This article describes how to configure a FortiGate interface to manage FortiAPs.
Based on the above topology, this example uses port16 as the interface that manages the connection to FortiAPs.
- You must enable a DHCP server on port16:
  - In FortiOS, go to Network > Interfaces.
  - Edit port16.
  - In the IP/Network Mask field, enter an IP address for port16.
  - Enable DHCP Server, keeping the default settings.
- If required, you can enable the VCI-match feature using the CLI. When VCI-match is enabled, only devices with a VCI name that matches the preconfigured string can acquire an IP address from the DHCP server. To configure VCI-match, run the following commands:

      config system dhcp server
          edit 1
              set interface port16
              set vci-match enable
              set vci-string "FortiAP"
          next
      end
- As it is a minimum management requirement that FortiAP establish a CAPWAP tunnel with the FortiGate, you must enable CAPWAP access on port16 to allow it to manage FortiAPs:
  - Go to Network > Interfaces.
  - Double-click port16.
  - Under Administrative Access, select Security Fabric Connection.
  - Click OK.
- To create a new FortiAP entry automatically when a new FortiAP unit is discovered, run the following command. By default, this option is enabled.

      config system interface
          edit port16
              set allow-access fabric
              set ap-discover enable
          next
      end
- To allow FortiGate to authorize a newly discovered FortiAP to be controlled by the FortiGate, run the following command. By default, this option is disabled.

      config system interface
          edit port16
              set allow-access fabric
              set auto-auth-extension-device enable
          next
      end
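The settings above decide which devices get a lease on the management interface and whether a discovered FortiAP is authorized without an administrator step, so they are worth checking in saved configurations. The following is an added example, not Fortinet code: a small Python review of configuration text written in the same syntax as the commands on this page. The names `SAMPLE`, `parse` and `review_items` are hypothetical, and the script assumes the `config` blocks sit at the top level of the text (no enclosing VDOM or global block).

```python
import shlex
SAMPLE = """
config system interface
    edit "port16"
        set allow-access fabric
        set auto-auth-extension-device enable
    next
    edit "port17"
        set allow-access fabric
    next
end
config system dhcp server
    edit 1
        set interface "port16"
    next
end
"""  # constructed sample in the page's syntax, not output from a real device

def parse(text):
    """Return {section: {entry: {key: [values]}}}; nested config blocks are skipped."""
    out, section, entry, depth = {}, {}, {}, 0
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] == "config":
            depth += 1
            if depth == 1:
                section = out.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "end":
            depth -= 1
        elif depth == 1 and tok[0] == "edit" and tok[1:]:
            entry = section.setdefault(tok[1], {})
        elif depth == 1 and tok[0] == "set" and tok[1:]:
            entry[tok[1]] = tok[2:]
    return out

def review_items(text):
    """Return (interface, note) pairs; auto-auth counts as off when unset (page default)."""
    cfg = parse(text)
    vci = {(s.get("interface") or [""])[0]: s.get("vci-match") == ["enable"]
           for s in cfg.get("system dhcp server", {}).values()}
    notes = []
    for name, s in cfg.get("system interface", {}).items():
        if "fabric" not in s.get("allow-access", []):
            continue  # interface does not accept FortiAP management traffic
        if s.get("auto-auth-extension-device") == ["enable"]:
            notes.append((name, "auto-auth-extension-device enabled"))
        if vci.get(name) is False:
            notes.append((name, "DHCP server without vci-match"))
    return notes
```

The VCI string is supplied by the client in its DHCP request, so vci-match narrows which devices receive a lease but does not authenticate them.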