config wireless-controller vap

Configure Virtual Access Points (VAPs).

config wireless-controller vap
    Description: Configure Virtual Access Points (VAPs).
    edit <name>
        set fast-roaming [enable|disable]
        set external-fast-roaming [enable|disable]
        set mesh-backhaul [enable|disable]
        set atf-weight {integer}
        set max-clients {integer}
        set max-clients-ap {integer}
        set ssid {string}
        set broadcast-ssid [enable|disable]
        set security [open|captive-portal|...]
        set pmf [disable|enable|...]
        set pmf-assoc-comeback-timeout {integer}
        set pmf-sa-query-retry-timeout {integer}
        set okc [disable|enable]
        set voice-enterprise [disable|enable]
        set fast-bss-transition [disable|enable]
        set ft-mobility-domain {integer}
        set ft-r0-key-lifetime {integer}
        set ft-over-ds [disable|enable]
        set sae-groups {option1}, {option2}, ...
        set owe-groups {option1}, {option2}, ...
        set owe-transition [disable|enable]
        set owe-transition-ssid {string}
        set eapol-key-retries [disable|enable]
        set tkip-counter-measure [enable|disable]
        set external-web {string}
        set external-web-format [auto-detect|no-query-string|...]
        set external-logout {string}
        set mac-auth-bypass [enable|disable]
        set radius-mac-auth [enable|disable]
        set radius-mac-auth-server {string}
        set radius-mac-auth-usergroups <name1>, <name2>, ...
        set auth [psk|radius|...]
        set encrypt [TKIP|AES|...]
        set keyindex {integer}
        set key {password}
        set passphrase {password}
        set sae-password {password}
        set radius-server {string}
        set acct-interim-interval {integer}
        set local-standalone [enable|disable]
        set local-standalone-nat [enable|disable]
        set ip {ipv4-classnet-host}
        set dhcp-lease-time {integer}
        set local-bridging [enable|disable]
        set local-lan [allow|deny]
        set local-authentication [enable|disable]
        set usergroup <name1>, <name2>, ...
        set portal-message-override-group {string}
        config portal-message-overrides
            Description: Individual message overrides.
            set auth-disclaimer-page {string}
            set auth-reject-page {string}
            set auth-login-page {string}
            set auth-login-failed-page {string}
        end
        set portal-type [auth|auth+disclaimer|...]
        set selected-usergroups <name1>, <name2>, ...
        set security-exempt-list {string}
        set security-redirect-url {string}
        set intra-vap-privacy [enable|disable]
        set schedule <name1>, <name2>, ...
        set ldpc [disable|rx|...]
        set high-efficiency [enable|disable]
        set target-wake-time [enable|disable]
        set mpsk [enable|disable]
        set mpsk-concurrent-clients {integer}
        config mpsk-key
            Description: List of multiple PSK entries.
            edit <key-name>
                set passphrase {password}
                set concurrent-clients {string}
                set comment {var-string}
                set mpsk-schedules <name1>, <name2>, ...
            next
        end
        set split-tunneling [enable|disable]
        set vlanid {integer}
        set vlan-auto [enable|disable]
        set dynamic-vlan [enable|disable]
        set captive-portal-radius-server {string}
        set captive-portal-radius-secret {password}
        set captive-portal-macauth-radius-server {string}
        set captive-portal-macauth-radius-secret {password}
        set captive-portal-ac-name {string}
        set captive-portal-session-timeout-interval {integer}
        set multicast-rate [0|6000|...]
        set multicast-enhance [enable|disable]
        set broadcast-suppression {option1}, {option2}, ...
        set me-disable-thresh {integer}
        set mu-mimo [enable|disable]
        set probe-resp-suppression [enable|disable]
        set probe-resp-threshold {string}
        set radio-sensitivity [enable|disable]
        set quarantine [enable|disable]
        set radio-5g-threshold {string}
        set radio-2g-threshold {string}
        set vlan-pooling [wtp-group|round-robin|...]
        config vlan-pool
            Description: VLAN pool.
            edit <id>
                set wtp-group {string}
            next
        end
        set dhcp-option82-insertion [enable|disable]
        set dhcp-option82-circuit-id-insertion [style-1|style-2|...]
        set dhcp-option82-remote-id-insertion [style-1|disable]
        set ptk-rekey [enable|disable]
        set ptk-rekey-intv {integer}
        set gtk-rekey [enable|disable]
        set gtk-rekey-intv {integer}
        set eap-reauth [enable|disable]
        set eap-reauth-intv {integer}
        set qos-profile {string}
        set hotspot20-profile {string}
        set primary-wag-profile {string}
        set secondary-wag-profile {string}
        set tunnel-echo-interval {integer}
        set tunnel-fallback-interval {integer}
        set rates-11a {option1}, {option2}, ...
        set rates-11bg {option1}, {option2}, ...
        set rates-11n-ss12 {option1}, {option2}, ...
        set rates-11n-ss34 {option1}, {option2}, ...
        set rates-11ac-ss12 {option1}, {option2}, ...
        set rates-11ac-ss34 {option1}, {option2}, ...
        set utm-profile {string}
        set address-group {string}
        set mac-filter [enable|disable]
        set mac-filter-policy-other [allow|deny]
        config mac-filter-list
            Description: Create a list of MAC addresses for MAC address filtering.
            edit <id>
                set mac {mac-address}
                set mac-filter-policy [allow|deny]
            next
        end
    next
end
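A configuration dump in the syntax above is the natural input for an audit, so here is an added example (not part of the FortiOS reference) that parses the nested config/edit/set/next/end structure and flags the weak settings documented in the parameter list: WEP and open security modes, the TKIP cipher, and PMF left at its disabled default. The sample configuration inside the block is constructed for the example.

```python
# Added example, not part of the FortiOS reference: parse a configuration dump
# in the "config wireless-controller vap" syntax shown above and flag weak
# per-VAP settings. SAMPLE_CONFIG is constructed for this example.

SAMPLE_CONFIG = """\
config wireless-controller vap
    edit "guest-legacy"
        set security wpa-personal
        set encrypt TKIP
        set pmf disable
        config mac-filter-list
            edit 1
                set mac 00:11:22:33:44:55
                set mac-filter-policy deny
            next
        end
    next
    edit "corp-wpa3"
        set security wpa3-sae
        set pmf enable
        set sae-groups 19 20
    next
end
"""

def parse_vaps(text):
    """Return {vap_name: {setting: value}} for each top-level 'edit' block."""
    # Nested tables (mac-filter-list, mpsk-key, ...) open their own config/end
    # scope; the depth counter keeps their 'set' lines out of the VAP itself.
    vaps, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            depth -= 1
        elif depth != 1:
            continue
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            vaps[current] = {}
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            vaps[current][key] = value.strip().strip('"')
    return vaps

def audit_vap(settings):
    """Findings for one VAP; absent settings take the reference defaults
    (security = wpa2-only-personal, pmf = disable)."""
    findings = []
    security = settings.get("security", "wpa2-only-personal")
    if security in ("wep64", "wep128"):
        findings.append("WEP is broken; use wpa2-only-personal or wpa3-sae")
    if security == "open":
        findings.append("open SSID carries traffic unencrypted; consider owe")
    if "TKIP" in settings.get("encrypt", ""):
        findings.append("TKIP cipher enabled; restrict encrypt to AES")
    if security.startswith("wpa") and settings.get("pmf", "disable") == "disable":
        findings.append("pmf disabled; management frames are unprotected")
    return findings

def audit_config(text):
    return {name: audit_vap(s) for name, s in parse_vaps(text).items()}
```

`audit_config(SAMPLE_CONFIG)` reports two findings for "guest-legacy" and none for "corp-wpa3"; the nested mac-filter-list entry is parsed past without being attributed to the VAP.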

config wireless-controller vap

fast-roaming
    Enable/disable fast-roaming, or pre-authentication, where supported by clients (default = disable).
    Type: option
        enable: Enable fast-roaming, or pre-authentication.
        disable: Disable fast-roaming, or pre-authentication.

external-fast-roaming
    Enable/disable fast roaming or pre-authentication with external APs not managed by the FortiGate (default = disable).
    Type: option
        enable: Enable fast roaming or pre-authentication with external APs.
        disable: Disable fast roaming or pre-authentication with external APs.

mesh-backhaul
    Enable/disable using this VAP as a WiFi mesh backhaul (default = disable). This entry is only available when security is set to a WPA type or open.
    Type: option
        enable: Enable mesh backhaul.
        disable: Disable mesh backhaul.

atf-weight
    Airtime weight in percentage (default = 20).
    Type: integer (minimum 0, maximum 100)

max-clients
    Maximum number of clients that can connect simultaneously to the VAP (default = 0, meaning no limitation).
    Type: integer (minimum 0, maximum 4294967295)

max-clients-ap
    Maximum number of clients that can connect simultaneously to the VAP per AP radio (default = 0, meaning no limitation).
    Type: integer (minimum 0, maximum 4294967295)

ssid
    IEEE 802.11 service set identifier (SSID) for the wireless interface. Users who wish to use the wireless network must configure their computers to access this SSID name.
    Type: string (maximum length 32)

broadcast-ssid
    Enable/disable broadcasting the SSID (default = enable).
    Type: option
        enable: Enable broadcasting the SSID.
        disable: Disable broadcasting the SSID.

security
    Security mode for the wireless interface (default = wpa2-only-personal).
    Type: option
        open: Open.
        captive-portal: Captive portal.
        wep64: WEP 64-bit.
        wep128: WEP 128-bit.
        wpa-personal: WPA/WPA2 personal.
        wpa-personal+captive-portal: WPA/WPA2 personal with captive portal.
        wpa-enterprise: WPA/WPA2 enterprise.
        wpa-only-personal: WPA personal.
        wpa-only-personal+captive-portal: WPA personal with captive portal.
        wpa-only-enterprise: WPA enterprise.
        wpa2-only-personal: WPA2 personal.
        wpa2-only-personal+captive-portal: WPA2 personal with captive portal.
        wpa2-only-enterprise: WPA2 enterprise.
        wpa3-enterprise: WPA3 enterprise.
        wpa3-sae: WPA3 SAE.
        wpa3-sae-transition: WPA3 SAE transition.
        owe: Opportunistic wireless encryption.
        osen: OSEN.

pmf
    Protected Management Frames (PMF) support (default = disable).
    Type: option
        disable: Disable PMF completely.
        enable: Enable PMF but deny clients without PMF.
        optional: Enable PMF and allow clients without PMF.

pmf-assoc-comeback-timeout
    Protected Management Frames (PMF) comeback maximum timeout (1 - 20 sec).
    Type: integer (minimum 1, maximum 20)

pmf-sa-query-retry-timeout
    Protected Management Frames (PMF) SA query retry timeout interval (1 - 5, in units of 100 msec).
    Type: integer (minimum 1, maximum 5)

okc
    Enable/disable Opportunistic Key Caching (OKC) (default = enable).
    Type: option
        disable: Disable Opportunistic Key Caching (OKC).
        enable: Enable Opportunistic Key Caching (OKC).

voice-enterprise
    Enable/disable 802.11k and 802.11v assisted Voice-Enterprise roaming (default = disable).
    Type: option
        disable: Disable 802.11k and 802.11v assisted Voice-Enterprise roaming.
        enable: Enable 802.11k and 802.11v assisted Voice-Enterprise roaming.

fast-bss-transition
    Enable/disable 802.11r Fast BSS Transition (FT) (default = disable).
    Type: option
        disable: Disable 802.11r Fast BSS Transition (FT).
        enable: Enable 802.11r Fast BSS Transition (FT).

ft-mobility-domain
    Mobility domain identifier in FT (1 - 65535, default = 1000).
    Type: integer (minimum 1, maximum 65535)

ft-r0-key-lifetime
    Lifetime of the PMK-R0 key in FT (1 - 65535 minutes).
    Type: integer (minimum 1, maximum 65535)

ft-over-ds
    Enable/disable FT over the Distribution System (DS).
    Type: option
        disable: Disable FT over the Distribution System (DS).
        enable: Enable FT over the Distribution System (DS).

sae-groups
    SAE groups.
    Type: option
        19: DH Group 19.
        20: DH Group 20.
        21: DH Group 21.

owe-groups
    OWE groups.
    Type: option
        19: DH Group 19.
        20: DH Group 20.
        21: DH Group 21.

owe-transition
    Enable/disable OWE transition mode support.
    Type: option
        disable: Disable OWE transition mode support.
        enable: Enable OWE transition mode support.

owe-transition-ssid
    OWE transition mode peer SSID.
    Type: string (maximum length 32)

eapol-key-retries
    Enable/disable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2) (default = enable).
    Type: option
        disable: Disable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2).
        enable: Enable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2).

tkip-counter-measure
    Enable/disable TKIP counter measure.
    Type: option
        enable: Enable TKIP counter measure.
        disable: Disable TKIP counter measure.

external-web
    URL of external authentication web server.
    Type: string (maximum length 127)

external-web-format
    URL query parameter detection (default = auto-detect).
    Type: option
        auto-detect: Automatically detect whether the "external-web" URL has any query parameter.
        no-query-string: The "external-web" URL does not have any query parameter.
        partial-query-string: The "external-web" URL has some query parameters.

external-logout
    URL of external authentication logout server.
    Type: string (maximum length 127)

mac-auth-bypass
    Enable/disable MAC authentication bypass.
    Type: option
        enable: Enable MAC authentication bypass.
        disable: Disable MAC authentication bypass.

radius-mac-auth
    Enable/disable RADIUS-based MAC authentication of clients (default = disable).
    Type: option
        enable: Enable RADIUS-based MAC authentication.
        disable: Disable RADIUS-based MAC authentication.

radius-mac-auth-server
    RADIUS-based MAC authentication server.
    Type: string (maximum length 35)

radius-mac-auth-usergroups <name>
    Selective user groups that are permitted for RADIUS MAC authentication.
    <name>: User group name. Type: string (maximum length 79)

auth
    Authentication protocol.
    Type: option
        psk: Use a single Pre-shared Key (PSK) to authenticate all users.
        radius: Use a RADIUS server to authenticate clients.
        usergroup: Use a firewall usergroup to authenticate clients.

encrypt
    Encryption protocol to use (only available when security is set to a WPA type).
    Type: option
        TKIP: Use TKIP encryption.
        AES: Use AES encryption.
        TKIP-AES: Use TKIP and AES encryption.

keyindex
    WEP key index (1 - 4).
    Type: integer (minimum 1, maximum 4)

key
    WEP key.
    Type: password

passphrase
    WPA pre-shared key (PSK) to be used to authenticate WiFi users.
    Type: password

sae-password
    WPA3 SAE password to be used to authenticate WiFi users.
    Type: password

radius-server
    RADIUS server to be used to authenticate WiFi users.
    Type: string (maximum length 35)

acct-interim-interval
    WiFi RADIUS accounting interim interval (60 - 86400 sec, default = 0).
    Type: integer (minimum 60, maximum 86400)

local-standalone
    Enable/disable AP local standalone (default = disable).
    Type: option
        enable: Enable AP local standalone.
        disable: Disable AP local standalone.

local-standalone-nat
    Enable/disable AP local standalone NAT mode.
    Type: option
        enable: Enable AP local standalone NAT mode.
        disable: Disable AP local standalone NAT mode.

ip
    IP address and subnet mask for the local standalone NAT subnet.
    Type: ipv4-classnet-host

dhcp-lease-time
    DHCP lease time in seconds for NAT IP address.
    Type: integer (minimum 300, maximum 8640000)

local-bridging
    Enable/disable bridging of wireless and Ethernet interfaces on the FortiAP (default = disable).
    Type: option
        enable: Enable AP local VAP to Ethernet bridging.
        disable: Disable AP local VAP to Ethernet bridging.

local-lan
    Allow/deny traffic destined for a Class A, B, or C private IP address (default = allow).
    Type: option
        allow: Allow traffic destined for a Class A, B, or C private IP address.
        deny: Deny traffic destined for a Class A, B, or C private IP address.

local-authentication
    Enable/disable AP local authentication.
    Type: option
        enable: Enable AP local authentication.
        disable: Disable AP local authentication.

usergroup <name>
    Firewall user group to be used to authenticate WiFi users.
    <name>: User group name. Type: string (maximum length 79)

portal-message-override-group
    Replacement message group for this VAP (only available when security is set to a captive portal type).
    Type: string (maximum length 35)

portal-type
    Captive portal functionality. Configure how the captive portal authenticates users and whether it includes a disclaimer.
    Type: option
        auth: Portal for authentication.
        auth+disclaimer: Portal for authentication and disclaimer.
        disclaimer: Portal for disclaimer.
        email-collect: Portal for email collection.
        cmcc: Portal for CMCC.
        cmcc-macauth: Portal for CMCC and MAC authentication.
        auth-mac: Portal for authentication and MAC authentication.
        external-auth: Portal for external portal authentication.

selected-usergroups <name>
    Selective user groups that are permitted to authenticate.
    <name>: User group name. Type: string (maximum length 79)

security-exempt-list
    Optional security exempt list for captive portal authentication.
    Type: string (maximum length 35)

security-redirect-url
    Optional URL for redirecting users after they pass captive portal authentication.
    Type: string (maximum length 127)

intra-vap-privacy
    Enable/disable blocking communication between clients on the same SSID (called intra-SSID privacy) (default = disable).
    Type: option
        enable: Enable intra-SSID privacy.
        disable: Disable intra-SSID privacy.

schedule <name>
    Firewall schedules for enabling this VAP on the FortiAP. This VAP will be enabled when at least one of the schedules is valid. Separate multiple schedule names with a space.
    <name>: Schedule name. Type: string (maximum length 35)

ldpc
    VAP low-density parity-check (LDPC) coding configuration.
    Type: option
        disable: Disable LDPC.
        rx: Enable LDPC when receiving traffic.
        tx: Enable LDPC when transmitting traffic.
        rxtx: Enable LDPC when both receiving and transmitting traffic.

high-efficiency
    Enable/disable 802.11ax high efficiency (default = enable).
    Type: option
        enable: Enable 802.11ax high efficiency.
        disable: Disable 802.11ax high efficiency.

target-wake-time
    Enable/disable 802.11ax target wake time (default = enable).
    Type: option
        enable: Enable 802.11ax target wake time.
        disable: Disable 802.11ax target wake time.

mpsk
    Enable/disable multiple PSK authentication.
    Type: option
        enable: Enable multiple PSK authentication.
        disable: Disable multiple PSK authentication.

mpsk-concurrent-clients
    Maximum number of concurrent clients that connect using the same passphrase in multiple PSK authentication (0 - 65535, default = 0, meaning no limitation).
    Type: integer (minimum 0, maximum 65535)

split-tunneling
    Enable/disable split tunneling (default = disable).
    Type: option
        enable: Enable split tunneling.
        disable: Disable split tunneling.

vlanid
    Optional VLAN ID.
    Type: integer (minimum 0, maximum 4094)

vlan-auto
    Enable/disable automatic management of SSID VLAN interface.
    Type: option
        enable: Enable automatic management of SSID VLAN interface.
        disable: Disable automatic management of SSID VLAN interface.

dynamic-vlan
    Enable/disable dynamic VLAN assignment.
    Type: option
        enable: Enable dynamic VLAN assignment.
        disable: Disable dynamic VLAN assignment.

captive-portal-radius-server
    Captive portal RADIUS server domain name or IP address.
    Type: string (maximum length 63)

captive-portal-radius-secret
    Secret key to access the RADIUS server.
    Type: password

captive-portal-macauth-radius-server
    Captive portal external RADIUS server domain name or IP address.
    Type: string (maximum length 63)

captive-portal-macauth-radius-secret
    Secret key to access the macauth RADIUS server.
    Type: password

captive-portal-ac-name
    Local-bridging captive portal ac-name.
    Type: string (maximum length 35)

captive-portal-session-timeout-interval
    Session timeout interval (0 - 864000 sec, default = 0).
    Type: integer (minimum 0, maximum 864000)

multicast-rate
    Multicast rate (0, 6000, 12000, or 24000 kbps, default = 0).
    Type: option
        0: Use the default multicast rate.
        6000: 6 Mbps.
        12000: 12 Mbps.
        24000: 24 Mbps.

multicast-enhance
    Enable/disable converting multicast to unicast to improve performance (default = disable).
    Type: option
        enable: Enable multicast enhancement.
        disable: Disable multicast enhancement.

broadcast-suppression
    Optional suppression of broadcast messages. For example, you can keep DHCP messages, ARP broadcasts, and so on off of the wireless network.
    Type: option
        dhcp-up: Suppress broadcast uplink DHCP messages.
        dhcp-down: Suppress broadcast downlink DHCP messages.
        dhcp-starvation: Suppress broadcast DHCP starvation request messages.
        dhcp-ucast: Convert downlink broadcast DHCP messages to unicast messages.
        arp-known: Suppress broadcast ARP for known wireless clients.
        arp-unknown: Suppress broadcast ARP for unknown wireless clients.
        arp-reply: Suppress broadcast ARP reply from wireless clients.
        arp-poison: Suppress ARP poison messages from wireless clients.
        arp-proxy: Reply to ARP requests for wireless clients as a proxy.
        netbios-ns: Suppress NetBIOS name service packets with UDP port 137.
        netbios-ds: Suppress NetBIOS datagram service packets with UDP port 138.
        ipv6: Suppress IPv6 packets.
        all-other-mc: Suppress all other multicast messages.
        all-other-bc: Suppress all other broadcast messages.

me-disable-thresh
    Disable multicast enhancement when this many clients are receiving multicast traffic.
    Type: integer (minimum 2, maximum 256)

mu-mimo
    Enable/disable Multi-user MIMO (default = enable).
    Type: option
        enable: Enable Multi-user MIMO.
        disable: Disable Multi-user MIMO.

probe-resp-suppression
    Enable/disable probe response suppression (to ignore weak signals) (default = disable).
    Type: option
        enable: Enable probe response suppression.
        disable: Disable probe response suppression.

probe-resp-threshold
    Minimum signal level/threshold in dBm required for the AP to respond to probe requests (-95 to -20, default = -80).
    Type: string (maximum length 7)

radio-sensitivity
    Enable/disable software radio sensitivity (to ignore weak signals) (default = disable).
    Type: option
        enable: Enable software radio sensitivity.
        disable: Disable software radio sensitivity.

quarantine
    Enable/disable station quarantine (default = enable).
    Type: option
        enable: Enable station quarantine.
        disable: Disable station quarantine.

radio-5g-threshold
    Minimum signal level/threshold in dBm required for the AP to receive a packet in the 5G band (-95 to -20, default = -76).
    Type: string (maximum length 7)

radio-2g-threshold
    Minimum signal level/threshold in dBm required for the AP to receive a packet in the 2.4G band (-95 to -20, default = -79).
    Type: string (maximum length 7)

vlan-pooling
    Enable/disable VLAN pooling, to allow grouping of multiple wireless controller VLANs into VLAN pools (default = disable). When set to wtp-group, VLAN pooling occurs with VLAN assignment by wtp-group.
    Type: option
        wtp-group: Enable VLAN pooling with VLAN assignment by wtp-group.
        round-robin: Enable VLAN pooling with round-robin VLAN assignment.
        hash: Enable VLAN pooling with hash-based VLAN assignment.
        disable: Disable VLAN pooling.

dhcp-option82-insertion
    Enable/disable DHCP option 82 insert (default = disable).
    Type: option
        enable: Enable DHCP option 82 insert.
        disable: Disable DHCP option 82 insert.

dhcp-option82-circuit-id-insertion
    Enable/disable DHCP option 82 circuit-id insert (default = disable).
    Type: option
        style-1: ASCII string composed of AP-MAC;SSID;SSID-TYPE. For example, "xx:xx:xx:xx:xx:xx;wifi;s".
        style-2: ASCII string composed of AP-MAC. For example, "xx:xx:xx:xx:xx:xx".
        disable: Disable DHCP option 82 circuit-id insert.

dhcp-option82-remote-id-insertion
    Enable/disable DHCP option 82 remote-id insert (default = disable).
    Type: option
        style-1: ASCII string in the format "xx:xx:xx:xx:xx:xx" containing the MAC address of the client device.