FortiWLC – Multiple ESSID Mapping

Multiple ESSID Mapping

The following configuration example shows how to create three ESSIDs and map them to three different VLANs to separate guest users, corporate users, and retail traffic.

The first ESSID, guest-users, is mapped to a VLAN named guest. This ESSID is configured to use the default security profile, which requires no authentication method or encryption method. The VLAN IP address is 10.1.1.2/24 with a default gateway of 10.1.1.1. The DHCP server IP address is 10.1.1.254. This ESSID is configured so that it is added to each access point automatically and is also part of a Virtual Cell. (All access points on the same channel with this ESSID share the same BSSID.) Because the default profile has neither authentication nor encryption, any client in range can join the guest VLAN; the VLAN separation is the only thing keeping that traffic away from the corp and retail networks, so the guest VLAN must be isolated at the switch and firewall as well.

The second ESSID, corp-users, is mapped to a VLAN named corp. This ESSID is configured to use a security profile called corp-access, which requires 64-bit WEP as the authentication/encryption method. The static WEP key is set to corp1. The VLAN IP address is 10.1.2.2/24 with a default gateway of 10.1.2.1. The DHCP server IP address is 10.1.2.254. This ESSID is configured so that it is added to each AP automatically and is also part of a Virtual Cell. WEP appears here only to illustrate the profile-to-ESSID mapping: 64-bit WEP with a static key is cryptographically broken and offers no meaningful protection for corporate traffic, so a production corp-access profile should use WPA2 or WPA3 with 802.1X instead.

The third ESSID, retail-users, is mapped to a VLAN named retail. This ESSID is configured to use a security profile called retail-access, which requires 802.1X as an authentication method. The 802.1X rekey period is set to 1000 seconds. The primary RADIUS server IP address is set to 10.1.3.200, the primary RADIUS port is set to 1812, and the primary RADIUS secret is set to secure-retail. The VLAN IP address is set to 10.1.3.2/24 with a default gateway of 10.1.3.1. The DHCP server IP address is 10.1.3.254. This ESSID is configured so that it is added only to the access point with node id 1. Also, broadcasting of this ESSID in the access point's beacons is disabled, and the ESS is given a BSSID of 00:0c:e6:03:f9:a4 (the value used in the configuration and show output below). Note that suppressing the ESSID from beacons only hides it from casual scanning; clients that know the name probe for it, so the 802.1X authentication in the profile, not the hidden SSID, is the access control.

Use the show vlan command to verify the VLAN configuration:

controller# show vlan

VLAN Configuration

VLAN Name   Tag  IP Address      NetMask          Default Gateway
guest       1    10.1.1.2        255.255.255.0    10.1.1.1
corp        2    10.1.2.2        255.255.255.0    10.1.2.1
retail      3    10.1.3.2        255.255.255.0    10.1.3.1

Now that the VLANs and security profiles have been created (the security-profile commands themselves are not shown in this example), the new ESSIDs can be created and configured.

controller# configure terminal
controller(config)# essid guest-users
controller(config-essid)# security-profile default
controller(config-essid)# vlan guest
controller(config-essid)# exit
controller(config)# essid corp-users
controller(config-essid)# security-profile corp-access
controller(config-essid)# vlan corp
controller(config-essid)# exit
controller(config)# essid retail-users
controller(config-essid)# security-profile retail-access
controller(config-essid)# vlan retail
controller(config-essid)# no ap-discovery join-ess
controller(config-essid)# no publish-essid
controller(config-essid)# ess-ap 1 1
controller(config-essid-ess-ap)# bssid 00:0c:e6:03:f9:a4
controller(config-essid-ess-ap)# exit
controller(config-essid)# exit
controller(config)# exit
controller#

For retail-users, no ap-discovery join-ess stops the ESSID from being added to every AP automatically, no publish-essid removes it from the beacons, and ess-ap 1 1 attaches it explicitly to AP node 1, where the BSSID is then assigned.

To verify the creation of the new ESSIDs, use the show essid command.

To view detailed configuration for each of the new ESSIDs, use the show essid essid-name command.

To verify that the guest-users and corp-users ESSIDs were automatically joined to both access points connected to the controller and that the retail-users ESSID was only joined to AP 1, use the show ess-ap ap ap-node-id or the show ess-ap essid essid-name commands.

controller# show ess-ap ap 1

ESS-AP Configuration

AP ID: 1

ESSID                   AP Name        Channel  BSSID
guest-users             AP-1            6       00:0c:e6:01:d5:c1
corp-users              AP-1            6       00:0c:e6:02:eb:b5
retail-users            AP-1            6       00:0c:e6:03:f9:a4

controller# show ess-ap ap 2

ESS-AP Configuration

AP ID: 2

ESSID                   AP Name        Channel  BSSID
guest-users             AP-2            6       00:0c:e6:01:d5:c1
corp-users              AP-2            6       00:0c:e6:02:eb:b5

controller# show ess-ap essid retail-users

ESS-AP Configuration

ESSID: retail-users

AP ID   AP Name        Channel  BSSID
1       AP-1            6       00:0c:e6:03:f9:a4

controller# show ess-ap essid corp-users

ESS-AP Configuration

ESSID: corp-users

AP ID   AP Name        Channel  BSSID
1       AP-1            6       00:0c:e6:02:eb:b5
2       AP-2            6       00:0c:e6:02:eb:b5
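Reading the show output by eye works for three ESSIDs and two APs; on a larger deployment it is easier to have a script do the comparison. The following Python script is an added example, not part of the FortiWLC guide or its CLI: it parses the text of `show vlan` and `show ess-ap ap <id>` and checks it against the intended design, namely that each VLAN's gateway and DHCP server lie inside its subnet, that no two VLAN subnets overlap, that every ESSID is present on exactly the intended APs, that a Virtual Cell ESSID advertises a single BSSID per channel, and that no ESSID is tied to a profile the page describes as open or WEP-based. The show output embedded in the script is constructed from the values on this page, and the PLAN, DHCP and WEAK_PROFILES tables are assumptions that encode that design; the column layout of a real controller is also assumed to match the sample, so adjust the regular expressions if a column differs on your release.

```python
"""Added example (not FortiWLC code): parse `show vlan` / `show ess-ap ap <id>`
output and check it against the intended ESSID-to-VLAN design on this page."""
import ipaddress
import re

# Constructed from the page's `show vlan` output; column layout is assumed.
SHOW_VLAN = """\
VLAN Name   Tag  IP Address      NetMask          Default Gateway
guest       1    10.1.1.2        255.255.255.0    10.1.1.1
corp        2    10.1.2.2        255.255.255.0    10.1.2.1
retail      3    10.1.3.2        255.255.255.0    10.1.3.1
"""
SHOW_ESS_AP = {  # keyed by AP node id; constructed from `show ess-ap ap 1` and `ap 2`
    1: """\
AP ID: 1
ESSID                   AP Name        Channel  BSSID
guest-users             AP-1            6       00:0c:e6:01:d5:c1
corp-users              AP-1            6       00:0c:e6:02:eb:b5
retail-users            AP-1            6       00:0c:e6:03:f9:a4
""",
    2: """\
AP ID: 2
ESSID                   AP Name        Channel  BSSID
guest-users             AP-2            6       00:0c:e6:01:d5:c1
corp-users              AP-2            6       00:0c:e6:02:eb:b5
""",
}
# Intended design (assumed tables): ESSID -> (VLAN, security profile,
# AP node ids it should be on, or None for "auto-joined to every AP").
PLAN = {
    "guest-users": ("guest", "default", None),
    "corp-users": ("corp", "corp-access", None),
    "retail-users": ("retail", "retail-access", {1}),
}
DHCP = {"guest": "10.1.1.254", "corp": "10.1.2.254", "retail": "10.1.3.254"}
# Profiles the page describes as open or WEP-based; both are flagged.
WEAK_PROFILES = {"default": "open (no auth, no encryption)", "corp-access": "static 64-bit WEP"}

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
VLAN_RE = re.compile(rf"^(\S+)\s+(\d+)\s+{IPV4}\s+{IPV4}\s+{IPV4}\s*$")
ESSAP_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s*$", re.I)

def parse_show_vlan(text):
    """Return {vlan: {'tag', 'ip' (interface), 'gw'}}; title/header lines never match."""
    vlans = {}
    for m in filter(None, map(VLAN_RE.match, text.splitlines())):
        name, tag, ip, mask, gw = m.groups()
        vlans[name] = {"tag": int(tag),
                       "ip": ipaddress.ip_interface(f"{ip}/{mask}"),
                       "gw": ipaddress.ip_address(gw)}
    return vlans

def parse_show_ess_ap(text):
    """Return {essid: (channel, bssid)} from one `show ess-ap ap <id>` output."""
    rows = {}
    for m in filter(None, map(ESSAP_RE.match, text.splitlines())):
        essid, _ap_name, channel, bssid = m.groups()
        rows[essid] = (int(channel), bssid.lower())
    return rows

def check_vlans(vlans, dhcp):
    """Gateway and DHCP server inside each subnet, and no overlapping subnets."""
    problems, seen = [], []
    for name, v in vlans.items():
        net = v["ip"].network
        if v["gw"] not in net:
            problems.append(f"{name}: gateway {v['gw']} outside {net}")
        if name in dhcp and ipaddress.ip_address(dhcp[name]) not in net:
            problems.append(f"{name}: DHCP server {dhcp[name]} outside {net}")
        problems += [f"{name}: {net} overlaps {o} ({onet})" for o, onet in seen if net.overlaps(onet)]
        seen.append((name, net))
    return problems

def check_ess_ap(plan, per_ap, vlans, weak):
    """Each ESSID on exactly the intended APs, one BSSID per channel (Virtual Cell), no weak profile."""
    problems = []
    for essid, (vlan, profile, aps) in plan.items():
        if vlan not in vlans:
            problems.append(f"{essid}: VLAN {vlan} is not configured")
        expected = set(per_ap) if aps is None else set(aps)
        present = {ap for ap, rows in per_ap.items() if essid in rows}
        if present != expected:
            problems.append(f"{essid}: on APs {sorted(present)}, expected {sorted(expected)}")
        by_channel = {}
        for ap in present:
            channel, bssid = per_ap[ap][essid]
            by_channel.setdefault(channel, set()).add(bssid)
        for channel, bssids in by_channel.items():
            if len(bssids) > 1:
                problems.append(f"{essid}: channel {channel} advertises {len(bssids)} BSSIDs")
        if profile in weak:
            problems.append(f"{essid}: profile {profile} is {weak[profile]}; use WPA2/WPA3")
    return problems

def run_checks():
    """Parse the sample output and return every warning found (empty list means clean)."""
    vlans = parse_show_vlan(SHOW_VLAN)
    per_ap = {ap: parse_show_ess_ap(text) for ap, text in SHOW_ESS_AP.items()}
    return check_vlans(vlans, DHCP) + check_ess_ap(PLAN, per_ap, vlans, WEAK_PROFILES)

if __name__ == "__main__":
    for warning in run_checks():
        print("WARN:", warning)
```

Against the sample output the placement and addressing checks pass and the script reports only the two weak profiles (the open guest profile and the WEP corp profile). To use it on a live controller, paste the real show output into the two string constants and edit PLAN to match the design you intended; a mismatch between what was configured and what the APs actually joined shows up as an "on APs ... expected ..." line.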

Bridged AP300 in a Remote Location

When bridged mode is configured in an ESSID, an AP using that ESSID can be installed and managed at a location separated from the controller by a WAN or ISP, for example at a satellite office. The controller monitors remote APs with a keep-alive signal. Remote APs exchange control information, including authentication and accounting information, with the controller but do not send their data-plane traffic through it; that traffic is bridged locally and exchanged with other APs within their subnet.

Because remote APs cannot exchange data-plane traffic (including DHCP) with the controller, certain Fortinet Wireless LAN features are not available for remote AP configurations. These include:

  • QoS
  • Captive Portal
  • L3 mobility

The features that are available are:

  • VLAN
  • Virtual Cell
  • 1X authentication
  • High user density
  • Multiple ESSIDs
  • Dataplane encryption for backhaul on L3 tunnel

Configure Bridged Mode with the Web UI

Configure bridged mode when you add or modify an ESS with the Web UI; for directions, see “Add an ESS with the Web UI” on page 137.

Configure Bridged Mode with the CLI

This example creates the ESSID abcjk, sets its data plane to bridged, assigns VLAN tag 11 to its AP-side traffic, and then gives top priority to abcjk with ap-vlan-priority.

test# configure terminal
test(config)# essid abcjk
test(config-essid)# dataplane bridged
test(config-essid)# ap-vlan-tag 11
test(config-essid)# ap-vlan-priority
test(config-essid)# end

For details of the commands used here, see the Command Reference Guide.

This entry was posted in Administration Guides, FortiWLC.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
