
FortiWiFi and FortiAP Configuration Guide

Configuring WPA2-Personal security

WPA2-Personal security setup requires a pre-shared key (PSK) that you provide to clients. You can select between creating a single PSK or batch generating multiple pre-shared keys (MPSK). This section provides configuration instructions for deploying a WPA2-Personal SSID with FortiAP. The steps include creating an SSID with a PSK, selecting the SSID for the FortiAP, and creating a policy from the SSID to the Internet.

The following shows a simple network topology:

To deploy WPA2-Personal SSID to FortiAP units - GUI
  1. Create a WPA2-Personal SSID:
    1. Go to WiFi and Switch Controller > SSIDs, select SSID, then click Create New.
    2. Enter the desired interface name. For Traffic mode, select Tunnel.
    3. In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default. You can modify the DHCP IP address range manually.
    4. In the SSID field, enter the desired SSID name. For Security, select WPA2 Personal.
    5. In the Pre-Shared Key field, select Single as the pre-shared key mode.
    6. Enter the password. The password must be 8 to 63 characters long.
    7. Click OK.
  2. Select the SSID on a managed FortiAP. The following configuration is based on an example using a managed FortiAP-320C and a "FAP320C-default" profile that is applied to the FortiAP-320C. Do one of the following:
    1. Select the SSID by editing the FortiAP:
      1. Go to WiFi and Switch Controller > Managed FortiAPs. Select the FortiAP-320C and click Edit.
      2. Ensure that Managed AP Status is Connected.
      3. Under WiFi Setting, ensure that the configured FortiAP profile is the desired profile, in this case FAP320C-default. Click Edit entry.
      4. To broadcast the SSID from the 2.4 GHz radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to select the Fortinet-PSK SSID.
      5. To broadcast the SSID from the 5 GHz radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to select the Fortinet-PSK SSID.
      6. Click OK.
    2. Select the SSID by editing the FortiAP profile:
      1. Go to WiFi and Switch Controller > FortiAP Profiles. Select the FAP320C-default profile, then click Edit.
      2. To broadcast the SSID from the 2.4 GHz radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to select the Fortinet-PSK SSID.
      3. To broadcast the SSID from the 5 GHz radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to select the Fortinet-PSK SSID.
      4. Click OK.
  3. Create the SSID-to-Internet firewall policy:
    1. Go to Policy & Objects > Firewall Policy, then click Create New.
    2. Enter the desired policy name.
    3. From the Incoming Interface dropdown list, select the source interface, such as wifi-vap.
    4. From the Outgoing Interface dropdown list, select the destination interface, such as wan1.
    5. In the Source and Destination fields, select all. In the Service field, select ALL. If desired, you can configure different values for these fields.
    6. Click OK.

To deploy WPA2-Personal SSID to FortiAP units - CLI
  1. Create a WPA2-Personal SSID:
    1. Create a VAP interface named "wifi-vap":

      config wireless-controller vap
          edit "wifi-vap"
              set ssid "Fortinet-psk"
              set security wpa2-only-personal
              set passphrase "fortinet"
          next
      end

    2. Configure an IP address and enable DHCP:

      config system interface
          edit "wifi-vap"
              set ip 10.10.80.1 255.255.255.0
          next
      end

      config system dhcp server
          edit 1
              set dns-service default
              set default-gateway 10.10.80.1
              set netmask 255.255.255.0
              set interface "wifi-vap"
              config ip-range
                  edit 1
                      set start-ip 10.10.80.2
                      set end-ip 10.10.80.254
                  next
              end
              set timezone-option default
          next
      end

  2. Select the SSID on a managed FortiAP. The following configuration is based on an example using a managed FortiAP-320C and a "FAP320C-default" profile that is applied to the FortiAP-320C:

    config wireless-controller wtp
        edit "FP320C3X14000640"
            set admin enable
            set wtp-profile "FAP320C-default"
        next
    end

    config wireless-controller wtp-profile
        edit "FAP320C-default"
            config radio-1
                set vap-all disable
                set vaps "wifi-vap"
            end
            config radio-2
                set vap-all disable
                set vaps "wifi-vap"
            end
        next
    end

  3. Create the SSID-to-Internet firewall policy:

    config firewall policy
        edit 1
            set name "WiFi to Internet"
            set srcintf "wifi-vap"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set fsso disable
            set nat enable
        next
    end
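The CLI procedure above is usually scripted rather than typed, and the two mistakes that most often bite are a passphrase outside the 8 to 63 character range and a DHCP range that does not match the interface subnet. The following Python script is an added example, not Fortinet's code: it emits the same objects the three CLI steps create (VAP, interface address, DHCP server, firewall policy) and refuses to emit anything until those constraints pass. The parameter names, the 15-character FortiOS interface-name limit and the 32-byte SSID limit are assumptions made for this example; the default values mirror the guide's.

```python
"""Build the FortiOS CLI for a WPA2-Personal tunnel-mode SSID from parameters.

Added example (not Fortinet's code). It checks the constraints the guide states
before anything is pasted into a FortiGate: the passphrase must be 8 to 63
characters, and the DHCP range must sit inside the SSID subnet and exclude the
gateway. Defaults mirror the guide's values (wifi-vap, 10.10.80.0/24, wan1).
"""
import ipaddress


def validate_psk(psk: str) -> str:
    """WPA2-Personal passphrase: 8 to 63 printable ASCII characters (IEEE 802.11)."""
    if not 8 <= len(psk) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in psk):
        raise ValueError("passphrase must be printable ASCII")
    return psk


def validate_name(name: str, limit: int) -> str:
    """Reject quotes (they would break the CLI string) and over-long names."""
    if '"' in name or len(name.encode()) > limit:
        raise ValueError(f"invalid name {name!r}")
    return name


def validate_dhcp(gateway: str, netmask: str, start: str, end: str):
    """The lease range must lie inside the subnet and not overlap the gateway."""
    net = ipaddress.ip_network(f"{gateway}/{netmask}", strict=False)
    gw, lo, hi = (ipaddress.ip_address(a) for a in (gateway, start, end))
    if lo not in net or hi not in net:
        raise ValueError("DHCP range is outside the SSID subnet")
    if lo > hi:
        raise ValueError("DHCP start-ip is after end-ip")
    if lo <= gw <= hi:
        raise ValueError("DHCP range overlaps the gateway address")
    if lo == net.network_address or hi == net.broadcast_address:
        raise ValueError("DHCP range includes the network or broadcast address")
    return net


def wpa2_personal_config(vap="wifi-vap", ssid="Fortinet-psk", psk="fortinet",
                         gateway="10.10.80.1", netmask="255.255.255.0",
                         start="10.10.80.2", end="10.10.80.254",
                         wan="wan1", dhcp_id=1, policy_id=1) -> str:
    """Return the CLI text for the VAP, interface IP, DHCP server and policy."""
    validate_name(vap, 15)   # assumed FortiOS interface-name limit (15 characters)
    validate_name(ssid, 32)  # 802.11 SSIDs are at most 32 bytes
    validate_psk(psk)
    validate_dhcp(gateway, netmask, start, end)
    lines = [
        "config wireless-controller vap",
        f'    edit "{vap}"',
        f'        set ssid "{ssid}"',
        "        set security wpa2-only-personal",
        f'        set passphrase "{psk}"',
        "    next",
        "end",
        "config system interface",
        f'    edit "{vap}"',
        f"        set ip {gateway} {netmask}",
        "    next",
        "end",
        "config system dhcp server",
        f"    edit {dhcp_id}",
        "        set dns-service default",
        f"        set default-gateway {gateway}",
        f"        set netmask {netmask}",
        f'        set interface "{vap}"',
        "        config ip-range",
        "            edit 1",
        f"                set start-ip {start}",
        f"                set end-ip {end}",
        "            next",
        "        end",
        "        set timezone-option default",
        "    next",
        "end",
        "config firewall policy",
        f"    edit {policy_id}",
        '        set name "WiFi to Internet"',
        f'        set srcintf "{vap}"',
        f'        set dstintf "{wan}"',
        '        set srcaddr "all"',
        '        set dstaddr "all"',
        "        set action accept",
        '        set schedule "always"',
        '        set service "ALL"',
        "        set fsso disable",
        "        set nat enable",
        "    next",
        "end",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(wpa2_personal_config())
```

Run it with no arguments to reproduce the guide's configuration, or pass your own names and addresses; a rejected passphrase or DHCP range raises a ValueError before any CLI text is produced, so the error surfaces in the script rather than on the FortiGate.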

Configuring WPA2-Personal security with MPSK

You can batch generate or import MPSK keys, export MPSK keys to a CSV file, dynamically assign VLANs based on used MPSK, and apply an MPSK schedule in the GUI.

In the GUI, MPSK key entries are organized in different MPSK groups. An MPSK group can be created manually or imported. When MPSK is enabled, the previous single passphrase is dropped and a dynamic VLAN is automatically enabled.

In the CLI, an mpsk-profile is assigned in the VAP settings and MPSK is enabled. The dynamic VLAN is automatically enabled. Only one MPSK profile can be assigned to one VAP at a time.

To configure WPA2-Personal security with an MPSK group - GUI
  1. Go to WiFi and Switch Controller > SSIDs and edit your SSID entry.
  2. In Security Mode, select WPA2 Personal.
  3. In Pre-shared Key, select Multiple as the PSK mode.
  4. In the table, click Add > Create Group.
  5. Enter a group name and VLAN ID.
  6. Configure the pre-shared key settings:
    1. In the table, click Add > Generate Keys.
    2. Configure the settings as needed and click OK.
  7. Click OK to close the Pre-shared Key Group window.
  8. Click OK.

You can go to WiFi and Switch Controller > WiFi Clients to view the MPSK name in the Pre-shared Key column.

To use an MPSK profile in the CLI
  1. Configure the MPSK profile:

    config wireless-controller mpsk-profile
        edit "wifi-mpsk"
            config mpsk-group
                edit "group-a"
                    set vlan-type fixed-vlan
                    set vlan-id 10
                    config mpsk-key
                        edit "key-a-1"
                            set passphrase ENC
                            set mpsk-schedules "always"
                        next
                    end
                next
                edit "group-b"
                    set vlan-type fixed-vlan
                    set vlan-id 20
                    config mpsk-key
                        edit "key-b-1"
                            set passphrase ENC
                            set concurrent-client-limit-type unlimited
                            set mpsk-schedules "always"
                        next
                    end
                next
            end
        next
    end

  2. Configure the VAP settings:

    config wireless-controller vap
        edit "wifi-mpsk"
            set ssid "wifi-mpsk"
            set local-bridging enable
            set schedule "always"
            set mpsk-profile "wifi-mpsk"
            set dynamic-vlan enable
        next
    end

  3. Verify the event log after the WiFi client is connected:

    1: date=2020-07-10 time=16:57:20 logid="0104043573" type="event" subtype="wireless" level="notice" vd="root" eventtime=1594425440439070726 tz="-0700" logdesc="Wireless client authenticated" sn="FP423E3X16000320" ap="FP423E3X16000320" vap="wifi-mpsk" ssid="wifi-mpsk" radioid=2 user="N/A" group="N/A" stamac="3c:2e:ff:83:91:33" srcip=10.0.10.2 channel=144 radioband="802.11ac" signal=-52 snr=50 security="WPA2 Personal" encryption="AES" action="client-authentication" reason="Reserved 0" mpsk="key-a-1" msg="Client 3c:2e:ff:83:91:33 authenticated."
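The event log is the only place that records which MPSK key a station actually used, so it is the natural input for checking that keys land clients in the expected VLAN and that a key is not being used from more devices than its concurrent-client limit intends. The following Python script is an added example, not Fortinet's code: it parses the key=value syntax of the event above, maps the mpsk field to the group and fixed VLAN from the mpsk-profile "wifi-mpsk" (key-a-1 to group-a / VLAN 10, key-b-1 to group-b / VLAN 20), and counts distinct stations per key. MPSK_GROUPS is a hand-built table that mirrors the profile rather than anything read from the device; the first log line is the guide's, and the other two are constructed for this example.

```python
"""Correlate FortiOS wireless events with MPSK keys and their VLANs.

Added example (not Fortinet's code). Parses FortiOS key=value log records,
attributes each client-authentication event to an MPSK key, group and VLAN,
and reports keys used by more distinct stations than expected.
"""
import re

# Hand-built mirror of the mpsk-profile "wifi-mpsk" above: key name -> (group, VLAN).
MPSK_GROUPS = {
    "key-a-1": ("group-a", 10),
    "key-b-1": ("group-b", 20),
}

# First line is the guide's event; the next two are constructed for this example.
LOG_LINES = [
    '1: date=2020-07-10 time=16:57:20 logid="0104043573" type="event" subtype="wireless" level="notice" vd="root" eventtime=1594425440439070726 tz="-0700" logdesc="Wireless client authenticated" sn="FP423E3X16000320" ap="FP423E3X16000320" vap="wifi-mpsk" ssid="wifi-mpsk" radioid=2 user="N/A" group="N/A" stamac="3c:2e:ff:83:91:33" srcip=10.0.10.2 channel=144 radioband="802.11ac" signal=-52 snr=50 security="WPA2 Personal" encryption="AES" action="client-authentication" reason="Reserved 0" mpsk="key-a-1" msg="Client 3c:2e:ff:83:91:33 authenticated."',
    '2: date=2020-07-10 time=16:58:01 logid="0104043573" type="event" subtype="wireless" level="notice" vd="root" logdesc="Wireless client authenticated" vap="wifi-mpsk" ssid="wifi-mpsk" radioid=2 stamac="00:11:22:33:44:55" srcip=10.0.10.3 security="WPA2 Personal" encryption="AES" action="client-authentication" reason="Reserved 0" mpsk="key-a-1" msg="Client 00:11:22:33:44:55 authenticated."',
    '3: date=2020-07-10 time=16:59:12 logid="0104043573" type="event" subtype="wireless" level="notice" vd="root" logdesc="Wireless client authenticated" vap="wifi-mpsk" ssid="wifi-mpsk" radioid=1 stamac="66:77:88:99:aa:bb" srcip=10.0.20.2 security="WPA2 Personal" encryption="AES" action="client-authentication" reason="Reserved 0" mpsk="key-b-1" msg="Client 66:77:88:99:aa:bb authenticated."',
]

# key=value pairs; a value is either a double-quoted string (may contain spaces) or a bare token.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line: str) -> dict:
    """Split one FortiOS log record into a dict of field -> unquoted value."""
    line = re.sub(r"^\s*\d+:\s*", "", line)  # drop the leading record index ("1: ")
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def mpsk_event(fields: dict):
    """For a client-authentication event on an MPSK SSID, return who got which key and VLAN."""
    if fields.get("subtype") != "wireless" or fields.get("action") != "client-authentication":
        return None
    key = fields.get("mpsk")
    if not key:
        return None  # single-PSK SSID: no key name to attribute the client to
    group, vlan = MPSK_GROUPS.get(key, (None, None))  # None = key not in the profile table
    return {"stamac": fields.get("stamac"), "ssid": fields.get("ssid"),
            "mpsk": key, "group": group, "vlan": vlan}


def stations_per_key(lines) -> dict:
    """Sorted list of distinct station MACs seen per MPSK key."""
    seen = {}
    for line in lines:
        ev = mpsk_event(parse_log_line(line))
        if ev:
            seen.setdefault(ev["mpsk"], set()).add(ev["stamac"])
    return {key: sorted(macs) for key, macs in seen.items()}


def keys_over_limit(lines, limit: int) -> list:
    """MPSK keys used by more than `limit` distinct stations in the given log lines."""
    return sorted(key for key, macs in stations_per_key(lines).items() if len(macs) > limit)


if __name__ == "__main__":
    for line in LOG_LINES:
        print(mpsk_event(parse_log_line(line)))
    print("keys used by more than one station:", keys_over_limit(LOG_LINES, 1))
```

With the three sample records, key-a-1 is attributed to two stations and key-b-1 to one, so keys_over_limit(LOG_LINES, 1) flags key-a-1; feed it the exported event log and the per-key limit you configured to find keys that are being shared more widely than intended.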
