Access point deployment
This chapter describes how to configure access points for your wireless network.
- Overview
- Network topology for managed APs
- Discovering and authorizing APs
- Advanced WiFi controller discovery
- Wireless client load balancing for high-density deployments
- LAN port options
- Preventing IP fragmentation of packets in CAPWAP tunnels
FortiAP units discover WiFi controllers. The administrator of the WiFi controller authorizes the FortiAP units that the controller will manage.
In most cases, FortiAP units can find WiFi controllers through the wired Ethernet without any special configuration. Review the following section, Access point deployment, to make sure that your method of connecting the FortiAP unit to the WiFi controller is valid. Then, you are ready to follow the procedures in Access point deployment.
If your FortiAP units are unable to find the WiFi controller, refer to Access point deployment for detailed information about the FortiAP unit’s controller discovery methods and how you can configure them.
Network topology for managed APs
The FortiAP unit can be connected to the FortiGate unit in any of the following ways:
- Direct connection: The FortiAP unit is directly connected to the FortiGate unit with no switches between them. This configuration is common for locations where the number of FortiAP units matches the number of ‘internal’ ports available on the FortiGate. In this configuration, the FortiAP unit requests an IP address from the FortiGate unit, enters discovery mode and should quickly find the FortiGate WiFi controller. This is also known as a wirecloset deployment. See “Wirecloset and Gateway deployments” below.
- Switched connection: The FortiAP unit is connected to the FortiGate WiFi controller by an Ethernet switch operating in L2 switching mode or L3 routing mode. There must be a routable path between the FortiAP unit and the FortiGate unit, and ports 5246 and 5247 must be open. This is also known as a gateway deployment. See Gateway Deployment below.
- Connection over WAN: The FortiGate WiFi controller is off-premises and connected by a VPN tunnel to a local FortiGate. With this method of connectivity, it is best to configure each FortiAP with the static IP address of the WiFi controller. Each FortiAP can be configured with three WiFi controller IP addresses for redundant failover. This is also known as a datacenter remote management deployment. See Remote deployment below.
Discovering and authorizing APs
After you prepare your FortiGate unit, you can connect your APs to discover them using the discovery methods described earlier. To prepare the FortiGate unit, you need to:
- Configure the network interface to which the AP will connect.
- Configure DHCP service on the interface to which the AP will connect.
- Optionally, preauthorize FortiAP units. They will begin to function when connected.
- Connect the AP units and let the FortiGate unit discover them.
- Enable each discovered AP and configure it or assign it to an AP profile.
Configuring the network interface for the AP unit
The interface to which you connect your wireless access point needs an IP address. No administrative access, DNS Query service or authentication should be enabled.
To configure the interface for the AP unit – web-based manager
1. Go to Network > Interfaces and edit the interface to which the AP unit connects.
2. Set Addressing Mode to Dedicate to Extension Device.
3. Enter the IP address and netmask to use.
The FortiGate unit automatically configures a DHCP server on the interface that will assign the remaining higher addresses up to .254 to FortiAP units. For example, if the IP address is 10.10.1.100, the FortiAP units will be assigned 10.10.1.101 to 10.10.1.254. To maximize the available addresses, use the .1 address for the interface: 10.10.1.1, for example.
4. Select OK.
To configure the interface for the AP unit – CLI
In the CLI, you must configure the interface IP address and DHCP server separately.
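config system interface
  edit port3
    set mode static
    set ip 10.10.70.1 255.255.255.0
  next
end
config system dhcp server
  edit 0
    # Bind the DHCP server to the interface configured above.
    set interface "port3"
    config ip-range
      edit 1
        set end-ip 10.10.70.254
        set start-ip 10.10.70.2
      next
    end
    set netmask 255.255.255.0
    # Lease addresses only to clients whose vendor class identifier matches.
    set vci-match enable
    set vci-string "FortiAP"
  next
end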
The optional vci-match and vci-string fields ensure that the DHCP server will provide IP addresses only to FortiAP units.
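A configuration check for the two points above (no administrative access on the AP interface, and a VCI-restricted DHCP server bound to that same interface), as an added example that is not part of the original documentation. The parser, the MGMT set and the sample configuration are constructed for illustration; set allowaccess is the FortiOS interface setting that enables administrative protocols.

```python
import shlex

MGMT = {"http", "https", "ssh", "telnet", "snmp"}  # assumption: what counts as admin access
# Constructed sample: admin access left on port3, DHCP server bound to "dmz", no vci-match.
SAMPLE = '''
config system interface
    edit "port3"
        set allowaccess ping https ssh
    next
end
config system dhcp server
    edit 1
        set interface "dmz"
        config ip-range
            edit 1
                set start-ip 10.10.70.2
            next
        end
    next
end
'''

def parse(text):
    """Map each config/edit path, e.g. ('system interface', 'port3'), to its 'set' values."""
    stack, table = [], {}
    for line in text.splitlines():
        tok = shlex.split(line, comments=True) or [""]
        if tok[0] in ("config", "edit"):
            stack.append((tok[0], " ".join(tok[1:])))
        elif tok[0] == "next" and stack and stack[-1][0] == "edit":
            stack.pop()
        elif tok[0] == "end":
            while stack and stack.pop()[0] == "edit":  # tolerate a missing "next"
                pass
        elif tok[0] == "set" and len(tok) > 1:
            table.setdefault(tuple(n for _, n in stack), {})[tok[1]] = tok[2:]
    return table

def audit(text, ap_if):
    cfg, out = parse(text), []
    exposed = sorted(MGMT & set(cfg.get(("system interface", ap_if), {}).get("allowaccess", [])))
    if exposed:
        out.append(f"{ap_if}: administrative access enabled ({' '.join(exposed)})")
    servers = [v for p, v in cfg.items()
               if p[:1] == ("system dhcp server",) and v.get("interface") == [ap_if]]
    if not servers:
        out.append(f"{ap_if}: no DHCP server is bound to this interface")
    if any(s.get("vci-match") != ["enable"] or not s.get("vci-string") for s in servers):
        out.append(f"{ap_if}: DHCP server answers any client (vci-match not enforced)")
    return out
```

Calling audit(SAMPLE, "port3") returns the findings as a list of strings. The vendor class identifier is supplied by the client, so vci-match only scopes DHCP leases; authorization on the WiFi controller remains the step that admits an AP.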
Pre-authorizing a FortiAP unit
If you enter the FortiAP unit information in advance, it is authorized and will begin to function when it is connected.
To pre-authorize a FortiAP unit
1. Go to WiFi & Switch Controller > Managed FortiAPs and select Create New.
On some models the WiFi Controller menu is called WiFi & Switch Controller.
2. Enter the Serial Number of the FortiAP unit.
3. Configure the Wireless Settings as required.
4. Select OK.
Enabling and configuring a discovered AP
Within two minutes of connecting the AP unit to the FortiGate unit, the discovered unit should be listed on the WiFi Controller > Managed FortiAPs page. After you select the unit, you can authorize, edit or delete it.