Handbook

Defining a wireless network interface (SSID)

6.0.0

Defining a wireless network interface (SSID)

You begin configuring your wireless network by defining one or more SSIDs to which your users will connect. When you create an SSID, a virtual network interface is also created with the Name you specified in the SSID configuration. You can configure the settings of an existing SSID in either WiFi & Switch Controller > SSID or Network > Interfaces.

Note: If a software switch interface contains an SSID (but only one), the WiFi SSID settings are available in the switch interface settings.

To create a new SSID
  1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.
  2. Fill in the SSID fields as described below.
To configure the settings of an existing SSID
  1. Either
    • Go to WiFi & Switch Controller > SSID.

      or

    • Go to Network > Interfaces.

      WiFi interfaces list the SSID beside the interface Name.

  2. Edit a WiFi interface, modifying the SSID fields as needed.
SSID fields

Interface Name

Enter a name for the SSID interface.

Type

WiFi SSID.

Traffic Mode

Tunnel to Wireless Controller — Data for WLAN passes through WiFi Controller. This is the default.

Local bridge with FortiAP’s Interface — FortiAP unit Ethernet and WiFi interfaces are bridged.

Mesh Downlink — Radio receives data for WLAN from mesh backhaul SSID.

IP/Network Mask

Enter the IP address and netmask for the SSID.

IPv6 Address

Enter the IPv6 address. This is available only when IPv6 has been enabled on the unit.

Administrative Access

Select which types of administrative access are permitted on this SSID.

IPv6 Administrative Access

If you have IPv6 addresses, select the permitted IPv6 administrative access types for this SSID.

DHCP Server

To assign IP addresses to clients, enable DHCP server. You can define IP address ranges for a DHCP server on the FortiGate unit or relay DHCP requests to an external server.

If the unit is in transparent mode, the DHCP server settings will be unavailable.

For more information, see Configuring DHCP for WiFi clients.

Device Detection

Detect connected device type. Enabled by default.

Active Scanning

Enabled by default.

WiFi Settings

SSID

Enter the SSID. By default, this field contains fortinet.

Security Mode

Select the security mode for the wireless interface. Wireless users must use the same security mode to be able to connect to this wireless interface. Additional security mode options are available in the CLI. For more information, see Configuring security.

Captive Portal – authenticates users through a customizable web page.

WPA2-Personal – WPA2 is WiFi Protected Access version 2. There is one pre-shared key (password) that all users use.

WPA2-Personal with Captive Portal – The user will need to know the pre-shared key and will also be authenticated through the custom portal.

WPA2-Enterprise – similar to WPA2-Personal, but is best used for enterprise networks. Each user is separately authenticated by user name and password.

Pre-shared Key

Available only when Security Mode is WPA2-Personal. Enter the encryption key that the clients must use.

Authentication

Available only when Security Mode is WPA2-Enterprise.

Select one of the following:

RADIUS Server — Select the RADIUS server that will authenticate the clients.
Local – Select the user group(s) that can authenticate.

Portal Type

Available only when Security Mode is Captive Portal. Choose the captive portal type. Authentication is available with or without a usage policy disclaimer notice.

Authentication Portal

Local - portal hosted on the FortiGate unit
External - enter FQDN or IP address of external portal

User Groups

Select permitted user groups for captive portal authentication.

Exempt List

Select exempt lists whose members will not be subject to captive portal authentication.

Customize Portal Messages

Click the listed portal pages to edit them.

Redirect after Captive Portal

Optionally, select Specific URL and enter a URL for user redirection after captive portal authentication. By default, users are redirected to the URL that they originally requested.

Allow New WiFi Client Connections When Controller Is Down

This option is available for local bridge SSIDs with WPA-Personal security. See Combining WiFi and wired networks with a software switch.

Broadcast SSID

Optionally, disable broadcast of SSID. By default, the SSID is broadcast. For more information, see Introduction to wireless networking.

Schedule

Select when the SSID is enabled. You can choose any schedule defined in Policy & Objects > Objects > Schedules.

Block Intra-SSID Traffic

Select to enable the unit to block intra-SSID traffic.

Maximum Clients

Select to limit the number of clients permitted to connect simultaneously. Enter the limit value.

Split Tunneling

Select to enable some subnets to remain local to the remote FortiAP. Traffic for these networks is not routed through the WiFi Controller. Specify split-tunnel networks in the FortiAP Profile. See Split tunneling.

Optional VLAN ID

Enter the ID of the VLAN this SSID belongs to. Enter 0 for non-VLAN operation.

Enable Explicit Web Proxy

Select to enable explicit web proxy for the SSID.

Listen for RADIUS Accounting Messages

Enable if you are using RADIUS-based single sign-on (SSO).

Secondary IP Address

Optionally, enable and define secondary IP addresses. Administrative access can be enabled on secondary interfaces.

Comments

Enter a description or comment for the SSID.

To configure a virtual access point (SSID) - CLI

The example below creates an access point with SSID “example” and WPA2-Personal security. The wireless interface is named example_wlan.

WiFi SSIDs include a schedule that determines when the WiFi network is available. The default schedule is Always. You can choose any schedule (but not schedule group) that is defined in Policy & Objects > Objects > Schedules.

config wireless-controller vap
    edit example_wlan
        set ssid "example"
        set broadcast-ssid enable
        set security wpa2-only-personal
        set passphrase "hardtoguess"
        set schedule always
        set vdom root
end

config system interface
    edit example_wlan
        set ip 10.10.120.1 255.255.255.0
end

Configuring DHCP for WiFi clients

Wireless clients need to have IP addresses. If you use RADIUS authentication, each user’s IP address can be stored in the Framed-IP-Address attribute. Otherwise, you need to configure a DHCP server on the WLAN interface to assign IP addresses to wireless clients.

To configure a DHCP server for WiFi clients - GUI
  1. Go to WiFi & Switch Controller > SSID and edit your SSID entry.
  2. In DHCP Server select Enable.
  3. In Address Range, select Create New.
  4. In the Starting IP and End IP fields, enter the IP address range to assign.
    By default an address range is created in the same subnet as the wireless interface IP address, but not including that address.
  5. Set the Netmask to an appropriate value, such as 255.255.255.0.
  6. Set the Default Gateway to Same as Interface IP.
  7. Set the DNS Server to Same as System DNS.
  8. If you want to restrict access to the wireless network by MAC address, see Adding a MAC filter.
  9. Select OK.
To configure a DHCP server for WiFi clients - CLI

In this example, WiFi clients on the example_wlan interface are assigned addresses in the 10.10.120.2-9 range to connect with the WiFi access point on 10.10.120.1.

config system dhcp server
    edit 0
        set default-gateway 10.10.120.1
        set dns-service default
        set interface example_wlan
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set end-ip 10.10.120.9
                set start-ip 10.10.120.2
        end
end

Note: You cannot delete an SSID (wireless interface) that has DHCP enabled on it.

Configuring security

Using the GUI, you can configure captive portal security or WiFi Protected Access version 2 (WPA2) security modes WPA2-Personal and WPA2-Enterprise. Using the CLI, you can also choose WPA/WPA2 modes that support both WPA version 1 and WPA version 2.

WPA2 security with a pre-shared key for authentication is called WPA2-Personal. This can work well for one person or a small group of trusted people. But, as the number of users increases, it is difficult to distribute new keys securely and there is increased risk that the key could fall into the wrong hands.

A more secure form of WPA2 security is WPA2-Enterprise. Users each have their own authentication credentials, verified through an authentication server, usually RADIUS. FortiOS can also authenticate WPA2-Enterprise users through its built-in user group functionality. FortiGate user groups can include RADIUS servers and can select users by RADIUS user group. This makes possible Role-Based Access Control (RBAC).

By default, WPA2 security encrypts communication using Advanced Encryption Standard (AES). But some older wireless clients support only Temporal Key Integrity Protocol (TKIP). You can change the encryption to TKIP or negotiable TKIP-AES in the CLI. For example, to accommodate clients with either TKIP or AES, enter:

config wireless-controller vap
    edit example_wlan
        set security wpa-personal
        set passphrase "hardtoguess"
        set encrypt TKIP-AES
end

Captive portal security connects users to an open web portal defined in replacement messages. To navigate to any location beyond the web portal, the user must pass FortiGate user authentication.

WPA-Personal security

WPA2-Personal security setup requires only the pre-shared key that you will provide to your clients.

To configure WPA2-Personal security - GUI
  1. Go to WiFi & Switch Controller > SSID and edit your SSID entry.
  2. In Security Mode, select WPA2 Personal.
  3. In Pre-shared Key, enter a key between 8 and 63 characters long.
  4. Select OK.
To configure WPA2-Personal security - CLI

config wireless-controller vap
    edit example_wlan
        set security wpa2-personal
        set passphrase "hardtoguess"
end

WPA-Enterprise security

If you will use FortiOS user groups for authentication, go to User & Device > User > User Groups and create those groups first. The groups should be Firewall groups.

If you will use a RADIUS server to authenticate wireless clients, you must first configure the FortiGate unit to access the RADIUS server.

To configure FortiGate unit access to the RADIUS server - GUI
  1. Go to User & Device > RADIUS Servers and select Create New.
  2. Enter a Name for the server.
  3. In Primary Server Name/IP, enter the network name or IP address for the server.
  4. In Primary Server Secret, enter the shared secret used to access the server.
  5. Optionally, enter the information for a secondary or backup RADIUS server.
  6. Select OK.
To configure the FortiGate unit to access the RADIUS server - CLI

config user radius
    edit exampleRADIUS
        set auth-type auto
        set server 10.11.102.100
        set secret aoewmntiasf
end

RADIUS Change of Authorization (CoA) support

The CoA feature enables the FortiGate to receive a client disconnect message from the RADIUS server. This is used to disconnect clients when their time, credit or bandwidth has been used up. Enable this in the RADIUS server configuration using the CLI:

config user radius
    edit <name>
        set radius-coa enable
end

To configure WPA-Enterprise security - GUI
  1. Go to WiFi & Switch Controller > SSID and edit your SSID entry.
  2. In Security Mode, select WPA2 Enterprise.
  3. In Authentication, do one of the following:
    • If you will use a RADIUS server for authentication, select RADIUS Server and then select the RADIUS server.
    • If you will use a local user group for authentication, select Local and then select the user group(s) permitted to use the wireless network.
  4. Select OK.
To configure WPA-Enterprise security - CLI

config wireless-controller vap
    edit example_wlan
        set security wpa2-enterprise
        set auth radius
        set radius-server exampleRADIUS
end

Captive portal security

Captive portal security provides an access point that initially appears open. The wireless client can connect to the AP with no security credentials. The AP responds to the client’s first HTTP request with a web page requesting user name and password. Until the user enters valid credentials, no communication beyond the AP is permitted.

The captive portal can be hosted on the FortiGate unit, or externally. For details see

Configuring WiFi captive portal security - FortiGate captive portal

Configuring WiFi captive portal security - external server

For general information about captive portals, see the Captive Portal chapter of the Authentication Guide.

Adding a MAC filter

On each SSID, you can create a MAC address filter list to either permit or exclude a list of clients identified by their MAC addresses.

This is actually not as secure as it appears. Someone seeking unauthorized access to your network can obtain MAC addresses from wireless traffic and use them to impersonate legitimate users. A MAC filter list should only be used in conjunction with other security measures such as encryption.

To configure a MAC filter - GUI
  1. Go to WiFi & Switch Controller > SSID and edit your SSID entry.
  2. In the DHCP Server section, expand Advanced.
  3. In MAC Reservation + Access Control, double-click in the Unknown MAC Addresses line and select Assign IP or Block, as needed.
    By default, unlisted MAC addresses are assigned an IP address automatically.
  4. In MAC Reservation + Access Control, select Create New.
  5. Enter a MAC address in the MAC field.
  6. In IP or Action, select one of:
    • Reserve IP — enter the IP address that is always assigned to this MAC address.
    • Assign IP — an IP address is assigned to this MAC address automatically.
    • Block — This MAC address will not be assigned an IP address.
  7. Repeat steps 4 through 6 for each additional MAC address that you want to add.
  8. Select OK.
To configure a MAC filter - CLI
  1. Enter

    config system dhcp server
    show

  2. Find the entry where interface is your WiFi interface. Edit that entry and configure the MAC filter. In this example, the MAC address 11:11:11:11:11:11 will be excluded. Unlisted MAC addresses will be assigned an IP address automatically.

    edit 3
        config reserved-address
            edit 1
                set action block
                set mac 11:11:11:11:11:11
        end
        set mac-acl-default-action assign
    end

Limiting the number of clients

You might want to prevent overloading of your access point by limiting the number of clients who can associate with it at the same time. Limits can be applied per SSID, per AP, or per radio.

To limit the number of clients per SSID - GUI
  1. Go to WiFi & Switch Controller > SSID and edit your SSID.
  2. Turn on Maximum Clients and enter the maximum number of clients in Limit Concurrent WiFi Clients.
To limit the number of clients per AP - CLI

Edit the wtp-profile (FortiAP profile), like this:

config wireless-controller wtp-profile
    edit "FAP221C-default"
        set max-clients 30
end

To limit the number of clients per radio - CLI

Edit the wtp-profile (FortiAP profile), like this:

config wireless-controller wtp-profile
    edit "FAP221C-default"
        config radio-1
            set max-clients 10
        end
        config radio-2
            set max-clients 30
        end
end

Multicast enhancement

FortiOS can translate multicast traffic into unicast traffic to send to clients, maintaining its own multicast client list through IGMP snooping. You can configure this in the CLI:

config wireless-controller vap
    edit example_wlan
        set multicast-enhance enable
        set me-disable-thresh 32
end

If the number of clients on the SSID is larger than me-disable-thresh, multicast enhancement is disabled.

Configuring WiFi captive portal security - FortiGate captive portal

The built-in FortiGate captive portal is simpler than an external portal. It can even be customized if needed.

To configure a WiFi Captive Portal - GUI:
  1. Go to WiFi & Switch Controller > SSID and create your SSID.
    If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.
  2. In Security Mode, select Captive Portal.
  3. Enter the following settings:
    Portal Type: The portal can provide authentication and/or disclaimer, or perform user email address collection. See Defining a wireless network interface (SSID).
    Authentication Portal: Local
    User Groups: Select permitted user groups or select Use Groups from Policies, which permits the groups specified in the security policy.
    Exempt List: Select exempt lists whose members will not be subject to captive portal authentication.
    Customize Portal Messages: Click the link of the portal page that you want to modify. For more information see the Captive Portal chapter of the Authentication Guide.
  4. Select OK.

Configuring WiFi captive portal security - external server

An external captive portal is a web page on a web server. The essential part of the web portal page is a script that gathers the user’s logon credentials and sends back to the FortiGate a specifically-formatted POST message. The portal page can also contain links to local information such as legal notices, terms of service and so on. Without authenticating, the user cannot access any other information. This is sometimes called a “walled garden”.

On the captive portal page, the user submits credentials, which the script returns to the FortiGate at the URL https://<FGT_IP>:1000/fgtauth with data magic=session_id&username=<username>&password=<password>. (The magic value was provided in the initial FortiGate request to the web server.)

To ensure that credentials are communicated securely, enable the use of HTTPS for authentication:

config user setting
    set auth-secure-http enable
end
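The portal-side half of the exchange described above, written here as an added example; it is not Fortinet's code and not a script shipped with FortiOS. It assumes the FortiGate delivers the session token to the portal as a query parameter named magic, and uses a placeholder FortiGate address.

```javascript
// Added example (not Fortinet's portal code): the external portal collects the
// user's credentials and returns them to the FortiGate with a POST to
// https://<FGT_IP>:1000/fgtauth carrying magic=...&username=...&password=...
// Assumptions not stated on the page: the token arrives on the portal's URL
// as a query parameter named "magic", and the portal operator knows the
// FortiGate's address (a placeholder documentation address is used here).

const FGT_AUTH_PORT = 1000;            // fixed port given on the page
const FGT_AUTH_PATH = "/fgtauth";      // fixed path given on the page
const EXAMPLE_FGT_IP = "192.0.2.1";    // placeholder, RFC 5737 range (assumption)

// The FortiGate authentication endpoint is always reached over HTTPS, since
// the credentials cross an SSID that is still open at this point.
function fgtAuthUrl(fgtIp) {
  return `https://${fgtIp}:${FGT_AUTH_PORT}${FGT_AUTH_PATH}`;
}

// Pull the one-time token out of the URL the FortiGate redirected the client
// to.  Returns null when absent so the portal can refuse to show a login form
// that the FortiGate would never accept (a direct visit or a stale bookmark).
function extractMagic(portalUrl) {
  const magic = new URL(portalUrl).searchParams.get("magic");
  return magic ? magic : null;
}

// Build the request the portal must send back: POST (never a GET with
// credentials in the query string) with the body in the exact field order the
// page gives, percent-encoded as application/x-www-form-urlencoded.
function buildFgtAuthRequest(fgtIp, magic, username, password) {
  if (!magic) {
    throw new Error("missing magic token: not a FortiGate-initiated session");
  }
  const body = new URLSearchParams({ magic, username, password });
  return {
    url: fgtAuthUrl(fgtIp),
    method: "POST",
    contentType: "application/x-www-form-urlencoded",
    body: body.toString(),
  };
}

// Browser wiring: point an existing <form> with "username" and "password"
// inputs at the FortiGate and carry the token in a hidden field.  A plain
// form post is used rather than fetch() so the cross-origin submission needs
// no CORS handling and the browser follows the FortiGate's own redirect
// (Original Request or Specific URL).  Returns false when no token is present.
function wirePortalForm(form, fgtIp, currentUrl) {
  const magic = extractMagic(currentUrl);
  if (!magic) {
    return false;
  }
  form.method = "POST";
  form.action = fgtAuthUrl(fgtIp);
  form.enctype = "application/x-www-form-urlencoded";
  const hidden = form.ownerDocument.createElement("input");
  hidden.type = "hidden";
  hidden.name = "magic";
  hidden.value = magic;
  form.appendChild(hidden);
  return true;
}
```

In the browser, call wirePortalForm(document.forms.login, EXAMPLE_FGT_IP, window.location.href) once the page loads; buildFgtAuthRequest is the same message shape for a server-side script that relays the POST.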

To configure use of an external WiFi Captive Portal - GUI:
  1. Go to WiFi & Switch Controller > SSID and create your SSID.
    If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.
  2. In Security Mode, select Captive Portal.
  3. Enter the following settings:
    Portal Type: The portal can provide authentication and/or disclaimer, or perform user email address collection.
    Authentication Portal: External - enter the FQDN or IP address of the external portal. Typically, this is the URL of a script. Do not include the protocol (http:// or https://) part of the URL.
    User Groups: Select permitted user groups or select Use Groups from Policies, which permits the groups specified in the security policy.
    Exempt List: Select exempt lists whose members will not be subject to captive portal authentication.
    Redirect after Captive Portal: Original Request, or Specific URL - enter URL.
  4. Select OK.

Defining a wireless network interface (SSID)

You begin configuring your wireless network by defining one or more SSIDs to which your users will connect. When you create an SSID, a virtual network interface is also created with the Name you specified in the SSID configuration. You can configure the settings of an existing SSID in either WiFi & Switch Controller > SSID or (Undefined variable: FortiOSGUIVariables.System > Network > Interfaces).

note icon

If a software switch interface contains an SSID (but only one), the WiFi SSID settings are available in the switch interface settings.

To create a new SSID
  1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.
  2. Fill in the SSID fields as described below.
To configure the settings of an existing SSID
  1. Either
    • Go to WiFi & Switch Controller > SSID.

      or

    • Go to Network > Interfaces.

      WiFi interfaces list the SSID beside the interface Name.

  2. Edit a WiFi interface, modifying the SSID fields as needed.
SSID fields

Interface Name

Enter a name for the SSID interface.

Type

WiFi SSID.

Traffic Mode

Tunnel to Wireless Controller — Data for WLAN passes through WiFi Controller. This is the default.

Local bridge with FortiAP’s Interface — FortiAP unit Ethernet and WiFi interfaces are bridged.

Mesh Downlink — Radio receives data for WLAN from mesh backhaul SSID.

IP/Network Mask

Enter the IP address and netmask for the SSID.

IPv6 Address

Enter the IPv6 address. This is available only when IPv6 has been enabled on the unit.

Administrative Access

Select which types of administrative access are permitted on this SSID.

IPv6 Administrative Access

If you have IPv6 addresses, select the permitted IPv6 administrative access types for this SSID.

DHCP Server

To assign IP addresses to clients, enable DHCP server. You can define IP address ranges for a DHCP server on the FortiGate unit or relay DHCP requests to an external server.

If the unit is in transparent mode, the DHCP server settings will be unavailable.

For more information, see Configuring DHCP for WiFi clients.

Device Detection

Detect connected device type. Enabled by default.

Active Scanning

Enabled by default.

WiFi Settings

SSID

Enter the SSID. By default, this field contains fortinet.

Security Mode

Select the security mode for the wireless interface. Wireless users must use the same security mode to be able to connect to this wireless interface. Additional security mode options are available in the CLI. For more information, see Configuring security.

Captive Portal – authenticates users through a customizable web page.

WPA2-Personal – WPA2 is WiFi Protected Access version 2. There is one pre-shared key (password) that all users use.

WPA2-Personal with Captive Portal – The user will need to know the pre-shared key and will also be authenticated through the custom portal.

WPA2-Enterprise – similar to WPA2-Personal, but is best used for enterprise networks. Each user is separately authenticated by user name and password.

Pre-shared Key

Available only when Security Mode is WPA2-Personal. Enter the encryption key that the clients must use.

Authentication

Available only when Security Mode is WPA2-Enterprise.

Select one of the following:

RADIUS Server — Select the RADIUS server that will authenticate the clients.
Local – Select the user group(s) that can authenticate.

Portal Type

Available only when Security Mode is Captive Portal. Choose the captive portal type. Authentication is available with or without a usage policy disclaimer notice.

Authentication Portal

Local - portal hosted on the FortiGate unit
External - enter FQDN or IP address of external portal

User Groups

Select permitted user groups for captive portal authentication.

Exempt List

Select exempt lists whose members will not be subject to captive portal authentication.

Customize Portal Messages

Click the listed portal pages to edit them.

Redirect after Captive Portal

Optionally, select Specific URL and enter a URL for user redirection after captive portal authentication. By default, users are redirected to the URL that they originally requested.

Allow New WiFi Client Connections When Controller Is Down

This option is available for local bridge SSIDs with WPA-Personal security. See Combining WiFi and wired networks with a software switch.

Broadcast SSID

Optionally, disable broadcast of SSID. By default, the SSID is broadcast. For more information, see Introduction to wireless networking.

Schedule

Select when the SSID is enabled. You can choose any schedule defined in Policy & Objects > Objects > Schedules.

Block Intra-SSID Traffic

Select to enable the unit to block intra-SSID traffic.

Maximum Clients

Select to limit the number of clients permitted to connect simultaneously. Enter the limit value.

Split Tunneling

Select to enable some subnets to remain local to the remote FortiAP. Traffic for these networks is not routed through the WiFi Controller. Specify split-tunnel networks in the FortAP Profile. See Split tunneling.

Optional VLAN ID

Enter the ID of the VLAN this SSID belongs to. Enter 0 for non-VLAN operation.

Enable Explicit Web Proxy

Select to enable explicit web proxy for the SSID.

Listen for RADIUS Accounting Messages

Enable if you are using RADIUS-based single sign-on (SSO).

Secondary IP Address

Optioanally, enable and define secondary IP addresses. Administrative access can be enabled on secondary interfaces.

Comments

Enter a description or comment for the SSID.

To configure a virtual access point (SSID) - CLI

The example below creates an access point with SSID “example” and WPA2-Personal security. The wireless interface is named example_wlan.

WiFi SSIDs include a schedule that determines when the WiFi network is available. The default schedule is Always. You can choose any schedule (but not schedule group) that is defined in Policy & Objects > Objects > Schedules.

config wireless-controller vap

edit example_wlan

set ssid "example"

set broadcast-ssid enable

set security wpa2-only-personal

set passphrase "hardtoguess”

set schedule always

set vdom root

end

config system interface

edit example_wlan

set ip 10.10.120.1 255.255.255.0

end

Configuring DHCP for WiFi clients

Wireless clients need to have IP addresses. If you use RADIUS authentication, each user’s IP address can be stored in the Framed-IP-Address attribute. Otherwise, you need to configure a DHCP server on the WLAN interface to assign IP addresses to wireless clients.

To configure a DHCP server for WiFi clients - GUI
  1. Go to WiFi & Switch Controller > SSID and edit your SSID entry.
  2. In DHCP Server select Enable.
  3. In Address Range, select Create New.
  4. In the Starting IP and End IP fields, enter the IP address range to assign.
    By default an address range is created in the same subnet as the wireless interface IP address, but not including that address.
  5. Set the Netmask to an appropriate value, such as 255.255.255.0.
  6. Set the Default Gateway to Same as Interface IP.
  7. Set the DNS Server to Same as System DNS.
  8. If you want to restrict access to the wireless network by MAC address, see Adding a MAC filter.
  9. Select OK.
To configure a DHCP server for WiFi clients - CLI

In this example, WiFi clients on the example_wlan interface are assigned addresses in the 10.10.120.2-9 range to connect with the WiFi access point on 10.10.120.1.

config system dhcp server

edit 0

set default-gateway 10.10.120.1

set dns-service default

set interface example_wlan

set netmask 255.255.255.0

config ip-range

edit 1

set end-ip 10.10.120.9

set start-ip 10.10.120.2

end

end

note icon

You cannot delete an SSID (wireless interface) that has DHCP enabled on it.

Configuring security

Using the GUI, you can configure captive portal security or WiFi Protected Access version 2 (WPA2) security modes WPA2-Personal and WPA2-Enterprise. Using the CLI, you can also choose WPA/WPA2 modes that support both WPA version 1 and WPA version 2.

WPA2 security with a pre-shared key for authentication is called WPA2-Personal. This can work well for one person or a small group of trusted people. But, as the number of users increases, it is difficult to distribute new keys securely and there is increased risk that the key could fall into the wrong hands.

A more secure form of WPA2 security is WPA2-Enterprise. Users each have their own authentication credentials, verified through an authentication server, usually RADIUS. FortiOS can also authenticate WPA2-Enterprise users through its built-in user group functionality. FortiGate user groups can include RADIUS servers and can select users by RADIUS user group. This makes possible Role-Based Access Control (RBAC).

By default, WPA2 security encrypts communication using Advanced Encryption Standard (AES). But some older wireless clients support only Temporal Key Integrity Protocol (TKIP) . You can change the encryption to TKIP or negotiable TKIP-AES in the CLI. For example, to accomodate clients with either TKIP or AES, enter:

config wireless-controller vap

edit example_wlan

set security wpa-personal

set passphrase "hardtoguess"

set encrypt TKIP-AES

end

Captive portal security connects users to an open web portal defined in replacement messages. To navigate to any location beyond the web portal, the user must pass FortiGate user authentication.

WPA-Personal security

WPA2-Personal security setup requires only the preshared key that you will provide to your clients.

To configure WPA2-Personal security - GUI
  1. Go to WiFi & Switch Controller > SSID and edit your SSID entry.
  2. In Security Mode, select WPA2 Personal.
  3. In Pre-shared Key, enter a key between 8 and 63 characters long.
  4. Select OK.
To configure WPA2-Personal security - CLI

config wireless-controller vap

edit example_wlan

set security wpa2-personal

set passphrase "hardtoguess"

end

WPA-Enterprise security

If you will use FortiOS user groups for authentication, go to User & Device > User > User Groups and create those groups first. The groups should be Firewall groups.

If you will use a RADIUS server to authenticate wireless clients, you must first configure the FortiGate unit to access the RADIUS server.

To configure FortiGate unit access to the RADIUS server - GUI
  1. Go to User & Device > RADIUS Servers and select Create New.
  2. Enter a Name for the server.
  3. In Primary Server Name/IP, enter the network name or IP address for the server.
  4. In Primary Server Secret, enter the shared secret used to access the server.
  5. Optionally, enter the information for a secondary or backup RADIUS server.
  6. Select OK.
To configure the FortiGate unit to access the RADIUS server - CLI

config user radius

edit exampleRADIUS

set auth-type auto

set server 10.11.102.100

set secret aoewmntiasf

end

RADIUS Change of Authorization (CoA) support

The CoA feature enables the FortiGate to receive a client disconnect message from the RADIUS server. This is used to disconnect clients when their time, credit or bandwidth had been used up. Enable this on the RADIUS server using the CLI:

config user radius

edit <name>

set radius-coa enable

end

To configure WPA-Enterprise security - GUI
  1. Go to WiFi & Switch Controller > SSIDand edit your SSID entry.
  2. In Security Mode, select WPA2 Enterprise.
  3. In Authentication, do one of the following:
    • If you will use a RADIUS server for authentication, select RADIUS Server and then select the RADIUS server.
    • If you will use a local user group for authentication, select Local and then select the user group(s) permitted to use the wireless network.
  4. Select OK.
To configure WPA-Enterprise security - CLI

config wireless-controller vap

edit example_wlan

set security wpa2-enterprise

set auth radius

set radius-server exampleRADIUS

end

Captive portal security

Captive portal security provides an access point that initially appears open. The wireless client can connect to the AP with no security credentials. The AP responds to the client’s first HTTP request with a web page requesting user name and password. Until the user enters valid credentials, no communication beyond the AP is permitted.

The captive portal can be hosted on the FortiGate unit, or externally. For details see

Configuring WiFi captive portal security - FortiGate captive portal

Configuring WiFi captive portal security - external server

For general information about captive portals, see the Captive Portal chapter of the Authentication Guide.

Adding a MAC filter

On each SSID, you can create a MAC address filter list to either permit or exclude a list of clients identified by their MAC addresses.

This is actually not as secure as it appears. Someone seeking unauthorized access to your network can obtain MAC addresses from wireless traffic and use them to impersonate legitimate users. A MAC filter list should only be used in conjunction with other security measures such as encryption.

To configure a MAC filter - GUI
  1. Go to WiFi & Switch Controller > SSID and edit your SSID entry.
  2. In the DHCP Server section, expand Advanced.
  3. In MAC Reservation + Access Control, double-click in the Unknown MAC Addresses line and select Assign IP or Block, as needed.
    By default, unlisted MAC addresses are assigned an IP address automatically.
  4. In MAC Reservation + Access Control, select Create New.
  5. Enter a MAC address In the MAC field.
  6. In IP or Action, select one of:
    • Reserve IP — enter the IP address that is always assigned to this MAC address.
    • Assign IP — an IP address is assigned to this MAC address automatically.
    • Block — This MAC address will not be assigned an IP address.
  7. Repeat steps 4 through 6 for each additional MAC address that you want to add.
  8. Select OK.
To configure a MAC filter - CLI
  1. Enter

    config system dhcp server
        show

  2. Find the entry where interface is your WiFi interface. Edit that entry and configure the MAC filter. In this example, the MAC address 11:11:11:11:11:11 will be excluded. Unlisted MAC addresses will be assigned an IP address automatically.

    edit 3
        config reserved-address
            edit 1
                set action block
                set mac 11:11:11:11:11:11
        end
        set mac-acl-default-action assign
    end

Limiting the number of clients

You might want to prevent overloading of your access point by limiting the number of clients who can associate with it at the same time. Limits can be applied per SSID, per AP, or per radio.

To limit the number of clients per SSID - GUI
  1. Go to WiFi & Switch Controller > SSID and edit your SSID.
  2. Turn on Maximum Clients and enter the maximum number of clients in Limit Concurrent WiFi Clients.
To limit the number of clients per AP - CLI

Edit the wtp-profile (FortiAP profile), like this:

    config wireless-controller wtp-profile
        edit "FAP221C-default"
            set max-clients 30
    end

To limit the number of clients per radio - CLI

Edit the wtp-profile (FortiAP profile), like this:

    config wireless-controller wtp-profile
        edit "FAP221C-default"
            config radio-1
                set max-clients 10
            end
            config radio-2
                set max-clients 30
            end
    end

Multicast enhancement

FortiOS can translate multicast traffic into unicast traffic to send to clients, maintaining its own list of multicast clients through IGMP snooping. You can configure this in the CLI:

    config wireless-controller vap
        edit example_wlan
            set multicast-enhance enable
            set me-disable-thresh 32
    end

If the number of clients on the SSID is larger than me-disable-thresh, multicast enhancement is disabled.

Configuring WiFi captive portal security - FortiGate captive portal

The built-in FortiGate captive portal is simpler than an external portal. It can even be customized if needed.

To configure a WiFi Captive Portal - GUI:
  1. Go to WiFi & Switch Controller > SSID and create your SSID.
    If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.
  2. In Security Mode, select Captive Portal.
  3. Enter the following:

    Portal Type
    The portal can provide authentication and/or disclaimer, or perform user email address collection. See Defining a wireless network interface (SSID).

    Authentication Portal
    Local.

    User Groups
    Select permitted user groups or select Use Groups from Policies, which permits the groups specified in the security policy.

    Exempt List
    Select exempt lists whose members will not be subject to captive portal authentication.

    Customize Portal Messages
    Click the link of the portal page that you want to modify. For more information see the Captive Portal chapter of the Authentication Guide.

  4. Select OK.

Configuring WiFi captive portal security - external server

An external captive portal is a web page on a web server. The essential part of the web portal page is a script that gathers the user’s logon credentials and sends back to the FortiGate a specifically-formatted POST message. The portal page can also contain links to local information such as legal notices, terms of service and so on. Without authenticating, the user cannot access any other information. This is sometimes called a “walled garden”.

On the captive portal page, the user submits credentials, which the script returns to the FortiGate at the URL https://<FGT_IP>:1000/fgtauth with data
magic=session_id&username=<username>&password=<password>.
(The magic value was provided in the initial FortiGate request to the web server.)

To ensure that credentials are communicated securely, enable the use of HTTPS for authentication. Without this setting the browser is redirected to, and posts the credentials back to, the FortiGate over plain HTTP:

    config user setting
        set auth-secure-http enable
    end
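The exchange described above, as an added example that is not part of the original page and not a Fortinet-provided portal: the portal receives the FortiGate redirect, renders a form, and the form posts magic, username and password to https://<FGT_IP>:1000/fgtauth. The page confirms only the return URL, the three form fields and that the magic value comes from the FortiGate's initial request; it is an assumption here that the redirect carries the session id as the `magic` query parameter and the return URL as `post`. The validation of that return URL against your own FortiGate addresses is the point of the example: a portal that copies an arbitrary `post` value into its form action can be turned into a credential harvester by a crafted link.

```python
"""Login-page logic for an external FortiGate WiFi captive portal.

Added example, not Fortinet code. Assumptions: the FortiGate redirect query
string carries `magic` (session id) and `post` (return URL). The FortiGate
addresses and query strings below are constructed for the demo.
"""
from html import escape
from urllib.parse import parse_qs, urlencode, urlsplit

FGTAUTH_PORT = 1000          # stated on the page: https://<FGT_IP>:1000/fgtauth
FGTAUTH_PATH = "/fgtauth"


class PortalError(ValueError):
    """Raised when the redirect cannot be trusted; show an error page, not a login form."""


def parse_redirect(query_string, allowed_fgt_hosts):
    """Return (magic, action_url) from the query string the redirect arrived with.

    The `post` URL is accepted only if it points at one of our own FortiGates,
    over HTTPS, on the fgtauth port and path. Anything else is rejected rather
    than echoed into the form, so credentials can only ever go to a FortiGate
    we operate. If no `post` is given, the configured address is used.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    magic = params.get("magic", [""])[0]
    if not magic.isalnum():                    # session id: reject empty or odd characters
        raise PortalError("missing or malformed magic")
    post = params.get("post", [""])[0]
    if post:
        u = urlsplit(post)
        if (u.scheme != "https" or u.hostname not in allowed_fgt_hosts
                or u.port != FGTAUTH_PORT or u.path != FGTAUTH_PATH):
            raise PortalError("refusing unexpected post target: %r" % post)
        return magic, post
    host = sorted(allowed_fgt_hosts)[0]
    return magic, "https://%s:%d%s" % (host, FGTAUTH_PORT, FGTAUTH_PATH)


def render_login_form(magic, action_url):
    """The HTML form the client's browser submits directly to the FortiGate.
    Both values are HTML-escaped so a hostile magic cannot inject markup."""
    return (
        '<form method="POST" action="%s">'
        '<input type="hidden" name="magic" value="%s">'
        '<label>Username <input name="username" autocomplete="username"></label>'
        '<label>Password <input type="password" name="password" '
        'autocomplete="current-password"></label>'
        '<button type="submit">Log in</button>'
        '</form>' % (escape(action_url, quote=True), escape(magic, quote=True))
    )


def build_auth_body(magic, username, password):
    """The POST body the page specifies: magic=...&username=...&password=...
    (exactly what the form above submits). Only ever send it over HTTPS."""
    return urlencode({"magic": magic, "username": username, "password": password})


if __name__ == "__main__":
    FGT_HOSTS = {"192.0.2.1"}                                              # constructed
    good = "login&magic=0a1b2c3d4e5f&post=https://192.0.2.1:1000/fgtauth"  # constructed
    magic, action = parse_redirect(good, FGT_HOSTS)
    print(render_login_form(magic, action))
    for bad in ("magic=0a1b2c3d4e5f&post=https://portal.attacker.example:1000/fgtauth",
                "magic=0a1b2c3d4e5f&post=http://192.0.2.1:1000/fgtauth",
                "magic=<script>&post=https://192.0.2.1:1000/fgtauth"):
        try:
            parse_redirect(bad, FGT_HOSTS)
        except PortalError as err:
            print("rejected:", err)
```

Serve the page itself over HTTPS as well; the FortiGate side of the exchange is only protected when auth-secure-http is enabled, as shown above.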

To configure use of an external WiFi Captive Portal - GUI:
  1. Go to WiFi & Switch Controller > SSID and create your SSID.
    If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.
  2. In Security Mode, select Captive Portal.
  3. Enter the following:

    Portal Type
    The portal can provide authentication and/or disclaimer, or perform user email address collection.

    Authentication Portal
    External - enter the FQDN or IP address of the external portal. Typically, this is the URL of a script. Do not include the protocol (http:// or https://) part of the URL.

    User Groups
    Select permitted user groups or select Use Groups from Policies, which permits the groups specified in the security policy.

    Exempt List
    Select exempt lists whose members will not be subject to captive portal authentication.

    Redirect after Captive Portal
    Original Request - return the user to the page they first requested.
    Specific URL - enter the URL to send the user to after authentication.

  4. Select OK.