config wireless-controller vap
Description: Configure Virtual Access Points (VAPs).
edit <name>
set fast-roaming [enable|disable]
set external-fast-roaming [enable|disable]
set mesh-backhaul [enable|disable]
set atf-weight {integer}
set max-clients {integer}
set max-clients-ap {integer}
set ssid {string}
set broadcast-ssid [enable|disable]
set security [open|captive-portal|...]
set pmf [disable|enable|...]
set pmf-assoc-comeback-timeout {integer}
set pmf-sa-query-retry-timeout {integer}
set okc [disable|enable]
set voice-enterprise [disable|enable]
set fast-bss-transition [disable|enable]
set ft-mobility-domain {integer}
set ft-r0-key-lifetime {integer}
set ft-over-ds [disable|enable]
set sae-groups {option1}, {option2}, ...
set owe-groups {option1}, {option2}, ...
set owe-transition [disable|enable]
set owe-transition-ssid {string}
set eapol-key-retries [disable|enable]
set tkip-counter-measure [enable|disable]
set external-web {string}
set external-web-format [auto-detect|no-query-string|...]
set external-logout {string}
set mac-auth-bypass [enable|disable]
set radius-mac-auth [enable|disable]
set radius-mac-auth-server {string}
set radius-mac-auth-usergroups <name1>, <name2>, ...
set auth [psk|radius|...]
set encrypt [TKIP|AES|...]
set keyindex {integer}
set key {password}
set passphrase {password}
set sae-password {password}
set radius-server {string}
set local-standalone [enable|disable]
set local-standalone-nat [enable|disable]
set ip {ipv4-classnet-host}
set dhcp-lease-time {integer}
set local-bridging [enable|disable]
set local-lan [allow|deny]
set local-authentication [enable|disable]
set usergroup <name1>, <name2>, ...
set portal-message-override-group {string}
config portal-message-overrides
Description: Individual message overrides.
set auth-disclaimer-page {string}
set auth-reject-page {string}
set auth-login-page {string}
set auth-login-failed-page {string}
end
set portal-type [auth|auth+disclaimer|...]
set selected-usergroups <name1>, <name2>, ...
set security-exempt-list {string}
set security-redirect-url {string}
set intra-vap-privacy [enable|disable]
set schedule <name1>, <name2>, ...
set ldpc [disable|rx|...]
set high-efficiency [enable|disable]
set target-wake-time [enable|disable]
set mpsk [enable|disable]
set mpsk-concurrent-clients {integer}
config mpsk-key
Description: List of multiple PSK entries.
edit <key-name>
set passphrase {password}
set concurrent-clients {string}
set comment {var-string}
set mpsk-schedules <name1>, <name2>, ...
next
end
set split-tunneling [enable|disable]
set vlanid {integer}
set vlan-auto [enable|disable]
set dynamic-vlan [enable|disable]
set captive-portal-ac-name {string}
set captive-portal-auth-timeout {integer}
set multicast-rate [0|6000|...]
set multicast-enhance [enable|disable]
set broadcast-suppression {option1}, {option2}, ...
set ipv6-rules {option1}, {option2}, ...
set me-disable-thresh {integer}
set mu-mimo [enable|disable]
set probe-resp-suppression [enable|disable]
set probe-resp-threshold {string}
set radio-sensitivity [enable|disable]
set quarantine [enable|disable]
set radio-5g-threshold {string}
set radio-2g-threshold {string}
set vlan-pooling [wtp-group|round-robin|...]
config vlan-pool
Description: VLAN pool.
edit <id>
set wtp-group {string}
next
end
set dhcp-option43-insertion [enable|disable]
set dhcp-option82-insertion [enable|disable]
set dhcp-option82-circuit-id-insertion [style-1|style-2|...]
set dhcp-option82-remote-id-insertion [style-1|disable]
set ptk-rekey [enable|disable]
set ptk-rekey-intv {integer}
set gtk-rekey [enable|disable]
set gtk-rekey-intv {integer}
set eap-reauth [enable|disable]
set eap-reauth-intv {integer}
set qos-profile {string}
set hotspot20-profile {string}
set access-control-list {string}
set primary-wag-profile {string}
set secondary-wag-profile {string}
set tunnel-echo-interval {integer}
set tunnel-fallback-interval {integer}
set rates-11a {option1}, {option2}, ...
set rates-11bg {option1}, {option2}, ...
set rates-11n-ss12 {option1}, {option2}, ...
set rates-11n-ss34 {option1}, {option2}, ...
set rates-11ac-ss12 {option1}, {option2}, ...
set rates-11ac-ss34 {option1}, {option2}, ...
set utm-profile {string}
set address-group {string}
set mac-filter [enable|disable]
set mac-filter-policy-other [allow|deny]
config mac-filter-list
Description: Create a list of MAC addresses for MAC address filtering.
edit <id>
set mac {mac-address}
set mac-filter-policy [allow|deny]
next
end
set sticky-client-remove [enable|disable]
set sticky-client-threshold-5g {string}
set sticky-client-threshold-2g {string}
next
end
Parameter Name | Description | Type | Size |
---|---|---|---|
fast-roaming | Enable/disable fast-roaming, or pre-authentication, where supported by clients (default = disable). enable: Enable fast-roaming, or pre-authentication. disable: Disable fast-roaming, or pre-authentication. |
option | - |
external-fast-roaming | Enable/disable fast roaming or pre-authentication with external APs not managed by the FortiGate (default = disable). enable: Enable fast roaming or pre-authentication with external APs. disable: Disable fast roaming or pre-authentication with external APs. |
option | - |
mesh-backhaul | Enable/disable using this VAP as a WiFi mesh backhaul (default = disable). This entry is only available when security is set to a WPA type or open. enable: Enable mesh backhaul. disable: Disable mesh backhaul. |
option | - |
atf-weight | Airtime weight in percentage (default = 20). | integer | Minimum value: 0 Maximum value: 100 |
max-clients | Maximum number of clients that can connect simultaneously to the VAP (default = 0, meaning no limitation). | integer | Minimum value: 0 Maximum value: 4294967295 |
max-clients-ap | Maximum number of clients that can connect simultaneously to the VAP per AP radio (default = 0, meaning no limitation). | integer | Minimum value: 0 Maximum value: 4294967295 |
ssid | IEEE 802.11 service set identifier (SSID) for the wireless interface. Users who wish to use the wireless network must configure their computers to access this SSID name. | string | Maximum length: 32 |
broadcast-ssid | Enable/disable broadcasting the SSID (default = enable). enable: Enable broadcasting the SSID. disable: Disable broadcasting the SSID. |
option | - |
security | Security mode for the wireless interface (default = wpa2-only-personal). open: Open. captive-portal: Captive portal. wep64: WEP 64-bit. wep128: WEP 128-bit. wpa-personal: WPA/WPA2 personal. wpa-personal+captive-portal: WPA/WPA2 personal with captive portal. wpa-enterprise: WPA/WPA2 enterprise. wpa-only-personal: WPA personal. wpa-only-personal+captive-portal: WPA personal with captive portal. wpa-only-enterprise: WPA enterprise. wpa2-only-personal: WPA2 personal. wpa2-only-personal+captive-portal: WPA2 personal with captive portal. wpa2-only-enterprise: WPA2 enterprise. wpa3-enterprise: WPA3 enterprise. wpa3-sae: WPA3 SAE. wpa3-sae-transition: WPA3 SAE transition. owe: Opportunistic wireless encryption. osen: OSEN. |
option | - |
pmf | Protected Management Frames (PMF) support (default = disable). disable: Disable PMF completely. enable: Enable PMF but deny clients without PMF. optional: Enable PMF and allow clients without PMF. |
option | - |
pmf-assoc-comeback-timeout | Protected Management Frames (PMF) comeback maximum timeout (1-20 sec). | integer | Minimum value: 1 Maximum value: 20 |
pmf-sa-query-retry-timeout | Protected Management Frames (PMF) SA query retry timeout interval (1 - 5, in units of 100 msec). | integer | Minimum value: 1 Maximum value: 5 |
okc | Enable/disable Opportunistic Key Caching (OKC) (default = enable). disable: Disable Opportunistic Key Caching (OKC). enable: Enable Opportunistic Key Caching (OKC). |
option | - |
voice-enterprise | Enable/disable 802.11k and 802.11v assisted Voice-Enterprise roaming (default = disable). disable: Disable 802.11k and 802.11v assisted Voice-Enterprise roaming. enable: Enable 802.11k and 802.11v assisted Voice-Enterprise roaming. |
option | - |
fast-bss-transition | Enable/disable 802.11r Fast BSS Transition (FT) (default = disable). disable: Disable 802.11r Fast BSS Transition (FT). enable: Enable 802.11r Fast BSS Transition (FT). |
option | - |
ft-mobility-domain | Mobility domain identifier in FT (1 - 65535, default = 1000). | integer | Minimum value: 1 Maximum value: 65535 |
ft-r0-key-lifetime | Lifetime of the PMK-R0 key in FT, 1-65535 minutes. | integer | Minimum value: 1 Maximum value: 65535 |
ft-over-ds | Enable/disable FT over the Distribution System (DS). disable: Disable FT over the Distribution System (DS). enable: Enable FT over the Distribution System (DS). |
option | - |
sae-groups | SAE-Groups. 19: DH Group 19. 20: DH Group 20. 21: DH Group 21. |
option | - |
owe-groups | OWE-Groups. 19: DH Group 19. 20: DH Group 20. 21: DH Group 21. |
option | - |
owe-transition | Enable/disable OWE transition mode support. disable: Disable OWE transition mode support. enable: Enable OWE transition mode support. |
option | - |
owe-transition-ssid | OWE transition mode peer SSID. | string | Maximum length: 32 |
eapol-key-retries | Enable/disable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2) (default = enable). disable: Disable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2). enable: Enable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2). |
option | - |
tkip-counter-measure | Enable/disable TKIP counter measure. enable: Enable TKIP counter measure. disable: Disable TKIP counter measure. |
option | - |
external-web | URL of external authentication web server. | string | Maximum length: 127 |
external-web-format | URL query parameter detection (default = auto-detect). auto-detect: Automatically detect if "external-web" URL has any query parameter. no-query-string: "external-web" URL does not have any query parameter. partial-query-string: "external-web" URL has some query parameters. |
option | - |
external-logout | URL of external authentication logout server. | string | Maximum length: 127 |
mac-auth-bypass | Enable/disable MAC authentication bypass. enable: Enable MAC authentication bypass. disable: Disable MAC authentication bypass. |
option | - |
radius-mac-auth | Enable/disable RADIUS-based MAC authentication of clients (default = disable). enable: Enable RADIUS-based MAC authentication. disable: Disable RADIUS-based MAC authentication. |
option | - |
radius-mac-auth-server | RADIUS-based MAC authentication server. | string | Maximum length: 35 |
radius-mac-auth-usergroups <name> |
Selective user groups that are permitted for RADIUS MAC authentication. User group name. |
string | Maximum length: 79 |
auth | Authentication protocol. psk: Use a single Pre-shared Key (PSK) to authenticate all users. radius: Use a RADIUS server to authenticate clients. usergroup: Use a firewall usergroup to authenticate clients. |
option | - |
encrypt | Encryption protocol to use (only available when security is set to a WPA type). TKIP: Use TKIP encryption. AES: Use AES encryption. TKIP-AES: Use TKIP and AES encryption. |
option | - |
keyindex | WEP key index (1 - 4). | integer | Minimum value: 1 Maximum value: 4 |
key | WEP Key. | password | Not Specified |
passphrase | WPA pre-shared key (PSK) to be used to authenticate WiFi users. | password | Not Specified |
sae-password | WPA3 SAE password to be used to authenticate WiFi users. | password | Not Specified |
radius-server | RADIUS server to be used to authenticate WiFi users. | string | Maximum length: 35 |
local-standalone | Enable/disable AP local standalone (default = disable). enable: Enable AP local standalone. disable: Disable AP local standalone. |
option | - |
local-standalone-nat | Enable/disable AP local standalone NAT mode. enable: Enable AP local standalone NAT mode. disable: Disable AP local standalone NAT mode. |
option | - |
ip | IP address and subnet mask for the local standalone NAT subnet. | ipv4-classnet-host | Not Specified |
dhcp-lease-time | DHCP lease time in seconds for NAT IP address. | integer | Minimum value: 300 Maximum value: 8640000 |
local-bridging | Enable/disable bridging of wireless and Ethernet interfaces on the FortiAP (default = disable). enable: Enable AP local VAP to Ethernet bridging. disable: Disable AP local VAP to Ethernet bridging. |
option | - |
local-lan | Allow/deny traffic destined for a Class A, B, or C private IP address (default = allow). allow: Allow traffic destined for a Class A, B, or C private IP address. deny: Deny traffic destined for a Class A, B, or C private IP address. |
option | - |
local-authentication | Enable/disable AP local authentication. enable: Enable AP local authentication. disable: Disable AP local authentication. |
option | - |
usergroup <name> |
Firewall user group to be used to authenticate WiFi users. User group name. |
string | Maximum length: 79 |
portal-message-override-group | Replacement message group for this VAP (only available when security is set to a captive portal type). | string | Maximum length: 35 |
portal-type | Captive portal functionality. Configure how the captive portal authenticates users and whether it includes a disclaimer. auth: Portal for authentication. auth+disclaimer: Portal for authentication and disclaimer. disclaimer: Portal for disclaimer. email-collect: Portal for email collection. cmcc: Portal for CMCC. cmcc-macauth: Portal for CMCC and MAC authentication. auth-mac: Portal for authentication and MAC authentication. external-auth: Portal for external portal authentication. |
option | - |
selected-usergroups <name> |
Selective user groups that are permitted to authenticate. User group name. |
string | Maximum length: 79 |
security-exempt-list | Optional security exempt list for captive portal authentication. | string | Maximum length: 35 |
security-redirect-url | Optional URL for redirecting users after they pass captive portal authentication. | string | Maximum length: 127 |
intra-vap-privacy | Enable/disable blocking communication between clients on the same SSID (called intra-SSID privacy) (default = disable). enable: Enable intra-SSID privacy. disable: Disable intra-SSID privacy. |
option | - |
schedule <name> |
Firewall schedules for enabling this VAP on the FortiAP. This VAP will be enabled when at least one of the schedules is valid. Separate multiple schedule names with a space. Schedule name. |
string | Maximum length: 35 |
ldpc | VAP low-density parity-check (LDPC) coding configuration. disable: Disable LDPC. rx: Enable LDPC when receiving traffic. tx: Enable LDPC when transmitting traffic. rxtx: Enable LDPC when both receiving and transmitting traffic. |
option | - |
high-efficiency | Enable/disable 802.11ax high efficiency (default = enable). enable: Enable 802.11ax high efficiency. disable: Disable 802.11ax high efficiency. |
option | - |
target-wake-time | Enable/disable 802.11ax target wake time (default = enable). enable: Enable 802.11ax target wake time. disable: Disable 802.11ax target wake time. |
option | - |
mpsk | Enable/disable multiple PSK authentication. enable: Enable multiple PSK authentication. disable: Disable multiple PSK authentication. |
option | - |
mpsk-concurrent-clients | Maximum number of concurrent clients that connect using the same passphrase in multiple PSK authentication (0 - 65535, default = 0, meaning no limitation). | integer | Minimum value: 0 Maximum value: 65535 |
split-tunneling | Enable/disable split tunneling (default = disable). enable: Enable split tunneling. disable: Disable split tunneling. |
option | - |
vlanid | Optional VLAN ID. | integer | Minimum value: 0 Maximum value: 4094 |
vlan-auto | Enable/disable automatic management of SSID VLAN interface. enable: Enable automatic management of SSID VLAN interface. disable: Disable automatic management of SSID VLAN interface. |
option | - |
dynamic-vlan | Enable/disable dynamic VLAN assignment. enable: Enable dynamic VLAN assignment. disable: Disable dynamic VLAN assignment. |
option | - |
captive-portal-ac-name | Local-bridging captive portal ac-name. | string | Maximum length: 35 |
captive-portal-auth-timeout | Hard timeout - AP will always clear the session after timeout regardless of traffic (0 - 864000 sec, default = 0). | integer | Minimum value: 0 Maximum value: 864000 |
multicast-rate | Multicast rate (0, 6000, 12000, or 24000 kbps, default = 0). 0: Use the default multicast rate. 6000: 6 Mbps. 12000: 12 Mbps. 24000: 24 Mbps. |
option | - |
multicast-enhance | Enable/disable converting multicast to unicast to improve performance (default = disable). enable: Enable multicast enhancement. disable: Disable multicast enhancement. |
option | - |
broadcast-suppression | Optional suppression of broadcast messages. For example, you can keep DHCP messages, ARP broadcasts, and so on off of the wireless network. dhcp-up: Suppress broadcast uplink DHCP messages. dhcp-down: Suppress broadcast downlink DHCP messages. dhcp-starvation: Suppress broadcast DHCP starvation req messages. dhcp-ucast: Convert downlink broadcast DHCP messages to unicast messages. arp-known: Suppress broadcast ARP for known wireless clients. arp-unknown: Suppress broadcast ARP for unknown wireless clients. arp-reply: Suppress broadcast ARP reply from wireless clients. arp-poison: Suppress ARP poison messages from wireless clients. arp-proxy: Reply ARP requests for wireless clients as a proxy. netbios-ns: Suppress NetBIOS name services packets with UDP port 137. netbios-ds: Suppress NetBIOS datagram services packets with UDP port 138. ipv6: Suppress IPv6 packets. all-other-mc: Suppress all other multicast messages. all-other-bc: Suppress all other broadcast messages. |
option | - |
ipv6-rules | Optional rules of IPv6 packets. For example, you can keep RA, RS and so on off of the wireless network. drop-icmp6ra: Drop ICMP6 Router Advertisement (RA) packets that originate from wireless clients. drop-icmp6rs: Drop ICMP6 Router Solicitation (RS) packets to be sent to wireless clients. drop-llmnr6: Drop Link-Local Multicast Name Resolution (LLMNR) packets. drop-icmp6mld2: Drop ICMP6 Multicast Listener Report V2 (MLD2) packets. drop-dhcp6s: Drop DHCP6 server generated packets that originate from wireless clients. drop-dhcp6c: Drop DHCP6 client generated packets to be sent to wireless clients. ndp-proxy: Enable IPv6 ndp proxy - send back na on behalf of the client and drop the ns. drop-ns-dad: Drop ICMP6 NS-DAD when target address is not found in ndp proxy cache. drop-ns-nondad: Drop ICMP6 NS-NonDAD when target address is not found in ndp proxy cache. |
option | - |
me-disable-thresh | Disable multicast enhancement when this many clients are receiving multicast traffic. | integer | Minimum value: 2 Maximum value: 256 |
mu-mimo | Enable/disable Multi-user MIMO (default = enable). enable: Enable Multi-user MIMO. disable: Disable Multi-user MIMO. |
option | - |
probe-resp-suppression | Enable/disable probe response suppression (to ignore weak signals) (default = disable). enable: Enable probe response suppression. disable: Disable probe response suppression. |
option | - |
probe-resp-threshold | Minimum signal level/threshold in dBm required for the AP response to probe requests (-95 to -20, default = -80). | string | Maximum length: 7 |
radio-sensitivity | Enable/disable software radio sensitivity (to ignore weak signals) (default = disable). enable: Enable software radio sensitivity. disable: Disable software radio sensitivity. |
option | - |
quarantine | Enable/disable station quarantine (default = enable). enable: Enable station quarantine. disable: Disable station quarantine. |
option | - |
radio-5g-threshold | Minimum signal level/threshold in dBm required for the AP response to receive a packet in 5G band (-95 to -20, default = -76). | string | Maximum length: 7 |
radio-2g-threshold | Minimum signal level/threshold in dBm required for the AP response to receive a packet in 2.4G band (-95 to -20, default = -79). | string | Maximum length: 7 |
vlan-pooling | Enable/disable VLAN pooling, to allow grouping of multiple wireless controller VLANs into VLAN pools (default = disable). When set to wtp-group, VLAN pooling occurs with VLAN assignment by wtp-group. wtp-group: Enable VLAN pooling with VLAN assignment by wtp-group. round-robin: Enable VLAN pooling with round-robin VLAN assignment. hash: Enable VLAN pooling with hash-based VLAN assignment. disable: Disable VLAN pooling. |
option | - |
dhcp-option43-insertion | Enable/disable insertion of DHCP option 43 (default = enable). enable: Enable insertion of DHCP option 43. disable: Disable insertion of DHCP option 43. |
option | - |
dhcp-option82-insertion | Enable/disable DHCP option 82 insert (default = disable). enable: Enable DHCP option 82 insert. disable: Disable DHCP option 82 insert. |
option | - |
dhcp-option82-circuit-id-insertion | Enable/disable DHCP option 82 circuit-id insert (default = disable). style-1: ASCII string composed of AP-MAC;SSID;SSID-TYPE. For example, "xx:xx:xx:xx:xx:xx;wifi;s". style-2: ASCII string composed of AP-MAC. For example, "xx:xx:xx:xx:xx:xx". style-3: ASCII string composed of NETWORK-TYPE:WTPPROF-NAME:VLAN:SSID:AP-MODEL:AP-HOSTNAME:AP-MAC. For example, "WLAN:FAPS221E-default:100:wifi:PS221E:FortiAP-S221E:xx:xx:xx:xx:xx:xx". disable: Disable DHCP option 82 circuit-id insert. |
option | - |
dhcp-option82-remote-id-insertion | Enable/disable DHCP option 82 remote-id insert (default = disable). style-1: ASCII string in the format "xx:xx:xx:xx:xx:xx" containing MAC address of client device. disable: Disable DHCP option 82 remote-id insert. |
option | - |
ptk-rekey | Enable/disable PTK rekey for WPA-Enterprise security. enable: Enable PTK rekey for WPA-Enterprise security. disable: Disable PTK rekey for WPA-Enterprise security. |
option | - |
ptk-rekey-intv | PTK rekey interval (1800 - 864000 sec, default = 86400). | integer | Minimum value: 1800 Maximum value: 864000 |
gtk-rekey | Enable/disable GTK rekey for WPA security. enable: Enable GTK rekey for WPA security. disable: Disable GTK rekey for WPA security. |
option | - |
gtk-rekey-intv | GTK rekey interval (1800 - 864000 sec, default = 86400). | integer | Minimum value: 1800 Maximum value: 864000 |
eap-reauth | Enable/disable EAP re-authentication for WPA-Enterprise security. enable: Enable EAP re-authentication for WPA-Enterprise security. disable: Disable EAP re-authentication for WPA-Enterprise security. |
option | - |
eap-reauth-intv | EAP re-authentication interval (1800 - 864000 sec, default = 86400). | integer | Minimum value: 1800 Maximum value: 864000 |
qos-profile | Quality of service profile name. | string | Maximum length: 35 |
hotspot20-profile | Hotspot 2.0 profile name. | string | Maximum length: 35 |
access-control-list | access-control-list profile name. | string | Maximum length: 35 |
primary-wag-profile | Primary wireless access gateway profile name. | string | Maximum length: 35 |
secondary-wag-profile | Secondary wireless access gateway profile name. | string | Maximum length: 35 |
tunnel-echo-interval | The time interval to send echo to both primary and secondary tunnel peers (1 - 65535 sec, default = 300). | integer | Minimum value: 1 Maximum value: 65535 |
tunnel-fallback-interval | The time interval for secondary tunnel to fall back to primary tunnel (0 - 65535 sec, default = 7200). | integer | Minimum value: 0 Maximum value: 65535 |
rates-11a | Allowed data rates for 802.11a. 1: 1 Mbps supported rate. 1-basic: 1 Mbps BSS basic rate. 2: 2 Mbps supported rate. 2-basic: 2 Mbps BSS basic rate. 5.5: 5.5 Mbps supported rate. 5.5-basic: 5.5 Mbps BSS basic rate. 11: 11 Mbps supported rate. 11-basic: 11 Mbps BSS basic rate. 6: 6 Mbps supported rate. 6-basic: 6 Mbps BSS basic rate. 9: 9 Mbps supported rate. 9-basic: 9 Mbps BSS basic rate. 12: 12 Mbps supported rate. 12-basic: 12 Mbps BSS basic rate. 18: 18 Mbps supported rate. 18-basic: 18 Mbps BSS basic rate. 24: 24 Mbps supported rate. 24-basic: 24 Mbps BSS basic rate. 36: 36 Mbps supported rate. 36-basic: 36 Mbps BSS basic rate. 48: 48 Mbps supported rate. 48-basic: 48 Mbps BSS basic rate. 54: 54 Mbps supported rate. 54-basic: 54 Mbps BSS basic rate. |
option | - |
rates-11bg | Allowed data rates for 802.11b/g. 1: 1 Mbps supported rate. 1-basic: 1 Mbps BSS basic rate. 2: 2 Mbps supported rate. 2-basic: 2 Mbps BSS basic rate. 5.5: 5.5 Mbps supported rate. 5.5-basic: 5.5 Mbps BSS basic rate. 11: 11 Mbps supported rate. 11-basic: 11 Mbps BSS basic rate. 6: 6 Mbps supported rate. 6-basic: 6 Mbps BSS basic rate. 9: 9 Mbps supported rate. 9-basic: 9 Mbps BSS basic rate. 12: 12 Mbps supported rate. 12-basic: 12 Mbps BSS basic rate. 18: 18 Mbps supported rate. 18-basic: 18 Mbps BSS basic rate. 24: 24 Mbps supported rate. 24-basic: 24 Mbps BSS basic rate. 36: 36 Mbps supported rate. 36-basic: 36 Mbps BSS basic rate. 48: 48 Mbps supported rate. 48-basic: 48 Mbps BSS basic rate. 54: 54 Mbps supported rate. 54-basic: 54 Mbps BSS basic rate. |
option | - |
rates-11n-ss12 | Allowed data rates for 802.11n with 1 or 2 spatial streams. mcs0/1: Data rate for MCS index 0 with 1 spatial stream. mcs1/1: Data rate for MCS index 1 with 1 spatial stream. mcs2/1: Data rate for MCS index 2 with 1 spatial stream. mcs3/1: Data rate for MCS index 3 with 1 spatial stream. mcs4/1: Data rate for MCS index 4 with 1 spatial stream. mcs5/1: Data rate for MCS index 5 with 1 spatial stream. mcs6/1: Data rate for MCS index 6 with 1 spatial stream. mcs7/1: Data rate for MCS index 7 with 1 spatial stream. mcs8/2: Data rate for MCS index 8 with 2 spatial streams. mcs9/2: Data rate for MCS index 9 with 2 spatial streams. mcs10/2: Data rate for MCS index 10 with 2 spatial streams. mcs11/2: Data rate for MCS index 11 with 2 spatial streams. mcs12/2: Data rate for MCS index 12 with 2 spatial streams. mcs13/2: Data rate for MCS index 13 with 2 spatial streams. mcs14/2: Data rate for MCS index 14 with 2 spatial streams. mcs15/2: Data rate for MCS index 15 with 2 spatial streams. |
option | - |
rates-11n-ss34 | Allowed data rates for 802.11n with 3 or 4 spatial streams. mcs16/3: Data rate for MCS index 16 with 3 spatial streams. mcs17/3: Data rate for MCS index 17 with 3 spatial streams. mcs18/3: Data rate for MCS index 18 with 3 spatial streams. mcs19/3: Data rate for MCS index 19 with 3 spatial streams. mcs20/3: Data rate for MCS index 20 with 3 spatial streams. mcs21/3: Data rate for MCS index 21 with 3 spatial streams. mcs22/3: Data rate for MCS index 22 with 3 spatial streams. mcs23/3: Data rate for MCS index 23 with 3 spatial streams. mcs24/4: Data rate for MCS index 24 with 4 spatial streams. mcs25/4: Data rate for MCS index 25 with 4 spatial streams. mcs26/4: Data rate for MCS index 26 with 4 spatial streams. mcs27/4: Data rate for MCS index 27 with 4 spatial streams. mcs28/4: Data rate for MCS index 28 with 4 spatial streams. mcs29/4: Data rate for MCS index 29 with 4 spatial streams. mcs30/4: Data rate for MCS index 30 with 4 spatial streams. mcs31/4: Data rate for MCS index 31 with 4 spatial streams. |
option | - |
rates-11ac-ss12 | Allowed data rates for 802.11ac/ax with 1 or 2 spatial streams. mcs0/1: Data rate for MCS index 0 with 1 spatial stream. mcs1/1: Data rate for MCS index 1 with 1 spatial stream. mcs2/1: Data rate for MCS index 2 with 1 spatial stream. mcs3/1: Data rate for MCS index 3 with 1 spatial stream. mcs4/1: Data rate for MCS index 4 with 1 spatial stream. mcs5/1: Data rate for MCS index 5 with 1 spatial stream. mcs6/1: Data rate for MCS index 6 with 1 spatial stream. mcs7/1: Data rate for MCS index 7 with 1 spatial stream. mcs8/1: Data rate for MCS index 8 with 1 spatial stream. mcs9/1: Data rate for MCS index 9 with 1 spatial stream. mcs10/1: Data rate for MCS index 10 with 1 spatial stream. mcs11/1: Data rate for MCS index 11 with 1 spatial stream. mcs0/2: Data rate for MCS index 0 with 2 spatial streams. mcs1/2: Data rate for MCS index 1 with 2 spatial streams. mcs2/2: Data rate for MCS index 2 with 2 spatial streams. mcs3/2: Data rate for MCS index 3 with 2 spatial streams. mcs4/2: Data rate for MCS index 4 with 2 spatial streams. mcs5/2: Data rate for MCS index 5 with 2 spatial streams. mcs6/2: Data rate for MCS index 6 with 2 spatial streams. mcs7/2: Data rate for MCS index 7 with 2 spatial streams. mcs8/2: Data rate for MCS index 8 with 2 spatial streams. mcs9/2: Data rate for MCS index 9 with 2 spatial streams. mcs10/2: Data rate for MCS index 10 with 2 spatial streams. mcs11/2: Data rate for MCS index 11 with 2 spatial streams. |
option | - |
rates-11ac-ss34 | Allowed data rates for 802.11ac/ax with 3 or 4 spatial streams. mcs0/3: Data rate for MCS index 0 with 3 spatial streams. mcs1/3: Data rate for MCS index 1 with 3 spatial streams. mcs2/3: Data rate for MCS index 2 with 3 spatial streams. mcs3/3: Data rate for MCS index 3 with 3 spatial streams. mcs4/3: Data rate for MCS index 4 with 3 spatial streams. mcs5/3: Data rate for MCS index 5 with 3 spatial streams. mcs6/3: Data rate for MCS index 6 with 3 spatial streams. mcs7/3: Data rate for MCS index 7 with 3 spatial streams. mcs8/3: Data rate for MCS index 8 with 3 spatial streams. mcs9/3: Data rate for MCS index 9 with 3 spatial streams. mcs10/3: Data rate for MCS index 10 with 3 spatial streams. mcs11/3: Data rate for MCS index 11 with 3 spatial streams. mcs0/4: Data rate for MCS index 0 with 4 spatial streams. mcs1/4: Data rate for MCS index 1 with 4 spatial streams. mcs2/4: Data rate for MCS index 2 with 4 spatial streams. mcs3/4: Data rate for MCS index 3 with 4 spatial streams. mcs4/4: Data rate for MCS index 4 with 4 spatial streams. mcs5/4: Data rate for MCS index 5 with 4 spatial streams. mcs6/4: Data rate for MCS index 6 with 4 spatial streams. mcs7/4: Data rate for MCS index 7 with 4 spatial streams. mcs8/4: Data rate for MCS index 8 with 4 spatial streams. mcs9/4: Data rate for MCS index 9 with 4 spatial streams. mcs10/4: Data rate for MCS index 10 with 4 spatial streams. mcs11/4: Data rate for MCS index 11 with 4 spatial streams. |
option | - |
utm-profile | UTM profile name. | string | Maximum length: 35 |
address-group | Address group ID. | string | Maximum length: 35 |
mac-filter | Enable/disable MAC filtering to block wireless clients by MAC address. enable: Enable MAC filtering. disable: Disable MAC filtering. |
option | - |
mac-filter-policy-other | Allow or block clients with MAC addresses that are not in the filter list. allow: Allow clients with MAC addresses that are not in the filter list. deny: Block clients with MAC addresses that are not in the filter list. |
option | - |
sticky-client-remove | Enable/disable sticky client remove to maintain good signal level clients in SSID (default = disable). enable: Enable Sticky Client Remove. disable: Disable Sticky Client Remove. |
option | - |
sticky-client-threshold-5g | Minimum signal level/threshold in dBm required for the 5G client to be serviced by the AP (-95 to -20, default = -76). | string | Maximum length: 7 |
sticky-client-threshold-2g | Minimum signal level/threshold in dBm required for the 2G client to be serviced by the AP (-95 to -20, default = -79). | string | Maximum length: 7 |
Parameter Name | Description | Type | Size |
---|---|---|---|
auth-disclaimer-page | Override auth-disclaimer-page message with message from portal-message-overrides group. | string | Maximum length: 35 |
auth-reject-page | Override auth-reject-page message with message from portal-message-overrides group. | string | Maximum length: 35 |
auth-login-page | Override auth-login-page message with message from portal-message-overrides group. | string | Maximum length: 35 |
auth-login-failed-page | Override auth-login-failed-page message with message from portal-message-overrides group. | string | Maximum length: 35 |
Parameter Name | Description | Type | Size |
---|---|---|---|
passphrase | WPA Pre-shared key. | password | Not Specified |
concurrent-clients | Number of clients that can connect using this pre-shared key. | string | Maximum length: 15 |
comment | Comment. | var-string | Maximum length: 255 |
mpsk-schedules <name> |
Firewall schedule for MPSK passphrase. The passphrase will be effective only when at least one schedule is valid. Schedule name. |
string | Maximum length: 35 |
Parameter Name | Description | Type | Size |
---|---|---|---|
wtp-group | WTP group name. | string | Maximum length: 35 |
Parameter Name | Description | Type | Size |
---|---|---|---|
mac | MAC address. | mac-address | Not Specified |
mac-filter-policy | Deny or allow the client with this MAC address. allow: Allow the client with this MAC address. deny: Block the client with this MAC address. |
option | - |
config wireless-controller vap
Description: Configure Virtual Access Points (VAPs).
edit <name>
set fast-roaming [enable|disable]
set external-fast-roaming [enable|disable]
set mesh-backhaul [enable|disable]
set atf-weight {integer}
set max-clients {integer}
set max-clients-ap {integer}
set ssid {string}
set broadcast-ssid [enable|disable]
set security [open|captive-portal|...]
set pmf [disable|enable|...]
set pmf-assoc-comeback-timeout {integer}
set pmf-sa-query-retry-timeout {integer}
set okc [disable|enable]
set voice-enterprise [disable|enable]
set fast-bss-transition [disable|enable]
set ft-mobility-domain {integer}
set ft-r0-key-lifetime {integer}
set ft-over-ds [disable|enable]
set sae-groups {option1}, {option2}, ...
set owe-groups {option1}, {option2}, ...
set owe-transition [disable|enable]
set owe-transition-ssid {string}
set eapol-key-retries [disable|enable]
set tkip-counter-measure [enable|disable]
set external-web {string}
set external-web-format [auto-detect|no-query-string|...]
set external-logout {string}
set mac-auth-bypass [enable|disable]
set radius-mac-auth [enable|disable]
set radius-mac-auth-server {string}
set radius-mac-auth-usergroups <name1>, <name2>, ...
set auth [psk|radius|...]
set encrypt [TKIP|AES|...]
set keyindex {integer}
set key {password}
set passphrase {password}
set sae-password {password}
set radius-server {string}
set local-standalone [enable|disable]
set local-standalone-nat [enable|disable]
set ip {ipv4-classnet-host}
set dhcp-lease-time {integer}
set local-bridging [enable|disable]
set local-lan [allow|deny]
set local-authentication [enable|disable]
set usergroup <name1>, <name2>, ...
set portal-message-override-group {string}
config portal-message-overrides
Description: Individual message overrides.
set auth-disclaimer-page {string}
set auth-reject-page {string}
set auth-login-page {string}
set auth-login-failed-page {string}
end
set portal-type [auth|auth+disclaimer|...]
set selected-usergroups <name1>, <name2>, ...
set security-exempt-list {string}
set security-redirect-url {string}
set intra-vap-privacy [enable|disable]
set schedule <name1>, <name2>, ...
set ldpc [disable|rx|...]
set high-efficiency [enable|disable]
set target-wake-time [enable|disable]
set mpsk [enable|disable]
set mpsk-concurrent-clients {integer}
config mpsk-key
Description: List of multiple PSK entries.
edit <key-name>
set passphrase {password}
set concurrent-clients {string}
set comment {var-string}
set mpsk-schedules <name1>, <name2>, ...
next
end
set split-tunneling [enable|disable]
set vlanid {integer}
set vlan-auto [enable|disable]
set dynamic-vlan [enable|disable]
set captive-portal-ac-name {string}
set captive-portal-auth-timeout {integer}
set multicast-rate [0|6000|...]
set multicast-enhance [enable|disable]
set broadcast-suppression {option1}, {option2}, ...
set ipv6-rules {option1}, {option2}, ...
set me-disable-thresh {integer}
set mu-mimo [enable|disable]
set probe-resp-suppression [enable|disable]
set probe-resp-threshold {string}
set radio-sensitivity [enable|disable]
set quarantine [enable|disable]
set radio-5g-threshold {string}
set radio-2g-threshold {string}
set vlan-pooling [wtp-group|round-robin|...]
config vlan-pool
Description: VLAN pool.
edit <id>
set wtp-group {string}
next
end
set dhcp-option43-insertion [enable|disable]
set dhcp-option82-insertion [enable|disable]
set dhcp-option82-circuit-id-insertion [style-1|style-2|...]
set dhcp-option82-remote-id-insertion [style-1|disable]
set ptk-rekey [enable|disable]
set ptk-rekey-intv {integer}
set gtk-rekey [enable|disable]
set gtk-rekey-intv {integer}
set eap-reauth [enable|disable]
set eap-reauth-intv {integer}
set qos-profile {string}
set hotspot20-profile {string}
set access-control-list {string}
set primary-wag-profile {string}
set secondary-wag-profile {string}
set tunnel-echo-interval {integer}
set tunnel-fallback-interval {integer}
set rates-11a {option1}, {option2}, ...
set rates-11bg {option1}, {option2}, ...
set rates-11n-ss12 {option1}, {option2}, ...
set rates-11n-ss34 {option1}, {option2}, ...
set rates-11ac-ss12 {option1}, {option2}, ...
set rates-11ac-ss34 {option1}, {option2}, ...
set utm-profile {string}
set address-group {string}
set mac-filter [enable|disable]
set mac-filter-policy-other [allow|deny]
config mac-filter-list
Description: Create a list of MAC addresses for MAC address filtering.
edit <id>
set mac {mac-address}
set mac-filter-policy [allow|deny]
next
end
set sticky-client-remove [enable|disable]
set sticky-client-threshold-5g {string}
set sticky-client-threshold-2g {string}
next
end
Parameter Name | Description | Type | Size |
---|---|---|---|
fast-roaming | Enable/disable fast-roaming, or pre-authentication, where supported by clients (default = disable). enable: Enable fast-roaming, or pre-authentication. disable: Disable fast-roaming, or pre-authentication. |
option | - |
external-fast-roaming | Enable/disable fast roaming or pre-authentication with external APs not managed by the FortiGate (default = disable). enable: Enable fast roaming or pre-authentication with external APs. disable: Disable fast roaming or pre-authentication with external APs. |
option | - |
mesh-backhaul | Enable/disable using this VAP as a WiFi mesh backhaul (default = disable). This entry is only available when security is set to a WPA type or open. enable: Enable mesh backhaul. disable: Disable mesh backhaul. |
option | - |
atf-weight | Airtime weight in percentage (default = 20). | integer | Minimum value: 0 Maximum value: 100 |
max-clients | Maximum number of clients that can connect simultaneously to the VAP (default = 0, meaning no limitation). | integer | Minimum value: 0 Maximum value: 4294967295 |
max-clients-ap | Maximum number of clients that can connect simultaneously to the VAP per AP radio (default = 0, meaning no limitation). | integer | Minimum value: 0 Maximum value: 4294967295 |
ssid | IEEE 802.11 service set identifier (SSID) for the wireless interface. Users who wish to use the wireless network must configure their computers to access this SSID name. | string | Maximum length: 32 |
broadcast-ssid | Enable/disable broadcasting the SSID (default = enable). enable: Enable broadcasting the SSID. disable: Disable broadcasting the SSID. |
option | - |
security | Security mode for the wireless interface (default = wpa2-only-personal). open: Open. captive-portal: Captive portal. wep64: WEP 64-bit. wep128: WEP 128-bit. wpa-personal: WPA/WPA2 personal. wpa-personal+captive-portal: WPA/WPA2 personal with captive portal. wpa-enterprise: WPA/WPA2 enterprise. wpa-only-personal: WPA personal. wpa-only-personal+captive-portal: WPA personal with captive portal. wpa-only-enterprise: WPA enterprise. wpa2-only-personal: WPA2 personal. wpa2-only-personal+captive-portal: WPA2 personal with captive portal. wpa2-only-enterprise: WPA2 enterprise. wpa3-enterprise: WPA3 enterprise. wpa3-sae: WPA3 SAE. wpa3-sae-transition: WPA3 SAE transition. owe: Opportunistic wireless encryption. osen: OSEN. Note: the WEP modes (wep64, wep128) rely on a broken cipher and offer no effective confidentiality; prefer a WPA2 or WPA3 mode where clients support it. |
option | - |
pmf | Protected Management Frames (PMF) support (default = disable). disable: Disable PMF completely. enable: Enable PMF but deny clients without PMF. optional: Enable PMF and allow clients without PMF. |
option | - |
pmf-assoc-comeback-timeout | Protected Management Frames (PMF) comeback maximum timeout (1-20 sec). | integer | Minimum value: 1 Maximum value: 20 |
pmf-sa-query-retry-timeout | Protected Management Frames (PMF) SA query retry timeout interval (1 - 5, in units of 100 msec). | integer | Minimum value: 1 Maximum value: 5 |
okc | Enable/disable Opportunistic Key Caching (OKC) (default = enable). disable: Disable Opportunistic Key Caching (OKC). enable: Enable Opportunistic Key Caching (OKC). |
option | - |
voice-enterprise | Enable/disable 802.11k and 802.11v assisted Voice-Enterprise roaming (default = disable). disable: Disable 802.11k and 802.11v assisted Voice-Enterprise roaming. enable: Enable 802.11k and 802.11v assisted Voice-Enterprise roaming. |
option | - |
fast-bss-transition | Enable/disable 802.11r Fast BSS Transition (FT) (default = disable). disable: Disable 802.11r Fast BSS Transition (FT). enable: Enable 802.11r Fast BSS Transition (FT). |
option | - |
ft-mobility-domain | Mobility domain identifier in FT (1 - 65535, default = 1000). | integer | Minimum value: 1 Maximum value: 65535 |
ft-r0-key-lifetime | Lifetime of the PMK-R0 key in FT, 1-65535 minutes. | integer | Minimum value: 1 Maximum value: 65535 |
ft-over-ds | Enable/disable FT over the Distribution System (DS). disable: Disable FT over the Distribution System (DS). enable: Enable FT over the Distribution System (DS). |
option | - |
sae-groups | SAE-Groups. 19: DH Group 19. 20: DH Group 20. 21: DH Group 21. |
option | - |
owe-groups | OWE-Groups. 19: DH Group 19. 20: DH Group 20. 21: DH Group 21. |
option | - |
owe-transition | Enable/disable OWE transition mode support. disable: Disable OWE transition mode support. enable: Enable OWE transition mode support. |
option | - |
owe-transition-ssid | OWE transition mode peer SSID. | string | Maximum length: 32 |
eapol-key-retries | Enable/disable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2) (default = enable). disable: Disable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2). enable: Enable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2). |
option | - |
tkip-counter-measure | Enable/disable TKIP counter measure. enable: Enable TKIP counter measure. disable: Disable TKIP counter measure. |
option | - |
external-web | URL of external authentication web server. | string | Maximum length: 127 |
external-web-format | URL query parameter detection (default = auto-detect). auto-detect: Automatically detect if "external-web" URL has any query parameter. no-query-string: "external-web" URL does not have any query parameter. partial-query-string: "external-web" URL has some query parameters. |
option | - |
external-logout | URL of external authentication logout server. | string | Maximum length: 127 |
mac-auth-bypass | Enable/disable MAC authentication bypass. enable: Enable MAC authentication bypass. disable: Disable MAC authentication bypass. |
option | - |
radius-mac-auth | Enable/disable RADIUS-based MAC authentication of clients (default = disable). enable: Enable RADIUS-based MAC authentication. disable: Disable RADIUS-based MAC authentication. |
option | - |
radius-mac-auth-server | RADIUS-based MAC authentication server. | string | Maximum length: 35 |
radius-mac-auth-usergroups <name> |
Selective user groups that are permitted for RADIUS mac authentication. User group name. |
string | Maximum length: 79 |
auth | Authentication protocol. psk: Use a single Pre-shared Key (PSK) to authenticate all users. radius: Use a RADIUS server to authenticate clients. usergroup: Use a firewall usergroup to authenticate clients. |
option | - |
encrypt | Encryption protocol to use (only available when security is set to a WPA type). TKIP: Use TKIP encryption. AES: Use AES encryption. TKIP-AES: Use TKIP and AES encryption. |
option | - |
keyindex | WEP key index (1 - 4). | integer | Minimum value: 1 Maximum value: 4 |
key | WEP Key. | password | Not Specified |
passphrase | WPA pre-shared key (PSK) to be used to authenticate WiFi users. | password | Not Specified |
sae-password | WPA3 SAE password to be used to authenticate WiFi users. | password | Not Specified |
radius-server | RADIUS server to be used to authenticate WiFi users. | string | Maximum length: 35 |
local-standalone | Enable/disable AP local standalone (default = disable). enable: Enable AP local standalone. disable: Disable AP local standalone. |
option | - |
local-standalone-nat | Enable/disable AP local standalone NAT mode. enable: Enable AP local standalone NAT mode. disable: Disable AP local standalone NAT mode. |
option | - |
ip | IP address and subnet mask for the local standalone NAT subnet. | ipv4-classnet-host | Not Specified |
dhcp-lease-time | DHCP lease time in seconds for NAT IP address. | integer | Minimum value: 300 Maximum value: 8640000 |
local-bridging | Enable/disable bridging of wireless and Ethernet interfaces on the FortiAP (default = disable). enable: Enable AP local VAP to Ethernet bridging. disable: Disable AP local VAP to Ethernet bridging. |
option | - |
local-lan | Allow/deny traffic destined for a Class A, B, or C private IP address (default = allow). allow: Allow traffic destined for a Class A, B, or C private IP address. deny: Deny traffic destined for a Class A, B, or C private IP address. |
option | - |
local-authentication | Enable/disable AP local authentication. enable: Enable AP local authentication. disable: Disable AP local authentication. |
option | - |
usergroup <name> |
Firewall user group to be used to authenticate WiFi users. User group name. |
string | Maximum length: 79 |
portal-message-override-group | Replacement message group for this VAP (only available when security is set to a captive portal type). | string | Maximum length: 35 |
portal-type | Captive portal functionality. Configure how the captive portal authenticates users and whether it includes a disclaimer. auth: Portal for authentication. auth+disclaimer: Portal for authentication and disclaimer. disclaimer: Portal for disclaimer. email-collect: Portal for email collection. cmcc: Portal for CMCC. cmcc-macauth: Portal for CMCC and MAC authentication. auth-mac: Portal for authentication and MAC authentication. external-auth: Portal for external portal authentication. |
option | - |
selected-usergroups <name> |
Selective user groups that are permitted to authenticate. User group name. |
string | Maximum length: 79 |
security-exempt-list | Optional security exempt list for captive portal authentication. | string | Maximum length: 35 |
security-redirect-url | Optional URL for redirecting users after they pass captive portal authentication. | string | Maximum length: 127 |
intra-vap-privacy | Enable/disable blocking communication between clients on the same SSID (called intra-SSID privacy) (default = disable). enable: Enable intra-SSID privacy. disable: Disable intra-SSID privacy. |
option | - |
schedule <name> |
Firewall schedules for enabling this VAP on the FortiAP. This VAP will be enabled when at least one of the schedules is valid. Separate multiple schedule names with a space. Schedule name. |
string | Maximum length: 35 |
ldpc | VAP low-density parity-check (LDPC) coding configuration. disable: Disable LDPC. rx: Enable LDPC when receiving traffic. tx: Enable LDPC when transmitting traffic. rxtx: Enable LDPC when both receiving and transmitting traffic. |
option | - |
high-efficiency | Enable/disable 802.11ax high efficiency (default = enable). enable: Enable 802.11ax high efficiency. disable: Disable 802.11ax high efficiency. |
option | - |
target-wake-time | Enable/disable 802.11ax target wake time (default = enable). enable: Enable 802.11ax target wake time. disable: Disable 802.11ax target wake time. |
option | - |
mpsk | Enable/disable multiple PSK authentication. enable: Enable multiple PSK authentication. disable: Disable multiple PSK authentication. |
option | - |
mpsk-concurrent-clients | Maximum number of concurrent clients that connect using the same passphrase in multiple PSK authentication (0 - 65535, default = 0, meaning no limitation). | integer | Minimum value: 0 Maximum value: 65535 |
split-tunneling | Enable/disable split tunneling (default = disable). enable: Enable split tunneling. disable: Disable split tunneling. |
option | - |
vlanid | Optional VLAN ID. | integer | Minimum value: 0 Maximum value: 4094 |
vlan-auto | Enable/disable automatic management of SSID VLAN interface. enable: Enable automatic management of SSID VLAN interface. disable: Disable automatic management of SSID VLAN interface. |
option | - |
dynamic-vlan | Enable/disable dynamic VLAN assignment. enable: Enable dynamic VLAN assignment. disable: Disable dynamic VLAN assignment. |
option | - |
captive-portal-ac-name | Local-bridging captive portal ac-name. | string | Maximum length: 35 |
captive-portal-auth-timeout | Hard timeout - AP will always clear the session after timeout regardless of traffic (0 - 864000 sec, default = 0). | integer | Minimum value: 0 Maximum value: 864000 |
multicast-rate | Multicast rate (0, 6000, 12000, or 24000 kbps, default = 0). 0: Use the default multicast rate. 6000: 6 Mbps. 12000: 12 Mbps. 24000: 24 Mbps. |
option | - |
multicast-enhance | Enable/disable converting multicast to unicast to improve performance (default = disable). enable: Enable multicast enhancement. disable: Disable multicast enhancement. |
option | - |
broadcast-suppression | Optional suppression of broadcast messages. For example, you can keep DHCP messages, ARP broadcasts, and so on off of the wireless network. dhcp-up: Suppress broadcast uplink DHCP messages. dhcp-down: Suppress broadcast downlink DHCP messages. dhcp-starvation: Suppress broadcast DHCP starvation req messages. dhcp-ucast: Convert downlink broadcast DHCP messages to unicast messages. arp-known: Suppress broadcast ARP for known wireless clients. arp-unknown: Suppress broadcast ARP for unknown wireless clients. arp-reply: Suppress broadcast ARP reply from wireless clients. arp-poison: Suppress ARP poison messages from wireless clients. arp-proxy: Reply ARP requests for wireless clients as a proxy. netbios-ns: Suppress NetBIOS name services packets with UDP port 137. netbios-ds: Suppress NetBIOS datagram services packets with UDP port 138. ipv6: Suppress IPv6 packets. all-other-mc: Suppress all other multicast messages. all-other-bc: Suppress all other broadcast messages. |
option | - |
ipv6-rules | Optional rules of IPv6 packets. For example, you can keep RA, RS and so on off of the wireless network. drop-icmp6ra: Drop ICMP6 Router Advertisement (RA) packets that originate from wireless clients. drop-icmp6rs: Drop ICMP6 Router Solicitation (RS) packets to be sent to wireless clients. drop-llmnr6: Drop Link-Local Multicast Name Resolution (LLMNR) packets. drop-icmp6mld2: Drop ICMP6 Multicast Listener Report V2 (MLD2) packets. drop-dhcp6s: Drop DHCP6 server generated packets that originate from wireless clients. drop-dhcp6c: Drop DHCP6 client generated packets to be sent to wireless clients. ndp-proxy: Enable IPv6 ndp proxy - send back na on behalf of the client and drop the ns. drop-ns-dad: Drop ICMP6 NS-DAD when target address is not found in ndp proxy cache. drop-ns-nondad: Drop ICMP6 NS-NonDAD when target address is not found in ndp proxy cache. |
option | - |
me-disable-thresh | Disable multicast enhancement when this many clients are receiving multicast traffic. | integer | Minimum value: 2 Maximum value: 256 |
mu-mimo | Enable/disable Multi-user MIMO (default = enable). enable: Enable Multi-user MIMO. disable: Disable Multi-user MIMO. |
option | - |
probe-resp-suppression | Enable/disable probe response suppression (to ignore weak signals) (default = disable). enable: Enable probe response suppression. disable: Disable probe response suppression. |
option | - |
probe-resp-threshold | Minimum signal level/threshold in dBm required for the AP response to probe requests (-95 to -20, default = -80). | string | Maximum length: 7 |
radio-sensitivity | Enable/disable software radio sensitivity (to ignore weak signals) (default = disable). enable: Enable software radio sensitivity. disable: Disable software radio sensitivity. |
option | - |
quarantine | Enable/disable station quarantine (default = enable). enable: Enable station quarantine. disable: Disable station quarantine. |
option | - |
radio-5g-threshold | Minimum signal level/threshold in dBm required for the AP response to receive a packet in 5G band (-95 to -20, default = -76). | string | Maximum length: 7 |
radio-2g-threshold | Minimum signal level/threshold in dBm required for the AP response to receive a packet in 2.4G band (-95 to -20, default = -79). | string | Maximum length: 7 |
vlan-pooling | Enable/disable VLAN pooling, to allow grouping of multiple wireless controller VLANs into VLAN pools (default = disable). When set to wtp-group, VLAN pooling occurs with VLAN assignment by wtp-group. wtp-group: Enable VLAN pooling with VLAN assignment by wtp-group. round-robin: Enable VLAN pooling with round-robin VLAN assignment. hash: Enable VLAN pooling with hash-based VLAN assignment. disable: Disable VLAN pooling. |
option | - |
dhcp-option43-insertion | Enable/disable insertion of DHCP option 43 (default = enable). enable: Enable insertion of DHCP option 43. disable: Disable insertion of DHCP option 43. |
option | - |
dhcp-option82-insertion | Enable/disable DHCP option 82 insert (default = disable). enable: Enable DHCP option 82 insert. disable: Disable DHCP option 82 insert. |
option | - |
dhcp-option82-circuit-id-insertion | Enable/disable DHCP option 82 circuit-id insert (default = disable). style-1: ASCII string composed of AP-MAC;SSID;SSID-TYPE. For example, "xx:xx:xx:xx:xx:xx;wifi;s". style-2: ASCII string composed of AP-MAC. For example, "xx:xx:xx:xx:xx:xx". style-3: ASCII string composed of NETWORK-TYPE:WTPPROF-NAME:VLAN:SSID:AP-MODEL:AP-HOSTNAME:AP-MAC. For example,"WLAN:FAPS221E-default:100:wifi:PS221E:FortiAP-S221E:xx:xx:xx:xx:xx:xx". disable: Disable DHCP option 82 circuit-id insert. |
option | - |
dhcp-option82-remote-id-insertion | Enable/disable DHCP option 82 remote-id insert (default = disable). style-1: ASCII string in the format "xx:xx:xx:xx:xx:xx" containing MAC address of client device. disable: Disable DHCP option 82 remote-id insert. |
option | - |
ptk-rekey | Enable/disable PTK rekey for WPA-Enterprise security. enable: Enable PTK rekey for WPA-Enterprise security. disable: Disable PTK rekey for WPA-Enterprise security. |
option | - |
ptk-rekey-intv | PTK rekey interval (1800 - 864000 sec, default = 86400). | integer | Minimum value: 1800 Maximum value: 864000 |
gtk-rekey | Enable/disable GTK rekey for WPA security. enable: Enable GTK rekey for WPA security. disable: Disable GTK rekey for WPA security. |
option | - |
gtk-rekey-intv | GTK rekey interval (1800 - 864000 sec, default = 86400). | integer | Minimum value: 1800 Maximum value: 864000 |
eap-reauth | Enable/disable EAP re-authentication for WPA-Enterprise security. enable: Enable EAP re-authentication for WPA-Enterprise security. disable: Disable EAP re-authentication for WPA-Enterprise security. |
option | - |
eap-reauth-intv | EAP re-authentication interval (1800 - 864000 sec, default = 86400). | integer | Minimum value: 1800 Maximum value: 864000 |
qos-profile | Quality of service profile name. | string | Maximum length: 35 |
hotspot20-profile | Hotspot 2.0 profile name. | string | Maximum length: 35 |
access-control-list | access-control-list profile name. | string | Maximum length: 35 |
primary-wag-profile | Primary wireless access gateway profile name. | string | Maximum length: 35 |
secondary-wag-profile | Secondary wireless access gateway profile name. | string | Maximum length: 35 |
tunnel-echo-interval | The time interval to send echo to both primary and secondary tunnel peers (1 - 65535 sec, default = 300). | integer | Minimum value: 1 Maximum value: 65535 |
tunnel-fallback-interval | The time interval for secondary tunnel to fall back to primary tunnel (0 - 65535 sec, default = 7200). | integer | Minimum value: 0 Maximum value: 65535 |
rates-11a | Allowed data rates for 802.11a. 1: 1 Mbps supported rate. 1-basic: 1 Mbps BSS basic rate. 2: 2 Mbps supported rate. 2-basic: 2 Mbps BSS basic rate. 5.5: 5.5 Mbps supported rate. 5.5-basic: 5.5 Mbps BSS basic rate. 11: 11 Mbps supported rate. 11-basic: 11 Mbps BSS basic rate. 6: 6 Mbps supported rate. 6-basic: 6 Mbps BSS basic rate. 9: 9 Mbps supported rate. 9-basic: 9 Mbps BSS basic rate. 12: 12 Mbps supported rate. 12-basic: 12 Mbps BSS basic rate. 18: 18 Mbps supported rate. 18-basic: 18 Mbps BSS basic rate. 24: 24 Mbps supported rate. 24-basic: 24 Mbps BSS basic rate. 36: 36 Mbps supported rate. 36-basic: 36 Mbps BSS basic rate. 48: 48 Mbps supported rate. 48-basic: 48 Mbps BSS basic rate. 54: 54 Mbps supported rate. 54-basic: 54 Mbps BSS basic rate. |
option | - |
rates-11bg | Allowed data rates for 802.11b/g. 1: 1 Mbps supported rate. 1-basic: 1 Mbps BSS basic rate. 2: 2 Mbps supported rate. 2-basic: 2 Mbps BSS basic rate. 5.5: 5.5 Mbps supported rate. 5.5-basic: 5.5 Mbps BSS basic rate. 11: 11 Mbps supported rate. 11-basic: 11 Mbps BSS basic rate. 6: 6 Mbps supported rate. 6-basic: 6 Mbps BSS basic rate. 9: 9 Mbps supported rate. 9-basic: 9 Mbps BSS basic rate. 12: 12 Mbps supported rate. 12-basic: 12 Mbps BSS basic rate. 18: 18 Mbps supported rate. 18-basic: 18 Mbps BSS basic rate. 24: 24 Mbps supported rate. 24-basic: 24 Mbps BSS basic rate. 36: 36 Mbps supported rate. 36-basic: 36 Mbps BSS basic rate. 48: 48 Mbps supported rate. 48-basic: 48 Mbps BSS basic rate. 54: 54 Mbps supported rate. 54-basic: 54 Mbps BSS basic rate. |
option | - |
rates-11n-ss12 | Allowed data rates for 802.11n with 1 or 2 spatial streams. mcs0/1: Data rate for MCS index 0 with 1 spatial stream. mcs1/1: Data rate for MCS index 1 with 1 spatial stream. mcs2/1: Data rate for MCS index 2 with 1 spatial stream. mcs3/1: Data rate for MCS index 3 with 1 spatial stream. mcs4/1: Data rate for MCS index 4 with 1 spatial stream. mcs5/1: Data rate for MCS index 5 with 1 spatial stream. mcs6/1: Data rate for MCS index 6 with 1 spatial stream. mcs7/1: Data rate for MCS index 7 with 1 spatial stream. mcs8/2: Data rate for MCS index 8 with 2 spatial streams. mcs9/2: Data rate for MCS index 9 with 2 spatial streams. mcs10/2: Data rate for MCS index 10 with 2 spatial streams. mcs11/2: Data rate for MCS index 11 with 2 spatial streams. mcs12/2: Data rate for MCS index 12 with 2 spatial streams. mcs13/2: Data rate for MCS index 13 with 2 spatial streams. mcs14/2: Data rate for MCS index 14 with 2 spatial streams. mcs15/2: Data rate for MCS index 15 with 2 spatial streams. |
option | - |
rates-11n-ss34 | Allowed data rates for 802.11n with 3 or 4 spatial streams. mcs16/3: Data rate for MCS index 16 with 3 spatial streams. mcs17/3: Data rate for MCS index 17 with 3 spatial streams. mcs18/3: Data rate for MCS index 18 with 3 spatial streams. mcs19/3: Data rate for MCS index 19 with 3 spatial streams. mcs20/3: Data rate for MCS index 20 with 3 spatial streams. mcs21/3: Data rate for MCS index 21 with 3 spatial streams. mcs22/3: Data rate for MCS index 22 with 3 spatial streams. mcs23/3: Data rate for MCS index 23 with 3 spatial streams. mcs24/4: Data rate for MCS index 24 with 4 spatial streams. mcs25/4: Data rate for MCS index 25 with 4 spatial streams. mcs26/4: Data rate for MCS index 26 with 4 spatial streams. mcs27/4: Data rate for MCS index 27 with 4 spatial streams. mcs28/4: Data rate for MCS index 28 with 4 spatial streams. mcs29/4: Data rate for MCS index 29 with 4 spatial streams. mcs30/4: Data rate for MCS index 30 with 4 spatial streams. mcs31/4: Data rate for MCS index 31 with 4 spatial streams. |
option | - |
rates-11ac-ss12 | Allowed data rates for 802.11ac/ax with 1 or 2 spatial streams. mcs0/1: Data rate for MCS index 0 with 1 spatial stream. mcs1/1: Data rate for MCS index 1 with 1 spatial stream. mcs2/1: Data rate for MCS index 2 with 1 spatial stream. mcs3/1: Data rate for MCS index 3 with 1 spatial stream. mcs4/1: Data rate for MCS index 4 with 1 spatial stream. mcs5/1: Data rate for MCS index 5 with 1 spatial stream. mcs6/1: Data rate for MCS index 6 with 1 spatial stream. mcs7/1: Data rate for MCS index 7 with 1 spatial stream. mcs8/1: Data rate for MCS index 8 with 1 spatial stream. mcs9/1: Data rate for MCS index 9 with 1 spatial stream. mcs10/1: Data rate for MCS index 10 with 1 spatial stream. mcs11/1: Data rate for MCS index 11 with 1 spatial stream. mcs0/2: Data rate for MCS index 0 with 2 spatial streams. mcs1/2: Data rate for MCS index 1 with 2 spatial streams. mcs2/2: Data rate for MCS index 2 with 2 spatial streams. mcs3/2: Data rate for MCS index 3 with 2 spatial streams. mcs4/2: Data rate for MCS index 4 with 2 spatial streams. mcs5/2: Data rate for MCS index 5 with 2 spatial streams. mcs6/2: Data rate for MCS index 6 with 2 spatial streams. mcs7/2: Data rate for MCS index 7 with 2 spatial streams. mcs8/2: Data rate for MCS index 8 with 2 spatial streams. mcs9/2: Data rate for MCS index 9 with 2 spatial streams. mcs10/2: Data rate for MCS index 10 with 2 spatial streams. mcs11/2: Data rate for MCS index 11 with 2 spatial streams. |
option | - |
rates-11ac-ss34 | Allowed data rates for 802.11ac/ax with 3 or 4 spatial streams. mcs0/3: Data rate for MCS index 0 with 3 spatial streams. mcs1/3: Data rate for MCS index 1 with 3 spatial streams. mcs2/3: Data rate for MCS index 2 with 3 spatial streams. mcs3/3: Data rate for MCS index 3 with 3 spatial streams. mcs4/3: Data rate for MCS index 4 with 3 spatial streams. mcs5/3: Data rate for MCS index 5 with 3 spatial streams. mcs6/3: Data rate for MCS index 6 with 3 spatial streams. mcs7/3: Data rate for MCS index 7 with 3 spatial streams. mcs8/3: Data rate for MCS index 8 with 3 spatial streams. mcs9/3: Data rate for MCS index 9 with 3 spatial streams. mcs10/3: Data rate for MCS index 10 with 3 spatial streams. mcs11/3: Data rate for MCS index 11 with 3 spatial streams. mcs0/4: Data rate for MCS index 0 with 4 spatial streams. mcs1/4: Data rate for MCS index 1 with 4 spatial streams. mcs2/4: Data rate for MCS index 2 with 4 spatial streams. mcs3/4: Data rate for MCS index 3 with 4 spatial streams. mcs4/4: Data rate for MCS index 4 with 4 spatial streams. mcs5/4: Data rate for MCS index 5 with 4 spatial streams. mcs6/4: Data rate for MCS index 6 with 4 spatial streams. mcs7/4: Data rate for MCS index 7 with 4 spatial streams. mcs8/4: Data rate for MCS index 8 with 4 spatial streams. mcs9/4: Data rate for MCS index 9 with 4 spatial streams. mcs10/4: Data rate for MCS index 10 with 4 spatial streams. mcs11/4: Data rate for MCS index 11 with 4 spatial streams. |
option | - |
utm-profile | UTM profile name. | string | Maximum length: 35 |
address-group | Address group ID. | string | Maximum length: 35 |
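mac-filter | Enable/disable MAC filtering to block wireless clients by MAC address. A client's MAC address is self-reported and can be changed, so MAC filtering is an access-control convenience rather than a form of authentication. enable: Enable MAC filtering. disable: Disable MAC filtering. |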
option | - |
mac-filter-policy-other | Allow or block clients with MAC addresses that are not in the filter list. allow: Allow clients with MAC addresses that are not in the filter list. deny: Block clients with MAC addresses that are not in the filter list. |
option | - |
sticky-client-remove | Enable/disable sticky client remove to maintain good signal level clients in SSID (default = disable). enable: Enable Sticky Client Remove. disable: Disable Sticky Client Remove. |
option | - |
sticky-client-threshold-5g | Minimum signal level/threshold in dBm required for the 5G client to be serviced by the AP (-95 to -20, default = -76). | string | Maximum length: 7 |
sticky-client-threshold-2g | Minimum signal level/threshold in dBm required for the 2G client to be serviced by the AP (-95 to -20, default = -79). | string | Maximum length: 7 |
Parameter Name | Description | Type | Size |
---|---|---|---|
auth-disclaimer-page | Override auth-disclaimer-page message with message from portal-message-overrides group. | string | Maximum length: 35 |
auth-reject-page | Override auth-reject-page message with message from portal-message-overrides group. | string | Maximum length: 35 |
auth-login-page | Override auth-login-page message with message from portal-message-overrides group. | string | Maximum length: 35 |
auth-login-failed-page | Override auth-login-failed-page message with message from portal-message-overrides group. | string | Maximum length: 35 |
Parameter Name | Description | Type | Size |
---|---|---|---|
passphrase | WPA Pre-shared key. | password | Not Specified |
concurrent-clients | Number of clients that can connect using this pre-shared key. | string | Maximum length: 15 |
comment | Comment. | var-string | Maximum length: 255 |
mpsk-schedules <name> |
Firewall schedule for MPSK passphrase. The passphrase will be effective only when at least one schedule is valid. Schedule name. |
string | Maximum length: 35 |
Parameter Name | Description | Type | Size |
---|---|---|---|
wtp-group | WTP group name. | string | Maximum length: 35 |
Parameter Name | Description | Type | Size |
---|---|---|---|
mac | MAC address. | mac-address | Not Specified |
mac-filter-policy | Deny or allow the client with this MAC address. allow: Allow the client with this MAC address. deny: Block the client with this MAC address. |
option | - |