Chapter 1 What’s New for FortiOS 5.0 : New features in FortiOS 5.0 Patch 4 : Dynamic VLANs for SSIDs
  
Dynamic VLANs for SSIDs
Dynamic VLANs can now be used to divide a single SSID into several VLANs. In Patch 4, Dynamic VLANs are supported for both tunnel and bridge mode SSIDs.
VLAN assignment is based on the credentials supplied by the user. Dynamic VLANs allow individual users to be assigned different VLANs resulting in different levels of access even though all users are connecting to the same SSID.
The task of assigning users to a specific VLAN is handled by a RADIUS authentication server. When a client attempts to associate to a FortiAP registered with a controller, the FortiAP passes the credentials of the user to the RADIUS server for validation. Once the authentication is successful, the RADIUS server passes certain Internet Engineering Task Force (IETF) attributes to the user. These RADIUS attributes include the VLAN ID that should be assigned to the wireless client.
Dynamic VLANs are configured by doing the following:
1. Go to User & Device > Authentication > RADIUS Servers and create a new RADIUS server.
2. Go to WiFi Controller > WiFi Network > SSID and create a new SSID.
3. Enable Dynamic VLAN in the CLI, using the following command:
config wireless-controller vap
edit <name>
set dynamic-vlan enable
end
4. Go to WiFi Controller > WiFi Network > Custom AP and create a new radio 1 and radio 2 that use the new SSID.
5. Go to System > Network > Interfaces and create two or more VLAN interfaces that have DHCP server enabled.
6. Go to Policy > Policy > Policy and create policies that allow outbound traffic from the new VLANs.
7. Configure a policy on the RADIUS server for each VLAN.
When users scan for available SSIDs, they can connect to the new SSID and be assigned to one of the VLANs based on their credentials.
See http://docs.fortinet.com/supplement.html for some Dynamic VLAN examples.