Allow New WiFi Client Connections When Controller Is Down This option is available for local bridge SSIDs with WPA-Personal security. See Combining WiFi and wired networks with a software switch on page 877.
Broadcast SSID Optionally, disable broadcast of SSID. By default, the SSID is broadcast. For more information, see Introduction to wireless networking on page 822.
Schedule Select when the SSID is enabled. You can choose any schedule defined in Policy & Objects > Objects > Schedules.
Block Intra-SSID Traffic Select to enable the unit to block intra-SSID traffic.
Maximum Clients Select to limit the number of clients permitted to connect simultaneously. Enter the limit value.
Split Tunneling Select to enable some subnets to remain local to the remote FortiAP. Traffic for these networks is not routed through the WiFi Controller. Specify split-tunnel networks in the FortiAP Profile. See Split tunneling on page 883.
Optional VLAN ID Enter the ID of the VLAN this SSID belongs to. Enter 0 for non-VLAN operation.
Enable Explicit Web Proxy Select to enable explicit web proxy for the SSID.
Listen for RADIUS Accounting Messages Enable if you are using RADIUS-based Single Sign-On (SSO).
Secondary IP Address Optionally, enable and define secondary IP addresses. Administrative access can be enabled on secondary interfaces.
Comments Enter a description or comment for the SSID.
To configure a virtual access point (SSID) – CLI
This example creates an access point with SSID “example” and WPA2-Personal security. The wireless interface is named example_wlan.
config wireless-controller vap
    edit example_wlan
        set ssid "example"
        set broadcast-ssid enable
        set security wpa2-only-personal
        set passphrase "hardtoguess"
        set schedule always
        set vdom root
    end
config system interface
    edit example_wlan
        set ip 10.10.120.1 255.255.255.0
    end
Configuring DHCP for WiFi clients
Wireless clients need to have IP addresses. If you use RADIUS authentication, each user’s IP address can be stored in the Framed-IP-Address attribute. Otherwise, you need to configure a DHCP server on the WLAN interface to assign IP addresses to wireless clients.
To configure a DHCP server for WiFi clients – web-based manager
1. Go to WiFi & Switch Controller > SSID and edit your SSID entry.
2. In DHCP Server select Enable.
3. In Address Range, select Create New.
4. In the Starting IP and End IP fields, enter the IP address range to assign.
By default an address range is created in the same subnet as the wireless interface IP address, but not including that address.
5. Set the Netmask to an appropriate value, such as 255.255.255.0.
6. Set the Default Gateway to Same as Interface IP.
7. Set the DNS Server to Same as System DNS.
8. If you want to restrict access to the wireless network by MAC address, see Adding a MAC filter on page 838.
9. Select OK.
To configure a DHCP server for WiFi clients – CLI
In this example, WiFi clients on the example_wlan interface are assigned addresses in the 10.10.120.2-9 range to connect with the WiFi access point on 10.10.120.1.
config system dhcp server
    edit 0
        set default-gateway 10.10.120.1
        set dns-service default
        set interface example_wlan
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 10.10.120.2
                set end-ip 10.10.120.9
            end
    end
You cannot delete an SSID (wireless interface) that has DHCP enabled on it.
Configuring security
Using the web-based manager, you can configure Captive Portal security or WiFi Protected Access version 2 (WPA2) security modes WPA2-Personal and WPA2-Enterprise. Using the CLI, you can also choose WPA/WPA2 modes that support both WPA version 1 and WPA version 2.
WPA2 security with a pre-shared key for authentication is called WPA2-Personal. This can work well for one person or a small group of trusted people. But, as the number of users increases, it is difficult to distribute new keys securely and there is increased risk that the key could fall into the wrong hands.
A more secure form of WPA2 security is WPA2-Enterprise. Users each have their own authentication credentials, verified through an authentication server, usually RADIUS. FortiOS can also authenticate WPA2-Enterprise users through its built-in user group functionality. FortiGate user groups can include RADIUS servers and can select users by RADIUS user group. This makes Role-Based Access Control (RBAC) possible.
By default, WPA2 security encrypts communication using Advanced Encryption Standard (AES). But some older wireless clients support only Temporal Key Integrity Protocol (TKIP). You can change the encryption to TKIP or negotiable TKIP-AES in the CLI. For example, to accommodate clients with either TKIP or AES, enter:
config wireless-controller vap
    edit example_wlan
        set security wpa-personal
        set passphrase "hardtoguess"
        set encrypt TKIP-AES
    end
Captive Portal security connects users to an open web portal defined in replacement messages. To navigate to any location beyond the web portal, the user must pass FortiGate user authentication.
WPA-Personal security
WPA2-Personal security setup requires only the preshared key that you will provide to your clients.
To configure WPA2-Personal security – web-based manager
1. Go to WiFi & Switch Controller > SSID and edit your SSID entry.
2. In Security Mode, select WPA2 Personal.
3. In Pre-shared Key, enter a key between 8 and 63 characters long.
4. Select OK.
To configure WPA2-Personal security – CLI
config wireless-controller vap
    edit example_wlan
        set security wpa2-personal
        set passphrase "hardtoguess"
    end
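As an added example, not part of the FortiOS handbook, the Python helper below applies the two constraints stated in the DHCP section and the WPA2-Personal section before rendering the CLI: the pre-shared key must be 8 to 63 characters long, and the DHCP pool must sit inside the wireless interface's subnet without including the interface address itself. The example_wlan values are the page's own; the function names and the rendered CLI layout are this example's assumptions.

```python
import ipaddress

# Constructed example values, copied from the page's example_wlan configuration.
EXAMPLE = {
    "vap": "example_wlan", "ssid": "example", "passphrase": "hardtoguess",
    "interface_ip": "10.10.120.1", "netmask": "255.255.255.0",
    "dhcp_start": "10.10.120.2", "dhcp_end": "10.10.120.9",
}

def check_passphrase(passphrase):
    """A WPA2-Personal pre-shared key must be 8 to 63 characters long."""
    return 8 <= len(passphrase) <= 63

def check_dhcp_range(interface_ip, netmask, start_ip, end_ip):
    """The pool must lie inside the wireless interface's subnet and must not
    include the interface's own address (the GUI default excludes it)."""
    net = ipaddress.ip_interface(f"{interface_ip}/{netmask}").network
    iface = ipaddress.ip_address(interface_ip)
    start, end = ipaddress.ip_address(start_ip), ipaddress.ip_address(end_ip)
    if start > end or start not in net or end not in net:
        return False
    return not (start <= iface <= end)

def render_vap_cli(cfg, encrypt="AES"):
    """Render the VAP and DHCP server CLI blocks, refusing input that fails
    the checks above. Anything other than AES is only for legacy TKIP clients
    and is emitted explicitly so the downgrade is visible in review."""
    if not check_passphrase(cfg["passphrase"]):
        raise ValueError("pre-shared key must be 8 to 63 characters long")
    if not check_dhcp_range(cfg["interface_ip"], cfg["netmask"],
                            cfg["dhcp_start"], cfg["dhcp_end"]):
        raise ValueError("DHCP range must sit inside the interface subnet "
                         "and must not include the interface IP")
    vap = ["config wireless-controller vap", f"    edit {cfg['vap']}",
           f"        set ssid \"{cfg['ssid']}\"",
           "        set security wpa2-only-personal",
           f"        set passphrase \"{cfg['passphrase']}\""]
    if encrypt != "AES":
        vap.append(f"        set encrypt {encrypt}")
    dhcp = ["config system dhcp server", "    edit 0",
            f"        set default-gateway {cfg['interface_ip']}",
            "        set dns-service default", f"        set interface {cfg['vap']}",
            f"        set netmask {cfg['netmask']}", "        config ip-range",
            "            edit 1", f"                set start-ip {cfg['dhcp_start']}",
            f"                set end-ip {cfg['dhcp_end']}", "            end", "    end"]
    return "\n".join(vap + ["    end"] + dhcp)

if __name__ == "__main__":
    print(render_vap_cli(EXAMPLE))
```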
WPA-Enterprise security
If you will use FortiOS user groups for authentication, go to User & Device > User > User Groups and create those groups first. The groups should be Firewall groups.
If you will use a RADIUS server to authenticate wireless clients, you must first configure the FortiGate unit to access the RADIUS server.
To configure FortiGate unit access to the RADIUS server – web-based manager
1. Go to User & Device > RADIUS Servers and select Create New.
2. Enter a Name for the server.
3. In Primary Server Name/IP, enter the network name or IP address for the server.
4. In Primary Server Secret, enter the shared secret used to access the server.
5. Optionally, enter the information for a secondary or backup RADIUS server.
6. Select OK.
To configure the FortiGate unit to access the RADIUS server – CLI
config user radius
    edit exampleRADIUS
        set auth-type auto
        set server 10.11.102.100
        set secret aoewmntiasf
    end
To configure WPA-Enterprise security – web-based manager
1. Go to WiFi & Switch Controller > SSID and edit your SSID entry.
2. In Security Mode, select WPA2 Enterprise.
3. In Authentication, do one of the following:
- If you will use a RADIUS server for authentication, select RADIUS Server and then select the RADIUS server.
- If you will use a local user group for authentication, select Local and then select the user group(s) permitted to use the wireless network.
4. Select OK.
Thank you very much for this helpful article,
but if there is any PHP script which you can insert into the article to help me send data from an external portal to FortiGate,
it will be more helpful.