
Administration Guide

7.2.0

SSID configuration

SSIDs on some wireless devices can be configured with VLAN/Role settings that differ from those of the parent device. This lets you treat each SSID differently: for example, an SSID that provides only Internet access for guests and a separate, more secure SSID that requires authentication for staff.

Note

In an environment where there are multiple SSIDs that have the same name, FortiNAC cannot manage those SSIDs individually. Make sure that SSIDs do not have the same name.

  1. Click Network > Inventory.
  2. Expand the container where the wireless device is located.
  3. Select a device.
  4. In the right pane, select the SSID tab.
  5. Right-click on the SSID and select SSID Configuration. To modify multiple SSIDs simultaneously, see Modify multiple SSIDs.
  6. Use the table below to configure the SSID.
  7. Click OK to save.
Settings

RADIUS

Use Inherited RADIUS Server Definitions from Device

If enabled, the SSID inherits the RADIUS server settings of its parent device.

Use Custom Settings

If enabled, allows you to choose the primary and secondary RADIUS servers for this SSID (the servers inherited from the device are shown in parentheses as the defaults) and to set the RADIUS Secret.

Primary RADIUS Server

The RADIUS server used for authenticating users connecting to the network through this SSID.

See RADIUS for information on configuring your RADIUS servers.

Secondary RADIUS Server

If the primary RADIUS server fails to respond, this RADIUS server is used for authenticating users connecting to the network until the primary RADIUS server responds.

RADIUS Secret

The Secret used for RADIUS authentication.

Click the field to add or modify the RADIUS Secret.

Note

The RADIUS Secret used must be exactly the same on the wireless device, on the RADIUS server and in the FortiNAC software under RADIUS Settings and Model Configuration.
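Why the secret has to match byte for byte, as an added example (not FortiNAC or Fortinet code): an Access-Accept carries a Response Authenticator computed over the packet and the shared secret (RFC 2865, section 3). The wireless device recomputes it with its own copy of the secret and silently discards any reply that does not check out, so a mismatched or whitespace-padded secret shows up as a primary server that "fails to respond" (and a failover to the secondary) rather than as a reported error. The packet, secrets and VLAN attributes below are constructed for the illustration.

```python
"""Check a RADIUS Access-Accept against the shared secret (RFC 2865, section 3).

Added example, not FortiNAC code. The Response Authenticator is
MD5(Code + ID + Length + RequestAuth + Attributes + Secret). The NAS (the
wireless device) recomputes it with its own secret and drops any reply that
fails the check. Packet contents and secrets below are constructed.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tunnel_attrs(vlan_id: int, tag: int = 0) -> list:
    """Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6), Tunnel-Private-Group-ID.

    Tunnel attributes carry a one-octet Tag before the value (RFC 2868).
    """
    return [
        encode_attr(64, bytes([tag]) + (13).to_bytes(3, "big")),
        encode_attr(65, bytes([tag]) + (6).to_bytes(3, "big")),
        encode_attr(81, bytes([tag]) + str(vlan_id).encode()),
    ]


def build_access_accept(pkt_id: int, request_auth: bytes, attrs: list, secret: bytes) -> bytes:
    """Server side: assemble an Access-Accept and sign it with the secret."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, pkt_id, HEADER_LEN + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_access_accept(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator with *our* copy of the secret."""
    if len(packet) < HEADER_LEN:
        return False
    code, _pkt_id, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    body = packet[HEADER_LEN:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)


# Constructed sample: the Request Authenticator the NAS sent with its
# Access-Request, the secret configured on the server, and a NAS-side copy
# that differs only by a trailing space (a classic copy-paste mismatch).
REQUEST_AUTH = bytes(range(16))
SECRET_ON_SERVER = b"Sh4red-S3cret"
SECRET_ON_NAS_PADDED = b"Sh4red-S3cret "

# Server answers: put the host in VLAN 100.
ACCEPT = build_access_accept(0x2A, REQUEST_AUTH, tunnel_attrs(100), SECRET_ON_SERVER)


def demo() -> dict:
    """The same Accept, checked with the matching and the padded secret, plus a tampered copy."""
    tampered = ACCEPT[:-1] + bytes([ACCEPT[-1] ^ 0x01])  # VLAN "100" -> "101" in flight
    return {
        "secret_matches": verify_access_accept(ACCEPT, REQUEST_AUTH, SECRET_ON_SERVER),
        "secret_padded": verify_access_accept(ACCEPT, REQUEST_AUTH, SECRET_ON_NAS_PADDED),
        "tampered_vlan": verify_access_accept(tampered, REQUEST_AUTH, SECRET_ON_SERVER),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'accepted' if ok else 'silently dropped'}")
```

With the matching secret the Accept is accepted; with the padded secret the identical packet is dropped, which on the device looks like a RADIUS timeout rather than a configuration error. The tampered copy is dropped too, which is the other thing the authenticator buys you: the VLAN assignment cannot be altered on the wire without the secret.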

Show/Hide Button

Allows you to display or hide the RADIUS secret.

Enable RADIUS authentication for this device

When selected, FortiNAC will process RADIUS requests from the device.

Mode

The RADIUS Authentication Mode to be used when a RADIUS request is received from the modeled device.

Local: Use the Local RADIUS server. Enter the RADIUS Secret, and choose the attributes to be sent in the Accept packet.

Proxy: Use the RADIUS Proxy. Optionally choose to override the RADIUS server to proxy to and enter the RADIUS secret.

Default RADIUS Attribute Group (Local RADIUS Option)

The default RADIUS Attributes to be sent for all accepted requests from this device. Hover over the group name to see what attributes and values will be sent. FortiNAC has pre-built attribute groups that can be used for most devices.

Network access

Use Inherited Network Access Policy from Device

If enabled, the SSID inherits the network access or VLAN/role settings of its parent device.

Use Custom Settings

If enabled, allows you to customize the network access policy instead of using the inherited policy from the device.

Access Enforcement

When Use Custom Settings is enabled, this set of drop-down menus works in conjunction with the Host States listed below to determine treatment for hosts when no VLAN/Role value is supplied or when access control is being enforced. Options include:

  • Deny: Host will be denied access to the network when it is in this state. For example, if the host is not registered and Registration is set to Deny, the host connection will be rejected.

    Note

    Endpoints that have been denied access may continuously request access which can unnecessarily consume system resources.

  • Bypass: Host will be allowed access to the network when it is in this state. The host will be placed on the default VLAN/Role configured on the device for this port or SSID. For example, if Quarantine is set to Bypass, hosts that fail a scan and would normally be placed in Quarantine are placed in the default VLAN/Role on the device.
  • Enforce: Indicates that the host will be placed in the VLAN/Role specified in the Access Value column for this state.

Access Value

VLAN/Role where a host in this state should be placed when it connects to the network. If Enforce is selected in the Access Enforcement field you must enter a value in the Access Value field.
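How the Access Enforcement and Access Value rows combine with the inherit-from-device switch, as an added example (not FortiNAC code): it models Deny / Bypass / Enforce per host state, the "Enforce requires an Access Value" rule, and the "None means the device's own default VLAN/Role" rule for the Default state, so an SSID's settings can be checked before they are applied. The class and function names (AccessPolicy, Device, Ssid, decide), the sample controller and SSIDs, and treating the device's default VLAN/Role as a single value are assumptions for this illustration.

```python
"""Resolve what a host gets on an SSID from the Access Enforcement / Access Value rows.

Added example, not FortiNAC code. Models the page's per-host-state Deny /
Bypass / Enforce options and the inherit-from-device switch. Names and the
sample data are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HOST_STATES = ("Default", "Dead End", "Registration", "Quarantine", "Authentication")
ENFORCEMENT_OPTIONS = ("Deny", "Bypass", "Enforce")


@dataclass
class AccessPolicy:
    """Per host state: the enforcement option and the Access Value (VLAN/Role)."""
    enforcement: Dict[str, str] = field(default_factory=dict)
    access_value: Dict[str, Optional[str]] = field(default_factory=dict)


@dataclass
class Device:
    name: str
    device_default: str  # default VLAN/Role configured on the device itself (assumed single value)
    policy: AccessPolicy


@dataclass
class Ssid:
    name: str
    use_custom_settings: bool = False
    policy: Optional[AccessPolicy] = None


def validate(policy: AccessPolicy) -> List[str]:
    """Problems the UI would reject: missing/unknown options, Enforce with no Access Value."""
    problems = []
    for state in HOST_STATES:
        option = policy.enforcement.get(state)
        if option is None:
            problems.append(f"{state}: no enforcement option set")
        elif option not in ENFORCEMENT_OPTIONS:
            problems.append(f"{state}: unknown option {option!r}")
        elif option == "Enforce" and state != "Default" and not policy.access_value.get(state):
            # Default may be left as None (device default); the isolation states may not.
            problems.append(f"{state}: Enforce selected but Access Value is empty")
    return problems


def effective_policy(device: Device, ssid: Ssid) -> AccessPolicy:
    """Custom settings win when enabled; otherwise the SSID inherits the device's policy."""
    if ssid.use_custom_settings and ssid.policy is not None:
        return ssid.policy
    return device.policy


def decide(device: Device, ssid: Ssid, host_state: str) -> Tuple[str, Optional[str]]:
    """Return ("reject", None) or ("place", vlan_or_role) for a host in host_state."""
    policy = effective_policy(device, ssid)
    problems = validate(policy)
    if problems:
        raise ValueError("; ".join(problems))
    option = policy.enforcement[host_state]
    if option == "Deny":
        return ("reject", None)
    if option == "Bypass":
        return ("place", device.device_default)
    value = policy.access_value.get(host_state)
    return ("place", value if value else device.device_default)  # Default + None


# Constructed sample: a controller whose staff SSID inherits the device policy
# and a guest SSID with custom, more permissive settings.
CONTROLLER = Device(
    name="wlc-1",
    device_default="10",
    policy=AccessPolicy(
        enforcement={state: "Enforce" for state in HOST_STATES},
        access_value={"Default": None, "Dead End": "999", "Registration": "20",
                      "Quarantine": "30", "Authentication": "40"},
    ),
)
STAFF = Ssid("Corp-Staff")  # Use Inherited Network Access Policy from Device
GUEST = Ssid(
    "Guest-Internet",
    use_custom_settings=True,
    policy=AccessPolicy(
        enforcement={"Default": "Enforce", "Dead End": "Deny", "Registration": "Bypass",
                     "Quarantine": "Bypass", "Authentication": "Bypass"},
        access_value={"Default": "200"},
    ),
)


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Where a host lands on each SSID, per host state."""
    return {
        "staff/Registration": decide(CONTROLLER, STAFF, "Registration"),
        "staff/Default": decide(CONTROLLER, STAFF, "Default"),
        "guest/Registration": decide(CONTROLLER, GUEST, "Registration"),
        "guest/Dead End": decide(CONTROLLER, GUEST, "Dead End"),
        "guest/Default": decide(CONTROLLER, GUEST, "Default"),
    }


if __name__ == "__main__":
    for key, (action, vlan) in demo().items():
        print(f"{key}: {action} {vlan or ''}".rstrip())
```

The guest SSID shows the Bypass behaviour from the list above: an unregistered host lands on the device default VLAN (10) instead of the registration VLAN, while a disabled host is rejected outright. Feeding validate() a policy with Enforce selected and no Access Value returns one problem per isolation state, which is the check worth running before saving an SSID that does not inherit from its device.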

Dot1x Auto Registration

Enabled/Disabled per SSID (disabled by default). Automatic registration of a host based upon the user's 802.1x authentication with the RADIUS server. Upon successful 802.1x authentication, FortiNAC registers the host to the authenticated user prior to the network policy being determined.

Requirements:

  • FortiNAC version 8.5.2 or higher
  • RADIUS request from the controller/access point must contain RADIUS Attribute 30 (Called-Station-Id) with the SSID value included
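Checking a request for what Dot1x Auto Registration needs, and catching the duplicate-name case from the note at the top of this page, as an added example (not FortiNAC code). Wireless controllers commonly send Called-Station-Id as "<AP MAC>:<SSID>", with the MAC separator varying by vendor; a controller that sends only the MAC cannot auto-register anyone. The function names, the sample SSID tab and the request attributes are constructed for this illustration, and "duplicate" here means the same name appearing more than once on one device's SSID tab.

```python
"""Extract the SSID from RADIUS Called-Station-Id (attribute 30) and check that
it maps to exactly one SSID modeled on the device.

Added example, not FortiNAC code. Attribute values and SSID lists below are
constructed; the "<AP MAC>:<SSID>" layout is the common controller format.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

CALLED_STATION_ID = 30   # RFC 2865: the AP/SSID the client connected to
CALLING_STATION_ID = 31  # RFC 2865: the client's own MAC

# AP MAC with "-", ":" or no separator, optionally followed by ":<SSID>".
_CSID = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}[-:]?){5}[0-9A-Fa-f]{2})(?::(?P<ssid>.+))?$"
)


def parse_called_station_id(value: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (ap_mac, ssid); ssid is None when the controller sent only the MAC."""
    m = _CSID.match(value.strip())
    if not m:
        return (None, None)
    mac = re.sub(r"[-:]", "", m.group("mac")).lower()
    return (mac, m.group("ssid"))


def duplicate_ssid_names(ssids: List[str]) -> List[str]:
    """Names that appear more than once on a device's SSID tab (SSIDs are case-sensitive)."""
    return sorted(name for name, n in Counter(ssids).items() if n > 1)


def auto_registration_readiness(attrs: Dict[int, str], ssids: List[str]) -> Tuple[bool, str]:
    """Whether a request carries what Dot1x Auto Registration needs for this device."""
    raw = attrs.get(CALLED_STATION_ID)
    if raw is None:
        return (False, "attribute 30 (Called-Station-Id) missing")
    _mac, ssid = parse_called_station_id(raw)
    if ssid is None:
        return (False, f"attribute 30 carries no SSID: {raw!r}")
    if ssid in duplicate_ssid_names(ssids):
        return (False, f"SSID {ssid!r} is defined more than once; cannot be managed individually")
    if ssid not in ssids:
        return (False, f"SSID {ssid!r} is not on this device's SSID tab")
    return (True, f"SSID {ssid!r}")


# Constructed sample: one controller's SSID tab (with an accidental duplicate)
# and four requests as their attributes would arrive.
DEVICE_SSIDS = ["Corp-Staff", "Guest-Internet", "IoT", "Guest-Internet"]
REQUESTS = {
    "staff": {CALLED_STATION_ID: "00-11-22-33-44-55:Corp-Staff",
              CALLING_STATION_ID: "aa-bb-cc-dd-ee-01"},
    "guest": {CALLED_STATION_ID: "00:11:22:33:44:55:Guest-Internet",
              CALLING_STATION_ID: "aa-bb-cc-dd-ee-02"},
    "mac_only": {CALLED_STATION_ID: "001122334455",
                 CALLING_STATION_ID: "aa-bb-cc-dd-ee-03"},
    "no_csid": {CALLING_STATION_ID: "aa-bb-cc-dd-ee-04"},
}


def demo() -> Dict[str, Tuple[bool, str]]:
    """Readiness verdict for each constructed request."""
    return {name: auto_registration_readiness(attrs, DEVICE_SSIDS)
            for name, attrs in REQUESTS.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:8s} {'READY' if ok else 'NOT READY'}: {why}")
```

Only the staff request passes. The guest request is refused because "Guest-Internet" appears twice on the SSID tab, the MAC-only request because the controller did not include the SSID in attribute 30, and the last one because attribute 30 is absent altogether. Capturing a real Access-Request from the controller and feeding its attribute 30 to parse_called_station_id() is the quickest way to confirm the second requirement before enabling Dot1x Auto Registration.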

Additional RADIUS Attribute Group (Local RADIUS option)

For each Logical Network, you can choose to either use the default values only, or to append and overwrite with another attribute group. Hover over the group name to see what attributes and values will be sent.

Host state

Default

The Default VLAN value is stored in the FortiNAC database and is used when the VLAN is not determined by another method, such as a network access policy.

Typically, if a VLAN is specified as the Default, it is the VLAN used for "normal" or "production" network access. It will be used for all the untagged (non-uplink) ports on the device.

Select None to use the default VLAN/Role configured on the device.

Dead End

The dead end VLAN for this SSID. Isolates disabled hosts with limited or no network connectivity from the production network.

Registration

The registration VLAN for this SSID. Isolates unregistered hosts from the production network during host registration.

Quarantine

The quarantine VLAN for this SSID. Isolates hosts from the production network who pose a security risk because they failed a scan defined in an endpoint compliance policy.

Authentication

The authentication VLAN for this SSID. Isolates registered hosts from the production network during user authentication.
