sdash_FTNT
Staff
January 7, 2015

Technical Tip: How to enable and disable broadcast of SSID


Description

 
This article describes how to enable and disable SSID broadcast on access points. Broadcasting the SSID enables clients to connect to a wireless network without first knowing the SSID.

In some cases it may be necessary to disable SSID broadcast on a wireless unit, or to hide the SSID of the FortiWiFi or of the FortiAP that connects to the FortiGate unit.


Scope

 
FortiGate, FortiWiFi, FortiAP.


Solution

 
In some environments, it may be necessary to disable broadcast of the SSID (Service Set Identifier), which is shared by all users in the wireless network. The following CLI command turns SSID broadcasting on or off.
 
config wireless-controller vap
    edit <vap_name>
        set broadcast-ssid {enable | disable}
    next
end
 
Where <vap_name> is the name for this Virtual Access Point.

For example:
 
FGT # config wireless-controller vap
FGT (vap) # edit TAC24AP  ---> TAC24AP is the <vap_name>.
FGT (TAC24AP) # set broadcast-ssid disable  ---> Disable to hide the SSID. It is enabled by default.
FGT (TAC24AP) # end
 
The above commands will work regardless of the traffic mode or even if the VAP is part of a software switch wherein the wireless is bridged with the local LAN network.
 
To disable 'Broadcast SSID' from the GUI, follow the steps in the article: Technical Tip: How to disable the broadcasting of the SSID. The 'Broadcast SSID' option is only available if the traffic mode is 'tunnel'. If the traffic mode is 'Local Bridge', it has to be enabled/disabled from the CLI. By default, SSID broadcast is enabled.
 

In order to validate whether the SSID is in tunnel mode or bridge mode via CLI, run the show command under the SSID config level.

If the "set local-bridging enable" parameter is present, the SSID is in bridge mode:

 

FGT-1 (SSID-1) # show
    set ssid "SSID-1"
    set passphrase ENC [omitted]
    set local-bridging enable <--- Bridge mode.
    set schedule "always"


If this parameter is not present when running a regular show command, the SSID is in tunnel mode, as this parameter is disabled by default:

 

FGT-1 (SSID-2) # show
    set passphrase ENC [omitted]
    set schedule "always"


FGT-1 (SSID-2) # show full-configuration | grep local-bridging
    set local-bridging disable <--- Tunnel mode.
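
The tunnel/bridge check above, together with the broadcast-ssid default, can be applied to a saved configuration for every VAP at once. The following Python script is an added example, not part of the original article or of any Fortinet tooling; the sample configuration, the VAP names in it and the function names are constructed for illustration.

```python
# Defaults stated in the article: SSID broadcast is enabled and local
# bridging is disabled unless the VAP configuration says otherwise.
DEFAULTS = {"broadcast-ssid": "enable", "local-bridging": "disable"}

# Constructed sample of "show" output; VAP names and settings are made up.
SAMPLE = """\
config wireless-controller vap
    edit "SSID-1"
        set ssid "SSID-1"
        set local-bridging enable
        set broadcast-ssid disable
    next
    edit "SSID-2"
        set ssid "SSID-2"
        set schedule "always"
    next
end
"""

def parse_vaps(text):
    """Return {vap_name: {option: value}} with the defaults filled in."""
    vaps, current = {}, None
    for raw in text.splitlines():
        words = raw.split(None, 2)
        if len(words) >= 2 and words[0] == "edit":
            name = raw.split(None, 1)[1].strip().strip('"')
            current = vaps.setdefault(name, dict(DEFAULTS))
        elif words == ["next"]:
            current = None
        elif current is not None and len(words) == 3 and words[0] == "set":
            current[words[1]] = words[2].strip().strip('"')
    return vaps

def audit(text):
    """Report traffic mode, SSID visibility and where it can be changed."""
    report = {}
    for name, opts in parse_vaps(text).items():
        bridged = opts["local-bridging"] == "enable"
        report[name] = {
            "mode": "bridge" if bridged else "tunnel",
            "hidden": opts["broadcast-ssid"] == "disable",
            # Per the article, the GUI option exists only in tunnel mode.
            "change_via": "CLI" if bridged else "GUI or CLI",
        }
    return report

if __name__ == "__main__":
    for vap, row in audit(SAMPLE).items():
        print(vap, row)
```

VAPs reported with "hidden" set to True are the ones subject to the client-side problems listed in the important note at the end of this article.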

 

The SSID Interface can be enabled/disabled from the FortiGate or FortiManager CLI using the following commands:

 

CLI commands to disable the SSID Interface:


config system interface
    edit "SSID_NAME"
        set status down
    next
end

 

CLI commands to enable the SSID Interface:


config system interface
    edit "SSID_NAME"
        unset status
    next
end

  

Important note:
Enabling broadcast will allow users to see the SSID when scanning the network for a wireless connection. Broadcasting the SSID enables clients to connect to the wireless network without first knowing the SSID.  
Disabling it will stop broadcasting the SSID. When the SSID is hidden, clients must be pre-configured and they will actively send probe requests looking specifically for that SSID.
 
This may cause any of the following problems:
  • Roaming delays.
  • Clients taking longer to connect.
  • An increased number of probes and consequent airtime overhead.
  • Excessive battery drain on the clients.
 
Security is not improved, as the SSID still appears in management frames and can be easily found with any wireless analyzer tool.
To improve security, consider implementing stronger authentication methods (WPA3, 802.1X with certificates, etc.).