Fortinet black logo

Administration Guide

SSID configuration

Copy Link
Copy Doc ID 3c991e35-cb27-11ec-81de-fa163e15d75b:875108

SSID configuration

SSIDs on some wireless devices can be configured with VLAN/Role settings that are different than those of the parent device. This option allows you to provide different treatment for each SSID. For example, you can have an SSID that provides only Internet access for guests and a separate more secure SSID that requires authentication for staff.

Note

In an environment where there are multiple SSIDs that have the same name, FortiNAC cannot manage those SSIDs individually. Make sure that SSIDs do not have the same name.

  1. Click Network > Inventory.
  2. Expand the container where the wireless device is located.
  3. Select a device.
  4. In the right pane, select the SSID tab.
  5. Right-click on the SSID and select SSID Configuration. To modify multiple SSIDs simultaneously, see Modify multiple SSIDs.
  6. Use the table below to configure the SSID.
  7. Click OK to save.
Settings

Settings

Description

RADIUS

Use Inherited RADIUS Server
Definitions from Device

If enabled, the SSID inherits the RADIUS server settings of its parent device.

Use Custom Settings

If enabled, allows you to set the default primary and secondary RADIUS servers to the servers indicated in parentheses and set the RADIUS Secret.

Primary RADIUS Server

The RADIUS server used for authenticating users connecting to the network through this SSID.

See RADIUS for information on configuring your RADIUS servers.

Secondary RADIUS Server

If the primary RADIUS server fails to respond, this RADIUS server is used for authenticating users connecting to the network until the primary RADIUS server responds.

RADIUS Secret

The Secret used for RADIUS authentication.

Click the field to add or modify the RADIUS Secret.

Note

The RADIUS Secret used must be exactly the same on the wireless device, on the RADIUS server and in the FortiNAC software under RADIUS Settings and Model Configuration.

Show/Hide Button

Allows you to display or hide the RADIUS secret.

Enable RADIUS authentication for this device

When selected, FortiNAC will process RADIUS requests from the device.

Mode

The RADIUS Authentication Mode to be used when a RADIUS request is received from the modeled device.

Local: Use the Local RADIUS server. Enter the RADIUS Secret, and choose the attributes to be sent in the Accept packet.

Proxy: Use the RADIUS Proxy. Optionally choose to override the RADIUS server to proxy to and enter the RADIUS secret.

Default RADIUS Attribute Group (Local RADIUS Option)

The default RADIUS Attributes to be sent for all accepted requests from this device. Hover over the group name to see what attributes and values will be sent. FortiNAC has pre-built attribute groups that can be used for most devices.

Network access

Use Inherited Network Access Policy from Device

If enabled, the SSID inherits the network access or VLAN/role settings of its parent device.

Use Custom Settings

If enabled, allows you to customize the network access policy instead of using the inherited policy from the device.

Access Enforcement

When Use Custom Settings is enabled, this set of drop-down menus works in conjunction with the Host States listed below to determine treatment for hosts when no VLAN/Role value is supplied or when access control is being enforced. Options include:

  • Deny: Host will be denied access to the network when it is in this state. For example, if the host is not registered and Registration is set to Deny, the host connection will be rejected.

    Note

    Endpoints that have been denied access may continuously request access which can unnecessarily consume system resources.

  • Bypass: Host will be allowed access to the network when it is in this state. The host will be placed on the default VLAN/Role configured on the device for this port or SSID. For example, if Quarantine is set to Bypass, hosts that fail a scan and would normally be placed in Quarantine are placed in the default VLAN/Role on the device.
  • Enforce: Indicates that the host will be placed in the VLAN/Role specified in the Access Value column for this state.

Access Value

VLAN/Role where a host in this state should be placed when it connects to the network. If Enforce is selected in the Access Enforcement field you must enter a value in the Access Value field.

Dot1x Auto Registration

Enabled/Disabled per SSID (disabled by default). Automatic registration of a host based upon the user's 802.1x authentication with the RADIUS server. Upon successful 802.1x authentication, FortiNAC registers the host to the authenticated user prior to the network policy being determined.

Requirements:

  • FortiNAC version 8.5.2 or higher
  • RADIUS request from Controller/Access Point must contain RADIUS Attribute 30 and include the SSID value

Additional RADIUS Attribute Group (Local RADIUS option)

For each Logical Network, you can choose to either use the default values only, or to append and overwrite with another attribute group. Hover over the group name to see what attributes and values will be sent.

Host state

Default

The Default VLAN value is stored in the FortiNAC database and is used when the VLAN is not determined by another method, such as a network access policy.

Typically, if a VLAN is specified as the Default, it is the VLAN used for "normal" or "production" network access. It will be used for all the untagged (non-uplink) ports on the device.

Select None to use the default VLAN/Role configured on the device.

Dead End

The dead end VLAN for this SSID. Isolates disabled hosts with limited or no network connectivity from the production network.

Registration

The registration VLAN for this SSID. Isolates unregistered hosts from the production network during host registration.

Quarantine

The quarantine VLAN for this SSID. Isolates hosts from the production network who pose a security risk because they failed a scan defined in an endpoint compliance policy.

Authentication

The authentication VLAN for this device. Isolates registered hosts from the Production network during user authentication.

SSID configuration

SSIDs on some wireless devices can be configured with VLAN/Role settings that are different than those of the parent device. This option allows you to provide different treatment for each SSID. For example, you can have an SSID that provides only Internet access for guests and a separate more secure SSID that requires authentication for staff.

Note

In an environment where there are multiple SSIDs that have the same name, FortiNAC cannot manage those SSIDs individually. Make sure that SSIDs do not have the same name.

  1. Click Network > Inventory.
  2. Expand the container where the wireless device is located.
  3. Select a device.
  4. In the right pane, select the SSID tab.
  5. Right-click on the SSID and select SSID Configuration. To modify multiple SSIDs simultaneously, see Modify multiple SSIDs.
  6. Use the table below to configure the SSID.
  7. Click OK to save.
Settings

Settings

Description

RADIUS

Use Inherited RADIUS Server
Definitions from Device

If enabled, the SSID inherits the RADIUS server settings of its parent device.

Use Custom Settings

If enabled, allows you to set the default primary and secondary RADIUS servers to the servers indicated in parentheses and set the RADIUS Secret.

Primary RADIUS Server

The RADIUS server used for authenticating users connecting to the network through this SSID.

See RADIUS for information on configuring your RADIUS servers.

Secondary RADIUS Server

If the primary RADIUS server fails to respond, this RADIUS server is used for authenticating users connecting to the network until the primary RADIUS server responds.

RADIUS Secret

The Secret used for RADIUS authentication.

Click the field to add or modify the RADIUS Secret.

Note

The RADIUS Secret used must be exactly the same on the wireless device, on the RADIUS server and in the FortiNAC software under RADIUS Settings and Model Configuration.

Show/Hide Button

Allows you to display or hide the RADIUS secret.

Enable RADIUS authentication for this device

When selected, FortiNAC will process RADIUS requests from the device.

Mode

The RADIUS Authentication Mode to be used when a RADIUS request is received from the modeled device.

Local: Use the Local RADIUS server. Enter the RADIUS Secret, and choose the attributes to be sent in the Accept packet.

Proxy: Use the RADIUS Proxy. Optionally choose to override the RADIUS server to proxy to and enter the RADIUS secret.

Default RADIUS Attribute Group (Local RADIUS Option)

The default RADIUS Attributes to be sent for all accepted requests from this device. Hover over the group name to see what attributes and values will be sent. FortiNAC has pre-built attribute groups that can be used for most devices.

Network access

Use Inherited Network Access Policy from Device

If enabled, the SSID inherits the network access or VLAN/role settings of its parent device.

Use Custom Settings

If enabled, allows you to customize the network access policy instead of using the inherited policy from the device.

Access Enforcement

When Use Custom Settings is enabled, this set of drop-down menus works in conjunction with the Host States listed below to determine treatment for hosts when no VLAN/Role value is supplied or when access control is being enforced. Options include:

  • Deny: Host will be denied access to the network when it is in this state. For example, if the host is not registered and Registration is set to Deny, the host connection will be rejected.

    Note

    Endpoints that have been denied access may continuously request access which can unnecessarily consume system resources.

  • Bypass: Host will be allowed access to the network when it is in this state. The host will be placed on the default VLAN/Role configured on the device for this port or SSID. For example, if Quarantine is set to Bypass, hosts that fail a scan and would normally be placed in Quarantine are placed in the default VLAN/Role on the device.
  • Enforce: Indicates that the host will be placed in the VLAN/Role specified in the Access Value column for this state.

Access Value

VLAN/Role where a host in this state should be placed when it connects to the network. If Enforce is selected in the Access Enforcement field you must enter a value in the Access Value field.

Dot1x Auto Registration

Enabled/Disabled per SSID (disabled by default). Automatic registration of a host based upon the user's 802.1x authentication with the RADIUS server. Upon successful 802.1x authentication, FortiNAC registers the host to the authenticated user prior to the network policy being determined.

Requirements:

  • FortiNAC version 8.5.2 or higher
  • RADIUS request from Controller/Access Point must contain RADIUS Attribute 30 and include the SSID value

Additional RADIUS Attribute Group (Local RADIUS option)

For each Logical Network, you can choose to either use the default values only, or to append and overwrite with another attribute group. Hover over the group name to see what attributes and values will be sent.

Host state

Default

The Default VLAN value is stored in the FortiNAC database and is used when the VLAN is not determined by another method, such as a network access policy.

Typically, if a VLAN is specified as the Default, it is the VLAN used for "normal" or "production" network access. It will be used for all the untagged (non-uplink) ports on the device.

Select None to use the default VLAN/Role configured on the device.

Dead End

The dead end VLAN for this SSID. Isolates disabled hosts with limited or no network connectivity from the production network.

Registration

The registration VLAN for this SSID. Isolates unregistered hosts from the production network during host registration.

Quarantine

The quarantine VLAN for this SSID. Isolates hosts from the production network who pose a security risk because they failed a scan defined in an endpoint compliance policy.

Authentication

The authentication VLAN for this device. Isolates registered hosts from the Production network during user authentication.