Virtual LANs (VLANs) are used to assign wireless users to different networks without requiring the use of multiple SSIDs. Each user’s VLAN assignment is stored in the user database of the RADIUS server that authenticates the users.
This example creates dynamic VLANs for the Techdoc and Marketing departments. The RADIUS server is a FortiAuthenticator.
1. Configure the FortiAuthenticator |
|
| Go to Authentication > RADIUS Service > Clients to register the FortiGate as a client. Enter a Secret (a password) and remember it. It will also be used in the FortiGate configuration. |
Image may be NSFW. Clik here to view.  |
| Go to Authentication > User Management > Local Users and create local user accounts as needed. | Image may be NSFW. Clik here to view.  |
| For each user, add these RADIUS attributes which specify the VLAN information to be sent to the FortiGate. Tunnel-Private-Group-Id specifies the VLAN ID. In this example, jsmith is assigned VLAN 100 and twhite is assigned VLAN 200. |
Image may be NSFW. Clik here to view.  |
2. Add the RADIUS server to the FortiGate configuration |
|
|
Go to User & Device > RADIUS Servers. Select Create New. |
Image may be NSFW. Clik here to view.  |
3. Create an SSID with dynamic VLAN assignment |
|
| Go to WiFi Controller > SSID. Create a new SSID. | Image may be NSFW. Clik here to view.  |
| Set up DHCP service. | Image may be NSFW. Clik here to view.  |
| Select WPA2 Enterprise security and select your RADIUS server for authentication. Set the default VLAN ID to 10. This VLAN is used when RADIUS doesn’t assign a VLAN. |
Image may be NSFW. Clik here to view.  |
| Go to the Dashboard and use the CLI Console to enable dynamic VLANs on the SSID. | config wireless-controller vap edit example-wifi set dynamic-vlan enable end |
4. Create the VLAN interfaces |
|
|
Go to Network > Interfaces. Create the VLAN interface for default VLAN-10 and set up DHCP service. |
Image may be NSFW. Clik here to view.  |
|
Create the VLAN interface for marketing-100 and set up DHCP service. |
Image may be NSFW. Clik here to view.  |
| Create the VLAN interface for techdoc-200 and set up DHCP service. | Image may be NSFW. Clik here to view.  |
5. Create security policies |
|
| Go to Policy & Objects > IPv4 Policy. Create a policy that allows outbound traffic from marketing-100 to the Internet. |
Image may be NSFW. Clik here to view.  |
| In Logging Options, enable logging for all sessions. | Image may be NSFW. Clik here to view.  |
|
Create a policy that allows outbound traffic from techdoc-200 to the Internet. For this policy too, in Logging Options enable logging for all sessions. |
Image may be NSFW. Clik here to view.  |
6. Create the FortiAP Profile |
|
|
Go to WiFi Controller > FortiAP Profiles. Create a new profile for your FortiAP model and select the new SSID for both Radio 1 and Radio 2. |
Image may be NSFW. Clik here to view.  |
7. Connect and authorize the FortiAPGo to Network > Interfaces and choose an unused interface. |
|
| Go to WiFi Controller > Managed FortiAPs. Right-click on the FortiAP unit. Select Authorize. Right-click on the FortiAP unit again. Select Assign Profile and select the FortiAP profile that you created. |
Image may be NSFW. Clik here to view.  |
ResultsThe SSID will appear in the list of available wireless networks on the users’ devices. |
|
|
Go to Log & Report > Forward Traffic. Note that traffic for jsmith and twhite pass through (The column selections were customized for clarity.) The security policies could be made different so that Marketing and Techdoc departments were allowed different access, but didn’t think that was fair. |
Image may be NSFW. Clik here to view.  |
The post Assigning WiFi users to VLANs dynamically appeared first on Fortinet Cookbook.