NSE6 Part 9: FortiAP SSIDs, Wireless Security Modes, and RF Management

Once the APs are provisioned and connected to FortiGate, the work shifts to configuring what clients actually connect to: SSIDs, security modes, and ensuring the radio environment works efficiently. The FCA-FAP exam’s SSID and RF questions are scenario-heavy — knowing the config fields is necessary but the exam tests whether you understand why you’d choose WPA3-SAE over WPA2-Personal, or when bridge mode creates a problem that tunnel mode solves.


SSID / VAP Configuration

An SSID on FortiAP is configured as a VAP (Virtual Access Point) object on FortiGate and pushed to the APs.

WiFi & Switch Controller > SSIDs

Core SSID fields

FieldNotes
SSID nameThe network name clients see. Case-sensitive.
Broadcast SSIDHidden if disabled. Clients must know the SSID name to connect. Hiding is not security — it just stops casual discovery.
Max clientsPer-VAP client cap. Useful in high-density to force clients to associate with less-loaded APs.
Intra-BSS trafficAllow/block client-to-client traffic through the AP. Disable for guest networks.
BSS rate limitPer-VAP bandwidth cap (download/upload in Kbps). Applied at the AP.
Per-STA rate limitPer-client bandwidth cap.
DTIM intervalHow often the AP buffers multicast/broadcast for power-save clients. Default 1 (every beacon). Higher values save battery on IoT.

Tunnel mode vs bridge mode

Tunnel mode (default): All client frames are encapsulated in CAPWAP and sent to FortiGate. FortiGate decapsulates, applies UTM/firewall policy, then forwards to the destination. The SSID’s traffic appears on a FortiGate interface (the SSID’s VLAN interface), so you can write firewall policies against it.

Bridge mode: Client frames are bridged locally by the AP to its Ethernet uplink. No CAPWAP data plane to FortiGate. Client traffic appears directly on the switch port the AP is connected to. FortiGate doesn’t see individual frames — only control traffic.

Use bridge mode when:

  • The AP site has a direct internet connection and CAPWAP tunnel latency is unacceptable.
  • The data plane throughput exceeds what CAPWAP can carry (very dense Wi-Fi 6 deployments).

Limitation of bridge mode: You cannot apply FortiGate firewall policies per-SSID. All traffic on that AP port is subject only to the switch-port-level policies.

config wireless-controller vap
  edit "Corp-WiFi"
    set ssid "CorpNet"
    set broadcast-ssid enable
    set local-bridging disable    # tunnel mode
    set vlanid 100                # VLAN in tunnel mode
  next
end
config wireless-controller vap
  edit "Guest-WiFi"
    set ssid "Guest"
    set local-bridging enable     # bridge mode
    set vlanid 50                 # VLAN the AP port is on
  next
end

Wireless Security Modes

Open

No authentication, no encryption. Any device can connect. Used with captive portal — the captive portal is the authentication layer; 802.11 itself is open.

OWE (Opportunistic Wireless Encryption)

An 802.11ax enhancement. Looks open to the user (no password required) but negotiates an individual encrypted session per client. Protects against passive eavesdropping on “open” networks. Clients must support OWE (most Wi-Fi 6 clients do).

config wireless-controller vap
  edit "Guest-OWE"
    set security owe
  next
end

WPA2-Personal (PSK)

Pre-shared key. All clients use the same passphrase. Simple but has weaknesses:

  • If the PSK leaks, all past and future traffic is at risk (no forward secrecy).
  • Offline dictionary attacks against the 4-way handshake.

WPA3-SAE (Simultaneous Authentication of Equals)

Replaces WPA2-PSK. Uses the Dragonfly key exchange:

  • Each client negotiates a unique session key — forward secrecy (past traffic is not compromised even if the passphrase leaks later).
  • Resistance to offline dictionary attacks — an attacker must interact with the AP for each guess, not capture handshakes to crack offline.
  • PMF (Protected Management Frames) is mandatory — prevents deauthentication attacks.
config wireless-controller vap
  edit "Corp-WPA3"
    set security wpa3-sae
    set passphrase "SecurePassphrase"
    set pmf enable   # mandatory for WPA3
  next
end

WPA2/WPA3 Transition Mode

Allows WPA2-PSK and WPA3-SAE clients on the same SSID. WPA3-capable clients use SAE; older clients fall back to PSK. PMF is optional (not mandatory, to support legacy clients).

Use during migration from WPA2 to WPA3. Once all clients support WPA3, remove the transition mode and enforce SAE-only.

WPA2-Enterprise (802.1X)

Clients authenticate with individual credentials (username/password via PEAP, or certificates via EAP-TLS). Each client session uses a unique PMK — no shared secret. Requires a RADIUS server (FortiAuthenticator).

config wireless-controller vap
  edit "Corp-Dot1x"
    set security wpa2-only-enterprise
    set auth radius
    set radius-server "FAC-RADIUS"
    set pmf optional
  next
end

Exam note: WPA2-Enterprise requires a RADIUS server object defined on FortiGate that points to FortiAuthenticator. The RADIUS object is shared between FortiSwitch (wired 802.1X) and FortiAP (wireless 802.1X).

WPA3-Enterprise

192-bit security mode for government/financial sector requirements. Enforces CNSA (Commercial National Security Algorithm) suite: AES-256, SHA-384, RSA-3072 or ECC P-384 certificates. Clients must explicitly support WPA3-Enterprise 192-bit. PMF is mandatory.


Dynamic VLAN for Wireless

Exactly the same RADIUS attribute mechanism as wired 802.1X (Part 7), but applied to wireless clients after EAP authentication.

FortiAuthenticator returns in Access-Accept:

Tunnel-Type = 13 (VLAN)
Tunnel-Medium-Type = 6 (802)
Tunnel-Private-Group-ID = <vlan-id>

The FortiAP (via FortiGate WLC) places the client in the specified VLAN. The VLAN must exist on the FortiGate as a sub-interface of the SSID’s interface.

This allows one enterprise SSID (Corp-Dot1x) to dynamically segregate engineering staff into VLAN 100 and finance staff into VLAN 200 based on group membership in FortiAuthenticator.


Captive Portal

Captive portal presents a login page before granting network access. FortiAP supports two types:

Internal captive portal (hosted on FortiGate)

config wireless-controller vap
  edit "Guest-Portal"
    set security captive-portal
    set captive-portal-ac-name "FortiGate-WLC"
    set captive-portal-ip 10.0.0.1
  next
end

Clients connect, get a DHCP lease, attempt any HTTP connection, and FortiGate intercepts and redirects to the login page at http://10.0.0.1/fgtauth.

External captive portal (FortiAuthenticator)

FortiGate redirects to FAC’s portal URL. FAC handles the login, user lookup, optional 2FA, and returns a success redirect to FortiGate to authorise the session.

config wireless-controller vap
  edit "Guest-FAC"
    set security captive-portal
    set external-web "https://fac.corp.example.com/captive/"
    set usergroup "Guest-Portal-Group"
  next
end

The FSSO agent on FortiGate registers the client session after FAC confirms authentication (via FSSO or REST callback).

Captive portal exemptions

Some destinations (Bing for Microsoft device checks, Apple CNA server, etc.) must be accessible before portal authentication to avoid devices reporting “no internet” or refusing to associate:

config wireless-controller vap
  edit "Guest-FAC"
    set captive-portal-exemption-list "Microsoft-NCA Apple-CNA"
  next
end

Band Steering

In a dual-band deployment, 2.4 GHz is congested and 5 GHz is underutilised. Band steering moves capable clients to 5 GHz.

config wireless-controller vap
  edit "Corp-WiFi"
    set band-steering enable
  next
end

How it works: When a dual-band client probes on 2.4 GHz, the AP delays or suppresses the 2.4 GHz probe response, hoping the client will retry on 5 GHz instead. If the client only receives a 5 GHz response, it associates on 5 GHz.

Limitation: Some clients are aggressive about 2.4 GHz. If the 5 GHz signal is weak (the client is far from the AP), band steering backfires — the client gets a poor 5 GHz connection instead of a usable 2.4 GHz connection. Use band steering with signal-threshold to disable it for clients with weak 5 GHz RSSI:

config wireless-controller timers
  set client-idle-timeout 300
end

Client load balancing

Prevents one AP from being overloaded when a cluster of clients are all within range of it:

config wireless-controller vap
  edit "Corp-WiFi"
    set max-clients 30    # hard cap per VAP per radio
  next
end

When a new client tries to associate to an AP that’s at its max-clients limit, it receives a disassociation and must connect to a neighbouring AP.


RF Management

Auto Tx power control

FortiGate’s RF management daemon (wpad) monitors interference and adjusts AP transmit power automatically:

config wireless-controller timers
  set ap-reboot-wait-interval1 10
end
config wireless-controller wtp-profile
  edit "FAP-431F-profile"
    config radio-1
      set auto-power-level enable
      set auto-power-low 10    # minimum dBm
      set auto-power-high 17   # maximum dBm
    end
  next
end

Lower Tx power reduces co-channel interference (neighbouring APs on the same channel don’t hear each other as loudly), enabling more aggressive channel reuse.

Auto channel selection

FortiGate can assign channels to APs automatically based on a background RF scan:

config wireless-controller wtp-profile
  edit "FAP-431F-profile"
    config radio-1
      set channel-bonding enable
      set spectrum-analysis enable
      set channel auto
    end
  next
end

DFS channels (5 GHz, channels 100–140 in the UK/Europe) require a Channel Availability Check (CAC) before use — the AP listens for radar signals for 60 seconds (or up to 10 minutes for some channels) before transmitting. If radar is detected mid-operation, the AP vacates the channel in <10 seconds (in-service monitoring).

Spectrum analysis mode

One radio can be dedicated to scanning the RF environment without serving clients:

config wireless-controller wtp-profile
  edit "FAP-432F-profile"
    config radio-3         # tri-radio AP, third radio for scanning
      set mode monitor
    end
  next
end

The scan results are visible in WiFi & Switch Controller > RF Analysis.


Diagnostic Commands

# All SSIDs and their VAP config
diagnose wireless-controller wlac -d vap

# All connected clients and their SSID, VLAN, signal
diagnose wireless-controller wlac -d sta

# Radio stats — channel, Tx power, client count
diagnose wireless-controller wlac -d radio

# RF channel utilisation per AP
diagnose wireless-controller wlac -d chanutil

Common Exam Scenarios

Q: Corporate users on WPA2-Enterprise land in the default VLAN (VLAN 1) instead of their department VLAN. A: Check that FortiAuthenticator is returning the three VLAN attributes in the Access-Accept. Use diagnose debug application authd 255 on FAC to confirm. Also verify the VLAN sub-interface exists on FortiGate for the SSID interface.

Q: Guest users on the captive portal SSID can’t reach the internet after authenticating. A: Check the firewall policy for the guest SSID interface — it must allow the authenticated client’s IP to reach the internet. Also check the captive portal IP is correct and FortiGate can reach FAC for FSSO session registration.

Q: A client near the AP boundary shows poor throughput even though signal strength appears adequate. A: Check the retry rate with diagnose wireless-controller wlac -d sta. High retries indicate co-channel interference. Use spectrum analysis to identify channel congestion and reassign the AP to a less-used channel.

Q: WPA3-SAE is configured but legacy devices can’t connect. A: Enable WPA2/WPA3 transition mode. Legacy clients use WPA2-PSK; WPA3-capable clients negotiate SAE. PMF must be set to optional in transition mode.