Fortinet white logo
Fortinet white logo

FortiWiFi and FortiAP Configuration Guide

Defining a wireless network interface (SSID)

Defining a wireless network interface (SSID)

You begin configuring your wireless network by defining one or more SSIDs to which your users can connect. When you create an SSID, a virtual network interface is also created with the Name you specified in the SSID configuration.

Note

If a software switch interface contains an SSID (but only one), the WiFi SSID settings are available in the switch interface settings.

To create a new SSID
  1. Go to WiFi and Switch Controller > SSIDs and select Create New > SSID.
  2. Fill in the SSID fields as described below.
To edit the settings of an existing SSID
  1. Either
    • Go to WiFi and Switch Controller > SSIDs.

      or

    • Go to Network > Interfaces.

      WiFi interfaces list the SSID beside the interface Name.

  2. Edit the SSID fields, as needed.
SSID fields

Interface Name

Enter a name for the SSID interface.

Type

WiFi SSID.

Traffic Mode

Tunnel — (Tunnel to Wireless Controller) Data for WLAN passes through WiFi Controller. This is the default.

Bridge — (Local bridge with FortiAP Interface) FortiAP unit Ethernet and WiFi interfaces are bridged.

Mesh — (Mesh Downlink) Radio receives data for WLAN from mesh backhaul SSID.

IP/Network Mask

Enter the IP address and netmask for the SSID.

IPv6 Address

Enter the IPv6 address. This is available only when IPv6 has been enabled on the unit.

Administrative Access

Select which types of administrative access are permitted on this SSID.

IPv6 Administrative Access

If you have IPv6 addresses, select the permitted IPv6 administrative access types for this SSID.

DHCP Server

To assign IP addresses to clients, enable DHCP server. You can define IP address ranges for a DHCP server on the FortiGate unit or relay DHCP requests to an external server.

If the unit is in transparent mode, the DHCP server settings will be unavailable.

For more information, see Configuring DHCP for WiFi clients.

Device Detection

Detect connected device type. Enabled by default.

Active Scanning

Enabled by default.

WiFi Settings

SSID

Enter the SSID. By default, this field contains fortinet.

Security Mode

Select the security mode for the wireless interface. Wireless users must use the same security mode to be able to connect to this wireless interface. Additional security mode options are available in the CLI. For more information, see Configuring security.

Captive Portal – authenticates users through a customizable web page.

WPA2-Personal – WPA2 is WiFi Protected Access version 2. Users use a pre-shared key (password) to obtain access..

WPA2-Personal with Captive Portal – The user will need to know the pre-shared key and will also be authenticated through the custom portal.

WPA2-Enterprise – similar to WPA2-Personal, but is best used for enterprise networks. Each user is separately authenticated by user name and password.

Other choices are: WPA3-Enterprise, WPA3-SAE, WPA3-SAE-Transition, OWE, and OSEN.

Pre-shared Key

Available only when Security Mode is WPA2-Personal.

Select between Single or Multiple encryption key modes that clients must use.

Setting multiple pre-shared keys will enable dynamic VLAN assignment.

Authentication

Available only when Security Mode is WPA2-Enterprise.

Select one of the following:

RADIUS Server — Select the RADIUS server that will authenticate the clients.

Local – Select the user group(s) that can authenticate.

Portal Type

Available only when Security Mode is Captive Portal. Choose the captive portal type. Authentication is available with or without a usage policy disclaimer notice.

Authentication Portal

Local - portal hosted on the FortiGate unit
External - enter FQDN or IP address of external portal

User Groups

Select permitted user groups for captive portal authentication.

Exempt List

Select exempt lists whose members will not be subject to captive portal authentication.

Customize Portal Messages

Click the listed portal pages to edit them.

Redirect after Captive Portal

Optionally, select Specific URL and enter a URL for user redirection after captive portal authentication. By default, users are redirected to the URL that they originally requested.

Allow New WiFi Client Connections When Controller Is Down

This option is available for local bridge SSIDs with WPA-Personal security. See Continued FortiAP operation when WiFi controller connection is down.

Broadcast SSID

Optionally, disable broadcast of SSID. By default, the SSID is broadcast.

Schedule

Select when the SSID is enabled. You can choose any schedule defined in Policy & Objects > Objects > Schedules.

Block Intra-SSID Traffic

Select to enable the unit to block intra-SSID traffic.

Maximum Clients

Select to limit the number of clients permitted to connect simultaneously. Enter the limit value.

Split Tunneling

Select to enable some subnets to remain local to the remote FortiAP. Traffic for these networks is not routed through the WiFi Controller. Specify split-tunnel networks in the FortiAP Profile. See Remote WLAN FortiAPs.

Optional VLAN ID

Enter the ID of the VLAN this SSID belongs to. Enter 0 for non-VLAN operation. See Reserved VLAN IDs.

Enable Explicit Web Proxy

Select to enable explicit web proxy for the SSID.

Listen for RADIUS Accounting Messages

Enable if you are using RADIUS-based single sign-on (SSO).

Secondary IP Address

Optionally, enable and define secondary IP addresses. Administrative access can be enabled on secondary interfaces.

Comments

Enter a description or comment for the SSID.

To configure a virtual access point (VAP)/SSID - CLI

The example below creates an access point with SSID “example” and WPA2-Personal security. The wireless interface is named example_wlan.

WiFi SSIDs include a schedule that determines when the WiFi network is available. The default schedule is Always. You can choose any schedule (but not schedule group) that is defined in Policy & Objects > Objects > Schedules.

config wireless-controller vap

edit example_wlan

set ssid "example"

set broadcast-ssid enable

set security wpa2-only-personal

set passphrase "hardtoguess”

set schedule always

set vdom root

end

config system interface

edit example_wlan

set ip 10.10.120.1 255.255.255.0

end

Configuring DHCP for WiFi clients

Wireless clients need to have IP addresses. If you use RADIUS authentication, each user’s IP address can be stored in the Framed-IP-Address attribute. Otherwise, you need to configure a DHCP server on the WLAN interface to assign IP addresses to wireless clients.

To configure a DHCP server for WiFi clients - GUI
  1. Go to WiFi and Switch Controller > SSIDs and edit your SSID entry.
  2. In DHCP Server select Enable.
  3. In Address Range, select Create New.
  4. In the Starting IP and End IP fields, enter the IP address range to assign.
    By default an address range is created in the same subnet as the wireless interface IP address, but not including that address.
  5. Set the Netmask to an appropriate value, such as 255.255.255.0.
  6. Set the Default Gateway to Same as Interface IP.
  7. Set the DNS Server to Same as System DNS.
  8. If you want to restrict access to the wireless network by MAC address, see Adding a MAC filter.
  9. Select OK.
To configure a DHCP server for WiFi clients - CLI

In this example, WiFi clients on the example_wlan interface are assigned addresses in the 10.10.120.2-9 range to connect with the WiFi access point on 10.10.120.1.

config system dhcp server

edit 0

set default-gateway 10.10.120.1

set dns-service default

set interface example_wlan

set netmask 255.255.255.0

config ip-range

edit 1

set end-ip 10.10.120.9

set start-ip 10.10.120.2

end

end

Note

You cannot delete an SSID (wireless interface) that has DHCP enabled on it.

Configuring DNS for local standalone NAT VAPs

For SSIDs in local standalone NAT mode, up to three DNS servers can be defined and assigned to wireless endpoints through DHCP. Wireless endpoints can then receive these DNS server IPs through DHCP when connecting to the SSID.

To configure the DNS servers

In this example, an SSID (wifi.fap.01) is configured in local standalone mode with local standalone NAT enabled. Two DNS servers, 8.8.8.8 and 8.8.4.4, are specified.

config wireless-controller vap

edit "wifi.fap.01"

set ssid "wifi-ssid.fap.01"

set passphrase **********

set local-standalone enable

set local-standalone-nat enable

set local-standalone-dns enable

set local-standalone-dns-ip 8.8.8.8 8.8.4.4

set local-bridging enable

set local-authentication enable

next

end

Note

You cancheck the configured DNS server with the following commands:

  • On FortiGate:

    # diagnose wireless-controller wlac -c wlan wifi.fap.01

  • On the managed FortiAP:

    FortiAP-431F # vcfg

    FortiAP-431F # dhcpconf

Defining a wireless network interface (SSID)

Defining a wireless network interface (SSID)

You begin configuring your wireless network by defining one or more SSIDs to which your users can connect. When you create an SSID, a virtual network interface is also created with the Name you specified in the SSID configuration.

Note

If a software switch interface contains an SSID (but only one), the WiFi SSID settings are available in the switch interface settings.

To create a new SSID
  1. Go to WiFi and Switch Controller > SSIDs and select Create New > SSID.
  2. Fill in the SSID fields as described below.
To edit the settings of an existing SSID
  1. Either
    • Go to WiFi and Switch Controller > SSIDs.

      or

    • Go to Network > Interfaces.

      WiFi interfaces list the SSID beside the interface Name.

  2. Edit the SSID fields, as needed.
SSID fields

Interface Name

Enter a name for the SSID interface.

Type

WiFi SSID.

Traffic Mode

Tunnel — (Tunnel to Wireless Controller) Data for WLAN passes through WiFi Controller. This is the default.

Bridge — (Local bridge with FortiAP Interface) FortiAP unit Ethernet and WiFi interfaces are bridged.

Mesh — (Mesh Downlink) Radio receives data for WLAN from mesh backhaul SSID.

IP/Network Mask

Enter the IP address and netmask for the SSID.

IPv6 Address

Enter the IPv6 address. This is available only when IPv6 has been enabled on the unit.

Administrative Access

Select which types of administrative access are permitted on this SSID.

IPv6 Administrative Access

If you have IPv6 addresses, select the permitted IPv6 administrative access types for this SSID.

DHCP Server

To assign IP addresses to clients, enable DHCP server. You can define IP address ranges for a DHCP server on the FortiGate unit or relay DHCP requests to an external server.

If the unit is in transparent mode, the DHCP server settings will be unavailable.

For more information, see Configuring DHCP for WiFi clients.

Device Detection

Detect connected device type. Enabled by default.

Active Scanning

Enabled by default.

WiFi Settings

SSID

Enter the SSID. By default, this field contains fortinet.

Security Mode

Select the security mode for the wireless interface. Wireless users must use the same security mode to be able to connect to this wireless interface. Additional security mode options are available in the CLI. For more information, see Configuring security.

Captive Portal – authenticates users through a customizable web page.

WPA2-Personal – WPA2 is WiFi Protected Access version 2. Users use a pre-shared key (password) to obtain access..

WPA2-Personal with Captive Portal – The user will need to know the pre-shared key and will also be authenticated through the custom portal.

WPA2-Enterprise – similar to WPA2-Personal, but is best used for enterprise networks. Each user is separately authenticated by user name and password.

Other choices are: WPA3-Enterprise, WPA3-SAE, WPA3-SAE-Transition, OWE, and OSEN.

Pre-shared Key

Available only when Security Mode is WPA2-Personal.

Select between Single or Multiple encryption key modes that clients must use.

Setting multiple pre-shared keys will enable dynamic VLAN assignment.

Authentication

Available only when Security Mode is WPA2-Enterprise.

Select one of the following:

RADIUS Server — Select the RADIUS server that will authenticate the clients.

Local – Select the user group(s) that can authenticate.

Portal Type

Available only when Security Mode is Captive Portal. Choose the captive portal type. Authentication is available with or without a usage policy disclaimer notice.

Authentication Portal

Local - portal hosted on the FortiGate unit
External - enter FQDN or IP address of external portal

User Groups

Select permitted user groups for captive portal authentication.

Exempt List

Select exempt lists whose members will not be subject to captive portal authentication.

Customize Portal Messages

Click the listed portal pages to edit them.

Redirect after Captive Portal

Optionally, select Specific URL and enter a URL for user redirection after captive portal authentication. By default, users are redirected to the URL that they originally requested.

Allow New WiFi Client Connections When Controller Is Down

This option is available for local bridge SSIDs with WPA-Personal security. See Continued FortiAP operation when WiFi controller connection is down.

Broadcast SSID

Optionally, disable broadcast of SSID. By default, the SSID is broadcast.

Schedule

Select when the SSID is enabled. You can choose any schedule defined in Policy & Objects > Objects > Schedules.

Block Intra-SSID Traffic

Select to enable the unit to block intra-SSID traffic.

Maximum Clients

Select to limit the number of clients permitted to connect simultaneously. Enter the limit value.

Split Tunneling

Select to enable some subnets to remain local to the remote FortiAP. Traffic for these networks is not routed through the WiFi Controller. Specify split-tunnel networks in the FortiAP Profile. See Remote WLAN FortiAPs.

Optional VLAN ID

Enter the ID of the VLAN this SSID belongs to. Enter 0 for non-VLAN operation. See Reserved VLAN IDs.

Enable Explicit Web Proxy

Select to enable explicit web proxy for the SSID.

Listen for RADIUS Accounting Messages

Enable if you are using RADIUS-based single sign-on (SSO).

Secondary IP Address

Optionally, enable and define secondary IP addresses. Administrative access can be enabled on secondary interfaces.

Comments

Enter a description or comment for the SSID.

To configure a virtual access point (VAP)/SSID - CLI

The example below creates an access point with SSID “example” and WPA2-Personal security. The wireless interface is named example_wlan.

WiFi SSIDs include a schedule that determines when the WiFi network is available. The default schedule is Always. You can choose any schedule (but not schedule group) that is defined in Policy & Objects > Objects > Schedules.

config wireless-controller vap

edit example_wlan

set ssid "example"

set broadcast-ssid enable

set security wpa2-only-personal

set passphrase "hardtoguess”

set schedule always

set vdom root

end

config system interface

edit example_wlan

set ip 10.10.120.1 255.255.255.0

end

Configuring DHCP for WiFi clients

Wireless clients need to have IP addresses. If you use RADIUS authentication, each user’s IP address can be stored in the Framed-IP-Address attribute. Otherwise, you need to configure a DHCP server on the WLAN interface to assign IP addresses to wireless clients.

To configure a DHCP server for WiFi clients - GUI
  1. Go to WiFi and Switch Controller > SSIDs and edit your SSID entry.
  2. In DHCP Server select Enable.
  3. In Address Range, select Create New.
  4. In the Starting IP and End IP fields, enter the IP address range to assign.
    By default an address range is created in the same subnet as the wireless interface IP address, but not including that address.
  5. Set the Netmask to an appropriate value, such as 255.255.255.0.
  6. Set the Default Gateway to Same as Interface IP.
  7. Set the DNS Server to Same as System DNS.
  8. If you want to restrict access to the wireless network by MAC address, see Adding a MAC filter.
  9. Select OK.
To configure a DHCP server for WiFi clients - CLI

In this example, WiFi clients on the example_wlan interface are assigned addresses in the 10.10.120.2-9 range to connect with the WiFi access point on 10.10.120.1.

config system dhcp server

edit 0

set default-gateway 10.10.120.1

set dns-service default

set interface example_wlan

set netmask 255.255.255.0

config ip-range

edit 1

set end-ip 10.10.120.9

set start-ip 10.10.120.2

end

end

Note

You cannot delete an SSID (wireless interface) that has DHCP enabled on it.

Configuring DNS for local standalone NAT VAPs

For SSIDs in local standalone NAT mode, up to three DNS servers can be defined and assigned to wireless endpoints through DHCP. Wireless endpoints can then receive these DNS server IPs through DHCP when connecting to the SSID.

To configure the DNS servers

In this example, an SSID (wifi.fap.01) is configured in local standalone mode with local standalone NAT enabled. Two DNS servers, 8.8.8.8 and 8.8.4.4, are specified.

config wireless-controller vap

edit "wifi.fap.01"

set ssid "wifi-ssid.fap.01"

set passphrase **********

set local-standalone enable

set local-standalone-nat enable

set local-standalone-dns enable

set local-standalone-dns-ip 8.8.8.8 8.8.4.4

set local-bridging enable

set local-authentication enable

next

end

Note

You cancheck the configured DNS server with the following commands:

  • On FortiGate:

    # diagnose wireless-controller wlac -c wlan wifi.fap.01

  • On the managed FortiAP:

    FortiAP-431F # vcfg

    FortiAP-431F # dhcpconf