FortiWLC – WAPI Configuration

WAPI Configuration

The WLAN Authentication and Privacy Infrastructure (WAPI) is a Chinese national standard for WLANs. There are two authentication models used for WAPI functionality: certificatebased and PSK-based. For WAPI certificate configurations, the controller must have the IP and port communication details for the central Authentication Service Unit (ASU), which will verify that the wireless communication is permitted.

FortiWLC (SD) implements WAPI configurations in release 5.2 and later.

WAPI Configuration

Specifying WAPI Authentication Mode

As mentioned above, users can specify whether the deployment will use certificate-based or PSK-based WAPI authentication. This is done via the Security Profile configuration.

  1. From the WebUI, navigate to Configuration > Security > Profile.
  2. Create a new profile by clicking the Add button.
  3. In the L2 Modes Allowed section, specify the desired WAPI option:
    • WAI: for certificate-based models
    • WAI-PSK: for PSK models
  4. Make the remaining selections as desired. If using the PSK option, be sure to set an appropriate entry in the Pre-shared Key field.

If your deployment is making use of the WAI option (certificate-based), you will need to configure a WAPI server and import a WAPI certificate as well. Proceed to the following sections for these details.

Importing a WAPI Certificate

In order to properly authenticate WAPI communications, a certificate must be imported into the system. Follow the instructions below.

  1. From the WebUI, navigate to Configuration > Certificates > Controller Certificates.
  2. Click WAPI Cert Import.
  3. Browse to the location of the WAPI certificate and click Import. Note that the system only supports one WAPI certificate to be configured at any given time.
  4. After the certificate is imported, click the WebTerm link to open a CLI console.
  5. Log into the console and execute the reload-wapi command to reload WAPI service.
  6. Proceed to the next section in order to configure communication with the WAPI Authentication Service Unit.
Configuring a WAPI Server

The WAPI server needs to be configured only when using certificate-based WAI authentication. This configuration is used to authenticate the WAPI certificate after it has been imported into the system.

To configure the WAPI Server:

  1. From the WebUI, navigate to Configuration > Security > WAPI Server.

WAPI Configuration

  1. Enter the following information:
  • WAPI Server IP—The IP address for the Authentication Service Unit. WAPI Server Port—Enter the port number used for WAPI communication (default:


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos

Cybersecurity Videos and Training Available Via: Office of The CISO Security Training Videos