I never thought I would find a reason not to broadcast an SSID for a wireless network; alas, I have.
Fortinet provides a number of wireless devices designed for remote deployment (in particular the FAP-11C, FAP-14C and FAP-28C). These devices connect back to your Wireless Controller over a remote network, such as one you would use in a hotel, and are intended to let travelling and remote staff use your corporate network as if they were in the office.
A useful feature of these devices is that they include LAN ports (1, 4 and 8 respectively), which are particularly handy for VoIP phones and other network devices that you would rather not have on WiFi.
Unfortunately, Fortinet’s software currently only allows these ports to be:
- Disconnected / None
- Bridged to the WAN Port
- NAT to the WAN Port
- Bridged to an SSID / Wireless Network
To get around this and prevent malicious users from connecting over the air to what should be an internal network, the idea is to make the SSID that the LAN ports are bridged to both unjoinable (no user can authenticate to it) and invisible (not broadcast). Note – this section assumes your SSID / network name is A_LAN_Network.
- Create a local group that doesn’t contain any users:
- Configure the SSID WiFi Options:
- Hide the SSID – Unfortunately this has been removed from the GUI in FortiOS 5.2, use the commands below in the CLI:
  config wireless-controller vap
      edit A_LAN_Network
          set broadcast-ssid disable
      next
  end
- Apply the SSID to the LAN Port under the FortiAP Profile:
Pictured above are the FortiAP Profile options for a FAP-11C. It should be noted that the FAP-14C puts all 4 LAN ports on the single selected option, whereas the FAP-28C allows all 8 LAN ports to be placed on different SSIDs / networks.
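The three steps above, written out as one FortiOS 5.2 CLI configuration. This is an added example, not the post's own commands or a Fortinet-supplied configuration: the group name LAN_Ports_NoUsers and profile name FAP11C_Remote are assumptions, and the wtp-profile LAN-port keywords are from memory of the 5.2 CLI and should be confirmed with "?" on your own controller.

```text
# Added example (not from the original post). Assumed names: group "LAN_Ports_NoUsers",
# wtp-profile "FAP11C_Remote"; SSID "A_LAN_Network" as in the post.
# The "config lan" keywords under wtp-profile are from memory and should be checked with "?".

# 1. A local user group with no members: 802.1X authentication against it can never succeed,
#    so no wireless client can join the SSID even if they discover its name.
config user group
    edit "LAN_Ports_NoUsers"
        set group-type firewall
    next
end

# 2. The SSID: WPA2-Enterprise authenticated against the empty group, and not broadcast
#    (the broadcast option is CLI-only in FortiOS 5.2).
config wireless-controller vap
    edit "A_LAN_Network"
        set ssid "A_LAN_Network"
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroup "LAN_Ports_NoUsers"
        set broadcast-ssid disable
    next
end

# 3. The FortiAP profile: bridge the LAN port to that SSID. The FAP-11C has a single port;
#    the FAP-28C exposes per-port settings instead (port1-mode / port1-ssid, etc.).
config wireless-controller wtp-profile
    edit "FAP11C_Remote"
        config lan
            set port-mode bridge-to-ssid
            set port-ssid "A_LAN_Network"
        end
    next
end
```

Order matters: the group must exist before the VAP references it, and the VAP before the profile does. After applying, confirm the SSID is absent from a wireless scan and that an attempt to join it with any credentials is rejected by the controller.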