wireless-controller : vap
Use this command to configure Virtual Access Points.
config wireless-controller vap
edit <vap_name>
set acct-interim-interval <sec>
set auth {usergroup | radius}
set broadcast-suppression {arp‑known arp‑unknown arp‑reply dhcp‑up dhcp‑down netbios‑ns netbios‑ds ipv6}
set broadcast-ssid {enable | disable}
set dynamic-vlan {enable | disable}
set encrypt {AES | TKIP |  TKIP‑AES}
set external-fast-roaming {enable | disable}
set external-web <url>
set fast-roaming {enable | disable}
set gtk-rekey-intv <secs>
set intra-vap-privacy {enable | disable}
set key <key_str>
set keyindex {1 | 2 | 3 | 4}
set local-authentication {enable | disable}
set local-bridging {enable | disable}
set local-switching {enable | disable}
set max-clients <int>
set mesh-backhaul {enable | disable}
set me-disable-thresh <limit_int>
set multicast-enhance {enable | disable}
set multicast-rate {0 | 6000 | 12000 | 24000}
set passphrase <hex_str>
set portal-message-override-group <repl‑msg‑group_name>
set portal-type {auth | auth+disclaimer | email‑collect}
set probe-resp-suppression {enable | disable}
set probe-resp-threshold <level_int>
set ptk-rekey-intv <secs>
set radius-server <server_name>
set radius-mac-auth {enable | disable}
set radius-mac-auth-server <srv_str>
set security <sec_mode>
set security-exempt-list <exempt_list_name>
set security-redirect-url <url_str>
set selected-usergroups <groups_str>
set split-tunneling {enable | disable}
set ssid <string>
set usergroup <group_name>
set vdom <vdom_name>
set vlanid <vlan_int>
set vlan-auto {enable | disable}
acct-interim-interval <sec>
Set interval for sending RADIUS accounting information. Range 60 - 86 400 seconds. Set to 0 to not send information.
auth {usergroup | radius}
Select whether WPA-Enterprise authentication uses FortiGate user groups or a RADIUS server.
broadcast-suppression {arp‑known arp‑unknown arp‑reply dhcp‑up dhcp‑down netbios‑ns netbios‑ds ipv6}
Select optional suppression of broadcast message types:
arp-known - ARP for known clients
arp-unknown - ARP for unknown clients
arp-reply - ARP reply from clients
dhcp-up - uplink DHCP
dhcp-down - downlink DHCP
netbios‑ns - NETBIOS for UDP port 137
netbios‑ds - NETBIOS for UDP port 138
ipv6 - IPv6 packets
dhcp‑up arp‑known
broadcast-ssid {enable | disable}
Enable broadcast of the SSID. Broadcasting the SSID enables clients to connect to your wireless network without first knowing the SSID. For better security, do not broadcast the SSID.
dynamic-vlan {enable | disable}
Enable dynamic VLAN assignment for users based RADIUS attribute.
encrypt {AES | TKIP |  TKIP‑AES}
Select whether VAP uses AES or TKIP encryption, or accepts both. This is available if security is a WPA type.
external-fast-roaming {enable | disable}
Enable or disable pre-authentication with external non-managed AP.
external-web <url>
Enter the URL of an external authentication web server. This is available when security is captive-portal.
No default.
fast-roaming {enable | disable}
Enabling fast-roaming enables pre-authentication where supported by clients.
gtk-rekey-intv <secs>
Set the WPA re-key interval. Some clients may require a longer interval. For WPA-RADIUS SSID, use ptk-rekey-intv. Range 60 to 864 000 seconds.
intra-vap-privacy {enable | disable}
Enable to block communication between clients of the same AP.
key <key_str>
Enter the encryption key that the clients must use. For WEP64, enter 10 hexadecimal digits. For WEP128, enter 26 hexadecimal digits.
This is available when security is a WEP type.
No default.
keyindex {1 | 2 | 3 | 4}
Many wireless clients can configure up to four WEP keys. Select which key clients must use.with this access point. This is available when security is a WEP type.
local-authentication {enable | disable}
Enable authentication of clients by the FortiAP unit if the wireless controller is unavailable. This applies only if security is a WPA-Personal mode and local-bridging is enabled.
local-bridging {enable | disable}
Enable or disable bridging of wireless and Ethernet interfaces on the FortiAP unit. local‑bridging is disabled if intra-vap-privacy is enabled.
local-switching {enable | disable}
Enable or disable local switching of traffic on the FortiAP, not sending it to the WiFi controller. local‑switching is disabled if intra-vap-privacy is enabled.
max-clients <int>
Enter the maximum number of clients permitted to connect simultaneously. Enter 0 for no limit.
mesh-backhaul {enable | disable}
Enable to use this Virtual Access Point as a WiFi mesh backhaul. WiFi clients cannot connect directly to this SSID.
me-disable-thresh <limit_int>
Set the multicast enhancement threshold. Range 2 to 256 subscribers.
multicast-enhance {enable | disable}
Enable conversion of multicast to unicast to improve performance.
multicast-rate {0 | 6000 | 12000 | 24000}
Set multicast rate. 0 sets default rate. 6000, 12000, or 24000 are rates in kbps.
passphrase <hex_str>
Enter the encryption passphrase of 8 to 63 characters. This is available when security is a WPA type and auth is PSK.
No default.
portal-message-override-group <repl‑msg‑group_name>
Enter the replacement message group for this virtual access point. The replacement message group must already exist in system replacemsg-group and its group-type must be captive‑portal.
This field is available when security is captive-portal.
portal-type {auth | auth+disclaimer | email‑collect}
Choose whether the portal is for authentication, authentication and disclaimer, or email collection. Available when security is captive-portal.
probe-resp-suppression {enable | disable}
Enable or disable ignoring of weak signals, defined in probe-resp-threshold.
probe-resp-threshold <level_int>
Set the minimum signal level required for AP response. Range -95 to -20 dBm.
ptk-rekey-intv <secs>
Set the WPA-RADIUS re-key interval. Some clients may require a longer interval. Range 60 to 864 000 seconds.
radius-server <server_name>
Enter the RADIUS server used to authenticate users. This is available when auth is radius.
No default.
radius-mac-auth {enable | disable}
Enable if you want MAC address authentication of clients. This is independent of other authentication protocols. You will also have to specify radius‑mac‑auth‑server.
radius-mac-auth-server <srv_str>
Specify the RADIUS server to use for MAC address authentication. This is available if radius‑mac‑auth is enabled.
security <sec_mode>
Select the security mode for the wireless interface. Wireless users must use the same security mode to be able to connect to this wireless interface.
captive‑portal — users are authenticated through a captive web portal.
open — has no security. Any wireless user can connect to the wireless network.
wep128 — 128-bit WEP. To use WEP128 you must enter a Key containing 26 hexadecimal digits (0-9 a-f) and inform wireless users of the key.
wep64 — 64-bit web equivalent privacy (WEP). To use WEP64 you must enter a Key containing 10 hexadecimal digits (0-9 a-f) and inform wireless users of the key.
wpa-enterprise — WPA-Enterprise security, WPA or WPA2.
wpa-only-enterprise — WPA-Enterprise security, WPA only.
wpa-only-personal — WPA-Personal security, WPA only.
wpa-only-personal+captive-portal — WPA-Personal security, WPA only, with captive portal.
wpa-personal — WPA-Personal security, WPA or WPA2.
wpa-personal+captive-portal — WPA-Personal security, WPA or WPA2, with captive portal.
wpa2-only-enterprise — WPA-Enterprise security, WPA2 only.
wpa2-only-personal — WPA-Personal security, WPA2 only.
wpa2-only-personal+captive-portal — WPA-Personal security, WPA2 only, with captive portal.
security-exempt-list <exempt_list_name>
Optionally, specify a security exempt list for captive portal authentication. See also user security-exempt-list.
No default.
security-redirect-url <url_str>
Optionally, enter the URL for user redirection after user passes captive portal authentication.
No default.
selected-usergroups <groups_str>
Select the user groups that can authenticate. This is available when security is captive-portal.
No default.
split-tunneling {enable | disable}
Enable or disable split tunneling. Split tunneling allows local traffic on the AP to remain local instead of being routed through the WiFi controller.
ssid <string>
Enter the wireless service set identifier (SSID) or network name for this wireless interface. Users who want to use the wireless network must configure their computers with this network name.
usergroup <group_name>
Enter the usergroup for WPA-Enterprise authentication when auth is usergroup.
No default.
Enter a name for this Virtual Access Point.
No default.
vdom <vdom_name>
Enter the name of the VDOM to which this VAP belongs.
No default.
vlanid <vlan_int>
Enter the VLAN ID, if a VLAN will be used. 0 means no VLAN.
vlan-auto {enable | disable}
Enable or disable automatic VLAN assignment for authenticated users of this SSID. This is available if security is WPA Enterprise or captive portal and vlanid is not 0. vlanid must be unique.