Chapter 6 Deploying Wireless Networks for FortiOS 5.0 : Configuring a WiFi LAN : Dynamic VLAN assignment
  
Dynamic VLAN assignment
You can assign each individual user to a VLAN based on information stored in the RADIUS authentication server. If the user’s RADIUS record does not specify a VLAN ID, the user is assigned to the default VLAN for the SSID.
The RADIUS user attributes used for the VLAN ID assignment are:
IETF 64 (Tunnel Type)—Set this to VLAN.
IETF 65 (Tunnel Medium Type)—Set this to 802.
IETF 81 (Tunnel Private Group ID)—Set this to the VLAN ID.
To configure dynamic VLAN assignment, you need to:
1. Configure access to the RADIUS server.
2. Create the SSID and enable dynamic VLAN assignment.
3. Create a custom AP profile and add the local bridge mode SSID to it.
4. Create the VLAN interfaces and their DHCP servers.
5. Create security policies to allow communication from the VLAN interfaces to the Internet.
6. Authorize the FortiAP unit and assign the custom profile to it.
To configure access to the RADIUS server
1. Go to User & Device > Authentication > RADIUS Server and select Create New.
2. Enter a Name, the name or IP address in Primary Server Name/IP, and the server secret in Primary Server Secret.
To create the dynamic VLAN SSID
1. Go to WiFi Controller > WiFi Network > SSID, select Create New and enter:
Name: An identifier, such as dynamic_vlan_ssid.
Traffic Mode: Local bridge or Tunnel, as needed.
SSID: An identifier, such as DYNSSID.
Security Mode: WPA/WPA2-Enterprise.
Authentication: RADIUS Server. Select the RADIUS server that you configured.
2. Select OK.
3. Enable dynamic VLAN in the CLI. Optionally, also set vlanid to define the default VLAN for users whose RADIUS record carries no VLAN assignment.
config wireless-controller vap
    edit dynamic_vlan_ssid
        set dynamic-vlan enable
        set vlanid 10
    next
end
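The attribute list above and the default-VLAN fallback in the CLI step are easy to get wrong on the RADIUS server side, so here is an added example (not from the FortiOS manual, and not FortiOS code) that encodes the three RFC 2868 tunnel attributes exactly as a RADIUS server would place them in an Access-Accept, parses them back, and resolves the VLAN a user lands in. The attribute numbers and the VLAN (13) and IEEE-802 (6) values are from RFC 2868; the constructed inputs, the function names, and the choice to treat an inconsistent or non-numeric record as "no VLAN specified" (so the SSID default of 10 applies) are this example's own assumptions, not documented FortiOS behaviour.

```python
"""Encode/decode RADIUS tunnel attributes used for dynamic VLAN assignment.

Added example, not part of the FortiOS manual. Attribute numbers and enum values
follow RFC 2868; the fallback policy (anything inconsistent -> SSID default VLAN)
is an assumption made for this example.
"""
import struct

TUNNEL_TYPE = 64                 # IETF 64 (Tunnel-Type)
TUNNEL_MEDIUM_TYPE = 65          # IETF 65 (Tunnel-Medium-Type)
TUNNEL_PRIVATE_GROUP_ID = 81     # IETF 81 (Tunnel-Private-Group-ID)

TUNNEL_TYPE_VLAN = 13            # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6       # Tunnel-Medium-Type value "802"

DEFAULT_VLAN = 10                # mirrors "set vlanid 10" in the CLI step above


def encode_tagged_int(attr_type, value, tag=0):
    """RFC 2868 tagged integer: one tag octet then a 3-octet big-endian value."""
    payload = bytes([tag]) + value.to_bytes(3, "big")
    return struct.pack("!BB", attr_type, 2 + len(payload)) + payload


def encode_tagged_string(attr_type, text, tag=0):
    """RFC 2868 tagged string: one tag octet (0x00-0x1F) then the string."""
    payload = bytes([tag]) + text.encode("ascii")
    return struct.pack("!BB", attr_type, 2 + len(payload)) + payload


def vlan_attributes(vlan_id, tag=0):
    """Attribute bytes a RADIUS server returns to place the user in vlan_id."""
    return (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag))


def parse_attributes(data):
    """Walk a RADIUS attribute list and return (type, value_bytes) pairs.
    Raises ValueError on a truncated or malformed attribute."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def split_tag(value):
    """Return (tag, rest). A first octet above 0x1F is data, not a tag (RFC 2868)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def resolve_vlan(attr_bytes, default_vlan=DEFAULT_VLAN):
    """Return the VLAN the user is placed in.

    Uses the first tag group with Tunnel-Type=VLAN, Tunnel-Medium-Type=802 and a
    numeric Tunnel-Private-Group-ID in 1..4094; otherwise the SSID default applies.
    """
    groups = {}
    for attr_type, value in parse_attributes(attr_bytes):
        if attr_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue
        tag, rest = split_tag(value)
        grp = groups.setdefault(tag, {})
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            grp[attr_type] = rest.decode("ascii", errors="replace")
        elif len(rest) == 3:
            grp[attr_type] = int.from_bytes(rest, "big")
    for tag in sorted(groups):
        grp = groups[tag]
        if (grp.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and grp.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and grp.get(TUNNEL_PRIVATE_GROUP_ID, "").isdigit()):
            vlan = int(grp[TUNNEL_PRIVATE_GROUP_ID])
            if 1 <= vlan <= 4094:
                return vlan
    return default_vlan


if __name__ == "__main__":
    # Constructed sample: a RADIUS record placing the user in VLAN 100.
    print(resolve_vlan(vlan_attributes(100)))
    # Constructed sample: a record with no tunnel attributes, so the SSID default applies.
    print(resolve_vlan(b""))
```

Running the module prints 100 for the complete record and 10 for the empty one. A record that carries only Tunnel-Private-Group-ID, or whose Tunnel-Type is not VLAN, also falls back to the default, which is the safe direction: a user is never moved into a VLAN on the strength of a partial record.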
To create the custom AP profile for the dynamic VLAN SSID
1. Go to WiFi Controller > WiFi Network > Custom AP Profile, select Create New and enter:
Name: A name for the profile, such as dyn_vlan_profile.
Platform: The FortiAP model you are using. If you use more than one model of FortiAP, you need a custom AP profile for each model.
Radio 1 and Radio 2, SSID: In the Available column, select the SSID you created (for example, dynamic_vlan_ssid) and move it to the Selected column. There should be no other SSIDs in the Selected column.
2. Adjust other radio settings as needed.
3. Select OK.
To create the VLAN interfaces
1. Go to System > Network > Interfaces and select Create New.
2. Enter:
Name: A name for the VLAN interface, such as VLAN100.
Interface: The physical interface associated with the VLAN interface.
VLAN ID: The numeric VLAN ID, for example 100.
Addressing mode: Select Manual and enter the IP address / Network Mask for the virtual interface.
DHCP Server: Enable, then select Create New to create an address range.
3. Select OK.
4. Repeat the preceding steps to create other VLANs as needed.
Security policies determine which VLANs can communicate with which other interfaces. These are simple address-based firewall policies without authentication: users are assigned to the appropriate VLAN when they authenticate to the SSID, so the policies themselves do not need to authenticate them.
To connect and authorize the FortiAP unit
1. Connect the FortiAP unit to the FortiGate unit.
2. Go to WiFi Controller > Managed Access Points > Managed AP.
3. When the FortiAP unit is listed, double-click the entry to edit it.
4. In AP Profile, select Change, then select the custom profile that you created. Select Apply.
5. Select Authorize.
6. Select OK.