Fortinet white logo
Fortinet white logo

Administration Guide

MPSK groups

MPSK groups

Users can batch generate or import MPSK keys, export MPSK keys to a CSV file, dynamically assign VLANs based on used MPSK, and apply an MPSK schedule in the GUI.

In the GUI, MPSK key entries are organized in different MPSK groups. An MPSK group can be created manually or imported. When MPSK is enabled, the previous single passphrase is dropped and a dynamic VLAN is automatically enabled.

In the CLI, an mpsk-profile is assigned in the VAP settings and MPSK is enabled. The dynamic VLAN is automatically enabled. Only one MPSK profile can be assigned to one VAP at a time.

To use an MPSK group in the GUI:
  1. Go to WiFi & Switch Controller > SSIDs and click Create New > SSID.
  2. Enter a name and ensure the Security mode is set to WPA2 Personal.
  3. In the Pre-shared Key section, select a Mode (Multiple is used in this example).
  4. In the table, click Add > Create Group.

  5. Enter a group name and VLAN ID.
  6. Configure the pre-shared key settings:
    1. In the table, click Add > Generate Keys.

    2. Configure the settings as needed and click OK.

  7. Click OK to close the Pre-shared Key Group window.
  8. Click OK.
  9. Go to WiFi & Switch Controller > WiFi Clients to view the MPSK name in the Pre-shared Key column.

To use an MPSK profile in the CLI:
  1. Configure the MPSK profile:
    config wireless-controller mpsk-profile
        edit "wifi-mpsk"
            config mpsk-group
                edit "group-a"
                    set vlan-type fixed-vlan
                    set vlan-id 10
                    config mpsk-key
                        edit "key-a-1"
                            set passphrase ENC
                            set mpsk-schedules "always"
                        next
                    end
                next
                edit "group-b"
                    set vlan-type fixed-vlan
                    set vlan-id 20
                    config mpsk-key
                        edit "key-b-1"
                            set passphrase ENC
                            set concurrent-client-limit-type unlimited
                            set mpsk-schedules "always"
                        next
                    end
                next
            end
        next
    end
  2. Configure the VAP settings:
    config wireless-controller vap
        edit "wifi-mpsk"
            set ssid "wifi-mpsk"
            set local-bridging enable
            set schedule "always"
            set mpsk-profile "wifi-mpsk"
            set dynamic-vlan enable
        next
    end
  3. Verify the event log after the WiFi client is connected:
    1: date=2020-07-10 time=16:57:20 logid="0104043573" type="event" subtype="wireless" level="notice" vd="root" eventtime=1594425440439070726 tz="-0700" logdesc="Wireless client authenticated" sn="FP423E3X16000320" ap="FP423E3X16000320" vap="wifi-mpsk" ssid="wifi-mpsk" radioid=2 user="N/A" group="N/A" stamac="3c:2e:ff:83:91:33" srcip=10.0.10.2 channel=144 radioband="802.11ac" signal=-52 snr=50 security="WPA2 Personal" encryption="AES" action="client-authentication" reason="Reserved 0" mpsk="key-a-1" msg="Client 3c:2e:ff:83:91:33 authenticated."

MPSK groups

MPSK groups

Users can batch generate or import MPSK keys, export MPSK keys to a CSV file, dynamically assign VLANs based on used MPSK, and apply an MPSK schedule in the GUI.

In the GUI, MPSK key entries are organized in different MPSK groups. An MPSK group can be created manually or imported. When MPSK is enabled, the previous single passphrase is dropped and a dynamic VLAN is automatically enabled.

In the CLI, an mpsk-profile is assigned in the VAP settings and MPSK is enabled. The dynamic VLAN is automatically enabled. Only one MPSK profile can be assigned to one VAP at a time.

To use an MPSK group in the GUI:
  1. Go to WiFi & Switch Controller > SSIDs and click Create New > SSID.
  2. Enter a name and ensure the Security mode is set to WPA2 Personal.
  3. In the Pre-shared Key section, select a Mode (Multiple is used in this example).
  4. In the table, click Add > Create Group.

  5. Enter a group name and VLAN ID.
  6. Configure the pre-shared key settings:
    1. In the table, click Add > Generate Keys.

    2. Configure the settings as needed and click OK.

  7. Click OK to close the Pre-shared Key Group window.
  8. Click OK.
  9. Go to WiFi & Switch Controller > WiFi Clients to view the MPSK name in the Pre-shared Key column.

To use an MPSK profile in the CLI:
  1. Configure the MPSK profile:
    config wireless-controller mpsk-profile
        edit "wifi-mpsk"
            config mpsk-group
                edit "group-a"
                    set vlan-type fixed-vlan
                    set vlan-id 10
                    config mpsk-key
                        edit "key-a-1"
                            set passphrase ENC
                            set mpsk-schedules "always"
                        next
                    end
                next
                edit "group-b"
                    set vlan-type fixed-vlan
                    set vlan-id 20
                    config mpsk-key
                        edit "key-b-1"
                            set passphrase ENC
                            set concurrent-client-limit-type unlimited
                            set mpsk-schedules "always"
                        next
                    end
                next
            end
        next
    end
  2. Configure the VAP settings:
    config wireless-controller vap
        edit "wifi-mpsk"
            set ssid "wifi-mpsk"
            set local-bridging enable
            set schedule "always"
            set mpsk-profile "wifi-mpsk"
            set dynamic-vlan enable
        next
    end
  3. Verify the event log after the WiFi client is connected:
    1: date=2020-07-10 time=16:57:20 logid="0104043573" type="event" subtype="wireless" level="notice" vd="root" eventtime=1594425440439070726 tz="-0700" logdesc="Wireless client authenticated" sn="FP423E3X16000320" ap="FP423E3X16000320" vap="wifi-mpsk" ssid="wifi-mpsk" radioid=2 user="N/A" group="N/A" stamac="3c:2e:ff:83:91:33" srcip=10.0.10.2 channel=144 radioband="802.11ac" signal=-52 snr=50 security="WPA2 Personal" encryption="AES" action="client-authentication" reason="Reserved 0" mpsk="key-a-1" msg="Client 3c:2e:ff:83:91:33 authenticated."