Skip to content

Add and Authorize a FortiAP

A FortiAP is Fortinet's managed wireless access point. The FortiGate (acting as a wireless controller) discovers APs, pushes config, and tunnels client traffic via CAPWAP. Once authorized, the FortiAP's radios become extensions of the FortiGate's wireless config.

Before You Start

  • A FortiAP plugged into a network the FortiGate can reach (typically on a VLAN where FortiGate is the gateway, OR on a port managed via FortiLink to a FortiSwitch).
  • FortiAP gets power (PoE+ on most models).
  • CAPWAP (UDP 5246/5247) reachable from FortiAP to FortiGate.

Steps

Let FortiAP discover the FortiGate

FortiAP discovers controllers via: 1. DHCP option 138 — DHCP scope hands out FortiGate IP. 2. Static config — set via console on the AP. 3. DNSwifi.<your-domain> resolves to FortiGate. 4. Layer-2 broadcast — same VLAN as FortiGate.

For typical small setups, just have the AP on a VLAN where FortiGate is the gateway — L2 discovery works automatically.

Authorize the AP

  1. WiFi & Switch Controller → Managed FortiAPs. AP appears as "Discovered."
  2. Click the AP → Authorize.
  3. Wait 1-3 minutes for config sync. Status changes to Online.

📸 Screenshot needed

Managed FortiAPs list showing the discovered AP, plus the Authorize button.

Assign an AP Profile

The AP Profile defines radios, SSIDs, and country (regulatory). Default profile usually works for first-time setup.

  1. Click the AP → AP Profile dropdown → pick or create.
  2. Apply.

CLI Equivalent

config wireless-controller wtp
edit "FP221E1234567890"
    set admin enable
    set wtp-profile "FAP221E-default"
next
end

Verify

diagnose wireless-controller wlac -c wtp
get wireless-controller wtp

Status connected = AP is online.

Check radio status:

diagnose wireless-controller wlac -c wtp <ap-serial> | grep -E "radio|chan|tx-power"

Common Issues

  • AP doesn't appear in Discovered. CAPWAP unreachable. Verify routing + firewall.
  • AP discovered, won't authorize. Wrong AP Profile (radio mode incompatible with hardware) or license issue.
  • AP authorized but no clients can connect. No SSIDs assigned to the profile. See Create an SSID.
  • AP loses connection periodically. PoE undersupplied, or CAPWAP tunnel MTU issue. Check switch port logs.