Tag Archives: connected utm – fortigate/fortiwifi-30 series

Configuring a WiFi LAN

Configuring a WiFi LAN

When working with a FortiGate WiFi controller, you can configure your wireless network before you install any access points. If you are working with a standalone FortiWiFi unit, the access point hardware is already present but the configuration is quite similar. Both are covered in this section.

  • Overview of WiFi controller configuration
  • Setting your geographic location
  • Creating a FortiAP Profile
  • Defining a wireless network interface (SSID) Defining SSID Groups
  • Dynamic user VLAN assignment Configuring user authentication Configuring firewall policies for the SSID
  • Configuring the built-in access point on a FortiWiFi unit

 

On FortiGate model 30D, web-based manager configuration of the WiFi controller is disabled by default. To enable it, enter the following CLI commands:

config system global

set gui-wireless-controller enable end

 

If you want to connect and authorize external APs, such as FortiAP units, see the next chapter, Access point deployment.

 

 

Overview of WiFi controller configuration

The FortiGate WiFi controller configuration is composed of three types of object, the SSID, the AP Profile and the physical Access Point.

  • An SSID defines a virtual wireless network interface, including security settings. One SSID is sufficient for a wireless network, regardless how many physical access points are provided. You might, however, want to create multiple SSIDs to provide different services or privileges to different groups of users. Each SSID has separate firewall policies and authentication. Each radio in an access point can support up to 8 SSIDs.

A more common use of the term SSID is for the identifier that clients must use to connect to the wireless network. Each SSID (wireless interface) that you configure will have an SSID field for this identifier. In Managed Access Point configurations you choose wireless networks by SSID values. In firewall policies you choose wireless interfaces by their SSID name.

  • An AP Profile defines the radio settings, such as band (802.11g for example) and channel selection. The

AP Profile names the SSIDs to which it applies. Managed APs can use automatic profile settings or you can create

AP profiles.

  • Managed Access Points represent local wireless APs on FortiWiFi units and FortiAP units that the FortiGate unit has discovered. There is one managed access point definition for each AP device. An access point definition can use automatic AP profile settings or select a FortiAP Profile. When automatic profile settings are used, the managed AP definition also selects the SSIDs to be carried on the AP.

 

Conceptual view of FortiGate WiFi controller configuration

 

About SSIDs on FortiWiFi units

FortiWiFi units have a default SSID (wireless interface) named wlan. You can modify or delete this SSID as needed. As with external APs, the built-in wireless AP can be configured to carry any SSID.

The AP settings for the built-in wireless access point are located at WiFi Controller > Local WiFi Radio. The available operational settings are the same as those for external access points which are configured at

WiFi Controller > Managed FortiAPs.

 

Process to create a wireless network

To set up your wireless network, you will need to perform the following steps:

  • Make sure the FortiGate wireless controller is configured for your geographic location. This ensures that the available radio channels and radio power are in compliance with the regulations in your region.
  • Optionally, if you don’t want to use automatic AP profile settings, configure a FortiAP profile, specifying the radio settings and the SSIDs to which they apply.
  • Configure one or more SSIDs for your wireless network. The SSID configuration includes DHCP and DNS settings.
  • Configure the user group and users for authentication on the WLAN.
  • Configure the firewall policy for the WLAN.
  • Optionally, customize the captive portal.
  • Configure access points.

Configuration of the built-in AP on FortiWiFi units is described in this chapter. Connection and configuration of

FortiAP units is described in the next chapter, see Access point deployment on page 850.

 

 

Setting your geographic location

The maximum allowed transmitter power and permitted radio channels for WiFi networks depend on the region in which the network is located. By default, the WiFi controller is configured for the United States. If you are located in any other region, you need to set your location before you begin configuring wireless networks.

 

To change the location setting – CLI

To change the country to France, for example, enter

config wireless-controller setting set country FR

end

To see the list of country codes, enter a question mark (‘?’) instead of a country code.

Before changing the country setting, you must remove all FortiAP Profiles. To do this, go to WiFi & Switch Controller > FortiAP Profiles.

View all Country & Regcodes/Regulatory Domains

The following CLI command can be entered to view a list of the Country & Regcodes/Regulatory Domains supported by Fortinet:

cw_diag -c all-countries

Below is a table showing a sample of the list displayed by entering this command:

 

Country-code Region-code Domain ISOname Name
 

0

 

A

 

FCC3 & FCCA

 

NA

 

NO_COUNTRY_SET

 

8

 

W

 

NULL1 & WORLD

 

AL

 

ALBANIA

 

12

 

W

 

NULL1 & WORLD

 

DZ

 

ALGERIA

 

16

 

A

 

FCC3 & FCCA

 

AS

 

AMERICAN SAMOA

 

...

 

...

 

...

 

...

 

...