Configuring the built-in access point on a FortiWiFi unit
Both FortiGate and FortiWiFi units have the WiFi controller feature. If you configure a WiFi network on a FortiWiFi unit, you can also use the built-in wireless capabilities in your WiFi network as one of the access points.
If Virtual Domains are enabled, you must select the VDOM to which the built-in access point belongs. You do this in the CLI. For example:
config wireless-controller global
  set local-radio-vdom vdom1
end
To configure the FortiWiFi unit’s built-in WiFi access point
- Go to WiFi Controller > Local WiFi Radio.
- Make sure that Enable WiFi Radio is selected.
- In SSID, if you do not want this AP to carry all SSIDs, select Select SSIDs and then select the required SSIDs.
- Optionally, adjust the TX Power.
If you have selected your location correctly (see Configuring the built-in access point on a FortiWiFi unit on page 53), the 100% setting corresponds to the maximum power allowed in your region.
- If you do not want the built-in WiFi radio to be used for rogue scanning, select Do not participate in Rogue AP scanning.
- Select OK.
If you want to connect external APs, such as FortiAP units, see the next chapter, Access point deployment.
Enforcing UTM policies on a local bridge SSID for managed smart APs
The config wireless-controller utm-profile command lets administrators configure UTM profiles to enforce UTM policies on a local bridge SSID when smart APs are managed by FortiGate.
As a result, these UTM profiles can also be assigned under config wireless-controller vap.
Please note that this is only supported in Bridge-mode.
In addition, a new diagnose command has been introduced to determine the status of the cw_acd daemon, which handles the communication between FortiGate and APs.
Note that the default utm-profile available (named wifi-default) has all applicable options within the command set to wifi-default.
Use “?” to view all available profiles to assign, for example, “set ips-sensor ?”.
Syntax:
config wireless-controller utm-profile
  edit <name>
    set comment <comment>
    set utm-log {enable | disable}
    set ips-sensor <name>
    set application-list <name>
    set antivirus-profile <name>
    set webfilter-profile <name>
    set firewall-policy <id>
    set scan-botnet-connections {disable | block | monitor}
  next
end
config wireless-controller vap
  edit <name>
    set utm-profile <name>
  next
end
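As an added example (not Fortinet's code and not part of the original page), the following Python script audits a saved configuration for local bridge SSIDs that have no UTM profile assigned, or whose profile leaves utm-log or scan-botnet-connections off. The sample configuration is constructed, and treating "set local-bridging enable" as the marker of a bridge-mode SSID is an assumption, since this page does not show that option.

```python
# Constructed sample backup, not taken from a real device.
SAMPLE_CONFIG = """\
config wireless-controller utm-profile
    edit "branch-utm"
        set utm-log enable
        set scan-botnet-connections disable
    next
end
config wireless-controller vap
    edit "guest"
        set local-bridging enable
    next
    edit "staff"
        set local-bridging enable
        set utm-profile "branch-utm"
    next
    edit "tunnel"
        set ssid "tunnel"
    next
end
"""

def parse_table(config, path):
    """Return {entry: {option: value}} for one top-level 'config <path>' table."""
    body = config.partition("config " + path + "\n")[2].partition("\nend")[0]
    entries, current = {}, None
    for line in map(str.strip, body.splitlines()):
        if line.startswith("edit "):
            current = entries.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip('"')
    return entries

def audit(config):
    """Return (ssid, problem) pairs for bridge-mode SSIDs lacking UTM enforcement."""
    profiles, findings = parse_table(config, "wireless-controller utm-profile"), []
    for name, vap in parse_table(config, "wireless-controller vap").items():
        if vap.get("local-bridging") != "enable":
            continue  # assumed bridge-mode flag; UTM profiles apply to bridge mode only
        profile = profiles.get(vap.get("utm-profile"))
        if profile is None:
            findings.append((name, "no valid utm-profile"))
            continue
        if profile.get("utm-log") != "enable":
            findings.append((name, "utm-log is not enabled"))
        if profile.get("scan-botnet-connections") not in ("block", "monitor"):
            findings.append((name, "scan-botnet-connections is not block or monitor"))
    return findings
```

Options that are absent from the backup are reported as well, because the script cannot see their default values; run it against a full configuration export to avoid that.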
To debug the cw_acd_helper daemon, use the following diagnose command:
diagnose wireless-controller wlac_hlp
Hi Mike,
Since I know by following your posts that you are really good with Fortinet in general, please allow me to ask you a question. In a Fortigate, FortiAP and Radius scenario, can I dynamically assign the VLAN to the WIFI users based on their device type? More specifically, I would like to move any iOS/Android to a different VLAN than a normal Windows Client would get. Thanks
You pass it by the 802.1x pass thru of the RADIUS authentication not the device.