NSE6 Part 9: FortiAP SSIDs, Wireless Security Modes, and RF Management
Once the APs are provisioned and connected to FortiGate, the work shifts to configuring what clients actually connect to: SSIDs, security modes, and ensuring the radio environment works efficiently. The FCA-FAP exam’s SSID and RF questions are scenario-heavy — knowing the config fields is necessary but the exam tests whether you understand why you’d choose WPA3-SAE over WPA2-Personal, or when bridge mode creates a problem that tunnel mode solves.
SSID / VAP Configuration
An SSID on FortiAP is configured as a VAP (Virtual Access Point) object on FortiGate and pushed to the APs.
WiFi & Switch Controller > SSIDs
Core SSID fields
| Field | Notes |
|---|---|
| SSID name | The network name clients see. Case-sensitive. |
| Broadcast SSID | Hidden if disabled. Clients must know the SSID name to connect. Hiding is not security — it just stops casual discovery. |
| Max clients | Per-VAP client cap. Useful in high-density to force clients to associate with less-loaded APs. |
| Intra-BSS traffic | Allow/block client-to-client traffic through the AP. Disable for guest networks. |
| BSS rate limit | Per-VAP bandwidth cap (download/upload in Kbps). Applied at the AP. |
| Per-STA rate limit | Per-client bandwidth cap. |
| DTIM interval | How often the AP buffers multicast/broadcast for power-save clients. Default 1 (every beacon). Higher values save battery on IoT. |
Tunnel mode vs bridge mode
Tunnel mode (default): All client frames are encapsulated in CAPWAP and sent to FortiGate. FortiGate decapsulates, applies UTM/firewall policy, then forwards to the destination. The SSID’s traffic appears on a FortiGate interface (the SSID’s VLAN interface), so you can write firewall policies against it.
Bridge mode: Client frames are bridged locally by the AP to its Ethernet uplink. No CAPWAP data plane to FortiGate. Client traffic appears directly on the switch port the AP is connected to. FortiGate doesn’t see individual frames — only control traffic.
Use bridge mode when:
- The AP site has a direct internet connection and CAPWAP tunnel latency is unacceptable.
- The data plane throughput exceeds what CAPWAP can carry (very dense Wi-Fi 6 deployments).
Limitation of bridge mode: You cannot apply FortiGate firewall policies per-SSID. All traffic on that AP port is subject only to the switch-port-level policies.
config wireless-controller vap
edit "Corp-WiFi"
set ssid "CorpNet"
set broadcast-ssid enable
set local-bridging disable # tunnel mode
set vlanid 100 # VLAN in tunnel mode
next
end
config wireless-controller vap
edit "Guest-WiFi"
set ssid "Guest"
set local-bridging enable # bridge mode
set vlanid 50 # VLAN the AP port is on
next
end
Wireless Security Modes
Open
No authentication, no encryption. Any device can connect. Used with captive portal — the captive portal is the authentication layer; 802.11 itself is open.
OWE (Opportunistic Wireless Encryption)
An 802.11ax enhancement. Looks open to the user (no password required) but negotiates an individual encrypted session per client. Protects against passive eavesdropping on “open” networks. Clients must support OWE (most Wi-Fi 6 clients do).
config wireless-controller vap
edit "Guest-OWE"
set security owe
next
end
WPA2-Personal (PSK)
Pre-shared key. All clients use the same passphrase. Simple but has weaknesses:
- If the PSK leaks, all past and future traffic is at risk (no forward secrecy).
- Offline dictionary attacks against the 4-way handshake.
WPA3-SAE (Simultaneous Authentication of Equals)
Replaces WPA2-PSK. Uses the Dragonfly key exchange:
- Each client negotiates a unique session key — forward secrecy (past traffic is not compromised even if the passphrase leaks later).
- Resistance to offline dictionary attacks — an attacker must interact with the AP for each guess, not capture handshakes to crack offline.
- PMF (Protected Management Frames) is mandatory — prevents deauthentication attacks.
config wireless-controller vap
edit "Corp-WPA3"
set security wpa3-sae
set passphrase "SecurePassphrase"
set pmf enable # mandatory for WPA3
next
end
WPA2/WPA3 Transition Mode
Allows WPA2-PSK and WPA3-SAE clients on the same SSID. WPA3-capable clients use SAE; older clients fall back to PSK. PMF is optional (not mandatory, to support legacy clients).
Use during migration from WPA2 to WPA3. Once all clients support WPA3, remove the transition mode and enforce SAE-only.
WPA2-Enterprise (802.1X)
Clients authenticate with individual credentials (username/password via PEAP, or certificates via EAP-TLS). Each client session uses a unique PMK — no shared secret. Requires a RADIUS server (FortiAuthenticator).
config wireless-controller vap
edit "Corp-Dot1x"
set security wpa2-only-enterprise
set auth radius
set radius-server "FAC-RADIUS"
set pmf optional
next
end
Exam note: WPA2-Enterprise requires a RADIUS server object defined on FortiGate that points to FortiAuthenticator. The RADIUS object is shared between FortiSwitch (wired 802.1X) and FortiAP (wireless 802.1X).
WPA3-Enterprise
192-bit security mode for government/financial sector requirements. Enforces CNSA (Commercial National Security Algorithm) suite: AES-256, SHA-384, RSA-3072 or ECC P-384 certificates. Clients must explicitly support WPA3-Enterprise 192-bit. PMF is mandatory.
Dynamic VLAN for Wireless
Exactly the same RADIUS attribute mechanism as wired 802.1X (Part 7), but applied to wireless clients after EAP authentication.
FortiAuthenticator returns in Access-Accept:
Tunnel-Type = 13 (VLAN)
Tunnel-Medium-Type = 6 (802)
Tunnel-Private-Group-ID = <vlan-id>
The FortiAP (via FortiGate WLC) places the client in the specified VLAN. The VLAN must exist on the FortiGate as a sub-interface of the SSID’s interface.
This allows one enterprise SSID (Corp-Dot1x) to dynamically segregate engineering staff into VLAN 100 and finance staff into VLAN 200 based on group membership in FortiAuthenticator.
Captive Portal
Captive portal presents a login page before granting network access. FortiAP supports two types:
Internal captive portal (hosted on FortiGate)
config wireless-controller vap
edit "Guest-Portal"
set security captive-portal
set captive-portal-ac-name "FortiGate-WLC"
set captive-portal-ip 10.0.0.1
next
end
Clients connect, get a DHCP lease, attempt any HTTP connection, and FortiGate intercepts and redirects to the login page at http://10.0.0.1/fgtauth.
External captive portal (FortiAuthenticator)
FortiGate redirects to FAC’s portal URL. FAC handles the login, user lookup, optional 2FA, and returns a success redirect to FortiGate to authorise the session.
config wireless-controller vap
edit "Guest-FAC"
set security captive-portal
set external-web "https://fac.corp.example.com/captive/"
set usergroup "Guest-Portal-Group"
next
end
The FSSO agent on FortiGate registers the client session after FAC confirms authentication (via FSSO or REST callback).
Captive portal exemptions
Some destinations (Bing for Microsoft device checks, Apple CNA server, etc.) must be accessible before portal authentication to avoid devices reporting “no internet” or refusing to associate:
config wireless-controller vap
edit "Guest-FAC"
set captive-portal-exemption-list "Microsoft-NCA Apple-CNA"
next
end
Band Steering
In a dual-band deployment, 2.4 GHz is congested and 5 GHz is underutilised. Band steering moves capable clients to 5 GHz.
config wireless-controller vap
edit "Corp-WiFi"
set band-steering enable
next
end
How it works: When a dual-band client probes on 2.4 GHz, the AP delays or suppresses the 2.4 GHz probe response, hoping the client will retry on 5 GHz instead. If the client only receives a 5 GHz response, it associates on 5 GHz.
Limitation: Some clients are aggressive about 2.4 GHz. If the 5 GHz signal is weak (the client is far from the AP), band steering backfires — the client gets a poor 5 GHz connection instead of a usable 2.4 GHz connection. Use band steering with signal-threshold to disable it for clients with weak 5 GHz RSSI:
config wireless-controller timers
set client-idle-timeout 300
end
Client load balancing
Prevents one AP from being overloaded when a cluster of clients are all within range of it:
config wireless-controller vap
edit "Corp-WiFi"
set max-clients 30 # hard cap per VAP per radio
next
end
When a new client tries to associate to an AP that’s at its max-clients limit, it receives a disassociation and must connect to a neighbouring AP.
RF Management
Auto Tx power control
FortiGate’s RF management daemon (wpad) monitors interference and adjusts AP transmit power automatically:
config wireless-controller timers
set ap-reboot-wait-interval1 10
end
config wireless-controller wtp-profile
edit "FAP-431F-profile"
config radio-1
set auto-power-level enable
set auto-power-low 10 # minimum dBm
set auto-power-high 17 # maximum dBm
end
next
end
Lower Tx power reduces co-channel interference (neighbouring APs on the same channel don’t hear each other as loudly), enabling more aggressive channel reuse.
Auto channel selection
FortiGate can assign channels to APs automatically based on a background RF scan:
config wireless-controller wtp-profile
edit "FAP-431F-profile"
config radio-1
set channel-bonding enable
set spectrum-analysis enable
set channel auto
end
next
end
DFS channels (5 GHz, channels 100–140 in the UK/Europe) require a Channel Availability Check (CAC) before use — the AP listens for radar signals for 60 seconds (or up to 10 minutes for some channels) before transmitting. If radar is detected mid-operation, the AP vacates the channel in <10 seconds (in-service monitoring).
Spectrum analysis mode
One radio can be dedicated to scanning the RF environment without serving clients:
config wireless-controller wtp-profile
edit "FAP-432F-profile"
config radio-3 # tri-radio AP, third radio for scanning
set mode monitor
end
next
end
The scan results are visible in WiFi & Switch Controller > RF Analysis.
Diagnostic Commands
# All SSIDs and their VAP config
diagnose wireless-controller wlac -d vap
# All connected clients and their SSID, VLAN, signal
diagnose wireless-controller wlac -d sta
# Radio stats — channel, Tx power, client count
diagnose wireless-controller wlac -d radio
# RF channel utilisation per AP
diagnose wireless-controller wlac -d chanutil
Common Exam Scenarios
Q: Corporate users on WPA2-Enterprise land in the default VLAN (VLAN 1) instead of their department VLAN.
A: Check that FortiAuthenticator is returning the three VLAN attributes in the Access-Accept. Use diagnose debug application authd 255 on FAC to confirm. Also verify the VLAN sub-interface exists on FortiGate for the SSID interface.
Q: Guest users on the captive portal SSID can’t reach the internet after authenticating. A: Check the firewall policy for the guest SSID interface — it must allow the authenticated client’s IP to reach the internet. Also check the captive portal IP is correct and FortiGate can reach FAC for FSSO session registration.
Q: A client near the AP boundary shows poor throughput even though signal strength appears adequate.
A: Check the retry rate with diagnose wireless-controller wlac -d sta. High retries indicate co-channel interference. Use spectrum analysis to identify channel congestion and reassign the AP to a less-used channel.
Q: WPA3-SAE is configured but legacy devices can’t connect.
A: Enable WPA2/WPA3 transition mode. Legacy clients use WPA2-PSK; WPA3-capable clients negotiate SAE. PMF must be set to optional in transition mode.