FortiWiFi and FortiAP Configuration Guide

Configuring a meshed WiFi network

To configure a mesh WiFi network, perform the following tasks, each of which is described in its own section below:
  1. Create the mesh root SSID.
  2. Create the FortiAP profile.
  3. Configure the mesh root AP.
  4. Configure the mesh leaf FortiAPs.
  5. Authorize the leaf APs.
  6. Create security policies.
  7. View the status of the mesh network.

This section assumes that the end-user SSIDs already exist.

Creating the mesh root SSID

The mesh root SSID is the radio backhaul that carries the user SSID traffic between the mesh root AP and the leaf FortiAPs. Because every user's traffic crosses this link over the air, the backhaul must be protected at least as strongly as the user SSIDs it carries.

To configure the mesh root SSID - GUI:
  1. Go to WiFi and Switch Controller > SSIDs and select Create New > SSID.
  2. Enter a Name for the WiFi interface.
  3. In Traffic Mode, select Mesh.
  4. Enter the SSID.
  5. Select a Security Mode. You can choose between the following:

    • WPA2 Personal.

      If you select WPA2 Personal, you must enter a Pre-shared key. Remember the key because you need to enter it for the leaf FortiAP configuration.

    • WPA3 SAE.

      If you select WPA3 SAE, you must enter an SAE password. Hash-to-Element (H2E) only is enabled by default and cannot be disabled, because H2E is mandatory for Wi-Fi 6E. Remember the password because you need to enter it for the leaf FortiAP configuration.

  6. When you are finished, click OK.
To configure the mesh root SSID - CLI:
config wireless-controller vap
  edit "MESHROOT"
    set mesh-backhaul enable
    set ssid "fortinet.mesh.root"
    set security wpa3-sae
    set pmf enable
    set sae-h2e-only enable
    set schedule "always"
    set sae-password ENC *
  next
end

WPA3-SAE can be selected in either the GUI or the CLI. WPA3-SAE with Hash-to-Element only enabled is mandatory for Wi-Fi 6E, so you must select it if you want Wi-Fi 6E FortiAPs to establish mesh connections over the 6 GHz band. In the CLI output above, "set sae-password ENC *" is the masked form in which FortiOS displays a stored secret; when you enter the configuration yourself, supply the actual SAE password with "set sae-password <password>".

Note

By default, sae-h2e-only is enabled when you set the security mode to wpa3-sae.

Creating the FortiAP profile

Create a FortiAP profile for the meshed FortiAPs. If more than one FortiAP model is involved, you need to create a profile for each model. Typically, the profile is configured so that Radio 1 (5GHz) carries the mesh backhaul SSID while Radio 2 (2.4GHz) carries the SSIDs to which users connect.

For Radio 1, use the Select SSIDs option and choose only the backhaul SSID. The radio that carries the backhaul traffic must not carry other SSIDs.

Radio 2 carries user SSIDs and shouldn't carry the backhaul. Use the Select SSIDs option and choose the networks that you want to provide.

For more information, see Creating a FortiAP profile.

Configuring the mesh root AP

The mesh root AP can be either a FortiWiFi unit's built-in AP or a FortiAP unit.

To enable a FortiWiFi unit's local radio as mesh root:
  1. On the FortiWiFi unit, go to WiFi and Switch Controller > Local WiFi Radio.
  2. Select Enable WiFi Radio.
  3. In SSID, select Select SSIDs, then select the mesh root SSID.
  4. Optionally, adjust Transmit power amount or select Auto.
  5. Select Apply.
Note

In a network with multiple wireless controllers, make sure that each mesh root has a unique SSID. Other controllers using the same mesh root SSID may be detected as fake or rogue APs. Go to WiFi and Switch Controller > SSIDs to change the SSID.

To configure a network interface for the mesh root FortiAP unit:
  1. On the FortiGate unit, go to Network > Interfaces, and edit the interface to which the AP unit connects.
  2. In Addressing mode, select Manual.
  3. In IP/Network Mask, enter an IP address and netmask for the interface.

  4. In the Administrative Access section, go to IPv4 and select the Security Fabric Connection checkbox.
  5. When FortiAP units are connected to the interface on FortiGate (directly or through a switch), you can go to the Edit Interface section and set the Role to LAN.

    Selecting the LAN role loads the DHCP Server toggle. If you enable DHCP Server, the GUI can automatically set the DHCP IP range based on the interface IP address.

  6. Click OK.

At this point you can connect the mesh root FortiAP (see below). If you are planning to configure leaf FortiAPs through the wireless controller (see Configuring the mesh leaf FortiAPs), then connect the root unit later.

To enable the root FortiAP unit:
  1. Connect the root FortiAP unit's Ethernet port to the FortiGate network interface that you configured.
  2. On the FortiGate unit, go to WiFi and Switch Controller > Managed FortiAPs.

    If the root FortiAP unit is not listed, wait 15 seconds and select Refresh. Repeat if necessary. If the unit is still missing after a minute or two, power cycle the root FortiAP unit and try again.

  3. Right-click the FortiAP entry and choose your profile from the Assign Profile submenu.
  4. Right-click the FortiAP entry and select Authorize.

    Initially, the State of the FortiAP unit is Offline. Periodically click Refresh to update the status. Within about two minutes, the state changes to Online.

  5. Select OK.

Configuring the mesh leaf FortiAPs

The FortiAP units that serve as leaf nodes must be preconfigured. This involves changing the FortiAP unit's internal configuration. You can do this by direct connection or through the FortiGate wireless controller.

Method 1: Direct connection to the FortiAP:
  1. Configure the computer's IP address as 192.168.1.3.
  2. Connect the computer to the FortiAP unit's Ethernet port and connect to the FortiAP at its default IP address, 192.168.1.2.
  3. Log in to the FortiAP as admin. By default, no password is set.
  4. Configure the mesh uplink using either the FortiAP GUI or the FortiAP CLI:
    1. If you are using the GUI, go to Connectivity > Uplink and select the Mesh option. Then enter the Mesh AP SSID and Mesh AP Password (pre-shared key).
    2. If you are using the FortiAP CLI (SSH), enter the following commands, substituting your own SSID, password (pre-shared key), and security mode:

      cfg -a MESH_AP_TYPE=1

      cfg -a MESH_AP_SSID=fortinet.mesh.root

      cfg -a MESH_AP_PASSWD=hardtoguess

      cfg -a MESH_AP_SECURITY=2

      cfg -c

      exit

      Note: By default, MESH_AP_SECURITY is set to 0 (Open network). Depending on the security mode of your mesh backhaul SSID, you must explicitly set it to either 1 (WPA/WPA2-Personal) or 2 (WPA3-SAE).

  5. Disconnect the computer.
  6. Power down the FortiAP.
  7. Repeat the preceding steps for each leaf FortiAP.
Method 2: Connecting through the FortiGate unit:
  1. Connect the Ethernet port on the leaf FortiAP to the FortiGate network interface that you configured for FortiAPs. Connect the FortiAP unit to a power source unless PoE is used.
  2. On the FortiGate unit, go to WiFi and Switch Controller > Managed FortiAPs.

    If the FortiAP unit is not listed, wait 15 seconds and select Refresh. Repeat if necessary. If the unit is still missing after a minute or two, power cycle the FortiAP unit and try again.

  3. Select the discovered FortiAP unit and authorize it. Click Refresh every 10 seconds until the State indicator changes to Online.
  4. Right-click the FortiAP and select Connect to CLI. The CLI Console window opens. Log in as "admin".
  5. Enter the following commands, substituting your own SSID, password (pre-shared key), and security mode:

    cfg -a MESH_AP_TYPE=1

    cfg -a MESH_AP_SSID=fortinet.mesh.root

    cfg -a MESH_AP_PASSWD=hardtoguess

    cfg -a MESH_AP_SECURITY=2

    cfg -c

    exit

    Note: By default, MESH_AP_SECURITY is set to 0 (Open network). Depending on the security mode of your mesh backhaul SSID, you must explicitly set it to either 1 (WPA/WPA2-Personal) or 2 (WPA3-SAE).

  6. Disconnect the FortiAP and delete it from the Managed FortiAP list.
  7. Repeat the preceding steps for each leaf FortiAP.
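
The leaf FortiAP's MESH_AP_SECURITY value must match the security mode of the root SSID, and the default of 0 silently configures an open backhaul. The following Python script is an added example, not Fortinet code: it parses a FortiOS "config wireless-controller vap" dump (the sample dump is constructed for the example), audits each mesh-backhaul SSID against the guidance in the mesh root SSID and leaf FortiAP sections above, and derives the leaf "cfg -a" commands from the root VAP so the security mode is copied rather than retyped. The mapping from FortiOS "set security" keywords to MESH_AP_SECURITY values is this example's assumption; the SAE password cannot be read from the dump (it shows as "ENC *") and must be supplied.

```python
"""Added example (not Fortinet code): audit FortiOS mesh-backhaul VAPs and
derive the matching FortiAP leaf `cfg -a MESH_AP_*` commands from the root."""
import re

# Constructed sample of `show wireless-controller vap` output (not a real dump):
# a hardened WPA3 backhaul, a WPA2 backhaul, and an ordinary user SSID.
SAMPLE_VAP_CONFIG = """\
config wireless-controller vap
    edit "MESHROOT"
        set mesh-backhaul enable
        set ssid "fortinet.mesh.root"
        set security wpa3-sae
        set pmf enable
        set sae-h2e-only enable
        set sae-password ENC *
    next
    edit "MESH-LEGACY"
        set mesh-backhaul enable
        set ssid "legacy.mesh"
        set security wpa2-only-personal
        set passphrase ENC *
    next
    edit "guest"
        set ssid "Guest-WiFi"
        set security open
    next
end
"""

# FortiAP MESH_AP_SECURITY values from the guide (0 = Open, 1 = WPA/WPA2-Personal,
# 2 = WPA3-SAE) keyed by FortiOS `set security` keyword; the mapping is assumed here.
SECURITY_TO_MESH_AP_SECURITY = {"wpa-personal": 1, "wpa2-only-personal": 1, "wpa3-sae": 2}

_EDIT_RE = re.compile(r'^\s*edit\s+"?([^"]+?)"?\s*$')
_SET_RE = re.compile(r"^\s*set\s+(\S+)\s+(.*)$")


def parse_vap_config(text: str) -> dict:
    """Return {vap_name: {setting: value}} for the top-level `edit ... next` entries.
    Nested `config ... end` blocks inside an entry are skipped so their `set`
    lines are not mistaken for VAP settings."""
    vaps, current, depth = {}, None, 0
    for line in text.splitlines():
        stripped = line.strip()
        if current is not None and stripped.startswith("config "):
            depth += 1
        elif depth:
            if stripped == "end":
                depth -= 1
        elif current is None and (m := _EDIT_RE.match(line)):
            current = m.group(1)
            vaps[current] = {}
        elif stripped == "next":
            current = None
        elif current is not None and (m := _SET_RE.match(line)):
            vaps[current][m.group(1)] = m.group(2).strip().strip('"')
    return vaps


def audit_backhaul(name: str, vap: dict) -> list:
    """Findings for a VAP meant to be the mesh backhaul. Only an explicit `disable`
    is flagged for pmf/sae-h2e-only: `show` omits defaults, and the guide states
    sae-h2e-only defaults to enable for wpa3-sae."""
    findings = []
    if vap.get("mesh-backhaul") != "enable":
        findings.append(f"{name}: mesh-backhaul is not enabled; this VAP is not a backhaul")
    sec = vap.get("security")
    if sec is None:
        findings.append(f"{name}: security not shown; use 'show full-configuration' to see it")
    elif sec == "open":
        findings.append(f"{name}: CRITICAL open backhaul; user traffic crosses the air unprotected")
    elif sec not in SECURITY_TO_MESH_AP_SECURITY:
        findings.append(f"{name}: security '{sec}' has no MESH_AP_SECURITY value; leaves cannot join")
    elif SECURITY_TO_MESH_AP_SECURITY[sec] == 1:
        findings.append(f"{name}: WPA2-Personal backhaul; WPA3-SAE is required for a 6 GHz backhaul")
    if sec == "wpa3-sae":
        if vap.get("pmf") == "disable":
            findings.append(f"{name}: PMF explicitly disabled on a WPA3-SAE backhaul")
        if vap.get("sae-h2e-only") == "disable":
            findings.append(f"{name}: sae-h2e-only disabled; Wi-Fi 6E leaf units require H2E")
    return findings


def leaf_cfg_commands(vap: dict, mesh_password: str) -> list:
    """FortiAP `cfg` commands for a leaf joining this root VAP. Raises instead of
    emitting MESH_AP_SECURITY=0, which would configure an open backhaul."""
    sec = vap.get("security")
    if sec not in SECURITY_TO_MESH_AP_SECURITY:
        raise ValueError(f"root security {sec!r} cannot be expressed as MESH_AP_SECURITY 1 or 2")
    return [
        "cfg -a MESH_AP_TYPE=1",
        f"cfg -a MESH_AP_SSID={vap['ssid']}",
        f"cfg -a MESH_AP_PASSWD={mesh_password}",
        f"cfg -a MESH_AP_SECURITY={SECURITY_TO_MESH_AP_SECURITY[sec]}",
        "cfg -c",
    ]


if __name__ == "__main__":
    vaps = parse_vap_config(SAMPLE_VAP_CONFIG)
    for name, vap in vaps.items():
        if vap.get("mesh-backhaul") == "enable":
            print("\n".join(audit_backhaul(name, vap) or [f"{name}: OK"]))
    # "hardtoguess" stands in for the real SAE password, which the dump does not reveal.
    print("\n".join(leaf_cfg_commands(vaps["MESHROOT"], "hardtoguess")))
```

Run it against a real "show wireless-controller vap" capture instead of the constructed sample to get findings for your own backhaul SSIDs; the generated commands are the same ones shown in the two leaf configuration methods above, with the security value taken from the root rather than typed by hand.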

Authorizing leaf APs

When the root FortiAP is connected and online, apply power to the preconfigured leaf FortiAPs. The leaf FortiAPs will connect themselves wirelessly to the WiFi Controller through the mesh network. You must authorize each unit.

  1. On the FortiGate unit, go to WiFi and Switch Controller > Managed FortiAPs. Periodically select Refresh until the FortiAP unit is listed. This can take up to three minutes.

    The State of the FortiAP unit should be Waiting for Authorization.

  2. Right-click the FortiAP entry and choose your profile from the Assign Profile submenu.
  3. Right-click the FortiAP entry and select Authorize.

    Initially, the State of the FortiAP unit is Offline. Periodically click Refresh to update the status. Within about two minutes, the state changes to Online.

Creating security policies

To permit traffic to flow from the end-user WiFi network to the network interfaces for the Internet and other networks, you need to create security policies and enable NAT.

See Configuring firewall policies for the SSID.

Viewing the status of the mesh network

On the FortiGate unit, go to WiFi and Switch Controller > Managed FortiAPs to view the list of APs.

The SSIDs column lists the SSID of each FortiAP radio and uses an icon to show the Traffic mode of each radio: Bridge, Mesh, or Tunnel.

To see more information about each radio, hover over the SSIDs information.
