Creating SSIDs
When creating a new SSID, the available options will change depending on the selected traffic mode: Tunnel , Bridge, or Mesh.
To create a new SSID:
- On the SSID pane, click Create New > SSID in the toolbar, or select it from the right-click menu. The Create New SSID Profile windows opens.
- Enter the following information, then click OK to create the new tunnel to wireless controller SSID:
Interface Name
Type a name for the SSID.
Alias
Set the alias for SSID.
Traffic Mode
Select the traffic mode: Tunnel, Bridge, or Mesh.
Address
These options are only available when Traffic Mode is Tunnel.
IP/Network Mask
Enter the IP address and netmask.
IPv6 Address
Enter the IPv6 address.
Administrative Access
Select the allowed administrative service protocols from: AUTO-IPSEC, CAPWAP, FGFM, HTTP, HTTPS, PING, PROBE-RESPONSE, RADIUS-ACCT, SNMP, SSH, and TELNET.
IPv6 Administrative Access
Select the allowed administrative service protocols from: ANY, CAPWAP, FGFM, HTTP, HTTPS, PING, SNMP, SSH, and TELNET.
DHCP Server
Turn the DHCP server on or off.
WiFi Settings
SSID
Type the wireless service set identifier (SSID), or network name, for this wireless interface. Users who want to use the wireless network must configure their computers with this network name.
Security Mode
Select a security mode:
Captive Portal
WPA Only Personal
OPEN
WPA Only Personal Captive Portal
Osen
OWE
WPA Personal WEP 128
WPA Personal Captive Portal
WEP 64
WPA2 Only Enterprise WPA Enterprise
WPA2 Only Personal
WPA Only Enterprise
WPA2 Only Personal Captive Portal WPA3 Enterprise WPA3 SAE WPA3 SAE Transition Only WPA and WPA2 Personal modes are available when the traffic mode is Mesh.
Pre-shared Key
Enter the pre-shared key for the SSID.
This option is only available when the security mode includes WPA or WPA2 personal.
Local Standalone
Enable/disable AP local standalone (default = disable).
This option is only available when the traffic mode is Bridge.
Local Authentication
Enable/disable AP local authentication.
This option is only available when the traffic mode is Bridge.
Client Limit
The maximum number of clients that can simultaneously connect to the AP (0 - 4294967295, default = 0, meaning no limitation).
Client Limit per Radio
The maximum number of clients that can simultaneously connect to each radio (0 - 4294967295, default = 0, meaning no limitation).
This option is only available when Local Standalone is enabled.
Multiple Pre-Shared Keys
Enable/disable multiple pre-shared keys.
In the table, click Create to create a new key. Enter the key name, value, client limit, and comments (optional), then click OK. Click Edit to edit the selected key. Click Delete to delete the selected key or keys.
This option is only available when the security mode includes WPA or WPA2 personal and the traffic mode is not Mesh.
Default Client Limit Per Key
Enable/disable a maximum number of clients that can simultaneously connect using each pre-shared key, then enter the maximum number.
This option is only available when the Multiple Pre-Shared Keys is enabled.
Portal Type
Select the portal type: Authentication (default), Disclaimer + Authentication, Disclaimer Only, or Email Collection.
This option is only available when the security mode includes captive portal.
Authentication Portal
Select Local or External. If External is selected, enter the URL of the portal.
This option is only available when the portal type includes authentication.
User Groups
Select the user group to add from the dropdown list. Select the plus symbol to add multiple groups.
This option is only available when the portal type includes authentication.
Exempt Sources
Select exempt sources to add from the dropdown list.
This option is only available when the portal type includes authentication.
Devices
Select exempt devices to add from the dropdown list.
This option is only available when the portal type includes authentication.
Exempt Destinations
Select exempt destinations to add from the dropdown list.
This option is only available when the portal type includes authentication.
Exempt Services
Select exempt services to add from the dropdown list.
This option is only available when the portal type includes authentication.
Customize Portal Messages
Select to allow for customized portal messages. Portal messages cannot be customized until after the interface has been created.
This option is only available when the portal type includes disclaimer, email collection, or CMCC without MAC authentication.
Redirect after Captive Portal
Select Original Request or Specific URL. If Specific URL is selected, enter the redirect URL.
This option is only available when the security mode includes captive portal.
Authentication
Select the authentication method for the SSID, either Local or RADIUS Server, then select the requisite server or group from the dropdown list.
This option is only available when the security mode is includes WPA or WPA2 enterprise.
Broadcast SSID
Enable/disable broadcasting the SSID (default = enable).
Broadcasting enables clients to connect to the wireless network without first knowing the SSID. For better security, do not broadcast the SSID.
Schedule
Select a schedule to control the availability of the SSID. For information on creating a schedule object, see Create a new object.
Block Intra-SSID Traffic
Enable/disable blocking communication between clients of the same AP (default = disable).
Broadcast Suppression
Optional suppression of broadcast message types:
- All other broadcast: All other broadcast messages
- All other multicast: All other multicast messages
- ARP poison: ARP poison messages from wireless clients
- ARP proxy: ARP requests for wireless clients as a proxy
- ARP replies: ARP replies from wireless clients
- ARPs for known clients: ARP for known messages
- ARPs for unknown clients: ARP for unknown messages
- DHCP downlink: Downlink DHCP messages
- DHCP starvation: DHCP starvation req messages
- DHCP uplink: Uplink DHCP messages
- IPv6: IPv6 packets
- NetBIOS datagram service: NetBIOS datagram services packets
- NetBIOS name service: NetBIOS name services packets
Filter Clients by MAC Address
Enable/disable using a RADIUS server to filter clients be MAC address, then select the server from the drop-down list. See RADIUS servers for information on adding a RADIUS server.
VLAN Pooling
Enable/disable VLAN pooling, allowing you to group multiple wireless controller VLANs into VLAN pools. These pools are used to load-balance sessions evenly across multiple VLANs.
- Managed AP Group: Select devices to include in the group.
- Round Robin
- Hash
This option is not available when the traffic mode is Mesh.
Quarantine Host
Enable/disable station quarantine (default = enable).
This option is only available when the security mode includes WPA or WPA2.
Encrypt
Select the data encryption protocol:
- TKIP: Temporal Key Integrity Protocol, used by the older WPA standard.
- AES: Advanced Encryption Standard, commonly used with the newer WPA2 standard (default).
- TKIP-AES: Use both protocols to provide backward compatibility for legacy devices. This option is not recommended, as attackers will only need to breach the weaker encryption of the two (TKIP).
This option is only available when the security mode includes WPA or WPA2.
QoS Profile
Select the QoS profile from the drop-down list.
Advanced Options
Configure advanced options. For information, see the FortiOS CLI Reference: https://help.fortinet.com/cli/fos60hlp/60/index.htm.
Per-Device Mapping
Enable per-device mapping to override the SSID profile settings for selected devices. See To add SSID per-device mapping:.
If you select WPA Enterprise, WPA Only Enterprise, or WPA2 Only Enterprise, you can add a different RADIUS server using per-device mapping. See To add SSID per-device mapping:. |
To add SSID per-device mapping:
- Click Create New in the per-device mapping toolbar. The Per-Device Mapping dialog-box opens. Configure the following settings and click OK.
Mapped Device |
Select the device to be mapped from the drop-down. |
|
Mapped IP/NetMask |
Specify the Mapped IP/NetMask. |
|
Mapped DHCP Server |
Set the DHCP Server to ON if you want to map a DHCP Server to this device. |
|
|
Address Range |
Configure address ranges for DHCP. Click Create to create a new range. Ranges can also be edited and deleted as required. This option is only available when DHCP Server is ON and Mode is Server. |
|
Netmask |
Enter the netmask. This option is only available when DHCP Server is ON and Mode is Server. |
|
Default Gateway |
Configure the default gateway: Same as Interface IP, or Specify. If set to Specify, enter the gateway IP address in the field. This option is only available when DHCP Server is ON and Mode is Server. |
|
DNS Server |
Configure the DNS server: Same as System DNS, Same as Interface IP, or Specify. This option is only available when DHCP Server is ON and Mode is Server. |
|
Mode |
Select the DHCP mode: Server or Relay. This option is only available when DHCP Server is ON. |
|
NTP Server |
Configure the NTP server: Local, Same as System NTP, or Specify. If set to Specify, enter the NTP server IP address in the field. This option is only available when DHCP Server is ON and Mode is Server. |
|
Time Zone |
Configure the timezone: Disable, Same as System, or Specify. If set to Specify, select the timezone from the dropdown list. This option is only available when DHCP Server is ON and Mode is Server. |
|
Next Bootstrap Server |
Enter the IP address of the next bootstrap server. This option is only available when DHCP Server is ON and Mode is Server. |
|
Additional DHCP Options |
In the Lease Time field, enter the lease time, in seconds (default = 604800 (7 days)). Add DHCP options to the table. See To add additional DHCP options: for details. Options can also be edited and deleted as required. This option is only available when DHCP Server is ON and Mode is Server. |
|
MAC Reservation + Access Control |
Select the action to take with unknown MAC addresses: assign or block. Add MAC address actions to the table. See To add a MAC address reservation: for details. Reservations can also be edited and deleted as required. This option is only available when DHCP Server is ON and Mode is Server. |
|
DHCP Server IP |
Enter the DHCP server IP address. This option is only available when DHCP Server is ON and Mode is Relay. |
|
Type |
Select the type: Regular, or IPsec. This option is only available when DHCP Server is ON. |
To add additional DHCP options:
- Click Create in the Additional DHCP Options table toolbar. The Additional DHCP Options dialog box opens.
- Enter the Option Code.
- Select the Type: hex, ip, or string.
- Enter the corresponding value.
- Click OK to create the option.
To add a MAC address reservation:
- Click Create in the MAC Reservation + Access Control table toolbar. The MAC Reservation + Access Control dialog box opens.
- Enter the MAC Address.
- Select the End IP: Assign IP, Block, or Reserve IP. If reserving the IP address, enter it in the field.
- Optionally, enter a description.
- Click OK to create the reservation.