
User Guide

Basic Settings

Configure the following basic settings for an SSID assigned to your network.

SSID

Type a name for this wireless network. Wireless clients use this name to find and connect to this wireless network.

Enabled

Select to have the SSID active.

Broadcast SSID

Select to advertise the SSID. All wireless clients within range can see the SSID when they scan for available networks.

Beacon Advertising

You can enable the advertising of vendor-specific elements in beacons that contain FortiAP information such as its name, model, and serial number. This lets administrators identify coverage areas easily during site surveys.

Consider the following scenarios that use this feature effectively.

  • The administrator gradually moves away from the FortiAP while continuously sniffing beacons, to determine whether that FortiAP can still be heard.

  • FortiAPs are easily identified during network troubleshooting.
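The site-survey scenarios above rely on reading the vendor-specific elements out of beacon frames. The following parser, added here as an illustration and not Fortinet code, walks the standard 802.11 element layout (one-byte element ID, one-byte length, data) and extracts every vendor-specific element (ID 221) together with its OUI. The sample frame body, the OUI 00:09:0F, and the "name|model|serial" payload layout are constructed for the example; the real FortiAP element layout is not documented on this page. Because beacons are unencrypted management frames, whatever is placed in them, including a serial number, is readable by any receiver in range, which is the trade-off this feature makes for survey convenience.

```python
"""Parse 802.11 information elements from a beacon frame body and extract
vendor-specific elements (element ID 221), the mechanism used to advertise
AP identity when Beacon Advertising is enabled.

Added example, not Fortinet code. The OUI and the payload layout are
assumptions made for illustration.
"""
from __future__ import annotations

import struct

VENDOR_SPECIFIC = 221   # 802.11 element ID for vendor-specific elements
SSID_ELEMENT = 0        # 802.11 element ID for the SSID element


def build_element(eid: int, data: bytes) -> bytes:
    """Encode one element as id(1 byte) + length(1 byte) + data."""
    if len(data) > 255:
        raise ValueError("element data exceeds 255 bytes")
    return struct.pack("BB", eid, len(data)) + data


def parse_elements(body: bytes) -> list[tuple[int, bytes]]:
    """Split an element blob into (element_id, data) pairs.

    A truncated trailing element is dropped rather than raising, since frames
    captured over the air are often clipped.
    """
    elements = []
    i = 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        data = body[i + 2 : i + 2 + length]
        if len(data) < length:
            break  # truncated element: stop parsing
        elements.append((eid, data))
        i += 2 + length
    return elements


def vendor_elements(body: bytes) -> list[dict]:
    """Return every vendor-specific element as {oui, oui_type, payload}."""
    out = []
    for eid, data in parse_elements(body):
        if eid != VENDOR_SPECIFIC or len(data) < 4:
            continue  # need at least OUI(3) + OUI type(1)
        out.append({
            "oui": ":".join(f"{b:02x}" for b in data[:3]),
            "oui_type": data[3],
            "payload": data[4:],
        })
    return out


def advertised_ap_info(body: bytes, oui: str = "00:09:0f") -> dict | None:
    """Return {name, model, serial} from the first vendor element matching `oui`.

    Assumes the constructed 'name|model|serial' payload layout. Returns None
    when no matching element is present.
    """
    for ve in vendor_elements(body):
        if ve["oui"] == oui:
            parts = ve["payload"].decode("ascii", "replace").split("|")
            if len(parts) == 3:
                return dict(zip(("name", "model", "serial"), parts))
    return None


# Constructed sample frame body: an SSID element plus one vendor-specific
# element. The OUI is assumed; the model and serial are placeholders.
SAMPLE_OUI = bytes.fromhex("00090f")
SAMPLE_BODY = (
    build_element(SSID_ELEMENT, b"corp-wifi")
    + build_element(
        VENDOR_SPECIFIC,
        SAMPLE_OUI + bytes([0x01]) + b"lobby-ap|FAP-MODEL-PLACEHOLDER|SERIAL-PLACEHOLDER",
    )
)

if __name__ == "__main__":
    print(advertised_ap_info(SAMPLE_BODY))
```

On a real survey the `body` bytes come from a capture tool; the element walk is the same regardless of which vendor's element is being looked for, so the same parser serves to inventory every vendor element a beacon carries.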

Client MAC Address Filtering
  1. Cloud Address Group Policy: Select an option to specify how the addresses in the MAC Access Control list must be handled. (For details on the MAC Access Control list, see MAC Access Control and MAC Filtering.)

    Choose between Disable, Allow, and Deny.

    • Disable: Select to bypass authentication of the MAC addresses listed in the MAC Access Control list.

    • Allow: Select to allow access to the MAC addresses listed in the MAC Access Control list.

    • Deny: Select to deny access to the MAC addresses listed in the MAC Access Control list.

    For the Allow and Deny options, select the Address Group from the drop-down list.

  2. External RADIUS MAC Authentication: Enable to validate MAC addresses against a RADIUS server.

    Select the RADIUS Server from the drop-down list.

    • MAC Username delimiter: Select the type of delimiter that the system can allow in the MAC usernames during validation. Choose between Hyphen, Single-hyphen, Colon, and None.

    • MAC Password delimiter: Select the type of delimiter that the system can allow in the MAC passwords during validation. Choose between Hyphen, Single-hyphen, Colon, and None.

    • MAC case: Choose between Uppercase and Lowercase.

Note:

  • When Cloud Address Group Policy is enabled, the MAC address is validated against the MAC Access Control list.

  • You can select either External RADIUS MAC Authentication or Cloud Address Group Policy, not both. When External RADIUS MAC Authentication is chosen, the AP acts as the authenticator; when Cloud Address Group Policy is chosen, the cloud acts as the authenticator.
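The delimiter and case options above decide the exact username and password strings the RADIUS server receives for a client MAC, so the RADIUS user database must be populated in the same format. The following script, added here as an illustration and not Fortinet code, renders a MAC under each option and applies a Cloud Address Group Policy (Disable, Allow, Deny) against a MAC Access Control list. The mapping of each delimiter option to a string layout (Hyphen aa-bb-cc-dd-ee-ff, Single-hyphen aabbcc-ddeeff, Colon aa:bb:cc:dd:ee:ff, None aabbccddeeff) is an assumption made for the example; the sample access list is constructed.

```python
"""Render a client MAC the way a RADIUS server would receive it under each
'MAC Username delimiter' / 'MAC Password delimiter' / 'MAC case' option, and
evaluate a Cloud Address Group Policy against a MAC Access Control list.

Added example, not Fortinet code. The delimiter-to-layout mapping is an
assumption for illustration.
"""
from __future__ import annotations

import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def canonical_mac(mac: str) -> str:
    """Strip separators and lowercase; reject anything that is not 12 hex digits."""
    raw = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(raw):
        raise ValueError(f"not a MAC address: {mac!r}")
    return raw


def is_valid_mac(mac: str) -> bool:
    try:
        canonical_mac(mac)
        return True
    except ValueError:
        return False


def format_mac(mac: str, delimiter: str = "Colon", case: str = "Lowercase") -> str:
    """Apply one delimiter option and one case option (assumed layouts)."""
    raw = canonical_mac(mac)
    pairs = [raw[i:i + 2] for i in range(0, 12, 2)]
    if delimiter == "Hyphen":
        out = "-".join(pairs)                 # aa-bb-cc-dd-ee-ff
    elif delimiter == "Single-hyphen":
        out = raw[:6] + "-" + raw[6:]         # aabbcc-ddeeff
    elif delimiter == "Colon":
        out = ":".join(pairs)                 # aa:bb:cc:dd:ee:ff
    elif delimiter == "None":
        out = raw                             # aabbccddeeff
    else:
        raise ValueError(f"unknown delimiter option {delimiter!r}")
    return out.upper() if case == "Uppercase" else out


def radius_mac_credentials(mac: str, user_delim: str, pass_delim: str, case: str) -> tuple[str, str]:
    """(username, password) pair the AP would send for MAC authentication."""
    return format_mac(mac, user_delim, case), format_mac(mac, pass_delim, case)


def cloud_policy_decision(policy: str, mac: str, acl: set[str]) -> bool:
    """True if the client may associate.

    Disable bypasses the list, Allow permits only listed MACs, Deny blocks
    listed MACs. Entries are canonicalized so that a list pasted in mixed
    formats still matches.
    """
    if policy == "Disable":
        return True
    listed = canonical_mac(mac) in {canonical_mac(m) for m in acl}
    if policy == "Allow":
        return listed
    if policy == "Deny":
        return not listed
    raise ValueError(f"unknown policy {policy!r}")


# Constructed sample MAC Access Control list, deliberately in mixed formats.
SAMPLE_ACL = {"00:11:22:33:44:55", "00-11-22-33-44-66"}

if __name__ == "__main__":
    for d in ("Hyphen", "Single-hyphen", "Colon", "None"):
        print(d, format_mac("00:11:22:33:44:aa", d, "Uppercase"))
    print(cloud_policy_decision("Allow", "00-11-22-33-44-55", SAMPLE_ACL))
```

The canonicalization step matters for both mechanisms: a RADIUS user entry stored as 00:11:22:33:44:AA will never match a request formatted as 0011223344aa, and an access list copied from a spreadsheet with dots or dashes will silently fail to match unless separators are normalized first.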

Mesh Link

Select to enable the mesh link. A wireless mesh eliminates the need for Ethernet wiring by connecting Wi-Fi APs to each other by radio.

Only one AP (root AP) is connected to the wired network and all other APs (leaf APs) connect to this mesh root AP over the wireless backhaul SSID.

This is supported for WPA3 - SAE, WPA2 - Personal, and Open modes of authentication.

Data Encryption

When either of the mixed mode authentication methods is enabled, select a data encryption protocol: AES, TKIP, or TKIP-AES.

Simple Multiple Pre-shared Keys (MPSK)

Simple Multiple PSKs can also be configured for Personal SSIDs, in which case stations will be able to connect to an SSID using either a common PSK or their own PSK. You can select the configured schedule profile for activating multiple PSKs. For more information, see Schedule Profile.

Note: A maximum of 128 multiple PSKs are allowed per SSID.

MPSK

You can create multiple pre-shared key groups to associate with VLANs; up to 16000 keys are supported per network.

Adding MPSK Groups

  • Click Add and enter a unique Group Name and VLAN ID to associate the MPSK group with and configure pre-shared keys.
  • Click Import to import (.csv) and populate existing MPSK groups into the SSID profile.
  • Click Export to export the existing MPSK groups into your local machine in .csv format.

Adding Pre-shared keys

  • Click Add to create new pre-shared keys and update the following.
    1. A unique Name and Pre-shared Key (8 to 63 characters or 64 hexadecimal digits).
    2. The client MAC Address for which this key is used. This field takes precedence over the client limit.
    3. Select the Client Limit.
      Default - The maximum number of clients is determined by the default client limit, which is set at the SSID level. If this value is not set, an unlimited number of clients can connect to the key.
      Unlimited - An unlimited number of clients can connect to the key.
      Specify - The specified maximum number of clients can connect to the key.
    4. Select a configured Schedule Profile. See Schedule Profile.
    5. Enter User Name, User Email address, and Mobile number (prefixed with the country code). These credentials are used to send pre-shared keys to email addresses (Send Keys via Email) or via SMS (Send Keys via SMS) on the associated mobile number.
  • Click Generate to auto-generate pre-shared keys and update the following.
    1. A unique Name Prefix (1 - 32 alphanumeric characters) for the generated keys and the Number of Keys to generate (1 - 16383).
    2. The required Key Length (8 - 63 characters).
    3. Specify the Client Limit and the configured Schedule Profile. See Schedule Profile.
  • Click Import to import (.csv) and populate existing pre-shared keys in the MPSK group.
  • Click Export to export the existing pre-shared keys into your local machine in .csv format.
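The Generate, Import and Export steps above amount to a small key-management pipeline: keys named from a prefix, each within the 8 to 63 character bound, checked on import, and moved around as .csv. The following script, added here as an illustration and not Fortinet code, implements that pipeline with the bounds the page gives (prefix 1 - 32 alphanumeric characters, 1 - 16383 keys, key length 8 - 63, PSK of 8 - 63 characters or 64 hexadecimal digits). It also shows why the 64-hex form is accepted: WPA2 derives the 256-bit PMK from a passphrase with PBKDF2-HMAC-SHA1 using the SSID as salt and 4096 iterations, and the 64-hex form is that PMK entered directly. The CSV column names are an assumption; the product's real import/export layout is not defined on this page.

```python
"""Generate, validate, export and re-import multiple pre-shared keys.

Added example, not Fortinet code. Bounds follow the MPSK section; the CSV
column names are assumed.
"""
from __future__ import annotations

import csv
import hashlib
import io
import re
import secrets
import string

_HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")
_PREFIX = re.compile(r"^[A-Za-z0-9]{1,32}$")
_KEY_ALPHABET = string.ascii_letters + string.digits
CSV_FIELDS = ["name", "psk", "client_limit"]   # assumed column layout


def validate_psk(psk: str) -> bool:
    """Accept 64 hex digits (a raw PMK) or 8 - 63 printable ASCII characters."""
    if _HEX64.match(psk):
        return True
    return 8 <= len(psk) <= 63 and all(32 <= ord(c) <= 126 for c in psk)


def generate_keys(prefix: str, count: int, key_length: int, client_limit="Default") -> list[dict]:
    """Auto-generate keys named <prefix><n>, each drawn from a CSPRNG."""
    if not _PREFIX.match(prefix):
        raise ValueError("prefix must be 1-32 alphanumeric characters")
    if not 1 <= count <= 16383:
        raise ValueError("count must be 1-16383")
    if not 8 <= key_length <= 63:
        raise ValueError("key length must be 8-63 characters")
    keys = []
    for n in range(1, count + 1):
        psk = "".join(secrets.choice(_KEY_ALPHABET) for _ in range(key_length))
        keys.append({"name": f"{prefix}{n}", "psk": psk, "client_limit": str(client_limit)})
    return keys


def passphrase_to_pmk_hex(passphrase: str, ssid: str) -> str:
    """WPA2 PSK derivation: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


def export_csv(keys: list[dict]) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_FIELDS)
    writer.writeheader()
    writer.writerows(keys)
    return buf.getvalue()


def import_csv(text: str) -> tuple[list[dict], list[str]]:
    """Return (accepted rows, names of rejected rows). A row is rejected when
    its PSK fails validation or its name duplicates an earlier row."""
    accepted, rejected, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(text)):
        if row["name"] in seen or not validate_psk(row["psk"]):
            rejected.append(row["name"])
            continue
        seen.add(row["name"])
        accepted.append(row)
    return accepted, rejected


if __name__ == "__main__":
    batch = generate_keys("guest", 3, 16, client_limit=2)
    print(export_csv(batch))
    print(passphrase_to_pmk_hex("example passphrase", "corp-wifi"))
```

Keys are drawn with the `secrets` module rather than `random` because a per-client PSK is a credential; a predictable generator would let one client's key be inferred from another's. The import step rejects rather than silently truncating an out-of-range key, which is the behaviour you want before a batch of keys is mailed or texted out.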

RADIUS Authentication by

The FortiAP acts as a RADIUS client and sends accounting information to the configured RADIUS server.

This configuration parameter is applicable ONLY when the SSID operates in the OPEN security mode with external captive portal and RADIUS authentication and accounting parameters.

When RADIUS Authentication by is enabled, the FortiAP redirects clients to the configured external captive portal, collects credentials and performs RADIUS authentication and accounting. When disabled (default), the legacy functionality continues where the FortiAP redirects all clients to a centralized FortiEdge Cloud which then redirects them to the configured external captive portal.

When you enable RADIUS Authentication by, the following parameters become configurable.

  • Secure HTTP - When enabled, the configured external captive portal web server posts collected credentials to the FortiAP over HTTPS rather than plain HTTP. This is disabled by default.
  • Session Interval - The time interval after which the captive portal authentication session is invalidated and the user is required to log in again. The valid range for the session interval is 0 - 864000 seconds; 0 (default) indicates that the user is never logged out.

Note: This feature is supported on FAP-S and FAP-W2 models with firmware versions 6.2 and 6.4.

RADIUS Acct Settings

Select the RADIUS profile for accounting.

CoA is also supported and can be enabled in the RADIUS Accounting profile.

IP assignment

Select Bridge or NAT. If you choose NAT, then complete the following:

  • Local LAN: Select Allow or Deny.
  • DHCP Lease Time: Default is 3600 seconds (or one hour).
  • IP/Network Mask: Type the IP address and network mask of the SSID.
  • DNS Status: You can push DNS configuration to a DHCP server running on the FortiAP. When creating an SSID, enable DNS Status and the wireless endpoints receive the configured DNS server IP addresses via DHCP when connecting to the SSID. You can configure a maximum of 3 DNS server IP addresses (IPv4 only). For Enterprise SSIDs, the RADIUS server can assign or override these DNS servers.

QoS Profile

If you want to apply a QoS profile that you have already created, select it from the list.

VLAN ID

If the IP assignment is Bridge, you can type the ID of the VLAN for your wireless network (SSID).
Default is 0 for non-VLAN operation.

To view the dynamic VLAN ID based on the FortiAP data, see Clients.