config wireless-controller vap

Configure Virtual Access Points (VAPs).

config wireless-controller vap

Description: Configure Virtual Access Points (VAPs).

edit <name>

set fast-roaming [enable|disable]

set external-fast-roaming [enable|disable]

set mesh-backhaul [enable|disable]

set atf-weight {integer}

set max-clients {integer}

set max-clients-ap {integer}

set ssid {string}

set broadcast-ssid [enable|disable]

set security [open|captive-portal|...]

set pmf [disable|enable|...]

set pmf-assoc-comeback-timeout {integer}

set pmf-sa-query-retry-timeout {integer}

set okc [disable|enable]

set voice-enterprise [disable|enable]

set fast-bss-transition [disable|enable]

set ft-mobility-domain {integer}

set ft-r0-key-lifetime {integer}

set ft-over-ds [disable|enable]

set sae-groups {option1}, {option2}, ...

set owe-groups {option1}, {option2}, ...

set owe-transition [disable|enable]

set owe-transition-ssid {string}

set eapol-key-retries [disable|enable]

set tkip-counter-measure [enable|disable]

set external-web {string}

set external-web-format [auto-detect|no-query-string|...]

set external-logout {string}

set mac-auth-bypass [enable|disable]

set radius-mac-auth [enable|disable]

set radius-mac-auth-server {string}

set radius-mac-auth-usergroups <name1>, <name2>, ...

set auth [psk|radius|...]

set encrypt [TKIP|AES|...]

set keyindex {integer}

set key {password}

set passphrase {password}

set sae-password {password}

set radius-server {string}

set local-standalone [enable|disable]

set local-standalone-nat [enable|disable]

set ip {ipv4-classnet-host}

set dhcp-lease-time {integer}

set local-bridging [enable|disable]

set local-lan [allow|deny]

set local-authentication [enable|disable]

set usergroup <name1>, <name2>, ...

set portal-message-override-group {string}

config portal-message-overrides

Description: Individual message overrides.

set auth-disclaimer-page {string}

set auth-reject-page {string}

set auth-login-page {string}

set auth-login-failed-page {string}

end

set portal-type [auth|auth+disclaimer|...]

set selected-usergroups <name1>, <name2>, ...

set security-exempt-list {string}

set security-redirect-url {string}

set intra-vap-privacy [enable|disable]

set schedule <name1>, <name2>, ...

set ldpc [disable|rx|...]

set high-efficiency [enable|disable]

set target-wake-time [enable|disable]

set port-macauth [disable|radius|...]

set port-macauth-timeout {integer}

set port-macauth-reauth-timeout {integer}

set bss-color-partial [enable|disable]

set mpsk-profile {string}

set split-tunneling [enable|disable]

set vlanid {integer}

set vlan-auto [enable|disable]

set dynamic-vlan [enable|disable]

set captive-portal-ac-name {string}

set captive-portal-auth-timeout {integer}

set multicast-rate [0|6000|...]

set multicast-enhance [enable|disable]

set igmp-snooping [enable|disable]

set broadcast-suppression {option1}, {option2}, ...

set ipv6-rules {option1}, {option2}, ...

set me-disable-thresh {integer}

set mu-mimo [enable|disable]

set probe-resp-suppression [enable|disable]

set probe-resp-threshold {string}

set radio-sensitivity [enable|disable]

set quarantine [enable|disable]

set radio-5g-threshold {string}

set radio-2g-threshold {string}

set vlan-pooling [wtp-group|round-robin|...]

config vlan-pool

Description: VLAN pool.

edit <id>

set wtp-group {string}

next

end

set dhcp-option43-insertion [enable|disable]

set dhcp-option82-insertion [enable|disable]

set dhcp-option82-circuit-id-insertion [style-1|style-2|...]

set dhcp-option82-remote-id-insertion [style-1|disable]

set ptk-rekey [enable|disable]

set ptk-rekey-intv {integer}

set gtk-rekey [enable|disable]

set gtk-rekey-intv {integer}

set eap-reauth [enable|disable]

set eap-reauth-intv {integer}

set qos-profile {string}

set hotspot20-profile {string}

set access-control-list {string}

set primary-wag-profile {string}

set secondary-wag-profile {string}

set tunnel-echo-interval {integer}

set tunnel-fallback-interval {integer}

set rates-11a {option1}, {option2}, ...

set rates-11bg {option1}, {option2}, ...

set rates-11n-ss12 {option1}, {option2}, ...

set rates-11n-ss34 {option1}, {option2}, ...

set rates-11ac-ss12 {option1}, {option2}, ...

set rates-11ac-ss34 {option1}, {option2}, ...

set utm-profile {string}

set address-group {string}

set mac-filter [enable|disable]

set mac-filter-policy-other [allow|deny]

config mac-filter-list

Description: Create a list of MAC addresses for MAC address filtering.

edit <id>

set mac {mac-address}

set mac-filter-policy [allow|deny]

next

end

set sticky-client-remove [enable|disable]

set sticky-client-threshold-5g {string}

set sticky-client-threshold-2g {string}

next

end

config wireless-controller vap

Parameter

Description

Type

Size

Default

fast-roaming

Enable/disable fast-roaming, or pre-authentication, where supported by clients .

option

-

enable

 

Option

Description

enable

Enable fast-roaming, or pre-authentication.

disable

Disable fast-roaming, or pre-authentication.

external-fast-roaming

Enable/disable fast roaming or pre-authentication with external APs not managed by the FortiGate .

option

-

disable

 

Option

Description

enable

Enable fast roaming or pre-authentication with external APs.

disable

Disable fast roaming or pre-authentication with external APs.

mesh-backhaul

Enable/disable using this VAP as a WiFi mesh backhaul . This entry is only available when security is set to a WPA type or open.

option

-

disable

 

Option

Description

enable

Enable mesh backhaul.

disable

Disable mesh backhaul.

atf-weight

Airtime weight in percentage .

integer

Minimum value: 0 Maximum value: 100

20

max-clients

Maximum number of clients that can connect simultaneously to the VAP .

integer

Minimum value: 0 Maximum value: 4294967295

0

max-clients-ap

Maximum number of clients that can connect simultaneously to the VAP per AP radio .

integer

Minimum value: 0 Maximum value: 4294967295

0

ssid

IEEE 802.11 service set identifier (SSID) for the wireless interface. Users who wish to use the wireless network must configure their computers to access this SSID name.

string

Not Specified

fortinet

broadcast-ssid

Enable/disable broadcasting the SSID .

option

-

enable

 

Option

Description

enable

Enable broadcasting the SSID.

disable

Disable broadcasting the SSID.

security

Security mode for the wireless interface .

option

-

wpa2-only-personal

 

Option

Description

open

Open.

captive-portal

Captive portal.

wep64

WEP 64-bit.

wep128

WEP 128-bit.

wpa-personal

WPA/WPA2 personal.

wpa-personal+captive-portal

WPA/WPA2 personal with captive portal.

wpa-enterprise

WPA/WPA2 enterprise.

wpa-only-personal

WPA personal.

wpa-only-personal+captive-portal

WPA personal with captive portal.

wpa-only-enterprise

WPA enterprise.

wpa2-only-personal

WPA2 personal.

wpa2-only-personal+captive-portal

WPA2 personal with captive portal.

wpa2-only-enterprise

WPA2 enterprise.

wpa3-enterprise

WPA3 enterprise.

wpa3-sae

WPA3 SAE.

wpa3-sae-transition

WPA3 SAE transition.

owe

Opportunistic wireless encryption.

osen

OSEN.

pmf

Protected Management Frames .

option

-

disable

 

Option

Description

disable

Disable PMF completely.

enable

Enable PMF but deny clients without PMF.

optional

Enable PMF and allow clients without PMF.

pmf-assoc-comeback-timeout

Protected Management Frames .

integer

Minimum value: 1 Maximum value: 20

1

pmf-sa-query-retry-timeout

Protected Management Frames .

integer

Minimum value: 1 Maximum value: 5

2

okc

Enable/disable Opportunistic Key Caching .

option

-

enable

 

Option

Description

disable

Disable Opportunistic Key Caching (OKC).

enable

Enable Opportunistic Key Caching (OKC).

voice-enterprise

Enable/disable 802.11k and 802.11v assisted Voice-Enterprise roaming .

option

-

disable

 

Option

Description

disable

Disable 802.11k and 802.11v assisted Voice-Enterprise roaming.

enable

Enable 802.11k and 802.11v assisted Voice-Enterprise roaming.

fast-bss-transition

Enable/disable 802.11r Fast BSS Transition .

option

-

disable

 

Option

Description

disable

Disable 802.11r Fast BSS Transition (FT).

enable

Enable 802.11r Fast BSS Transition (FT).

ft-mobility-domain

Mobility domain identifier in FT .

integer

Minimum value: 1 Maximum value: 65535

1000

ft-r0-key-lifetime

Lifetime of the PMK-R0 key in FT, 1-65535 minutes.

integer

Minimum value: 1 Maximum value: 65535

480

ft-over-ds

Enable/disable FT over the Distribution System (DS).

option

-

enable

 

Option

Description

disable

Disable FT over the Distribution System (DS).

enable

Enable FT over the Distribution System (DS).

sae-groups

SAE-Groups.

option

-

 

Option

Description

19

DH Group 19.

20

DH Group 20.

21

DH Group 21.

owe-groups

OWE-Groups.

option

-

 

Option

Description

19

DH Group 19.

20

DH Group 20.

21

DH Group 21.

owe-transition

Enable/disable OWE transition mode support.

option

-

disable

 

Option

Description

disable

Disable OWE transition mode support.

enable

Enable OWE transition mode support.

owe-transition-ssid

OWE transition mode peer SSID.

string

Not Specified

eapol-key-retries

Enable/disable retransmission of EAPOL-Key frames .

option

-

enable

 

Option

Description

disable

Disable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2).

enable

Enable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2).

tkip-counter-measure

Enable/disable TKIP counter measure.

option

-

enable

 

Option

Description

enable

Enable TKIP counter measure.

disable

Disable TKIP counter measure.

external-web

URL of external authentication web server.

string

Not Specified

external-web-format

URL query parameter detection .

option

-

auto-detect

 

Option

Description

auto-detect

Automatically detect if "external-web" URL has any query parameter.

no-query-string

"external-web" URL does not have any query parameter.

partial-query-string

"external-web" URL has some query parameters.

external-logout

URL of external authentication logout server.

string

Not Specified

mac-auth-bypass

Enable/disable MAC authentication bypass.

option

-

disable

 

Option

Description

enable

Enable MAC authentication bypass.

disable

Disable MAC authentication bypass.

radius-mac-auth

Enable/disable RADIUS-based MAC authentication of clients .

option

-

disable

 

Option

Description

enable

Enable RADIUS-based MAC authentication.

disable

Disable RADIUS-based MAC authentication.

radius-mac-auth-server

RADIUS-based MAC authentication server.

string

Not Specified

radius-mac-auth-usergroups <name>

Selective user groups that are permitted for RADIUS mac authentication.

User group name.

string

Maximum length: 79

auth

Authentication protocol.

option

-

psk

 

Option

Description

psk

Use a single Pre-shard Key (PSK) to authenticate all users.

radius

Use a RADIUS server to authenticate clients.

usergroup

Use a firewall usergroup to authenticate clients.

encrypt

Encryption protocol to use (only available when security is set to a WPA type).

option

-

AES

 

Option

Description

TKIP

Use TKIP encryption.

AES

Use AES encryption.

TKIP-AES

Use TKIP and AES encryption.

keyindex

WEP key index .

integer

Minimum value: 1 Maximum value: 4

1

key

WEP Key.

password

Not Specified

passphrase

WPA pre-shared key (PSK) to be used to authenticate WiFi users.

password

Not Specified

sae-password

WPA3 SAE password to be used to authenticate WiFi users.

password

Not Specified

radius-server

RADIUS server to be used to authenticate WiFi users.

string

Not Specified

local-standalone

Enable/disable AP local standalone .

option

-

disable

 

Option

Description

enable

Enable AP local standalone.

disable

Disable AP local standalone.

local-standalone-nat

Enable/disable AP local standalone NAT mode.

option

-

disable

 

Option

Description

enable

Enable AP local standalone NAT mode.

disable

Disable AP local standalone NAT mode.

ip

IP address and subnet mask for the local standalone NAT subnet.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

dhcp-lease-time

DHCP lease time in seconds for NAT IP address.

integer

Minimum value: 300 Maximum value: 8640000

2400

local-bridging

Enable/disable bridging of wireless and Ethernet interfaces on the FortiAP .

option

-

disable

 

Option

Description

enable

Enable AP local VAP to Ethernet bridging.

disable

Disable AP local VAP to Ethernet bridging.

local-lan

Allow/deny traffic destined for a Class A, B, or C private IP address .

option

-

allow

 

Option

Description

allow

Allow traffic destined for a Class A, B, or C private IP address.

deny

Deny traffic destined for a Class A, B, or C private IP address.

local-authentication

Enable/disable AP local authentication.

option

-

disable

 

Option

Description

enable

Enable AP local authentication.

disable

Disable AP local authentication.

usergroup <name>

Firewall user group to be used to authenticate WiFi users.

User group name.

string

Maximum length: 79

portal-message-override-group

Replacement message group for this VAP (only available when security is set to a captive portal type).

string

Not Specified

portal-type

Captive portal functionality. Configure how the captive portal authenticates users and whether it includes a disclaimer.

option

-

auth

 

Option

Description

auth

Portal for authentication.

auth+disclaimer

Portal for authentication and disclaimer.

disclaimer

Portal for disclaimer.

email-collect

Portal for email collection.

cmcc

Portal for CMCC.

cmcc-macauth

Portal for CMCC and MAC authentication.

auth-mac

Portal for authentication and MAC authentication.

external-auth

Portal for external portal authentication.

selected-usergroups <name>

Selective user groups that are permitted to authenticate.

User group name.

string

Maximum length: 79

security-exempt-list

Optional security exempt list for captive portal authentication.

string

Not Specified

security-redirect-url

Optional URL for redirecting users after they pass captive portal authentication.

string

Not Specified

intra-vap-privacy

Enable/disable blocking communication between clients on the same SSID .

option

-

disable

 

Option

Description

enable

Enable intra-SSID privacy.

disable

Disable intra-SSID privacy.

schedule <name>

Firewall schedules for enabling this VAP on the FortiAP. This VAP will be enabled when at least one of the schedules is valid. Separate multiple schedule names with a space.

Schedule name.

string

Maximum length: 35

ldpc

VAP low-density parity-check (LDPC) coding configuration.

option

-

rxtx

 

Option

Description

disable

Disable LDPC.

rx

Enable LDPC when receiving traffic.

tx

Enable LDPC when transmitting traffic.

rxtx

Enable LDPC when both receiving and transmitting traffic.

high-efficiency

Enable/disable 802.11ax high efficiency .

option

-

enable

 

Option

Description

enable

Enable 802.11ax high efficiency.

disable

Disable 802.11ax high efficiency.

target-wake-time

Enable/disable 802.11ax target wake time .

option

-

enable

 

Option

Description

enable

Enable 802.11ax target wake time.

disable

Disable 802.11ax target wake time.

port-macauth

Enable/disable LAN port MAC authentication .

option

-

disable

 

Option

Description

disable

Disable LAN port MAC authentication.

radius

Enable LAN port RADIUS-based MAC authentication.

address-group

Enable LAN port address-group based MAC authentication.

port-macauth-timeout

LAN port MAC authentication idle timeout value .

integer

Minimum value: 60 Maximum value: 65535

600

port-macauth-reauth-timeout

LAN port MAC authentication re-authentication timeout value .

integer

Minimum value: 120 Maximum value: 65535

7200

bss-color-partial

Enable/disable 802.11ax partial BSS color .

option

-

enable

 

Option

Description

enable

Enable 802.11ax partial BSS color.

disable

Disable 802.11ax partial BSS color.

mpsk-profile

MPSK profile name.

string

Not Specified

split-tunneling

Enable/disable split tunneling .

option

-

disable