Creating a FortiAP profile
A FortiAP profile defines radio settings for a particular platform (FortiAP model). The profile also selects which SSIDs (virtual APs) the APs will carry. Dual-radio FortiAP units contain two radio transceivers, making it possible, for example, to provide both 2.4GHz 802.11b/g/n and 5GHz 802.11a/n service from the same access point. A radio can also be dedicated to monitoring, which the Rogue AP detection feature uses.
You can modify existing FortiAP profiles or create new ones of your own.
To configure a FortiAP profile – web-based manager
- Go to WiFi & Switch Controller > FortiAP Profiles and select Create New.
- Enter a Name for the FortiAP Profile.
- In Platform, select the FortiWiFi or FortiAP model to which this profile applies.
- If split tunneling is used, in Split Tunneling Subnets, enter a comma-separated list of all the destination IP address ranges that should not be routed through the FortiGate WiFi controller.
- For each radio, enter:
Mode | Select the radio mode: Disable – radio disabled; Access Point – the platform is an access point; Dedicated Monitor – the platform is a dedicated monitor. See Wireless network monitoring on page 115. |
WIDS Profile | Optionally, select a Wireless Intrusion Detection (WIDS) profile. See Protecting the WiFi network on page 109. |
Radio Resource Provision | Select to enable the radio resource provision feature. This feature measures utilization and interference on the available channels and selects the clearest channel at each access point. The measurement can be repeated periodically to respond to changing conditions. |
Client Load Balancing | Select Frequency Handoff or AP Handoff as needed. See Access point deployment on page 55. |
Band | Select the wireless protocols that you want to support. The available choices depend on the radio’s capabilities. Where multiple protocols are supported, the letter suffixes are combined: “802.11g/b” means 802.11g and 802.11b.
Note that on two-radio units such as the FortiAP-221C it is not possible to put both radios on the same band. |
Channel Width | Select channel width for 802.11ac or 802.11n on 5GHz. |
Short Guard Interval | Select to enable the short guard interval for 802.11ac or 802.11n on 5GHz. |
Channels | Select the channel or channels to include. The available channels depend on which IEEE wireless protocol you selected in Band. By default, all available channels are enabled. |
TX Power Control | Enable automatic or manual adjustment of transmit power, specifying either minimum and maximum power levels in dBm or a percentage of the maximum. |
TX Power | When TX Power Control is set to Auto, the TX Power is set by default to a range of 10-17 dBm. Set the range between 1-20 for both the lower and upper limits.
When TX Power Control is set to Manual, the TX Power is set by default to 100% of the maximum power permitted in your region. To change the level, drag the slider. |
SSIDs | Select between Auto or Manual. Selecting Auto eliminates the need to re-edit the profile when new SSIDs are created. However, you can still select SSIDs individually using Manual.
Note that automatic assignment of SSIDs (Auto) is not available for FortiAPs in Local Bridge mode. The option is hidden on both the Managed FortiAP settings and the FortiAP Profile assigned to that AP. |
Radio 1 settings are the same as Radio 2 settings except for the options for Channel.
Radio 2 settings are available only for FortiAP models with dual radios.
- Select OK.
To configure a FortiAP profile – CLI
This example configures a FortiAP-220B to carry all SSIDs on Radio 1 but only SSID example_wlan on Radio 2.
config wireless-controller wtp-profile
    edit guest_prof
        config platform
            set type 220B
        end
        config radio-1
            set mode ap
            set band 802.11g
            set vap-all enable
        end
        config radio-2
            set mode ap
            set band 802.11g
            set vaps example_wlan
        end
    end
Defining a wireless network interface (SSID)
You begin configuring your wireless network by defining one or more SSIDs to which your users will connect. When you create an SSID, a virtual network interface is also created with the Name you specified in the SSID configuration. You can configure the settings of an existing SSID in either WiFi & Switch Controller > SSID or System > Network > Interfaces.
To create a new SSID
- Go to WiFi & Switch Controller > SSID and select Create New > SSID.
- Fill in the SSID fields as described below.
To configure the settings of an existing SSID
- Either go to WiFi & Switch Controller > SSID, or go to Network > Interfaces.
WiFi interfaces list the SSID beside the interface Name.
- Edit a WiFi interface, modifying the SSID fields as needed.
SSID fields
Interface Name | Enter a name for the SSID interface. |
Type | WiFi SSID. |
Traffic Mode | Tunnel to Wireless Controller — Data for WLAN passes through WiFi Controller. This is the default.
Local bridge with FortiAP’s Interface — FortiAP unit Ethernet and WiFi interfaces are bridged. Mesh Downlink — Radio receives data for WLAN from mesh backhaul SSID. |
IP/Network Mask | Enter the IP address and netmask for the SSID. |
IPv6 Address | Enter the IPv6 address. This is available only when IPv6 has been enabled on the unit. |
Administrative Access | Select which types of administrative access are permitted on this SSID. |
IPv6 Administrative Access | If you have IPv6 addresses, select the permitted IPv6 administrative access types for this SSID. |
DHCP Server | To assign IP addresses to clients, enable DHCP server. You can define IP address ranges for a DHCP server on the FortiGate unit or relay DHCP requests to an external server.
If the unit is in transparent mode, the DHCP server settings will be unavailable. For more information, see Configuring DHCP for WiFi clients on page 39. |
Device Detection | Detect connected device type. Enabled by default. |
Active Scanning | Enabled by default. |
WiFi Settings | |
SSID | Enter the SSID. By default, this field contains fortinet. |
Security Mode | Select the security mode for the wireless interface. Wireless users must use the same security mode to be able to connect to this wireless interface. Additional security mode options are available in the CLI. For more information, see Configuring security on page 40. |
Captive Portal – authenticates users through a customizable web page. The wireless link itself is open (no WPA2 encryption) in this mode. |
WPA2-Personal – WPA2 is WiFi Protected Access version 2. There is one pre-shared key (password) that all users share. |
WPA2-Personal with Captive Portal – The user must know the pre-shared key and is also authenticated through the custom portal. |
WPA2-Enterprise – WPA2 with 802.1X authentication, best suited to enterprise networks. Each user is separately authenticated with individual credentials (user name and password) against a RADIUS server or a local user group. |
Pre-shared Key | Available only when Security Mode is WPA2-Personal. Enter the encryption key that the clients must use. |
Authentication | Available only when Security Mode is WPA2-Enterprise.
Select one of the following: RADIUS Server — Select the RADIUS server that will authenticate the clients. Local – Select the user group(s) that can authenticate. |
Portal Type | Available only when Security Mode is Captive Portal. Choose the captive portal type. Authentication is available with or without a usage policy disclaimer notice. |
Authentication Portal | Local – portal hosted on the FortiGate unit
External – enter FQDN or IP address of external portal |
User Groups | Select permitted user groups for captive portal authentication. |
Exempt List | Select exempt lists whose members will not be subject to captive portal authentication. |
Customize Portal Messages | Click the listed portal pages to edit them. |
Redirect after Captive Portal | Optionally, select Specific URL and enter a URL for user redirection after captive portal authentication. By default, users are redirected to the URL that they originally requested. |
Allow New WiFi Client Connections When Controller Is Down | This option is available for local bridge SSIDs with WPA-Personal security. See Combining WiFi and wired networks with a software switch on page 90. |
Broadcast SSID | Optionally, disable broadcast of the SSID. By default, the SSID is broadcast. Hiding the SSID is not a security control: clients still send the name in probe requests and association frames, so anyone listening can recover it. For more information, see Introduction to wireless networking on page 13. |
Schedule | Select when the SSID is enabled. You can choose any schedule defined in Policy & Objects > Objects > Schedules. |
Block Intra-SSID Traffic | Select to block traffic between clients connected to the same SSID (client isolation). Recommended for guest and BYOD SSIDs, where one client should not be able to reach another. |
Maximum Clients | Select to limit the number of clients permitted to connect simultaneously. Enter the limit value. |
Split Tunneling | Select to enable some subnets to remain local to the remote FortiAP. Traffic for these networks is not routed through the WiFi Controller. Specify split-tunnel networks in the FortiAP Profile. See Split tunneling on page 97. |
Optional VLAN ID | Enter the ID of the VLAN this SSID belongs to. Enter 0 for non-VLAN operation. |
Enable Explicit Web Proxy | Select to enable explicit web proxy for the SSID. |
Listen for RADIUS Accounting Messages | Enable if you are using RADIUS-based single sign-on (SSO). |
Secondary IP Address | Optionally, enable and define secondary IP addresses. Administrative access can be enabled on secondary interfaces. |
Comments | Enter a description or comment for the SSID. |
To configure a virtual access point (SSID) – CLI
The example below creates an access point with SSID “example” and WPA2-Personal security. The wireless interface is named example_wlan.
WiFi SSIDs include a schedule that determines when the WiFi network is available. The default schedule is
Always. You can choose any schedule (but not schedule group) that is defined in Policy & Objects > Objects > Schedules.
config wireless-controller vap
    edit example_wlan
        set ssid "example"
        set broadcast-ssid enable
        set security wpa2-only-personal
        set passphrase "hardtoguess"
        set schedule always
        set vdom root
    end
config system interface
    edit example_wlan
        set ip 10.10.120.1 255.255.255.0
    end
Configuring DHCP for WiFi clients
Wireless clients need to have IP addresses. If you use RADIUS authentication, each user’s IP address can be stored in the Framed-IP-Address attribute. Otherwise, you need to configure a DHCP server on the WLAN interface to assign IP addresses to wireless clients.
To configure a DHCP server for WiFi clients – web-based manager
- Go to WiFi & Switch Controller > SSID and edit your SSID entry.
- In DHCP Server select Enable.
- In Address Range, select Create New.
- In the Starting IP and End IP fields, enter the IP address range to assign.
By default an address range is created in the same subnet as the wireless interface IP address, but not including that address.
- Set the Netmask to an appropriate value, such as 255.255.255.0.
- Set the Default Gateway to Same as Interface IP.
- Set the DNS Server to Same as System DNS.
- If you want to restrict access to the wireless network by MAC address, see Adding a MAC filter on page 42.
- Select OK.
To configure a DHCP server for WiFi clients – CLI
In this example, WiFi clients on the example_wlan interface are assigned addresses in the 10.10.120.2-9 range to connect with the WiFi access point on 10.10.120.1.
config system dhcp server
    edit 0
        set default-gateway 10.10.120.1
        set dns-service default
        set interface example_wlan
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set end-ip 10.10.120.9
                set start-ip 10.10.120.2
            end
    end
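The two CLI procedures above (the SSID on example_wlan and its DHCP pool) can be generated and sanity-checked from one script. The following is an added example, not FortiOS or Fortinet code: it renders the same stanzas, generates a random passphrase, enforces the 8-63 printable-ASCII passphrase limit, and checks that the pool lies inside the interface subnet and excludes the interface address, which is the GUI default described in the web-based manager procedure. The function names, the weak-passphrase rule, and the `intra-vap-privacy` and `encrypt AES` keywords (the CLI names for Block Intra-SSID Traffic and AES-only encryption, which the page's own examples do not show) are assumptions.

```python
"""Render a FortiOS SSID + DHCP configuration and check its constraints.

Added example, not FortiOS or Fortinet code. The CLI keywords mirror the
page's own examples (wireless-controller vap, system dhcp server); the
helper names, the interface name "example_wlan" and the subnet are
assumptions chosen for illustration.
"""
import ipaddress
import secrets
import string

# WPA2-Personal passphrases are 8-63 printable ASCII characters (IEEE 802.11).
PSK_MIN, PSK_MAX = 8, 63
_PSK_ALPHABET = string.ascii_letters + string.digits + "-_.!@#%^*+="


def generate_psk(length=32):
    """Return a random passphrase; 32 chars from this alphabet is ~190 bits."""
    if not PSK_MIN <= length <= PSK_MAX:
        raise ValueError("passphrase length must be 8-63 characters")
    return "".join(secrets.choice(_PSK_ALPHABET) for _ in range(length))


def validate_psk(psk):
    """Reject passphrases 802.11 would not accept, or that are clearly weak."""
    if not PSK_MIN <= len(psk) <= PSK_MAX:
        raise ValueError("passphrase must be 8-63 characters")
    if not all(32 <= ord(c) <= 126 for c in psk):
        raise ValueError("passphrase must be printable ASCII")
    # The 4-way handshake can be captured and brute-forced offline, so treat
    # anything short, or lower-case-only / digits-only, as too weak (assumed rule).
    if len(psk) < 16 or psk.islower() or psk.isdigit():
        raise ValueError("passphrase too weak: use 16+ mixed characters")
    return psk


def dhcp_range(interface_cidr, start, end):
    """Check a DHCP pool against the SSID interface address, as the GUI default does."""
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if first > last:
        raise ValueError("start-ip must not exceed end-ip")
    for addr in (first, last):
        if addr not in net or addr in (net.network_address, net.broadcast_address):
            raise ValueError(f"{addr} is not a usable host in {net}")
    if first <= iface.ip <= last:
        raise ValueError("pool must not include the interface address")
    return net


def ssid_config(name, ssid, psk, interface_cidr, start, end, isolate=True):
    """Render the SSID, interface and DHCP stanzas in FortiOS CLI syntax."""
    validate_psk(psk)
    net = dhcp_range(interface_cidr, start, end)
    iface = ipaddress.ip_interface(interface_cidr)
    intra = "enable" if isolate else "disable"
    return "\n".join([
        "config wireless-controller vap",
        f"    edit {name}",
        f'        set ssid "{ssid}"',
        "        set security wpa2-only-personal",
        f'        set passphrase "{psk}"',
        "        set encrypt AES",               # AES only; no TKIP fallback
        f"        set intra-vap-privacy {intra}",  # Block Intra-SSID Traffic
        "        set schedule always",
        "    next",
        "end",
        "config system interface",
        f"    edit {name}",
        f"        set ip {iface.ip} {net.netmask}",
        "    next",
        "end",
        "config system dhcp server",
        "    edit 0",
        f"        set interface {name}",
        f"        set default-gateway {iface.ip}",
        f"        set netmask {net.netmask}",
        "        set dns-service default",
        "        config ip-range",
        "            edit 1",
        f"                set start-ip {start}",
        f"                set end-ip {end}",
        "            next",
        "        end",
        "    next",
        "end",
    ])


if __name__ == "__main__":
    print(ssid_config("example_wlan", "example", generate_psk(),
                      "10.10.120.1/24", "10.10.120.2", "10.10.120.9"))
```

Paste the printed block into the FortiGate CLI, or feed it through your configuration management system; the passphrase on the page ("hardtoguess") is rejected by validate_psk on purpose, since a short lower-case key falls quickly to an offline attack on a captured handshake.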
Configuring security
Using the web-based manager, you can configure captive portal security or WiFi Protected Access version 2 (WPA2) security modes WPA2-Personal and WPA2-Enterprise. Using the CLI, you can also choose WPA/WPA2 modes that support both WPA version 1 and WPA version 2.
WPA2 security with a pre-shared key for authentication is called WPA2-Personal. This can work well for one person or a small group of trusted people. But, as the number of users increases, it is difficult to distribute new keys securely and there is increased risk that the key could fall into the wrong hands. Also, the WPA2 four-way handshake can be captured passively and the pre-shared key brute-forced offline, so a short or dictionary-based key offers little protection, and anyone who knows the key and captures a client's handshake can decrypt that client's traffic.
A more secure form of WPA2 security is WPA2-Enterprise. Users each have their own authentication credentials, verified through an authentication server, usually RADIUS. FortiOS can also authenticate WPA2-Enterprise users through its built-in user group functionality. FortiGate user groups can include RADIUS servers and can select users by RADIUS user group. This makes possible Role-Based Access Control (RBAC).
By default, WPA2 security encrypts communication using Advanced Encryption Standard (AES). But some older wireless clients support only Temporal Key Integrity Protocol (TKIP). You can change the encryption to TKIP or negotiable TKIP-AES in the CLI. TKIP is deprecated and has known cryptographic weaknesses, so enable it only while legacy clients that require it remain, and return to AES afterwards. For example, to accommodate clients with either TKIP or AES, enter:
config wireless-controller vap
    edit example_wlan
        set security wpa-personal
        set passphrase "hardtoguess"
        set encrypt TKIP-AES
    end
Captive portal security connects users to an open web portal defined in replacement messages. To navigate to any location beyond the web portal, the user must pass FortiGate user authentication.
WPA-Personal security
WPA2-Personal security setup requires only the preshared key that you will provide to your clients.
To configure WPA2-Personal security – web-based manager
- Go to WiFi & Switch Controller > SSID and edit your SSID entry.
- In Security Mode, select WPA2 Personal.
- In Pre-shared Key, enter a key between 8 and 63 characters long.
- Select OK.
To configure WPA2-Personal security – CLI
config wireless-controller vap
    edit example_wlan
        set security wpa2-only-personal
        set passphrase "hardtoguess"
    end
WPA-Enterprise security
If you will use FortiOS user groups for authentication, go to User & Device > User > User Groups and create those groups first. The groups should be Firewall groups.
If you will use a RADIUS server to authenticate wireless clients, you must first configure the FortiGate unit to access the RADIUS server. Conventional RADIUS protects the exchange with only the shared secret (MD5-based hiding and authenticators), so use a long random secret, configure the server to accept requests only from the FortiGate's address, and keep RADIUS traffic on a management network or inside an IPsec tunnel.
To configure FortiGate unit access to the RADIUS server – web-based manager
- Go to User & Device > RADIUS Servers and select Create New.
- Enter a Name for the server.
- In Primary Server Name/IP, enter the network name or IP address for the server.
- In Primary Server Secret, enter the shared secret used to access the server.
- Optionally, enter the information for a secondary or backup RADIUS server.
- Select OK.
To configure the FortiGate unit to access the RADIUS server – CLI
config user radius
    edit exampleRADIUS
        set auth-type auto
        set server 10.11.102.100
        set secret aoewmntiasf
    end
Hi Mike,
Since I know by following your posts that you are really good with Fortinet in general, please allow me to ask you a question. In a FortiGate, FortiAP and RADIUS scenario, can I dynamically assign the VLAN to the WiFi users based on their device type? More specifically, I would like to move any iOS/Android device to a different VLAN than a normal Windows client would get. Thanks
You pass it via the 802.1X pass-through of the RADIUS authentication, not the device.
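Both the Framed-IP-Address mechanism mentioned under Configuring DHCP for WiFi clients and the dynamic VLAN assignment asked about in the exchange above depend on attributes the RADIUS server returns in its Access-Accept. The following is an added example, not FortiOS, FortiAP or the posters' code: it encodes such an Access-Accept (RFC 2865 Framed-IP-Address; RFC 2868 Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID carrying the VLAN), computes the Response Authenticator, and then parses and verifies the reply the way a RADIUS client must before acting on it. The identifier, request authenticator, secret, address and VLAN ID are constructed sample values.

```python
"""Build and verify a RADIUS Access-Accept carrying Framed-IP-Address and
dynamic-VLAN tunnel attributes (RFC 2865 / RFC 2868).

Added example, not FortiOS or FortiAP code. It shows what the RADIUS server
returns for the controller to place a client by address or VLAN. The request
authenticator, identifier, secret and attribute values are constructed
sample data.
"""
import hashlib
import hmac
import ipaddress
import struct

ACCESS_ACCEPT = 2
# Attribute types and tunnel enumerations (RFC 2865 / RFC 2868)
FRAMED_IP_ADDRESS = 8
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6


def _avp(attr_type, value):
    """Encode one attribute: Type(1) Length(1) Value; Length counts the header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_attributes(vlan_id, tag=1):
    """The three tunnel attributes that carry a VLAN assignment, sharing one tag."""
    # Tunnel-Type and Tunnel-Medium-Type: Tag(1) + 3-byte integer.
    # Tunnel-Private-Group-ID: Tag(1) + string; tags 0x01..0x1F are valid.
    return (_avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def access_accept(identifier, request_authenticator, secret, attributes):
    """Assemble the packet; ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    length = 20 + len(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, length)
    response_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes


def parse_accept(packet, request_authenticator, secret):
    """Verify the Response Authenticator and return the attributes the AP acts on."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    # Constant-time compare: a forged Accept is how an attacker would slip a
    # client onto a privileged VLAN, so never act on a mismatched authenticator.
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch (wrong secret or forged reply)")
    result = {}
    pos = 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")
        value = attrs[pos + 2:pos + alen]
        pos += alen
        if atype == FRAMED_IP_ADDRESS:
            result["framed_ip"] = str(ipaddress.IPv4Address(value))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # Strip the leading tag byte only when it is in the reserved tag range.
            result["vlan"] = (value[1:] if value and value[0] <= 0x1F else value).decode()
    return result


def sample_exchange(secret=b"aoewmntiasf", vlan_id=20):
    """Constructed sample: the server answers request ID 7 with an IP and a VLAN."""
    request_auth = bytes(range(16))  # stands in for the random Access-Request authenticator
    attrs = (_avp(FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.10.120.5").packed)
             + vlan_attributes(vlan_id))
    packet = access_accept(7, request_auth, secret, attrs)
    return parse_accept(packet, request_auth, secret)


if __name__ == "__main__":
    print(sample_exchange())  # {'framed_ip': '10.10.120.5', 'vlan': '20'}
```

The three tunnel attributes are what "passing the VLAN via 802.1X RADIUS authentication" means on the wire: a controller that supports dynamic VLAN reads Tunnel-Private-Group-ID from a verified Accept and tags that client's traffic accordingly, so the decision lives in the RADIUS policy (for example keyed on the authenticated user or device group), not on the access point. Note that the only thing binding the reply to the request is the MD5 authenticator keyed with the shared secret, which is why the secret and the RADIUS path deserve the care described under WPA-Enterprise security.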