Defining a wireless network interface (SSID)

Defining a wireless network interface (SSID)

You begin configuring your wireless network by defining one or more SSIDs to which your users will connect. When you create an SSID, a virtual network interface is also created with the Name you specified in the SSID configuration. You can configure the settings of an existing SSID in either WiFi Controller > WiFi Network > SSID or System > Network > Interface.

To create a new SSID

  1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.
  2. Fill in the SSID fields as described below.

To configure the settings of an existing SSID

  1. Either l Go to WiFi & Switch Controller > SSID.

or l Go to Network > Interfaces.

WiFi interfaces list the SSID beside the interface Name.

  1. Edit a WiFi interface, modifying the SSID fields as needed.

 

SSID fields

Interface Name Enter a name for the SSID interface.
Type WiFi SSID.
Traffic Mode Tunnel to Wireless Controller — Data for WLAN passes through WiFi Controller. This is the default.

Local bridge with FortiAP’s Interface — FortiAP unit Ethernet and WiFi interfaces are bridged.

Mesh Downlink — Radio receives data for WLAN from mesh backhaul SSID.

IP/Network Mask Enter the IP address and netmask for the SSID.
IPv6 Address Enter the IPv6 address. This is available only when IPv6 has been enabled on the unit.
Administrative Access Select which types of administrative access are permitted on this SSID.
IPv6

Administrative

Access

If you have IPv6 addresses, select the permitted IPv6 administrative access types for this SSID.
DHCP Server To assign IP addresses to clients, enable DHCP server. You can define IP address ranges for a DHCP server on the FortiGate unit or relay DHCP requests to an external server.

If the unit is in transparent mode, the DHCP server settings will be unavailable.

For more information, see Configuring DHCP for WiFi clients on page 48.

Device Detection Detect connected device type. Enabled by default.
Active Scanning Enabled by default.
WiFi Settings
SSID Enter the SSID. By default, this field contains fortinet.
Security Mode Select the security mode for the wireless interface. Wireless users must use the same security mode to be able to connect to this wireless interface. Additional security mode options are available in the CLI. For more information, see Configuring security on page 49.
Captive Portal – authenticates users through a customizable web page.
WPA2-Personal – WPA2 is WiFi Protected Access version 2. There is one pre-shared key (password) that all users use.

 

WPA2-Personal with Captive Portal – The user will need to know the pre-shared key and will also be authenticated through the custom portal.
WPA2-Enterprise – similar to WPA2-Personal, but is best used for enterprise networks. Each user is separately authenticated by user name and password.
Pre-shared Key Available only when Security Mode is WPA2-Personal. Enter the encryption key that the clients must use.
Authentication Available only when Security Mode is WPA2-Enterprise.

Select one of the following:

RADIUS Server — Select the RADIUS server that will authenticate the clients.

Local – Select the user group(s) that can authenticate.

Portal Type Available only when Security Mode is Captive Portal. Choose the captive portal type. Authentication is available with or without a usage policy disclaimer notice.
Authentication Portal Local – portal hosted on the FortiGate unit

External – enter FQDN or IP address of external portal

User Groups Select permitted user groups for captive portal authentication.
Exempt List Select exempt lists whose members will not be subject to captive portal authentication.
Customize Portal Messages Click the listed portal pages to edit them.
Redirect after Captive Portal Optionally, select Specific URL and enter a URL for user redirection after captive portal authentication. By default, users are redirected to the URL that they originally requested.
Allow New WiFi

Client

Connections

When Controller

Is Down

This option is available for local bridge SSIDs with WPA-Personal security. See Combining WiFi and wired networks with a software switch on page 93.
Broadcast SSID Optionally, disable broadcast of SSID. By default, the SSID is broadcast. For more information, see Introduction to wireless networking on page 22.
Schedule Select when the SSID is enabled. You can choose any schedule defined in Policy & Objects > Objects > Schedules.
Block Intra-SSID

Traffic

Select to enable the unit to block intra-SSID traffic.
Maximum Clients Select to limit the number of clients permitted to connect simultaneously. Enter the limit value.
Split Tunneling Select to enable some subnets to remain local to the remote FortiAP. Traffic for these networks is not routed through the WiFi Controller. Specify split-tunnel networks in the FortAP Profile. See Split tunneling on page 100.
Optional VLAN ID Enter the ID of the VLAN this SSID belongs to. Enter 0 for non-VLAN operation.
Enable Explicit

Web Proxy

Select to enable explicit web proxy for the SSID.
Listen for

RADIUS

Accounting

Messages

Enable if you are using RADIUS-based Single Sign-On (SSO).
Secondary IP Address Optioanally, enable and define secondary IP addresses. Administrative access can be enabled on secondary interfaces.
Comments Enter a description or comment for the SSID.

To configure a virtual access point (SSID) – CLI

The example below creates an access point with SSID “example” and WPA2-Personal security. The wireless interface is named example_wlan.

WiFi SSIDs include a schedule that determines when the WiFi network is available. The default schedule is

Always. You can choose any schedule (but not schedule group) that is defined in Policy & Objects > Objects > Schedules.

config wireless-controller vap edit example_wlan set ssid “example” set broadcast-ssid enable set security wpa2-only-personal set passphrase “hardtoguess” set schedule always set vdom root

end

config system interface edit example_wlan set ip 10.10.120.1 255.255.255.0

end

This entry was posted in Administration Guides, FortiAP on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.