Assigning WiFi users to VLANs dynamically


Virtual LANs (VLANs) are used to assign wireless users to different networks without requiring the use of multiple SSIDs. Each user’s VLAN assignment is stored in the user database of the RADIUS server that authenticates the users.

This example creates dynamic VLANs for the Techdoc and Marketing departments. The RADIUS server is a FortiAuthenticator.

Find this recipe for other FortiOS versions
5.2 | 5.4

1. Configure the FortiAuthenticator

Go to Authentication > RADIUS Service > Clients to register the FortiGate as a client.
Enter a Secret (a password) and remember it. It will also be used in the FortiGate configuration.
Go to Authentication > User Management > Local Users and create local user accounts as needed.  fac-user

For each user, add these RADIUS attributes which specify the VLAN information to be sent to the FortiGate.
Tunnel-Private-Group-Id specifies the VLAN ID.

In this example, jsmith is assigned VLAN 100 and twhite is assigned VLAN 200.


2. Add the RADIUS server to the FortiGate configuration

Go to User & Device > Authentication > RADIUS Servers. Select Create New.
Enter the FortiAuthenticator IP address and the server secret that you entered on the FortiAuthenticator.
Optionally, you can click Test Connectivity. Enter a RADIUS user’s ID and password. The result should be “Successful”.

3. Create an SSID with dynamic VLAN assignment

Go to WiFi Controller > WiFi Network > SSID.
Create a new SSID and set up DHCP service.
Select WPA2 Enterprise security and select your RADIUS server for authentication.
Set the default VLAN ID to 10. This VLAN is used when RADIUS doesn’t assign a VLAN.
Go to System > Dashboard > Status and use the CLI Console to enable dynamic VLANs on the SSID. config wireless-controller vap
  edit Dynamic_VLAN
    set dynamic-vlan enable

4. Create the VLAN interfaces

Go to System > Network > Interfaces.

Create the VLAN interface for default VLAN-10 and set up DHCP service.

Create the VLAN interface for marketing-100 and set up DHCP service.
Create the VLAN interface for techdoc-200 and set up DHCP service.  vlan200

5. Create security policies

Go to Policy > Policy > IPv4.
Create a policy that allows outbound traffic from marketing-100 to the Internet.
In Logging Options, enable logging for all sessions.  log-options
Create a policy that allows outbound traffic from techdoc-200 to the Internet. For this policy too, in Logging Options enable logging for all sessions.  policy-200

6. Create the FortiAP Profile

Go to WiFi Controller > WiFi Network > FortiAP Profiles.
Create a new profile for your FortiAP model and select the new SSID for both Radio 1 and Radio 2.

7. Connect and authorize the FortiAP

Go to System > Network > Interfaces and choose an unused interface.
Set Addressing mode to Dedicated to Extension Device.
Connect the FortiAP unit to the this interface and apply power.

Go to WiFi Controller > Managed Devices > Managed FortiAPs.
Right-click on the FortiAP unit and select the FortiAP profile that you created. Right-click on the FortiAP unit again. Select Authorize.


The SSID will appear in the list of available wireless networks on the users’ devices.
Both twhite and jsmith can connect to the SSID with their credentials and access the Internet.
(If a certificate warning message appears, accept the certificate.)

Go to Log & Report > Traffic Log > Forward Traffic Log.

Note that traffic for jsmith and twhite pass through
different policies. The policy IDs correspond to the marketing-100 and techdoc-200 policies respectively.

The security policies could be made different so that Marketing and Techdoc departments are allowed different access, but we didn’t think that was fair.



Jonathan Coles

Jonathan Coles

Technical Writer at Fortinet
Jonathan Coles is part of the FortiOS Technical Documentation team in Ottawa. He has a B.A. in English from the University of Waterloo and an Electronics Technologist diploma from Conestoga College. Long ago at another company he convinced a documentation manager that he could write. After writing about telephone PBXs, text search software, cell tower planning software, and some less memorable things, he joined Fortinet around the time that FortiOS 3.0 was released.
Jonathan Coles

Latest posts by Jonathan Coles (see all)

  • Was this helpful?
  • Yes   No
  • Luc Paulin

    Hi, this is a great article, however I was wondering, is there a way to assign vlan to the user base is user got authentificated with EAP-TLS or PEAP. So corporate equipement will authenticate using a certificate and assign to the corp network, and user’s own equipement will be able to authenticate using peap, but will be assign to a “corp-guest” network

  • Ryan Tanjuakio


    Just have some questions, hope somebody already encountered this scenario.. 1.) What if I have a core switch (Cisco 3850) where all the VLANS are assigned? 2.) We want FortiAP to broadcast only 1 SSID, but specific users shall obtain per department VLAN assignments? Thanks in advance!

  • Facundo

    Hello, is it possible under this scenario that a wireless client locally manipulates his assigned VLAN ID (at his network adapter settings), or is this VLAN ID unknown to the client and solely managed by the infrastructure?
    Thanks for the clarification!

    • Keith Leroux


      VLAN assignment is done at the network level. The client only has the capability to change their L3 identity, such as their IP address. They do not have control over L2 parameters. The VLAN ID is unknown to the client and completely managed by the Fortigate. Dynamically assigned VLAN IDs will be unknown to the clients and solely managed by the infrastructure based on .1x credentials entered by users.

      Thanks for the question!

      • Facundo

        Thanks for the answer!

  • Jay Maree

    Hi there, is a FortiAuthenticator required? Or is a Microsoft RADIUS server enough?

    • Victoria Martin

      Hi Jay,

      Any RADIUS server that is compatible with a FortiGate can be used for this recipe, though obviously the steps for setting it up will be different.