Adding a WPA3-OWE/WPA3-OWE Transition SSID to a FortiAP network
Use this procedure to add a WPA3 Opportunistic Wireless Encryption (OWE) or WPA3-OWE Transition SSID to a FortiAP network.
- If you want to use MAC access control, make sure to import MAC addresses (see the Configuring MAC access control and MAC filtering procedure).
- If you want to apply a QoS profile, make sure that the QoS profile exists (see the Adding a QoS profile procedure).
- If you want the SSID to be available to APs with specific tags only, make sure that the AP tags exist (see the Adding AP tags procedure).
- If you want to block intra-SSID traffic and customize the optional radio and rate settings, purchase a FAP Advanced Management License.
- On the FortiAP Cloud Home page, select the FortiAP network to which you want to add a WPA3 OWE SSID.
- In the Menu bar, click Configure.
- In the Navigation bar, click SSIDs.
- Click Add SSID.
- Complete the following fields:
Type a name for this wireless network. Wireless clients use this name to find and connect to this wireless network.
Select to have the SSID active.
Select to advertise the SSID. All wireless clients within range can see the SSID when they scan for available networks.
MAC Access Control
Select to allow clients identified in the MAC address import list to connect to that SSID.
Select to enable the mesh link.
A wireless mesh eliminates the need for Ethernet wiring by connecting Wi-Fi APs to each other by radio. AP networks can be configured in this way so that only one AP unit is connected to the wired network.
Enable OWE Transition to allow clients that do not support OWE to connect to an OWE-enabled network. This mode requires an Open OWE Transition SSID for such clients to connect.
Add a captive portal to the SSID.
To add a FortiAP Cloud captive portal, see section Adding a FortiAP Cloud captive portal SSID.
To add your own captive portal, see section Adding a My Captive Portal SSID to a FortiAP network.
Select Bridge or NAT. If you choose NAT, then complete the following:
- Local LAN: Select Allow or Deny.
- IP/Network Mask: Type the IP address and network mask of the SSID.
- DHCP Lease Time: Default is 3600 seconds (or one hour).
If you want to apply a QoS profile that you have already created, select it from the list.
If the IP assignment is Bridge, you can type the ID of the VLAN for your wireless network (SSID).
Default is 0 for non-VLAN operation.
With a FortiAP advanced management license, you can enable the following advanced settings:
Airtime Fairness Weight (%)
Wi-Fi has a natural tendency for clients farther away or clients at lower data rates to monopolize the airtime and drag down the overall performance. Airtime Fairness (ATF) helps to improve the overall network performance.
Airtime Fairness is configured per SSID; each SSID is granted airtime according to the configured allocation. It is configurable on both 2.4 GHz and 5 GHz radios.
Data frames that exceed the configured % allocation are dropped. Enable Airtime Fairness when creating a Platform profile.
- Applicable only on downlink traffic.
- Applicable only on data; management and control functions are excluded.
- Applicable on all types of SSIDs: Tunnel, Bridge and Mesh.
- Applicable on all authentication modes.
Airtime Fairness is supported with FOS 6.2.0 and on all Smart (FortiAP-S) W2 models and FAP (FortiAP) W2 models.
Note: Enable ATF processing on desired radios in AP Platform Profile.
- Block intra-SSID traffic
- Tunnel Settings
Select Tunnel Profile to add an existing GRE/L2TP Tunnel profile.
FortiAP Cloud supports tunnel redundancy. When the primary tunnel goes down, data traffic is automatically redirected to the secondary or the standby tunnel. Select the Primary Tunnel Profile and the Secondary Tunnel Profile. For more information, see Adding a Tunnel profile.
- Tunnel Echo Interval: The time interval to send echo requests to primary and secondary tunnel peers. The valid range is 1 to 65535 seconds; default is 300 seconds.
- Tunnel Fallback Interval: The time interval for secondary tunnel to fall back to the primary tunnel once it is active. The valid range is 1 to 65535 seconds; default is 7200 seconds.
- DHCP Option 82
DHCP option 82 (DHCP relay information) secures wireless networks served by FortiAPs against vulnerabilities that facilitate DHCP IP address starvation and spoofing/forging of IP and MAC addresses. The Circuit ID and Remote ID parameters enhance this security mechanism by allowing the FortiAP to include specific AP and client device information into the DHCP request packets. Both these options are disabled by default.
The DHCP server can use the location of a DHCP client when assigning IP addresses or other parameters.
Note: This feature is supported with FOS 6.2.0 and above.
Circuit ID: The AP information is inserted in the following formats:
- Style-1: ASCII string composed in the format <AP MAC address>;<SSID>;<SSID-TYPE>. For example, "00:12:F2:00:00:59;SSID12;Bridge".
- Style-2: ASCII string composed of the AP MAC address. For example, "00:12:F2:00:00:59".
- Style-3: ASCII string composed in the format <Network-Type:WTPProfile-Name:VLAN:SSID:AP-Model:AP-Hostname:AP-MAC address>. For example, "WLAN:FAPS221E-default:100:wifi:PS221E:FortiAP-S221E:00:12:F2:00:00:59".
Remote ID: The MAC address of the client device is inserted in the following format:
- Style-1: ASCII string composed of the client MAC address. For example, "00:12:F2:00:00:59".
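Added example (not part of the Fortinet documentation): a parser that a DHCP server hook or log pipeline could use to split the three Circuit ID styles above into fields, and to compare a Remote ID with the client hardware address in the same request. The function names are hypothetical; the sketch assumes that only the SSID field may contain the delimiter character, and the Remote ID comparison is an assumed server-side check.

```python
import re

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"


def parse_circuit_id(raw):
    """Split a Circuit ID string into named fields; raise ValueError if no style fits."""
    s = raw.strip()
    # Style-2: the AP MAC address on its own.
    if re.fullmatch(MAC, s):
        return {"style": 2, "ap_mac": s.upper()}
    # Style-1: <AP MAC address>;<SSID>;<SSID-TYPE>. An SSID may contain ';',
    # so anchor the MAC on the left and the SSID type on the right.
    m = re.fullmatch(rf"({MAC});(.+);([^;]+)", s)
    if m:
        return {"style": 1, "ap_mac": m.group(1).upper(),
                "ssid": m.group(2), "ssid_type": m.group(3)}
    # Style-3: ':' separates the seven fields and also the MAC octets, so a
    # plain split yields at least 12 tokens. Take three fields from the left
    # and eight tokens from the right; whatever remains is the SSID.
    p = s.split(":")
    if len(p) >= 12 and p[2].isdecimal() and re.fullmatch(MAC, ":".join(p[-6:])):
        return {"style": 3, "network_type": p[0], "wtp_profile": p[1],
                "vlan": int(p[2]), "ssid": ":".join(p[3:-8]),
                "ap_model": p[-8], "ap_hostname": p[-7],
                "ap_mac": ":".join(p[-6:]).upper()}
    raise ValueError(f"unrecognised Circuit ID: {raw!r}")


def remote_id_matches_client(remote_id, chaddr):
    """True when the Remote ID (Style-1, client MAC) equals the client
    hardware address carried in the same DHCP request (assumed check)."""
    rid = remote_id.strip()
    return bool(re.fullmatch(MAC, rid)) and rid.upper() == chaddr.strip().upper()


# Constructed sample values, modelled on the examples in the text above.
SAMPLES = [
    "00:12:F2:00:00:59;SSID12;Bridge",
    "00:12:F2:00:00:59",
    "WLAN:FAPS221E-default:100:wifi:PS221E:FortiAP-S221E:00:12:F2:00:00:59",
    "WLAN:FAPS221E-default:100:guest:lab:PS221E:FortiAP-S221E:00:12:F2:00:00:59",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_circuit_id(sample))
```

A request whose Circuit ID fails to parse, or whose Remote ID does not match the client hardware address, is a candidate for logging and review on the DHCP server side.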
- Radio and Rates Optional Settings
- To go to Security, click Next.
- If the FortiAP model supports security features, then select the ones you want to enable.
- To go to Availability, click Next.
- Complete the following fields:
Select which radios you want to be active.
Select whether you want the SSID to be available to all APs or APs with specific tags.
Select a schedule for when the SSID is available.
- To go to Preview, click Next.
- Review the summary. If you need to make changes, click Prev.
- To complete the changes, click Apply.
- You can now go to the Deploying a FortiAP device to a FortiAP network procedure.