Configuring WPA2-Enterprise SSID
This section provides configuration instructions for deploying WPA2-Enterprise SSID with FortiAP using either FortiOS user groups or a RADIUS server for authentication. Once you configure your authentication method, the remaining steps include creating an SSID, selecting the SSID for the FortiAP, and creating a policy from the SSID to the Internet.
The following shows the network topology using RADIUS server authentication:
For instructions on how to configure user authentication with locally stored FortiOS user groups, see Basic wireless network example. Note that authentication with local groups only supports PEAP, not EAP-TLS.
To configure WPA2-Enterprise SSID to FortiAP units with RADIUS server authentication - GUI
- Create a RADIUS server:
- Go to User & Authentication > RADIUS Servers and click Create New.
- Enter a Name for the server.
- Under Primary Server, enter the IP address or server name.
- In the Secret field, enter the secret key used to access the server.
- Click Test Connectivity to verify the connection with the RADIUS server.
- Click Test User Credentials to verify that the user account can be authenticated with the RADIUS server.
- Optionally, enter the information for a secondary or backup RADIUS server.
- Click OK.
- Create a WPA2-Enterprise SSID:
- Go to WiFi and Switch Controller > SSIDs and click Create New > SSID.
- Enter the desired interface name. For Traffic mode, select Tunnel.
- In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default. You can modify the DHCP IP address range manually.
- In the SSID field, enter the desired SSID name. For Security, select WPA2 Enterprise.
- In the Authentication field, select RADIUS Server. From the dropdown list, select the RADIUS server created in step 1.
- Click OK.
To configure WPA2-Enterprise SSID to FortiAP units with user group authentication - GUI
- Create a user group:
- Go to User & Authentication > User Groups and click Create New.
- Enter a group name.
- For Type, select Firewall.
- For Remote Groups, click the + button. In the dropdown list, select the desired RADIUS server. Click OK.
- Click OK.
- Create a WPA2-Enterprise SSID:
- Go to WiFi and Switch Controller > SSIDs and click Create New > SSID.
- Enter an interface name. For Traffic mode, select Tunnel.
- In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default. You can modify the DHCP IP address range manually.
- In the SSID field, enter the desired SSID name. For Security, select WPA2 Enterprise.
- In the Authentication field, select Local. From the dropdown list, select the user group(s) permitted to use the wireless network.
- Click OK.
To deploy WPA2-Enterprise SSID to FortiAP units - GUI
Select the SSID on a managed FortiAP. The following configuration is based on an example using a managed FortiAP-320C and a "FAP320C-default" profile that is applied to the FortiAP-320C. Do one of the following:
- Select the SSID by editing the FortiAP:
- Go to WiFi & Switch Controller > Managed FortiAPs. Select the FortiAP-320C and click Edit.
- Ensure that Managed AP Status is Connected.
- Under WiFi Setting, ensure that the configured FortiAP profile is the desired profile, in this case FAP320C-default. Click Edit entry.
- To broadcast the SSID from 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to select the Fortinet-PSK SSID.
- To broadcast the SSID from 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to select the Fortinet-PSK SSID.
- Click OK.
- Select the SSID by editing the FortiAP profile:
- Go to WiFi & Switch Controller > FortiAP Profile. Select the FAP320C-default profile, then click Edit.
- To broadcast the SSID from 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
- To broadcast the SSID from 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
- Click OK.
- Create the SSID-to-Internet firewall policy:
- Go to Policy & Objects > Firewall Policy, then click Create New.
- Enter the desired policy name.
- From the Incoming Interface dropdown list, select the source interface, such as wifi-vap.
- From the Outgoing Interface dropdown list, select the destination interface, such as wan1.
- In the Source and Destination fields, select all. In the Service field, select ALL. If desired, you can configure different values for these fields.
- Click OK.
To deploy WPA2-Enterprise SSID to FortiAP units - CLI
- Configure an authentication method (RADIUS server or user group):
- Create a RADIUS server:
    config user radius
        edit "wifi-radius"
            set server "172.16.200.55"
            set secret fortinet
        next
    end
- Create a user group:
    config user group
        edit "group-radius"
            set member "wifi-radius"
        next
    end
- Create an SSID with authentication from the RADIUS server:
    config wireless-controller vap
        edit "wifi-vap"
            set ssid "Fortinet-Ent-Radius"
            set security wpa2-only-enterprise
            set auth radius
            set radius-server "wifi-radius"
        next
    end
- Create an SSID with authentication from the user group:
    config wireless-controller vap
        edit "wifi-vap"
            set ssid "Fortinet-Ent-Radius"
            set security wpa2-only-enterprise
            set auth usergroup
            set usergroup "group-radius"
        next
    end
config system interface
    edit "wifi-vap"
        set ip 10.10.80.1 255.255.255.0
    next
end
config system dhcp server
    edit 1
        set dns-service default
        set default-gateway 10.10.80.1
        set netmask 255.255.255.0
        set interface "wifi-vap"
        config ip-range
            edit 1
                set start-ip 10.10.80.2
                set end-ip 10.10.80.254
            next
        end
        set timezone-option default
    next
end
config wireless-controller wtp
    edit "FP320C3X14000640"
        set admin enable
        set wtp-profile "FAP320C-default"
    next
end
config wireless-controller wtp-profile
    edit "FAP320C-default"
        config radio-1
            set vap-all disable
            set vaps "wifi-vap"
        end
        config radio-2
            set vap-all disable
            set vaps "wifi-vap"
        end
    next
end
config firewall policy
    edit 1
        set name "WiFi to Internet"
        set srcintf "wifi-vap"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set nat enable
    next
end
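The CLI above is easy to mistype when pasted into a change ticket: a VAP whose radius-server or usergroup names an object that was never created, or whose security mode is not wpa2-only-enterprise, will not authenticate clients the way this page intends. The following checker is an added example, not Fortinet's code; it parses the config/edit/set/next/end structure of a FortiOS CLI snippet into a path tree and reports those two classes of mistake. The SAMPLE text is constructed from this page's RADIUS variant; the functions parse_fortios and lint are assumptions of this example.

```python
# Constructed sample (not taken from a device): the RADIUS variant of this page,
# trimmed to the two tables the checks below cross-reference.
SAMPLE = """
config user radius
    edit "wifi-radius"
        set server "172.16.200.55"
    next
end
config wireless-controller vap
    edit "wifi-vap"
        set security wpa2-only-enterprise
        set auth radius
        set radius-server "wifi-radius"
    next
end
"""

def parse_fortios(text):
    """Map each config/edit path (a tuple of names) to its 'set' key/value pairs."""
    tree, stack = {}, []
    for line in text.splitlines():
        parts = line.replace('"', "").split()  # quotes only wrap names here
        if not parts:
            continue
        if parts[0] in ("config", "edit"):     # both open a nested scope
            stack.append(" ".join(parts[1:]))
        elif parts[0] == "set":
            tree.setdefault(tuple(stack), {})[parts[1]] = " ".join(parts[2:])
        elif parts[0] in ("next", "end"):      # both close the current scope
            stack.pop()
    return tree

def lint(text):
    """Return a finding per VAP whose security mode or auth reference is wrong."""
    tree, out = parse_fortios(text), []
    defined = {"radius": {p[1] for p in tree if p[0] == "user radius"},
               "usergroup": {p[1] for p in tree if p[0] == "user group"}}
    for path, cfg in tree.items():
        if path[0] != "wireless-controller vap":
            continue
        name, auth = path[1], cfg.get("auth")
        if cfg.get("security") != "wpa2-only-enterprise":
            out.append(f"{name}: security is {cfg.get('security')}, not wpa2-only-enterprise")
        if auth not in defined:
            out.append(f"{name}: auth is {auth}, not radius or usergroup")
        elif cfg.get("radius-server" if auth == "radius" else "usergroup") not in defined[auth]:
            out.append(f"{name}: {auth} reference points to an undefined object")
    return out
```

Running lint(SAMPLE) on the page's own snippet returns no findings; changing the radius-server name to one that has no config user radius entry produces a dangling-reference finding for wifi-vap.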