NiklasE
New Contributor II

Authenticated user not getting vlan assignment in tunneled SSID mode

Hi,

I am looking for some input into what I might be doing wrong in our new Fortinet setup. We are migrating from another vendor to a full Fortinet access network consisting of FortiGates, FortiSwitches and FortiAPs. The config is coming along nicely and we are almost ready to start testing this new network on a larger group of users.


We have 2 VDOMs and Global, 7 VRFs and use OSPF to route traffic to the rest of the corporate network. Setting up wired access was a breeze with FortiLink and the WiFi for corporate users (using Cisco ISE as RADIUS) is ready to be tested across the company.

However, I am having some issues with what I feel should be the easiest WiFi SSID to get up and running: the SSID intended for Guest.

We have 4 SSIDs: one for corporate users with several VLANs attached to the SSID interface, each VLAN belonging to a different VRF; one IoT SSID; one SSID for developers doing testing; and lastly the SSID for Guest. They are all tunneled SSIDs.

I have assigned the guest-vlan to the Guest-SSID. I have verified that the guest-vlan can reach the DHCP relay server. I use WPA2 PSK for authentication (so ISE is not involved here) and the test users get authenticated without any issues, but for some reason they don't get a VLAN ID assignment and hence no DHCP IP address.

I faced similar issues at the start, but that was because the user-vlan was placed under the FortiLink interface and not under the SSID interface. A simple error on my part.

One major detail that differentiates the guest-vlan from the corporate VLANs is that it is in Global (vrf=0). But we verified that Global has routing and access to the network services needed.


We have the same type of firewall policy as the corporate VLAN, allowing traffic from the VLAN out.

I can see in Wireless Clients that the user gets authenticated and I see all the user data, except VLAN and DHCP info. However, we see no traffic in the logs and the user gets an APIPA address.

I was thinking about opening a TAC case, but I thought I would give the forum a chance as I am starting to believe I have missed something very basic but I cannot figure out what.


Any hints and input that might point me in the right direction are greatly appreciated.

Anthony_E
Community Manager

Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Anthony - Fortinet Community Team.
ebilcari
Staff

If the SSID is configured with a PSK and it is in tunnel mode, why does it need a VLAN ID assignment?

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
NiklasE
New Contributor II

Hi, and thank you for taking the time to review my problem.

I might have failed to explain the setup completely. This firewall is not internet facing and we are not using NAT. Its main purpose is to act as L3 GW and controller for the switches and APs. So all the traffic originating from this network needs to have a VLAN assignment when traversing the bigger network beyond (Core, DC etc.). That's why we want the VLAN ID on guest.

ebilcari

Since the SSID is in tunnel mode, that VLAN ID is locally significant to the FGT, and if this SSID will have only a single VLAN (no dynamic VLAN assignment) the VLAN ID is not required. The IP configuration can be done at the SSID level and the packets will be routed normally in the network.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
NiklasE
New Contributor II

Interesting, thank you for the feedback. Using tunneled mode, my thought process around this is that IP configuration should not be done at the SSID level, but it has been quite a few years since I worked with Fortinet WiFi so I am still "relearning" best practices. Would you say using a NAC policy is better for the long-term design of the setup, or is Optional VLAN ID an easier way to achieve the goal of tagging the traffic?

ebilcari

The most flexible way would be to use dynamic VLAN assignment through a RADIUS server, if these guests will need to be segmented in the future. If there is only one subnet I would suggest configuring it directly under the SSID and not using any VLAN ID.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
NiklasE
New Contributor II

Thank you for taking the time to assist with this. I will take all your feedback into consideration going forward.

NiklasE
New Contributor II

After some more time on this issue I managed to "solve" it by using Optional VLAN ID. We also looked at setting up a NAC policy, but so far Optional VLAN ID seems to be the simplest way to get the user a VLAN assignment.
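The two designs discussed in this thread, written out as FortiOS CLI fragments. This is an added illustration, not configuration posted by NiklasE or ebilcari and not taken from Fortinet documentation. All names (the "Guest" SSID, the "Guest_vlan" sub-interface, VLAN 300, the 192.0.2.0/24 subnet, the relay address, the "corp_uplink" interface) are constructed placeholders, and the passphrase is a placeholder to replace. It assumes that `set vlanid` under `config wireless-controller vap` is the CLI counterpart of the GUI's "Optional VLAN ID" field; verify that against your FortiOS version before relying on it.

```fortios
# --- Design A: single guest subnet, IP configured directly on the SSID ---
# (ebilcari's suggestion: tunnel-mode SSID, no VLAN ID at all)
config wireless-controller vap
    edit "Guest"
        set ssid "Guest"
        set security wpa2-only-personal
        set passphrase "REPLACE-WITH-PSK"      # placeholder
        set schedule "always"
        # tunnel mode is the default; no vlanid set here
    next
end

config system interface
    edit "Guest"                               # interface auto-created for the VAP
        set ip 192.0.2.1 255.255.255.0         # constructed subnet
        set allowaccess ping
        # hand DHCP to the existing relay server instead of serving it locally
        set dhcp-relay-service enable
        set dhcp-relay-ip "198.51.100.10"      # placeholder relay address
    next
end

# --- Design B: what the thread settled on, Optional VLAN ID on the SSID ---
# Client traffic is tagged with VLAN 300 and lands on a VLAN sub-interface
# that hangs off the SSID interface (not off the FortiLink interface, which
# was the original mistake in the thread).
config wireless-controller vap
    edit "Guest"
        set ssid "Guest"
        set security wpa2-only-personal
        set passphrase "REPLACE-WITH-PSK"      # placeholder
        set schedule "always"
        set vlanid 300                         # "Optional VLAN ID" (assumed CLI name)
    next
end

config system interface
    edit "Guest_vlan"                          # constructed name
        set vdom "root"
        set interface "Guest"                  # parent is the SSID interface
        set vlanid 300                         # must match the VAP vlanid
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping
        set dhcp-relay-service enable
        set dhcp-relay-ip "198.51.100.10"
    next
end

# Either design still needs a policy from the guest interface outward;
# "corp_uplink" is a placeholder for the L3 egress interface.
config firewall policy
    edit 0
        set name "guest-out"
        set srcintf "Guest_vlan"               # or "Guest" for Design A
        set dstintf "corp_uplink"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all                     # so sessions show up in the logs
    next
end
```

The quick check for the symptom in the opening post is whether the client's traffic ever reaches the interface that owns the IP and the DHCP relay: if the VLAN sub-interface sits under the wrong parent, or the VAP's VLAN ID and the sub-interface's VLAN ID disagree, the client authenticates fine but its DHCP discover never reaches the relay and it falls back to an APIPA address.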
