Fortigate – Dynamic VLAN (tunnel mode)

In this example we will create a wireless VAP in tunnel mode with dynamic VLAN assignment via radius server based on group membership.

First we create a new SSID, traffic mode is “Tunnel to wireless controller”, an IP address doesn’t need to be configured here unless some users/groups won’t be assigned a VLAN.


Next we turn on dynamic vlan via cli:

config wireless controller-vap
edit dvlantunnel
set dynamic-vlan enable

Now we create a new VLAN (or several depending on the number of required groups), at the time of this writing it is not possible to associate a VLAN with a VAP interface in the GUI so this must be done via CLI:

config system interface
edit vlan101
set vdom root
set ip
set interface dvlantunnel
set vlanid 101

Edit the newly created VLAN in the GUI to enable the DHCP server:


Next create a new firewall policy for the VLAN with appropriate webfilter:

Now we’re ready to test dynamic VLAN assignment with a wireless client.

Leave a Reply