
FortiLAN Cloud User Guide

Basic Settings


Configure the following basic settings for an SSID assigned to your network.

Field

Description

SSID

Type a name for this wireless network. Wireless clients use this name to find and connect to this wireless network.

Enabled

Select to have the SSID active.

Broadcast SSID

Select to advertise the SSID. All wireless clients within range can see the SSID when they scan for available networks.

Beacon Advertising

You can enable the advertising of vendor-specific elements in beacons that contain FortiAP information such as its name, model, and serial number. This enables administrators to easily identify the coverage areas using site surveys.

Consider the following scenarios that use this feature effectively.

  • The administrator is able to gradually move away from the FortiAP while continuously sniffing the beacons to determine if they can still hear from the FortiAP.

  • FortiAPs are easily identified during network troubleshooting.

MAC Access Control

Select to allow clients identified in the MAC address import list to connect to that SSID.

  • Fail Through Mode. This mode is available if you select the Open authentication. If you select the Fail Through Mode, then the following applies:
    • If a client is not in the MAC address import list, then the client must pass captive-portal authentication to access the internet.
    • If a client is in the MAC address import list, then the client can bypass the captive-portal authentication and access the internet directly.

Mesh Link

Select to enable the mesh link.

A wireless mesh eliminates the need for Ethernet wiring by connecting Wi-Fi APs to each other by radio.

Only one AP (root AP) is connected to the wired network and all other APs (leaf APs) connect to this mesh root AP over the wireless backhaul SSID.

This is supported for WPA3 - SAE, WPA2 - Personal, and Open modes of authentication.

Data Encryption

When either of the mixed mode authentication methods is enabled, select a data encryption protocol: AES, TKIP, or TKIP-AES.

Simple Multiple Pre-shared Keys (MPSK)

Simple Multiple PSKs can also be configured for Personal SSIDs, in which case stations will be able to connect to an SSID using either a common PSK or their own PSK. You can select the configured schedule profile for activating multiple PSKs. For more information, see Schedule Profile.

Note: A maximum of 128 multiple PSKs are allowed per SSID.

MPSK

You can create multiple pre-shared key groups to associate with VLANs; up to 16000 keys are supported per network.

Adding MPSK Groups

  • Click Add, enter a unique Group Name and the VLAN ID to associate with the MPSK group, and configure pre-shared keys.
  • Click Import to import (.csv) and populate existing MPSK groups into the SSID profile.
  • Click Export to export the existing MPSK groups to your local machine in .csv format.

Adding Pre-shared keys

  • Click Add to create new pre-shared keys and update the following.
    1. A unique Name and Pre-shared Key (8 to 63 characters or 64 hexadecimal digits).
    2. The client MAC Address for which this key is used. This field takes precedence over the client limit.
    3. Select the Client Limit.
      Default - The maximum number of clients is determined by the default client limit, which is set at the SSID level. If this value is not set, then an unlimited number of clients can connect to the key.
      Unlimited - An unlimited number of clients can connect to the key.
      Specify - The specified maximum number of clients can connect to the key.
    4. Select a configured Schedule Profile. See Schedule Profile.
    5. Enter User Name, User Email address, and Mobile number (prefixed with the country code). These credentials are used to send pre-shared keys to email addresses (Send Keys via Email) or via SMS (Send Keys via SMS) on the associated mobile number.
  • Click Generate to auto-generate pre-shared keys and update the following.
    1. A unique Name Prefix (1 - 32 alphanumeric characters) for the generated keys and the Number of Keys to generate (1 - 16383).
    2. The required Key Length (8 - 63 characters).
    3. Specify the Client Limit and the configured Schedule Profile. See Schedule Profile.
  • Click Import to import (.csv) and populate existing pre-shared keys in the MPSK group.
  • Click Export to export the existing pre-shared keys to your local machine in .csv format.
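
A pre-import check of a key list against the rules stated above (unique Name, key of 8 to 63 characters or 64 hexadecimal digits), as an added example that is not part of the FortiLAN Cloud guide or Fortinet's own code. The dictionary field names, the colon- or hyphen-separated MAC format, the printable-ASCII restriction (taken from the IEEE 802.11 passphrase definition) and the duplicate-key check are assumptions of this example, not rules from this page.

```python
import re
import string

# Printable ASCII 0x20-0x7e: the character set of a WPA passphrase (assumption).
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")
HEX64 = re.compile(r"[0-9A-Fa-f]{64}")
MAC = re.compile(r"([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")  # assumed MAC notation

def key_format_ok(psk):
    """True for 8 to 63 printable ASCII characters or exactly 64 hex digits."""
    if HEX64.fullmatch(psk):
        return True
    return 8 <= len(psk) <= 63 and all(c in PRINTABLE for c in psk)

def audit_keys(entries):
    """Return (name, problem) findings for a list of key entries.

    Each entry is a dict with 'name', 'psk' and an optional 'mac'
    (hypothetical field names chosen for this example).
    """
    findings = []
    seen_names, seen_psks = set(), {}
    for e in entries:
        name, psk, mac = e["name"], e["psk"], e.get("mac", "")
        if name in seen_names:
            findings.append((name, "duplicate name"))
        seen_names.add(name)
        if not key_format_ok(psk):
            findings.append((name, "invalid key length or characters"))
        elif psk in seen_psks:
            # Shared keys defeat per-user attribution and revocation.
            findings.append((name, f"same key as {seen_psks[psk]}"))
        else:
            seen_psks[psk] = name
        if mac and not MAC.fullmatch(mac):
            findings.append((name, "malformed MAC address"))
    return findings

# Constructed sample data, not real keys.
SAMPLE = [
    {"name": "lobby-01", "psk": "correct-horse-42"},
    {"name": "lobby-02", "psk": "short7!"},
    {"name": "lobby-03", "psk": "correct-horse-42"},
    {"name": "printer", "psk": "ab" * 32, "mac": "00:11:22:33:44"},
    {"name": "lobby-01", "psk": "another-valid-key"},
]

if __name__ == "__main__":
    for name, problem in audit_keys(SAMPLE):
        print(f"{name}: {problem}")
```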

RADIUS Authentication by

The FortiAP acts as a RADIUS client and sends accounting information to the configured RADIUS server.

This configuration parameter is applicable ONLY when the SSID operates in the OPEN security mode with external captive portal and RADIUS authentication and accounting parameters.

When RADIUS Authentication by is enabled, the FortiAP redirects clients to the configured external captive portal, collects credentials and performs RADIUS authentication and accounting. When disabled (default), the legacy functionality continues where the FortiAP redirects all clients to a centralized FortiLAN Cloud which then redirects them to the configured external captive portal.

When you enable RADIUS Authentication by, the following parameters become configurable.

  • Secure HTTP - Secure HTTP is used to post credentials from the configured external captive portal web server to the FortiAP. This is disabled by default.
  • Session Interval - The time interval after which the captive portal authentication session is invalidated and the user is required to log in again. The valid range for the session interval is 0 - 864000 seconds; 0 (default) indicates that the user is never logged out.

Note: This feature is supported on FAP-S and FAP-W2 models with firmware versions 6.2 and 6.4.

RADIUS Acct Settings

Select the RADIUS profile for accounting.

CoA is also supported and can be enabled in the RADIUS Accounting profile.

IP assignment

Select Bridge or NAT. If you choose NAT, then complete the following:

  • Local LAN: Select Allow or Deny.
  • DHCP Lease Time: Default is 3600 seconds (or one hour).
  • IP/Network Mask: Type the IP address and network mask of the SSID.
  • DNS Status: You can push DNS configuration to a DHCP server running on the FortiAP. When creating an SSID, enable DNS Status and the wireless endpoints receive the configured DNS server IP addresses via DHCP when connecting to the SSID. You can configure a maximum of 3 DNS server IP addresses (IPv4 only). For Enterprise SSIDs, the RADIUS server can assign or override these DNS servers.

QoS Profile

If you want to apply a QoS profile that you have already created, select it from the list.

VLAN ID

If the IP assignment is Bridge, you can type the ID of the VLAN for your wireless network (SSID).
Default is 0 for non-VLAN operation.

To view the dynamic VLAN ID based on the FortiAP data, see Clients.
