Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiWiFi and FortiAP Configuration Guide

    Home FortiAP / FortiWiFi 6.2.0 FortiWiFi and FortiAP Configuration Guide
    6.2.0
    7.6.0
    7.4.5
    7.4.4
    7.4.2
    7.4.1
    7.4.0
    7.2.5
    7.2.4
    7.2.1
    7.2.0
    7.0.4
    7.0.2
    7.0.1
    7.0.0
    6.4.6
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.2
    6.2.0
    6.0.5
    6.0.4
    6.0.3
    5.6.4
    5.4.3

    Configuring security

    Configuring security

    An SSID supports the following security modes:

    • Open
    • Captive portal
    • Wi-Fi Protected Access version 2 (WPA2), WPA2-Personal and WPA2-Enterprise
    • WPA3-Enterprise
    • WPA3-Simultaneous Authentication of Equals (SAE)
    • WPA3-SAE Transition
    • Opportunistic Wireless Encryption (OWE)
    • OWE Transition
    • OSU Server-Only Authenticated L2 Encryption Network (OSEN)

    WPA2 security with a pre-shared key for authentication is called WPA2-Personal. This can work well for one person or a small group of trusted people. But, as the number of users increases, it is difficult to distribute new keys securely and there is increased risk that the key could fall into the wrong hands.

    A more secure form of WPA2 security is WPA2-Enterprise. Users each have their own authentication credentials, verified through an authentication server, usually RADIUS. FortiOS can also authenticate WPA2-Enterprise users through its built-in user group functionality. FortiGate user groups can include RADIUS servers and can select users by RADIUS user group. This makes possible Role-Based Access Control (RBAC).

    By default, WPA2 security encrypts communication using Advanced Encryption Standard (AES). But some older wireless clients support only Temporal Key Integrity Protocol (TKIP). You can change the encryption to TKIP or negotiable TKIP-AES in the CLI. For example, to accommodate clients with either TKIP or AES, enter:

    config wireless-controller vap

    edit example_wlan

    set security wpa-personal

    set passphrase "hardtoguess"

    set encrypt TKIP-AES

    end

    Captive portal security connects users to an open web portal defined in replacement messages. To navigate to any location beyond the web portal, the user must pass FortiGate user authentication.

    WPA-Personal security

    WPA2-Personal security setup requires only the preshared key that you will provide to your clients.

    To configure WPA2-Personal security - GUI
    1. Go to WiFi & Switch Controller > SSID and edit your SSID entry.
    2. In Security Mode, select WPA2 Personal.
    3. In Pre-shared Key, enter a key between 8 and 63 characters long.
    4. Select OK.
    To configure WPA2-Personal security - CLI

    config wireless-controller vap

    edit example_wlan

    set security wpa2-personal

    set passphrase "hardtoguess"

    end

    WPA-Enterprise security

    If you will use FortiOS user groups for authentication, go to User & Device > User > User Groups and create those groups first. The groups should be Firewall groups.

    If you will use a RADIUS server to authenticate wireless clients, you must first configure the FortiGate unit to access the RADIUS server.

    To configure FortiGate unit access to the RADIUS server - GUI
    1. Go to User & Device > RADIUS Servers and select Create New.
    2. Enter a Name for the server.
      1. In Primary Server area:
        1. IP/Name — enter the network name or IP address for the server.
        2. Secret — enter the shared secret used to access the server.
    4. Optionally, enter the information for a secondary or backup RADIUS server.
    5. Select OK.
    To configure the FortiGate unit to access the RADIUS server - CLI

    config user radius

    edit exampleRADIUS

    set auth-type auto

    set server 10.11.102.100

    set secret aoewmntiasf

    end

    RADIUS Change of Authorization (CoA) support

    The CoA feature enables the FortiGate to receive a client disconnect message from the RADIUS server. This is used to disconnect clients when their time, credit or bandwidth had been used up. Enable this on the RADIUS server using the CLI:

    config user radius

    edit <name>

    set radius-coa enable

    end

    To configure WPA-Enterprise security - GUI
    1. Go to WiFi & Switch Controller > SSID and edit your SSID entry.
    2. In Security Mode, select WPA2 Enterprise.
    3. In Authentication, do one of the following:
      • If you will use a RADIUS server for authentication, select RADIUS Server and then select the RADIUS server.
      • If you will use a local user group for authentication, select Local and then select the user group(s) permitted to use the wireless network.
    4. Select OK.
    To configure WPA-Enterprise security - CLI

    config wireless-controller vap

    edit example_wlan

    set security wpa2-enterprise

    set auth radius

    set radius-server exampleRADIUS

    end

    Captive portal security

    Captive portal security provides an access point that initially appears open. The wireless client can connect to the AP with no security credentials. The AP responds to the client’s first HTTP request with a web page requesting user name and password. Until the user enters valid credentials, no communication beyond the AP is permitted.

    The captive portal can be hosted on the FortiGate unit, or externally. For details see

    Configuring WiFi captive portal security - FortiGate captive portal

    Configuring WiFi captive portal security - external server

    For general information about captive portals, see the Captive Portal chapter of the Authentication Guide.

    Configuring WiFi captive portal security - FortiGate captive portal

    The built-in FortiGate captive portal is simpler than an external portal. It can even be customized if needed.

    To configure a WiFi Captive Portal - GUI:
    1. Go to WiFi & Switch Controller > SSID and create your SSID.
      If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.
    2. In Security Mode, select Captive Portal.
    3. Enter

      4. Portal Type

      The portal can provide authentication and/or disclaimer, or perform user email address collection.

      Authentication Portal

      Local

      User Groups

      Select permitted user groups or select Use Groups from Policies, which permits the groups specified in the security policy.

      Exempt List

      Select exempt lists whose members will not be subject to captive portal authentication.

      Customize Portal Messages

      Click the link of the portal page that you want to modify. For more information see the Captive Portal chapter of the Authentication Guide.
    4. Select OK.

    Configuring WiFi captive portal security - external server

    An external captive portal is a web page on a web server. The essential part of the web portal page is a script that gathers the user’s logon credentials and sends back to the FortiGate a specifically-formatted POST message. The portal page can also contain links to local information such as legal notices, terms of service and so on. Without authenticating, the user cannot access any other information. This is sometimes called a “walled garden”.

    On the captive portal page, the user submits credentials, which the script returns to the FortiGate at the URL https://<FGT_IP>:1000/fgtauth with data
    magic=session_id&username=<username>&password=<password>.
    (The magic value was provided in the initial FortiGate request to the web server.)

    To ensure that credentials are communicated securely, enable the use of HTTPS for authentication:

    config user setting

    set auth-secure-http enable

    end

    To configure use of an external WiFi Captive Portal - GUI:
    1. Go to WiFi & Switch Controller > SSID and create your SSID.
      If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.
    2. In Security Mode, select Captive Portal.
    3. Enter

      4. Portal Type

      The portal can provide authentication and/or disclaimer, or perform user email address collection.

      Authentication Portal

      External - enter the FQDN or IP address of the external portal. Typically, this is the URL of a script. Do not include the protocol (http:// or https://) part of the URL.

      User Groups

      Select permitted user groups or select Use Groups from Policies, which permits the groups specified in the security policy.

      Exempt List

      Select exempt lists whose members will not be subject to captive portal authentication.

      Redirect after Captive Portal

      Original Request

      Specific URL - enter URL
    4. Select OK.

    Adding a MAC filter

    On each SSID or FortiAP, you can create a MAC address filter list to either permit or exclude a list of clients identified by their MAC addresses.

    This is actually not as secure as it appears. Someone seeking unauthorized access to your network can obtain MAC addresses from wireless traffic and use them to impersonate legitimate users. A MAC filter list should only be used in conjunction with other security measures such as encryption.

    To block a specific client from connecting to an SSID using a MAC filter - CLI

    1. Create a wireless controller address with the client's MAC address, and set the policy to deny:

      config wireless-controller address

      edit "client_1"

      set mac b4:ae:2b:cb:d1:72

      set policy deny

      next

      end

    2. Create a wireless controller address group using the above address and setting the default policy to allow:

      config wireless-controller addrgrp

      edit mac_grp

      set addresses "client_1"

      set default-policy allow

      next

      end

    3. On the VAP, select the above address group:

      config wireless-controller vap

      edit wifi-vap

      set ssid "Fortinet-psk"

      set security wpa2-only-personal

      set passphrase fortinet

      set address-group "mac_grp"

      next

      end

    The client's MAC address (b4:ae:2b:cb:d1:72 in this example) will be denied a connection to the SSID (Fortinet-psk), but other clients (such as e0:33:8e:e9:65:01) will be allowed to connect.

    To allow a specific client to connect to an SSID using a MAC filter - CLI

    1. Create a wireless controller address with the client's MAC address, and set the policy to allow:

      config wireless-controller address

      edit "client_1"

      set mac b4:ae:2b:cb:d1:72

      set policy allow

      next

      end

    2. Create a wireless controller address group using the above address and setting the default policy to deny:

      config wireless-controller addrgrp

      edit mac_grp

      set addresses "client_1"

      set default-policy deny

      next

      end

    3. On the VAP, select the above address group:

      config wireless-controller vap

      edit wifi-vap

      set ssid "Fortinet-psk"

      set security wpa2-only-personal

      set passphrase fortinet

      set address-group "mac_grp"

      next

      end

    The client's MAC address (b4:ae:2b:cb:d1:73 in this example) will be allowed to connect to the SSID (Fortinet-psk), but other clients (such as e0:33:8e:e9:65:01) will be denied a connection.

    To block a specific client from connecting to a WTP or FortiAP - CLI

    config wireless-controller wtp-profile

    edit "FAP-profile"

    config deny-mac-list

    edit 1

    set mac 00:09:11:ef:37:67

    next

    end

    end

    You can log in to the FortiAP CLI to see the list of denied MAC addresses with the following command:

    cw_diag -c deny-mac-list

    WTP Configured Access Control List:

    00:09:11:ef:37:67

    ---------------Total 1 MAC entries----------------

    You can also see the denied event recorded from the FortiGate wireless event log.

    Limiting the number of clients

    You might want to prevent overloading of your access point by limiting the number of clients who can associate with it at the same time. Limits can be applied per SSID, per AP, or per radio.

    To limit the number of clients per SSID - GUI
    1. Go to WiFi & Switch Controller > SSID and edit your SSID.
    2. Turn on Maximum Clients and enter the maximum number of clients in Limit Concurrent WiFi Clients.
    To limit the number of clients per AP- CLI

    Edit the wtp-profile (FortiAP profile), like this:

    config wireless-controller wtp-profile

    edit "FAP221C-default"

    set max-clients 30

    end

    To limit the number of clients per radio - CLI

    Edit the wtp-profile (FortiAP profile), like this:

    config wireless-controller wtp-profile

    edit "FAP221C-default"

    config radio-1

    set max-clients 10

    end

    config radio-2

    set max-clients 30

    end

    end

    Enabling multicast enhancement

    FortiOS can translate multicast traffic into unicast traffic to send to clients, maintaining its own multicast client through IGMP snooping. You can configure this in the CLI:

    config wireless-controller vap

    edit example_wlan

    set multicast-enhance enable

    set me-disable-thresh 32

    end

    If the number of clients on the SSID is larger than me-disable-thresh, multicast enhancement is disabled.

    Previous
    Next

    Configuring security

    Configuring security

    An SSID supports the following security modes:

    • Open
    • Captive portal
    • Wi-Fi Protected Access version 2 (WPA2), WPA2-Personal and WPA2-Enterprise
    • WPA3-Enterprise
    • WPA3-Simultaneous Authentication of Equals (SAE)
    • WPA3-SAE Transition
    • Opportunistic Wireless Encryption (OWE)
    • OWE Transition
    • OSU Server-Only Authenticated L2 Encryption Network (OSEN)

    WPA2 security with a pre-shared key for authentication is called WPA2-Personal. This can work well for one person or a small group of trusted people. But, as the number of users increases, it is difficult to distribute new keys securely and there is increased risk that the key could fall into the wrong hands.

    A more secure form of WPA2 security is WPA2-Enterprise. Users each have their own authentication credentials, verified through an authentication server, usually RADIUS. FortiOS can also authenticate WPA2-Enterprise users through its built-in user group functionality. FortiGate user groups can include RADIUS servers and can select users by RADIUS user group. This makes possible Role-Based Access Control (RBAC).

    By default, WPA2 security encrypts communication using Advanced Encryption Standard (AES). But some older wireless clients support only Temporal Key Integrity Protocol (TKIP). You can change the encryption to TKIP or negotiable TKIP-AES in the CLI. For example, to accommodate clients with either TKIP or AES, enter:

    config wireless-controller vap

    edit example_wlan

    set security wpa-personal

    set passphrase "hardtoguess"

    set encrypt TKIP-AES

    end

    Captive portal security connects users to an open web portal defined in replacement messages. To navigate to any location beyond the web portal, the user must pass FortiGate user authentication.

    WPA-Personal security

    WPA2-Personal security setup requires only the preshared key that you will provide to your clients.

    To configure WPA2-Personal security - GUI
    1. Go to WiFi & Switch Controller > SSID and edit your SSID entry.
    2. In Security Mode, select WPA2 Personal.
    3. In Pre-shared Key, enter a key between 8 and 63 characters long.
    4. Select OK.
    To configure WPA2-Personal security - CLI

    config wireless-controller vap

    edit example_wlan

    set security wpa2-personal

    set passphrase "hardtoguess"

    end

    WPA-Enterprise security

    If you will use FortiOS user groups for authentication, go to User & Device > User > User Groups and create those groups first. The groups should be Firewall groups.

    If you will use a RADIUS server to authenticate wireless clients, you must first configure the FortiGate unit to access the RADIUS server.

    To configure FortiGate unit access to the RADIUS server - GUI
    1. Go to User & Device > RADIUS Servers and select Create New.
    2. Enter a Name for the server.
      1. In Primary Server area:
        1. IP/Name — enter the network name or IP address for the server.
        2. Secret — enter the shared secret used to access the server.
    4. Optionally, enter the information for a secondary or backup RADIUS server.
    5. Select OK.
    To configure the FortiGate unit to access the RADIUS server - CLI

    config user radius

    edit exampleRADIUS

    set auth-type auto

    set server 10.11.102.100

    set secret aoewmntiasf

    end

    RADIUS Change of Authorization (CoA) support

    The CoA feature enables the FortiGate to receive a client disconnect message from the RADIUS server. This is used to disconnect clients when their time, credit or bandwidth had been used up. Enable this on the RADIUS server using the CLI:

    config user radius

    edit <name>

    set radius-coa enable

    end

    To configure WPA-Enterprise security - GUI
    1. Go to WiFi & Switch Controller > SSID and edit your SSID entry.
    2. In Security Mode, select WPA2 Enterprise.
    3. In Authentication, do one of the following:
      • If you will use a RADIUS server for authentication, select RADIUS Server and then select the RADIUS server.
      • If you will use a local user group for authentication, select Local and then select the user group(s) permitted to use the wireless network.
    4. Select OK.
    To configure WPA-Enterprise security - CLI

    config wireless-controller vap

    edit example_wlan

    set security wpa2-enterprise

    set auth radius

    set radius-server exampleRADIUS

    end

    Captive portal security

    Captive portal security provides an access point that initially appears open. The wireless client can connect to the AP with no security credentials. The AP responds to the client’s first HTTP request with a web page requesting user name and password. Until the user enters valid credentials, no communication beyond the AP is permitted.

    The captive portal can be hosted on the FortiGate unit, or externally. For details see

    Configuring WiFi captive portal security - FortiGate captive portal

    Configuring WiFi captive portal security - external server

    For general information about captive portals, see the Captive Portal chapter of the Authentication Guide.

    Configuring WiFi captive portal security - FortiGate captive portal

    The built-in FortiGate captive portal is simpler than an external portal. It can even be customized if needed.

    To configure a WiFi Captive Portal - GUI:
    1. Go to WiFi & Switch Controller > SSID and create your SSID.
      If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.
    2. In Security Mode, select Captive Portal.
    3. Enter

      4. Portal Type

      The portal can provide authentication and/or disclaimer, or perform user email address collection.

      Authentication Portal

      Local

      User Groups

      Select permitted user groups or select Use Groups from Policies, which permits the groups specified in the security policy.

      Exempt List

      Select exempt lists whose members will not be subject to captive portal authentication.

      Customize Portal Messages

      Click the link of the portal page that you want to modify. For more information see the Captive Portal chapter of the Authentication Guide.
    4. Select OK.

    Configuring WiFi captive portal security - external server

    An external captive portal is a web page on a web server. The essential part of the web portal page is a script that gathers the user’s logon credentials and sends back to the FortiGate a specifically-formatted POST message. The portal page can also contain links to local information such as legal notices, terms of service and so on. Without authenticating, the user cannot access any other information. This is sometimes called a “walled garden”.

    On the captive portal page, the user submits credentials, which the script returns to the FortiGate at the URL https://<FGT_IP>:1000/fgtauth with data
    magic=session_id&username=<username>&password=<password>.
    (The magic value was provided in the initial FortiGate request to the web server.)

    To ensure that credentials are communicated securely, enable the use of HTTPS for authentication:

    config user setting

    set auth-secure-http enable

    end

    To configure use of an external WiFi Captive Portal - GUI:
    1. Go to WiFi & Switch Controller > SSID and create your SSID.
      If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.
    2. In Security Mode, select Captive Portal.
    3. Enter

      4. Portal Type

      The portal can provide authentication and/or disclaimer, or perform user email address collection.

      Authentication Portal

      External - enter the FQDN or IP address of the external portal. Typically, this is the URL of a script. Do not include the protocol (http:// or https://) part of the URL.

      User Groups

      Select permitted user groups or select Use Groups from Policies, which permits the groups specified in the security policy.

      Exempt List

      Select exempt lists whose members will not be subject to captive portal authentication.

      Redirect after Captive Portal

      Original Request

      Specific URL - enter URL
    4. Select OK.

    Adding a MAC filter

    On each SSID or FortiAP, you can create a MAC address filter list to either permit or exclude a list of clients identified by their MAC addresses.

    This is actually not as secure as it appears. Someone seeking unauthorized access to your network can obtain MAC addresses from wireless traffic and use them to impersonate legitimate users. A MAC filter list should only be used in conjunction with other security measures such as encryption.

    To block a specific client from connecting to an SSID using a MAC filter - CLI

    1. Create a wireless controller address with the client's MAC address, and set the policy to deny:

      config wireless-controller address

      edit "client_1"

      set mac b4:ae:2b:cb:d1:72

      set policy deny

      next

      end

    2. Create a wireless controller address group using the above address and setting the default policy to allow:

      config wireless-controller addrgrp

      edit mac_grp

      set addresses "client_1"

      set default-policy allow

      next

      end

    3. On the VAP, select the above address group:

      config wireless-controller vap

      edit wifi-vap

      set ssid "Fortinet-psk"

      set security wpa2-only-personal

      set passphrase fortinet

      set address-group "mac_grp"

      next

      end

    The client's MAC address (b4:ae:2b:cb:d1:72 in this example) will be denied a connection to the SSID (Fortinet-psk), but other clients (such as e0:33:8e:e9:65:01) will be allowed to connect.

    To allow a specific client to connect to an SSID using a MAC filter - CLI

    1. Create a wireless controller address with the client's MAC address, and set the policy to allow:

      config wireless-controller address

      edit "client_1"

      set mac b4:ae:2b:cb:d1:72

      set policy allow

      next

      end

    2. Create a wireless controller address group using the above address and setting the default policy to deny:

      config wireless-controller addrgrp

      edit mac_grp

      set addresses "client_1"

      set default-policy deny

      next

      end

    3. On the VAP, select the above address group:

      config wireless-controller vap

      edit wifi-vap

      set ssid "Fortinet-psk"

      set security wpa2-only-personal

      set passphrase fortinet

      set address-group "mac_grp"

      next

      end

    The client's MAC address (b4:ae:2b:cb:d1:73 in this example) will be allowed to connect to the SSID (Fortinet-psk), but other clients (such as e0:33:8e:e9:65:01) will be denied a connection.

    To block a specific client from connecting to a WTP or FortiAP - CLI

    config wireless-controller wtp-profile

    edit "FAP-profile"

    config deny-mac-list

    edit 1

    set mac 00:09:11:ef:37:67

    next

    end

    end

    You can log in to the FortiAP CLI to see the list of denied MAC addresses with the following command:

    cw_diag -c deny-mac-list

    WTP Configured Access Control List:

    00:09:11:ef:37:67

    ---------------Total 1 MAC entries----------------

    You can also see the denied event recorded from the FortiGate wireless event log.

    Limiting the number of clients

    You might want to prevent overloading of your access point by limiting the number of clients who can associate with it at the same time. Limits can be applied per SSID, per AP, or per radio.

    To limit the number of clients per SSID - GUI
    1. Go to WiFi & Switch Controller > SSID and edit your SSID.
    2. Turn on Maximum Clients and enter the maximum number of clients in Limit Concurrent WiFi Clients.
    To limit the number of clients per AP- CLI

    Edit the wtp-profile (FortiAP profile), like this:

    config wireless-controller wtp-profile

    edit "FAP221C-default"

    set max-clients 30

    end

    To limit the number of clients per radio - CLI

    Edit the wtp-profile (FortiAP profile), like this:

    config wireless-controller wtp-profile

    edit "FAP221C-default"

    config radio-1

    set max-clients 10

    end

    config radio-2

    set max-clients 30

    end

    end

    Enabling multicast enhancement

    FortiOS can translate multicast traffic into unicast traffic to send to clients, maintaining its own multicast client through IGMP snooping. You can configure this in the CLI:

    config wireless-controller vap

    edit example_wlan

    set multicast-enhance enable

    set me-disable-thresh 32

    end

    If the number of clients on the SSID is larger than me-disable-thresh, multicast enhancement is disabled.

    Previous
    Next