Fortinet white logo
Fortinet white logo

CLI Reference

wireless-controller vap

wireless-controller vap

Use this command to configure Virtual Access Points (VAPs). The following entries have append options, whereby you can add values without needing to retype the whole list of values:

  • selected-usergroups
  • broadcast-suppression
  • rates-11a
  • rates-11bg
  • rates-11n-ss12
  • rates-11n-ss34
  • rates-11ac-ss12
  • rates-11ac-ss34

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.2.

Command Description

set portal-type mac-auth

Set portal type for authentication and MAC authentication.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.

Command Description

set radio-sensitivity {enable | disable}

set radio-5g-threshold <dbm>

set radio-2g-threshold <dbm>

Enable and specify Receiver Start of Packet (RX-SOP) detection thresholds in dBm. Received manage frames will be dropped when the signal strength is less than the configured thresholds. Set the threshold ranges between -95 and -20.

Note that radio-5g-threshold and radio-2g-threshold are only available when radio-sensitivity is set to enable.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set dhcp-option82-insertion {enable | disable}

set dhcp-option82-circuit-id-insertion {style-1 | style-2 | disable}

set dhcp-option82-remote-id-insertion {style-1 | disable}

Enable or disable DHCP option 82 insert options. All entries are set to disable by default.

Note that the id-insertion options are only available when dhcp-option82-insertion is set to enable.

set mac-auth-bypass {enable | disable}

Enable or disable MAC authentication bypass for Captive Portal SSID.

set utm-profile <name>

Apply UTM profiles, created under config wireless-controller utm-profile, to VAPs.

set local-lan {allow | deny}

Allow or deny a client connected to a VAP, whose traffic is not tunneled to the controller, to access the local network.

When local-lan is set to allow (by default), FortiAP allows clients on the SSID to access the local LAN and the Internet (same way as before). When local-lan is set to deny, FortiAP prevents clients on the SSID from accessing the local LAN but still allows them to connect to the Internet. In addtion, Intra-SSID Privacy is enforced, meaning clients on the SSID cannot communicate with each other.

Note that this entry is only available when local-standalone-nat is set to enable.

set quarantine {enable | disable}

Manual quarantining can be configured here, in order to consolidate previous CLI syntax.

Host endpoints can be entered in a single place and it will be quarantined throughout the access layer devices on the Security Fabric.

set captive-portal-session-timeout-interval <seconds>

Configure a session timeout interval in seconds for Captive Portal users. Set the range between 0 - 864000 (or no timeout to ten days). The default is set to 0.

Note that that this command is only available when local-standalone is set to enable, security is set to captive-portal, and then portal-type is set to either cmcc or cmcc-macauth.

config wireless-controller vap
    edit {name}
    # Configure Virtual Access Points (VAPs).
        set name {string}   Virtual AP name. size[15]
        set vdom {string}   Name of the VDOM that the Virtual AP has been added to. size[31] - datasource(s): system.vdom.name
        set fast-roaming {enable | disable}   Enable/disable fast-roaming, or pre-authentication, where supported by clients (default = disable).
        set external-fast-roaming {enable | disable}   Enable/disable fast roaming or pre-authentication with external APs not managed by the FortiGate (default = disable).
        set mesh-backhaul {enable | disable}   Enable/disable using this VAP as a WiFi mesh backhaul (default = disable). This entry is only available when security is set to a WPA type or open.
        set max-clients {integer}   Maximum number of clients that can connect simultaneously to the VAP (default = 0, meaning no limitation). range[0-4294967295]
        set max-clients-ap {integer}   Maximum number of clients that can connect simultaneously to each radio (default = 0, meaning no limitation). range[0-4294967295]
        set ssid {string}   IEEE 802.11 service set identifier (SSID) for the wireless interface. Users who wish to use the wireless network must configure their computers to access this SSID name. size[32]
        set broadcast-ssid {enable | disable}   Enable/disable broadcasting the SSID (default = enable).
        set security-obsolete-option {enable | disable}   Enable/disable obsolete security options.
        set security {option}   Security mode for the wireless interface (default = wpa2-only-personal).
                open                               Open.
                captive-portal                     Captive portal.
                wep64                              WEP 64-bit.
                wep128                             WEP 128-bit.
                wpa-personal                       WPA/WPA2 personal.
                wpa-personal+captive-portal        WPA/WPA2 personal with captive portal.
                wpa-enterprise                     WPA/WPA2 enterprise.
                wpa-only-personal                  WPA personal.
                wpa-only-personal+captive-portal   WPA personal with captive portal.
                wpa-only-enterprise                WPA enterprise.
                wpa2-only-personal                 WPA2 personal.
                wpa2-only-personal+captive-portal  WPA2 personal with captive portal.
                wpa2-only-enterprise               WPA2 enterprise.
                osen                               OSEN.
        set pmf {disable | enable | optional}   Protected Management Frames (PMF) support (default = disable).
        set pmf-assoc-comeback-timeout {integer}   Protected Management Frames (PMF) comeback maximum timeout (1-20 sec). range[1-20]
        set pmf-sa-query-retry-timeout {integer}   Protected Management Frames (PMF) SA query retry timeout interval (1 - 5 100s of msec). range[1-5]
        set okc {disable | enable}   Enable/disable Opportunistic Key Caching (OKC) (default = enable).
        set voice-enterprise {disable | enable}   Enable/disable 802.11k and 802.11v assisted Voice-Enterprise roaming (default = disable).
        set fast-bss-transition {disable | enable}   Enable/disable 802.11r Fast BSS Transition (FT) (default = disable).
        set ft-mobility-domain {integer}   Mobility domain identifier in FT (1 - 65535, default = 1000). range[1-65535]
        set ft-r0-key-lifetime {integer}   Lifetime of the PMK-R0 key in FT, 1-65535 minutes. range[1-65535]
        set ft-over-ds {disable | enable}   Enable/disable FT over the Distribution System (DS).
        set eapol-key-retries {disable | enable}   Enable/disable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2) (default = enable).
        set tkip-counter-measure {enable | disable}   Enable/disable TKIP counter measure.
        set external-web {string}   URL of external authentication web server. size[127]
        set external-logout {string}   URL of external authentication logout server. size[127]
        set mac-auth-bypass {enable | disable}   Enable/disable MAC authentication bypass.
        set radius-mac-auth {enable | disable}   Enable/disable RADIUS-based MAC authentication of clients (default = disable).
        set radius-mac-auth-server {string}   RADIUS-based MAC authentication server. size[35]
        config radius-mac-auth-usergroups
            edit {name}
            # Selective user groups that are permitted for RADIUS mac authentication.
                set name {string}   User group name. size[64]
            next
        set auth {psk | radius | usergroup}   Authentication protocol.
                psk        Use a single Pre-shard Key (PSK) to authenticate all users.
                radius     Use a RADIUS server to authenticate clients.
                usergroup  Use a firewall usergroup to authenticate clients.
        set encrypt {TKIP | AES | TKIP-AES}   Encryption protocol to use (only available when security is set to a WPA type).
                TKIP      Use TKIP encryption.
                AES       Use AES encryption.
                TKIP-AES  Use TKIP and AES encryption.
        set keyindex {integer}   WEP key index (1 - 4). range[1-4]
        set key {password_string}   WEP Key. size[128]
        set passphrase {password_string}   WPA pre-shard key (PSK) to be used to authenticate WiFi users. size[128]
        set radius-server {string}   RADIUS server to be used to authenticate WiFi users. size[35]
        set acct-interim-interval {integer}   WiFi RADIUS accounting interim interval (60 - 86400 sec, default = 0). range[60-86400]
        set local-standalone {enable | disable}   Enable/disable AP local standalone (default = disable).
        set local-standalone-nat {enable | disable}   Enable/disable AP local standalone NAT mode.
        set ip {ipv4 classnet host}   IP address and subnet mask for the local standalone NAT subnet.
        set dhcp-lease-time {integer}   DHCP lease time in seconds for NAT IP address. range[300-8640000]
        set local-bridging {enable | disable}   Enable/disable bridging of wireless and Ethernet interfaces on the FortiAP (default = disable).
        set local-lan {allow | deny}   Allow/deny traffic destined for a Class A, B, or C private IP address (default = allow).
                allow  Allow traffic destined for a Class A, B, or C private IP address.
                deny   Deny traffic destined for a Class A, B, or C private IP address.
        set local-authentication {enable | disable}   Enable/disable AP local authentication.
        config usergroup
            edit {name}
            # Firewall user group to be used to authenticate WiFi users.
                set name {string}   User group name. size[64]
            next
        set portal-message-override-group {string}   Replacement message group for this VAP (only available when security is set to a captive portal type). size[35]
        config portal-message-overrides
            set auth-disclaimer-page {string}   Override auth-disclaimer-page message with message from portal-message-overrides group. size[35]
            set auth-reject-page {string}   Override auth-reject-page message with message from portal-message-overrides group. size[35]
            set auth-login-page {string}   Override auth-login-page message with message from portal-message-overrides group. size[35]
            set auth-login-failed-page {string}   Override auth-login-failed-page message with message from portal-message-overrides group. size[35]
        set portal-type {option}   Captive portal functionality. Configure how the captive portal authenticates users and whether it includes a disclaimer.
                auth             Portal for authentication.
                auth+disclaimer  Portal for authentication and disclaimer.
                disclaimer       Portal for disclaimer.
                email-collect    Portal for email collection.
                cmcc             Portal for CMCC.
                cmcc-macauth     Portal for CMCC and MAC authentication.
                auth-mac         Portal for authentication and MAC authentication.
        config selected-usergroups
            edit {name}
            # Selective user groups that are permitted to authenticate.
                set name {string}   User group name. size[64]
            next
        set security-exempt-list {string}   Optional security exempt list for captive portal authentication. size[35]
        set security-redirect-url {string}   Optional URL for redirecting users after they pass captive portal authentication. size[127]
        set intra-vap-privacy {enable | disable}   Enable/disable blocking communication between clients on the same SSID (called intra-SSID privacy) (default = disable).
        set schedule {string}   VAP schedule name. size[35]
        set ldpc {disable | rx | tx | rxtx}   VAP low-density parity-check (LDPC) coding configuration.
                disable  Disable LDPC.
                rx       Enable LDPC when receiving traffic.
                tx       Enable LDPC when transmitting traffic.
                rxtx     Enable LDPC when both receiving and transmitting traffic.
        set mpsk {enable | disable}   Enable/disable multiple pre-shared keys (PSKs.)
        set mpsk-concurrent-clients {integer}   Number of pre-shared keys (PSKs) to allow if multiple pre-shared keys are enabled. range[0-65535]
        config mpsk-key
            edit {key-name}
            # Pre-shared keys that can be used to connect to this virtual access point.
                set key-name {string}   Pre-shared key name. size[35]
                set passphrase {password_string}   WPA Pre-shared key. size[128]
                set concurrent-clients {string}   Number of clients that can connect using this pre-shared key. size[15]
                set comment {string}   Comment. size[255]
            next
        set split-tunneling {enable | disable}   Enable/disable split tunneling (default = disable).
        set vlanid {integer}   Optional VLAN ID. range[0-4094]
        set vlan-auto {enable | disable}   Enable/disable automatic management of SSID VLAN interface.
        set dynamic-vlan {enable | disable}   Enable/disable dynamic VLAN assignment.
        set captive-portal-radius-server {string}   Captive portal RADIUS server domain name or IP address. size[63]
        set captive-portal-radius-secret {password_string}   Secret key to access the RADIUS server. size[128]
        set captive-portal-macauth-radius-server {string}   Captive portal external RADIUS server domain name or IP address. size[63]
        set captive-portal-macauth-radius-secret {password_string}   Secret key to access the macauth RADIUS server. size[128]
        set captive-portal-ac-name {string}   Local-bridging captive portal ac-name. size[35]
        set captive-portal-session-timeout-interval {integer}   Session timeout interval (0 - 864000 sec, default = 0). range[0-864000]
        set alias {string}   Alias. size[25]
        set multicast-rate {0 | 6000 | 12000 | 24000}   Multicast rate (0, 6000, 12000, or 24000 kbps, default = 0).
                0      Use the default multicast rate.
                6000   6 Mbps.
                12000  12 Mbps.
                24000  24 Mbps.
        set multicast-enhance {enable | disable}   Enable/disable converting multicast to unicast to improve performance (default = disable).
        set broadcast-suppression {option}   Optional suppression of broadcast messages. For example, you can keep DHCP messages, ARP broadcasts, and so on off of the wireless network.
                dhcp-up          Suppress broadcast uplink DHCP messages.
                dhcp-down        Suppress broadcast downlink DHCP messages.
                dhcp-starvation  Suppress broadcast DHCP starvation req messages.
                arp-known        Suppress broadcast ARP for known wireless clients.
                arp-unknown      Suppress broadcast ARP for unknown wireless clients.
                arp-reply        Suppress broadcast ARP reply from wireless clients.
                arp-poison       Suppress ARP poison messages from wireless clients.
                arp-proxy        Reply ARP requests for wireless clients as a proxy.
                netbios-ns       Suppress NetBIOS name services packets with UDP port 137.
                netbios-ds       Suppress NetBIOS datagram services packets with UDP port 138.
                ipv6             Suppress IPv6 packets.
                all-other-mc     Suppress all other multicast messages.
                all-other-bc     Suppress all other broadcast messages.
        set me-disable-thresh {integer}   Disable multicast enhancement when this many clients are receiving multicast traffic. range[2-256]
        set probe-resp-suppression {enable | disable}   Enable/disable probe response suppression (to ignore weak signals) (default = disable).
        set probe-resp-threshold {string}   Minimum signal level/threshold in dBm required for the AP response to probe requests (-95 to -20, default = -80). size[7]
        set radio-sensitivity {enable | disable}   Enable/disable software radio sensitivity (to ignore weak signals) (default = disable).
        set quarantine {enable | disable}   Enable/disable station quarantine (default = enable).
        set radio-5g-threshold {string}   Minimum signal level/threshold in dBm required for the AP response to receive a packet in 5G band(-95 to -20, default = -76). size[7]
        set radio-2g-threshold {string}   Minimum signal level/threshold in dBm required for the AP response to receive a packet in 2.4G band (-95 to -20, default = -79). size[7]
        set vlan-pooling {wtp-group | round-robin | hash | disable}   Enable/disable VLAN pooling, to allow grouping of multiple wireless controller VLANs into VLAN pools (default = disable). When set to wtp-group, VLAN pooling occurs with VLAN assignment by wtp-group.
                wtp-group    Enable VLAN pooling with VLAN assignment by wtp-group.
                round-robin  Enable VLAN pooling with round-robin VLAN assignment.
                hash         Enable VLAN pooling with hash-based VLAN assignment.
                disable      Disable VLAN pooling.
        config vlan-pool
            edit {id}
            # VLAN pool.
                set id {integer}   ID. range[0-4094]
                set wtp-group {string}   WTP group name. size[35]
            next
        set dhcp-option82-insertion {enable | disable}   Enable/disable DHCP option 82 insert (default = disable).
        set dhcp-option82-circuit-id-insertion {style-1 | style-2 | disable}   Enable/disable DHCP option 82 circuit-id insert (default = disable).
                style-1  ASCII string composed of AP-MAC;SSID;SSID-TYPE. For example, "xx:xx:xx:xx:xx:xx;wifi;s".
                style-2  ASCII string composed of AP-MAC. For example, "xx:xx:xx:xx:xx:xx".
                disable  Disable DHCP option 82 circuit-id insert.
        set dhcp-option82-remote-id-insertion {style-1 | disable}   Enable/disable DHCP option 82 remote-id insert (default = disable).
                style-1  ASCII string in the format �xx:xx:xx:xx:xx:xx� containing MAC address of client device.
                disable  Disable DHCP option 82 remote-id insert.
        set ptk-rekey {enable | disable}   Enable/disable PTK rekey for WPA-Enterprise security.
        set ptk-rekey-intv {integer}   PTK rekey interval (1800 - 864000 sec, default = 86400). range[1800-864000]
        set gtk-rekey {enable | disable}   Enable/disable GTK rekey for WPA security.
        set gtk-rekey-intv {integer}   GTK rekey interval (1800 - 864000 sec, default = 86400). range[1800-864000]
        set eap-reauth {enable | disable}   Enable/disable EAP re-authentication for WPA-Enterprise security.
        set eap-reauth-intv {integer}   EAP re-authentication interval (1800 - 864000 sec, default = 86400). range[1800-864000]
        set qos-profile {string}   Quality of service profile name. size[35]
        set hotspot20-profile {string}   Hotspot 2.0 profile name. size[35]
        set rates-11a {option}   Allowed data rates for 802.11a.
                1          1 Mbps supported rate.
                1-basic    1 Mbps BSS basic rate.
                2          2 Mbps supported rate.
                2-basic    2 Mbps BSS basic rate.
                5.5        5.5 Mbps supported rate.
                5.5-basic  5.5 Mbps BSS basic rate.
                11         11 Mbps supported rate.
                11-basic   11 Mbps BSS basic rate.
                6          6 Mbps supported rate.
                6-basic    6 Mbps BSS basic rate.
                9          9 Mbps supported rate.
                9-basic    9 Mbps BSS basic rate.
                12         12 Mbps supported rate.
                12-basic   12 Mbps BSS basic rate.
                18         18 Mbps supported rate.
                18-basic   18 Mbps BSS basic rate.
                24         24 Mbps supported rate.
                24-basic   24 Mbps BSS basic rate.
                36         36 Mbps supported rate.
                36-basic   36 Mbps BSS basic rate.
                48         48 Mbps supported rate.
                48-basic   48 Mbps BSS basic rate.
                54         54 Mbps supported rate.
                54-basic   54 Mbps BSS basic rate.
        set rates-11bg {option}   Allowed data rates for 802.11b/g.
                1          1 Mbps supported rate.
                1-basic    1 Mbps BSS basic rate.
                2          2 Mbps supported rate.
                2-basic    2 Mbps BSS basic rate.
                5.5        5.5 Mbps supported rate.
                5.5-basic  5.5 Mbps BSS basic rate.
                11         11 Mbps supported rate.
                11-basic   11 Mbps BSS basic rate.
                6          6 Mbps supported rate.
                6-basic    6 Mbps BSS basic rate.
                9          9 Mbps supported rate.
                9-basic    9 Mbps BSS basic rate.
                12         12 Mbps supported rate.
                12-basic   12 Mbps BSS basic rate.
                18         18 Mbps supported rate.
                18-basic   18 Mbps BSS basic rate.
                24         24 Mbps supported rate.
                24-basic   24 Mbps BSS basic rate.
                36         36 Mbps supported rate.
                36-basic   36 Mbps BSS basic rate.
                48         48 Mbps supported rate.
                48-basic   48 Mbps BSS basic rate.
                54         54 Mbps supported rate.
                54-basic   54 Mbps BSS basic rate.
        set rates-11n-ss12 {option}   Allowed data rates for 802.11n with 1 or 2 spatial streams.
                mcs0/1   Data rate for MCS index 0 with 1 spatial stream.
                mcs1/1   Data rate for MCS index 1 with 1 spatial stream.
                mcs2/1   Data rate for MCS index 2 with 1 spatial stream.
                mcs3/1   Data rate for MCS index 3 with 1 spatial stream.
                mcs4/1   Data rate for MCS index 4 with 1 spatial stream.
                mcs5/1   Data rate for MCS index 5 with 1 spatial stream.
                mcs6/1   Data rate for MCS index 6 with 1 spatial stream.
                mcs7/1   Data rate for MCS index 7 with 1 spatial stream.
                mcs8/2   Data rate for MCS index 8 with 2 spatial streams.
                mcs9/2   Data rate for MCS index 9 with 2 spatial streams.
                mcs10/2  Data rate for MCS index 10 with 2 spatial streams.
                mcs11/2  Data rate for MCS index 11 with 2 spatial streams.
                mcs12/2  Data rate for MCS index 12 with 2 spatial streams.
                mcs13/2  Data rate for MCS index 13 with 2 spatial streams.
                mcs14/2  Data rate for MCS index 14 with 2 spatial streams.
                mcs15/2  Data rate for MCS index 15 with 2 spatial streams.
        set rates-11n-ss34 {option}   Allowed data rates for 802.11n with 3 or 4 spatial streams.
                mcs16/3  Data rate for MCS index 16 with 3 spatial streams.
                mcs17/3  Data rate for MCS index 17 with 3 spatial streams.
                mcs18/3  Data rate for MCS index 18 with 3 spatial streams.
                mcs19/3  Data rate for MCS index 19 with 3 spatial streams.
                mcs20/3  Data rate for MCS index 20 with 3 spatial streams.
                mcs21/3  Data rate for MCS index 21 with 3 spatial streams.
                mcs22/3  Data rate for MCS index 22 with 3 spatial streams.
                mcs23/3  Data rate for MCS index 23 with 3 spatial streams.
                mcs24/4  Data rate for MCS index 24 with 4 spatial streams.
                mcs25/4  Data rate for MCS index 25 with 4 spatial streams.
                mcs26/4  Data rate for MCS index 26 with 4 spatial streams.
                mcs27/4  Data rate for MCS index 27 with 4 spatial streams.
                mcs28/4  Data rate for MCS index 28 with 4 spatial streams.
                mcs29/4  Data rate for MCS index 29 with 4 spatial streams.
                mcs30/4  Data rate for MCS index 30 with 4 spatial streams.
                mcs31/4  Data rate for MCS index 31 with 4 spatial streams.
        set rates-11ac-ss12 {option}   Allowed data rates for 802.11ac with 1 or 2 spatial streams.
                mcs0/1   Data rate for MCS index 0 with 1 spatial stream.
                mcs1/1   Data rate for MCS index 1 with 1 spatial stream.
                mcs2/1   Data rate for MCS index 2 with 1 spatial stream.
                mcs3/1   Data rate for MCS index 3 with 1 spatial stream.
                mcs4/1   Data rate for MCS index 4 with 1 spatial stream.
                mcs5/1   Data rate for MCS index 5 with 1 spatial stream.
                mcs6/1   Data rate for MCS index 6 with 1 spatial stream.
                mcs7/1   Data rate for MCS index 7 with 1 spatial stream.
                mcs8/1   Data rate for MCS index 8 with 1 spatial stream.
                mcs9/1   Data rate for MCS index 9 with 1 spatial stream.
                mcs10/1  Data rate for MCS index 10 with 1 spatial stream.
                mcs11/1  Data rate for MCS index 11 with 1 spatial stream.
                mcs0/2   Data rate for MCS index 0 with 2 spatial streams.
                mcs1/2   Data rate for MCS index 1 with 2 spatial streams.
                mcs2/2   Data rate for MCS index 2 with 2 spatial streams.
                mcs3/2   Data rate for MCS index 3 with 2 spatial streams.
                mcs4/2   Data rate for MCS index 4 with 2 spatial streams.
                mcs5/2   Data rate for MCS index 5 with 2 spatial streams.
                mcs6/2   Data rate for MCS index 6 with 2 spatial streams.
                mcs7/2   Data rate for MCS index 7 with 2 spatial streams.
                mcs8/2   Data rate for MCS index 8 with 2 spatial streams.
                mcs9/2   Data rate for MCS index 9 with 2 spatial streams.
                mcs10/2  Data rate for MCS index 10 with 2 spatial streams.
                mcs11/2  Data rate for MCS index 11 with 2 spatial streams.
        set rates-11ac-ss34 {option}   Allowed data rates for 802.11ac with 3 or 4 spatial streams.
                mcs0/3   Data rate for MCS index 0 with 3 spatial streams.
                mcs1/3   Data rate for MCS index 1 with 3 spatial streams.
                mcs2/3   Data rate for MCS index 2 with 3 spatial streams.
                mcs3/3   Data rate for MCS index 3 with 3 spatial streams.
                mcs4/3   Data rate for MCS index 4 with 3 spatial streams.
                mcs5/3   Data rate for MCS index 5 with 3 spatial streams.
                mcs6/3   Data rate for MCS index 6 with 3 spatial streams.
                mcs7/3   Data rate for MCS index 7 with 3 spatial streams.
                mcs8/3   Data rate for MCS index 8 with 3 spatial streams.
                mcs9/3   Data rate for MCS index 9 with 3 spatial streams.
                mcs10/3  Data rate for MCS index 10 with 3 spatial streams.
                mcs11/3  Data rate for MCS index 11 with 3 spatial streams.
                mcs0/4   Data rate for MCS index 0 with 4 spatial streams.
                mcs1/4   Data rate for MCS index 1 with 4 spatial streams.
                mcs2/4   Data rate for MCS index 2 with 4 spatial streams.
                mcs3/4   Data rate for MCS index 3 with 4 spatial streams.
                mcs4/4   Data rate for MCS index 4 with 4 spatial streams.
                mcs5/4   Data rate for MCS index 5 with 4 spatial streams.
                mcs6/4   Data rate for MCS index 6 with 4 spatial streams.
                mcs7/4   Data rate for MCS index 7 with 4 spatial streams.
                mcs8/4   Data rate for MCS index 8 with 4 spatial streams.
                mcs9/4   Data rate for MCS index 9 with 4 spatial streams.
                mcs10/4  Data rate for MCS index 10 with 4 spatial streams.
                mcs11/4  Data rate for MCS index 11 with 4 spatial streams.
        set utm-profile {string}   UTM profile name. size[35]
        set mac-filter {enable | disable}   Enable/disable MAC filtering to block wireless clients by mac address.
        set mac-filter-policy-other {allow | deny}   Allow or block clients with MAC addresses that are not in the filter list.
                allow  Allow clients with MAC addresses that are not in the filter list.
                deny   Block clients with MAC addresses that are not in the filter list.
        config mac-filter-list
            edit {id}
            # Create a list of MAC addresses for MAC address filtering.
                set id {integer}   ID. range[0-4294967295]
                set mac {mac address}   MAC address.
                set mac-filter-policy {allow | deny}   Deny or allow the client with this MAC address.
                        allow  Allow the client with this MAC address.
                        deny   Block the client with this MAC address.
            next
    next
end

Additional information

The following section is for those options that require additional explanation.

dhcp-option82-insertion {enable | disable}

Note: This feature is not supported for LAN port bridges or local-stand-alone NAT SSID. However, this feature is supported for Bridge and Tunnel modes and Mesh SSIDs. Both FortiGate and FortiAP must run FortiOS 6.0.

Enable or disable (by default) the options to set the Circuit ID (dhcp-option82-circuit-id-insertion) and Remote ID (dhcp-option82-remote-id-insertion) for DHCP packets. This can help determine which FortiAP the request came from and for which SSID it was requested.

The Circuit ID includes information specific to the circuit that the request came in in (i.e. the Ethernet MAC address of the FortiAP, with SSID and security type). The Remote ID includes information on the remote host end of the circuit (i.e. the station, or client MAC address).

vdom <name>

Name of the VLAN ID, if a VLAN will be used.

fast-roaming {enable | disable}

Enable (by default) or disable fast-roaming, or pre-authentication, where supported by clients.

external-fast-roaming {enable | disable}

Enable or disable (by default) pre-authentication with external non-managed AP.

mesh-backhaul {enable | disable}

Note: This entry is only available when security is set to a WPA type or open.

Enable or disable (by default) to use this VAP as a WiFi mesh backhaul. WiFi clients cannot connect directly to this SSID.

max-clients <number>

Maximum number of clients that can connect simultaneously. The default is set to 0, meaning no limitation.

max-clients-ap <number>

Maximum number of clients that can connect simultaneously per AP radio. The default is set to 0, meaning no limitation.

ssid <name>

IEEE 802.11 service set identifier, or network name, for the wireless interface. Users who wish to use the wireless network must configure their computers with this network name.

broadcast-ssid {enable | disable}

Enable (by default) or disable broadcasting of the SSID. Broadcasting enables clients to connect to the wireless network without first knowing the SSID. For better security, however, it is best to not broadcast the SSID.

security {open | captive-portal | wpa-personal | wpa-personal+captive-portal | wpa-enterprise | wpa2-only-personal | wpa2-only-personal+captive-portal | wpa2-only-enterprise}

Security mode for the wireless interface. Wireless users must use the same security mode to connect to the same wireless interface.

  • open: No security; any wireless user can connect to the network (not recommended).
  • captive-portal: Users are authenticated through a captive web portal.
  • wpa-personal: WPA-Personal security, WPA or WPA2.
  • wpa-personal+captive-portal: WPA-Personal security, WPA only, with captive portal.
  • wpa-enterprise: WPA-Enterprise security, WPA or WPA2.
  • wpa2-only-personal: WPA-Personal security, WPA2 only (set by default).
  • wpa2-only-personal+captive-portal: WPA-Personal security, WPA2 only, with captive portal.
  • wpa2-only-enterprise: WPA-Enterprise security, WPA2 only.

pmf {enable | disable}

Enable or disable (by default) Protected Management Frames (PMF) support. PMF works by adding a Message Integrity Check (MIC) to control packets being sent between a computer and an AP. If a control packet is being spoofed by a malicious device, the MIC check will fail, and discard the frame. This protects users from malicious attackers attempting to exchange encrypted traffic.

voice-enterprise {enable | disable}

Enable or disable (by default) 802.11k and 802.11v assisted Voice-Enterprise roaming.

fast-bss-transition {enable | disable}

Enable or disable (by default) 802.11r Fast BSS Transition .

okc {enable | disable}

Enable or disable Opportunistic Key Caching (OKC), an 802.11i defined technique available for authentication between a single AP and a station. OKC caching allows an authenticated station and AP to roam away from each other, come back, and not be required to perform a full authentication exchange. Only the 802.11i 4-way handshake is performed to establish transient encryption keys.

radius-mac-auth {enable | disable}

Enable or disable (by default) MAC address authentication of clients. Once enabled, use the radius-mac-auth-server entry to specify the server (see entry below).

radius-mac-auth-server <server>

Note: This entry is only available when radius-mac-auth is set to enable.

RADIUS-based MAC authentication server.

portal-message-override-group <name>

Note: This entry is only available when security is set to a captive portal type.

Replacement message group for this VAP. For this entry to be configured, the replacement message must have already been configured using the config system replacemsg-group command.

portal-type {auth | auth+disclaimer | disclaimer | email-collect}

Note: This entry is only available when security is set to a captive portal type.

Captive portal type:

  • auth: A purely authentication portal (set by default).
  • auth+disclaimer: Authentication portal with a disclaimer.
  • disclaimer: Just a disclaimer.
  • email-collect: Portal for email collection.
  • auth-mac: Portal for authentication and MAC authentication.

selected-usergroups <groups>

Note: This entry is only available when security is set to a captive portal type.

Selective user groups that are permitted to authenticate.

security-exempt-list [name]

Note: This entry is only available when security is set to a captive portal type.

Optional security exempt list for captive portal authentication, as configured under the config user security-exempt-list command.

security-redirect-url [url]

Note: This entry is only available when security is set to a captive portal type.

Optional URL for user-redirection after user passes captive portal authentication.

encrypt {TKIP | AES | TKIP-AES}

Note: This entry is only available when security is set to a WPA type.

Encryption protocol to use:

  • TKIP: Temporal Key Integrity Protocol, used by the older WPA standard. It is a more secure encryption than WEP, (the original WLAN security protocol), however it too is now deprecated.
  • AES: Advanced Encryption Standard. This protocol is commonly used with the newer WPA2 standard (set by default).
  • TKIP-AES: Use both TKIP and AES protocols in order to provide backward compatibility for legacy devices. This option is not recommended, however, as attackers will only need to breach the weaker encryption of the two (TKIP).

passphrase <psk>

Note: This entry is only available when security is set to a WPA type.

Pre-shared key (PSK) for WPA. Set the hexadecimal value between 8-63 characters in length.

intra-vap-privacy {enable | disable}

Enable or disable (by default) blocking of communication between clients of the same AP.

schedule <name>

VAP schedule name.

ldpc

VAP low-density parity-check (LDPC) coding configuration.

mpsk {enable | disable}

Enable or disable (by default) multiple PSK support.

local-standalone {enable | disable}

Enable or disable (by default) AP local standalone.

local-bridging {enable | disable}

Enable or disable (by default) bridging of wireless and Ethernet interfaces on the FortiAP.

split-tunneling {enable | disable}

Enable or disable (by default) split tunneling. When enabled, split tunneling allows local traffic on the AP to remain local instead of being routed through the WiFi controller.

vlanid <id>

VLAN ID, if a VLAN will be used.

dynamic-vlan {enable | disable}

Enable or disable (by default) dynamic VLAN assignment for users based on RADIUS attributes.

multicast-rate <kbps>

Multicast rate in kbps: 0 (set by default), 6000, 12000, or 24000. Higher multicast rates mean that only close, strong signals are allowed. A high device environment will require a higher multicast rate so as to decrease the range between devices and the router.

multicast-enhance {enable | disable}

Enable or disable (by default) conversion of multicast to unicast to improve performance.

broadcast-suppression [suppression-type]

Optional suppression of broadcast message types:

  • dhcp-up: Uplink DHCP messages
  • dhcp-down: Downlink DHCP messages
  • dhcp-starvation: DHCP starvation req messages
  • arp-known: ARP for known messages
  • arp-unknown: ARP for unknown messages
  • arp-reply: ARP reply from wireless clients
  • arp-poison: ARP poison messages from wireless clients
  • arp-proxy: ARP requests for wireless clients as a proxy
  • netbios-ns: NetBIOS name services packets with UDP port 137
  • netbios-ds: NetBIOS datagram services packets with UDP port 138
  • ipv6: IPv6 packets
  • all-other-mc: All other multicast messages
  • all-other-bc: All other broadcast messages

me-disable-thresh <subscribers>

Multicast enhancement threshold. Set value between 2-256 subscribers. The default is set to 32.

probe-resp-suppression {enable | disable}

Enable or disable (by default) ignoring of weak signals. When enabled, use the probe-resp-threshold entry to define the minimum signal level required for AP response.

probe-resp-threshold <min-level>

Note: This entry is only available when probe-resp-suppression is set to enable.

Minimum signal level/threshold in dBm required for AP response to probe requests. Set the value between -95 to -20. The default is set to -80.

vlan-pooling {wtp-group | disable}

Enable or disable (by default) VLAN pooling, allowing you to group multiple wireless controller VLANs into VLAN pools. These pools are used to load-balance sessions evenly across multiple VLANs. When set to wtp-group, VLAN pooling occurs with VLAN assignment by wtp-group.

gtk-rekey {enable | disable}

Note: This entry is only available when security is set to a WPA type. Enable or disable (by default) WPA re-key interval option. When enabled, use the gtk-rekey-intv entry to set the re-key interval time.

gtk-rekey-intv <interval>

Note: This entry is only available when gtk-rekey is set to enable.

WPA re-key interval in seconds. Increase the value for those users who may require a longer time period. Set the value between 1800-864000 (or 30 minutes to 10 days).

rates-11a <data-rate>

Data rates permitted for 802.11a in Mbps.

rates-11bg <data-rate>

Data rates permitted for 802.11b/g in Mbps.

rates-11n-ss12 <data-rate>

Data rates permitted for 802.11n with 1 or 2 spatial streams.

rates-11n-ss34 <data-rate>

Data rates permitted for 802.11n with 3 or 4 spatial streams.

rates-11ac-ss12 <data-rate>

Data rates permitted for 802.11ac with 1 or 2 spatial streams.

rates-11ac-ss34 <data-rate>

Data rates permitted for 802.11ac with 3 or 4 spatial streams.

wireless-controller vap

wireless-controller vap

Use this command to configure Virtual Access Points (VAPs). The following entries have append options, whereby you can add values without needing to retype the whole list of values:

  • selected-usergroups
  • broadcast-suppression
  • rates-11a
  • rates-11bg
  • rates-11n-ss12
  • rates-11n-ss34
  • rates-11ac-ss12
  • rates-11ac-ss34

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.2.

Command Description

set portal-type mac-auth

Set portal type for authentication and MAC authentication.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.

Command Description

set radio-sensitivity {enable | disable}

set radio-5g-threshold <dbm>

set radio-2g-threshold <dbm>

Enable and specify Receiver Start of Packet (RX-SOP) detection thresholds in dBm. Received manage frames will be dropped when the signal strength is less than the configured thresholds. Set the threshold ranges between -95 and -20.

Note that radio-5g-threshold and radio-2g-threshold are only available when radio-sensitivity is set to enable.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set dhcp-option82-insertion {enable | disable}

set dhcp-option82-circuit-id-insertion {style-1 | style-2 | disable}

set dhcp-option82-remote-id-insertion {style-1 | disable}

Enable or disable DHCP option 82 insert options. All entries are set to disable by default.

Note that the id-insertion options are only available when dhcp-option82-insertion is set to enable.

set mac-auth-bypass {enable | disable}

Enable or disable MAC authentication bypass for Captive Portal SSID.

set utm-profile <name>

Apply UTM profiles, created under config wireless-controller utm-profile, to VAPs.

set local-lan {allow | deny}

Allow or deny a client connected to a VAP, whose traffic is not tunneled to the controller, to access the local network.

When local-lan is set to allow (by default), FortiAP allows clients on the SSID to access the local LAN and the Internet (same way as before). When local-lan is set to deny, FortiAP prevents clients on the SSID from accessing the local LAN but still allows them to connect to the Internet. In addtion, Intra-SSID Privacy is enforced, meaning clients on the SSID cannot communicate with each other.

Note that this entry is only available when local-standalone-nat is set to enable.

set quarantine {enable | disable}

Manual quarantining can be configured here, in order to consolidate previous CLI syntax.

Host endpoints can be entered in a single place and it will be quarantined throughout the access layer devices on the Security Fabric.

set captive-portal-session-timeout-interval <seconds>

Configure a session timeout interval in seconds for Captive Portal users. Set the range between 0 - 864000 (or no timeout to ten days). The default is set to 0.

Note that that this command is only available when local-standalone is set to enable, security is set to captive-portal, and then portal-type is set to either cmcc or cmcc-macauth.

config wireless-controller vap
    edit {name}
    # Configure Virtual Access Points (VAPs).
        set name {string}   Virtual AP name. size[15]
        set vdom {string}   Name of the VDOM that the Virtual AP has been added to. size[31] - datasource(s): system.vdom.name
        set fast-roaming {enable | disable}   Enable/disable fast-roaming, or pre-authentication, where supported by clients (default = disable).
        set external-fast-roaming {enable | disable}   Enable/disable fast roaming or pre-authentication with external APs not managed by the FortiGate (default = disable).
        set mesh-backhaul {enable | disable}   Enable/disable using this VAP as a WiFi mesh backhaul (default = disable). This entry is only available when security is set to a WPA type or open.
        set max-clients {integer}   Maximum number of clients that can connect simultaneously to the VAP (default = 0, meaning no limitation). range[0-4294967295]
        set max-clients-ap {integer}   Maximum number of clients that can connect simultaneously to each radio (default = 0, meaning no limitation). range[0-4294967295]
        set ssid {string}   IEEE 802.11 service set identifier (SSID) for the wireless interface. Users who wish to use the wireless network must configure their computers to access this SSID name. size[32]
        set broadcast-ssid {enable | disable}   Enable/disable broadcasting the SSID (default = enable).
        set security-obsolete-option {enable | disable}   Enable/disable obsolete security options.
        set security {option}   Security mode for the wireless interface (default = wpa2-only-personal).
                open                               Open.
                captive-portal                     Captive portal.
                wep64                              WEP 64-bit.
                wep128                             WEP 128-bit.
                wpa-personal                       WPA/WPA2 personal.
                wpa-personal+captive-portal        WPA/WPA2 personal with captive portal.
                wpa-enterprise                     WPA/WPA2 enterprise.
                wpa-only-personal                  WPA personal.
                wpa-only-personal+captive-portal   WPA personal with captive portal.
                wpa-only-enterprise                WPA enterprise.
                wpa2-only-personal                 WPA2 personal.
                wpa2-only-personal+captive-portal  WPA2 personal with captive portal.
                wpa2-only-enterprise               WPA2 enterprise.
                osen                               OSEN.
        set pmf {disable | enable | optional}   Protected Management Frames (PMF) support (default = disable).
        set pmf-assoc-comeback-timeout {integer}   Protected Management Frames (PMF) comeback maximum timeout (1-20 sec). range[1-20]
        set pmf-sa-query-retry-timeout {integer}   Protected Management Frames (PMF) SA query retry timeout interval (1 - 5 100s of msec). range[1-5]
        set okc {disable | enable}   Enable/disable Opportunistic Key Caching (OKC) (default = enable).
        set voice-enterprise {disable | enable}   Enable/disable 802.11k and 802.11v assisted Voice-Enterprise roaming (default = disable).
        set fast-bss-transition {disable | enable}   Enable/disable 802.11r Fast BSS Transition (FT) (default = disable).
        set ft-mobility-domain {integer}   Mobility domain identifier in FT (1 - 65535, default = 1000). range[1-65535]
        set ft-r0-key-lifetime {integer}   Lifetime of the PMK-R0 key in FT, 1-65535 minutes. range[1-65535]
        set ft-over-ds {disable | enable}   Enable/disable FT over the Distribution System (DS).
        set eapol-key-retries {disable | enable}   Enable/disable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2) (default = enable).
        set tkip-counter-measure {enable | disable}   Enable/disable TKIP counter measure.
        set external-web {string}   URL of external authentication web server. size[127]
        set external-logout {string}   URL of external authentication logout server. size[127]
        set mac-auth-bypass {enable | disable}   Enable/disable MAC authentication bypass.
        set radius-mac-auth {enable | disable}   Enable/disable RADIUS-based MAC authentication of clients (default = disable).
        set radius-mac-auth-server {string}   RADIUS-based MAC authentication server. size[35]
        config radius-mac-auth-usergroups
            edit {name}
            # Selective user groups that are permitted for RADIUS mac authentication.
                set name {string}   User group name. size[64]
            next
        set auth {psk | radius | usergroup}   Authentication protocol.
                psk        Use a single Pre-shard Key (PSK) to authenticate all users.
                radius     Use a RADIUS server to authenticate clients.
                usergroup  Use a firewall usergroup to authenticate clients.
        set encrypt {TKIP | AES | TKIP-AES}   Encryption protocol to use (only available when security is set to a WPA type).
                TKIP      Use TKIP encryption.
                AES       Use AES encryption.
                TKIP-AES  Use TKIP and AES encryption.
        set keyindex {integer}   WEP key index (1 - 4). range[1-4]
        set key {password_string}   WEP Key. size[128]
        set passphrase {password_string}   WPA pre-shard key (PSK) to be used to authenticate WiFi users. size[128]
        set radius-server {string}   RADIUS server to be used to authenticate WiFi users. size[35]
        set acct-interim-interval {integer}   WiFi RADIUS accounting interim interval (60 - 86400 sec, default = 0). range[60-86400]
        set local-standalone {enable | disable}   Enable/disable AP local standalone (default = disable).
        set local-standalone-nat {enable | disable}   Enable/disable AP local standalone NAT mode.
        set ip {ipv4 classnet host}   IP address and subnet mask for the local standalone NAT subnet.
        set dhcp-lease-time {integer}   DHCP lease time in seconds for NAT IP address. range[300-8640000]
        set local-bridging {enable | disable}   Enable/disable bridging of wireless and Ethernet interfaces on the FortiAP (default = disable).
        set local-lan {allow | deny}   Allow/deny traffic destined for a Class A, B, or C private IP address (default = allow).
                allow  Allow traffic destined for a Class A, B, or C private IP address.
                deny   Deny traffic destined for a Class A, B, or C private IP address.
        set local-authentication {enable | disable}   Enable/disable AP local authentication.
        config usergroup
            edit {name}
            # Firewall user group to be used to authenticate WiFi users.
                set name {string}   User group name. size[64]
            next
        set portal-message-override-group {string}   Replacement message group for this VAP (only available when security is set to a captive portal type). size[35]
        config portal-message-overrides
            set auth-disclaimer-page {string}   Override auth-disclaimer-page message with message from portal-message-overrides group. size[35]
            set auth-reject-page {string}   Override auth-reject-page message with message from portal-message-overrides group. size[35]
            set auth-login-page {string}   Override auth-login-page message with message from portal-message-overrides group. size[35]
            set auth-login-failed-page {string}   Override auth-login-failed-page message with message from portal-message-overrides group. size[35]
        set portal-type {option}   Captive portal functionality. Configure how the captive portal authenticates users and whether it includes a disclaimer.
                auth             Portal for authentication.
                auth+disclaimer  Portal for authentication and disclaimer.
                disclaimer       Portal for disclaimer.
                email-collect    Portal for email collection.
                cmcc             Portal for CMCC.
                cmcc-macauth     Portal for CMCC and MAC authentication.
                auth-mac         Portal for authentication and MAC authentication.
        config selected-usergroups
            edit {name}
            # Selective user groups that are permitted to authenticate.
                set name {string}   User group name. size[64]
            next
        set security-exempt-list {string}   Optional security exempt list for captive portal authentication. size[35]
        set security-redirect-url {string}   Optional URL for redirecting users after they pass captive portal authentication. size[127]
        set intra-vap-privacy {enable | disable}   Enable/disable blocking communication between clients on the same SSID (called intra-SSID privacy) (default = disable).
        set schedule {string}   VAP schedule name. size[35]
        set ldpc {disable | rx | tx | rxtx}   VAP low-density parity-check (LDPC) coding configuration.
                disable  Disable LDPC.
                rx       Enable LDPC when receiving traffic.
                tx       Enable LDPC when transmitting traffic.
                rxtx     Enable LDPC when both receiving and transmitting traffic.
        set mpsk {enable | disable}   Enable/disable multiple pre-shared keys (PSKs.)
        set mpsk-concurrent-clients {integer}   Number of pre-shared keys (PSKs) to allow if multiple pre-shared keys are enabled. range[0-65535]
        config mpsk-key
            edit {key-name}
            # Pre-shared keys that can be used to connect to this virtual access point.
                set key-name {string}   Pre-shared key name. size[35]
                set passphrase {password_string}   WPA Pre-shared key. size[128]
                set concurrent-clients {string}   Number of clients that can connect using this pre-shared key. size[15]
                set comment {string}   Comment. size[255]
            next
        set split-tunneling {enable | disable}   Enable/disable split tunneling (default = disable).
        set vlanid {integer}   Optional VLAN ID. range[0-4094]
        set vlan-auto {enable | disable}   Enable/disable automatic management of SSID VLAN interface.
        set dynamic-vlan {enable | disable}   Enable/disable dynamic VLAN assignment.
        set captive-portal-radius-server {string}   Captive portal RADIUS server domain name or IP address. size[63]
        set captive-portal-radius-secret {password_string}   Secret key to access the RADIUS server. size[128]
        set captive-portal-macauth-radius-server {string}   Captive portal external RADIUS server domain name or IP address. size[63]
        set captive-portal-macauth-radius-secret {password_string}   Secret key to access the macauth RADIUS server. size[128]
        set captive-portal-ac-name {string}   Local-bridging captive portal ac-name. size[35]
        set captive-portal-session-timeout-interval {integer}   Session timeout interval (0 - 864000 sec, default = 0). range[0-864000]
        set alias {string}   Alias. size[25]
        set multicast-rate {0 | 6000 | 12000 | 24000}   Multicast rate (0, 6000, 12000, or 24000 kbps, default = 0).
                0      Use the default multicast rate.
                6000   6 Mbps.
                12000  12 Mbps.
                24000  24 Mbps.
        set multicast-enhance {enable | disable}   Enable/disable converting multicast to unicast to improve performance (default = disable).
        set broadcast-suppression {option}   Optional suppression of broadcast messages. For example, you can keep DHCP messages, ARP broadcasts, and so on off of the wireless network.
                dhcp-up          Suppress broadcast uplink DHCP messages.
                dhcp-down        Suppress broadcast downlink DHCP messages.
                dhcp-starvation  Suppress broadcast DHCP starvation req messages.
                arp-known        Suppress broadcast ARP for known wireless clients.
                arp-unknown      Suppress broadcast ARP for unknown wireless clients.
                arp-reply        Suppress broadcast ARP reply from wireless clients.
                arp-poison       Suppress ARP poison messages from wireless clients.
                arp-proxy        Reply ARP requests for wireless clients as a proxy.
                netbios-ns       Suppress NetBIOS name services packets with UDP port 137.
                netbios-ds       Suppress NetBIOS datagram services packets with UDP port 138.
                ipv6             Suppress IPv6 packets.
                all-other-mc     Suppress all other multicast messages.
                all-other-bc     Suppress all other broadcast messages.
        set me-disable-thresh {integer}   Disable multicast enhancement when this many clients are receiving multicast traffic. range[2-256]
        set probe-resp-suppression {enable | disable}   Enable/disable probe response suppression (to ignore weak signals) (default = disable).
        set probe-resp-threshold {string}   Minimum signal level/threshold in dBm required for the AP response to probe requests (-95 to -20, default = -80). size[7]
        set radio-sensitivity {enable | disable}   Enable/disable software radio sensitivity (to ignore weak signals) (default = disable).
        set quarantine {enable | disable}   Enable/disable station quarantine (default = enable).
        set radio-5g-threshold {string}   Minimum signal level/threshold in dBm required for the AP response to receive a packet in 5G band(-95 to -20, default = -76). size[7]
        set radio-2g-threshold {string}   Minimum signal level/threshold in dBm required for the AP response to receive a packet in 2.4G band (-95 to -20, default = -79). size[7]
        set vlan-pooling {wtp-group | round-robin | hash | disable}   Enable/disable VLAN pooling, to allow grouping of multiple wireless controller VLANs into VLAN pools (default = disable). When set to wtp-group, VLAN pooling occurs with VLAN assignment by wtp-group.
                wtp-group    Enable VLAN pooling with VLAN assignment by wtp-group.
                round-robin  Enable VLAN pooling with round-robin VLAN assignment.
                hash         Enable VLAN pooling with hash-based VLAN assignment.
                disable      Disable VLAN pooling.
        config vlan-pool
            edit {id}
            # VLAN pool.
                set id {integer}   ID. range[0-4094]
                set wtp-group {string}   WTP group name. size[35]
            next
        set dhcp-option82-insertion {enable | disable}   Enable/disable DHCP option 82 insert (default = disable).
        set dhcp-option82-circuit-id-insertion {style-1 | style-2 | disable}   Enable/disable DHCP option 82 circuit-id insert (default = disable).
                style-1  ASCII string composed of AP-MAC;SSID;SSID-TYPE. For example, "xx:xx:xx:xx:xx:xx;wifi;s".
                style-2  ASCII string composed of AP-MAC. For example, "xx:xx:xx:xx:xx:xx".
                disable  Disable DHCP option 82 circuit-id insert.
        set dhcp-option82-remote-id-insertion {style-1 | disable}   Enable/disable DHCP option 82 remote-id insert (default = disable).
                style-1  ASCII string in the format �xx:xx:xx:xx:xx:xx� containing MAC address of client device.
                disable  Disable DHCP option 82 remote-id insert.
        set ptk-rekey {enable | disable}   Enable/disable PTK rekey for WPA-Enterprise security.
        set ptk-rekey-intv {integer}   PTK rekey interval (1800 - 864000 sec, default = 86400). range[1800-864000]
        set gtk-rekey {enable | disable}   Enable/disable GTK rekey for WPA security.
        set gtk-rekey-intv {integer}   GTK rekey interval (1800 - 864000 sec, default = 86400). range[1800-864000]
        set eap-reauth {enable | disable}   Enable/disable EAP re-authentication for WPA-Enterprise security.
        set eap-reauth-intv {integer}   EAP re-authentication interval (1800 - 864000 sec, default = 86400). range[1800-864000]
        set qos-profile {string}   Quality of service profile name. size[35]
        set hotspot20-profile {string}   Hotspot 2.0 profile name. size[35]
        set rates-11a {option}   Allowed data rates for 802.11a.
                1          1 Mbps supported rate.
                1-basic    1 Mbps BSS basic rate.
                2          2 Mbps supported rate.
                2-basic    2 Mbps BSS basic rate.
                5.5        5.5 Mbps supported rate.
                5.5-basic  5.5 Mbps BSS basic rate.
                11         11 Mbps supported rate.
                11-basic   11 Mbps BSS basic rate.
                6          6 Mbps supported rate.
                6-basic    6 Mbps BSS basic rate.
                9          9 Mbps supported rate.
                9-basic    9 Mbps BSS basic rate.
                12         12 Mbps supported rate.
                12-basic   12 Mbps BSS basic rate.
                18         18 Mbps supported rate.
                18-basic   18 Mbps BSS basic rate.
                24         24 Mbps supported rate.
                24-basic   24 Mbps BSS basic rate.
                36         36 Mbps supported rate.
                36-basic   36 Mbps BSS basic rate.
                48         48 Mbps supported rate.
                48-basic   48 Mbps BSS basic rate.
                54         54 Mbps supported rate.
                54-basic   54 Mbps BSS basic rate.
        set rates-11bg {option}   Allowed data rates for 802.11b/g.
                1          1 Mbps supported rate.
                1-basic    1 Mbps BSS basic rate.
                2          2 Mbps supported rate.
                2-basic    2 Mbps BSS basic rate.
                5.5        5.5 Mbps supported rate.
                5.5-basic  5.5 Mbps BSS basic rate.
                11         11 Mbps supported rate.
                11-basic   11 Mbps BSS basic rate.
                6          6 Mbps supported rate.
                6-basic    6 Mbps BSS basic rate.
                9          9 Mbps supported rate.
                9-basic    9 Mbps BSS basic rate.
                12         12 Mbps supported rate.
                12-basic   12 Mbps BSS basic rate.
                18         18 Mbps supported rate.
                18-basic   18 Mbps BSS basic rate.
                24         24 Mbps supported rate.
                24-basic   24 Mbps BSS basic rate.
                36         36 Mbps supported rate.
                36-basic   36 Mbps BSS basic rate.
                48         48 Mbps supported rate.
                48-basic   48 Mbps BSS basic rate.
                54         54 Mbps supported rate.
                54-basic   54 Mbps BSS basic rate.
        set rates-11n-ss12 {option}   Allowed data rates for 802.11n with 1 or 2 spatial streams.
                mcs0/1   Data rate for MCS index 0 with 1 spatial stream.
                mcs1/1   Data rate for MCS index 1 with 1 spatial stream.
                mcs2/1   Data rate for MCS index 2 with 1 spatial stream.
                mcs3/1   Data rate for MCS index 3 with 1 spatial stream.
                mcs4/1   Data rate for MCS index 4 with 1 spatial stream.
                mcs5/1   Data rate for MCS index 5 with 1 spatial stream.
                mcs6/1   Data rate for MCS index 6 with 1 spatial stream.
                mcs7/1   Data rate for MCS index 7 with 1 spatial stream.
                mcs8/2   Data rate for MCS index 8 with 2 spatial streams.
                mcs9/2   Data rate for MCS index 9 with 2 spatial streams.
                mcs10/2  Data rate for MCS index 10 with 2 spatial streams.
                mcs11/2  Data rate for MCS index 11 with 2 spatial streams.
                mcs12/2  Data rate for MCS index 12 with 2 spatial streams.
                mcs13/2  Data rate for MCS index 13 with 2 spatial streams.
                mcs14/2  Data rate for MCS index 14 with 2 spatial streams.
                mcs15/2  Data rate for MCS index 15 with 2 spatial streams.
        set rates-11n-ss34 {option}   Allowed data rates for 802.11n with 3 or 4 spatial streams.
                mcs16/3  Data rate for MCS index 16 with 3 spatial streams.
                mcs17/3  Data rate for MCS index 17 with 3 spatial streams.
                mcs18/3  Data rate for MCS index 18 with 3 spatial streams.
                mcs19/3  Data rate for MCS index 19 with 3 spatial streams.
                mcs20/3  Data rate for MCS index 20 with 3 spatial streams.
                mcs21/3  Data rate for MCS index 21 with 3 spatial streams.
                mcs22/3  Data rate for MCS index 22 with 3 spatial streams.
                mcs23/3  Data rate for MCS index 23 with 3 spatial streams.
                mcs24/4  Data rate for MCS index 24 with 4 spatial streams.
                mcs25/4  Data rate for MCS index 25 with 4 spatial streams.
                mcs26/4  Data rate for MCS index 26 with 4 spatial streams.
                mcs27/4  Data rate for MCS index 27 with 4 spatial streams.
                mcs28/4  Data rate for MCS index 28 with 4 spatial streams.
                mcs29/4  Data rate for MCS index 29 with 4 spatial streams.
                mcs30/4  Data rate for MCS index 30 with 4 spatial streams.
                mcs31/4  Data rate for MCS index 31 with 4 spatial streams.
        set rates-11ac-ss12 {option}   Allowed data rates for 802.11ac with 1 or 2 spatial streams.
                mcs0/1   Data rate for MCS index 0 with 1 spatial stream.
                mcs1/1   Data rate for MCS index 1 with 1 spatial stream.
                mcs2/1   Data rate for MCS index 2 with 1 spatial stream.
                mcs3/1   Data rate for MCS index 3 with 1 spatial stream.
                mcs4/1   Data rate for MCS index 4 with 1 spatial stream.
                mcs5/1   Data rate for MCS index 5 with 1 spatial stream.
                mcs6/1   Data rate for MCS index 6 with 1 spatial stream.
                mcs7/1   Data rate for MCS index 7 with 1 spatial stream.
                mcs8/1   Data rate for MCS index 8 with 1 spatial stream.
                mcs9/1   Data rate for MCS index 9 with 1 spatial stream.
                mcs10/1  Data rate for MCS index 10 with 1 spatial stream.
                mcs11/1  Data rate for MCS index 11 with 1 spatial stream.
                mcs0/2   Data rate for MCS index 0 with 2 spatial streams.
                mcs1/2   Data rate for MCS index 1 with 2 spatial streams.
                mcs2/2   Data rate for MCS index 2 with 2 spatial streams.
                mcs3/2   Data rate for MCS index 3 with 2 spatial streams.
                mcs4/2   Data rate for MCS index 4 with 2 spatial streams.
                mcs5/2   Data rate for MCS index 5 with 2 spatial streams.
                mcs6/2   Data rate for MCS index 6 with 2 spatial streams.
                mcs7/2   Data rate for MCS index 7 with 2 spatial streams.
                mcs8/2   Data rate for MCS index 8 with 2 spatial streams.
                mcs9/2   Data rate for MCS index 9 with 2 spatial streams.
                mcs10/2  Data rate for MCS index 10 with 2 spatial streams.
                mcs11/2  Data rate for MCS index 11 with 2 spatial streams.
        set rates-11ac-ss34 {option}   Allowed data rates for 802.11ac with 3 or 4 spatial streams.
                mcs0/3   Data rate for MCS index 0 with 3 spatial streams.
                mcs1/3   Data rate for MCS index 1 with 3 spatial streams.
                mcs2/3   Data rate for MCS index 2 with 3 spatial streams.
                mcs3/3   Data rate for MCS index 3 with 3 spatial streams.
                mcs4/3   Data rate for MCS index 4 with 3 spatial streams.
                mcs5/3   Data rate for MCS index 5 with 3 spatial streams.
                mcs6/3   Data rate for MCS index 6 with 3 spatial streams.
                mcs7/3   Data rate for MCS index 7 with 3 spatial streams.
                mcs8/3   Data rate for MCS index 8 with 3 spatial streams.
                mcs9/3   Data rate for MCS index 9 with 3 spatial streams.
                mcs10/3  Data rate for MCS index 10 with 3 spatial streams.
                mcs11/3  Data rate for MCS index 11 with 3 spatial streams.
                mcs0/4   Data rate for MCS index 0 with 4 spatial streams.
                mcs1/4   Data rate for MCS index 1 with 4 spatial streams.
                mcs2/4   Data rate for MCS index 2 with 4 spatial streams.
                mcs3/4   Data rate for MCS index 3 with 4 spatial streams.
                mcs4/4   Data rate for MCS index 4 with 4 spatial streams.
                mcs5/4   Data rate for MCS index 5 with 4 spatial streams.
                mcs6/4   Data rate for MCS index 6 with 4 spatial streams.
                mcs7/4   Data rate for MCS index 7 with 4 spatial streams.
                mcs8/4   Data rate for MCS index 8 with 4 spatial streams.
                mcs9/4   Data rate for MCS index 9 with 4 spatial streams.
                mcs10/4  Data rate for MCS index 10 with 4 spatial streams.
                mcs11/4  Data rate for MCS index 11 with 4 spatial streams.
        set utm-profile {string}   UTM profile name. size[35]
        set mac-filter {enable | disable}   Enable/disable MAC filtering to block wireless clients by mac address.
        set mac-filter-policy-other {allow | deny}   Allow or block clients with MAC addresses that are not in the filter list.
                allow  Allow clients with MAC addresses that are not in the filter list.
                deny   Block clients with MAC addresses that are not in the filter list.
        config mac-filter-list
            edit {id}
            # Create a list of MAC addresses for MAC address filtering.
                set id {integer}   ID. range[0-4294967295]
                set mac {mac address}   MAC address.
                set mac-filter-policy {allow | deny}   Deny or allow the client with this MAC address.
                        allow  Allow the client with this MAC address.
                        deny   Block the client with this MAC address.
            next
    next
end

Additional information

The following section is for those options that require additional explanation.

dhcp-option82-insertion {enable | disable}

Note: This feature is not supported for LAN port bridges or local-stand-alone NAT SSID. However, this feature is supported for Bridge and Tunnel modes and Mesh SSIDs. Both FortiGate and FortiAP must run FortiOS 6.0.

Enable or disable (by default) the options to set the Circuit ID (dhcp-option82-circuit-id-insertion) and Remote ID (dhcp-option82-remote-id-insertion) for DHCP packets. This can help determine which FortiAP the request came from and for which SSID it was requested.

The Circuit ID includes information specific to the circuit that the request came in in (i.e. the Ethernet MAC address of the FortiAP, with SSID and security type). The Remote ID includes information on the remote host end of the circuit (i.e. the station, or client MAC address).

vdom <name>

Name of the VLAN ID, if a VLAN will be used.

fast-roaming {enable | disable}

Enable (by default) or disable fast-roaming, or pre-authentication, where supported by clients.

external-fast-roaming {enable | disable}

Enable or disable (by default) pre-authentication with external non-managed AP.

mesh-backhaul {enable | disable}

Note: This entry is only available when security is set to a WPA type or open.

Enable or disable (by default) to use this VAP as a WiFi mesh backhaul. WiFi clients cannot connect directly to this SSID.

max-clients <number>

Maximum number of clients that can connect simultaneously. The default is set to 0, meaning no limitation.

max-clients-ap <number>

Maximum number of clients that can connect simultaneously per AP radio. The default is set to 0, meaning no limitation.

ssid <name>

IEEE 802.11 service set identifier, or network name, for the wireless interface. Users who wish to use the wireless network must configure their computers with this network name.

broadcast-ssid {enable | disable}

Enable (by default) or disable broadcasting of the SSID. Broadcasting enables clients to connect to the wireless network without first knowing the SSID. For better security, however, it is best to not broadcast the SSID.

security {open | captive-portal | wpa-personal | wpa-personal+captive-portal | wpa-enterprise | wpa2-only-personal | wpa2-only-personal+captive-portal | wpa2-only-enterprise}

Security mode for the wireless interface. Wireless users must use the same security mode to connect to the same wireless interface.

  • open: No security; any wireless user can connect to the network (not recommended).
  • captive-portal: Users are authenticated through a captive web portal.
  • wpa-personal: WPA-Personal security, WPA or WPA2.
  • wpa-personal+captive-portal: WPA-Personal security, WPA only, with captive portal.
  • wpa-enterprise: WPA-Enterprise security, WPA or WPA2.
  • wpa2-only-personal: WPA-Personal security, WPA2 only (set by default).
  • wpa2-only-personal+captive-portal: WPA-Personal security, WPA2 only, with captive portal.
  • wpa2-only-enterprise: WPA-Enterprise security, WPA2 only.

pmf {enable | disable}

Enable or disable (by default) Protected Management Frames (PMF) support. PMF works by adding a Message Integrity Check (MIC) to control packets being sent between a computer and an AP. If a control packet is being spoofed by a malicious device, the MIC check will fail, and discard the frame. This protects users from malicious attackers attempting to exchange encrypted traffic.

voice-enterprise {enable | disable}

Enable or disable (by default) 802.11k and 802.11v assisted Voice-Enterprise roaming.

fast-bss-transition {enable | disable}

Enable or disable (by default) 802.11r Fast BSS Transition .

okc {enable | disable}

Enable or disable Opportunistic Key Caching (OKC), an 802.11i defined technique available for authentication between a single AP and a station. OKC caching allows an authenticated station and AP to roam away from each other, come back, and not be required to perform a full authentication exchange. Only the 802.11i 4-way handshake is performed to establish transient encryption keys.

radius-mac-auth {enable | disable}

Enable or disable (by default) MAC address authentication of clients. Once enabled, use the radius-mac-auth-server entry to specify the server (see entry below).

radius-mac-auth-server <server>

Note: This entry is only available when radius-mac-auth is set to enable.

RADIUS-based MAC authentication server.

portal-message-override-group <name>

Note: This entry is only available when security is set to a captive portal type.

Replacement message group for this VAP. For this entry to be configured, the replacement message must have already been configured using the config system replacemsg-group command.

portal-type {auth | auth+disclaimer | disclaimer | email-collect}

Note: This entry is only available when security is set to a captive portal type.

Captive portal type:

  • auth: A purely authentication portal (set by default).
  • auth+disclaimer: Authentication portal with a disclaimer.
  • disclaimer: Just a disclaimer.
  • email-collect: Portal for email collection.
  • auth-mac: Portal for authentication and MAC authentication.

selected-usergroups <groups>

Note: This entry is only available when security is set to a captive portal type.

Selective user groups that are permitted to authenticate.

security-exempt-list [name]

Note: This entry is only available when security is set to a captive portal type.

Optional security exempt list for captive portal authentication, as configured under the config user security-exempt-list command.

security-redirect-url [url]

Note: This entry is only available when security is set to a captive portal type.

Optional URL for user-redirection after user passes captive portal authentication.

encrypt {TKIP | AES | TKIP-AES}

Note: This entry is only available when security is set to a WPA type.

Encryption protocol to use:

  • TKIP: Temporal Key Integrity Protocol, used by the older WPA standard. It is a more secure encryption than WEP, (the original WLAN security protocol), however it too is now deprecated.
  • AES: Advanced Encryption Standard. This protocol is commonly used with the newer WPA2 standard (set by default).
  • TKIP-AES: Use both TKIP and AES protocols in order to provide backward compatibility for legacy devices. This option is not recommended, however, as attackers will only need to breach the weaker encryption of the two (TKIP).

passphrase <psk>

Note: This entry is only available when security is set to a WPA type.

Pre-shared key (PSK) for WPA. Set the hexadecimal value between 8-63 characters in length.

intra-vap-privacy {enable | disable}

Enable or disable (by default) blocking of communication between clients of the same AP.

schedule <name>

VAP schedule name.

ldpc

VAP low-density parity-check (LDPC) coding configuration.

mpsk {enable | disable}

Enable or disable (by default) multiple PSK support.

local-standalone {enable | disable}

Enable or disable (by default) AP local standalone.

local-bridging {enable | disable}

Enable or disable (by default) bridging of wireless and Ethernet interfaces on the FortiAP.

split-tunneling {enable | disable}

Enable or disable (by default) split tunneling. When enabled, split tunneling allows local traffic on the AP to remain local instead of being routed through the WiFi controller.

vlanid <id>

VLAN ID, if a VLAN will be used.

dynamic-vlan {enable | disable}

Enable or disable (by default) dynamic VLAN assignment for users based on RADIUS attributes.

multicast-rate <kbps>

Multicast rate in kbps: 0 (set by default), 6000, 12000, or 24000. Higher multicast rates mean that only close, strong signals are allowed. A high device environment will require a higher multicast rate so as to decrease the range between devices and the router.

multicast-enhance {enable | disable}

Enable or disable (by default) conversion of multicast to unicast to improve performance.

broadcast-suppression [suppression-type]

Optional suppression of broadcast message types:

  • dhcp-up: Uplink DHCP messages
  • dhcp-down: Downlink DHCP messages
  • dhcp-starvation: DHCP starvation req messages
  • arp-known: ARP for known messages
  • arp-unknown: ARP for unknown messages
  • arp-reply: ARP reply from wireless clients
  • arp-poison: ARP poison messages from wireless clients
  • arp-proxy: ARP requests for wireless clients as a proxy
  • netbios-ns: NetBIOS name services packets with UDP port 137
  • netbios-ds: NetBIOS datagram services packets with UDP port 138
  • ipv6: IPv6 packets
  • all-other-mc: All other multicast messages
  • all-other-bc: All other broadcast messages

me-disable-thresh <subscribers>

Multicast enhancement threshold. Set value between 2-256 subscribers. The default is set to 32.

probe-resp-suppression {enable | disable}

Enable or disable (by default) ignoring of weak signals. When enabled, use the probe-resp-threshold entry to define the minimum signal level required for AP response.

probe-resp-threshold <min-level>

Note: This entry is only available when probe-resp-suppression is set to enable.

Minimum signal level/threshold in dBm required for AP response to probe requests. Set the value between -95 to -20. The default is set to -80.

vlan-pooling {wtp-group | disable}

Enable or disable (by default) VLAN pooling, allowing you to group multiple wireless controller VLANs into VLAN pools. These pools are used to load-balance sessions evenly across multiple VLANs. When set to wtp-group, VLAN pooling occurs with VLAN assignment by wtp-group.

gtk-rekey {enable | disable}

Note: This entry is only available when security is set to a WPA type. Enable or disable (by default) WPA re-key interval option. When enabled, use the gtk-rekey-intv entry to set the re-key interval time.

gtk-rekey-intv <interval>

Note: This entry is only available when gtk-rekey is set to enable.

WPA re-key interval in seconds. Increase the value for those users who may require a longer time period. Set the value between 1800-864000 (or 30 minutes to 10 days).

rates-11a <data-rate>

Data rates permitted for 802.11a in Mbps.

rates-11bg <data-rate>

Data rates permitted for 802.11b/g in Mbps.

rates-11n-ss12 <data-rate>

Data rates permitted for 802.11n with 1 or 2 spatial streams.

rates-11n-ss34 <data-rate>

Data rates permitted for 802.11n with 3 or 4 spatial streams.

rates-11ac-ss12 <data-rate>

Data rates permitted for 802.11ac with 1 or 2 spatial streams.

rates-11ac-ss34 <data-rate>

Data rates permitted for 802.11ac with 3 or 4 spatial streams.