Support for CAPWAP
FortiWLC supports Control and Provisioning of Wireless Access Points (CAPWAP) protocol to allow Fortinet access points to discover Fortinet WLAN controllers. In addition to controller discovery, APs can send keep-alive packets to controllers via CAPWAP.
This is a partial implementation of the CAPWAP protocol that is limited to controller discovery, keep-alive packets (echo request and response), AP image upgrade, and tunnelled client data packets between AP and controller.
Legacy Discovery Process
There are three types of access point discovery:
- Layer 2 only: The access point is in the same subnet as the controller.
- Layer 2 preferred: The access point sends broadcasts to find the controller by trying Layer 2 discovery first. If the access point gets no response, it tries Layer 3 discovery.
- Layer 3 preferred: The access point sends a discovery message to the controller by trying Layer 3 discovery first. If the access point gets no response, it tries Layer 2 discovery.
- Layer 3 only: The access point sends a discovery message to the controller using Layer 3 discovery only.
For Layer 2 and Layer 3 discovery, the access point cycles between Layer 2, Layer 3, and Mesh (if mesh is enabled) until it finds the controller.
An access point obtains its own IP address from DHCP (the default method), or you can assign a static IP address. After the access point has an IP address, it must find a controller's IP address. By default, when using Layer 3 discovery, the access point obtains the controller's IP address by using DNS and querying for a hostname. The default hostname is "wlan-controller". This presumes the DNS server knows the domain name where the controller is located. The domain name can be entered via the AP configuration or it can be obtained from the DHCP server, but without it, a Layer 3-configured AP will fail to find a controller. Alternatively, you can configure the AP to point to the controller's IP address directly (if the controller has a static IP configuration).
After the access point obtains the controller IP address, it sends discovery messages using UDP port 9393. After the controller acknowledges the messages, a link is formed between the AP and the controller.
Discovery sequence for OAP832 and OAP433
Even if OAP832 and OAP433 are configured in L3-only mode, these access points use L3 preferred mode to find the controller. If L3 preferred mode fails, they fall back to L2 mode.
CAPWAP and Legacy Reference
Port Requirements
Activity                    | CAPWAP UDP Ports | L3 UDP Ports | Ethertype (L2)
Discovery                   | 5246             | 9292         | 0x4003
Configuration and KeepAlive | 5246             | 5000         | 0x4001
Data Flow                   | 5247             | 9393         | 0x4000
Controller and AP Communication Ports
AP firmware version                 | Discovery Mode | Discovery Port / Ethertype | Keep-alive Ports / Ethertype | Configuration Ports / Ethertype | Data Flow Ports / Ethertype | Notes
Pre-8.3 (8.2, 8.1, 8.0, 7.0, etc.)  | L2             | 0x4003                     | 0x4001                       | 0x4001                          | 0x4000                      | After upgrade, UDP 5246 and 5247 are used for the discovery process and data flow respectively.
Pre-8.3 (8.2, 8.1, 8.0, 7.0, etc.)  | L3             | 9292                       | 5000                         | 5000                            | 9393                        | After upgrade, UDP 5246 and 5247 are used for the discovery process and data flow respectively.
8.3.0                               | L2             | 0x4003                     | 0x4001                       | 0x4001                          | 0x4000                      |
8.3.0                               | L3             | 5246                       | 5246                         | 5000                            | 5247                        |
CAPWAP Discovery
The CAPWAP protocol requires UDP ports 5246 and 5247 to exchange control and data packets respectively.
Discovery Sequence
CAPWAP discovery supports the following sequence on UDP port 5246:
- Unicast (configured controller IP address): The AP sends a discovery request to the controller IP address configured in the AP.
- DHCP Option 138: The AP sends a discovery request to the controller address supplied via DHCP option 138. Alternatively, option 43 is also available for discovering the controller.
- DNS: The AP sends a discovery request based on the DNS resolution of _capwap-control._udp.example.com
- Multicast: The AP sends a discovery request to the multicast address 224.0.1.140
- Broadcast: The AP sends a discovery request to the broadcast address 255.255.255.255
Discovery Process
- In L3 discovery mode, the AP sends discovery requests on both port 5246 and port 9292 to the controller.
- If the controller is already upgraded to the 8.3 release, it responds on port 5246 to complete the AP association.
- Subsequently, the keep-alive and image upgrade message exchange happens on port 5246.
- Tunnelled client data is sent to the controller on port 5247.
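The discovery sequence and the L3 discovery process described above, as an added example (not Fortinet's or FortiWLC's code): it decodes a DHCP option 138 value into controller addresses and builds the ordered list of discovery targets and UDP ports an AP would probe. The controller IP, option 138 bytes and domain are constructed sample inputs; DNS resolution of the SRV name is left to the caller so the block runs offline.

```python
"""Added example (not Fortinet's code): build the CAPWAP controller
discovery candidate list described above from constructed AP inputs."""
import ipaddress
from typing import List, Optional, Tuple

CAPWAP_CONTROL_PORT = 5246       # control: discovery, keep-alive, image upgrade
LEGACY_L3_DISCOVERY_PORT = 9292  # legacy L3 discovery port also probed in L3 mode
CAPWAP_MULTICAST = "224.0.1.140"
LIMITED_BROADCAST = "255.255.255.255"


def option_138_is_wellformed(raw: bytes) -> bool:
    """DHCP option 138 (CAPWAP AC addresses, RFC 5417) carries IPv4 addresses
    as consecutive 4-octet fields; any other length is malformed."""
    return len(raw) > 0 and len(raw) % 4 == 0


def parse_dhcp_option_138(raw: bytes) -> List[str]:
    """Decode option 138 into dotted-quad strings; reject malformed values
    outright rather than trusting a partial address list."""
    if not option_138_is_wellformed(raw):
        raise ValueError("option 138 length must be a non-zero multiple of 4")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


def discovery_candidates(configured_ip: Optional[str] = None,
                         option_138: Optional[bytes] = None,
                         domain: Optional[str] = None,
                         probe_legacy_port: bool = True) -> List[Tuple[str, int]]:
    """Return (target, udp_port) pairs in the order listed above: configured
    unicast IP, DHCP option 138 addresses, the DNS SRV name for the AP's
    domain (resolution is left to the caller), multicast, then broadcast.
    In L3 mode each target is probed on 5246 and on legacy 9292."""
    targets: List[str] = []
    if configured_ip:
        targets.append(str(ipaddress.IPv4Address(configured_ip)))  # validates syntax
    if option_138:
        targets.extend(parse_dhcp_option_138(option_138))
    if domain:
        targets.append(f"_capwap-control._udp.{domain.rstrip('.')}")
    targets.extend([CAPWAP_MULTICAST, LIMITED_BROADCAST])
    ordered = list(dict.fromkeys(targets))  # drop duplicates, keep first position
    ports = [CAPWAP_CONTROL_PORT] + ([LEGACY_L3_DISCOVERY_PORT] if probe_legacy_port else [])
    return [(t, p) for t in ordered for p in ports]


if __name__ == "__main__":
    # Constructed sample: option 138 advertising two controllers, one of which
    # duplicates the statically configured controller IP.
    sample_opt138 = bytes([10, 0, 0, 5, 10, 0, 0, 6])
    for target, port in discovery_candidates("10.0.0.5", sample_opt138, "example.com"):
        print(f"{target:40} UDP/{port}")
```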
Upgrading from Pre-8.3 Release
Using the upgrade controller command with auto-ap-upgrade ON
- The controller is upgraded to 8.3 and now listens on ports 5246 and 9292 for discovery requests from access points. During the controller upgrade process, the pre-8.3 access points continue re-discovery of the controller using the legacy method.
- Once the controller is upgraded, the pre-8.3 APs associate with the controller using the legacy method.
- The access points then begin the upgrade process. After the upgrade is complete, the access points send discovery requests on port 5246 and port 9292. The controller, already upgraded to 8.3, responds on port 5246 to complete the AP association.
Using the upgrade system command
- The APs are upgraded first to the 8.3 release. After the upgrade, the APs send discovery requests using the method sequence described in the Discovery Sequence section.
- The controller is upgraded to 8.3 after the APs are upgraded. The 8.3 controller then responds to the AP discovery requests.
Post Upgrade
Ensure that UDP 5000 is open after the upgrade is complete.
Downgrading
When downgraded to a previous release, the discovery mechanism will switch back to the legacy discovery process. However, we recommend that you open the CAPWAP UDP ports, Kcom (L3) UDP ports, and Ethertypes.