Defining a wireless network interface (SSID)
You begin configuring your wireless network by defining one or more SSIDs to which your users can connect. When you create an SSID, a virtual network interface is also created with the Name you specified in the SSID configuration.
If a software switch interface contains an SSID (but only one), the WiFi SSID settings are available in the switch interface settings. |
To create a new SSID
- Go to WiFi and Switch Controller > SSIDs and select Create New > SSID.
- Fill in the SSID fields as described below.
To edit the settings of an existing SSID
- Either
- Go to WiFi and Switch Controller > SSIDs.
or
- Go to Network > Interfaces.
WiFi interfaces list the SSID beside the interface Name.
- Go to WiFi and Switch Controller > SSIDs.
- Edit the SSID fields, as needed.
SSID fields
Interface Name |
Enter a name for the SSID interface. |
Type |
WiFi SSID. |
Traffic Mode |
Tunnel — (Tunnel to Wireless Controller) Data for WLAN passes through WiFi Controller. This is the default. |
IP/Network Mask |
Enter the IP address and netmask for the SSID. |
IPv6 Address |
Enter the IPv6 address. This is available only when IPv6 has been enabled on the unit. |
Administrative Access |
Select which types of administrative access are permitted on this SSID. |
IPv6 Administrative Access |
If you have IPv6 addresses, select the permitted IPv6 administrative access types for this SSID. |
DHCP Server |
To assign IP addresses to clients, enable DHCP server. You can define IP address ranges for a DHCP server on the FortiGate unit or relay DHCP requests to an external server. |
Device Detection |
Detect connected device type. Enabled by default. |
Active Scanning |
Enabled by default. |
WiFi Settings |
|
SSID |
Enter the SSID. By default, this field contains |
Security Mode |
Select the security mode for the wireless interface. Wireless users must use the same security mode to be able to connect to this wireless interface. Additional security mode options are available in the CLI. For more information, see Configuring security. |
|
Captive Portal – authenticates users through a customizable web page. |
|
WPA2-Personal – WPA2 is WiFi Protected Access version 2. Users use a pre-shared key (password) to obtain access.. |
|
WPA2-Personal with Captive Portal – The user will need to know the pre-shared key and will also be authenticated through the custom portal. |
|
WPA2-Enterprise – similar to WPA2-Personal, but is best used for enterprise networks. Each user is separately authenticated by user name and password. |
|
Other choices are: WPA3-Enterprise, WPA3-SAE, WPA3-SAE-Transition, OWE, and OSEN. |
Pre-shared Key |
Available only when Security Mode is WPA2-Personal. Select between Single or Multiple encryption key modes that clients must use. Setting multiple pre-shared keys will enable dynamic VLAN assignment. |
Authentication |
Available only when Security Mode is WPA2-Enterprise. Select one of the following: RADIUS Server — Select the RADIUS server that will authenticate the clients. Local – Select the user group(s) that can authenticate. |
Portal Type |
Available only when Security Mode is Captive Portal. Choose the captive portal type. Authentication is available with or without a usage policy disclaimer notice. |
Authentication Portal |
Local - portal hosted on the FortiGate unit |
User Groups |
Select permitted user groups for captive portal authentication. |
Exempt List |
Select exempt lists whose members will not be subject to captive portal authentication. |
Customize Portal Messages |
Click the listed portal pages to edit them. |
Redirect after Captive Portal |
Optionally, select Specific URL and enter a URL for user redirection after captive portal authentication. By default, users are redirected to the URL that they originally requested. |
Allow New WiFi Client Connections When Controller Is Down |
This option is available for local bridge SSIDs with WPA-Personal security. See Continued FortiAP operation when WiFi controller connection is down. |
Broadcast SSID |
Optionally, disable broadcast of SSID. By default, the SSID is broadcast. |
Schedule |
Select when the SSID is enabled. You can choose any schedule defined in Policy & Objects > Objects > Schedules. |
Block Intra-SSID Traffic |
Select to enable the unit to block intra-SSID traffic. |
Maximum Clients |
Select to limit the number of clients permitted to connect simultaneously. Enter the limit value. |
Split Tunneling |
Select to enable some subnets to remain local to the remote FortiAP. Traffic for these networks is not routed through the WiFi Controller. Specify split-tunnel networks in the FortiAP Profile. See Remote WLAN FortiAPs. |
Optional VLAN ID |
Enter the ID of the VLAN this SSID belongs to. Enter 0 for non-VLAN operation. See Reserved VLAN IDs. |
Enable Explicit Web Proxy |
Select to enable explicit web proxy for the SSID. |
Listen for RADIUS Accounting Messages |
Enable if you are using RADIUS-based single sign-on (SSO). |
Secondary IP Address |
Optionally, enable and define secondary IP addresses. Administrative access can be enabled on secondary interfaces. |
Comments |
Enter a description or comment for the SSID. |
To configure a virtual access point (VAP)/SSID - CLI
The example below creates an access point with SSID “example” and WPA2-Personal security. The wireless interface is named example_wlan.
WiFi SSIDs include a schedule that determines when the WiFi network is available. The default schedule is Always. You can choose any schedule (but not schedule group) that is defined in Policy & Objects > Objects > Schedules.
config wireless-controller vap
edit example_wlan
set ssid "example"
set broadcast-ssid enable
set security wpa2-only-personal
set passphrase "hardtoguess”
set schedule always
set vdom root
end
config system interface
edit example_wlan
set ip 10.10.120.1 255.255.255.0
end
Configuring DHCP for WiFi clients
Wireless clients need to have IP addresses. If you use RADIUS authentication, each user’s IP address can be stored in the Framed-IP-Address attribute. Otherwise, you need to configure a DHCP server on the WLAN interface to assign IP addresses to wireless clients.
To configure a DHCP server for WiFi clients - GUI
- Go to WiFi and Switch Controller > SSIDs and edit your SSID entry.
- In DHCP Server select Enable.
- In Address Range, select Create New.
- In the Starting IP and End IP fields, enter the IP address range to assign.
By default an address range is created in the same subnet as the wireless interface IP address, but not including that address. - Set the Netmask to an appropriate value, such as 255.255.255.0.
- Set the Default Gateway to Same as Interface IP.
- Set the DNS Server to Same as System DNS.
- If you want to restrict access to the wireless network by MAC address, see Adding a MAC filter.
- Select OK.
To configure a DHCP server for WiFi clients - CLI
In this example, WiFi clients on the example_wlan interface are assigned addresses in the 10.10.120.2-9 range to connect with the WiFi access point on 10.10.120.1.
config system dhcp server
edit 0
set default-gateway 10.10.120.1
set dns-service default
set interface example_wlan
set netmask 255.255.255.0
config ip-range
edit 1
set end-ip 10.10.120.9
set start-ip 10.10.120.2
end
end
You cannot delete an SSID (wireless interface) that has DHCP enabled on it. |
Configuring DNS for local standalone NAT VAPs
For SSIDs in local standalone NAT mode, up to three DNS servers can be defined and assigned to wireless endpoints through DHCP. Wireless endpoints can then receive these DNS server IPs through DHCP when connecting to the SSID.
To configure the DNS servers
In this example, an SSID (wifi.fap.01) is configured in local standalone mode with local standalone NAT enabled. Two DNS servers, 8.8.8.8 and 8.8.4.4, are specified.
config wireless-controller vap
edit "wifi.fap.01"
set ssid "wifi-ssid.fap.01"
set passphrase **********
set local-standalone enable
set local-standalone-nat enable
set local-standalone-dns enable
set local-standalone-dns-ip 8.8.8.8 8.8.4.4
set local-bridging enable
set local-authentication enable
next
end
You cancheck the configured DNS server with the following commands:
|