Method 2: Connecting through the FortiGate unit

1. Connect the branch FortiAP unit’s Ethernet port to the FortiGate network interface that you configured for

FortiAPs. Connect the FortiAP unit to a power source unless POE is used.

2. Go to WiFi & Switch Controller > Managed FortiAPs.

If the FortiAP unit is not listed, wait 15 seconds and select Refresh. Repeat if necessary. If the unit is still missing after a minute or two, power cycle the FortiAP unit and try again.

3. Select the discovered FortiAP unit and authorize it. Click Refresh every 10 seconds until the State indicator is green.

4. Right-click the FortiAP and select >_Connect to CLI. The CLI Console window opens. Log in as “admin”.

5. Enter the following commands, substituting your own SSID and password (pre-shared key):

cfg	-a	MESH_AP_TYPE=1
cfg	-a	MESH_AP_SSID=fortinet.mesh.root
cfg	-a	MESH_AP_PASSWD=hardtoguess
cfg	-c

exit

6. Disconnect the branch FortiAP and delete it from the Managed FortiAP list.

7. Repeat the preceding steps for each branch FortiAP.

 

Authorizing leaf APs

When the root FortiAP is connected and online, apply power to the pre-configured leaf FortiAPs. The leaf FortiAPs will connect themselves wirelessly to the WiFi Controller through the mesh network. You must authorize each unit.

1. Go to WiFi & Switch Controller > Managed FortiAPs. Periodically select Refresh until the FortiAP unit is listed. This can take up to three minutes.

The State of the FortiAP unit should be Waiting for Authorization.

2. Right-click the FortiAP entry and choose your profile from the Assign Profile submenu.

3. Right-click the FortiAP entry and select Authorize.

Initially, the State of the FortiAP unit is Offline. Periodically click Refresh to update the status. Within about two minutes, the state changes to Online.

 

Creating security policies

You need to create security policies to permit traffic to flow from the end-user WiFi network to the network interfaces for the Internet and other networks. Enable NAT.

 

Viewing the status of the mesh network

Go to WiFi & Switch Controller > Managed FortiAPs to view the list of APs.

The Connected Via field lists the IP address of each FortiAP and uses icons to show whether the FortiAP is connected by Ethernet or Mesh.

Ethernet

Mesh

If you mouse over the Connected Via information, a topology displays, showing how the FortiGate wireless controller connects to the FortiAP.

 

Configuring a point-to-point bridge

You can create a point-to-point bridge to connect two wired network segments using a WiFi link. The effect is the same as connecting the two network segments to the same wired switch.

You need to:

• Configure a backhaul link and root mesh AP as described in Configuring a point-to-point bridge on page 875. Note: The root mesh AP for a point-to-point bridge must be a FortiAP unit, not the internal AP of a FortiWiFi unit.
• Configure bridging on the leaf AP unit.

To configure the leaf AP unit for bridged operation – FortiAP web-based manager

1. With your browser, connect to the FortiAP unit web-based manager.

You can temporarily connect to the unit’s Ethernet port and use its default address: 192.168.1.2.

2. Enter:

 

Operation Mode                        Mesh

Mesh AP SSID                           fortinet-ap

Mesh AP Password                   fortinet

Ethernet Bridge                         Select

3. Select Apply.

4. Connect the local wired network to the Ethernet port on the FortiAP unit.

Users are assigned IP addresses from the DHCP server on the wired network connected to the root mesh AP unit.

 

To configure a FortiAP unit as a leaf AP – FortiAP CLI

 

cfg	-a	MESH_AP_SSID=fortinet-ap
cfg	-a	MESH_AP_PASSWD=fortinet
cfg cfg	-a -a	MESH_ETH_BRIDGE=1 MESH_AP_TYPE=1
cfg	-c

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!