Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

SSIDs

To view SSIDs and SSID groups, go to AP Manager > WiFi Profiles, and select SSID in the tree menu.

The following options are available in the toolbar and right-click menu:

Create New

Create a new SSID or SSID group.

Edit

Edit the selected SSID or group.

Delete

Delete the selected SSID or group.

Clone

Clone the selected SSID or group.

Import

Import SSIDs from a connected FortiGate (toolbar only).

When creating a new SSID, the available options will change depending on the selected traffic mode: Tunnel to Wireless Controller, Local bridge with FortiAP's Interface, or Mesh Downlink.

To create a new SSID:
  1. On the SSID pane, click Create New > SSID in the toolbar, or select it from the right-click menu. The Create New SSID Profile windows opens.

  2. Enter the following information, then click OK to create the new tunnel to wireless controller SSID:

    Interface Name

    Type a name for the SSID.

    Alias

    Set the alias for SSID.

    Traffic Mode

    Select the traffic mode: Tunnel, Bridge, or Mesh.

    WiFi Settings

     

    SSID

    Type the wireless service set identifier (SSID), or network name, for this wireless interface. Users who want to use the wireless network must configure their computers with this network name.

     

    Security Mode

    Select a security mode:

    Captive Portal

    WPA Only Personal

    OPEN

    WPA Only Personal Captive Portal

    Osen

    WPA Personal

    WEP 128

    WPA Personal Captive Portal

    WEP 64

    WPA2 Only Personal

    WPA Enterprise

    WPA2 Only Enterprise

    WPA Only Enterprise

    WPA2 Only Personal Captive Portal

    Only WPA and WPA2 Personal modes are available when the traffic mode is Mesh.

     

    Pre-shared Key

    Enter the pre-shared key for the SSID.

    This option is only available when the security mode includes WPA or WPA2 personal.

     

    Local Standalone

    Enable/disable AP local standalone (default = disable).

    This option is only available when the traffic mode is Bridge.

     

    Local Authentication

    Enable/disable AP local authentication.

    This option is only available when the traffic mode is Bridge.

     

    Client Limit

    The maximum number of clients that can simultaneously connect to the AP (0 - 4294967295, default = 0, meaning no limitation).

     

    Client Limit per Radio

    The maximum number of clients that can simultaneously connect to each radio (0 - 4294967295, default = 0, meaning no limitation).

    This option is only available when Local Standalone is enabled.

     

    Multiple Pre-Shared Keys

    Enable/disable multiple pre-shared keys.

    In the table, click Create to create a new key. Enter the key name, value, client limit, and comments (optional), then click OK. Click Edit to edit the selected key. Click Delete to delete the selected key or keys.

    This option is only available when the security mode includes WPA or WPA2 personal and the traffic mode is not Mesh.

     

    Default Client Limit Per Key

    Enable/disable a maximum number of clients that can simultaneously connect using each pre-shared key, then enter the maximum number.

    This option is only available when the Multiple Pre-Shared Keys is enabled.

     

    Portal Type

    Select the portal type: Authentication (default), Disclaimer + Authentication, Disclaimer Only, or Email Collection.

    This option is only available when the security mode includes captive portal.

     

    Authentication Portal

    Select Local or External. If External is selected, enter the URL of the portal.

    This option is only available when the portal type includes authentication.

     

    User Groups

    Select the user group to add from the dropdown list. Select the plus symbol to add multiple groups.

    This option is only available when the portal type includes authentication.

     

    Exempt Sources

    Select exempt sources to add from the dropdown list.

    This option is only available when the portal type includes authentication.

     

    Devices

    Select exempt devices to add from the dropdown list.

    This option is only available when the portal type includes authentication.

     

    Exempt Destinations

    Select exempt destinations to add from the dropdown list.

    This option is only available when the portal type includes authentication.

     

    Exempt Services

    Select exempt services to add from the dropdown list.

    This option is only available when the portal type includes authentication.

     

    Customize Portal Messages

    Select to allow for customized portal messages. Portal messages cannot be customized until after the interface has been created.

    This option is only available when the portal type includes disclaimer, email collection, or CMCC without MAC authentication.

     

    Redirect after Captive Portal

    Select Original Request or Specific URL. If Specific URL is selected, enter the redirect URL.

    This option is only available when the security mode includes captive portal.

     

    Authentication

    Select the authentication method for the SSID, either Local or RADIUS Server, then select the requisite server or group from the dropdown list.

    This option is only available when the security mode is includes WPA or WPA2 enterprise.

     

    Broadcast SSID

    Enable/disable broadcasting the SSID (default = enable).

    Broadcasting enables clients to connect to the wireless network without first knowing the SSID. For better security, do not broadcast the SSID.

     

    Schedule

    Select a schedule to control the availability of the SSID. For information on creating a schedule object, see Create a new object.

     

    Block Intra-SSID Traffic

    Enable/disable blocking communication between clients of the same AP (default = disable).

     

    Broadcast Suppression

    Optional suppression of broadcast message types:

    • All other broadcast: All other broadcast messages
    • All other multicast: All other multicast messages
    • ARP poison: ARP poison messages from wireless clients
    • ARP proxy: ARP requests for wireless clients as a proxy
    • ARP replies: ARP replies from wireless clients
    • ARPs for known clients: ARP for known messages
    • ARPs for unknown clients: ARP for unknown messages
    • DHCP downlink: Downlink DHCP messages
    • DHCP starvation: DHCP starvation req messages
    • DHCP uplink: Uplink DHCP messages
    • IPv6: IPv6 packets
    • NetBIOS datagram service: NetBIOS datagram services packets

     

    Filter Clients by MAC Address

    Enable/disable using a RADIUS server to filter clients be MAC address, then select the server from the drop-down list. See RADIUS servers for information on adding a RADIUS server.

     

    VLAN Pooling

    Enable/disable VLAN pooling, allowing you to group multiple wireless controller VLANs into VLAN pools. These pools are used to load-balance sessions evenly across multiple VLANs.

    • Managed AP Group: Select devices to include in the group.
    • Round Robin
    • Hash

    This option is not available when the traffic mode is Mesh.

     

    Quarantine Host

    Enable/disable station quarantine (default = enable).

    This option is only available when the security mode includes WPA or WPA2.

     

    Encrypt

    Select the data encryption protocol:

    • TKIP: Temporal Key Integrity Protocol, used by the older WPA standard.
    • AES: Advanced Encryption Standard, commonly used with the newer WPA2 standard (default).
    • TKIP-AES: Use both protocols to provide backward compatibility for legacy devices. This option is not recommended, as attackers will only need to breach the weaker encryption of the two (TKIP).

    This option is only available when the security mode includes WPA or WPA2.

     

    QoS Profile

    Select the QoS profile from the drop-down list.

    Advanced Options

    Configure advanced options. For information, see the FortiOS CLI Reference: http://help.fortinet.com/cli/fos60hlp/60/index.htm.

To create a new SSID group:
  1. On the SSID pane, click Create New > SSID Group in the toolbar. The Create New SSID Group windows opens.
  2. Enter a name for the group in the Name field.
  3. Optionally, enter a brief description of the group in the Comment box.
  4. Optionally, add SSIDs to the group in the Members field.
  5. Click OK to create the SSID group.
To edit an SSID or groups:
  1. Either double-click on an SSID, select as SSID and then click Edit in the toolbar, or right-click then select Edit from the menu. The Edit SSIDor Edit SSID Group window opens.
  2. Edit the settings as required. The SSID name and traffic mode cannot be edited.
  3. Click OK to apply your changes.
To delete SSIDs or groups:
  1. Select the SSIDs and groups that you would like to delete.
  2. Either click Delete in the toolbar, or right-click and select Delete.
  3. Click OK in the confirmation dialog box to delete the selected SSIDs and groups.

    Deleting a group does not delete the SSIDs that are in the group.

To clone an SSID or group:
  1. Either select an SSID or group and click Clone in the toolbar, or right-click on the SSID or group name, and select Clone. The Clone SSID or Clone SSID Group dialog box opens.
  2. Edit the settings as required. An SSID's traffic mode cannot be edited.
  3. Click OK to clone the SSID.
To import an SSID:
  1. Click Import in the toolbar. The Import dialog box opens.
  2. Select a FortiGate from the dropdown list. The list will include all of the devices in the current ADOM.
  3. Select the SSID or SSIDs to be imported from the Profile dropdown list.
  4. Click OK to import the SSID or SSIDs.

SSIDs

To view SSIDs and SSID groups, go to AP Manager > WiFi Profiles, and select SSID in the tree menu.

The following options are available in the toolbar and right-click menu:

Create New

Create a new SSID or SSID group.

Edit

Edit the selected SSID or group.

Delete

Delete the selected SSID or group.

Clone

Clone the selected SSID or group.

Import

Import SSIDs from a connected FortiGate (toolbar only).

When creating a new SSID, the available options will change depending on the selected traffic mode: Tunnel to Wireless Controller, Local bridge with FortiAP's Interface, or Mesh Downlink.

To create a new SSID:
  1. On the SSID pane, click Create New > SSID in the toolbar, or select it from the right-click menu. The Create New SSID Profile windows opens.

  2. Enter the following information, then click OK to create the new tunnel to wireless controller SSID:

    Interface Name

    Type a name for the SSID.

    Alias

    Set the alias for SSID.

    Traffic Mode

    Select the traffic mode: Tunnel, Bridge, or Mesh.

    WiFi Settings

     

    SSID

    Type the wireless service set identifier (SSID), or network name, for this wireless interface. Users who want to use the wireless network must configure their computers with this network name.

     

    Security Mode

    Select a security mode:

    Captive Portal

    WPA Only Personal

    OPEN

    WPA Only Personal Captive Portal

    Osen

    WPA Personal

    WEP 128

    WPA Personal Captive Portal

    WEP 64

    WPA2 Only Personal

    WPA Enterprise

    WPA2 Only Enterprise

    WPA Only Enterprise

    WPA2 Only Personal Captive Portal

    Only WPA and WPA2 Personal modes are available when the traffic mode is Mesh.

     

    Pre-shared Key

    Enter the pre-shared key for the SSID.

    This option is only available when the security mode includes WPA or WPA2 personal.

     

    Local Standalone

    Enable/disable AP local standalone (default = disable).

    This option is only available when the traffic mode is Bridge.

     

    Local Authentication

    Enable/disable AP local authentication.

    This option is only available when the traffic mode is Bridge.

     

    Client Limit

    The maximum number of clients that can simultaneously connect to the AP (0 - 4294967295, default = 0, meaning no limitation).

     

    Client Limit per Radio

    The maximum number of clients that can simultaneously connect to each radio (0 - 4294967295, default = 0, meaning no limitation).

    This option is only available when Local Standalone is enabled.

     

    Multiple Pre-Shared Keys

    Enable/disable multiple pre-shared keys.

    In the table, click Create to create a new key. Enter the key name, value, client limit, and comments (optional), then click OK. Click Edit to edit the selected key. Click Delete to delete the selected key or keys.

    This option is only available when the security mode includes WPA or WPA2 personal and the traffic mode is not Mesh.

     

    Default Client Limit Per Key

    Enable/disable a maximum number of clients that can simultaneously connect using each pre-shared key, then enter the maximum number.

    This option is only available when the Multiple Pre-Shared Keys is enabled.

     

    Portal Type

    Select the portal type: Authentication (default), Disclaimer + Authentication, Disclaimer Only, or Email Collection.

    This option is only available when the security mode includes captive portal.

     

    Authentication Portal

    Select Local or External. If External is selected, enter the URL of the portal.

    This option is only available when the portal type includes authentication.

     

    User Groups

    Select the user group to add from the dropdown list. Select the plus symbol to add multiple groups.

    This option is only available when the portal type includes authentication.

     

    Exempt Sources

    Select exempt sources to add from the dropdown list.

    This option is only available when the portal type includes authentication.

     

    Devices

    Select exempt devices to add from the dropdown list.

    This option is only available when the portal type includes authentication.

     

    Exempt Destinations

    Select exempt destinations to add from the dropdown list.

    This option is only available when the portal type includes authentication.

     

    Exempt Services

    Select exempt services to add from the dropdown list.

    This option is only available when the portal type includes authentication.

     

    Customize Portal Messages

    Select to allow for customized portal messages. Portal messages cannot be customized until after the interface has been created.

    This option is only available when the portal type includes disclaimer, email collection, or CMCC without MAC authentication.

     

    Redirect after Captive Portal

    Select Original Request or Specific URL. If Specific URL is selected, enter the redirect URL.

    This option is only available when the security mode includes captive portal.

     

    Authentication

    Select the authentication method for the SSID, either Local or RADIUS Server, then select the requisite server or group from the dropdown list.

    This option is only available when the security mode is includes WPA or WPA2 enterprise.

     

    Broadcast SSID

    Enable/disable broadcasting the SSID (default = enable).

    Broadcasting enables clients to connect to the wireless network without first knowing the SSID. For better security, do not broadcast the SSID.

     

    Schedule

    Select a schedule to control the availability of the SSID. For information on creating a schedule object, see Create a new object.

     

    Block Intra-SSID Traffic

    Enable/disable blocking communication between clients of the same AP (default = disable).

     

    Broadcast Suppression

    Optional suppression of broadcast message types:

    • All other broadcast: All other broadcast messages
    • All other multicast: All other multicast messages
    • ARP poison: ARP poison messages from wireless clients
    • ARP proxy: ARP requests for wireless clients as a proxy
    • ARP replies: ARP replies from wireless clients
    • ARPs for known clients: ARP for known messages
    • ARPs for unknown clients: ARP for unknown messages
    • DHCP downlink: Downlink DHCP messages
    • DHCP starvation: DHCP starvation req messages
    • DHCP uplink: Uplink DHCP messages
    • IPv6: IPv6 packets
    • NetBIOS datagram service: NetBIOS datagram services packets

     

    Filter Clients by MAC Address

    Enable/disable using a RADIUS server to filter clients be MAC address, then select the server from the drop-down list. See RADIUS servers for information on adding a RADIUS server.

     

    VLAN Pooling

    Enable/disable VLAN pooling, allowing you to group multiple wireless controller VLANs into VLAN pools. These pools are used to load-balance sessions evenly across multiple VLANs.

    • Managed AP Group: Select devices to include in the group.
    • Round Robin
    • Hash

    This option is not available when the traffic mode is Mesh.

     

    Quarantine Host

    Enable/disable station quarantine (default = enable).

    This option is only available when the security mode includes WPA or WPA2.

     

    Encrypt

    Select the data encryption protocol:

    • TKIP: Temporal Key Integrity Protocol, used by the older WPA standard.
    • AES: Advanced Encryption Standard, commonly used with the newer WPA2 standard (default).
    • TKIP-AES: Use both protocols to provide backward compatibility for legacy devices. This option is not recommended, as attackers will only need to breach the weaker encryption of the two (TKIP).

    This option is only available when the security mode includes WPA or WPA2.

     

    QoS Profile

    Select the QoS profile from the drop-down list.

    Advanced Options

    Configure advanced options. For information, see the FortiOS CLI Reference: http://help.fortinet.com/cli/fos60hlp/60/index.htm.

To create a new SSID group:
  1. On the SSID pane, click Create New > SSID Group in the toolbar. The Create New SSID Group windows opens.
  2. Enter a name for the group in the Name field.
  3. Optionally, enter a brief description of the group in the Comment box.
  4. Optionally, add SSIDs to the group in the Members field.
  5. Click OK to create the SSID group.
To edit an SSID or groups:
  1. Either double-click on an SSID, select as SSID and then click Edit in the toolbar, or right-click then select Edit from the menu. The Edit SSIDor Edit SSID Group window opens.
  2. Edit the settings as required. The SSID name and traffic mode cannot be edited.
  3. Click OK to apply your changes.
To delete SSIDs or groups:
  1. Select the SSIDs and groups that you would like to delete.
  2. Either click Delete in the toolbar, or right-click and select Delete.
  3. Click OK in the confirmation dialog box to delete the selected SSIDs and groups.

    Deleting a group does not delete the SSIDs that are in the group.

To clone an SSID or group:
  1. Either select an SSID or group and click Clone in the toolbar, or right-click on the SSID or group name, and select Clone. The Clone SSID or Clone SSID Group dialog box opens.
  2. Edit the settings as required. An SSID's traffic mode cannot be edited.
  3. Click OK to clone the SSID.
To import an SSID:
  1. Click Import in the toolbar. The Import dialog box opens.
  2. Select a FortiGate from the dropdown list. The list will include all of the devices in the current ADOM.
  3. Select the SSID or SSIDs to be imported from the Profile dropdown list.
  4. Click OK to import the SSID or SSIDs.