter:

    execute telnet 192.168.1.2

  2. At the FortiAP login prompt, enter admin. When you are finished using the FortiAP CLI, enter exit.

When a WiFi controller takes control of the FortiAP unit, Telnet access to the FortiAP unit CLI is no longer available.

Checking and updating FortiAP unit firmware

You can view and update the FortiAP unit firmware from the FortiGate unit that acts as its WiFi controller.

Checking the FortiAP unit firmware version

Go to WiFi & Switch Controller > Managed FortiAPs to view the list of FortiAP units that the FortiGate unit can manage. The OS Version column shows the current firmware version running on each AP.

Updating FortiAP firmware using FortiGuard

If your managed FortiAP units are registered with FortiGuard, you can update their firmware from the FortiGate GUI by selecting to upgrade them from FortiGuard. You can use the following procedure to upgrade the firmware running on one or multiple managed FortiAP units.

Note: FortiGuard prevents you from repeatedly downloading the same firmware image. If you have multiple FortiAPs of the same model, rather than downloading the same firmware image over and over again from FortiGuard, you should use the following procedure to download a firmware image file once and then load that same firmware image onto each matching FortiAP unit.

To update FortiAP firmware from FortiGuard - GUI
  1. Go to WiFi & Switch Controller > Managed FortiAPs.
  2. Select one or more managed FortiAPs to upgrade their firmware. Use Ctrl-click to select multiple FortiAPs.
  3. Select Upgrade either by right-clicking or selecting Upgrade at the top of the page.
  4. Select FortiGuard.

    The GUI indicates which FortiAPs can be upgraded from FortiGuard.

  5. Verify that the FortiAPs that you want to update are selected.
  6. Select Upgrade.

    The FortiGate downloads the required FortiAP firmware images from FortiGuard and updates the selected FortiAPs. If you are updating multiple FortiAPs of the same model, the FortiGate downloads their firmware image once and installs it on all of the matching FortiAPs.

Updating FortiAP firmware from the FortiGate unit

You can update the FortiAP firmware using either the GUI or the CLI. Only the CLI method can update all FortiAP units at once.

To update FortiAP unit firmware - GUI
  1. Go to WiFi & Switch Controller > Managed FortiAPs.
  2. Right-click the FortiAP unit in the list and select Upgrade.
    or
    Edit the FortiAP entry and select Upgrade under Firmware.
  3. Select Browse and locate the firmware upgrade file.
  4. Select OK.
  5. When the upgrade process completes, select OK.
    The FortiAP unit restarts.

To update FortiAP unit firmware - CLI
  1. Upload the FortiAP image to the FortiGate unit.

    For example, the firmware file is FAP_22A_v4.3.0_b0212_fortinet.out and the server IP address is 192.168.0.100.

    execute wireless-controller upload-wtp-image tftp FAP_22A_v4.3.0_b0212_fortinet.out 192.168.0.100

    If your server is FTP, change tftp to ftp, and if necessary add your user name and password at the end of the command.

  2. Verify that the image is uploaded:

    execute wireless-controller list-wtp-image

  3. Upgrade the FortiAP units:

    exec wireless-controller reset-wtp all

    If you want to upgrade only one FortiAP unit, enter its serial number instead of all.

Updating FortiAP firmware from the FortiAP unit

You can connect to a FortiAP unit’s internal CLI to update its firmware from a TFTP server on the same network. This method does not require access to the wireless controller.

  1. Place the FortiAP firmware image on a TFTP server on your computer.
  2. Connect the FortiAP unit to a separate private switch or hub or directly connect to your computer via a cross-over cable.
  3. Change your computer’s IP address to 192.168.1.3.
  4. Telnet to IP address 192.168.1.2.
    This IP address is overwritten if the FortiAP is connected to a DHCP environment. Ensure that the FortiAP unit is in a private network with no DHCP server.
  5. Log in with the username “admin” and no password.
  6. Enter the following command.
    For example, the FortiAP image file name is FAP_22A_v4.3.0_b0212_fortinet.out.

    restore FAP_22A_v4.3.0_b0212_fortinet.out 192.168.1.3
