Fortinet white logo
Fortinet white logo

FortiWiFi and FortiAP Configuration Guide

Defining a wireless network interface (SSID)

Defining a wireless network interface (SSID)

You begin configuring your wireless network by defining one or more SSIDs to which your users can connect. When you create an SSID, a virtual network interface is also created with the Name you specified in the SSID configuration.

Note

If a software switch interface contains an SSID (but only one), the WiFi SSID settings are available in the switch interface settings.

To create a new SSID
  1. Go to WiFi and Switch Controller > SSIDs and select Create New > SSID.
  2. Fill in the following SSID fields as needed:

    Name

    Enter a name for the SSID interface.

    Type

    WiFi SSID.

    Traffic Mode

    Tunnel — (Tunnel to Wireless Controller) Data for WLAN passes through WiFi Controller. This is the default.
    Bridge — (Local bridge with FortiAP Interface) FortiAP unit Ethernet and WiFi interfaces are bridged.
    Mesh — (Mesh Downlink) Radio receives data for WLAN from mesh backhaul SSID.

    Address

    IP/Network Mask

    Enter the IP address and netmask for the SSID.

    IPv6 Address/Prefix

    Enter the IPv6 address. This is available only when IPv6 has been enabled on the unit.

    Secondary IP Address

    Optionally, enable and define secondary IP addresses. Administrative access can be enabled on secondary interfaces.

    Administrative Access

    IPv4

    If you have IPv4 addresses, select the permitted IPv4 administrative access types for this SSID.

    IPv6

    If you have IPv6 addresses, select the permitted IPv6 administrative access types for this SSID.

    DHCP Server

    To assign IP addresses to clients, enable DHCP server. You can define IP address ranges for a DHCP server on the FortiGate unit or relay DHCP requests to an external server.
    Note: If the unit is in transparent mode, the DHCP server settings will be unavailable.

    For more information, see Configuring DHCP for WiFi clients.

    Network

    Device Detection

    Detect connected device type. Enabled by default.

    WiFi Settings

    SSID

    Enter the SSID. By default, this field contains fortinet.

    Client limit

    Limit the number of clients allowed in the SSID.

    Broadcast SSID

    Disable broadcast of SSID. By default, the SSID is broadcast.

    Beacon advertising

    Enable to advertise specified vendor specific elements over beacon frames containing information about the FortiAP name, model and serial number. This can be used to determine the coverage area of a FortiAP.

    • Name – The FortiAP name.

    • Model – The FortiAP model.

    • Serial Number – The FortiAP serial number.

    For more information, see Determining the coverage area of a FortiAP.

    Security Mode

    Select the security mode for the wireless interface. Wireless users must use the same security mode to be able to connect to this wireless interface. Additional security mode options are available in the CLI. For more information, see Configuring security.

    • Captive Portal – authenticates users through a customizable web page. For more information, see Captive Portal Security.
    • WPA2-Personal – WPA2 is WiFi Protected Access version 2. Users use a pre-shared key (password) to obtain access.
    • WPA2-Personal with Captive Portal – The user will need to know the pre-shared key and will also be authenticated through the custom portal.
    • WPA2-Enterprise – similar to WPA2-Personal, but is best used for enterprise networks. Each user is separately authenticated by user name and password.
    • Other choices are: WPA3-Enterprise, WPA3-SAE, WPA3-SAE-Transition, OWE, and OSEN.

    Authentication

    Available only when Security Mode is WPA2-Enterprise.

    Select one of the following:

    RADIUS Server — Select the RADIUS server that will authenticate the clients.

    Local – Select the user group(s) that can authenticate.

    Portal Type

    Available only when Security Mode is Captive Portal. Choose the captive portal type. Authentication is available with or without a usage policy disclaimer notice.

    Authentication Portal

    Local - portal hosted on the FortiGate unit
    External - enter FQDN or IP address of external portal

    User Groups

    Select permitted user groups for captive portal authentication.

    Exempt List

    Select exempt lists whose members will not be subject to captive portal authentication.

    Customize Portal Messages

    Click the listed portal pages to edit them.

    Pre-shared Key

    Available only when Security Mode is WPA2-Personal.

    Select between Single or Multiple encryption key modes that clients must use.

    Setting multiple pre-shared keys will enable dynamic VLAN assignment.

    Additional Settings

    Schedule

    Select when the SSID is enabled. You can choose any schedule defined in Policy & Objects > Objects > Schedules.

    Block intra-SSID traffic

    Select to enable the unit to block intra-SSID traffic.

    Optional VLAN ID

    Enter the ID of the VLAN this SSID belongs to. Enter 0 for non-VLAN operation. See Reserved VLAN IDs.

    Broadcast suppression

    Enable and add broadcasts you want to suppress.

    Quarantine host

    Enable so you can quarantine clients connected to the SSID.

    Split Tunneling

    Select to enable some subnets to remain local to the remote FortiAP. Traffic for these networks is not routed through the WiFi Controller. Specify split-tunnel networks in the FortiAP Profile. See Remote WLAN FortiAPs.

    Enable Explicit Web Proxy

    Select to enable explicit web proxy for the SSID.

    Listen for RADIUS Accounting Messages

    Enable if you are using RADIUS-based single sign-on (SSO).

    Comments

    Enter a description or comment for the SSID.

  3. Click OK to save.
To edit the settings of an existing SSID
  1. Either
    • Go to WiFi and Switch Controller > SSIDs.

      or

    • Go to Network > Interfaces.

      WiFi interfaces list the SSID beside the interface Name.

  2. Edit the SSID fields, as needed.
To configure a virtual access point (VAP)/SSID - CLI

The example below creates an access point with SSID "example" and WPA2-Personal security. The wireless interface is named example_wlan.

WiFi SSIDs include a schedule that determines when the WiFi network is available. The default schedule is Always. You can choose any schedule (but not schedule group) that is defined in Policy & Objects > Objects > Schedules.

config wireless-controller vap

edit example_wlan

set ssid "example"

set broadcast-ssid enable

set security wpa2-only-personal

set passphrase "hardtoguess”

set schedule always

set vdom root

end

config system interface

edit example_wlan

set ip 10.10.120.1 255.255.255.0

end

Configuring DHCP for WiFi clients

Wireless clients need to have IP addresses. If you use RADIUS authentication, each user’s IP address can be stored in the Framed-IP-Address attribute. Otherwise, you need to configure a DHCP server on the WLAN interface to assign IP addresses to wireless clients.

To configure a DHCP server for WiFi clients - GUI
  1. Go to WiFi and Switch Controller > SSIDs and edit your SSID entry.
  2. In DHCP Server select Enable.
  3. In Address Range, select Create New.
  4. In the Starting IP and End IP fields, enter the IP address range to assign.
    By default an address range is created in the same subnet as the wireless interface IP address, but not including that address.
  5. Set the Netmask to an appropriate value, such as 255.255.255.0.
  6. Set the Default Gateway to Same as Interface IP.
  7. Set the DNS Server to Same as System DNS.
  8. If you want to restrict access to the wireless network by MAC address, see Adding a MAC filter.
  9. Select OK.
To configure a DHCP server for WiFi clients - CLI

In this example, WiFi clients on the example_wlan interface are assigned addresses in the 10.10.120.2-9 range to connect with the WiFi access point on 10.10.120.1.

config system dhcp server

edit 0

set default-gateway 10.10.120.1

set dns-service default

set interface example_wlan

set netmask 255.255.255.0

config ip-range

edit 1

set end-ip 10.10.120.9

set start-ip 10.10.120.2

end

end

Note

You cannot delete an SSID (wireless interface) that has DHCP enabled on it.

Configuring DNS for local standalone NAT VAPs

For SSIDs in local standalone NAT mode, up to three DNS servers can be defined and assigned to wireless endpoints through DHCP. Wireless endpoints can then receive these DNS server IPs through DHCP when connecting to the SSID.

To configure the DNS servers

In this example, an SSID (wifi.fap.01) is configured in local standalone mode with local standalone NAT enabled. Two DNS servers, 8.8.8.8 and 8.8.4.4, are specified.

config wireless-controller vap

edit "wifi.fap.01"

set ssid "wifi-ssid.fap.01"

set passphrase **********

set local-standalone enable

set local-standalone-nat enable

set local-standalone-dns enable

set local-standalone-dns-ip 8.8.8.8 8.8.4.4

set local-bridging enable

set local-authentication enable

next

end

Note

You can check the configured DNS server with the following commands:

  • On FortiGate:

    # diagnose wireless-controller wlac -c wlan wifi.fap.01

  • On the managed FortiAP:

    FortiAP-431F # vcfg

    FortiAP-431F # dhcpconf

Defining a wireless network interface (SSID)

Defining a wireless network interface (SSID)

You begin configuring your wireless network by defining one or more SSIDs to which your users can connect. When you create an SSID, a virtual network interface is also created with the Name you specified in the SSID configuration.

Note

If a software switch interface contains an SSID (but only one), the WiFi SSID settings are available in the switch interface settings.

To create a new SSID
  1. Go to WiFi and Switch Controller > SSIDs and select Create New > SSID.
  2. Fill in the following SSID fields as needed:

    Name

    Enter a name for the SSID interface.

    Type

    WiFi SSID.

    Traffic Mode

    Tunnel — (Tunnel to Wireless Controller) Data for WLAN passes through WiFi Controller. This is the default.
    Bridge — (Local bridge with FortiAP Interface) FortiAP unit Ethernet and WiFi interfaces are bridged.
    Mesh — (Mesh Downlink) Radio receives data for WLAN from mesh backhaul SSID.

    Address

    IP/Network Mask

    Enter the IP address and netmask for the SSID.

    IPv6 Address/Prefix

    Enter the IPv6 address. This is available only when IPv6 has been enabled on the unit.

    Secondary IP Address

    Optionally, enable and define secondary IP addresses. Administrative access can be enabled on secondary interfaces.

    Administrative Access

    IPv4

    If you have IPv4 addresses, select the permitted IPv4 administrative access types for this SSID.

    IPv6

    If you have IPv6 addresses, select the permitted IPv6 administrative access types for this SSID.

    DHCP Server

    To assign IP addresses to clients, enable DHCP server. You can define IP address ranges for a DHCP server on the FortiGate unit or relay DHCP requests to an external server.
    Note: If the unit is in transparent mode, the DHCP server settings will be unavailable.

    For more information, see Configuring DHCP for WiFi clients.

    Network

    Device Detection

    Detect connected device type. Enabled by default.

    WiFi Settings

    SSID

    Enter the SSID. By default, this field contains fortinet.

    Client limit

    Limit the number of clients allowed in the SSID.

    Broadcast SSID

    Disable broadcast of SSID. By default, the SSID is broadcast.

    Beacon advertising

    Enable to advertise specified vendor specific elements over beacon frames containing information about the FortiAP name, model and serial number. This can be used to determine the coverage area of a FortiAP.

    • Name – The FortiAP name.

    • Model – The FortiAP model.

    • Serial Number – The FortiAP serial number.

    For more information, see Determining the coverage area of a FortiAP.

    Security Mode

    Select the security mode for the wireless interface. Wireless users must use the same security mode to be able to connect to this wireless interface. Additional security mode options are available in the CLI. For more information, see Configuring security.

    • Captive Portal – authenticates users through a customizable web page. For more information, see Captive Portal Security.
    • WPA2-Personal – WPA2 is WiFi Protected Access version 2. Users use a pre-shared key (password) to obtain access.
    • WPA2-Personal with Captive Portal – The user will need to know the pre-shared key and will also be authenticated through the custom portal.
    • WPA2-Enterprise – similar to WPA2-Personal, but is best used for enterprise networks. Each user is separately authenticated by user name and password.
    • Other choices are: WPA3-Enterprise, WPA3-SAE, WPA3-SAE-Transition, OWE, and OSEN.

    Authentication

    Available only when Security Mode is WPA2-Enterprise.

    Select one of the following:

    RADIUS Server — Select the RADIUS server that will authenticate the clients.

    Local – Select the user group(s) that can authenticate.

    Portal Type

    Available only when Security Mode is Captive Portal. Choose the captive portal type. Authentication is available with or without a usage policy disclaimer notice.

    Authentication Portal

    Local - portal hosted on the FortiGate unit
    External - enter FQDN or IP address of external portal

    User Groups

    Select permitted user groups for captive portal authentication.

    Exempt List

    Select exempt lists whose members will not be subject to captive portal authentication.

    Customize Portal Messages

    Click the listed portal pages to edit them.

    Pre-shared Key

    Available only when Security Mode is WPA2-Personal.

    Select between Single or Multiple encryption key modes that clients must use.

    Setting multiple pre-shared keys will enable dynamic VLAN assignment.

    Additional Settings

    Schedule

    Select when the SSID is enabled. You can choose any schedule defined in Policy & Objects > Objects > Schedules.

    Block intra-SSID traffic

    Select to enable the unit to block intra-SSID traffic.

    Optional VLAN ID

    Enter the ID of the VLAN this SSID belongs to. Enter 0 for non-VLAN operation. See Reserved VLAN IDs.

    Broadcast suppression

    Enable and add broadcasts you want to suppress.

    Quarantine host

    Enable so you can quarantine clients connected to the SSID.

    Split Tunneling

    Select to enable some subnets to remain local to the remote FortiAP. Traffic for these networks is not routed through the WiFi Controller. Specify split-tunnel networks in the FortiAP Profile. See Remote WLAN FortiAPs.

    Enable Explicit Web Proxy

    Select to enable explicit web proxy for the SSID.

    Listen for RADIUS Accounting Messages

    Enable if you are using RADIUS-based single sign-on (SSO).

    Comments

    Enter a description or comment for the SSID.

  3. Click OK to save.
To edit the settings of an existing SSID
  1. Either
    • Go to WiFi and Switch Controller > SSIDs.

      or

    • Go to Network > Interfaces.

      WiFi interfaces list the SSID beside the interface Name.

  2. Edit the SSID fields, as needed.
To configure a virtual access point (VAP)/SSID - CLI

The example below creates an access point with SSID "example" and WPA2-Personal security. The wireless interface is named example_wlan.

WiFi SSIDs include a schedule that determines when the WiFi network is available. The default schedule is Always. You can choose any schedule (but not schedule group) that is defined in Policy & Objects > Objects > Schedules.

config wireless-controller vap

edit example_wlan

set ssid "example"

set broadcast-ssid enable

set security wpa2-only-personal

set passphrase "hardtoguess”

set schedule always

set vdom root

end

config system interface

edit example_wlan

set ip 10.10.120.1 255.255.255.0

end

Configuring DHCP for WiFi clients

Wireless clients need to have IP addresses. If you use RADIUS authentication, each user’s IP address can be stored in the Framed-IP-Address attribute. Otherwise, you need to configure a DHCP server on the WLAN interface to assign IP addresses to wireless clients.

To configure a DHCP server for WiFi clients - GUI
  1. Go to WiFi and Switch Controller > SSIDs and edit your SSID entry.
  2. In DHCP Server select Enable.
  3. In Address Range, select Create New.
  4. In the Starting IP and End IP fields, enter the IP address range to assign.
    By default an address range is created in the same subnet as the wireless interface IP address, but not including that address.
  5. Set the Netmask to an appropriate value, such as 255.255.255.0.
  6. Set the Default Gateway to Same as Interface IP.
  7. Set the DNS Server to Same as System DNS.
  8. If you want to restrict access to the wireless network by MAC address, see Adding a MAC filter.
  9. Select OK.
To configure a DHCP server for WiFi clients - CLI

In this example, WiFi clients on the example_wlan interface are assigned addresses in the 10.10.120.2-9 range to connect with the WiFi access point on 10.10.120.1.

config system dhcp server

edit 0

set default-gateway 10.10.120.1

set dns-service default

set interface example_wlan

set netmask 255.255.255.0

config ip-range

edit 1

set end-ip 10.10.120.9

set start-ip 10.10.120.2

end

end

Note

You cannot delete an SSID (wireless interface) that has DHCP enabled on it.

Configuring DNS for local standalone NAT VAPs

For SSIDs in local standalone NAT mode, up to three DNS servers can be defined and assigned to wireless endpoints through DHCP. Wireless endpoints can then receive these DNS server IPs through DHCP when connecting to the SSID.

To configure the DNS servers

In this example, an SSID (wifi.fap.01) is configured in local standalone mode with local standalone NAT enabled. Two DNS servers, 8.8.8.8 and 8.8.4.4, are specified.

config wireless-controller vap

edit "wifi.fap.01"

set ssid "wifi-ssid.fap.01"

set passphrase **********

set local-standalone enable

set local-standalone-nat enable

set local-standalone-dns enable

set local-standalone-dns-ip 8.8.8.8 8.8.4.4

set local-bridging enable

set local-authentication enable

next

end

Note

You can check the configured DNS server with the following commands:

  • On FortiGate:

    # diagnose wireless-controller wlac -c wlan wifi.fap.01

  • On the managed FortiAP:

    FortiAP-431F # vcfg

    FortiAP-431F # dhcpconf