Created on 10-28-2024 01:16 AM Edited on 12-03-2024 12:25 AM By Anthony_E
Description
This article describes how to create a restricted access user account for the FortiGate Wireless Controller that permits an admin user to modify the Wireless Access Points and Wireless configuration, without providing access to other Firewall functions.
This can be useful if, for example, a Wireless RF engineer needs to fine-tune the Wireless Network configuration elements, such as FortiAP channels and transmit power.
Scope
FortiGate Wireless Controllers and FortiAPs.
Solution
To meet the needs of a Wireless Administrator, create an administrator profile with Read/Write access to the Wi-Fi & Switch Controller and Read access to the Security Fabric (without the Security Fabric 'Read' access, the user cannot see the Access Points).
From the GUI, select: Global -> System -> Admin Profiles -> Create New. The admin profile should look like this:
To create a new admin user, select: Global -> System -> Administrators -> Create New -> Administrator. Create a username (this one uses 'WiFi_Admin') and password, and assign the new WiFi_Admin profile:
Note: The WiFi_Admin password needs to be generated manually when it expires. It is impossible to autogenerate the expired passwords for the Admins or Users on FortiGate Wireless Controllers and FortiAPs.
The required CLI configuration is as follows:
config global
    config system admin
        edit "WiFi_Admin"
            set password H@rd2Gue$$1976
            set accprofile "WiFi_Admin"
            set vdom "root"
        next
    end
end
Once created, log in with the new WiFi_Admin user account to test it. A screen similar to the following should be accessible, with access to both the Managed FortiAPs and the FortiAP Operation Profiles.
Note: This admin account and admin profile will NOT provide access to the actual SSIDs (since these will provide access to restricted network resources). This configuration will only allow the configuration of the Wireless Access Points (and the Switches), such as transmit power, channel allocation and specific Wireless configuration elements that a Wireless RF engineer would typically require access to.
If the admin user will also be required to actually create the SSIDs, then it will be necessary to add the 'Network' Access Control permission to the Admin Profile (as shown below). This is a powerful permission, so use it with caution.
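To check that a profile stays within the access described above, the following added example (not part of the original article and not Fortinet code) parses 'config system accprofile' entries from a configuration backup and reports every grant that exceeds the Wi-Fi & Switch Controller Read/Write plus Security Fabric Read baseline. The sample configuration is constructed, and the 'WiFi_Admin_SSID' profile name is hypothetical.

```python
# Constructed backup fragment (not from the article); the second profile is a hypothetical variant.
SAMPLE_CONFIG = """
config system accprofile
    edit "WiFi_Admin"
        set secfabgrp read
        set wifi read-write
    next
    edit "WiFi_Admin_SSID"
        set secfabgrp read
        set netgrp read-write
        set wifi read-write
    next
end
"""

# FortiOS accprofile access-group keys (confirm against your firmware's CLI reference).
PERM_KEYS = {"secfabgrp", "ftviewgrp", "authgrp", "sysgrp", "netgrp", "loggrp",
             "fwgrp", "vpngrp", "utmgrp", "wanoptgrp", "wifi"}
# Baseline described in the article; every other group is expected to be 'none'.
BASELINE = {"wifi": "read-write", "secfabgrp": "read"}
RANK = {"none": 0, "read": 1, "read-write": 2}  # any other value (e.g. custom) ranks highest

def parse_accprofiles(text):
    """Return {profile: {perm_key: level}} for each 'config system accprofile' entry."""
    profiles, current, depth = {}, None, 0
    for line in (raw.strip() for raw in text.splitlines()):
        if depth == 0:
            depth = 1 if line == "config system accprofile" else 0
        elif line.startswith("config "):
            depth += 1            # nested table inside a profile (custom permissions)
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            profiles[current] = {}
        elif depth == 1 and current and line.startswith("set "):
            fields = line.split()
            if len(fields) >= 3 and fields[1] in PERM_KEYS:
                profiles[current][fields[1]] = fields[2]
    return profiles

def audit(text, baseline=BASELINE):
    """Map each profile to the (key, level) grants that exceed the baseline."""
    return {name: [(k, v) for k, v in sorted(perms.items())
                   if RANK.get(v, 3) > RANK[baseline.get(k, "none")]]
            for name, perms in parse_accprofiles(text).items()}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

A profile that maps to an empty list matches the baseline; the 'netgrp' entry corresponds to the 'Network' permission discussed above.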