Administration Guide

MPSK groups

Users can batch generate or import MPSK keys, export MPSK keys to a CSV file, dynamically assign VLANs based on the MPSK used, and apply an MPSK schedule in the GUI.

In the GUI, MPSK key entries are organized into MPSK groups. An MPSK group can be created manually or imported. When MPSK is enabled, the previous single passphrase is dropped and dynamic VLAN is automatically enabled.

In the CLI, an mpsk-profile is assigned in the VAP settings and MPSK is enabled. The dynamic VLAN is automatically enabled. Only one MPSK profile can be assigned to one VAP at a time.

To use an MPSK group in the GUI:
  1. Go to WiFi & Switch Controller > SSIDs and click Create New > SSID.
  2. Enter a name and ensure the Security mode is set to WPA2 Personal.
  3. In the Pre-shared Key section, select a Mode (Multiple is used in this example).
  4. In the table, click Add > Create Group.
  5. Enter a group name and VLAN ID.
  6. Configure the pre-shared key settings:
    1. In the table, click Add > Generate Keys.
    2. Configure the settings as needed and click OK.
  7. Click OK to close the Pre-shared Key Group window.
  8. Click OK.
  9. Go to WiFi & Switch Controller > WiFi Clients to view the MPSK name in the Pre-shared Key column.

To use an MPSK profile in the CLI:
  1. Configure the MPSK profile:
    config wireless-controller mpsk-profile
        edit "wifi-mpsk"
            config mpsk-group
                edit "group-a"
                    set vlan-type fixed-vlan
                    set vlan-id 10
                    config mpsk-key
                        edit "key-a-1"
                            set passphrase ENC
                            set mpsk-schedules "always"
                        next
                    end
                next
                edit "group-b"
                    set vlan-type fixed-vlan
                    set vlan-id 20
                    config mpsk-key
                        edit "key-b-1"
                            set passphrase ENC
                            set concurrent-client-limit-type unlimited
                            set mpsk-schedules "always"
                        next
                    end
                next
            end
        next
    end
  2. Configure the VAP settings:
    config wireless-controller vap
        edit "wifi-mpsk"
            set ssid "wifi-mpsk"
            set local-bridging enable
            set schedule "always"
            set mpsk-profile "wifi-mpsk"
            set dynamic-vlan enable
        next
    end
  3. Verify the event log after the WiFi client is connected:
    1: date=2020-07-10 time=16:57:20 logid="0104043573" type="event" subtype="wireless" level="notice" vd="root" eventtime=1594425440439070726 tz="-0700" logdesc="Wireless client authenticated" sn="FP423E3X16000320" ap="FP423E3X16000320" vap="wifi-mpsk" ssid="wifi-mpsk" radioid=2 user="N/A" group="N/A" stamac="3c:2e:ff:83:91:33" srcip=10.0.10.2 channel=144 radioband="802.11ac" signal=-52 snr=50 security="WPA2 Personal" encryption="AES" action="client-authentication" reason="Reserved 0" mpsk="key-a-1" msg="Client 3c:2e:ff:83:91:33 authenticated."
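
The `mpsk` field in that event is what ties a station to a key, and through the key's group to a VLAN. The following is an added example, not part of the original guide: a log audit that groups authenticated stations by MPSK key and flags key names missing from the reviewed profile or used by more devices than intended. The function names, the per-key station limit for `key-a-1`, the `key-c-9` name, and the `02:...` MAC addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict

# FortiGate event logs are key=value pairs; values are "quoted" or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Reviewed inventory: MPSK key name -> VLAN ID, from the profile on this page.
KEY_VLAN = {"key-a-1": 10, "key-b-1": 20}
# Assumed policy: key-a-1 is a single-device key; key-b-1 is unlimited.
STATION_LIMIT = {"key-a-1": 1}

def parse_event(line):
    """Turn one log line into a dict of field -> value."""
    return {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(line)}

def audit_mpsk(lines, inventory=KEY_VLAN, limits=STATION_LIMIT):
    """Group authenticated stations by MPSK key; return (stations, findings)."""
    stations, findings = defaultdict(set), []
    for line in lines:
        ev = parse_event(line)
        if ev.get("action") != "client-authentication":
            continue
        key, mac = ev.get("mpsk", ""), ev.get("stamac", "").lower()
        if key not in inventory:
            # Key name in the logs that is not in the reviewed profile.
            findings.append(("unknown-key", key, (mac,)))
            continue
        stations[key].add(mac)
    for key in sorted(stations):
        macs = tuple(sorted(stations[key]))
        if key in limits and len(macs) > limits[key]:
            # More distinct devices than the key was issued for.
            findings.append(("over-limit", key, macs))
    return dict(stations), findings

def _line(mac, key):
    # Constructed sample line, modelled on the event log shown above.
    return (f'date=2020-07-10 time=16:57:20 logid="0104043573" subtype="wireless" '
            f'vap="wifi-mpsk" stamac="{mac}" action="client-authentication" '
            f'mpsk="{key}" msg="Client {mac} authenticated."')

SAMPLE = [_line("3c:2e:ff:83:91:33", "key-a-1"), _line("02:00:00:00:00:0a", "key-a-1"),
          _line("02:00:00:00:00:0b", "key-b-1"), _line("02:00:00:00:00:0c", "key-b-1"),
          _line("02:00:00:00:00:0d", "key-c-9")]

if __name__ == "__main__":
    for kind, key, macs in audit_mpsk(SAMPLE)[1]:
        print(kind, key, "vlan", KEY_VLAN.get(key), ", ".join(macs))
```

Because `key-b-1` is configured with `concurrent-client-limit-type unlimited`, multiple stations on it are not reported; only keys with an explicit limit in the assumed policy are checked.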
