Virtual LANs (VLANs) are used to assign wireless users to different networks without requiring the use of multiple SSIDs. Each user's VLAN assignment is stored in the user database of the RADIUS server that authenticates the users.
This example creates dynamic VLANs for the Techdoc and Marketing departments. The RADIUS server is a FortiAuthenticator.
Go to Authentication > RADIUS Service > Clients to register the FortiGate as a client.
Enter a Secret (a password) and remember it. It will also be used in the FortiGate configuration.
Go to Authentication > User Management > Local Users and create local user accounts as needed.
For each user, add these RADIUS attributes which specify the VLAN information to be sent to the FortiGate.
Tunnel-Private-Group-Id specifies the VLAN ID.
In this example, jsmith is assigned VLAN 100 and twhite is assigned VLAN 200.
Go to User & Device > RADIUS Servers. Select Create New.
Enter the FortiAuthenticator IP address and the server secret that you entered on the FortiAuthenticator. Optionally, you can click Test Connectivity. Enter a RADIUS user's ID and password. The result should be “Successful”.
Go to WiFi Controller > SSID. Create a new SSID.
Set up DHCP service.
Select WPA2 Enterprise security and select your RADIUS server for authentication.
Set the default VLAN ID to 10. This VLAN is used when RADIUS doesn't assign a VLAN.
Go to the Dashboard and use the CLI Console to enable dynamic VLANs on the SSID.
config wireless-controller vap edit example-wifi set dynamic-vlan enable next end
Go to Network > Interfaces.
Create the VLAN interface for default VLAN-10 and set up DHCP service.
Create the VLAN interface for marketing-100 and set up DHCP service.
Create the VLAN interface for techdoc-200 and set up DHCP service.
Go to Policy & Objects > IPv4 Policy.
Create a policy that allows outbound traffic from marketing-100 to the Internet.
In Logging Options, enable logging for all sessions.
Create a policy that allows outbound traffic from techdoc-200 to the Internet.
For this policy too, in Logging Options enable logging for all sessions.
Go to WiFi Controller > FortiAP Profiles.
Create a new profile for your FortiAP model and select the new SSID for both Radio 1 and Radio 2.
Go to Network > Interfaces and choose an unused interface.
Set Addressing mode to Dedicated to Extension Device.
Connect the FortiAP unit to the this interface and apply power.
Go to WiFi Controller > Managed FortiAPs.
Right-click on the FortiAP unit. Select Authorize.
Right-click on the FortiAP unit again. Select Assign Profile and select the FortiAP profile that you created.
The SSID will appear in the list of available wireless networks on the users' devices.
Both twhite and jsmith can connect to the SSID with their credentials and access the Internet (if a certificate warning message appears, accept the certificate).
Go to Log & Report > Forward Traffic.
Note that traffic for jsmith and twhite pass through different policies (the column selections were customized for clarity).
The security policies could be made different so that Marketing and Techdoc departments were allowed different access, but didn't think that was fair.