FortiAP Cloud User Guide
Adding a WPA3-SAE/WPA3-SAE Transition SSID to a FortiAP network

Use this procedure to add a WPA3 simultaneous authentication of equals (SAE) or WPA3-SAE Transition SSID to a FortiAP network.

Prerequisites

  • If you want to use the MAC access control, make sure to import MAC addresses (see the Configuring MAC access control and MAC filtering procedure).
  • If you want to apply a QoS profile, make sure that the QoS profile exists (see the Adding a QoS profile procedure).
  • If you want the SSID to be available to APs with specific tags only, make sure that the AP tags exist (see the Adding AP tags procedure).
  • If you want to block intra-SSID traffic, and customize radio and rate optional settings, then purchase a FAP Advanced Management License.

Procedure steps

  1. On the FortiAP Cloud Home page, select the FortiAP network to which you want to add a WPA3 SAE SSID.
  2. In the Menu bar, click Configure.
  3. In the Navigation bar, click SSIDs.
  4. Click Add SSID.
  5. Complete the following fields:

    SSID

    Type a name for this wireless network. Wireless clients use this name to find and connect to this wireless network.

    Enabled

    Select to have the SSID active.

    Broadcast SSID

    Select to advertise the SSID. All wireless clients within range can see the SSID when they scan for available networks.

    MAC Access Control

    Select to allow clients identified in the MAC address import list to connect to that SSID.

    Mesh Link

    Select to enable the mesh link.

    A wireless mesh eliminates the need for Ethernet wiring by connecting Wi-Fi APs to each other by radio. AP networks can be configured in this way so that only one AP unit is connected to the wired network.

    Authentication

    Select WPA3-SAE or WPA3-SAE Transition.

    • WPA3-SAE: Type an SAE Password. This password must contain 8 to 32 alphanumeric characters or exactly 64 hexadecimal digits.
    • WPA3-SAE Transition: Enables mixed (WPA2 and WPA3) mode authentication. Two passwords are used on the SSID: a client that presents the SAE Password connects with WPA3-SAE, and a client that presents the Pre-shared Key connects with WPA2-PSK. The PSK must contain 8 to 63 printable ASCII characters or exactly 64 hexadecimal digits.
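As an added example (not Fortinet's code), the two password rules above expressed as a checker for a WPA3-SAE Transition SSID. The point it makes is that the SAE Password and the Pre-shared Key follow different rules, so a passphrase that is a valid WPA2 PSK can still be rejected as the SAE Password; the function names and the sample passphrases are constructed for this example.

```python
import re

# Exactly 64 hexadecimal digits is accepted for both credential types.
HEX64 = re.compile(r"^[0-9A-Fa-f]{64}$")


def check_sae_password(pw):
    """Return the list of rule violations for a WPA3-SAE Password (empty list means valid)."""
    if HEX64.match(pw):
        return []
    problems = []
    if not 8 <= len(pw) <= 32:
        problems.append("SAE Password must be 8 to 32 characters or exactly 64 hex digits")
    # The documented rule is alphanumeric only: letters and digits, no symbols or spaces.
    if not (pw.isascii() and pw.isalnum()):
        problems.append("SAE Password must contain only alphanumeric characters")
    return problems


def check_wpa2_psk(psk):
    """Return the list of rule violations for a WPA2 Pre-shared Key (empty list means valid)."""
    if HEX64.match(psk):
        return []
    problems = []
    if not 8 <= len(psk) <= 63:
        problems.append("PSK must be 8 to 63 characters or exactly 64 hex digits")
    # Printable ASCII is taken here as 0x20..0x7E (an assumption about "printable").
    if not all(0x20 <= ord(c) <= 0x7E for c in psk):
        problems.append("PSK must contain only printable ASCII characters")
    return problems


def check_transition_ssid(sae_password, pre_shared_key):
    """Check both credentials of a WPA3-SAE Transition SSID; each key maps to its violations."""
    return {
        "sae_password": check_sae_password(sae_password),
        "pre_shared_key": check_wpa2_psk(pre_shared_key),
    }


if __name__ == "__main__":
    # Constructed sample: the same passphrase reused for both credentials.
    print(check_transition_ssid("Guest-Wifi-2024!", "Guest-Wifi-2024!"))
```

Reusing one passphrase with symbols for both fields passes the PSK check but fails the SAE check, which is the mistake the checker is meant to catch before the SSID is applied.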

    Captive Portal

    Add a captive portal to the SSID.

    To add a FortiAP Cloud captive portal, see section Adding a FortiAP Cloud captive portal SSID.

    To add your own captive portal, see section Adding a My Captive Portal SSID to a FortiAP network.

    IP assignment

    Select Bridge or NAT. If you choose NAT, then complete the following:

    • Local LAN: Select Allow or Deny.
    • IP/Network Mask: Type the IP address and network mask of the SSID.
    • DHCP Lease Time: Default is 3600 seconds (or one hour).

    QoS Profile

    If you want to apply a QoS profile that you have already created, select it from the list.

    VLAN ID

    If the IP assignment is Bridge, you can type the ID of the VLAN for your wireless network (SSID).

    Default is 0 for non-VLAN operation.

    Advanced Settings

    With a FortiAP advanced management license, you can enable the following advanced settings:

    • Airtime Fairness Weight (%)
      Wi-Fi has a natural tendency for clients that are farther away, or that connect at lower data rates, to monopolize the airtime and drag down overall performance. Airtime Fairness (ATF) helps to improve overall network performance.
      Airtime Fairness is configured per SSID: each SSID is granted airtime according to its configured allocation. It is configurable on both 2.4 GHz and 5 GHz radios.
      Data frames that exceed the configured % allocation are dropped. Enable Airtime Fairness when creating a Platform profile.
      • Applicable only on downlink traffic.
      • Applicable only to data frames; management and control frames are excluded.
      • Applicable on all types of SSIDs: Tunnel, Bridge and Mesh.
      • Applicable on all authentication modes.
      Airtime Fairness is supported with FOS 6.2.0 and on all Smart (FortiAP-S) W2 models and FAP (FortiAP) W2 models.
      Note: Enable ATF processing on the desired radios in the AP Platform Profile.

    • Block intra-SSID traffic
    • Tunnel Settings
      Select Tunnel Profile to add an existing GRE/L2TP Tunnel profile.
      FortiAP Cloud supports tunnel redundancy. When the primary tunnel goes down, data traffic is automatically redirected to the secondary or the standby tunnel. Select the Primary Tunnel Profile and the Secondary Tunnel Profile. For more information, see Adding a Tunnel profile.
      • Tunnel Echo Interval: The time interval to send echo requests to the primary and secondary tunnel peers. The valid range is 1 to 65535 seconds; default is 300 seconds.
      • Tunnel Fallback Interval: The time interval for the secondary tunnel to fall back to the primary tunnel once it is active. The valid range is 1 to 65535 seconds; default is 7200 seconds.
    • DHCP Option 82
      DHCP option 82 (DHCP relay information) secures wireless networks served by FortiAPs against vulnerabilities that facilitate DHCP IP address starvation and spoofing/forging of IP and MAC addresses. The Circuit ID and Remote ID parameters enhance this security mechanism by allowing the FortiAP to include specific AP and client device information into the DHCP request packets. Both these options are disabled by default.
      The DHCP server can use the location of a DHCP client when assigning IP addresses or other parameters.
      Note: This feature is supported with FOS 6.2.0 and above.
      • Circuit ID: The AP information is inserted in one of the following formats:
        • Style-1: ASCII string composed in the format <AP MAC address>;<SSID>;<SSID-TYPE>. For example, " 00:12:F2:00:00:59;SSID12;Bridge".
        • Style-2: ASCII string composed of the AP MAC address. For example, "00:12:F2:00:00:59".
        • Style-3: ASCII string composed in the format <Network-Type:WTPProfile-Name:VLAN:SSID:AP-Model:AP-Hostname:AP-MAC address>. For example, "WLAN:FAPS221E-default:100:wifi:PS221E:FortiAP-S221E: 00:12:F2:00:00:59".
      • Remote ID: The MAC address of the client device is inserted in the following format:
        • Style-1: ASCII string composed of the client MAC address. For example, "00:12:F2:00:00:59".

    • Radio and Rates Optional Settings
  6. To go to Security, click Next.
  7. If the FortiAP model supports security features, then select the ones you want to enable.
  8. To go to Availability, click Next.
  9. Complete the following fields:

    Radio

    Select which radios you want to be active.

    Per-AP

    Select whether you want the SSID to be available to all APs or APs with specific tags.

    Schedule

    Select a schedule for when the SSID is available.

  10. To go to Preview, click Next.
  11. Review the summary. If you need to make changes, click Prev.
  12. To complete the changes, click Apply.
  13. You can now go to the Deploying a FortiAP device to a FortiAP network procedure.
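As an added example (not Fortinet's code), a parser for the DHCP Option 82 Circuit ID and Remote ID strings described under Advanced Settings in step 5. It recognises the three Circuit ID styles from their separators, normalises the AP MAC address, and tolerates the stray space that appears in the page's own Style-1 and Style-3 examples; a DHCP server or log pipeline that keys on AP or VLAN can use the parsed fields. The function names and the assumption that SSID and hostname fields contain no ":" or ";" are this example's own.

```python
import re
from dataclasses import dataclass, field

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


@dataclass
class CircuitId:
    style: int            # 1, 2 or 3, as documented for the FortiAP Circuit ID sub-option
    ap_mac: str           # normalised to upper-case colon-separated form
    fields: dict = field(default_factory=dict)


def _norm_mac(s):
    s = s.strip()         # the documented examples show a leading space before the MAC
    if not MAC_RE.match(s):
        raise ValueError(f"not a MAC address: {s!r}")
    return s.upper()


def parse_circuit_id(raw):
    """Classify a Circuit ID string as Style-1, -2 or -3 and split out its fields."""
    s = raw.strip()
    if ";" in s:          # Style-1: <AP MAC address>;<SSID>;<SSID-TYPE>
        parts = s.split(";")
        if len(parts) != 3:
            raise ValueError("Style-1 needs exactly three ';'-separated fields")
        return CircuitId(1, _norm_mac(parts[0]), {"ssid": parts[1], "ssid_type": parts[2]})
    if MAC_RE.match(s):   # Style-2: bare AP MAC address
        return CircuitId(2, _norm_mac(s))
    # Style-3: six ':'-separated fields followed by the AP MAC, which itself holds five ':'.
    parts = s.split(":")
    if len(parts) != 12:
        raise ValueError("Style-3 needs six fields followed by a MAC address")
    names = ("network_type", "wtp_profile", "vlan", "ssid", "ap_model", "ap_hostname")
    fields = dict(zip(names, (p.strip() for p in parts[:6])))
    fields["vlan"] = int(fields["vlan"])
    return CircuitId(3, _norm_mac(":".join(parts[6:])), fields)


def parse_remote_id(raw):
    """Remote ID Style-1 carries only the client MAC address."""
    return _norm_mac(raw)


if __name__ == "__main__":
    # Constructed input, using the Style-3 example string from the documentation.
    print(parse_circuit_id("WLAN:FAPS221E-default:100:wifi:PS221E:FortiAP-S221E: 00:12:F2:00:00:59"))
```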