WPA2 WiFi access control

In this example, you will improve your WiFi security with WPA2-Enterprise authentication.

In the Setting up WiFi with FortiAP recipe, you set up a WiFi network with a single pre-shared key. In this example, there is no longer a pre-shared key that could fall into the wrong hands, or that needs to be changed if someone leaves the company. Each user has an individual user account and password, and accounts can be added or removed later as needed.

This example shows how to authenticate local FortiGate users. You can also integrate WPA2 security with most third-party authentication solutions, including RADIUS.

1. Create user accounts


Go to User & Device > User > User Definition and create a Local user.

Create additional users as needed. You can use any authentication method.


2. Create a user group


Go to User & Device > User > User Groups.

Create a user group for employees and add the new user(s) to the group.


3. Create the SSID and enable the WiFi radio

Go to WiFi Controller > WiFi Network > SSID and configure your wireless network.  
Configure DHCP addressing for clients.  
Configure WPA2-Enterprise authentication using the employees user group.  

4. Create the security policy

Create an address for your SSID, using the same IP range that was set on the DHCP server.
Go to Policy & Objects > Policy > IPv4 and create a policy allowing WiFi users to connect to the Internet.   
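
The CLI equivalent of steps 1 to 4 is given here as an added example; it is not part of the original recipe. The user name "jsmith", the VAP name "staff-wifi", the SSID "example-staff", the 10.10.110.0/24 range and the "wan1" interface are assumptions, and the interface address and DHCP server from step 3 are assumed to be configured already.

```text
# 1. Local user (hypothetical account; replace the placeholder password)
config user local
    edit "jsmith"
        set type password
        set passwd <password>
    next
end
# 2. User group that the SSID will authenticate against
config user group
    edit "employees"
        set member "jsmith"
    next
end
# 3. SSID using WPA2-Enterprise with the local user group, not a pre-shared key
config wireless-controller vap
    edit "staff-wifi"
        set ssid "example-staff"
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroup "employees"
    next
end
# 4. Address object matching the DHCP range (assumed subnet), then the policy
config firewall address
    edit "staff-wifi-net"
        set subnet 10.10.110.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set srcintf "staff-wifi"
        set dstintf "wan1"
        set srcaddr "staff-wifi-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Removing a departed employee then means deleting that one entry under config user local, with no shared key to rotate.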


Users who are members of the employees group can log on to the WiFi network using their username and password.

Go to WiFi Controller > Monitor > Client Monitor to see connected users.


For further reading, check out Deploying Wireless Networks in the FortiOS 5.2 Handbook.