config wireless-controller vap

Configure Virtual Access Points (VAPs).

config wireless-controller vap

Description: Configure Virtual Access Points (VAPs).

edit <name>

set fast-roaming [enable|disable]

set external-fast-roaming [enable|disable]

set mesh-backhaul [enable|disable]

set atf-weight {integer}

set max-clients {integer}

set max-clients-ap {integer}

set ssid {string}

set broadcast-ssid [enable|disable]

set security [open|captive-portal|...]

set pmf [disable|enable|...]

set pmf-assoc-comeback-timeout {integer}

set pmf-sa-query-retry-timeout {integer}

set okc [disable|enable]

set mbo [disable|enable]

set gas-comeback-delay {integer}

set gas-fragmentation-limit {integer}

set mbo-cell-data-conn-pref [excluded|prefer-not|...]

set voice-enterprise [disable|enable]

set neighbor-report-dual-band [disable|enable]

set fast-bss-transition [disable|enable]

set ft-mobility-domain {integer}

set ft-r0-key-lifetime {integer}

set ft-over-ds [disable|enable]

set sae-groups {option1}, {option2}, ...

set owe-groups {option1}, {option2}, ...

set owe-transition [disable|enable]

set owe-transition-ssid {string}

set additional-akms {option1}, {option2}, ...

set eapol-key-retries [disable|enable]

set tkip-counter-measure [enable|disable]

set external-web {var-string}

set external-web-format [auto-detect|no-query-string|...]

set external-logout {string}

set mac-username-delimiter [hyphen|single-hyphen|...]

set mac-password-delimiter [hyphen|single-hyphen|...]

set mac-calling-station-delimiter [hyphen|single-hyphen|...]

set mac-called-station-delimiter [hyphen|single-hyphen|...]

set mac-case [uppercase|lowercase]

set mac-auth-bypass [enable|disable]

set radius-mac-auth [enable|disable]

set radius-mac-auth-server {string}

set radius-mac-mpsk-auth [enable|disable]

set radius-mac-mpsk-timeout {integer}

set radius-mac-auth-usergroups <name1>, <name2>, ...

set auth [psk|radius|...]

set encrypt [TKIP|AES|...]

set keyindex {integer}

set key {password}

set passphrase {password}

set sae-password {password}

set radius-server {string}

set local-standalone [enable|disable]

set local-standalone-nat [enable|disable]

set ip {ipv4-classnet-host}

set dhcp-lease-time {integer}

set local-standalone-dns [enable|disable]

set local-standalone-dns-ip {ipv4-address}

set local-bridging [enable|disable]

set local-lan [allow|deny]

set local-authentication [enable|disable]

set usergroup <name1>, <name2>, ...

set portal-message-override-group {string}

config portal-message-overrides

Description: Individual message overrides.

set auth-disclaimer-page {string}

set auth-reject-page {string}

set auth-login-page {string}

set auth-login-failed-page {string}

end

set portal-type [auth|auth+disclaimer|...]

set selected-usergroups <name1>, <name2>, ...

set security-exempt-list {string}

set security-redirect-url {var-string}

set auth-cert {string}

set auth-portal-addr {string}

set intra-vap-privacy [enable|disable]

set schedule <name1>, <name2>, ...

set ldpc [disable|rx|...]

set high-efficiency [enable|disable]

set target-wake-time [enable|disable]

set port-macauth [disable|radius|...]

set port-macauth-timeout {integer}

set port-macauth-reauth-timeout {integer}

set bss-color-partial [enable|disable]

set mpsk-profile {string}

set split-tunneling [enable|disable]

set nac [enable|disable]

set nac-profile {string}

set vlanid {integer}

set vlan-auto [enable|disable]

set dynamic-vlan [enable|disable]

set captive-portal-ac-name {string}

set captive-portal-auth-timeout {integer}

set multicast-rate [0|6000|...]

set multicast-enhance [enable|disable]

set igmp-snooping [enable|disable]

set dhcp-address-enforcement [enable|disable]

set broadcast-suppression {option1}, {option2}, ...

set ipv6-rules {option1}, {option2}, ...

set me-disable-thresh {integer}

set mu-mimo [enable|disable]

set probe-resp-suppression [enable|disable]

set probe-resp-threshold {string}

set radio-sensitivity [enable|disable]

set quarantine [enable|disable]

set radio-5g-threshold {string}

set radio-2g-threshold {string}

config vlan-name

Description: Table for mapping VLAN name to VLAN ID.

edit <name>

set vlan-id {integer}

next

end

set vlan-pooling [wtp-group|round-robin|...]

config vlan-pool

Description: VLAN pool.

edit <id>

set wtp-group {string}

next

end

set dhcp-option43-insertion [enable|disable]

set dhcp-option82-insertion [enable|disable]

set dhcp-option82-circuit-id-insertion [style-1|style-2|...]

set dhcp-option82-remote-id-insertion [style-1|disable]

set ptk-rekey [enable|disable]

set ptk-rekey-intv {integer}

set gtk-rekey [enable|disable]

set gtk-rekey-intv {integer}

set eap-reauth [enable|disable]

set eap-reauth-intv {integer}

set qos-profile {string}

set hotspot20-profile {string}

set access-control-list {string}

set primary-wag-profile {string}

set secondary-wag-profile {string}

set tunnel-echo-interval {integer}

set tunnel-fallback-interval {integer}

set rates-11a {option1}, {option2}, ...

set rates-11bg {option1}, {option2}, ...

set rates-11n-ss12 {option1}, {option2}, ...

set rates-11n-ss34 {option1}, {option2}, ...

set rates-11ac-ss12 {option1}, {option2}, ...

set rates-11ac-ss34 {option1}, {option2}, ...

set rates-11ax-ss12 {option1}, {option2}, ...

set rates-11ax-ss34 {option1}, {option2}, ...

set utm-profile {string}

set utm-status [enable|disable]

set utm-log [enable|disable]

set ips-sensor {string}

set application-list {string}

set antivirus-profile {string}

set webfilter-profile {string}

set scan-botnet-connections [disable|monitor|...]

set address-group {string}

set address-group-policy [disable|allow|...]

set mac-filter [enable|disable]

set mac-filter-policy-other [allow|deny]

config mac-filter-list

Description: Create a list of MAC addresses for MAC address filtering.

edit <id>

set mac {mac-address}

set mac-filter-policy [allow|deny]

next

end

set sticky-client-remove [enable|disable]

set sticky-client-threshold-5g {string}

set sticky-client-threshold-2g {string}

set bstm-rssi-disassoc-timer {integer}

set bstm-load-balancing-disassoc-timer {integer}

set bstm-disassociation-imminent [enable|disable]

set beacon-advertising {option1}, {option2}, ...

set osen [enable|disable]

set application-detection-engine [enable|disable]

set application-report-intv {integer}

set l3-roaming [enable|disable]

next

end

config wireless-controller vap

Parameter

Description

Type

Size

Default

fast-roaming

Enable/disable fast-roaming, or pre-authentication, where supported by clients.

option

-

enable

Option

Description

enable

Enable fast-roaming, or pre-authentication.

disable

Disable fast-roaming, or pre-authentication.

external-fast-roaming

Enable/disable fast roaming or pre-authentication with external APs not managed by the FortiGate.

option

-

disable

Option

Description

enable

Enable fast roaming or pre-authentication with external APs.

disable

Disable fast roaming or pre-authentication with external APs.

mesh-backhaul

Enable/disable using this VAP as a WiFi mesh backhaul. This entry is only available when security is set to a WPA type or open.

option

-

disable

Option

Description

enable

Enable mesh backhaul.

disable

Disable mesh backhaul.

atf-weight

Airtime weight in percentage.

integer

Minimum value: 0 Maximum value: 100

20

max-clients

Maximum number of clients that can connect simultaneously to the VAP.

integer

Minimum value: 0 Maximum value: 4294967295

0

max-clients-ap

Maximum number of clients that can connect simultaneously to the VAP per AP radio.

integer

Minimum value: 0 Maximum value: 4294967295

0

ssid

IEEE 802.11 service set identifier (SSID) for the wireless interface. Users who wish to use the wireless network must configure their computers to access this SSID name.

string

Maximum length: 32

fortinet

broadcast-ssid

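Enable/disable broadcasting the SSID. Disabling the broadcast only hides the network name from casual discovery; it is not an access control and does not replace an authenticated, encrypted security mode.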

option

-

enable

Option

Description

enable

Enable broadcasting the SSID.

disable

Disable broadcasting the SSID.

security

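Security mode for the wireless interface. The open and WEP modes provide no or only weak over-the-air confidentiality; prefer a WPA2 or WPA3 mode where clients support it.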

option

-

wpa2-only-personal

Option

Description

open

Open.

captive-portal

Captive portal.

wep64

WEP 64-bit.

wep128

WEP 128-bit.

wpa-personal

WPA/WPA2 personal.

wpa-personal+captive-portal

WPA/WPA2 personal with captive portal.

wpa-enterprise

WPA/WPA2 enterprise.

wpa-only-personal

WPA personal.

wpa-only-personal+captive-portal

WPA personal with captive portal.

wpa-only-enterprise

WPA enterprise.

wpa2-only-personal

WPA2 personal.

wpa2-only-personal+captive-portal

WPA2 personal with captive portal.

wpa2-only-enterprise

WPA2 enterprise.

wpa3-enterprise

WPA3 enterprise with 192-bit encryption and PMF mandatory.

wpa3-only-enterprise

WPA3 enterprise with PMF mandatory.

wpa3-enterprise-transition

WPA3 enterprise with PMF optional.

wpa3-sae

WPA3 SAE.

wpa3-sae-transition

WPA3 SAE transition.

owe

Opportunistic wireless encryption.

osen

OSEN.

pmf

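Protected Management Frames (PMF) support. PMF (IEEE 802.11w) authenticates management frames such as deauthentication and disassociation, so disabling it leaves those frames unprotected.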

option

-

disable

Option

Description

disable

Disable PMF completely.

enable

Enable PMF but deny clients without PMF.

optional

Enable PMF and allow clients without PMF.

pmf-assoc-comeback-timeout

Protected Management Frames (PMF) association comeback timeout.

integer

Minimum value: 1 Maximum value: 20

1

pmf-sa-query-retry-timeout

Protected Management Frames (PMF) SA query retry timeout.

integer

Minimum value: 1 Maximum value: 5

2

okc

Enable/disable Opportunistic Key Caching (OKC).

option

-

enable

Option

Description

disable

Disable Opportunistic Key Caching (OKC).

enable

Enable Opportunistic Key Caching (OKC).

mbo

Enable/disable Multiband Operation (MBO).

option

-

disable

Option

Description

disable

Disable Multiband Operation (MBO).

enable

Enable Multiband Operation (MBO).

gas-comeback-delay

GAS comeback delay.

integer

Minimum value: 100 Maximum value: 10000

500

gas-fragmentation-limit

GAS fragmentation limit.

integer

Minimum value: 512 Maximum value: 4096

1024

mbo-cell-data-conn-pref

MBO cell data connection preference.

option

-

prefer-not

Option

Description

excluded

Wi-Fi Agile Multiband AP does not want the Wi-Fi Agile Multiband STA to use the cellular data connection.

prefer-not

Wi-Fi Agile Multiband AP prefers the Wi-Fi Agile Multiband STA should not use cellular data connection.

prefer-use

Wi-Fi Agile Multiband AP prefers the Wi-Fi Agile Multiband STA should use cellular data connection.

voice-enterprise

Enable/disable 802.11k and 802.11v assisted Voice-Enterprise roaming.

option

-

disable

Option

Description

disable

Disable 802.11k and 802.11v assisted Voice-Enterprise roaming.

enable

Enable 802.11k and 802.11v assisted Voice-Enterprise roaming.

neighbor-report-dual-band

Enable/disable dual-band neighbor report.

option

-

disable

Option

Description

disable

Disable dual-band neighbor report.

enable

Enable dual-band neighbor report.

fast-bss-transition

Enable/disable 802.11r Fast BSS Transition (FT).

option

-

disable

Option

Description

disable

Disable 802.11r Fast BSS Transition (FT).

enable

Enable 802.11r Fast BSS Transition (FT).

ft-mobility-domain

Mobility domain identifier in FT.

integer

Minimum value: 1 Maximum value: 65535

1000

ft-r0-key-lifetime

Lifetime of the PMK-R0 key in FT, 1-65535 minutes.

integer

Minimum value: 1 Maximum value: 65535

480

ft-over-ds

Enable/disable FT over the Distribution System (DS).

option

-

disable

Option

Description

disable

Disable FT over the Distribution System (DS).

enable

Enable FT over the Distribution System (DS).

sae-groups

SAE-Groups.

option

-

Option

Description

19

DH Group 19.

20

DH Group 20.

21

DH Group 21.

owe-groups

OWE-Groups.

option

-

Option

Description

19

DH Group 19.

20

DH Group 20.

21

DH Group 21.

owe-transition

Enable/disable OWE transition mode support.

option

-

disable

Option

Description

disable

Disable OWE transition mode support.

enable

Enable OWE transition mode support.

owe-transition-ssid

OWE transition mode peer SSID.

string

Maximum length: 32

additional-akms

Additional AKMs.

option

-

Option

Description

akm6

Use AKM suite employing PSK_SHA256.

eapol-key-retries

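Enable/disable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2). Disabling retransmission is commonly used to reduce the exposure of unpatched clients to key-reinstallation attacks, at the cost of less reliable handshakes on lossy links.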

option

-

enable

Option

Description

disable

Disable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2).

enable

Enable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2).

tkip-counter-measure

Enable/disable TKIP counter measure.

option

-

enable

Option

Description

enable

Enable TKIP counter measure.

disable

Disable TKIP counter measure.

external-web

URL of external authentication web server.

var-string

Maximum length: 1023

external-web-format

URL query parameter detection.

option

-

auto-detect

Option

Description

auto-detect

Automatically detect if "external-web" URL has any query parameter.

no-query-string

"external-web" URL does not have any query parameter.

partial-query-string

"external-web" URL has some query parameters.

external-logout

URL of external authentication logout server.

string

Maximum length: 127

mac-username-delimiter

MAC authentication username delimiter.

option

-

hyphen

Option

Description

hyphen

Use hyphen as delimiter for MAC auth username.

single-hyphen

Use single hyphen as delimiter for MAC auth username.

colon

Use colon as delimiter for MAC auth username.

none

No delimiter for MAC auth username.

mac-password-delimiter

MAC authentication password delimiter.

option

-

hyphen

Option

Description

hyphen

Use hyphen as delimiter for MAC auth password.

single-hyphen

Use single hyphen as delimiter for MAC auth password.

colon

Use colon as delimiter for MAC auth password.

none

No delimiter for MAC auth password.

mac-calling-station-delimiter

MAC calling station delimiter.

option

-

hyphen

Option

Description

hyphen

Use hyphen as delimiter for calling station.

single-hyphen

Use single hyphen as delimiter for calling station.

colon

Use colon as delimiter for calling station.

none

No delimiter for calling station.

mac-called-station-delimiter

MAC called station delimiter.

option

-

hyphen

Option

Description

hyphen

Use hyphen as delimiter for called station.

single-hyphen

Use single hyphen as delimiter for called station.

colon

Use colon as delimiter for called station.

none

No delimiter for called station.

mac-case

MAC address letter case.

option

-

uppercase

Option

Description

uppercase

Use uppercase MAC.

lowercase

Use lowercase MAC.

mac-auth-bypass

Enable/disable MAC authentication bypass.

option

-

disable

Option

Description

enable

Enable MAC authentication bypass.

disable

Disable MAC authentication bypass.

radius-mac-auth

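Enable/disable RADIUS-based MAC authentication of clients. A MAC address is not a secret and can be set by the client, so treat MAC authentication as device identification rather than as a strong credential.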

option

-

disable

Option

Description

enable

Enable RADIUS-based MAC authentication.

disable

Disable RADIUS-based MAC authentication.

radius-mac-auth-server

RADIUS-based MAC authentication server.

string

Maximum length: 35

radius-mac-mpsk-auth

Enable/disable RADIUS-based MAC authentication of clients for MPSK authentication.

option

-

disable