Fortinet white logo
Fortinet white logo

Administration Guide

Creating SSIDs

Creating SSIDs

When creating a new SSID, the available options will change depending on the selected traffic mode: Tunnel , Bridge, or Mesh.

To create a new SSID:
  1. On the SSID pane, click Create New > SSID in the toolbar, or select it from the right-click menu. The Create New SSID Profile windows opens.

  2. Enter the following information, then click OK to create the new tunnel to wireless controller SSID:

    Interface Name

    Type a name for the SSID.

    Alias

    Set the alias for SSID.

    Traffic Mode

    Select the traffic mode: Tunnel, Bridge, or Mesh.

    Address

    These options are only available when Traffic Mode is Tunnel.

    IP/Network Mask

    Enter the IP address and netmask.

    IPv6 Address

    Enter the IPv6 address.

    Administrative Access

    Select the allowed administrative service protocols from: AUTO-IPSEC, CAPWAP, FGFM, HTTP, HTTPS, PING, PROBE-RESPONSE, RADIUS-ACCT, SNMP, SSH, and TELNET.

    IPv6 Administrative Access

    Select the allowed administrative service protocols from: ANY, CAPWAP, FGFM, HTTP, HTTPS, PING, SNMP, SSH, and TELNET.

    DHCP Server

    Turn the DHCP server on or off.

    WiFi Settings

    SSID

    Type the wireless service set identifier (SSID), or network name, for this wireless interface. Users who want to use the wireless network must configure their computers with this network name.

    Security Mode

    Select a security mode:

    Captive Portal

    WPA Only Personal

    OPEN

    WPA Only Personal Captive Portal

    Osen

    OWE

    WPA Personal

    WEP 128

    WPA Personal Captive Portal

    WEP 64

    WPA2 Only Enterprise

    WPA Enterprise

    WPA2 Only Personal

    WPA Only Enterprise

    WPA2 Only Personal Captive PortalWPA3 Enterprise
    WPA3 SAEWPA3 SAE Transition

    Only WPA and WPA2 Personal modes are available when the traffic mode is Mesh.

    Pre-shared Key

    Enter the pre-shared key for the SSID.

    This option is only available when the security mode includes WPA or WPA2 personal.

    Local Standalone

    Enable/disable AP local standalone (default = disable).

    This option is only available when the traffic mode is Bridge.

    Local Authentication

    Enable/disable AP local authentication.

    This option is only available when the traffic mode is Bridge.

    Client Limit

    The maximum number of clients that can simultaneously connect to the AP (0 - 4294967295, default = 0, meaning no limitation).

    Client Limit per Radio

    The maximum number of clients that can simultaneously connect to each radio (0 - 4294967295, default = 0, meaning no limitation).

    This option is only available when Local Standalone is enabled.

    Multiple Pre-Shared Keys

    Enable/disable multiple pre-shared keys.

    In the table, click Create to create a new key. Enter the key name, value, client limit, and comments (optional), then click OK. Click Edit to edit the selected key. Click Delete to delete the selected key or keys.

    This option is only available when the security mode includes WPA or WPA2 personal and the traffic mode is not Mesh.

    Default Client Limit Per Key

    Enable/disable a maximum number of clients that can simultaneously connect using each pre-shared key, then enter the maximum number.

    This option is only available when the Multiple Pre-Shared Keys is enabled.

    Portal Type

    Select the portal type: Authentication (default), Disclaimer + Authentication, Disclaimer Only, or Email Collection.

    This option is only available when the security mode includes captive portal.

    Authentication Portal

    Select Local or External. If External is selected, enter the URL of the portal.

    This option is only available when the portal type includes authentication.

    User Groups

    Select the user group to add from the dropdown list. Select the plus symbol to add multiple groups.

    This option is only available when the portal type includes authentication.

    Exempt Sources

    Select exempt sources to add from the dropdown list.

    This option is only available when the portal type includes authentication.

    Devices

    Select exempt devices to add from the dropdown list.

    This option is only available when the portal type includes authentication.

    Exempt Destinations

    Select exempt destinations to add from the dropdown list.

    This option is only available when the portal type includes authentication.

    Exempt Services

    Select exempt services to add from the dropdown list.

    This option is only available when the portal type includes authentication.

    Customize Portal Messages

    Select to allow for customized portal messages. Portal messages cannot be customized until after the interface has been created.

    This option is only available when the portal type includes disclaimer, email collection, or CMCC without MAC authentication.

    Redirect after Captive Portal

    Select Original Request or Specific URL. If Specific URL is selected, enter the redirect URL.

    This option is only available when the security mode includes captive portal.

    Authentication

    Select the authentication method for the SSID, either Local or RADIUS Server, then select the requisite server or group from the dropdown list.

    This option is only available when the security mode is includes WPA or WPA2 enterprise.

    Broadcast SSID

    Enable/disable broadcasting the SSID (default = enable).

    Broadcasting enables clients to connect to the wireless network without first knowing the SSID. For better security, do not broadcast the SSID.

    Schedule

    Select a schedule to control the availability of the SSID. For information on creating a schedule object, see Create a new object.

    Block Intra-SSID Traffic

    Enable/disable blocking communication between clients of the same AP (default = disable).

    Broadcast Suppression

    Optional suppression of broadcast message types:

    • All other broadcast: All other broadcast messages
    • All other multicast: All other multicast messages
    • ARP poison: ARP poison messages from wireless clients
    • ARP proxy: ARP requests for wireless clients as a proxy
    • ARP replies: ARP replies from wireless clients
    • ARPs for known clients: ARP for known messages
    • ARPs for unknown clients: ARP for unknown messages
    • DHCP downlink: Downlink DHCP messages
    • DHCP starvation: DHCP starvation req messages
    • DHCP uplink: Uplink DHCP messages
    • IPv6: IPv6 packets
    • NetBIOS datagram service: NetBIOS datagram services packets
    • NetBIOS name service: NetBIOS name services packets

    Filter Clients by MAC Address

    Enable/disable using a RADIUS server to filter clients be MAC address, then select the server from the drop-down list. See RADIUS servers for information on adding a RADIUS server.

    VLAN Pooling

    Enable/disable VLAN pooling, allowing you to group multiple wireless controller VLANs into VLAN pools. These pools are used to load-balance sessions evenly across multiple VLANs.

    • Managed AP Group: Select devices to include in the group.
    • Round Robin
    • Hash

    This option is not available when the traffic mode is Mesh.

    Quarantine Host

    Enable/disable station quarantine (default = enable).

    This option is only available when the security mode includes WPA or WPA2.

    Encrypt

    Select the data encryption protocol:

    • TKIP: Temporal Key Integrity Protocol, used by the older WPA standard.
    • AES: Advanced Encryption Standard, commonly used with the newer WPA2 standard (default).
    • TKIP-AES: Use both protocols to provide backward compatibility for legacy devices. This option is not recommended, as attackers will only need to breach the weaker encryption of the two (TKIP).

    This option is only available when the security mode includes WPA or WPA2.

    QoS Profile

    Select the QoS profile from the drop-down list.

    Advanced Options

    Configure advanced options. For information, see the FortiOS CLI Reference: https://help.fortinet.com/cli/fos60hlp/60/index.htm.

    Per-Device Mapping

    Enable per-device mapping to override the SSID profile settings for selected devices. See To add SSID per-device mapping:.

note icon

If you select WPA Enterprise, WPA Only Enterprise, or WPA2 Only Enterprise, you can add a different RADIUS server using per-device mapping. See To add SSID per-device mapping:.

To add SSID per-device mapping:
  1. Click Create New in the per-device mapping toolbar. The Per-Device Mapping dialog-box opens. Configure the following settings and click OK.

  2. Mapped Device

    Select the device to be mapped from the drop-down.

    Mapped IP/NetMask

    Specify the Mapped IP/NetMask.

    Mapped DHCP Server

    Set the DHCP Server to ON if you want to map a DHCP Server to this device.

    Address Range

    Configure address ranges for DHCP. Click Create to create a new range. Ranges can also be edited and deleted as required.

    This option is only available when DHCP Server is ON and Mode is Server.

    Netmask

    Enter the netmask.

    This option is only available when DHCP Server is ON and Mode is Server.

    Default Gateway

    Configure the default gateway: Same as Interface IP, or Specify. If set to Specify, enter the gateway IP address in the field.

    This option is only available when DHCP Server is ON and Mode is Server.

    DNS Server

    Configure the DNS server: Same as System DNS, Same as Interface IP, or Specify.

    This option is only available when DHCP Server is ON and Mode is Server.

    Mode

    Select the DHCP mode: Server or Relay.

    This option is only available when DHCP Server is ON.

    NTP Server

    Configure the NTP server: Local, Same as System NTP, or Specify. If set to Specify, enter the NTP server IP address in the field.

    This option is only available when DHCP Server is ON and Mode is Server.

    Time Zone

    Configure the timezone: Disable, Same as System, or Specify. If set to Specify, select the timezone from the dropdown list.

    This option is only available when DHCP Server is ON and Mode is Server.

    Next Bootstrap Server

    Enter the IP address of the next bootstrap server.

    This option is only available when DHCP Server is ON and Mode is Server.

    Additional DHCP Options

    In the Lease Time field, enter the lease time, in seconds (default = 604800 (7 days)).

    Add DHCP options to the table. See To add additional DHCP options: for details. Options can also be edited and deleted as required.

    This option is only available when DHCP Server is ON and Mode is Server.

    MAC Reservation + Access Control

    Select the action to take with unknown MAC addresses: assign or block.

    Add MAC address actions to the table. See To add a MAC address reservation: for details. Reservations can also be edited and deleted as required.

    This option is only available when DHCP Server is ON and Mode is Server.

    DHCP Server IP

    Enter the DHCP server IP address.

    This option is only available when DHCP Server is ON and Mode is Relay.

    Type

    Select the type: Regular, or IPsec.

    This option is only available when DHCP Server is ON.

To add additional DHCP options:
  1. Click Create in the Additional DHCP Options table toolbar. The Additional DHCP Options dialog box opens.

  2. Enter the Option Code.
  3. Select the Type: hex, ip, or string.
  4. Enter the corresponding value.
  5. Click OK to create the option.
To add a MAC address reservation:
  1. Click Create in the MAC Reservation + Access Control table toolbar. The MAC Reservation + Access Control dialog box opens.

  2. Enter the MAC Address.
  3. Select the End IP: Assign IP, Block, or Reserve IP. If reserving the IP address, enter it in the field.
  4. Optionally, enter a description.
  5. Click OK to create the reservation.

Creating SSIDs

Creating SSIDs

When creating a new SSID, the available options will change depending on the selected traffic mode: Tunnel , Bridge, or Mesh.

To create a new SSID:
  1. On the SSID pane, click Create New > SSID in the toolbar, or select it from the right-click menu. The Create New SSID Profile windows opens.

  2. Enter the following information, then click OK to create the new tunnel to wireless controller SSID:

    Interface Name

    Type a name for the SSID.

    Alias

    Set the alias for SSID.

    Traffic Mode

    Select the traffic mode: Tunnel, Bridge, or Mesh.

    Address

    These options are only available when Traffic Mode is Tunnel.

    IP/Network Mask

    Enter the IP address and netmask.

    IPv6 Address

    Enter the IPv6 address.

    Administrative Access

    Select the allowed administrative service protocols from: AUTO-IPSEC, CAPWAP, FGFM, HTTP, HTTPS, PING, PROBE-RESPONSE, RADIUS-ACCT, SNMP, SSH, and TELNET.

    IPv6 Administrative Access

    Select the allowed administrative service protocols from: ANY, CAPWAP, FGFM, HTTP, HTTPS, PING, SNMP, SSH, and TELNET.

    DHCP Server

    Turn the DHCP server on or off.

    WiFi Settings

    SSID

    Type the wireless service set identifier (SSID), or network name, for this wireless interface. Users who want to use the wireless network must configure their computers with this network name.

    Security Mode

    Select a security mode:

    Captive Portal

    WPA Only Personal

    OPEN

    WPA Only Personal Captive Portal

    Osen

    OWE

    WPA Personal

    WEP 128

    WPA Personal Captive Portal

    WEP 64

    WPA2 Only Enterprise

    WPA Enterprise

    WPA2 Only Personal

    WPA Only Enterprise

    WPA2 Only Personal Captive PortalWPA3 Enterprise
    WPA3 SAEWPA3 SAE Transition

    Only WPA and WPA2 Personal modes are available when the traffic mode is Mesh.

    Pre-shared Key

    Enter the pre-shared key for the SSID.

    This option is only available when the security mode includes WPA or WPA2 personal.

    Local Standalone

    Enable/disable AP local standalone (default = disable).

    This option is only available when the traffic mode is Bridge.

    Local Authentication

    Enable/disable AP local authentication.

    This option is only available when the traffic mode is Bridge.

    Client Limit

    The maximum number of clients that can simultaneously connect to the AP (0 - 4294967295, default = 0, meaning no limitation).

    Client Limit per Radio

    The maximum number of clients that can simultaneously connect to each radio (0 - 4294967295, default = 0, meaning no limitation).

    This option is only available when Local Standalone is enabled.

    Multiple Pre-Shared Keys

    Enable/disable multiple pre-shared keys.

    In the table, click Create to create a new key. Enter the key name, value, client limit, and comments (optional), then click OK. Click Edit to edit the selected key. Click Delete to delete the selected key or keys.

    This option is only available when the security mode includes WPA or WPA2 personal and the traffic mode is not Mesh.

    Default Client Limit Per Key

    Enable/disable a maximum number of clients that can simultaneously connect using each pre-shared key, then enter the maximum number.

    This option is only available when the Multiple Pre-Shared Keys is enabled.

    Portal Type

    Select the portal type: Authentication (default), Disclaimer + Authentication, Disclaimer Only, or Email Collection.

    This option is only available when the security mode includes captive portal.

    Authentication Portal

    Select Local or External. If External is selected, enter the URL of the portal.

    This option is only available when the portal type includes authentication.

    User Groups

    Select the user group to add from the dropdown list. Select the plus symbol to add multiple groups.

    This option is only available when the portal type includes authentication.

    Exempt Sources

    Select exempt sources to add from the dropdown list.

    This option is only available when the portal type includes authentication.

    Devices

    Select exempt devices to add from the dropdown list.

    This option is only available when the portal type includes authentication.

    Exempt Destinations

    Select exempt destinations to add from the dropdown list.

    This option is only available when the portal type includes authentication.

    Exempt Services

    Select exempt services to add from the dropdown list.

    This option is only available when the portal type includes authentication.

    Customize Portal Messages

    Select to allow for customized portal messages. Portal messages cannot be customized until after the interface has been created.

    This option is only available when the portal type includes disclaimer, email collection, or CMCC without MAC authentication.

    Redirect after Captive Portal

    Select Original Request or Specific URL. If Specific URL is selected, enter the redirect URL.

    This option is only available when the security mode includes captive portal.

    Authentication

    Select the authentication method for the SSID, either Local or RADIUS Server, then select the requisite server or group from the dropdown list.

    This option is only available when the security mode is includes WPA or WPA2 enterprise.

    Broadcast SSID

    Enable/disable broadcasting the SSID (default = enable).

    Broadcasting enables clients to connect to the wireless network without first knowing the SSID. For better security, do not broadcast the SSID.

    Schedule

    Select a schedule to control the availability of the SSID. For information on creating a schedule object, see Create a new object.

    Block Intra-SSID Traffic

    Enable/disable blocking communication between clients of the same AP (default = disable).

    Broadcast Suppression

    Optional suppression of broadcast message types:

    • All other broadcast: All other broadcast messages
    • All other multicast: All other multicast messages
    • ARP poison: ARP poison messages from wireless clients
    • ARP proxy: ARP requests for wireless clients as a proxy
    • ARP replies: ARP replies from wireless clients
    • ARPs for known clients: ARP for known messages
    • ARPs for unknown clients: ARP for unknown messages
    • DHCP downlink: Downlink DHCP messages
    • DHCP starvation: DHCP starvation req messages
    • DHCP uplink: Uplink DHCP messages
    • IPv6: IPv6 packets
    • NetBIOS datagram service: NetBIOS datagram services packets
    • NetBIOS name service: NetBIOS name services packets

    Filter Clients by MAC Address

    Enable/disable using a RADIUS server to filter clients be MAC address, then select the server from the drop-down list. See RADIUS servers for information on adding a RADIUS server.

    VLAN Pooling

    Enable/disable VLAN pooling, allowing you to group multiple wireless controller VLANs into VLAN pools. These pools are used to load-balance sessions evenly across multiple VLANs.

    • Managed AP Group: Select devices to include in the group.
    • Round Robin
    • Hash

    This option is not available when the traffic mode is Mesh.

    Quarantine Host

    Enable/disable station quarantine (default = enable).

    This option is only available when the security mode includes WPA or WPA2.

    Encrypt

    Select the data encryption protocol:

    • TKIP: Temporal Key Integrity Protocol, used by the older WPA standard.
    • AES: Advanced Encryption Standard, commonly used with the newer WPA2 standard (default).
    • TKIP-AES: Use both protocols to provide backward compatibility for legacy devices. This option is not recommended, as attackers will only need to breach the weaker encryption of the two (TKIP).

    This option is only available when the security mode includes WPA or WPA2.

    QoS Profile

    Select the QoS profile from the drop-down list.

    Advanced Options

    Configure advanced options. For information, see the FortiOS CLI Reference: https://help.fortinet.com/cli/fos60hlp/60/index.htm.

    Per-Device Mapping

    Enable per-device mapping to override the SSID profile settings for selected devices. See To add SSID per-device mapping:.

note icon

If you select WPA Enterprise, WPA Only Enterprise, or WPA2 Only Enterprise, you can add a different RADIUS server using per-device mapping. See To add SSID per-device mapping:.

To add SSID per-device mapping:
  1. Click Create New in the per-device mapping toolbar. The Per-Device Mapping dialog-box opens. Configure the following settings and click OK.

  2. Mapped Device

    Select the device to be mapped from the drop-down.

    Mapped IP/NetMask

    Specify the Mapped IP/NetMask.

    Mapped DHCP Server

    Set the DHCP Server to ON if you want to map a DHCP Server to this device.

    Address Range

    Configure address ranges for DHCP. Click Create to create a new range. Ranges can also be edited and deleted as required.

    This option is only available when DHCP Server is ON and Mode is Server.

    Netmask

    Enter the netmask.

    This option is only available when DHCP Server is ON and Mode is Server.

    Default Gateway

    Configure the default gateway: Same as Interface IP, or Specify. If set to Specify, enter the gateway IP address in the field.

    This option is only available when DHCP Server is ON and Mode is Server.

    DNS Server

    Configure the DNS server: Same as System DNS, Same as Interface IP, or Specify.

    This option is only available when DHCP Server is ON and Mode is Server.

    Mode

    Select the DHCP mode: Server or Relay.

    This option is only available when DHCP Server is ON.

    NTP Server

    Configure the NTP server: Local, Same as System NTP, or Specify. If set to Specify, enter the NTP server IP address in the field.

    This option is only available when DHCP Server is ON and Mode is Server.

    Time Zone

    Configure the timezone: Disable, Same as System, or Specify. If set to Specify, select the timezone from the dropdown list.

    This option is only available when DHCP Server is ON and Mode is Server.

    Next Bootstrap Server

    Enter the IP address of the next bootstrap server.

    This option is only available when DHCP Server is ON and Mode is Server.

    Additional DHCP Options

    In the Lease Time field, enter the lease time, in seconds (default = 604800 (7 days)).

    Add DHCP options to the table. See To add additional DHCP options: for details. Options can also be edited and deleted as required.

    This option is only available when DHCP Server is ON and Mode is Server.

    MAC Reservation + Access Control

    Select the action to take with unknown MAC addresses: assign or block.

    Add MAC address actions to the table. See To add a MAC address reservation: for details. Reservations can also be edited and deleted as required.

    This option is only available when DHCP Server is ON and Mode is Server.

    DHCP Server IP

    Enter the DHCP server IP address.

    This option is only available when DHCP Server is ON and Mode is Relay.

    Type

    Select the type: Regular, or IPsec.

    This option is only available when DHCP Server is ON.

To add additional DHCP options:
  1. Click Create in the Additional DHCP Options table toolbar. The Additional DHCP Options dialog box opens.

  2. Enter the Option Code.
  3. Select the Type: hex, ip, or string.
  4. Enter the corresponding value.
  5. Click OK to create the option.
To add a MAC address reservation:
  1. Click Create in the MAC Reservation + Access Control table toolbar. The MAC Reservation + Access Control dialog box opens.

  2. Enter the MAC Address.
  3. Select the End IP: Assign IP, Block, or Reserve IP. If reserving the IP address, enter it in the field.
  4. Optionally, enter a description.
  5. Click OK to create the reservation.