
FortiWiFi and FortiAP Configuration Guide

Creating a FortiAP profile

A FortiAP profile defines radio settings for a particular platform (FortiAP model). The profile also selects which SSIDs (virtual APs) the APs will carry. Depending on the model, FortiAP units contain two or more radio transceivers, making it possible to provide 2.4 GHz 802.11b/g/n/ax, 5 GHz 802.11a/n/ac/ax/be, or 6 GHz 802.11ax/be service from the same access point. The radios can also be used for monitoring accepted or rogue APs through the Rogue AP detection feature.

You can modify existing FortiAP profiles or create new ones of your own.

To configure a FortiAP profile - GUI:
  1. Go to WiFi and Switch Controller > FortiAP Profiles and select Create New.
  2. Enter a Name for the FortiAP Profile.
  3. Configure the following options:

    Platform

    Select the FortiWiFi or FortiAP model to which this profile applies.

    If you selected a WiFi 6E capable model, select a Platform mode:

    • Single 5G - Only one radio operates on the 5GHz 802.11ax/ac/n/a band.
    • Dual 5G - Two radios operate on the 5GHz 802.11ax/ac/n/a band and dedicated scanning is always disabled.
    Indoor/Outdoor

    Select where the FortiAP is being installed. You can override the default designation of the FortiAP to change the available channels based on your region.

    Country/Region

    Select the country or region to apply the Country Code for where the FortiAP will be used.

    Split Tunneling Subnets

    If split tunneling is used, enter a comma-separated list of all the destination IP address ranges that should not be routed through the FortiGate WiFi controller.

    AP login password

    Select whether you want to set a new AP login password or leave the password unchanged.

    Administrative access

    Select which types of administrative access you want to allow for the FortiAP:

    • HTTPS
    • SSH
    • SNMP
    Client load balancing

    Select a handoff type as needed (see Wireless client load balancing for high-density deployments).

    802.1X authentication

    Enable if you want to configure the FortiAP to act as an 802.1X supplicant to authenticate against the server using EAP-FAST, EAP-TLS or EAP-PEAP (see Configuring 802.1X supplicant on LAN).

    UNII-4 5GHz band channels

    Only available on G-series models.

    Enable if you want to use UNII-4 5GHz band channels (see Configuring UNII-4 5GHz radio bands).

  4. For each radio, enter:

    Mode

    Select the type of mode:

    • Disabled – The radio is disabled.
    • Access Point – The platform is an access point.
    • Dedicated Monitor – The platform is a dedicated monitor. See Wireless network monitoring.

    WIDS profile

    Optionally, select a Wireless Intrusion Detection (WIDS) profile. See Wireless Intrusion Detection System.

    Radio resource provision

    Select to enable the distributed radio resource provisioning (DARRP) feature. This feature measures utilization and interference on the available channels and selects the clearest channel at each access point. The measurement can be repeated periodically to respond to changing conditions. See Understanding Distributed Radio Resource Provisioning.

    Band

    Select the wireless protocols that you want to support. The available choices depend on the radio's capabilities. Where multiple protocols are supported, the letter suffixes are combined: "802.11g/b" means 802.11g and 802.11b.

    Note that on two-radio units such as the FortiAP-221C it is not possible to put both radios on the same band.

    Channel width

    Select channel width for 802.11n/ac/ax/be on 5 and 6 GHz radios.

    Channel plan

    Select whether you want to automatically configure a Channel plan or select custom channels.

    • Three Channels – Automatically selects channels 1, 6, and 11.

    • Four Channels – Automatically selects channels 1, 4, 8, and 11.

    • Custom – Select custom channels.

    Channels

    Select the channel or channels to include. The available channels depend on which IEEE wireless protocol you selected in Band. By default, all available channels are enabled.

    For 5 and 6 GHz radios, clicking Set Channels loads a channel selector panel where you can select individual channels.

    • Toggle DFS Channels – Select DFS channels.
    • Toggle Weather Radar Channels – Select Weather Radar channels.

    The channel chart also shows channel availability for 40MHz or 80MHz channel-bonding.

    On a 6 GHz radio with 802.11be on a 320MHz channel width, you can select a channel extension.

    Short guard interval

    Select to enable the short guard interval for 802.11ac or 802.11n on 5 GHz.

    Transmit power mode

    Select how you want to determine transmit power:

    • Percent – Transmit power is determined by multiplying the set percentage by the maximum available power determined by region and FortiAP device.
    • dBm – Transmit power is set using a dBm value.
    • Auto – Specify a range of dBm values and the power is set automatically.

    Transmit power

    Specify the Transmit power, either as minimum and maximum levels in dBm or as a percentage.

    SSIDs

    Select a traffic mode for SSIDs.

    • Tunnel – Available tunnel-mode SSIDs are automatically assigned to this radio.
    • Bridge – Available bridge-mode SSIDs are automatically assigned to this radio. This option is not available for FortiWiFi local radio platforms.
    • Manual – Manually select which available SSIDs and SSID groups to assign to this radio.

    Monitor channel utilization

    Select to enable monitoring channel utilization.

  5. Radio 2 and 3 settings are available for FortiAP models with multiple radios.

  6. In Syslog profile, enable if you want your FortiAPs to send logs to a syslog server (see Configuring a Syslog profile).
  7. Click OK.
To configure a FortiAP profile - CLI:

This example configures a FortiAP-220B to carry all SSIDs on Radio 1 but only SSID example_wlan on Radio 2.

    config wireless-controller wtp-profile
      edit "guest_prof"
        config platform
          set type 220B
        end
        config radio-1
          set mode ap
          set band 802.11g
          set vap-all enable
        end
        config radio-2
          set mode ap
          set band 802.11g
          set vaps example_wlan
        end
    end

To configure a FortiAP profile with Wi-Fi 7 - CLI:

This example configures a FAP-441K to broadcast 802.11be on Radios 2 and 3. Radios 2 and 3 have manual VAPs selected, with the "sae-trans-akm" and "sae-akm24" VAPs applied respectively. Radio 3 also has a channel-bonding extension of 320MHz selected.

  1. Create a WPA3-SAE security VAP with akm24-only enabled.

    config wireless-controller vap
      edit "sae-akm24"
        set ssid "sae-akm24"
        set security wpa3-sae
        set pmf enable
        set beacon-protection enable
        set sae-h2e-only enable
        set akm24-only enable
        set local-bridging enable
        set schedule "always"
        set sae-password ENC
      next
    end

    akm24-only

    WPA3 SAE using group-dependent hash only (default = disable).

    • disable: Disable WPA3 SAE using group-dependent hash only.
    • enable: Enable WPA3 SAE using group-dependent hash only.

    akm24-only is only supported for Wi-Fi 7 clients and there is no backward compatibility. If you know that all the clients are Wi-Fi 7 capable, then the VAPs can be configured with akm24-only enabled.

    Note: A WPA3-SAE SSID allows configuring either the akm24-only or the additional-akms feature.

  2. Create a WPA3-SAE-Transition security VAP with additional-akms enabled.

    config wireless-controller vap
      edit "sae-trans-akm"
        set ssid "sae-trans-akm"
        set security wpa3-sae-transition
        set pmf optional
        set beacon-protection enable
        set additional-akms akm24
        set passphrase ENC
        set sae-h2e-only enable
        set local-bridging enable
        set schedule "always"
        set sae-password ENC
      next
    end

    additional-akms

    Additional AKMs.

    • akm6: Use AKM suite employing PSK_SHA256.

    • akm24: Use AKM suite employing SAE_EXT.

    When additional-akms is enabled in the VAP, clients can pick the highest AKM they support. A WPA3-SAE-Transition SSID allows backward compatibility and supports mixed-mode clients, so additional-akms has akm6 and akm24 options.

  3. Create a FortiAP profile for a FortiAP K-series model with Wi-Fi 7 enabled on the radio. This example uses FAP441K.

    config wireless-controller wtp-profile
      edit "FAP441K-profile"
        config platform
          set type 441K
          set ddscan enable
        end
        set handoff-sta-thresh 55
        set allowaccess ssh
        config radio-1
          set band 802.11ax-2G
          set vap-all manual
        end
        config radio-2
          set band 802.11be-5G
          set channel-bonding 40MHz
          set vap-all manual
          set vaps "sae-trans-akm"
          set channel "44" "48"
        end
        config radio-3
          set band 802.11be-6G
          set channel-bonding 320MHz
          set channel-bonding-ext 320MHz-1
          set vap-all manual
          set vaps "sae-akm24"
          set channel "45" "49" "65" "69" "73" "77" "81" "85" "89" "93" "97" "101" "105" "109" "113" "117" "121" "125"
        end
        config radio-4
          set mode monitor
        end
      next
    end
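
The VAP and profile settings from the three steps above can be checked offline against a configuration backup. The following Python sketch is an added example, not Fortinet code: it parses the config/edit/set/next/end syntax shown on this page and reports AKM, PMF, administrative-access and VAP-reference findings. The function names, the sample text and the undefined VAP name "guest-open" are constructed for illustration.

```python
import shlex
# Constructed sample abridged from the steps above; "guest-open" is a made-up, undefined VAP.
SAMPLE = '''
config wireless-controller vap
  edit "sae-akm24"
    set security wpa3-sae
    set pmf enable
    set akm24-only enable
  next
  edit "sae-trans-akm"
    set security wpa3-sae-transition
    set pmf optional
    set additional-akms akm24
  next
end
config wireless-controller wtp-profile
  edit "FAP441K-profile"
    set allowaccess ssh
    config radio-2
      set vaps "sae-trans-akm" "guest-open"
    end
  next
end
'''

def parse_fortios(text):
    """Parse config/edit/set/next/end text into nested dicts; 'set' values are lists."""
    root = {}
    stack = [("config", root)]
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] in ("config", "edit"):
            child = stack[-1][1].setdefault(" ".join(tok[1:]), {})
            stack.append((tok[0], child))
        elif tok[0] == "set":
            stack[-1][1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            if stack[-1][0] == "edit":
                stack.pop()              # leave the current edit entry
                if tok[0] == "next":
                    continue
            stack.pop()                  # 'end' closes the table, even when typed inside an edit
    return root

def audit(cfg):
    """Return (object, finding) pairs for VAP AKM/PMF settings and profile references."""
    vaps = cfg.get("wireless-controller vap", {})
    out = []
    for name, v in vaps.items():
        if v.get("akm24-only") == ["enable"]:
            out.append((name, "akm24-only: Wi-Fi 7 clients only, no backward compatibility"))
        if v.get("security") == ["wpa3-sae-transition"] and v.get("pmf") != ["enable"]:
            out.append((name, "transition mode: PMF is not required of clients"))
    for pname, p in cfg.get("wireless-controller wtp-profile", {}).items():
        out.append((pname, "administrative access: " + ",".join(p.get("allowaccess", ["none"]))))
        for rname, r in p.items():
            for vap in (r.get("vaps", []) if isinstance(r, dict) else []):
                if vap not in vaps:
                    out.append((pname, f"{rname} references undefined VAP {vap}"))
    return out
```

Calling `audit(parse_fortios(SAMPLE))` returns four findings; the parser also accepts the shorter form used in the first CLI example, where `end` is typed inside an `edit` without a preceding `next`.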

channel-bonding-ext

Channel bandwidth extension: 320 MHz-1 and 320 MHz-2 (default = 320 MHz-2).

  • 320MHz-1: 320 MHz channel with channel center frequency numbered 31, 95, and 159.

  • 320MHz-2: 320 MHz channel with channel center frequency numbered 63, 127, and 191.
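
To see which 20 MHz channels each channel-bonding-ext option spans, the following added Python example (not from the Fortinet guide) groups a radio's channel list by 320 MHz block. It assumes standard 6 GHz numbering, where 20 MHz channels are numbered 1, 5, 9, ... and a 320 MHz channel covers the sixteen channels within 30 of its center number; the function names are hypothetical.

```python
# Center numbers per extension, as listed on this page.
CENTERS = {"320MHz-1": (31, 95, 159), "320MHz-2": (63, 127, 191)}

# Channel list from the radio-3 block of the page's FAP441K-profile.
RADIO3 = ["45", "49", "65", "69", "73", "77", "81", "85", "89", "93",
          "97", "101", "105", "109", "113", "117", "121", "125"]

def members(center):
    """20 MHz channel numbers covered by the 320 MHz channel with this center number."""
    return list(range(center - 30, center + 31, 4))

def coverage(ext, channels):
    """Map each 320 MHz center of `ext` to the configured channels that fall inside it."""
    chans = {int(c) for c in channels}
    return {c: sorted(chans.intersection(members(c))) for c in CENTERS[ext]}

def complete_blocks(ext, channels):
    """Centers whose sixteen 20 MHz channels are all present in the configured list."""
    return [c for c, got in coverage(ext, channels).items() if len(got) == 16]

if __name__ == "__main__":
    for ext in CENTERS:
        print(ext, coverage(ext, RADIO3), "complete:", complete_blocks(ext, RADIO3))
```

For the radio-3 channel list, only the block centered on 95 is fully covered under 320MHz-1, and no block is fully covered under 320MHz-2.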
