Deploying WPA2-Enterprise SSID to FortiAP units
This topic provides simple configuration instructions for deploying a WPA2-Enterprise SSID with FortiAP. The steps include creating an SSID, selecting the SSID for the FortiAP, and creating a policy from the SSID to the Internet.
The following shows a simple network topology for this recipe:
To deploy WPA2-Enterprise SSID to FortiAP units on the FortiWiFi and FortiAP GUI:
Create an SSID as WPA2-Enterprise. Do one of the following:
- Create an SSID as WPA2-Enterprise with authentication from a RADIUS server:
- Create a RADIUS server:
- Go to User & Device > RADIUS Servers, then click Create New.
- Enter a server name.
- In the Primary Server > IP/Name field, enter the IP address or server name.
- In the Primary Server > Secret field, enter the secret key.
- Click Test Connectivity to verify the connection with the RADIUS server.
- Click Test User Credentials to verify that the user account can be authenticated with the RADIUS server.
- Click OK.
- Create a WPA2-Enterprise SSID:
- Go to WiFi & Switch Controller > SSID, select SSID, then click Create New.
- Enter the desired interface name. For Traffic mode, select Tunnel.
- In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default. You can modify the DHCP IP address range manually.
- In the SSID field, enter the desired SSID name. For Security, select WPA2 Enterprise.
- In the Authentication field, select RADIUS Server. From the dropdown list, select the RADIUS server created in the previous step.
- Click OK.
- Create an SSID as WPA2-Enterprise with authentication from a user group:
- Create a user group:
- Go to User & Device > User Groups, then click Create New.
- Enter the desired group name.
- For Type, select Firewall.
- For Remote Groups, click the + button. In the dropdown list, select the desired RADIUS server. Click OK.
- Click OK.
- Create a WPA2-Enterprise SSID:
- Go to WiFi & Switch Controller > SSID, select SSID, then click Create New.
- Enter the desired interface name. For Traffic mode, select Tunnel.
- In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default. You can modify the DHCP IP address range manually.
- In the SSID field, enter the desired SSID name. For Security, select WPA2 Enterprise.
- In the Authentication field, select Local. From the User Groups dropdown list, select the user group created in the previous step.
- Click OK.
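The Test Connectivity and Test User Credentials buttons above exercise the RADIUS shared secret in two ways: it hides the password inside the Access-Request, and it authenticates the server's reply. The following Python is an added example, not Fortinet code, modelling that PAP exchange offline per RFC 2865 with both sides in one process (the wireless clients themselves authenticate with EAP, which this model does not cover). The account "alice", the passwords, the shared secrets and the NAS-Identifier "FortiGate" are constructed values.

```python
"""Offline model of the RADIUS PAP exchange behind a credential test (RFC 2865).

Added example, not FortiOS code: the client stands in for the FortiGate (the NAS)
and the server for the RADIUS server, both in one process so it needs no network.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows


def _attr(atype, value):
    """Type, Length (including this 2-byte header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _xor_chain(data, secret, authenticator, hiding):
    """RFC 2865 5.2: b1 = MD5(S+RA), c1 = p1^b1, b2 = MD5(S+c1), c2 = p2^b2, ..."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, key))
        out += result
        prev = result if hiding else block  # the chain always carries the ciphertext block
    return out


def hide_password(password, secret, authenticator):
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    return _xor_chain(password + b"\x00" * (-len(password) % 16), secret, authenticator, True)


def reveal_password(hidden, secret, authenticator):
    return _xor_chain(hidden, secret, authenticator, False).rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_id):
    request_auth = os.urandom(16)  # fresh per request; it also keys the password hiding
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + _attr(NAS_IDENTIFIER, nas_id.encode()))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_packet(pkt):
    """Return (code, identifier, authenticator, {attr type: value}) with bounds checks."""
    code, ident, length = HEADER.unpack_from(pkt)
    if not 20 <= length <= len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("bad attribute length")
        atype, alen = pkt[pos], pkt[pos + 1]
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, pkt[4:20], attrs


def radius_server(request, secret, users):
    """Server side: check PAP credentials, sign the reply with the Response Authenticator."""
    code, ident, request_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    given = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    expected = users.get(user, "").encode()
    ok = bool(expected) and hmac.compare_digest(given, expected)  # wrong secret => garbage => reject
    head = HEADER.pack(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret); no attributes here
    return head + hashlib.md5(head + request_auth + secret).digest()


def verify_response(response, request, secret):
    """Client side: trust the reply only if it is signed with our secret for our request."""
    _, ident, resp_auth, _ = parse_packet(response)
    if ident != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def check_user_credentials(username, password, client_secret, server_secret, users):
    """Model of a 'Test User Credentials' run: returns 'accept', 'reject' or 'secret-mismatch'."""
    request = build_access_request(42, username, password, client_secret, "FortiGate")
    response = radius_server(request, server_secret, users)
    if not verify_response(response, request, client_secret):
        return "secret-mismatch"  # reply not signed with our secret: discard it, do not trust its code
    return "accept" if parse_packet(response)[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    users = {"alice": "correct horse battery staple"}  # constructed sample account
    for pw, srv_secret in ((users["alice"], b"s3cret"), ("wrong", b"s3cret"), (users["alice"], b"other")):
        print(check_user_credentials("alice", pw, b"s3cret", srv_secret, users))
```

Running it prints accept, reject and secret-mismatch for the three cases. The third case is the one a mis-typed secret produces in this model: the server cannot recover the password and answers with a reject, but that reply fails the Response Authenticator check, so the client discards it instead of reporting a bad password. Check the secret first when a credential test fails.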
Select the SSID on a managed FortiAP. The following configuration is based on an example using a managed FortiAP-320C and a "FAP320C-default" profile that is applied to the FortiAP-320C. Do one of the following:
- Select the SSID by editing the FortiAP:
- Go to WiFi & Switch Controller > Managed FortiAPs. Select the FortiAP-320C and click Edit.
- Ensure that Managed AP Status is Connected.
- Under WiFi Setting, ensure that the configured FortiAP profile is the desired profile, in this case FAP320C-default. Click Edit entry.
- To broadcast the SSID from the 2.4 GHz radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to select the WPA2-Enterprise SSID created in the previous step.
- To broadcast the SSID from the 5 GHz radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to select the WPA2-Enterprise SSID created in the previous step.
- Click OK.
- Select the SSID by editing the FortiAP profile:
- Go to WiFi & Switch Controller > FortiAP Profile. Select the FAP320C-default profile, then click Edit.
- To broadcast the SSID from the 2.4 GHz radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to select the WPA2-Enterprise SSID created in the previous step.
- To broadcast the SSID from the 5 GHz radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to select the WPA2-Enterprise SSID created in the previous step.
- Click OK.
Create the SSID-to-Internet firewall policy:
- Go to Policy & Objects > IPv4 Policy, then click Create New.
- Enter the desired policy name.
- From the Incoming Interface dropdown list, select the source interface, such as wifi-vap.
- From the Outgoing Interface dropdown list, select the destination interface, such as wan1.
- In the Source and Destination fields, select all. In the Service field, select ALL. If desired, you can configure different values for these fields.
- Click OK.
To deploy WPA2-Enterprise SSID to FortiAP units using the FortiWiFi and FortiAP CLI:
- Create a RADIUS server. The secret below is a placeholder: use a long random shared secret, and configure the same value for this client on the RADIUS server:
config user radius
    edit "wifi-radius"
        set server "172.16.200.55"
        set secret fortinet
    next
end
- Create a user group:
config user group
    edit "group-radius"
        set member "wifi-radius"
    next
end
- Create a WPA2-Enterprise SSID. Do one of the following:
- Create an SSID with authentication from the RADIUS server:
config wireless-controller vap
    edit "wifi-vap"
        set ssid "Fortinet-Ent-Radius"
        set security wpa2-only-enterprise
        set auth radius
        set radius-server "wifi-radius"
    next
end
- Create an SSID with authentication from the user group:
config wireless-controller vap
    edit "wifi-vap"
        set ssid "Fortinet-Ent-Radius"
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroup "group-radius"
    next
end
- Configure an IP address and enable DHCP:
config system interface
    edit "wifi-vap"
        set ip 10.10.80.1 255.255.255.0
    next
end
config system dhcp server
    edit 1
        set dns-service default
        set default-gateway 10.10.80.1
        set netmask 255.255.255.0
        set interface "wifi-vap"
        config ip-range
            edit 1
                set start-ip 10.10.80.2
                set end-ip 10.10.80.254
            next
        end
        set timezone-option default
    next
end
- Select the SSID on a managed FortiAP. The following configuration is based on an example using a managed FortiAP-320C and a "FAP320C-default" profile that is applied to the FortiAP-320C:
config wireless-controller wtp
    edit "FP320C3X14000640"
        set admin enable
        set wtp-profile "FAP320C-default"
    next
end
config wireless-controller wtp-profile
    edit "FAP320C-default"
        config radio-1
            set vap-all disable
            set vaps "wifi-vap"
        end
        config radio-2
            set vap-all disable
            set vaps "wifi-vap"
        end
    next
end
- Create the SSID-to-Internet firewall policy:
config firewall policy
    edit 1
        set name "WiFi to Internet"
        set srcintf "wifi-vap"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set nat enable
    next
end
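The CLI fragments above only work together if the names line up: the SSID's auth source must exist, the DHCP scope must fit the interface subnet, and at least one FortiAP profile radio must list the SSID or it is never broadcast. The following Python is an added example, not Fortinet code. It parses the config/edit/set/next/end syntax into nested dictionaries and checks those relationships, plus that the security mode is an enterprise (802.1X) one and that the RADIUS secret is not a short placeholder. The embedded sample is a trimmed copy of the RADIUS variant above; the 16-character secret threshold and the lint function itself are this example's own choices.

```python
"""Consistency check for the FortiOS CLI above (added example, not Fortinet code)."""
import ipaddress
import shlex

# Trimmed copy of the page's CLI (RADIUS variant), used as the constructed sample input.
SAMPLE = """\
config user radius
    edit "wifi-radius"
        set secret fortinet
    next
end
config wireless-controller vap
    edit "wifi-vap"
        set security wpa2-only-enterprise
        set auth radius
        set radius-server "wifi-radius"
    next
end
config system interface
    edit "wifi-vap"
        set ip 10.10.80.1 255.255.255.0
    next
end
config system dhcp server
    edit 1
        set default-gateway 10.10.80.1
        set interface "wifi-vap"
        config ip-range
            edit 1
                set start-ip 10.10.80.2
                set end-ip 10.10.80.254
            next
        end
    next
end
config wireless-controller wtp-profile
    edit "FAP320C-default"
        config radio-1
            set vap-all disable
            set vaps "wifi-vap"
        end
    next
end
"""

def parse_fortios(text):
    """Return {table: {entry: {key: [values], nested-table: {...}}}}; unknown keywords are ignored."""
    root, stack = {}, []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        cur = stack[-1] if stack else root
        if kw in ("config", "edit"):  # both open a block; edit keys an entry
            stack.append(cur.setdefault(" ".join(args), {}))
        elif kw == "set":             # values are kept as a list of tokens
            cur[args[0]] = args[1:]
        elif kw in ("next", "end"):
            stack.pop()               # IndexError here means a stray next/end
    if stack:
        raise ValueError("unterminated config block")
    return root

def first(obj, key, default=""):
    return (obj.get(key) or [default])[0]

def lint(cfg):
    """Return findings; an empty list means SSID, RADIUS, addressing and radios agree."""
    out, radius = [], cfg.get("user radius", {})
    for name, vap in cfg.get("wireless-controller vap", {}).items():
        sec, auth = first(vap, "security"), first(vap, "auth")
        if not sec.endswith("-enterprise"):
            out.append(f"{name}: security '{sec}' is not an 802.1X (enterprise) mode")
        if auth == "radius" and first(vap, "radius-server") not in radius:
            out.append(f"{name}: radius-server '{first(vap, 'radius-server')}' is not defined")
        elif auth == "usergroup":
            grp = cfg.get("user group", {}).get(first(vap, "usergroup"))
            if grp is None or any(m not in radius for m in grp.get("member", [])):
                out.append(f"{name}: usergroup '{first(vap, 'usergroup')}' is missing or has non-RADIUS members")
        elif auth != "radius":
            out.append(f"{name}: auth '{auth}' is neither radius nor usergroup")
        ip = cfg.get("system interface", {}).get(name, {}).get("ip", [])
        net = ipaddress.ip_interface("/".join(ip)) if len(ip) == 2 else None
        for scope in cfg.get("system dhcp server", {}).values():
            if net is None or first(scope, "interface") != name:
                continue
            if first(scope, "default-gateway") != str(net.ip):
                out.append(f"{name}: DHCP default-gateway is not the interface address {net.ip}")
            for rng in scope.get("ip-range", {}).values():
                lo, hi = (ipaddress.ip_address(first(rng, k)) for k in ("start-ip", "end-ip"))
                if lo not in net.network or hi not in net.network:
                    out.append(f"{name}: DHCP range {lo}-{hi} lies outside {net.network}")
                elif lo <= net.ip <= hi:
                    out.append(f"{name}: DHCP range {lo}-{hi} includes the gateway {net.ip}")
        if not any(k.startswith("radio-") and isinstance(r, dict) and name in r.get("vaps", [])
                   for p in cfg.get("wireless-controller wtp-profile", {}).values() for k, r in p.items()):
            out.append(f"{name}: no FortiAP profile radio broadcasts this SSID")
    for rname, srv in radius.items():
        if len(first(srv, "secret")) < 16:  # threshold is this example's choice
            out.append(f"{rname}: shared secret is under 16 characters; use a long random one")
    return out
```

On the page's configuration the only finding is the 8-character secret. Switching the security mode to wpa2-only-personal, pointing the SSID at an undefined RADIUS server or user group, or starting the DHCP range at the gateway address each produce their own finding, which is the kind of mismatch that otherwise only shows up as clients failing to associate or get an address.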