FortiLAN Cloud User Guide

Basic Settings

Configure the following basic settings for an SSID assigned to your network.

Field

Description

SSID

Type a name for this wireless network. Wireless clients use this name to find and connect to this wireless network.

Enabled

Select to have the SSID active.

Broadcast SSID

Select to advertise the SSID. All wireless clients within range can see the SSID when they scan for available networks.

MAC Access Control

Select to allow clients identified in the MAC address import list to connect to that SSID.

  • Fail Through Mode. This mode is available if you select Open authentication. If you select Fail Through Mode, the following applies:
    • If a client is not in the MAC address import list, then the client must pass captive-portal authentication to access the internet.
    • If a client is in the MAC address import list, then the client can bypass the captive-portal authentication and access the internet directly.

Mesh Link

Select to enable the mesh link. A wireless mesh eliminates the need for Ethernet wiring by connecting Wi-Fi APs to each other by radio. AP networks can be configured in this way so that only one AP unit is connected to the wired network.

Data Encryption

When either of the mixed mode authentication methods is enabled, select a data encryption protocol: AES, TKIP, or TKIP-AES.

Simple Multiple Pre-shared Keys (MPSK)

Simple Multiple PSKs can also be configured for Personal SSIDs, in which case stations will be able to connect to an SSID using either a common PSK or their own PSK. You can select the configured schedule profile for activating multiple PSKs. For more information, see Adding a Schedule Profile.

Note: A maximum of 128 multiple PSKs are allowed per SSID.

MPSK

You can create multiple pre-shared key groups to associate with VLANs; up to 16000 keys are supported per network.

Adding MPSK Groups

  • Click Add, enter a unique Group Name and the VLAN ID to associate with the MPSK group, and configure pre-shared keys.
  • Click Import to import existing MPSK groups from a .csv file into the SSID profile.
  • Click Export to export the existing MPSK groups to your local machine in .csv format.

Adding Pre-shared keys

  • Click Add to create new pre-shared keys and update the following.
    1. A unique Name and Pre-shared Key (8 to 63 characters or 64 hexadecimal digits).
    2. The client MAC Address for which this key is used. This field takes precedence over the client limit.
    3. Select the Client Limit.
      Default - The maximum number of clients is determined by the default client limit, which is set at the SSID level. If this value is not set, then an unlimited number of clients can connect to the key.
      Unlimited - An unlimited number of clients can connect to the key.
      Specify - The specified maximum number of clients can connect to the key.
    4. Select a configured Schedule Profile. See Adding a Schedule Profile.
    5. Enter User Name, User Email address, and Mobile number (prefixed with the country code). These credentials are used to send pre-shared keys to email addresses (Send Keys via Email) or via SMS (Send Keys via SMS) on the associated mobile number.
  • Click Generate to auto-generate pre-shared keys and update the following.
    1. A unique Name Prefix (1 - 32 alphanumeric characters) for the generated keys and the Number of Keys to generate (1 - 16383).
    2. The required Key Length (8 - 63 characters).
    3. Specify the Client Limit and the configured Schedule Profile. See Adding a Schedule Profile.
  • Click Import to import existing pre-shared keys from a .csv file into the MPSK group.
  • Click Export to export the existing pre-shared keys to your local machine in .csv format.
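
When keys are prepared outside the portal before import, the limits listed above can be checked ahead of time. The following Python sketch is an added example, not Fortinet code: the function names are hypothetical, the printable-ASCII check is the IEEE 802.11 passphrase rule rather than something this page states, and it does not reproduce the .csv layout, which this page does not describe.

```python
import re
import secrets
import string

# Limits quoted from the steps above.
PSK_MIN, PSK_MAX, MAX_GENERATED = 8, 63, 16383
HEX_PSK = re.compile(r"[0-9A-Fa-f]{64}")
PREFIX = re.compile(r"[A-Za-z0-9]{1,32}")
ALPHABET = string.ascii_letters + string.digits
# Constructed sample entries (name, key); not real keys.
SAMPLE = [("lobby1", "correct-horse-battery"), ("lobby2", "short"),
          ("lobby3", "correct-horse-battery"), ("iot1", "ab" * 32)]

def psk_problem(psk):
    """Return None if psk fits the documented format, else the reason."""
    if HEX_PSK.fullmatch(psk):
        return None  # 64 hexadecimal digits
    if not PSK_MIN <= len(psk) <= PSK_MAX:
        return "must be 8 to 63 characters or 64 hexadecimal digits"
    # Assumption: printable-ASCII rule from IEEE 802.11, not from this page.
    if not all(32 <= ord(c) <= 126 for c in psk):
        return "contains a non-printable or non-ASCII character"
    return None

def generate_keys(prefix, count, length):
    """Return count (name, key) pairs with unique CSPRNG-generated keys."""
    if not PREFIX.fullmatch(prefix):
        raise ValueError("prefix must be 1-32 alphanumeric characters")
    if not 1 <= count <= MAX_GENERATED:
        raise ValueError("count must be 1-16383")
    if not PSK_MIN <= length <= PSK_MAX:
        raise ValueError("key length must be 8-63")
    keys = set()
    while len(keys) < count:
        keys.add("".join(secrets.choice(ALPHABET) for _ in range(length)))
    return [(f"{prefix}{n}", key) for n, key in enumerate(keys, 1)]

def audit(entries):
    """Map each rejected entry name to the reason it was rejected."""
    problems, names, keys = {}, set(), set()
    for name, psk in entries:
        reason = psk_problem(psk)
        if reason is None and (name in names or psk in keys):
            reason = "duplicate name or pre-shared key"
        if reason:
            problems[name] = reason
        names.add(name)
        keys.add(psk)
    return problems
```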

RADIUS Authentication by

The FortiAP acts as a RADIUS client and sends accounting information to the configured RADIUS server.

This configuration parameter is applicable ONLY when the SSID operates in the OPEN security mode with external captive portal and RADIUS authentication and accounting parameters.

When RADIUS Authentication by is enabled, the FortiAP redirects clients to the configured external captive portal, collects credentials and performs RADIUS authentication and accounting. When disabled (default), the legacy functionality continues where the FortiAP redirects all clients to a centralized FortiLAN Cloud which then redirects them to the configured external captive portal.

When you enable RADIUS Authentication by, the following parameters become configurable.

  • Secure HTTP - Secure HTTP is used to post credentials from the configured external captive portal web server to the FortiAP. This is disabled by default.
  • Session Interval - The time interval after which the captive portal authentication session is invalidated and the user is required to log in again. The valid range for the session interval is 0 - 864000 seconds; 0 (default) indicates that the user is never logged out.

Note: This feature is supported on FAP-S and FAP-W2 models with firmware versions 6.2 and 6.4.

RADIUS Acct Settings

Select the RADIUS profile for accounting.

CoA is also supported and can be enabled in the RADIUS Accounting profile.

IP assignment

Select Bridge or NAT. If you choose NAT, then complete the following:

  • Local LAN: Select Allow or Deny.
  • DHCP Lease Time: Default is 3600 seconds (or one hour).
  • IP/Network Mask: Type the IP address and network mask of the SSID.

QoS Profile

If you want to apply a QoS profile that you have already created, select it from the list.

VLAN ID

If the IP assignment is Bridge, you can type the ID of the VLAN for your wireless network (SSID).
Default is 0 for non-VLAN operation.

To view the dynamic VLAN ID based on the FortiAP data, see Clients.
