Overview of WiFi controller configuration
The FortiGate WiFi controller configuration is composed of three types of object: the SSID, the AP Profile and the physical Access Point.
- An SSID defines a virtual wireless network interface, including security settings. One SSID is sufficient for a wireless network, regardless of how many physical access points are provided. You might, however, want to create multiple SSIDs to provide different services or privileges to different groups of users. Each SSID has separate firewall policies and authentication. Each radio in an access point can support up to 8 SSIDs.
A more common use of the term SSID is for the identifier that clients must use to connect to the wireless network.
Each SSID (wireless interface) that you configure will have an SSID field for this identifier. In Managed Access Point configurations you choose wireless networks by SSID values. In firewall policies you choose wireless interfaces by their SSID name.
- An AP Profile defines the radio settings, such as band (802.11g for example) and channel selection. The AP Profile names the SSIDs to which it applies. Managed APs can use automatic profile settings or you can create AP profiles.
- Managed Access Points represent local wireless APs on FortiWiFi units and FortiAP units that the FortiGate unit has discovered. There is one managed access point definition for each AP device. An access point definition can use automatic AP profile settings or select a FortiAP Profile. When automatic profile settings are used, the managed AP definition also selects the SSIDs to be carried on the AP.
Conceptual view of FortiGate WiFi controller configuration
About SSIDs on FortiWiFi units
FortiWiFi units have a default SSID (wireless interface) named wlan. You can modify or delete this SSID as needed. As with external APs, the built-in wireless AP can be configured to carry any SSID.
The AP settings for the built-in wireless access point are located at WiFi Controller > Local WiFi Radio. The available operational settings are the same as those for external access points which are configured at WiFi Controller > Managed FortiAPs.
Process to create a wireless network
To set up your wireless network, you will need to perform the following steps:
- Make sure the FortiGate wireless controller is configured for your geographic location. This ensures that the available radio channels and radio power are in compliance with the regulations in your region.
- Optionally, if you don’t want to use automatic AP profile settings, configure a FortiAP profile, specifying the radio settings and the SSIDs to which they apply.
- Configure one or more SSIDs for your wireless network. The SSID configuration includes DHCP and DNS settings.
- Configure the user group and users for authentication on the WLAN.
- Configure the firewall policy for the WLAN.
- Optionally, customize the captive portal.
- Configure access points.
Configuration of the built-in AP on FortiWiFi units is described in this chapter. Connection and configuration of FortiAP units is described in the next chapter, see Access point deployment on page 55.
Setting your geographic location
The maximum allowed transmitter power and permitted radio channels for WiFi networks depend on the region in which the network is located. By default, the WiFi controller is configured for the United States. If you are located in any other region, you need to set your location before you begin configuring wireless networks.
To change the location setting – CLI
To change the country to France, for example, enter
config wireless-controller setting
  set country FR
end
To see the list of country codes, enter a question mark (‘?’) instead of a country code.
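The following Python script is an added example, not Fortinet code or part of the original page; it reads a saved configuration and reports the effective country setting so it can be compared with the site's actual location. The sample backup text and the function names are constructed for illustration, and it assumes that a `set country` line missing from the backup means the controller is still at the United States default described above.

```python
import re

# Constructed sample of a FortiGate configuration backup (not from the page).
SAMPLE_BACKUP = """\
config system global
    set hostname "branch-fw"
end
config wireless-controller setting
    set country FR
end
"""

DEFAULT_COUNTRY = "US"  # the page states the controller defaults to the United States


def wireless_country(config_text):
    """Return the country set under 'config wireless-controller setting',
    or None when the block or its 'set country' line is absent."""
    depth = 0         # nesting level of config ... end blocks
    in_block = False  # True while inside the wireless-controller setting block
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            if depth == 0 and line == "config wireless-controller setting":
                in_block = True
            depth += 1
        elif line == "end":
            depth = max(depth - 1, 0)  # tolerate a stray 'end' in damaged input
            if depth == 0:
                in_block = False
        elif in_block and depth == 1:
            m = re.fullmatch(r'set country "?([^"\s]+)"?', line)
            if m:
                return m.group(1).upper()
    return None


def audit_country(config_text, expected):
    """Compare the effective country (explicit or assumed default) with the site's."""
    explicit = wireless_country(config_text)
    effective = explicit or DEFAULT_COUNTRY  # assumption: absent means default
    return {"explicit": explicit, "effective": effective,
            "compliant": effective == expected.upper()}


if __name__ == "__main__":
    print(audit_country(SAMPLE_BACKUP, "FR"))
```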
View all country and regcodes/regulatory domains
The following CLI command can be entered to view a list of the country and regcodes/regulatory Domains supported by Fortinet:
cw_diag -c all-countries
Below is a table showing a sample of the list displayed by entering this command:
| Country-code | Region-code | Domain | ISO-name | Name |
|---|---|---|---|---|
| 0 | A | FCC3 & FCCA | NA | NO_COUNTRY_SET |
| 8 | W | NULL1 & WORLD | AL | ALBANIA |
| 12 | W | NULL1 & WORLD | DZ | ALGERIA |
| 16 | A | FCC3 & FCCA | AS | AMERICAN SAMOA |
| … | … | … | … | … |
Hi Mike,
Since I know by following your posts that you are really good with Fortinet in general, please allow me to ask you a question. In a Fortigate, FortiAP and Radius scenario, can I dynamically assign the VLAN to the WIFI users based on their device type? More specifically, I would like to move any iOS/Android to a different VLAN than a normal Windows Client would get. Thanks
You pass it by the 802.1x pass thru of the RADIUS authentication not the device.