wireless-controller vap (5.4)

Use this command to configure Virtual Access Points (VAPs).

The following entries have append options, whereby you can add values without needing to retype the whole list of values:

  • selected-usergroups
  • broadcast-suppression
  • rates-11a
  • rates-11bg
  • rates-11n-ss12
  • rates-11n-ss34
  • rates-11ac-ss12
  • rates-11ac-ss34

vdom <name>

Name of the VLAN ID, if a VLAN will be used.


fast-roaming {enable | disable}

Enable (by default) or disable fast-roaming, or pre-authentication, where supported by clients.


external-fast-roaming {enable | disable}

Enable or disable (by default) pre-authentication with external non-managed AP.


mesh-backhaul {enable | disable}

Note: This entry is only available when security is set to a WPA type or open.

Enable or disable (by default) to use this VAP as a WiFi mesh backhaul. WiFi clients cannot connect directly to this SSID.


max-clients <number>

Maximum number of clients that can connect simultaneously. The default is set to 0, meaning no limitation.


max-clients-ap <number>

Maximum number of clients that can connect simultaneously per AP radio. The default is set to 0, meaning no limitation.


ssid <name>

IEEE 802.11 service set identifier, or network name, for the wireless interface. Users who wish to use the wireless network must configure their computers with this network name.


broadcast-ssid {enable | disable}

Enable (by default) or disable broadcasting of the SSID.

Broadcasting enables clients to connect to the wireless network without first knowing the SSID. For better security, however, it is best to not broadcast the SSID.


security {open | captive-portal | wpa-personal | wpa-personal+captive-portal | wpa-enterprise | wpa2-only-personal | wpa2-only-personal+captive-portal | wpa2-only-enterprise}

Security mode for the wireless interface. Wireless users must use the same security mode to connect to the same wireless interface.

  • open: No security; any wireless user can connect to the network (not recommended).
  • captive-portal: Users are authenticated through a captive web portal.
  • wpa-personal: WPA-Personal security, WPA or WPA2.
  • wpa-personal+captive-portal: WPA-Personal security, WPA only, with captive portal.
  • wpa-enterprise: WPA-Enterprise security, WPA or WPA2.
  • wpa2-only-personal: WPA-Personal security, WPA2 only (set by default).
  • wpa2-only-personal+captive-portal: WPA-Personal security, WPA2 only, with captive portal.
  • wpa2-only-enterprise: WPA-Enterprise security, WPA2 only.

pmf {enable | disable}

Enable or disable (by default) Protected Management Frames (PMF) support.

PMF works by adding a Message Integrity Check (MIC) to control packets sent between a computer and an AP. If a malicious device spoofs a control packet, the MIC check fails and the frame is discarded. This protects users from malicious attackers attempting to exchange encrypted traffic.


okc {enable | disable}

Enable or disable Opportunistic Key Caching (OKC) …


radius-mac-auth {enable | disable}

Enable or disable (by default) MAC address authentication of clients. Once enabled, use the radius-mac-auth-server entry to specify the server (see entry below).


radius-mac-auth-server <server>

Note: This entry is only available when radius-mac-auth is set to enable.

RADIUS-based MAC authentication server.


auth {radius | usergroup}


portal-message-override-group <name>

Note: This entry is only available when security is set to a captive portal type.

Replacement message group for this VAP. For this entry to be configured, the replacement message must have already been configured using the config system replacemsg-group command.


portal-type {auth | auth+disclaimer | disclaimer | email-collect}

Note: This entry is only available when security is set to a captive portal type.

Captive portal type:

  • auth: A purely authentication portal (set by default).
  • auth+disclaimer: Authentication portal with a disclaimer.
  • disclaimer: Just a disclaimer.
  • email-collect: Portal for email collection.

selected-usergroups <groups>

Note: This entry is only available when security is set to a captive portal type.

Selective user groups that are permitted to authenticate.


security-exempt-list [name]

Note: This entry is only available when security is set to a captive portal type.

Optional security exempt list for captive portal authentication, as configured under the config user security-exempt-list command.


security-redirect-url [url]

Note: This entry is only available when security is set to a captive portal type.

Optional URL for user-redirection after user passes captive portal authentication.


encrypt {TKIP | AES | TKIP-AES}

Note: This entry is only available when security is set to a WPA type.

Encryption protocol to use:

  • TKIP: Temporal Key Integrity Protocol, used by the older WPA standard. It is more secure than WEP (the original WLAN security protocol); however, it too is now deprecated.
  • AES: Advanced Encryption Standard. This protocol is commonly used with the newer WPA2 standard (set by default).
  • TKIP-AES: Use both TKIP and AES protocols in order to provide backward compatibility for legacy devices. This option is not recommended, however, as attackers will only need to breach the weaker encryption of the two (TKIP).

acct-interim-interval <seconds>


passphrase <psk>

Note: This entry is only available when security is set to a WPA type.

Pre-shared key (PSK) for WPA. Set the hexadecimal value between 8-63 characters in length.


intra-vap-privacy {enable | disable}

Enable or disable (by default) blocking of communication between clients of the same AP.
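
The following audit sketch is an added example, not part of the original reference or Fortinet's own tooling. It parses a `config wireless-controller vap` block and reports the weaker choices described above for security, encrypt, pmf and intra-vap-privacy, filling unset entries with the defaults this page documents. The function names and the sample configuration are assumptions made for illustration, and flagging modes that still permit legacy WPA is the example's own choice.

```python
import shlex

# Defaults as documented on this page (FortiOS 5.4).
DEFAULTS = {"security": "wpa2-only-personal", "encrypt": "AES",
            "pmf": "disable", "intra-vap-privacy": "disable"}
# Constructed sample configuration, not taken from a real device.
SAMPLE = '''
config wireless-controller vap
    edit "guest"
        set security wpa-personal
        set encrypt TKIP-AES
    next
    edit "corp"
        set security wpa2-only-enterprise
        set pmf enable
        set intra-vap-privacy enable
    next
end
'''

def parse_vaps(text):
    """Return {vap_name: {entry: value}} for each 'edit' block."""
    vaps, current = {}, None
    for line in text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) >= 2 and tokens[0] == "edit":
            current = vaps.setdefault(tokens[1], {})
        elif len(tokens) >= 3 and tokens[0] == "set" and current is not None:
            current[tokens[1]] = " ".join(tokens[2:])
        elif tokens[:1] == ["next"]:
            current = None
    return vaps

def audit_vap(settings):
    """List weak settings for one VAP; unset entries take the documented default."""
    cfg = {**DEFAULTS, **settings}
    findings = []
    if cfg["security"] == "open":
        findings.append("security open: any wireless user can connect")
    elif cfg["security"].startswith("wpa"):
        if not cfg["security"].startswith("wpa2-only"):
            findings.append("security allows legacy WPA")
        if cfg["encrypt"] in ("TKIP", "TKIP-AES"):
            findings.append("encrypt allows deprecated TKIP")
    findings += [f"{key} is not enabled" for key in ("pmf", "intra-vap-privacy")
                 if cfg[key] != "enable"]
    return findings

def audit(text):
    return {name: audit_vap(s) for name, s in parse_vaps(text).items()}
```

Calling `audit(SAMPLE)` returns four findings for the "guest" VAP and none for "corp"; a VAP left entirely at its defaults is still reported for pmf and intra-vap-privacy.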


schedule <name>

VAP schedule name.


local-standalone {enable | disable}

Enable or disable (by default) AP local standalone.


local-bridging {enable | disable}

Enable or disable (by default) bridging of wireless and Ethernet interfaces on the FortiAP.


split-tunneling {enable | disable}

Enable or disable (by default) split tunneling. When enabled, split tunneling allows local traffic on the AP to remain local instead of being routed through the WiFi controller.


vlanid <id>

VLAN ID, if a VLAN will be used.


dynamic-vlan {enable | disable}

Enable or disable (by default) dynamic VLAN assignment for users based on RADIUS attributes.


multicast-rate <kbps>

Multicast rate in kbps: 0 (set by default), 6000, 12000, or 24000.

Higher multicast rates mean that only close, strong signals are allowed. An environment with a high number of devices requires a higher multicast rate so as to decrease the range between devices and the router.


multicast-enhance {enable | disable}

Enable or disable (by default) conversion of multicast to unicast to improve performance.


broadcast-suppression [suppression-type]

Optional suppression of broadcast message types:

  • dhcp-up: Uplink DHCP messages
  • dhcp-down: Downlink DHCP messages
  • dhcp-starvation: DHCP starvation req messages
  • arp-known: ARP for known messages
  • arp-unknown: ARP for unknown messages
  • arp-reply: ARP reply from wireless clients
  • arp-poison: ARP poison messages from wireless clients
  • arp-proxy: ARP requests for wireless clients as a proxy
  • netbios-ns: NetBIOS name services packets with UDP port 137
  • netbios-ds: NetBIOS datagram services packets with UDP port 138
  • ipv6: IPv6 packets
  • all-other-mc: All other multicast messages
  • all-other-bc: All other broadcast messages

me-disable-thresh <subscribers>

Multicast enhancement threshold. Set value between 2-256 subscribers. The default is set to 32.


probe-resp-suppression {enable | disable}

Enable or disable (by default) ignoring of weak signals. When enabled, use the probe-resp-threshold entry to define the minimum signal level required for AP response.


probe-resp-threshold <min-level>

Note: This entry is only available when probe-resp-suppression is set to enable.

Minimum signal level/threshold in dBm required for AP response to probe requests. Set the value between -95 and -20. The default is set to -80.


vlan-pooling {wtp-group | disable}

Enable or disable (by default) VLAN pooling, allowing you to group multiple wireless controller VLANs into VLAN pools. These pools are used to load-balance sessions evenly across multiple VLANs.

When set to wtp-group, VLAN pooling occurs with VLAN assignment by wtp-group.


gtk-rekey {enable | disable}

Note: This entry is only available when security is set to a WPA type.

Enable or disable (by default) WPA re-key interval option. When enabled, use the gtk-rekey-intv entry to set the re-key interval time.


gtk-rekey-intv <interval>

Note: This entry is only available when gtk-rekey is set to enable.

WPA re-key interval in seconds. Increase the value for those users who may require a longer time period. Set the value between 1800-864000 (or 30 minutes to 10 days).


eap-reauth {enable | disable}


rates-11a <data-rate>

Data rates permitted for 802.11a in Mbps:

  • 6: 6 Mbps supported rate
  • 6-basic: 6 Mbps BSS basic rate
  • 9: 9 Mbps supported rate
  • 9-basic: 9 Mbps BSS basic rate
  • 12: 12 Mbps supported rate
  • 12-basic: 12 Mbps BSS basic rate
  • 18: 18 Mbps supported rate
  • 18-basic: 18 Mbps BSS basic rate
  • 24: 24 Mbps supported rate
  • 24-basic: 24 Mbps BSS basic rate
  • 36: 36 Mbps supported rate
  • 36-basic: 36 Mbps BSS basic rate
  • 48: 48 Mbps supported rate
  • 48-basic: 48 Mbps BSS basic rate
  • 54: 54 Mbps supported rate
  • 54-basic: 54 Mbps BSS basic rate

rates-11bg <data-rate>

Data rates permitted for 802.11b/g in Mbps:

  • 1: 1 Mbps supported rate
  • 1-basic: 1 Mbps BSS basic rate
  • 2: 2 Mbps supported rate
  • 2-basic: 2 Mbps BSS basic rate
  • 5.5: 5.5 Mbps supported rate
  • 5.5-basic: 5.5 Mbps BSS basic rate
  • 11: 11 Mbps supported rate
  • 11-basic: 11 Mbps BSS basic rate
  • 6: 6 Mbps supported rate
  • 6-basic: 6 Mbps BSS basic rate
  • 9: 9 Mbps supported rate
  • 9-basic: 9 Mbps BSS basic rate
  • 12: 12 Mbps supported rate
  • 12-basic: 12 Mbps BSS basic rate
  • 18: 18 Mbps supported rate
  • 18-basic: 18 Mbps BSS basic rate
  • 24: 24 Mbps supported rate
  • 24-basic: 24 Mbps BSS basic rate
  • 36: 36 Mbps supported rate
  • 36-basic: 36 Mbps BSS basic rate
  • 48: 48 Mbps supported rate
  • 48-basic: 48 Mbps BSS basic rate
  • 54: 54 Mbps supported rate
  • 54-basic: 54 Mbps BSS basic rate

rates-11n-ss12 <data-rate>

Data rates permitted for 802.11n with 1 or 2 spatial streams:

  • mcs0/1: MCS index 0 with 1 spatial stream
  • mcs1/1: MCS index 1 with 1 spatial stream
  • mcs2/1: MCS index 2 with 1 spatial stream
  • mcs3/1: MCS index 3 with 1 spatial stream
  • mcs4/1: MCS index 4 with 1 spatial stream
  • mcs5/1: MCS index 5 with 1 spatial stream
  • mcs6/1: MCS index 6 with 1 spatial stream
  • mcs7/1: MCS index 7 with 1 spatial stream
  • mcs8/2: MCS index 8 with 2 spatial streams
  • mcs9/2: MCS index 9 with 2 spatial streams
  • mcs10/2: MCS index 10 with 2 spatial streams
  • mcs11/2: MCS index 11 with 2 spatial streams
  • mcs12/2: MCS index 12 with 2 spatial streams
  • mcs13/2: MCS index 13 with 2 spatial streams
  • mcs14/2: MCS index 14 with 2 spatial streams
  • mcs15/2: MCS index 15 with 2 spatial streams

rates-11n-ss34 <data-rate>

Data rates permitted for 802.11n with 3 or 4 spatial streams:

  • mcs16/3: MCS index 16 with 3 spatial streams
  • mcs17/3: MCS index 17 with 3 spatial streams
  • mcs18/3: MCS index 18 with 3 spatial streams
  • mcs19/3: MCS index 19 with 3 spatial streams
  • mcs20/3: MCS index 20 with 3 spatial streams
  • mcs21/3: MCS index 21 with 3 spatial streams
  • mcs22/3: MCS index 22 with 3 spatial streams
  • mcs23/3: MCS index 23 with 3 spatial streams
  • mcs24/4: MCS index 24 with 4 spatial streams
  • mcs25/4: MCS index 25 with 4 spatial streams
  • mcs26/4: MCS index 26 with 4 spatial streams
  • mcs27/4: MCS index 27 with 4 spatial streams
  • mcs28/4: MCS index 28 with 4 spatial streams
  • mcs29/4: MCS index 29 with 4 spatial streams
  • mcs30/4: MCS index 30 with 4 spatial streams
  • mcs31/4: MCS index 31 with 4 spatial streams

rates-11ac-ss12 <data-rate>

Data rates permitted for 802.11ac with 1 or 2 spatial streams:

  • mcs0/1: MCS index 0 with 1 spatial stream
  • mcs1/1: MCS index 1 with 1 spatial stream
  • mcs2/1: MCS index 2 with 1 spatial stream
  • mcs3/1: MCS index 3 with 1 spatial stream
  • mcs4/1: MCS index 4 with 1 spatial stream
  • mcs5/1: MCS index 5 with 1 spatial stream
  • mcs6/1: MCS index 6 with 1 spatial stream
  • mcs7/1: MCS index 7 with 1 spatial stream
  • mcs8/1: MCS index 8 with 1 spatial stream
  • mcs9/1: MCS index 9 with 1 spatial stream
  • mcs0/2: MCS index 0 with 2 spatial streams
  • mcs1/2: MCS index 1 with 2 spatial streams
  • mcs2/2: MCS index 2 with 2 spatial streams
  • mcs3/2: MCS index 3 with 2 spatial streams
  • mcs4/2: MCS index 4 with 2 spatial streams
  • mcs5/2: MCS index 5 with 2 spatial streams
  • mcs6/2: MCS index 6 with 2 spatial streams
  • mcs7/2: MCS index 7 with 2 spatial streams
  • mcs8/2: MCS index 8 with 2 spatial streams
  • mcs9/2: MCS index 9 with 2 spatial streams

rates-11ac-ss34 <data-rate>

Data rates permitted for 802.11ac with 3 or 4 spatial streams:

  • mcs0/3: MCS index 0 with 3 spatial streams
  • mcs1/3: MCS index 1 with 3 spatial streams
  • mcs2/3: MCS index 2 with 3 spatial streams
  • mcs3/3: MCS index 3 with 3 spatial streams
  • mcs4/3: MCS index 4 with 3 spatial streams
  • mcs5/3: MCS index 5 with 3 spatial streams
  • mcs6/3: MCS index 6 with 3 spatial streams
  • mcs7/3: MCS index 7 with 3 spatial streams
  • mcs8/3: MCS index 8 with 3 spatial streams
  • mcs9/3: MCS index 9 with 3 spatial streams
  • mcs0/4: MCS index 0 with 4 spatial streams
  • mcs1/4: MCS index 1 with 4 spatial streams
  • mcs2/4: MCS index 2 with 4 spatial streams
  • mcs3/4: MCS index 3 with 4 spatial streams
  • mcs4/4: MCS index 4 with 4 spatial streams
  • mcs5/4: MCS index 5 with 4 spatial streams
  • mcs6/4: MCS index 6 with 4 spatial streams
  • mcs7/4: MCS index 7 with 4 spatial streams
  • mcs8/4: MCS index 8 with 4 spatial streams
  • mcs9/4: MCS index 9 with 4 spatial streams