Create an SSID (Wireless Network)

An SSID is a wireless network's broadcast name. Each FortiAP can broadcast multiple SSIDs (typically 4-8) — useful for separating Corporate, Guest, IoT, etc. on different VLANs.

Before You Start

• A FortiAP authorized and online (see Add a FortiAP).
• A VLAN to put SSID traffic on (separate VLAN per SSID is best practice).
• Authentication method decided (PSK / WPA2-Enterprise via RADIUS / Open + captive portal).

Steps

Create the SSID

1. WiFi & Switch Controller → SSIDs → + Create New → SSID.
2. Fill in:
   • Name — internal name (e.g. corp-wifi-ssid).
   • Alias — friendly label.
   • Type — Bridge (clients get IP from your DHCP) or Tunnel (FortiGate hosts the DHCP). Bridge is more common.
   • Traffic Mode — Tunnel to Wireless Controller for centralized inspection; Local Bridge for direct switch path.
   • VLAN ID — VLAN to tag client traffic with.
   • IP/Netmask — gateway for clients (if Tunnel mode).
   • DHCP Server — enable if Tunnel mode.
   • Broadcast SSID — Enable to show the name in client scan; Disable to hide.
   • SSID — what users see (e.g. WTG-Corporate).
   • Security Mode — see Configure Wireless Security.
   • Pre-shared Key (if WPA2/3 PSK) — strong password.
   • Schedule — always or restrict by time.
   • Block Intra-SSID Traffic — prevents client-to-client on the same SSID (good for Guest).
   • Max Clients — cap per AP.
3. OK.

Attach SSID to AP Profile

1. WiFi & Switch Controller → FortiAP Profiles → edit the profile.
2. Radio 1 / Radio 2 → SSID — pick your SSID. Can pick multiple.
3. Apply.

The AP picks up the new SSID within ~30 seconds.

📸 Screenshot needed

SSID create form with security mode and VLAN visible, plus AP Profile edit dialog showing SSIDs attached.

CLI Equivalent

config wireless-controller vap
edit "corp-wifi-ssid"
    set ssid "WTG-Corporate"
    set security wpa2-only-personal
    set passphrase ENC ...
    set schedule "always"
    set vlanid 20
next
end

config wireless-controller wtp-profile
edit "FAP221E-default"
    config radio-1
        set vap-all manual
        set vaps "corp-wifi-ssid"
    end
next
end

Verify

diagnose wireless-controller wlac -c vap-status

Should show the SSID broadcasting on each AP's radios.

From a phone/laptop, scan for Wi-Fi — WTG-Corporate should appear. Connect with PSK.

Common Issues

• SSID not broadcasting. AP Profile not attached, or radio is off. Check wlac -c vap-status.
• Connects but no internet. No firewall policy from the wireless VLAN to WAN. Add policy.
• DHCP not assigning. Bridge mode expects upstream DHCP. Tunnel mode expects FortiGate-hosted DHCP. Check which mode.
• Authentication fails. Wrong PSK, or in WPA-Enterprise mode the RADIUS server isn't responding.

Related Pages

• Add a FortiAP
• Configure Wireless Security
• Create a Guest Wi-Fi Network