Chapter 6 Deploying Wireless Networks for FortiOS 5.0 : Configuring a WiFi LAN : Defining a wireless network interface (SSID)
  
Defining a wireless network interface (SSID)
You begin configuring your wireless network by defining one or more SSIDs to which your users will connect. When you create an SSID, a virtual network interface is also created with the Name you specified in the SSID configuration. You can configure the settings of an existing SSID in either WiFi Controller > WiFi Network > SSID or System > Network > Interfaces.
To create a new SSID
1. Go to WiFi Controller > WiFi Network > SSID and select Create New.
2. Fill in the SSID fields as described below.
To configure the settings of an existing SSID
1. Either
Go to WiFi Controller > WiFi Network > SSID.
or
Go to System > Network > Interfaces.
WiFi interfaces list the SSID beside the interface Name.
2. Edit a WiFi interface, modifying the SSID fields as needed.
SSID fields
Name
Enter a name for the SSID interface.
Type
WiFi SSID.
Traffic Mode
Tunnel to Wireless Controller — Data for WLAN passes through WiFi Controller. This is the default.
Local bridge with FortiAP’s Interface — FortiAP unit Ethernet and WiFi interfaces are bridged.
Mesh Downlink — Radio receives data for WLAN from mesh backhaul SSID.
IP/Netmask
Enter the IP address and netmask for the SSID.
IPv6 Address
Enter the IPv6 address. This is available only when IPv6 has been enabled on the unit.
Administrative Access
Select which types of administrative access are permitted on this SSID.
IPv6 Administrative Access
If you have IPv6 addresses, select the permitted IPv6 administrative access types for this SSID.
DHCP Server
Select to enable a DHCP server and define IP address ranges to assign to clients or to relay DHCP requests to another server.
If the unit is in transparent mode, the DHCP server settings will be unavailable.
For more information, see “Configuring DHCP for WiFi clients”.
WiFi Settings
SSID
Enter the SSID. By default, this field contains fortinet.
Security Mode
Select the security mode for the wireless interface. Wireless users must use the same security mode to be able to connect to this wireless interface. Additional security mode options are available in the CLI. For more information, see “Configuring security”.
 
WPA/WPA2-Personal – WPA or WPA2 security. WPA is WiFi protected access. WPA2 is WPA with additional security features. There is one shared key (password) that all users use.
 
WPA/WPA2-Enterprise – similar to WPA/WPA2-Personal, but is best used for enterprise networks. Each user is separately authenticated by user name and password.
 
Captive Portal – authenticates users through a customizable web page.
Pre-shared Key
Available only when Security Mode is WPA/WPA2-Personal.
Enter the encryption key that the clients must use.
Data Encryption
Available only when Security Mode is WPA/WPA2-Personal or WPA/WPA2-Enterprise.
Select TKIP or AES encryption as appropriate for the capabilities of your wireless clients.
Authentication
Available only when Security Mode is WPA/WPA2-Enterprise.
Select one of the following:
RADIUS Server — Select the RADIUS server that will authenticate the clients.
Usergroup – Select the user group(s) that can authenticate.
Customize Portal Messages
Available only when Security Mode is Captive Portal. Select to customize the endpoint replacement messages. When you select Edit, the Edit Message window appears. Within the window, you can modify each one of the endpoint replacement messages.
User Groups
Available only when Security Mode is Captive Portal. Select the user groups that can authenticate.
To select a user group, select the group in Available and then use the -> arrow to move that group to Selected. To remove a user group from Selected, select the group and then use the <- arrow to move the group back to Available.
Block Intra-SSID Traffic
Select to enable the unit to block intra-SSID traffic.
Allow New WiFi Client Connections When Controller Is Down
This option is available for local bridge SSIDs with WPA-Personal security. See “Continued FortiAP operation when WiFi controller connection is down”.
Maximum Clients
Select to limit the number of clients permitted to connect simultaneously. Enter the limit value.
Device Management
Select Detect and Identify Devices if you want to monitor the device types using this interface or create device identity policies involving this interface. See “Managing “bring your own device””.
Optionally, enable Add New Devices to Vulnerability Scan List.
Enable Explicit Web Proxy
Select to enable explicit web proxy for the SSID.
Listen for RADIUS Accounting Messages
This is required to permit RADIUS SSO authentication on this WiFi interface. See “SSO using RADIUS accounting records”.
Secondary IP Address
Optionally, enable and define secondary IP addresses. Administrative access can be enabled on secondary interfaces.
Comments
Enter a description or comment for the SSID.
By default, the AP will broadcast its SSID. Optionally, you can disable SSID Broadcast in the CLI:
config wireless-controller vap
edit vap_name
set broadcast-ssid disable
end
For more information, see “Whether to broadcast SSID”.
Each Virtual AP that you create is a wireless interface that establishes a wireless LAN. Go to System > Network > Interfaces to configure its IP address.
To configure a virtual access point (SSID) - CLI
This example creates an access point with SSID “example” and WPA2-Personal security. The wireless interface is named example_wlan.
config wireless-controller vap
edit example_wlan
set ssid "example"
set broadcast-ssid enable
set security wpa2-only-personal
set passphrase "hardtoguess"
set vdom root
end
config system interface
edit example_wlan
set ip 10.10.120.1 255.255.255.0
end
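To review SSID definitions before they are pasted into the CLI, the following added example (not part of the original handbook or of FortiOS) parses a config wireless-controller vap script like the one above and lists settings worth a second look. Assumptions: the encrypt key and the wpa-personal value are taken to be the CLI counterparts of Data Encryption and WPA/WPA2-Personal, the 16-character minimum is a local policy choice, and guest_wlan is a hypothetical second SSID.

```python
import re

MIN_PSK_LEN = 16  # assumed local policy; WPA itself accepts 8-63 characters
# Constructed sample: based on the page's example plus a hypothetical weaker SSID.
SAMPLE = """\
config wireless-controller vap
edit example_wlan
set ssid "example"
set security wpa2-only-personal
set passphrase "hardtoguess"
next
edit guest_wlan
set ssid "fortinet"
set security wpa-personal
set encrypt TKIP
set passphrase "guest123"
end
"""

def parse_vaps(script):
    """Return {interface_name: {setting: value}} for each vap entry."""
    vaps, current, inside = {}, None, False
    for line in map(str.strip, script.splitlines()):
        if line == "config wireless-controller vap":
            inside = True
        elif line == "end":
            inside, current = False, None
        elif inside and line.startswith("edit "):
            current = vaps.setdefault(line[5:].strip().strip('"'), {})
        elif inside and current is not None:
            m = re.match(r"set (\S+) (.+)$", line)
            if m:
                current[m.group(1)] = m.group(2).strip().strip('"')
    return vaps

def audit(vaps):
    """Return a sorted list of (interface_name, finding) tuples."""
    out = []
    for name, cfg in vaps.items():
        sec, psk = cfg.get("security"), cfg.get("passphrase", "")
        checks = [
            (sec is None, "security mode not set explicitly"),
            (sec is not None and not sec.startswith("wpa2-only"), "security mode is not WPA2-only"),
            ("TKIP" in cfg.get("encrypt", "").upper(), "TKIP enabled"),
            # Assumption: keys exported by the unit read 'ENC <blob>'; length is unknowable, so skip.
            (bool(sec) and sec.endswith("personal") and not psk.startswith("ENC ")
             and len(psk) < MIN_PSK_LEN, "passphrase shorter than policy minimum"),
            (cfg.get("ssid") == "fortinet", "SSID left at the default"),
        ]
        out += [(name, msg) for hit, msg in checks if hit]
    return sorted(out)
```

Calling audit(parse_vaps(SAMPLE)) reports the short passphrase on example_wlan and four findings on guest_wlan. The default SSID is flagged because WPA-Personal uses the SSID as the salt when deriving the key from the passphrase.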