Defining a wireless network interface (SSID)
You begin configuring your wireless network by defining one or more SSIDs to which your users will connect. When you create an SSID, a virtual network interface is also created with the Name you specified in the SSID configuration. You can configure the settings of an existing SSID in either WiFi Controller > WiFi Network > SSID or System > Network > Interfaces.
To create a new SSID
1. Go to WiFi Controller > WiFi Network > SSID and select Create New.
2. Fill in the SSID fields as described below.
To configure the settings of an existing SSID
1. Either go to WiFi Controller > WiFi Network > SSID, or go to System > Network > Interfaces. WiFi interfaces list the SSID beside the interface Name.
2. Edit a WiFi interface, modifying the SSID fields as needed.
SSID fields
Interface Name
Enter a name for the SSID interface.
Type
WiFi SSID.
Traffic Mode
Tunnel to Wireless Controller — Data for WLAN passes through WiFi Controller. This is the default.
Local bridge with FortiAP’s Interface — FortiAP unit Ethernet and WiFi interfaces are bridged.
Mesh Downlink — Radio receives data for WLAN from mesh backhaul SSID.
IP/Network Mask
Enter the IP address and netmask for the SSID.
IPv6 Address
Enter the IPv6 address. This is available only when IPv6 has been enabled on the unit.
Administrative Access
Select which types of administrative access are permitted on this SSID.
IPv6 Administrative Access
If you have IPv6 addresses, select the permitted IPv6 administrative access types for this SSID.
DHCP Server
Select Enable to enable a DHCP server and define IP address ranges to assign to clients or to relay DHCP requests to another server.
If the unit is in transparent mode, the DHCP server settings will be unavailable.
For more information, see “Configuring DHCP for WiFi clients”.
WiFi Settings
SSID
Enter the SSID. By default, this field contains fortinet.
Security Mode
Select the security mode for the wireless interface. Wireless users must use the same security mode to be able to connect to this wireless interface. Additional security mode options are available in the CLI. For more information, see “Configuring security”.
Captive Portal – authenticates users through a customizable web page.
WPA2-Personal – WPA2 is WiFi Protected Access version 2. There is one pre-shared key (password) that all users use.
WPA2-Personal with Captive Portal – The user will need to know the pre-shared key and will also be authenticated through the custom portal.
WPA2-Enterprise – similar to WPA2-Personal, but is best used for enterprise networks. Each user is separately authenticated by user name and password.
Pre-shared Key
Available only when Security Mode is WPA2-Personal.
Enter the encryption key that the clients must use.
Authentication
Available only when Security Mode is WPA2-Enterprise.
Select one of the following:
RADIUS Server — Select the RADIUS server that will authenticate the clients.
Usergroup – Select the user group(s) that can authenticate.
Portal Type
Available only when Security Mode is Captive Portal. Choose the captive portal type. Authentication is available with or without a usage policy disclaimer notice.
Authentication Portal
Local - portal hosted on the FortiGate unit
Remote - enter FQDN or IP address of external portal
User Groups
Select permitted user groups.
Exempt List
Select exempt lists whose members will not be subject to captive portal authentication.
Customize Portal Messages
Click the listed portal pages to edit them.
User Groups
Available only when Security Mode is Captive Portal. Select the user groups that can authenticate.
To select a user group, select the group in Available and then use the -> arrow to move that group to Selected. To remove a user group from Selected, select the group and then use the <- arrow to move the group back to Available.
Redirect after Captive Portal
Optionally, select Specific URL and enter a URL for user redirection after captive portal authentication. By default, users are redirected to the URL that they originally requested.
Allow New WiFi Client Connections When Controller Is Down
This option is available for local bridge SSIDs with WPA-Personal security. See “Continued FortiAP operation when WiFi controller connection is down”.
Broadcast SSID
Optionally, disable broadcast of SSID. By default, the SSID is broadcast. For more information, see “Whether to broadcast SSID”.
Block Intra-SSID Traffic
Select to enable the unit to block intra-SSID traffic.
Maximum Clients
Select to limit the number of clients permitted to connect simultaneously. Enter the limit value.
Optional VLAN ID
Enter the ID of the VLAN this SSID belongs to. Enter 0 for non-VLAN operation.
Device Management
Select Detect and Identify Devices if you want to monitor the device types using this interface or create device identity policies involving this interface. See “Managing “bring your own device””.
Optionally, enable Add New Devices to Vulnerability Scan List.
Enable Explicit Web Proxy
Select to enable explicit web proxy for the SSID.
Listen for RADIUS Accounting Messages
Enable if you are using RADIUS-based Single Sign-On (SSO).
Secondary IP Address
Optionally, enable and define secondary IP addresses. Administrative access can be enabled on secondary interfaces.
Comments
Enter a description or comment for the SSID.
To configure a virtual access point (SSID) - CLI
This example creates an access point with SSID “example” and WPA2-Personal security. The wireless interface is named example_wlan.
config wireless-controller vap
  edit example_wlan
    set ssid "example"
    set broadcast-ssid enable
    set security wpa2-only-personal
    set passphrase "hardtoguess"
    set vdom root
end
config system interface
  edit example_wlan
    set ip 10.10.120.1 255.255.255.0
end
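The following is an added example, not part of the original documentation: a small Python audit that parses config wireless-controller vap text in the syntax shown above and flags settings worth reviewing (open security, a single shared pre-shared key, the default SSID fortinet, unblocked intra-SSID traffic). The open and intra-vap-privacy keywords do not appear on this page and are assumed from the FortiOS CLI; the sample configuration and the 20-character key minimum are constructed for illustration.

```python
import shlex

# Constructed sample in the CLI syntax shown above (not taken from a real unit).
SAMPLE = '''
config wireless-controller vap
edit example_wlan
set ssid "example"
set security wpa2-only-personal
set passphrase "hardtoguess"
next
edit guest_wlan
set ssid "fortinet"
set security open
set intra-vap-privacy enable
end
'''

def parse_vaps(text):
    """Return {interface_name: {setting: value}} for every 'edit' block."""
    vaps, current = {}, None
    for line in text.splitlines():
        tokens = shlex.split(line) or [""]
        if tokens[0] == "edit" and len(tokens) > 1:
            current = vaps.setdefault(tokens[1], {})
        elif tokens[0] == "set" and len(tokens) > 2 and current is not None:
            current[tokens[1]] = " ".join(tokens[2:])
        elif tokens[0] in ("next", "end"):
            current = None
    return vaps

def audit_vap(cfg, min_psk_len=20):
    """List findings for one SSID. min_psk_len is an assumed local policy value."""
    findings = []
    security = cfg.get("security", "")
    psk = cfg.get("passphrase", "")
    if security == "open":
        findings.append("no encryption")
    if security.endswith("personal"):
        findings.append("one pre-shared key shared by all users")
        # Exported configs store the key as 'ENC ...'; its length is then unknown.
        if not psk.startswith("ENC ") and len(psk) < min_psk_len:
            findings.append("pre-shared key shorter than policy minimum")
    if cfg.get("ssid") == "fortinet":
        findings.append("default SSID")
    # An absent setting is treated as not enabled (assumption).
    if cfg.get("intra-vap-privacy") != "enable":
        findings.append("intra-SSID traffic not blocked")
    return findings

def audit(text):
    return {name: audit_vap(cfg) for name, cfg in parse_vaps(text).items()}
```

Calling audit(SAMPLE) returns a dictionary keyed by interface name, with a list of findings for each SSID.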