Basic wireless network

This example uses automatic configuration to set up a basic wireless network.

To configure this wireless network, you must:

  • Configure authentication for wireless users
  • Configure the SSID (WiFi network interface)
  • Add the SSID to the FortiAP Profile
  • Configure the firewall policy
  • Configure and connect FortiAP units

Configuring authentication for wireless users

You need to configure user accounts and add the users to a user group. This example shows only one account, but multiple accounts can be added as user group members.

To configure a WiFi user - web-based manager
  1. Go to User & Device > User > User Definition and select Create New.
  2. Select Local User and then click Next.
  3. Enter a User Name and Password and then click Next.
  4. Click Next.
  5. Make sure that Enable is selected and then click Create.

To configure the WiFi user group - web-based manager
  1. Go to User & Device > User > User Groups and select Create New.
  2. Enter the following information and then select OK:

     Name      wlan_users
     Type      Firewall
     Members   Add users.

To configure a WiFi user and the WiFi user group - CLI

config user user
    edit "user01"
        set type password
        set passwd "asdf12ghjk"
end
config user group
    edit "wlan_users"
        set member "user01"
end

Configuring the SSID

First, establish the SSID (network interface) for the network. This is independent of the number of physical access points that will be deployed. The network assigns IP addresses using DHCP.

To configure the SSID - web-based manager
  1. Go to WiFi Controller > WiFi Network > SSID and select Create New.
  2. Enter the following information and select OK:

     Interface Name          example_wifi_if
     Traffic Mode            Tunnel to Wireless Controller
     IP/Network Mask         10.10.110.1/24
     Administrative Access   Ping (to assist with testing)
     DHCP Server             Enable
       Address Range         10.10.110.2 - 10.10.110.199
       Netmask               255.255.255.0
       Default Gateway       Same As Interface IP
       DNS Server            Same as System DNS
     SSID                    example_wifi
     Security Mode           WPA2 Enterprise
     Authentication          Usergroup, select wlan_users.

     Leave other settings at their default values.

To configure the SSID - CLI

config wireless-controller vap
    edit example_wifi_if
        set ssid "example_wifi"
        set broadcast-ssid enable
        set security wpa-enterprise
        set auth usergroup
        set usergroup wlan_users
end
config system interface
    edit example_wifi_if
        set ip 10.10.110.1 255.255.255.0
end
config system dhcp server
    edit 0
        set default-gateway 10.10.110.1
        set dns-service default
        set interface "example_wifi_if"
        config ip-range
            edit 1
                set end-ip 10.10.110.199
                set start-ip 10.10.110.2
        end
        set netmask 255.255.255.0
end

Adding the SSID to the FortiAP Profile

The radio portion of the FortiAP configuration is contained in the FortiAP Profile. By default, there is a profile for each platform (FortiAP model). You can create additional profiles if needed. The SSID needs to be specified in the profile.

To add the SSID to the FortiAP Profile - web-based manager
  1. Go to WiFi Controller > WiFi Network > FortiAP Profiles and edit the profile for your model of FortiAP unit.
  2. In Radio 1 and Radio 2, add example_wifi in SSID.
  3. Select OK.

Configuring firewall policies

A firewall policy is needed to enable WiFi users to access the Internet on port1. First, create a firewall address for the WiFi network, then create the example_wifi to port1 policy.

To create a firewall address for WiFi users - web-based manager
  1. Go to Policy & Objects > Objects > Addresses.
  2. Select Create New, enter the following information and select OK.

     Name                wlan_user_net
     Type                Subnet
     Subnet / IP Range   10.10.110.0/24
     Interface           example_wifi_if
     Visibility          Enabled

To create a firewall address for WiFi users - CLI

config firewall address
    edit "wlan_user_net"
        set associated-interface "example_wifi_if"
        set subnet 10.10.110.0 255.255.255.0
end

To create a firewall policy for WiFi users - web-based manager
  1. Go to Policy & Objects > Policy > IPv4 and select Create New.
  2. Enter the following information and select OK:

     Incoming Interface    example_wifi_if
     Source Address        wlan_user_net
     Outgoing Interface    port1
     Destination Address   All
     Schedule              always
     Service               ALL
     Action                ACCEPT
     NAT                   ON. Select Use Destination Interface Address (default).

     Leave other settings at their default values.

To create a firewall policy for WiFi users - CLI

config firewall policy
    edit 0
        set srcintf "example_wifi_if"
        set dstintf "port1"
        set srcaddr "wlan_user_net"
        set dstaddr "all"
        set schedule always
        set service ALL
        set action accept
        set nat enable
end
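
A cross-reference check for the interface, address and policy objects in this example, added here and not part of the original FortiOS help: it parses flat config/edit/set blocks and reports a policy whose srcintf is not a defined interface, or an address object whose subnet does not contain its interface IP. The parse and lint helpers are hypothetical, the input is constructed from this page's values, and nested config blocks are not handled.

```python
import ipaddress
import shlex

# Constructed input: this page's values, but with the policy naming the SSID
# ("example_wifi") where the interface name ("example_wifi_if") belongs.
SAMPLE = """
config system interface
edit example_wifi_if
set ip 10.10.110.1 255.255.255.0
end
config firewall address
edit "wlan_user_net"
set associated-interface "example_wifi_if"
set subnet 10.10.110.0 255.255.255.0
end
config firewall policy
edit 0
set srcintf "example_wifi"
end
"""

def parse(text):
    """Hypothetical helper: map (config path, edit name) -> {setting: [values]}."""
    objs, path, name = {}, None, None
    for words in map(shlex.split, text.splitlines()):
        if words[:1] == ["config"]:
            path = " ".join(words[1:])
        elif words[:1] == ["edit"]:
            name = words[1]
            objs[(path, name)] = {}
        elif words[:1] == ["set"]:
            objs[(path, name)][words[1]] = words[2:]
    return objs

def lint(text):
    """Hypothetical helper: list broken cross-references between the objects."""
    objs, out = parse(text), []
    ifaces = {n: s for (p, n), s in objs.items() if p == "system interface"}
    for (p, n), s in objs.items():
        if p == "firewall policy":
            out += [f"policy {n}: srcintf {i} is not a defined interface"
                    for i in s.get("srcintf", []) if i not in ifaces]
        elif p == "firewall address" and "subnet" in s:
            intf = s.get("associated-interface", [""])[0]
            net = ipaddress.ip_network("/".join(s["subnet"]))
            ip = ifaces.get(intf, {}).get("ip")
            if ip is None or ipaddress.ip_address(ip[0]) not in net:
                out.append(f"address {n}: {net} does not cover interface {intf!r}")
    return out
```

Calling lint(SAMPLE) returns one finding for the policy; the check treats the pasted text as the complete set of interfaces, so a physical port such as port1 would need its own system interface entry in the input.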

Connecting the FortiAP units

You need to connect each FortiAP unit to the FortiGate unit, wait for it to be recognized, and then assign it to the AP Profile. But first, you must configure the interface to which the FortiAP units connect and the DHCP server that assigns their IP addresses.

In this example, the FortiAP units connect to port 3 and are controlled through IP addresses on the 192.168.8.0/24 network.

To configure the interface for the AP unit - web-based manager
  1. Go to System > Network > Interfaces and edit the port3 interface.
  2. Set the Addressing mode to Dedicate to Extension Device and set the IP/Network Mask to 192.168.8.1/255.255.255.0.
  3. Select OK.

This procedure automatically configures a DHCP server for the AP units. You can see this configuration in System > Network > DHCP Server.

To configure the interface for the AP unit - CLI

config system interface
    edit port3
        set mode static
        set ip 192.168.8.1 255.255.255.0
end

To configure the DHCP server for AP units - CLI

config system dhcp server
    edit 0
        set interface port3
        config exclude-range
            edit 1
                set end-ip 192.168.8.1
                set start-ip 192.168.8.1
        end
        config ip-range
            edit 1
                set end-ip 192.168.8.254
                set start-ip 192.168.8.2
        end
        set netmask 255.255.255.0
        set vci-match enable
        set vci-string "FortiAP"
end

To connect a FortiAP unit - web-based manager
  1. Go to WiFi Controller > Managed Devices > Managed FortiAPs.
  2. Connect the FortiAP unit to port 3.
  3. Periodically select Refresh while waiting for the FortiAP unit to be listed.
    Recognition of the FortiAP unit can take up to two minutes.
    If FortiAP units are connected but cannot be recognized, try disabling VCI-Match in the DHCP server settings.
  4. When the FortiAP unit is listed, select the entry to edit it.
    The Edit Managed Access Point window opens.
  5. In State, select Authorize.
  6. In FortiAP Profile, select the default profile for the FortiAP model.
    Override Settings should not be selected.
  7. Select OK.
  8. Repeat Steps 2 through 8 for each FortiAP unit.

To connect a FortiAP unit - CLI
  1. Connect the FortiAP unit to port 3.
  2. Enter

    config wireless-controller wtp

  3. Wait 30 seconds, then enter get.
    Retry the get command every 15 seconds or so until the unit is listed, like this:

    == [ FAP22B3U10600118 ]
    wtp-id: FAP22B3U10600118

  4. Edit the discovered FortiAP unit like this:

    edit FAP22B3U10600118
        set admin enable
    end

  5. Repeat Steps 2 through 4 for each FortiAP unit.