Interface Name | Enter a name for the SSID interface. |
Type | WiFi SSID. |
Traffic Mode | Tunnel to Wireless Controller — Data for WLAN passes through WiFi Controller. This is the default. Local bridge with FortiAP’s Interface — FortiAP unit Ethernet and WiFi interfaces are bridged. Mesh Downlink — Radio receives data for WLAN from mesh backhaul SSID. |
IP/Network Mask | Enter the IP address and netmask for the SSID. |
IPv6 Address | Enter the IPv6 address. This is available only when IPv6 has been enabled on the unit. |
Administrative Access | Select which types of administrative access are permitted on this SSID. |
IPv6 Administrative Access | If you have IPv6 addresses, select the permitted IPv6 administrative access types for this SSID. |
DHCP Server | Select Enable to enable a DHCP server and define IP address ranges to assign to clients or to relay DHCP requests to another server. If the unit is in transparent mode, the DHCP server settings will be unavailable. For more information, see “Configuring DHCP for WiFi clients”. |
WiFi Settings | |
SSID | Enter the SSID. By default, this field contains fortinet. |
Security Mode | Select the security mode for the wireless interface. Wireless users must use the same security mode to be able to connect to this wireless interface. Additional security mode options are available in the CLI. For more information, see “Configuring security”. |
Captive Portal – authenticates users through a customizable web page. | |
WPA2-Personal – WPA2 is WiFi Protected Access version 2. There is one pre-shared key (password) that all users use. | |
WPA2-Personal with Captive Portal – The user will need to know the pre-shared key and will also be authenticated through the custom portal. | |
WPA2-Enterprise – similar to WPA2-Personal, but is best used for enterprise networks. Each user is separately authenticated by user name and password. | |
Pre-shared Key | Available only when Security Mode is WPA2-Personal. Enter the encryption key that the clients must use. |
Authentication | Available only when Security Mode is WPA2-Enterprise. Select one of the following: RADIUS Server — Select the RADIUS server that will authenticate the clients. Usergroup – Select the user group(s) that can authenticate. |
Portal Type | Available only when Security Mode is Captive Portal. Choose the captive portal type. Authentication is available with or without a usage policy disclaimer notice. |
Authentication Portal | Local - portal hosted on the FortiGate unit Remote - enter FQDN or IP address of external portal |
User Groups | Select permitted user groups. |
Exempt List | Select exempt lists whose members will not be subject to captive portal authentication. |
Customize Portal Messages | Click the listed portal pages to edit them. |
User Groups | Available only when Security Mode is Captive Portal. Select the user groups that can authenticate. To select a user group, select the group in Available and then use the -> arrow to move that group to Selected. To remove a user group from Selected, select the group and then use the <- arrow to move the group back to Available. |
Redirect after Captive Portal | Optionally, select Specific URL and enter a URL for user redirection after captive portal authentication. By default, users are redirected to the URL that they originally requested. |
Allow New WiFi Client Connections When Controller Is Down | This option is available for local bridge SSIDs with WPA-Personal security. See “Continued FortiAP operation when WiFi controller connection is down”. |
Broadcast SSID | Optionally, disable broadcast of SSID. By default, the SSID is broadcast. For more information, see “Whether to broadcast SSID”. |
Block Intra-SSID Traffic | Select to enable the unit to block intra-SSID traffic. |
Maximum Clients | Select to limit the number of clients permitted to connect simultaneously. Enter the limit value. |
Optional VLAN ID | Enter the ID of the VLAN this SSID belongs to. Enter 0 for non-VLAN operation. |
Device Management | Select Detect and Identify Devices if you want to monitor the device types using this interface or create device identity policies involving this interface. See “Managing “bring your own device””. Optionally, enable Add New Devices to Vulnerability Scan List. |
Enable Explicit Web Proxy | Select to enable explicit web proxy for the SSID. |
Listen for RADIUS Accounting Messages | Enable if you are using RADIUS-based Single Sign-On (SSO). |
Secondary IP Address | Optioanally, enable and define secondary IP addresses. Administrative access can be enabled on secondary interfaces. |
Comments | Enter a description or comment for the SSID. |