A valid reason not to broadcast an SSID

I never thought I would find a reason not to broadcast an SSID for a wireless network, but alas, I have.

Fortinet provides a number of wireless devices designed for remote deployment (in particular the FAP-11C, FAP-14C and FAP-28C). These devices connect back to your wireless controller over a remote network, such as one you would use in a hotel, and are intended to let travelling and remote staff use your corporate network as if they were in the office.

A handy feature of these devices is that they include multiple LAN ports (1, 4 and 8 respectively), which are particularly useful for VoIP phones and other network devices that you would rather not have on WiFi.

Unfortunately, Fortinet's software currently only allows these ports to be:

  1. Disconnected / None
  2. Bridged to the WAN Port
  3. NAT to the WAN Port
  4. Bridged to an SSID / Wireless Network

To work around this, and to prevent malicious users from connecting over wireless to what should be an internal network, bridge the LAN ports to an SSID that nobody can join. Note: this section assumes your SSID / network name is A_LAN_Network.
  • Create a local user group that doesn't contain any users, so nothing can authenticate to the SSID: Group-No-Access
  • Configure the SSID WiFi options: SSID-Interface-WiFi-Options
  • Hide the SSID. Unfortunately this option has been removed from the GUI in FortiOS 5.2, so use the following commands in the CLI:
    • config wireless-controller vap
      • edit A_LAN_Network
        • set broadcast-ssid disable
  • Apply the SSID to the LAN Port under the FortiAP Profile: FortiAP-Profile-WAN-Port
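The steps above as one FortiOS CLI script, added here as an example rather than taken from the original post. The object names are the ones used in this post, the profile name FAP11C-Remote is made up, the WPA2-Enterprise security mode is my assumption of how the empty group is applied to the SSID, and the key names follow FortiOS 5.2 syntax as I recall it, so check them against the CLI reference for the release you run.

```fortios
# Constructed example configuration, not the commands from the original post.

# 1. A local user group with no members: nothing can authenticate against it.
config user group
    edit "Group-No-Access"
    next
end

# 2. The SSID the LAN ports will be bridged to. It is not broadcast, and
#    authentication is tied to the empty group, so no wireless client can join.
#    (Security mode is an assumption; the post does not state which it used.)
config wireless-controller vap
    edit "A_LAN_Network"
        set ssid "A_LAN_Network"
        set broadcast-ssid disable
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroup "Group-No-Access"
    next
end

# 3. FortiAP profile for a FAP-11C (profile name is made up): bridge the single
#    LAN port to that SSID rather than to the WAN, matching option 4 above.
config wireless-controller wtp-profile
    edit "FAP11C-Remote"
        config platform
            set type 11C
        end
        config lan
            set port-mode bridge-to-ssid
            set port-ssid "A_LAN_Network"
        end
    next
end
```

On a FAP-28C the `config lan` block exposes per-port keys (port1-mode / port1-ssid through port8-mode / port8-ssid, as I recall) instead of the single port-mode / port-ssid pair, which is what lets each of its LAN ports sit on a different SSID.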

Pictured above are the FortiAP Profile options for a FAP-11C. Note that the FAP-14C puts all 4 LAN ports on the single selected option, whereas the FAP-28C allows each of its 8 LAN ports to be placed on a different SSID / network.