Virtual LANs (VLANs) are used to assign wireless users to different networks without requiring the use of multiple SSIDs. Each user’s VLAN assignment is stored in the user database of the RADIUS server that authenticates the users.
This example creates dynamic VLANs for the Techdoc and Marketing departments. The RADIUS server is a FortiAuthenticator.
1. Configure the FortiAuthenticator |
|
| Go to Authentication > RADIUS Service > Clients to register the FortiGate as a client. Enter a Secret (a password) and remember it. It will also be used in the FortiGate configuration. |
 |
| Go to Authentication > User Management > Local Users and create local user accounts as needed. |  |
| For each user, add these RADIUS attributes which specify the VLAN information to be sent to the FortiGate. Tunnel-Private-Group-Id specifies the VLAN ID. In this example, jsmith is assigned VLAN 100 and twhite is assigned VLAN 200. |
 |
2. Add the RADIUS server to the FortiGate configuration |
|
|
Go to User & Device > RADIUS Servers. Select Create New. |
 |
3. Create an SSID with dynamic VLAN assignment |
|
| Go to WiFi Controller > SSID. Create a new SSID. |  |
| Set up DHCP service. |  |
| Select WPA2 Enterprise security and select your RADIUS server for authentication. Set the default VLAN ID to 10. This VLAN is used when RADIUS doesn’t assign a VLAN. |
 |
| Go to the Dashboard and use the CLI Console to enable dynamic VLANs on the SSID. | config wireless-controller vap edit example-wifi set dynamic-vlan enable end |
4. Create the VLAN interfaces |
|
|
Go to Network > Interfaces. Create the VLAN interface for default VLAN-10 and set up DHCP service. |
 |
|
Create the VLAN interface for marketing-100 and set up DHCP service. |
 |
| Create the VLAN interface for techdoc-200 and set up DHCP service. |  |
5. Create security policies |
|
| Go to Policy & Objects > IPv4 Policy. Create a policy that allows outbound traffic from marketing-100 to the Internet. |
 |
| In Logging Options, enable logging for all sessions. |  |
|
Create a policy that allows outbound traffic from techdoc-200 to the Internet. For this policy too, in Logging Options enable logging for all sessions. |
 |
6. Create the FortiAP Profile |
|
|
Go to WiFi Controller > FortiAP Profiles. Create a new profile for your FortiAP model and select the new SSID for both Radio 1 and Radio 2. |
 |
7. Connect and authorize the FortiAPGo to Network > Interfaces and choose an unused interface. |
|
| Go to WiFi Controller > Managed FortiAPs. Right-click on the FortiAP unit. Select Authorize. Right-click on the FortiAP unit again. Select Assign Profile and select the FortiAP profile that you created. |
 |
ResultsThe SSID will appear in the list of available wireless networks on the users’ devices. |
|
|
Go to Log & Report > Forward Traffic. Note that traffic for jsmith and twhite pass through (The column selections were customized for clarity.) The security policies could be made different so that Marketing and Techdoc departments were allowed different access, but didn’t think that was fair. |
 |
The post Assigning WiFi users to VLANs dynamically appeared first on Fortinet Cookbook.