Deploying WPA2-Enterprise SSID to FortiAP units
The guide provides simple configuration instructions for developing WPA2-Enterprise SSID with FortiAP. The steps include creating an SSID, selecting the SSID for the FortiAP, and creating a policy from the SSID to the Internet.
The following shows a simple network topology for this recipe:
To deploy WPA2-Enterprise SSID to FortiAP units on the FortiOS GUI:
- Create an SSID as WPA2-Enterprise. Do one of the following:
- Create an SSID as WPA2-Enterprise with authentication from a RADIUS server:
- Create a RADIUS server:
- Go to User& Device > RADIUS Servers, then click Create New.
- Enter a server name. In the Primary Server> IP/Name field, enter the IP address or server name. iv. In the Primary Server> Secret field, enter the secret key.
- Click Test Connectivity to verify the connection with the RADIUS server.
- Click Test UserCredentials to verify that the user account can be authenticated with the RADIUS server.
- Click OK.
- Create a WPA2-Enterprise SSID:
- Go to WiFi & Switch Controller> SSID, select SSID, then click Create New.
- Enter the desired interface name. For Traffic mode, select Tunnel.
- In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default. You can modify the DHCP IP address range manually.
- In the SSID field, enter the desired SSID name. For Security, select WPA2 Enterprise.
- In the Authentication field, select RADIUS Server. From the dropdown list, select the RADIUS server created in step i.
- Click OK.
- Create an SSID as WPA2-Enterprise with authentication from a user group:
- Create a user group:
- Go to User& Device > UserGroups, then click Create New.
- Enter the desired group name. For Type, select Firewall.
- For Remote Groups, click the + button. In the dropdown list, select the desired RADIUS server. Click OK.
- Click OK.
- Create a WPA2-Enterprise SSID:
- Go to WiFi & Switch Controller> SSID, select SSID, then click Create New.
- Enter the desired interface name. For Traffic mode, select Tunnel.
- In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default. You can modify the DHCP IP address range manually.
- In the SSID field, enter the desired SSID name. For Security, select WPA2 Enterprise.
- In the Authentication field, select RADIUS Server. From the dropdown list, select the RADIUS server created in step i.
- Click OK.
- Select the SSID on a managed FortiAP. The following configuration is based on a example using a managed FortiAP-320C and a “FAP320C-default” profile that is applied to the FortiAP-320C. Do one of the following: Select the SSID by editing the FortiAP:
- Go to WiFi & Switch Controller> Managed FortiAPs. Select the FortiAP-320C and click Edit. ii. Ensure that Managed AP Status is Connected.
- Under WiFi Setting, ensure that the configured FortiAP profile is the desired profile, in this case FAP320C-default. Click Edit entry.
- To broadcast the SSID from 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to select the Fortinet-PSK SSID.
- To broadcast the SSID from 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to select the Fortinet-PSK SSID.
- Click OK.
- Select the SSID by editing the FortiAP profile:
- Go to WiFi & Switch Controller> FortiAP Profile. Select the FAP320C-default profile, then click Edit.
- To broadcast the SSID from 2.4 G radio, scroll to Radio 1 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
- To broadcast the SSID from 5 G radio, scroll to Radio 2 > SSIDs. Select Manual, then click + to create the Fortinet-PSK SSID.
- Click OK.
- Create the SSID-to-Internet firewall policy:
- Go to Policy & Objects > IPv4 Policy, then click Create New.
- Enter the desired policy name.
- From the Incoming Interface dropdown list, select the source interface, such as wifi-vap.
- From the Outgoing Interface dropdown list, select the destination interface, such as wan1.
- In the Source and Destination fields, select all. In the Service field, select ALL. If desired, you can configure different values for these fields.
- Click OK.
To deploy WPA2-Enterprise SSID to FortiAP units using the FortiOS CLI:
- Create a RADIUS server:
config user radius edit “wifi-radius” set server “172.16.200.55” set secret fortinet
next
end
- Create a user group:
config user group edit “group-radius” set member “wifi-radius”
next
end
- Create a WPA2-Enterprise SSID:
- Create an SSID with authentication from the RADIUS server:
config wireless-controller vap edit “wifi-vap” set ssid “Fortinet-Ent-Radius” set security wpa2-only-enterprise set auth radius
set radius-server “wifi-radius”
next
end
- Create an SSID with authentication from the user group:
config wireless-controller vap edit “wifi-vap” set ssid “Fortinet-Ent-Radius” set security wpa2-only-enterprise set auth usergroup set usergroup “group-radius”
next
end
- Configure an IP address and enable DHCP:
config system interface edit “wifi-vap” set ip 10.10.80.1 255.255.255.0
next end config system dhcp server
edit 1 set dns-service default set default-gateway 10.10.80.1 set netmask 255.255.255.0 set interface “wifi-vap” config ip-range edit 1 set start-ip 10.10.80.2 set end-ip 10.10.80.254
next
end
set timezone-option default
next
end
- Select the SSID on a managed FortiAP. The following configuration is based on a example using a managed FortiAP-320C and a “FAP320C-default” profile that is applied to the FortiAP-320C:
config wireless-controller wtp edit “FP320C3X14000640” set admin enable
set wtp-profile “FAP320C-default”
next
end
config wireless-controller wtp-profile edit “FAP320C-default” config radio-1 set vap-all disable set vaps “wifi-vap”
end config radio-2 set vap-all disable set vaps “wifi-vap”
end
next
end
- Create the SSID-to-Internet firewall policy: config firewall policy
edit 1 set name “WiFi to Internet” set srcintf “wifi-vap” set dstintf “wan1” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL” set fsso disable set nat enable
next end