Source: docs.fortinet.com/uploaded/files/1671/assigning-wireless-users-to...

[Network diagram: a FortiGate with a FortiAP attached, wan1 facing the Internet, a RADIUS server at 192.168.1.114, and two wireless users (twhite and jsmith) placed on separate Techdoc and Marketing networks.]

1. Connecting the FortiAP unit

2. Creating an SSID with dynamic VLANs enabled

3. Creating and assigning a custom AP profile

4. Creating the VLAN interfaces

5. Creating security policies for both networks

6. Configuring a connection to the RADIUS server

7. Creating the RADIUS client

8. Creating network policies on the RADIUS client

9. Results

Assigning wireless users to different networks using dynamic VLANs

Dynamic virtual LANs (VLANs) are used to assign wireless users to different networks without requiring the use of multiple SSIDs. This example creates dynamic VLANs for the Techdoc and Marketing departments, with a RADIUS server used for authentication.

Connecting the FortiAP unit

Connect the FortiAP to the internal interface. Go to WiFi Controller > Managed Access Points > Managed FortiAPs and right-click on the FortiAP unit. Select Authorize.

It may take a few minutes for the FortiAP unit to appear on the Managed FortiAP list.

Creating an SSID with dynamic VLANs enabled

Go to WiFi Controller > WiFi Network > SSID.

Create a new SSID. Set Traffic Mode to Local bridge with FortiAP’s Interface.

Dynamic VLANs can also be used with a FortiAP in Tunnel Mode. The only difference in the configuration occurs when creating VLAN interfaces, as the initial creation must occur using the CLI.

Go to System > Dashboard > Status. Enable dynamic VLANs on the FortiAP and set the default VLAN ID (10 in the example) by entering the following in the CLI Console:

    config wireless-controller vap
        edit Dynamic_VLAN
            set vlanid 10
            set dynamic-vlan enable
        end
    end

Creating and assigning a custom AP profile

Go to WiFi Controller > WiFi Network > Custom AP profiles.

Create a new profile and select the new SSID for both Radio 1 and Radio 2.

Go to WiFi Controller > Managed Access Points > Managed FortiAPs.

Right-click on the FortiAP unit. Select Assign Profile and set it to the new AP profile.

Creating the VLAN interfaces

Go to System > Network > Interface.

Create the VLAN interface for marketing-100. Enable DHCP Server.

Create the VLAN interface for techdoc-200. Enable DHCP Server.

Creating security policies for both networks

Go to Policy > Policy > Policy.

Create a policy that allows outbound traffic from marketing-100. Set Incoming Interface to marketing-100 and Outgoing Interface to the Internet-facing interface.

Create another new policy that allows outbound traffic from techdoc-200. Set Incoming Interface to techdoc-200 and Outgoing Interface to the Internet-facing interface.

Configuring a connection to the RADIUS server

This example uses NPS on Windows Server 2008. The RADIUS server has already been configured with the user group Techdoc, with member twhite, and the user group Marketing, with member jsmith.

Go to User & Device > Authentication > RADIUS Servers. Select Create New.

Configure the connection to your RADIUS server, setting both the Primary Server Name/IP and the Primary Server Secret. Select Use Default Authentication Scheme.

Creating the RADIUS client

Connect to the RADIUS server.

Open the Server Manager and create a new RADIUS client.

Creating network policies on the RADIUS client

Create a network policy for the TechDoc department that uses the techdoc-200 VLAN.

Set Tunnel-Pvt-Group-ID to 200, the VLAN ID of techdoc-200, and Tunnel-Type to Virtual LANs (VLAN).

Repeat this procedure to create a network policy for the Marketing department that uses the marketing-100 VLAN.
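The network policies above work because NPS returns the VLAN to the FortiGate inside the RADIUS Access-Accept as RFC 2868 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID), and the wireless controller places the client on that VLAN, or on the SSID's default VLAN (10) when no usable attribute is present. The following is an added example, not code from the recipe or from Fortinet or Microsoft: it models that exchange by encoding the attributes the NPS policies would send for twhite and jsmith (a constructed user-to-VLAN table), then parsing them the way a controller would, including the optional RFC 2868 tag byte and the fallback to the default VLAN. Attribute type numbers and the values 13 (VLAN) and 6 (IEEE-802) come from RFC 2868; the tag value 1 and the behaviour for a user with no matching policy are assumptions of the example.

```python
import struct

# RADIUS tunnel attribute types (RFC 2868)
TUNNEL_TYPE = 64               # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65        # value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81   # the VLAN ID, carried as a string

TUNNEL_TYPE_VLAN = 13
MEDIUM_IEEE_802 = 6

# Default VLAN from the SSID configuration in the recipe ("set vlanid 10")
DEFAULT_VLAN = 10

# Constructed table mirroring the two NPS network policies:
# Techdoc (twhite) -> techdoc-200, Marketing (jsmith) -> marketing-100
NPS_POLICIES = {"twhite": 200, "jsmith": 100}


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 octet), Length (1 octet), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def build_accept_attributes(username: str, tag: int = 1) -> bytes:
    """Server side: the tunnel attributes an NPS network policy would add.

    A user with no matching policy gets an Access-Accept with no tunnel
    attributes here (assumption of the example), so the controller falls
    back to the SSID default VLAN.
    """
    vlan = NPS_POLICIES.get(username)
    if vlan is None:
        return b""
    return (
        encode_attr(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
        + encode_attr(TUNNEL_MEDIUM_TYPE, tagged_int(tag, MEDIUM_IEEE_802))
        + encode_attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode("ascii"))
    )


def parse_attributes(data: bytes):
    """Split a RADIUS attribute section into (type, value) pairs.

    Length is validated on every attribute so a truncated or oversized
    length octet cannot read past the buffer.
    """
    attrs = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def _tagged_value(raw: bytes) -> int:
    # A 4-octet field carries a tag in the first octet; otherwise it is untagged.
    return int.from_bytes(raw[1:] if len(raw) == 4 else raw, "big")


def assign_vlan(accept_attrs: bytes, default_vlan: int = DEFAULT_VLAN) -> int:
    """Controller side: decide which VLAN the authenticated client joins.

    Only a complete, consistent VLAN/IEEE-802 triple with a valid VLAN ID
    overrides the default; anything else lands the client on default_vlan.
    """
    attrs = dict(parse_attributes(accept_attrs))
    tunnel_type = attrs.get(TUNNEL_TYPE)
    medium = attrs.get(TUNNEL_MEDIUM_TYPE)
    group_id = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if tunnel_type is None or medium is None or not group_id:
        return default_vlan
    if _tagged_value(tunnel_type) != TUNNEL_TYPE_VLAN or _tagged_value(medium) != MEDIUM_IEEE_802:
        return default_vlan
    # Tunnel-Private-Group-ID may start with a tag octet (0x00-0x1F); strip it.
    if group_id[0] <= 0x1F:
        group_id = group_id[1:]
    try:
        vlan = int(group_id.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return default_vlan
    return vlan if 1 <= vlan <= 4094 else default_vlan


if __name__ == "__main__":
    for user in ("twhite", "jsmith", "guest"):
        print(user, "->", assign_vlan(build_accept_attributes(user)))
```

The trust in this mapping rests on the RADIUS client registration and the Primary Server Secret configured in the earlier steps: the FortiGate only acts on attributes in replies authenticated with that secret, so the secret and the client entry on NPS are what keep an arbitrary host from steering a client onto a different VLAN.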

Results

The SSID will appear in a list of available wireless networks on the users’ devices. Both twhite and jsmith can connect to the SSID with their credentials.

If a certificate warning message appears, accept the certificate.

Go to WiFi Controller > Monitor > Client Monitor. Both users are shown using the same SSID.

Go to Log & Report > Traffic Log > Forward Traffic Log. Traffic flows through both policies, using the provided credentials.