Fortigate Wireless Controller and Dynamic VLANs


In a business environment it is common to see wireless configurations with a corporate/employee SSID with authentication against the domain controller and a Guest SSID which would not allow access to any internal resources. In some cases different security policies need to be applied to users connecting to the Employee SSID, with Dynamic VLANs employees will be assigned a VLAN by the radius server upon wireless authentication based on their group membership.

A radius server which will pass on the vlan information based on group membership needs to be configured. A FreeRadius example can be found here.

On the Fortigate there are two kinds of VAPs, tunnel mode and bridge mode. In tunnel mode all traffic between the FortiAP and the Fortigate controller is tunnelled via the capwap data channel. In bridge mode wireless authentication takes place then traffic is bridged to the FortiAP interface.

An example covering bridge mode can be found here and the tunnel mode example can be found here



Leave a Reply