Defining a wireless network interface (SSID)
You begin configuring your wireless network by defining one or more SSIDs to which your users can connect. When you create an SSID, a virtual network interface is also created with the Name you specified in the SSID configuration.
If a software switch interface contains an SSID (but only one), the WiFi SSID settings are available in the switch interface settings. |
To create a new SSID
- Go to WiFi and Switch Controller > SSIDs and select Create New > SSID.
-
Fill in the following SSID fields as needed:
Name
Enter a name for the SSID interface.
Type
WiFi SSID.
Traffic Mode
Tunnel — (Tunnel to Wireless Controller) Data for WLAN passes through WiFi Controller. This is the default.
Bridge — (Local bridge with FortiAP Interface) FortiAP unit Ethernet and WiFi interfaces are bridged.
Mesh — (Mesh Downlink) Radio receives data for WLAN from mesh backhaul SSID.Address
IP/Network Mask
Enter the IP address and netmask for the SSID.
IPv6 Address/Prefix
Enter the IPv6 address. This is available only when IPv6 has been enabled on the unit.
Secondary IP Address
Optionally, enable and define secondary IP addresses. Administrative access can be enabled on secondary interfaces.
Administrative Access
IPv4
If you have IPv4 addresses, select the permitted IPv4 administrative access types for this SSID.
IPv6
If you have IPv6 addresses, select the permitted IPv6 administrative access types for this SSID.
DHCP Server
To assign IP addresses to clients, enable DHCP server. You can define IP address ranges for a DHCP server on the FortiGate unit or relay DHCP requests to an external server.
Note: If the unit is in transparent mode, the DHCP server settings will be unavailable.For more information, see Configuring DHCP for WiFi clients.
Network
Device Detection
Detect connected device type. Enabled by default.
WiFi Settings
SSID
Enter the SSID. By default, this field contains
fortinet
.Client limit
Limit the number of clients allowed in the SSID.
Broadcast SSID
Disable broadcast of SSID. By default, the SSID is broadcast.
Beacon advertising
Enable to advertise specified vendor specific elements over beacon frames containing information about the FortiAP name, model and serial number. This can be used to determine the coverage area of a FortiAP.
-
Name – The FortiAP name.
-
Model – The FortiAP model.
-
Serial Number – The FortiAP serial number.
For more information, see Determining the coverage area of a FortiAP.
Security Mode
Select the security mode for the wireless interface. Wireless users must use the same security mode to be able to connect to this wireless interface. Additional security mode options are available in the CLI. For more information, see Configuring security.
- Captive Portal – authenticates users through a customizable web page. For more information, see Captive Portal Security.
- WPA2-Personal – WPA2 is WiFi Protected Access version 2. Users use a pre-shared key (password) to obtain access.
- WPA2-Personal with Captive Portal – The user will need to know the pre-shared key and will also be authenticated through the custom portal.
- WPA2-Enterprise – similar to WPA2-Personal, but is best used for enterprise networks. Each user is separately authenticated by user name and password.
- Other choices are: WPA3-Enterprise, WPA3-SAE, WPA3-SAE-Transition, OWE, and OSEN.
Authentication
Available only when Security Mode is WPA2-Enterprise.
Select one of the following:
RADIUS Server — Select the RADIUS server that will authenticate the clients.
Local – Select the user group(s) that can authenticate.
Portal Type
Available only when Security Mode is Captive Portal. Choose the captive portal type. Authentication is available with or without a usage policy disclaimer notice.
Authentication Portal
Local - portal hosted on the FortiGate unit
External - enter FQDN or IP address of external portalUser Groups
Select permitted user groups for captive portal authentication.
Exempt List
Select exempt lists whose members will not be subject to captive portal authentication.
Customize Portal Messages
Click the listed portal pages to edit them.
Pre-shared Key
Available only when Security Mode is WPA2-Personal.
Select between Single or Multiple encryption key modes that clients must use.
Setting multiple pre-shared keys will enable dynamic VLAN assignment.
Additional Settings
Schedule
Select when the SSID is enabled. You can choose any schedule defined in Policy & Objects > Objects > Schedules.
Block intra-SSID traffic
Select to enable the unit to block intra-SSID traffic.
Optional VLAN ID
Enter the ID of the VLAN this SSID belongs to. Enter 0 for non-VLAN operation. See Reserved VLAN IDs.
Broadcast suppression
Enable and add broadcasts you want to suppress.
Quarantine host
Enable so you can quarantine clients connected to the SSID.
Split Tunneling
Select to enable some subnets to remain local to the remote FortiAP. Traffic for these networks is not routed through the WiFi Controller. Specify split-tunnel networks in the FortiAP Profile. See Remote WLAN FortiAPs.
Enable Explicit Web Proxy
Select to enable explicit web proxy for the SSID.
Listen for RADIUS Accounting Messages
Enable if you are using RADIUS-based single sign-on (SSO).
Comments
Enter a description or comment for the SSID.
-
- Click OK to save.
To edit the settings of an existing SSID
- Either
- Go to WiFi and Switch Controller > SSIDs.
or
- Go to Network > Interfaces.
WiFi interfaces list the SSID beside the interface Name.
- Go to WiFi and Switch Controller > SSIDs.
- Edit the SSID fields, as needed.
To configure a virtual access point (VAP)/SSID - CLI
The example below creates an access point with SSID "example" and WPA2-Personal security. The wireless interface is named example_wlan.
WiFi SSIDs include a schedule that determines when the WiFi network is available. The default schedule is Always. You can choose any schedule (but not schedule group) that is defined in Policy & Objects > Objects > Schedules.
config wireless-controller vap
edit example_wlan
set ssid "example"
set broadcast-ssid enable
set security wpa2-only-personal
set passphrase "hardtoguess”
set schedule always
set vdom root
end
config system interface
edit example_wlan
set ip 10.10.120.1 255.255.255.0
end
Configuring DHCP for WiFi clients
Wireless clients need to have IP addresses. If you use RADIUS authentication, each user’s IP address can be stored in the Framed-IP-Address attribute. Otherwise, you need to configure a DHCP server on the WLAN interface to assign IP addresses to wireless clients.
To configure a DHCP server for WiFi clients - GUI
- Go to WiFi and Switch Controller > SSIDs and edit your SSID entry.
- In DHCP Server select Enable.
- In Address Range, select Create New.
- In the Starting IP and End IP fields, enter the IP address range to assign.
By default an address range is created in the same subnet as the wireless interface IP address, but not including that address. - Set the Netmask to an appropriate value, such as 255.255.255.0.
- Set the Default Gateway to Same as Interface IP.
- Set the DNS Server to Same as System DNS.
- If you want to restrict access to the wireless network by MAC address, see Adding a MAC filter.
- Select OK.
To configure a DHCP server for WiFi clients - CLI
In this example, WiFi clients on the example_wlan interface are assigned addresses in the 10.10.120.2-9 range to connect with the WiFi access point on 10.10.120.1.
config system dhcp server
edit 0
set default-gateway 10.10.120.1
set dns-service default
set interface example_wlan
set netmask 255.255.255.0
config ip-range
edit 1
set end-ip 10.10.120.9
set start-ip 10.10.120.2
end
end
You cannot delete an SSID (wireless interface) that has DHCP enabled on it. |
Configuring DNS for local standalone NAT VAPs
For SSIDs in local standalone NAT mode, up to three DNS servers can be defined and assigned to wireless endpoints through DHCP. Wireless endpoints can then receive these DNS server IPs through DHCP when connecting to the SSID.
To configure the DNS servers
In this example, an SSID (wifi.fap.01) is configured in local standalone mode with local standalone NAT enabled. Two DNS servers, 8.8.8.8 and 8.8.4.4, are specified.
config wireless-controller vap
edit "wifi.fap.01"
set ssid "wifi-ssid.fap.01"
set passphrase **********
set local-standalone enable
set local-standalone-nat enable
set local-standalone-dns enable
set local-standalone-dns-ip 8.8.8.8 8.8.4.4
set local-bridging enable
set local-authentication enable
next
end
You can check the configured DNS server with the following commands:
|