Technical Tip: Dynamic VLAN assignment for SSID clients in bridge & tunnel mode using radius authentication via FortiAuthenticator

1st.png

  • WIDS profile

gbamania

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

  • Threat Research
  • FortiGuard Labs
  • Threat Briefs
  • Security Fabric
  • Certifications
  • Industry Awards
  • Social Responsibility
  • News Releases
  • News Articles

Copyright 2024 Fortinet, Inc. All Rights Reserved.

  • Terms of Service
  • Privacy Policy
  • Cookie Settings

Linux, Fortinet, Life

fortigate dynamic vlan assignment

Fortigate – Dynamic VLAN (bridge mode)

In this example we will create a wireless VAP in bridge mode with dynamic VLAN assignment via a RADIUS server, based on group membership.

Next we create the VLANs on the Fortigate interface to which the FortiAPs are connected.

We have VLANs v1000 and v2000 off the internal interface.

Next we’ll need firewall policies to allow traffic out to the internet for each VLAN. This is where different security policies can be applied to each VLAN.

WIFI Dynamic user VLAN assignment

Clients connecting to the WiFi network can be assigned to a VLAN. You can do this with RADIUS attributes when the user authenticates or with VLAN pooling when the client associates with a particular FortiAP. You cannot use both of these methods at the same time.

VLAN assignment by RADIUS

You can assign each individual user to a VLAN based on information stored in the RADIUS authentication server. If the user’s RADIUS record does not specify a VLAN ID, the user is assigned to the default VLAN for the SSID.

The RADIUS user attributes used for the VLAN ID assignment are:

  • IETF 64 (Tunnel-Type): set this to VLAN.
  • IETF 65 (Tunnel-Medium-Type): set this to 802.
  • IETF 81 (Tunnel-Private-Group-ID): set this to the VLAN ID.

To configure dynamic VLAN assignment, you need to:

  • Configure access to the RADIUS server.
  • Create the SSID and enable dynamic VLAN assignment.
  • Create a FortiAP Profile and add the local bridge mode SSID to it.
  • Create the VLAN interfaces and their DHCP servers.
  • Create security policies to allow communication from the VLAN interfaces to the Internet.
  • Authorize the FortiAP unit and assign the FortiAP Profile to it.
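As an added example (not from the Fortinet documentation quoted here), the following Python encodes the three RFC 2868 tunnel attributes a RADIUS server returns in its Access-Accept and shows how a controller derives the client's VLAN from them, falling back to the SSID default (the `vlanid 10` of the CLI example) when the attributes are absent, inconsistent or malformed. Enumeration values follow the IANA registry; the sample attribute lists are constructed.

```python
import struct

# RFC 2868 tunnel attributes that FortiOS reads for dynamic VLAN assignment
TUNNEL_TYPE = 64               # IETF 64
TUNNEL_MEDIUM_TYPE = 65        # IETF 65
TUNNEL_PRIVATE_GROUP_ID = 81   # IETF 81
TUNNEL_TYPE_VLAN = 13          # IANA enumeration "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # IANA enumeration "IEEE-802"
SSID_DEFAULT_VLAN = 10         # constructed: mirrors "set vlanid 10" in the text

def tunnel_avp(attr_type, value, tag=0):
    """Encode one tagged attribute: Type, Length, Tag, Value."""
    body = bytes([tag]) + value
    return bytes([attr_type, 2 + len(body)]) + body

def build_accept_attrs(vlan_id, tag=0):
    """Constructed Access-Accept attribute list for a user who belongs in vlan_id."""
    return (tunnel_avp(TUNNEL_TYPE, struct.pack(">I", TUNNEL_TYPE_VLAN)[1:], tag)
            + tunnel_avp(TUNNEL_MEDIUM_TYPE, struct.pack(">I", TUNNEL_MEDIUM_IEEE_802)[1:], tag)
            + tunnel_avp(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode(), tag))

def parse_avps(data):
    """Split raw attribute bytes into (type, value) pairs, rejecting bad lengths."""
    avps, i = [], 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        avps.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return avps

def vlan_for_client(data, default_vlan=SSID_DEFAULT_VLAN):
    """VLAN the client lands in: the RADIUS-supplied ID when all three
    attributes are present and consistent, otherwise the SSID default."""
    ttype = tmedium = group = None
    for t, v in parse_avps(data):
        if t == TUNNEL_TYPE and len(v) == 4:
            ttype = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_MEDIUM_TYPE and len(v) == 4:
            tmedium = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID and v:
            # the tag octet is only present when it is <= 0x1F (RFC 2868 section 3.6)
            group = v[1:] if v[0] <= 0x1F else v
    if ttype != TUNNEL_TYPE_VLAN or tmedium != TUNNEL_MEDIUM_IEEE_802 or not group:
        return default_vlan
    text = group.decode("ascii", "replace")
    if not text.isdigit():          # "my.vlan.10"-style names are not handled here
        return default_vlan
    vid = int(text)
    return vid if 1 <= vid <= 4094 else default_vlan
```

A name in Tunnel-Private-Group-ID instead of a numeric ID (as some FortiOS versions support) falls back to the default here; extend the lookup if you rely on that feature.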

To configure access to the RADIUS server

  • Go to User & Device > RADIUS Servers and select Create New.
  • Enter a Name, the name or IP address in Primary Server IP/Name, and the server secret in Primary Server Secret.
  • Select OK.

To create the dynamic VLAN SSID

  • Go to WiFi & Switch Controller > SSID, select Create New > SSID and enter:
  • Enable dynamic VLAN in the CLI. Optionally, you can also assign a VLAN ID to set the default VLAN for users without a VLAN assignment.

    config wireless-controller vap
        edit dynamic_vlan_ssid
            set dynamic-vlan enable
            set vlanid 10
        next
    end

To create the FortiAP profile for the dynamic VLAN SSID

  • Go to WiFi & Switch Controller > FortiAP Profiles, select Create New and enter:
  • Adjust other radio settings as needed.

To create the VLAN interfaces

  • Go to Network > Interfaces and select Create New > Interface.
  • Repeat the preceding steps to create other VLANs as needed.

Security policies determine which VLANs can communicate with which other interfaces. These are simple firewall address policies without authentication; users are already assigned to the appropriate VLAN when they authenticate to the SSID.

To connect and authorize the FortiAP unit

  • Connect the FortiAP unit to the FortiGate unit.
  • Go to WiFi & Switch Controller > Managed FortiAPs .
  • When the FortiAP unit is listed, double-click the entry to edit it.
  • In FortiAP Profile, select the FortiAP Profile that you created.
  • Select Authorize .

VLAN assignment by VLAN pool

In an SSID, you can define a VLAN pool. As clients associate to an AP, they are assigned to a VLAN. A VLAN pool can:

  • assign a specific VLAN based on the AP’s FortiAP Group, usually for network configuration reasons, or
  • assign one of several available VLANs for network load balancing purposes (tunnel mode SSIDs only).

To assign a VLAN by FortiAP Group – CLI

In this example, VLAN 101, 102, or 103 is assigned depending on the AP’s FortiAP Group.

    config wireless-controller vap
        edit wlan
            set vlan-pooling wtp-group
            config vlan-pool
                edit 101
                    set wtp-group wtpgrp1
                next
                edit 102
                    set wtp-group wtpgrp2
                next
                edit 103
                    set wtp-group wtpgrp3
                next
            end
        next
    end

Load balancing

Two VLAN pooling methods are available for load balancing:

  • round-robin: from the VLAN pool, choose the VLAN with the smallest number of clients.
  • hash: choose a VLAN from the VLAN pool based on a hash of the current number of SSID clients and the number of entries in the VLAN pool.

If the VLAN pool contains no valid VLAN ID, the SSID’s static VLAN ID setting is used.

To assign a VLAN by round-robin selection – CLI

In this example, VLAN 101, 102, or 103 is assigned using the round-robin method:

    config wireless-controller vap
        edit wlan
            set vlan-pooling round-robin
            config vlan-pool
                edit 101
                next
                edit 102
                next
                edit 103
                next
            end
        next
    end

To assign a VLAN by hash-based selection – CLI

In this example, VLAN 101, 102, or 103 is assigned using the hash method:

    config wireless-controller vap
        edit wlan
            set vlan-pooling hash
            config vlan-pool
                edit 101
                next
                edit 102
                next
                edit 103
                next
            end
        next
    end


  12. Voice VLAN auto-assignment

    To confirm that the VLAN was assigned as expected: Connect an IP phone to the network. Check the IP address on the phone. The IP address should belong to the voice VLAN. Sniff on the FortiGate incoming interface to see if traffic from the IP phone has the desired VLAN tag. In the example commands above, the voice VLAN was configured as VLAN 100.