pprince
Staff
Article Id 390042
Description

This article describes how to configure and use a duplicate SSID.

In Fortinet’s Wi-Fi architecture, the wireless controller can use the same SSID name (the broadcasted wireless network name) in different SSID objects/profiles and map them to different interfaces or VLANs, even though the SSID string is the same.

Scope

All supported versions of FortiOS and FortiAP.
Solution
  1. FortiGate allows multiple SSID objects to have the same SSID value (name), but each can be mapped to:

  • A different VLAN interface.
  • Different security policies.
  • Different user roles.

  2. Each FortiAP profile or VAP can be configured to broadcast one of these SSID objects.

  3. Behind the scenes, FortiGate differentiates them by their VAP object name, VLAN ID, and interface association - not just the SSID string.

Example SSID config:

config wireless-controller vap
    edit "TAC-ssid-1"
        set ssid "TACWiFi"
        set vlanid 10
        set security wpa2-only
    next
    edit "TAC-ssid-2"
        set ssid "TACWiFi"
        set vlanid 20
        set security wpa2-only
    next
end

FortiAP profile config:

config wireless-controller wtp-profile
    edit "ap-profile-1"
        config vap
            edit 1
                set vap-name "TAC-ssid-1"
            next
        end
    next
    edit "ap-profile-2"
        config vap
            edit 1
                set vap-name "TAC-ssid-2"
            next
        end
    next
end

Use cases:

  1. Multi-tenant deployments.
Multiple organizations use the same SSID name (e.g. 'Guest'), but are isolated using VLANs or policy-based routing.

  2. Location-based traffic segmentation.
The same SSID name is used in different buildings or floors but mapped to different subnets or firewalls for segmentation and control.

  3. SSID tunneling scenarios.
FortiAPs in different branches use the same SSID, but traffic is tunneled to different FortiGates or VLANs centrally.

Important: Duplicate SSID is disabled by default on FortiGate and FortiEdge Cloud.

To enable it on FortiGate, make the following configuration change via the CLI:

config wireless-controller setting
    set duplicate-ssid enable
end

Alternatively, the feature can be enabled in the GUI, but only after Advanced WiFi Settings has been enabled under Feature Visibility (see the FortiGate 7.6.3 administration guide).

Figure: Enabling Duplicate SSID on FortiGate

To enable it on FortiEdge Cloud, enter the desired Network, then select Network Settings -> Wireless -> Duplicate SSID -> Allow Duplicate SSID.

Note:

  1. Roaming between APs with duplicate SSIDs across VLANs is not seamless unless the backend handles inter-VLAN routing and mobility support.
  2. DHCP scope and IP addressing must be handled carefully.
  3. Policy enforcement needs to differentiate based on VLAN/interface.
  4. Monitoring and troubleshooting become more complex: logs will show the SSID as the same, so VLAN and interface context are key.
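
Because logs show only the shared SSID string, it helps to audit which VAP objects sit behind each duplicated name. The following Python sketch is an added example, not part of the original article or Fortinet tooling: it parses a `config wireless-controller vap` block in the layout shown earlier, groups VAP objects by SSID, and flags duplicates that also share a VLAN ID and so are not separated by VLAN. The sample configuration is constructed, "TAC-ssid-3" is a hypothetical entry, and treating a missing `vlanid` as 0 is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `config wireless-controller vap`.
# "TAC-ssid-3" is a hypothetical entry added to show a VLAN collision.
SAMPLE_CONFIG = '''
config wireless-controller vap
    edit "TAC-ssid-1"
        set ssid "TACWiFi"
        set vlanid 10
    next
    edit "TAC-ssid-2"
        set ssid "TACWiFi"
        set vlanid 20
    next
    edit "TAC-ssid-3"
        set ssid "TACWiFi"
        set vlanid 20
    next
end
'''

def parse_vaps(text):
    """Return {vap_name: {"ssid": str, "vlanid": str}} for each edit/next entry."""
    vaps, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'edit "?([^"]+)"?$', line)
        if m:
            current = vaps.setdefault(m.group(1), {})
        elif line == "next":
            current = None
        elif current is not None:
            m = re.match(r'set (ssid|vlanid) "?([^"]*)"?$', line)
            if m:
                current[m.group(1)] = m.group(2)
    return vaps

def audit_duplicate_ssids(vaps):
    """For each SSID used by more than one VAP: its (vap, vlan) pairs and reused VLANs."""
    by_ssid = defaultdict(list)
    for name, v in vaps.items():
        # Assumption: a VAP with no vlanid line is treated as VLAN 0.
        by_ssid[v.get("ssid")].append((name, int(v.get("vlanid", 0))))
    report = {}
    for ssid, members in by_ssid.items():
        vlans = [vlan for _, vlan in members]
        if len(members) > 1:
            shared = sorted({v for v in vlans if vlans.count(v) > 1})
            report[ssid] = {"vaps": members, "shared_vlans": shared}
    return report

print(audit_duplicate_ssids(parse_vaps(SAMPLE_CONFIG)))
```

A non-empty `shared_vlans` list means two VAP objects with the same SSID land on the same VLAN, so policies and logs cannot tell them apart by VLAN alone.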

 

Related document:

WiFi settings - FortiManager 7.6.1 administration guide