
Administration Guide

SSID mappings

For supported wireless devices in the FortiNAC database you can configure Secure (802.1x) and Open SSIDs. The configuration is saved to the FortiNAC database. When configuring SSIDs, FortiNAC reads the existing configuration from the access point.

Supported wireless devices include: HP MSM Controllers, Ruckus Controllers and Xirrus Arrays.

The two primary functions for SSIDs configured through Wireless Security are to provide guest access and to allow network users to register devices on the network (Device Onboarding). Each of these functions can use either a Secure or an Open SSID and any given SSID can be used for more than one type of access.

Guest access

When Guest Management is selected, the Open SSID configuration includes access and isolation User Groups/VLANs, guest templates and the RADIUS secret. Existing Open SSIDs are read from the device by FortiNAC and they are displayed here.

The Secure SSID configuration for guest access includes access and isolation User Groups/VLANs, guest templates and RADIUS server information. These SSIDs are typically used by people with an 802.1x supplicant already installed on their wireless devices. Existing Secure SSIDs are read from the device by FortiNAC and they are displayed here. If a supplicant is required, this type of SSID may not be the best option for guests because the supplicant would need to be supplied separately.

Add or configure a Wireless Network (SSID) Mapping for each guest template. Guest templates control the SSIDs to which guests or users can connect. A guest account is created using a guest template. That association with the guest template remains on the guest account and a guest can ONLY connect to this SSID if the template on the account matches the template on the SSID Mapping. The same SSID can have multiple configuration records with different guest templates. Multiple SSID Mappings can have the same guest template.

Device onboarding

When Device Onboarding is selected, the Open SSID Mapping can limit access to the SSID based on the operating system of the connecting device. If you are authenticating through LDAP, only users who are in the selected directory group with one of the approved operating systems can connect to this SSID. The Mapping also includes access and isolation User Groups/VLANs selected from the configuration on the device. The Open SSID can be leveraged to serve a supplicant configuration to the connecting host for one of your Secure SSIDs.

The Secure SSID Mapping for Device Onboarding can limit access to the SSID based on the operating system of the connecting host. If you are authenticating through LDAP, the selected directory group also serves as criteria for connecting to this SSID. The Mapping includes RADIUS server information and access and isolation User Groups/VLANs selected from the configuration on the wireless device.

Supplicant configuration

Add or configure one or more Open SSIDs to serve supplicant configurations for Secure SSIDs, if needed. The supplicant configuration must be served via an Open SSID because it is the only SSID to which an unknown user can connect.

Note

Titles of windows and field names may vary depending on the brand of the device being configured. For example, HP devices use VSC to represent the record for the SSID and its configuration details. Screenshots and settings were taken using a Xirrus Wireless Array.

Settings

Field

Definition

SSID Name

Network name of the SSID configuration that includes all of the settings for the SSID, such as User Group.

SSID

Broadcast SSID name. Typically this is read from the array.

Mapping Type

Indicates whether this SSID Mapping is for Guest Management or Device Onboarding.

Guest Template

Guest template associated with this SSID. Only guests whose accounts were created with this guest template can access the network via this SSID.

Access User Group

Name or number of the network access identifier where a known host or device will be placed, such as User Group, VLAN ID or VLAN Name.

Isolation User Group

Name or number of the network access identifier, such as User Group, VLAN ID or VLAN Name, for the Isolation VLAN where an unknown host or device will be placed.

Operating Systems

Allows or denies access to an SSID based on the operating system of the connecting host. Options include:

  • Windows
  • macOS
  • iOS
  • Android
  • RIM
  • Windows Mobile

Directory Group

Allows or denies access to an SSID based on the directory group of the connecting user. If you are authenticating through RADIUS instead of LDAP, this option is hidden.

Supplicant Configuration

Name of the supplicant configuration that will be served to hosts that connect to the selected SSID. Only Open SSIDs used for Device Onboarding can serve supplicant configurations.

Portal Configuration

Name of the Portal that will be applied to hosts connecting via this SSID.

Primary RADIUS Server

RADIUS server that will be used by FortiNAC for authentication.

Secondary RADIUS Server

Secondary RADIUS server that will be used by FortiNAC for authentication if the primary RADIUS server cannot be reached.

RADIUS Secret

Encryption key used by the RADIUS server to send authentication information. The RADIUS secret must be the same in FortiNAC RADIUS settings, on the SSID configuration and on the access point itself.

Buttons

Apply To

Copies SSID Mappings to selected device models in the database based on matching SSID Names. Configure SSIDs in an environment where roaming is used and SSIDs must have the same configuration across multiple access points.
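
The rules this page states for SSID Mappings can be checked offline against an inventory of mapping records. The Python audit below is an added example, not Fortinet code: the record layout, field names, device names and secrets are constructed, and the check that the isolation group differs from the access group is an assumption rather than a rule from this guide.

```python
from collections import defaultdict

# Constructed inventory; field names are hypothetical, not a FortiNAC export format.
NAC_SECRET = "example-secret-A"
AP_SECRETS = {"xirrus-1": "example-secret-A", "xirrus-2": "example-secret-B"}
MAPPINGS = [
    {"device": "xirrus-1", "ssid_name": "Guest", "security": "open", "type": "guest",
     "guest_template": "Visitor", "access": "VLAN 30", "isolation": "VLAN 99",
     "radius_secret": "example-secret-A", "supplicant_config": None},
    {"device": "xirrus-2", "ssid_name": "Guest", "security": "open", "type": "guest",
     "guest_template": "Visitor", "access": "VLAN 31", "isolation": "VLAN 99",
     "radius_secret": "example-secret-A", "supplicant_config": None},
    {"device": "xirrus-1", "ssid_name": "Corp", "security": "secure", "type": "onboarding",
     "guest_template": None, "access": "VLAN 10", "isolation": "VLAN 10",
     "radius_secret": "example-secret-A", "supplicant_config": "Corp-EAP"},
]

def audit(mappings, nac_secret, ap_secrets):
    """Return sorted (device, ssid_name, finding) tuples; secrets are never echoed."""
    findings = set()
    roaming = defaultdict(set)
    for m in mappings:
        where = (m["device"], m["ssid_name"])
        # Page rule: only Open SSIDs used for Device Onboarding serve supplicant configs.
        if m["supplicant_config"] and (m["security"], m["type"]) != ("open", "onboarding"):
            findings.add(where + ("supplicant config on non-Open/non-onboarding mapping",))
        # Page rule: secret identical in FortiNAC, on the SSID configuration and on the AP.
        if len({nac_secret, m["radius_secret"], ap_secrets.get(m["device"])}) != 1:
            findings.add(where + ("RADIUS secret mismatch",))
        # Assumed sanity check: unknown hosts must not land in the access group.
        if m["access"] == m["isolation"]:
            findings.add(where + ("isolation group equals access group",))
        roaming[(m["ssid_name"], m["type"], m["guest_template"])].add(
            (m["security"], m["access"], m["isolation"]))
    # Page rule (roaming): one SSID Name carries the same settings on every device.
    for (name, _type, _template), variants in roaming.items():
        if len(variants) > 1:
            findings.add(("*", name, "settings differ across devices"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(MAPPINGS, NAC_SECRET, AP_SECRETS):
        print(*finding, sep=" | ")
```

Records are grouped by SSID Name, mapping type and guest template before the roaming comparison, because the same SSID can legitimately carry several records with different guest templates.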
