FortiAP groups
FortiAP groups facilitate the application of FortiAP profiles to large numbers of FortiAPs. A FortiAP can belong to no more than one FortiAP group. A FortiAP group can include only one model of FortiAP.
Through the VLAN pool feature, a FortiAP group can be associated with a VLAN to which WiFi clients will be assigned. For more on VLAN pool assignment, see VLAN assignment by VLAN pool.
FortiAP groups are only configurable in the CLI Console.
To create a FortiAP group – CLI
In this example, wtp-group-1 is created for a FortiAP-221C and one member device is added.
config wireless-controller wtp-group
  edit wtp-group-1
    set platform-type 221C
    config wtp-list
      edit FP221C3X14019926
    end
end
LAN port options
Some FortiAP models have one or more LAN interfaces that can provide wired network access. LAN ports can be
- bridged to the incoming WAN interface
- bridged to one of the WiFi SSIDs that the FortiAP unit carries
- connected by NAT to the incoming WAN interface
There are some differences among FortiAP models.
Models like 11C and 14C have one port labeled WAN and one or more ports labeled LAN. By default, the LAN ports are offline. You can configure LAN port operation in the FortiAP Profile in the GUI (Wireless Controller > FortiAP Profiles) or in the CLI (config wireless-controller wtp-profile, config lan subcommand).
Models like 320C, 320B, 112D, and 112B have two ports, labeled LAN1 and LAN2. LAN1 acts as a WAN port connecting the FortiAP to a FortiGate or FortiCloud. By default, LAN2 is bridged to LAN1. Other modes of LAN2 operation must be enabled in the CLI:
config wireless-controller wtp-profile
  edit <profile_name>
    set wan-port-mode wan-lan
end
By default wan-port-mode is set to wan-only.
When wan-port-mode is set to wan-lan, LAN2 port options are available in the GUI and the CLI, the same as on the other FortiAP models that have labeled WAN and LAN ports.
Bridging a LAN port with an SSID
Bridging a LAN port with a FortiAP SSID combines traffic from both sources to provide a single broadcast domain for wired and wireless users. In this configuration
- The IP addresses for LAN clients come from the DHCP server that serves the wireless clients.
- Traffic from LAN clients is bridged to the SSID’s VLAN. Dynamic VLAN assignment for hosts on the LAN port is not supported.
- Wireless and LAN clients are on the same network and can communicate locally, via the FortiAP.
- Any host connected to the LAN port will be taken as authenticated. RADIUS MAC authentication for hosts on the LAN port is not supported.
For configuration instructions, see LAN port options on page 69.
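The following audit check is an added example, not part of the original documentation: it scans a FortiGate configuration backup for FortiAP profiles whose LAN port is bridged to an SSID, the mode in which any wired host is taken as authenticated. The sample config, profile names and SSID name are constructed, the function names are hypothetical, and the `port-mode` / `portN-mode`, `port-ssid` and `bridge-to-ssid` keywords under `config lan` are assumed from the FortiOS CLI rather than shown on this page.

```python
import re
# Constructed config-backup excerpt; profile and SSID names are made up.
SAMPLE_CONFIG = """\
config wireless-controller wtp-profile
    edit "lobby-11C"
        config lan
            set port-mode bridge-to-ssid
            set port-ssid "corp-wifi"
        end
    next
    edit "branch-14C"
        config lan
            set port-mode bridge-to-wan
        end
    next
    edit "office-320C"
        set wan-port-mode wan-lan
    next
end
"""
PROFILE = "wireless-controller wtp-profile"

def lan_port_modes(config_text):
    """Map each FortiAP profile to the LAN port modes set under 'config lan'."""
    profiles, stack, current = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end" and stack:
            stack.pop()
        elif line.startswith("edit ") and stack == [PROFILE]:
            current = line[5:].strip().strip('"')
            profiles[current] = {}
        elif current and stack == [PROFILE, "lan"]:
            # port-mode (single LAN port) or portN-mode (assumed FortiOS keywords)
            m = re.match(r"set (port\d*-mode) (\S+)", line)
            if m:
                profiles[current][m.group(1)] = m.group(2)
    return profiles

def ssid_bridged_ports(config_text):
    """Return (profile, setting) pairs where wired hosts join an SSID unauthenticated."""
    return sorted((name, key) for name, modes in lan_port_modes(config_text).items()
                  for key, mode in modes.items() if mode == "bridge-to-ssid")

if __name__ == "__main__":
    for name, key in ssid_bridged_ports(SAMPLE_CONFIG):
        print(f"{name}: {key} bridge-to-ssid, LAN hosts are taken as authenticated")
```

Profiles it reports are the ones where physical access to the AP's LAN jack should be controlled, since neither dynamic VLAN assignment nor RADIUS MAC authentication applies to those hosts.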
Bridging a LAN port with the WAN port
Bridging a LAN port with the WAN port enables the FortiAP unit to be used as a hub which is also an access point. In this configuration
- The IP addresses for LAN clients come from the WAN directly and will typically be in the same range as the AP itself.
- All LAN client traffic is bridged directly to the WAN interface.
- Communication between wireless and LAN clients can only occur if a policy on the FortiGate unit allows it.
For configuration instructions, see LAN port options on page 69.