Fortinet Document Library

Version:

Version:


Table of Contents

FortiAP Cloud User Guide

Download PDF
Copy Link

Adding a FortiAP Cloud captive portal SSID to a FortiAP network

Use this procedure to add a FortiAP Cloud captive portal SSID to a FortiAP network. FortiAP Cloud includes captive portal settings that you can customize during the SSID addition.

If you want to create and use your own captive portal, then go to the Adding a My Captive Portal SSID to a FortiAP network procedure.

Prerequisites

  • If you want to use the MAC access control, make sure to import MAC addresses (see the Configuring MAC access control and MAC filtering procedure).
  • If you choose one of the following sign on methods, make sure to complete the required setup:
  • If you want to apply a QoS profile, make sure that the QoS profile exists (see the Adding a QoS profile procedure).
  • If you want the SSID to be available to APs with specific tags only, make sure that the AP tags exist (see the Adding AP tags procedure).
  • If you want to block intra-SSID traffic, and customize radio and rate optional settings, then purchase a FAP Advanced Management License.

Procedure steps

  1. On the FortiAP Cloud Home page, select the FortiAP network to which you want to add a WPA2 Personal SSID.
  2. In the Menu bar, click Configure.
  3. In the Navigation pane, click SSIDs.
  4. Click Add SSID.
  5. Complete the following fields:

    SSID

    Type a name for this wireless network. Clients use this name to find and connect to this wireless network.

    Enabled

    Select to have the SSID active.

    Broadcast SSID

    Select to broadcast the SSID. All wireless clients within range can see the SSID when they scan for available networks.

    MAC Access Control

    Select to allow clients identified in the MAC address import list to connect to that SSID.

    Fail Through Mode. This mode is available if you select the Open authentication. If you select the Fail Through Mode, then the following applies:

    • If a client is not in the MAC address import list, then the client must pass captive-portal authentication to access the internet.
    • If a client is in the MAC address import list, then the client can bypass the captive-portal authentication and access the internet directly.

    Mesh Link

    Select to enable the mesh link.

    A wireless mesh eliminates the need for Ethernet wiring by connecting Wi-Fi APs to each other by radio. AP networks can be configured in this way so that only one AP unit is connected to the wired network.

    Authentication

    Select Open or WPA2-Personal.

    If you select WPA2-Personal, then type a Pre-shared Key. This password must contain from 8 to 63 characters. Characters can be any combination of upper and lower case letters, numbers, punctuation marks, and symbols.

    Captive portal

    Select FortiAPCloud Captive Portal.

    Redirect URL

    The URL to which the user is redirected after a successful login.

    Original request:

    Specific URL:

    Walled Garden

    The walled garden is a list of web domains that users can access before completing the authentication process.

    You can type an IP address, domain name, and subnetwork address/mask.

    Separate multiple entries with a comma.

    Sign on Method

    Choose one of the following:

    • Click Through: Users go to the captive portal page and click Continue to gain access to the wireless network. Users do not type a username and password.
    • My RADIUS Server: Select a configured RADIUS server.
    • FortiAP Cloud user and group: Select a configured FortiAP Cloud group.
    • Self-registered guests: Users access the captive portal page and sign up for an account. They receive their username and password details by SMS or email as defined in step 11 of this procedure.
    • Social media: Users can sign on with their social media account. FortiAP Cloud supports Facebook, Google+, LinkedIn, and Twitter accounts.

    IP assignment

    Select Bridge or NAT. If you choose NAT, then complete the following:

    • Local LAN: Select Allow or Deny.
    • IP/Network Mask: Type the IP address and network mask of the SSID.
    • DHCP Lease Time: Default is 3600 seconds (or one hour).

    QoS Profile

    If you want to apply a QoS profile that you have already created, select it from the list.

    VLAN ID

    If the IP assignment is Bridge, you can type the ID of the VLAN for your wireless network (SSID).

    Default is 0 for non-VLAN operation.

    Advanced Settings

    With a FortiAP advanced management license, you can enable the following advanced settings:

    • Airtime Fairness Weight (%)
      Wi-Fi has a natural tendency for clients farther away or clients at lower data rates to monopolize the airtime and drag down the overall performance. Airtime Fairness (ATF) helps to improve the overall network performance.
      Airtime Fairness is configured per SSID, each SSID is granted airtime according to the configured allocation. It is configurable on both 2.4 GHz and 5 GHz radios.
      Data frames that exceed the configured % allocation are dropped. Enable Airtime Fairness when creating a Platform profile.
      • Applicable only on downlink traffic.

      • Applicable only on data, management and control functions are excluded.

      • Applicable on all types of SSIDs; Tunnel, Bridge and Mesh.

      • Applicable on all authentication modes.

      Airtime Fairness is supported with FOS 6.2.0 and on all Smart (FortiAP-S) W2 models and FAP (FortiAP) W2 models.
      Note: Enable ATF processing on desired radios in AP Platform Profile.

    • Block intra-SSID traffic
    • Tunnel Settings
      Select Tunnel Profile to add an existing GRE/L2TP Tunnel profile.
      FortiAP Cloud supports tunnel redundancy. When the primary tunnel goes down, data traffic is automatically redirected to the secondary or the standby tunnel. Select the Primary Tunnel Profile and the Secondary Tunnel Profile. For more information, see Adding a Tunnel profile.
      • Tunnel Echo Interval: The time interval to send echo requests to primary and secondary tunnel peers. The valid range is 1 to 65535 seconds; default is 300 seconds.

      • Tunnel Fallback IntervalThe time interval for secondary tunnel to fall back to the primary tunnel once it is active. The valid range is 1 to 65535 seconds; default is 7200 seconds.
    • DHCP Option 82
      DHCP option 82 (DHCP relay information) secures wireless networks served by FortiAPs against vulnerabilities that facilitate DHCP IP address starvation and spoofing/forging of IP and MAC addresses. The Circuit ID and Remote ID parameters enhance this security mechanism by allowing the FortiAP to include specific AP and client device information into the DHCP request packets. Both these options are disabled by default.
      The DHCP server can use the location of a DHCP client when assigning IP addresses or other parameters.
      Note: This feature is supported with FOS 6.2.0 and above.
        • Circuit ID: The AP information is inserted in the following formats:
        • Style-1: ASCII string composed in the format <AP MAC address>;<SSID>;<SSID-TYPE>. For example, " 00:12:F2:00:00:59;SSID12;Bridge".
        • Style-2: ASCII string composed of the AP MAC address. For example, "00:12:F2:00:00:59".
        • Style-3: ASCII string composed in the format <Network-Type:WTPProfile-Name:VLAN:SSID:AP-Model:AP-Hostname:AP-MAC address>. For example, "WLAN:FAPS221E-default:100:wifi:PS221E:FortiAP-S221E: 00:12:F2:00:00:59".

      • Remote ID: The MAC address of the client device is inserted in the following format:
        Style-1 - ASCII string composed of the client MAC address. For example, "00:12:F2:00:00:59".

    • Radio and Rates Optional Settings
  6. To go to Security, click Next.
  7. If the FortiAP model supports security features, then select the ones you want to enable.
  8. To go to Availability, click Next.
  9. Complete the following fields:

    Radio

    Select which radios you want to be active.

    Per-AP

    Select whether you want the SSID to be available to all APs or APs with specific tags.

    Schedule

    Select a schedule for when the SSID is available.

  10. To go to Captive Portal, click Next.
  11. You can customize the following:

    Logo

    You can upload an image.

    Title

    You can change the appearance of the title (background color and image as well as the text color) or the text (in English, French, or Japanese).

    Message

    You can add a message (in English, French, or Japanese) and change the background color, image, and text color.

    Self-Registered

    If you selected the sign on method as self-registered guest (in step 5), then you can customize the page for self-registered guests as well as set an account expiration period and a method to generate a username and password.

  12. To go to Preview, click Next.
  13. Review the summary. If you need to make changes, click Prev.
  14. To complete the changes, click Apply.
  15. You can now go to the Deploying a FortiAP device to a FortiAP network procedure.

Adding a FortiAP Cloud captive portal SSID to a FortiAP network

Use this procedure to add a FortiAP Cloud captive portal SSID to a FortiAP network. FortiAP Cloud includes captive portal settings that you can customize during the SSID addition.

If you want to create and use your own captive portal, then go to the Adding a My Captive Portal SSID to a FortiAP network procedure.

Prerequisites

  • If you want to use the MAC access control, make sure to import MAC addresses (see the Configuring MAC access control and MAC filtering procedure).
  • If you choose one of the following sign on methods, make sure to complete the required setup:
  • If you want to apply a QoS profile, make sure that the QoS profile exists (see the Adding a QoS profile procedure).
  • If you want the SSID to be available to APs with specific tags only, make sure that the AP tags exist (see the Adding AP tags procedure).
  • If you want to block intra-SSID traffic, and customize radio and rate optional settings, then purchase a FAP Advanced Management License.

Procedure steps

  1. On the FortiAP Cloud Home page, select the FortiAP network to which you want to add a WPA2 Personal SSID.
  2. In the Menu bar, click Configure.
  3. In the Navigation pane, click SSIDs.
  4. Click Add SSID.
  5. Complete the following fields:

    SSID

    Type a name for this wireless network. Clients use this name to find and connect to this wireless network.

    Enabled

    Select to have the SSID active.

    Broadcast SSID

    Select to broadcast the SSID. All wireless clients within range can see the SSID when they scan for available networks.

    MAC Access Control

    Select to allow clients identified in the MAC address import list to connect to that SSID.

    Fail Through Mode. This mode is available if you select the Open authentication. If you select the Fail Through Mode, then the following applies:

    • If a client is not in the MAC address import list, then the client must pass captive-portal authentication to access the internet.
    • If a client is in the MAC address import list, then the client can bypass the captive-portal authentication and access the internet directly.

    Mesh Link

    Select to enable the mesh link.

    A wireless mesh eliminates the need for Ethernet wiring by connecting Wi-Fi APs to each other by radio. AP networks can be configured in this way so that only one AP unit is connected to the wired network.

    Authentication

    Select Open or WPA2-Personal.

    If you select WPA2-Personal, then type a Pre-shared Key. This password must contain from 8 to 63 characters. Characters can be any combination of upper and lower case letters, numbers, punctuation marks, and symbols.

    Captive portal

    Select FortiAPCloud Captive Portal.

    Redirect URL

    The URL to which the user is redirected after a successful login.

    Original request:

    Specific URL:

    Walled Garden

    The walled garden is a list of web domains that users can access before completing the authentication process.

    You can type an IP address, domain name, and subnetwork address/mask.

    Separate multiple entries with a comma.

    Sign on Method

    Choose one of the following:

    • Click Through: Users go to the captive portal page and click Continue to gain access to the wireless network. Users do not type a username and password.
    • My RADIUS Server: Select a configured RADIUS server.
    • FortiAP Cloud user and group: Select a configured FortiAP Cloud group.
    • Self-registered guests: Users access the captive portal page and sign up for an account. They receive their username and password details by SMS or email as defined in step 11 of this procedure.
    • Social media: Users can sign on with their social media account. FortiAP Cloud supports Facebook, Google+, LinkedIn, and Twitter accounts.

    IP assignment

    Select Bridge or NAT. If you choose NAT, then complete the following:

    • Local LAN: Select Allow or Deny.
    • IP/Network Mask: Type the IP address and network mask of the SSID.
    • DHCP Lease Time: Default is 3600 seconds (or one hour).

    QoS Profile

    If you want to apply a QoS profile that you have already created, select it from the list.

    VLAN ID

    If the IP assignment is Bridge, you can type the ID of the VLAN for your wireless network (SSID).

    Default is 0 for non-VLAN operation.

    Advanced Settings

    With a FortiAP advanced management license, you can enable the following advanced settings:

    • Airtime Fairness Weight (%)
      Wi-Fi has a natural tendency for clients farther away or clients at lower data rates to monopolize the airtime and drag down the overall performance. Airtime Fairness (ATF) helps to improve the overall network performance.
      Airtime Fairness is configured per SSID, each SSID is granted airtime according to the configured allocation. It is configurable on both 2.4 GHz and 5 GHz radios.
      Data frames that exceed the configured % allocation are dropped. Enable Airtime Fairness when creating a Platform profile.
      • Applicable only on downlink traffic.

      • Applicable only on data, management and control functions are excluded.

      • Applicable on all types of SSIDs; Tunnel, Bridge and Mesh.

      • Applicable on all authentication modes.

      Airtime Fairness is supported with FOS 6.2.0 and on all Smart (FortiAP-S) W2 models and FAP (FortiAP) W2 models.
      Note: Enable ATF processing on desired radios in AP Platform Profile.

    • Block intra-SSID traffic
    • Tunnel Settings
      Select Tunnel Profile to add an existing GRE/L2TP Tunnel profile.
      FortiAP Cloud supports tunnel redundancy. When the primary tunnel goes down, data traffic is automatically redirected to the secondary or the standby tunnel. Select the Primary Tunnel Profile and the Secondary Tunnel Profile. For more information, see Adding a Tunnel profile.
      • Tunnel Echo Interval: The time interval to send echo requests to primary and secondary tunnel peers. The valid range is 1 to 65535 seconds; default is 300 seconds.

      • Tunnel Fallback IntervalThe time interval for secondary tunnel to fall back to the primary tunnel once it is active. The valid range is 1 to 65535 seconds; default is 7200 seconds.
    • DHCP Option 82
      DHCP option 82 (DHCP relay information) secures wireless networks served by FortiAPs against vulnerabilities that facilitate DHCP IP address starvation and spoofing/forging of IP and MAC addresses. The Circuit ID and Remote ID parameters enhance this security mechanism by allowing the FortiAP to include specific AP and client device information into the DHCP request packets. Both these options are disabled by default.
      The DHCP server can use the location of a DHCP client when assigning IP addresses or other parameters.
      Note: This feature is supported with FOS 6.2.0 and above.
        • Circuit ID: The AP information is inserted in the following formats:
        • Style-1: ASCII string composed in the format <AP MAC address>;<SSID>;<SSID-TYPE>. For example, " 00:12:F2:00:00:59;SSID12;Bridge".
        • Style-2: ASCII string composed of the AP MAC address. For example, "00:12:F2:00:00:59".
        • Style-3: ASCII string composed in the format <Network-Type:WTPProfile-Name:VLAN:SSID:AP-Model:AP-Hostname:AP-MAC address>. For example, "WLAN:FAPS221E-default:100:wifi:PS221E:FortiAP-S221E: 00:12:F2:00:00:59".

      • Remote ID: The MAC address of the client device is inserted in the following format:
        Style-1 - ASCII string composed of the client MAC address. For example, "00:12:F2:00:00:59".

    • Radio and Rates Optional Settings
  6. To go to Security, click Next.
  7. If the FortiAP model supports security features, then select the ones you want to enable.
  8. To go to Availability, click Next.
  9. Complete the following fields:

    Radio

    Select which radios you want to be active.

    Per-AP

    Select whether you want the SSID to be available to all APs or APs with specific tags.

    Schedule

    Select a schedule for when the SSID is available.

  10. To go to Captive Portal, click Next.
  11. You can customize the following:

    Logo

    You can upload an image.

    Title

    You can change the appearance of the title (background color and image as well as the text color) or the text (in English, French, or Japanese).

    Message

    You can add a message (in English, French, or Japanese) and change the background color, image, and text color.

    Self-Registered

    If you selected the sign on method as self-registered guest (in step 5), then you can customize the page for self-registered guests as well as set an account expiration period and a method to generate a username and password.

  12. To go to Preview, click Next.
  13. Review the summary. If you need to make changes, click Prev.
  14. To complete the changes, click Apply.
  15. You can now go to the Deploying a FortiAP device to a FortiAP network procedure.