Fortinet black logo

Cookbook

Assigning WiFi users to VLANs dynamically

Copy Link
Copy Doc ID 598118ae-ea1f-11e9-8977-00505692583a:21355
Download PDF

Assigning WiFi users to VLANs dynamically

Virtual LANs (VLANs) are used to assign wireless users to different networks without requiring the use of multiple SSIDs. Each user's VLAN assignment is stored in the user database of the RADIUS server that authenticates the users.

This example creates dynamic VLANs for the Techdoc and Marketing departments. The RADIUS server is a FortiAuthenticator.

1. Configure the FortiAuthenticator

Go to Authentication > RADIUS Service > Clients to register the FortiGate as a client.

Enter a Secret (a password) and remember it. It will also be used in the FortiGate configuration.

Go to Authentication > User Management > Local Users and create local user accounts as needed.

For each user, add these RADIUS attributes which specify the VLAN information to be sent to the FortiGate.

Tunnel-Private-Group-Id specifies the VLAN ID.

In this example, jsmith is assigned VLAN 100 and twhite is assigned VLAN 200.

2. Add the RADIUS server to the FortiGate configuration

Go to User & Device > RADIUS Servers. Select Create New.

Enter the FortiAuthenticator IP address and the server secret that you entered on the FortiAuthenticator. Optionally, you can click Test Connectivity. Enter a RADIUS user's ID and password. The result should be “Successful”.

3. Create an SSID with dynamic VLAN assignment

Go to WiFi Controller > SSID. Create a new SSID.

Set up DHCP service.

Select WPA2 Enterprise security and select your RADIUS server for authentication.

Set the default VLAN ID to 10. This VLAN is used when RADIUS doesn't assign a VLAN.

Go to the Dashboard and use the CLI Console to enable dynamic VLANs on the SSID.

config wireless-controller vap
    edit example-wifi
        set dynamic-vlan enable
    next
end

4. Create the VLAN interfaces

Go to Network > Interfaces.

Create the VLAN interface for default VLAN-10 and set up DHCP service.

Create the VLAN interface for marketing-100 and set up DHCP service.

Create the VLAN interface for techdoc-200 and set up DHCP service.

5. Create security policies

Go to Policy & Objects > IPv4 Policy.

Create a policy that allows outbound traffic from marketing-100 to the Internet.

In Logging Options, enable logging for all sessions.

Create a policy that allows outbound traffic from techdoc-200 to the Internet.

For this policy too, in Logging Options enable logging for all sessions.

6. Create the FortiAP Profile

Go to WiFi Controller > FortiAP Profiles.

Create a new profile for your FortiAP model and select the new SSID for both Radio 1 and Radio 2.

7. Connect and authorize the FortiAP

Go to Network > Interfaces and choose an unused interface.

Set Addressing mode to Dedicated to Extension Device.

Connect the FortiAP unit to the this interface and apply power.

Go to WiFi Controller > Managed FortiAPs.

Right-click on the FortiAP unit. Select Authorize.

Right-click on the FortiAP unit again. Select Assign Profile and select the FortiAP profile that you created.

Results

The SSID will appear in the list of available wireless networks on the users' devices.

Both twhite and jsmith can connect to the SSID with their credentials and access the Internet (if a certificate warning message appears, accept the certificate).

Go to Log & Report > Forward Traffic.

Note that traffic for jsmith and twhite pass through different policies (the column selections were customized for clarity).

The security policies could be made different so that Marketing and Techdoc departments were allowed different access, but didn't think that was fair.

Assigning WiFi users to VLANs dynamically

Virtual LANs (VLANs) are used to assign wireless users to different networks without requiring the use of multiple SSIDs. Each user's VLAN assignment is stored in the user database of the RADIUS server that authenticates the users.

This example creates dynamic VLANs for the Techdoc and Marketing departments. The RADIUS server is a FortiAuthenticator.

1. Configure the FortiAuthenticator

Go to Authentication > RADIUS Service > Clients to register the FortiGate as a client.

Enter a Secret (a password) and remember it. It will also be used in the FortiGate configuration.

Go to Authentication > User Management > Local Users and create local user accounts as needed.

For each user, add these RADIUS attributes which specify the VLAN information to be sent to the FortiGate.

Tunnel-Private-Group-Id specifies the VLAN ID.

In this example, jsmith is assigned VLAN 100 and twhite is assigned VLAN 200.

2. Add the RADIUS server to the FortiGate configuration

Go to User & Device > RADIUS Servers. Select Create New.

Enter the FortiAuthenticator IP address and the server secret that you entered on the FortiAuthenticator. Optionally, you can click Test Connectivity. Enter a RADIUS user's ID and password. The result should be “Successful”.

3. Create an SSID with dynamic VLAN assignment

Go to WiFi Controller > SSID. Create a new SSID.

Set up DHCP service.

Select WPA2 Enterprise security and select your RADIUS server for authentication.

Set the default VLAN ID to 10. This VLAN is used when RADIUS doesn't assign a VLAN.

Go to the Dashboard and use the CLI Console to enable dynamic VLANs on the SSID.

config wireless-controller vap
    edit example-wifi
        set dynamic-vlan enable
    next
end

4. Create the VLAN interfaces

Go to Network > Interfaces.

Create the VLAN interface for default VLAN-10 and set up DHCP service.

Create the VLAN interface for marketing-100 and set up DHCP service.

Create the VLAN interface for techdoc-200 and set up DHCP service.

5. Create security policies

Go to Policy & Objects > IPv4 Policy.

Create a policy that allows outbound traffic from marketing-100 to the Internet.

In Logging Options, enable logging for all sessions.

Create a policy that allows outbound traffic from techdoc-200 to the Internet.

For this policy too, in Logging Options enable logging for all sessions.

6. Create the FortiAP Profile

Go to WiFi Controller > FortiAP Profiles.

Create a new profile for your FortiAP model and select the new SSID for both Radio 1 and Radio 2.

7. Connect and authorize the FortiAP

Go to Network > Interfaces and choose an unused interface.

Set Addressing mode to Dedicated to Extension Device.

Connect the FortiAP unit to the this interface and apply power.

Go to WiFi Controller > Managed FortiAPs.

Right-click on the FortiAP unit. Select Authorize.

Right-click on the FortiAP unit again. Select Assign Profile and select the FortiAP profile that you created.

Results

The SSID will appear in the list of available wireless networks on the users' devices.

Both twhite and jsmith can connect to the SSID with their credentials and access the Internet (if a certificate warning message appears, accept the certificate).

Go to Log & Report > Forward Traffic.

Note that traffic for jsmith and twhite pass through different policies (the column selections were customized for clarity).

The security policies could be made different so that Marketing and Techdoc departments were allowed different access, but didn't think that was fair.