Description
This article describes the steps to enable and disable the broadcast of SSID of the access points. Broadcasting the SSID enables clients to connect to a wireless network without first knowing the SSID.
Sometimes it is necessary to disable the SSID broadcast, that is, to hide the SSID of a FortiWiFi unit or of a FortiAP that is managed by a FortiGate unit.
Scope
FortiGate, FortiWiFi, FortiAP.
Solution
For some environments, it may be necessary to disable the broadcast of the SSID (Service Set Identifier), which is shared by all users of the wireless network, so that the SSID is not advertised to devices that have not been given it. This applies to FortiGate v5.0 and above. The following CLI commands turn SSID broadcasting on or off:
config wireless-controller vap
edit <vap_name>
set broadcast-ssid {enable | disable}
next
end
Where <vap_name> is the name for this Virtual Access Point.
For example:
FGT # config wireless-controller vap
FGT (vap) # edit TAC24AP
FGT (TAC24AP) # set broadcast-ssid disable ---> 'disable' hides the SSID; the setting is 'enable' by default.
FGT (TAC24AP) # end
Enabling broadcast will allow users to see the SSID when scanning the network for a wireless connection. Broadcasting the SSID enables clients to connect to the wireless network without first knowing the SSID. For better security, do not broadcast the SSID.
Disabling the same will stop broadcasting the SSID. This does not mean that users cannot connect to that SSID. A user who knows the SSID name and the password will still be able to join if they try to enter the SSID details manually on the client machine.
With SSID broadcast disabled, the SSID will not appear when a client scans for available wireless networks.
The above commands will work regardless of the traffic mode or even if the VAP is part of a software switch wherein the wireless is bridged with the local LAN network.
To disable the 'Broadcast SSID' from the GUI, follow the steps in the article: Technical Tip: How to disable the broadcasting of the SSID. The broadcast SSID option will only be available if the traffic mode is ‘tunnel’. If the traffic mode is ‘Local Bridge’, it will have to be enabled/disabled from the CLI. By default, SSID broadcast is enabled.
In order to validate whether the SSID is in tunnel mode or bridge mode via CLI, run the show command under the SSID config level.
If the "set local-bridging enable" parameter is present, the SSID is in bridge mode:
FGT-1 (SSID-1) # show
set ssid "SSID-1"
set passphrase ENC [omitted]
set local-bridging enable <--- Bridge mode.
set schedule "always"
If this parameter is not present when running a regular show command, the SSID is in tunnel mode, as this parameter is disabled by default:
FGT-1 (SSID-2) # show
set passphrase ENC [omitted]
set schedule "always"
FGT-1 (SSID-2) # show full-configuration | grep local-bridging
set local-bridging disable <--- Tunnel mode.
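The two show outputs above are easy to misread at scale, because a setting that is absent from a regular show is at its default (broadcast-ssid enabled, local-bridging disabled). The following Python script is an added example, not part of the Fortinet article, that parses the text of a show under config wireless-controller vap and reports, for every VAP, its traffic mode and whether its SSID is broadcast, applying those defaults when a line is missing. The sample show output is constructed for the example and modelled on the article's output; the VAP names in it are arbitrary.

```python
"""Audit FortiOS VAP `show` output for SSID broadcast state and traffic mode.

Added example (not from the Fortinet article). It parses the text of
`show` under `config wireless-controller vap` and applies the defaults
the article states for settings omitted from a regular `show`:
broadcast-ssid is enabled and local-bridging is disabled unless set.
"""
import re

# Defaults for settings that a regular `show` omits (as stated in the article).
DEFAULTS = {"broadcast-ssid": "enable", "local-bridging": "disable"}

# Constructed sample `show` output, modelled on the article's examples.
SAMPLE_SHOW = """\
config wireless-controller vap
    edit "SSID-1"
        set ssid "SSID-1"
        set passphrase ENC [omitted]
        set local-bridging enable
        set schedule "always"
    next
    edit "TAC24AP"
        set ssid "TAC24AP"
        set broadcast-ssid disable
        set schedule "always"
    next
    edit "SSID-2"
        set passphrase ENC [omitted]
        set schedule "always"
    next
end
"""

EDIT_RE = re.compile(r'^\s*edit\s+"?([^"\s]+)"?\s*$')
SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*?)\s*$')


def parse_vaps(show_output):
    """Return {vap_name: {setting: value}} for each `edit ... next` block."""
    vaps = {}
    current = None
    for line in show_output.splitlines():
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            vaps[current] = {}
            continue
        if line.strip() == "next":
            current = None
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            vaps[current][m.group(1)] = m.group(2)
    return vaps


def vap_summary(show_output):
    """Per VAP: traffic mode and whether the SSID is broadcast, defaults applied."""
    summary = {}
    for name, settings in parse_vaps(show_output).items():
        bridging = settings.get("local-bridging", DEFAULTS["local-bridging"])
        broadcast = settings.get("broadcast-ssid", DEFAULTS["broadcast-ssid"])
        summary[name] = {
            "mode": "bridge" if bridging == "enable" else "tunnel",
            "broadcast_ssid": broadcast == "enable",
        }
    return summary


def hidden_ssids(show_output):
    """Names of VAPs whose SSID broadcast is disabled."""
    return sorted(n for n, s in vap_summary(show_output).items()
                  if not s["broadcast_ssid"])


if __name__ == "__main__":
    for name, info in vap_summary(SAMPLE_SHOW).items():
        print(f"{name}: mode={info['mode']}, broadcast_ssid={info['broadcast_ssid']}")
```

Paste the real show output in place of SAMPLE_SHOW (or read it from a file) to get the same per-VAP summary for a production FortiGate; a VAP listed by hidden_ssids is the one that must be reached by entering the SSID manually on the client, as described above.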
The SSID Interface can be enabled/disabled from the FortiGate or FortiManager CLI using the following commands:
CLI commands to disable the SSID Interface:
config system interface
edit "SSID_NAME"
set status down
next
end
CLI commands to enable the SSID Interface:
config system interface
edit "SSID_NAME"
unset status
next
end