You begin configuring your wireless network by defining one or more SSIDs to which your users can connect. When you create an SSID, a virtual network interface is also created with the Name you specified in the SSID configuration.
If a software switch interface contains an SSID (but only one), the WiFi SSID settings are available in the switch interface settings.
- Go to WiFi and Switch Controller > SSIDs and select Create New > SSID.
Fill in the following SSID fields as needed:
Enter a name for the SSID interface.
Tunnel — (Tunnel to Wireless Controller) Data for WLAN passes through WiFi Controller. This is the default.
Bridge — (Local bridge with FortiAP Interface) FortiAP unit Ethernet and WiFi interfaces are bridged.
Mesh — (Mesh Downlink) Radio receives data for WLAN from mesh backhaul SSID.
Enter the IP address and netmask for the SSID.
Enter the IPv6 address. This is available only when IPv6 has been enabled on the unit.
If you have IPv4 addresses, select the permitted IPv4 administrative access types for this SSID.
If you have IPv6 addresses, select the permitted IPv6 administrative access types for this SSID.
To assign IP addresses to clients, enable DHCP server. You can define IP address ranges for a DHCP server on the FortiGate unit or relay DHCP requests to an external server.
Note: If the unit is in transparent mode, the DHCP server settings will be unavailable.
For more information, see Configuring DHCP for WiFi clients.
Detect connected device type. Enabled by default.
Enter the SSID. By default, this field contains
Limit the number of clients allowed in the SSID.
Disable broadcast of SSID. By default, the SSID is broadcast.
Enable to advertise specified vendor specific elements over beacon frames containing information about the FortiAP name, model and serial number. This can be used to determine the coverage area of a FortiAP.
Name – The FortiAP name.
Model – The FortiAP model.
Serial Number – The FortiAP serial number.
For more information, see Determining the coverage area of a FortiAP.
Select the security mode for the wireless interface. Wireless users must use the same security mode to be able to connect to this wireless interface. Additional security mode options are available in the CLI. For more information, see Configuring security.
- Captive Portal – authenticates users through a customizable web page. For more information, see Captive Portal Security.
- WPA2-Personal – WPA2 is WiFi Protected Access version 2. Users use a pre-shared key (password) to obtain access.
- WPA2-Personal with Captive Portal – The user will need to know the pre-shared key and will also be authenticated through the custom portal.
- WPA2-Enterprise – similar to WPA2-Personal, but is best used for enterprise networks. Each user is separately authenticated by user name and password.
- Other choices are: WPA3-Enterprise, WPA3-SAE, WPA3-SAE-Transition, OWE, and OSEN.
Available only when Security Mode is WPA2-Enterprise.
Select one of the following:
RADIUS Server — Select the RADIUS server that will authenticate the clients.
Local – Select the user group(s) that can authenticate.
Available only when Security Mode is Captive Portal. Choose the captive portal type. Authentication is available with or without a usage policy disclaimer notice.
Local - portal hosted on the FortiGate unit
External - enter FQDN or IP address of external portal
Select permitted user groups for captive portal authentication.
Select exempt lists whose members will not be subject to captive portal authentication.
Customize Portal Messages
Click the listed portal pages to edit them.
Available only when Security Mode is WPA2-Personal.
Select between Single or Multiple encryption key modes that clients must use.
Setting multiple pre-shared keys will enable dynamic VLAN assignment.
Allow New WiFi Client Connections When Controller Is Down
This option is available for local bridge SSIDs with WPA-Personal security. See Continued FortiAP operation when WiFi controller connection is down.
Select when the SSID is enabled. You can choose any schedule defined in Policy & Objects > Objects > Schedules.
Block Intra-SSID Traffic
Select to enable the unit to block intra-SSID traffic.
Optional VLAN ID
Enter the ID of the VLAN this SSID belongs to. Enter 0 for non-VLAN operation. See Reserved VLAN IDs.
Select to limit the number of clients permitted to connect simultaneously. Enter the limit value.
Select to enable some subnets to remain local to the remote FortiAP. Traffic for these networks is not routed through the WiFi Controller. Specify split-tunnel networks in the FortiAP Profile. See Remote WLAN FortiAPs.
Enable Explicit Web Proxy
Select to enable explicit web proxy for the SSID.
Listen for RADIUS Accounting Messages
Enable if you are using RADIUS-based single sign-on (SSO).
Secondary IP Address
Optionally, enable and define secondary IP addresses. Administrative access can be enabled on secondary interfaces.
Enter a description or comment for the SSID.
- Click OK to save.
- Go to WiFi and Switch Controller > SSIDs.
- Go to Network > Interfaces.
WiFi interfaces list the SSID beside the interface Name.
- Go to WiFi and Switch Controller > SSIDs.
- Edit the SSID fields, as needed.
The example below creates an access point with SSID "example" and WPA2-Personal security. The wireless interface is named example_wlan.
WiFi SSIDs include a schedule that determines when the WiFi network is available. The default schedule is Always. You can choose any schedule (but not schedule group) that is defined in Policy & Objects > Objects > Schedules.
config wireless-controller vap
set ssid "example"
set broadcast-ssid enable
set security wpa2-only-personal
set passphrase "hardtoguess”
set schedule always
set vdom root
config system interface
set ip 10.10.120.1 255.255.255.0
Wireless clients need to have IP addresses. If you use RADIUS authentication, each user’s IP address can be stored in the Framed-IP-Address attribute. Otherwise, you need to configure a DHCP server on the WLAN interface to assign IP addresses to wireless clients.
- Go to WiFi and Switch Controller > SSIDs and edit your SSID entry.
- In DHCP Server select Enable.
- In Address Range, select Create New.
- In the Starting IP and End IP fields, enter the IP address range to assign.
By default an address range is created in the same subnet as the wireless interface IP address, but not including that address.
- Set the Netmask to an appropriate value, such as 255.255.255.0.
- Set the Default Gateway to Same as Interface IP.
- Set the DNS Server to Same as System DNS.
- If you want to restrict access to the wireless network by MAC address, see Adding a MAC filter.
- Select OK.
In this example, WiFi clients on the example_wlan interface are assigned addresses in the 10.10.120.2-9 range to connect with the WiFi access point on 10.10.120.1.
config system dhcp server
set default-gateway 10.10.120.1
set dns-service default
set interface example_wlan
set netmask 255.255.255.0
set end-ip 10.10.120.9
set start-ip 10.10.120.2
You cannot delete an SSID (wireless interface) that has DHCP enabled on it.
For SSIDs in local standalone NAT mode, up to three DNS servers can be defined and assigned to wireless endpoints through DHCP. Wireless endpoints can then receive these DNS server IPs through DHCP when connecting to the SSID.
In this example, an SSID (wifi.fap.01) is configured in local standalone mode with local standalone NAT enabled. Two DNS servers, 18.104.22.168 and 22.214.171.124, are specified.
config wireless-controller vap
set ssid "wifi-ssid.fap.01"
set passphrase **********
set local-standalone enable
set local-standalone-nat enable
set local-standalone-dns enable
set local-standalone-dns-ip 126.96.36.199 188.8.131.52
set local-bridging enable
set local-authentication enable
You can check the configured DNS server with the following commands: