Wireless network examples


This chapter provides an example wireless network configuration.

  • Basic wireless network
  • A more complex example

 

Basic wireless network

This example uses automatic configuration to set up a basic wireless network. To configure this wireless network, you must:

  • Configure authentication for wireless users
  • Configure the SSID (WiFi network interface)
  • Add the SSID to the FortiAP Profile
  • Configure the firewall policy
  • Configure and connect FortiAP units

 

Configuring authentication for wireless users

You need to configure user accounts and add the users to a user group. This example shows only one account, but multiple accounts can be added as user group members.

 

To configure a WiFi user – web-based manager

1. Go to User & Device > User Definition and select Create New.

2. Select Local User and then click Next.

3. Enter a User Name and Password and then click Next.

4. Click Next.

5. Make sure that Enable is selected and then click Create.

 

To configure the WiFi user group – web-based manager

1. Go to User & Device > User Groups and select Create New.

2. Enter the following information and then select OK:

Name                                           wlan_users

Type                                            Firewall

Members                                    Add users.

 

To configure a WiFi user and the WiFi user group – CLI

config user user
    edit "user01"
        set type password
        set passwd "asdf12ghjk"
end
config user group
    edit "wlan_users"
        set member "user01"
end

 

Configuring the SSID

First, establish the SSID (network interface) for the network. This is independent of the number of physical access points that will be deployed. The network assigns IP addresses using DHCP.

 

To configure the SSID – web-based manager

1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.

2. Enter the following information and select OK:

 

Interface Name                                    example_wifi_if

 

Traffic Mode                                        Tunnel to Wireless Controller

 

IP/Network Mask                                 10.10.110.1/24

 

Administrative Access                       Ping (to assist with testing)

 

DHCP Server                                        Enable

 

Address Range           10.10.110.2 – 10.10.110.199

 

Netmask                       255.255.255.0

 

Default Gateway          Same As Interface IP

 

DNS Server                   Same as System DNS

 

SSID                                                      example_wifi

 

Security Mode                                     WPA2 Enterprise

 

Authentication                                     Local, select wlan_users user group.

 

Leave other settings at their default values.

 

 

To configure the SSID – CLI

config wireless-controller vap
    edit example_wifi_if
        set ssid "example_wifi"
        set broadcast-ssid enable
        set security wpa-enterprise
        set auth usergroup
        set usergroup wlan_users
        set schedule always
end
config system interface
    edit example_wifi_if
        set ip 10.10.110.1 255.255.255.0
end
config system dhcp server
    edit 0
        set default-gateway 10.10.110.1
        set dns-service default
        set interface "example_wifi_if"
        config ip-range
            edit 1
                set end-ip 10.10.110.199
                set start-ip 10.10.110.2
        end
        set netmask 255.255.255.0
end

 

Adding the SSID to the FortiAP Profile

The radio portion of the FortiAP configuration is contained in the FortiAP Profile. By default, there is a profile for each platform (FortiAP model). You can create additional profiles if needed. The SSID needs to be specified in the profile.

 

To add the SSID to the FortiAP Profile – web-based manager

1. Go to WiFi & Switch Controller > FortiAP Profiles and edit the profile for your model of FortiAP unit.

2. In Radio 1 and Radio 2, add example_wifi in SSID.

3. Select OK.

 

Configuring security policies

A security policy is needed to enable WiFi users to access the Internet on port1. First you create a firewall address for the WiFi network, then you create the example_wifi_if to port1 policy.

 

To create a firewall address for WiFi users – web-based manager

1. Go to Policy & Objects > Addresses.

2. Select Create New > Address, enter the following information and select OK.

 

Name                                           wlan_user_net

 

Type                                            IP/Netmask

 

Subnet / IP Range                     10.10.110.0/24

 

Interface                                     example_wifi_if

 

Show in Address List               Enabled

 

 

To create a firewall address for WiFi users – CLI

config firewall address
    edit "wlan_user_net"
        set associated-interface "example_wifi_if"
        set subnet 10.10.110.0 255.255.255.0
end

 

To create a security policy for WiFi users – web-based manager

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Enter the following information and select OK:

 

Incoming Interface                   example_wifi_if

 

Source Address                        wlan_user_net

 

Outgoing Interface                   port1

 

Destination Address                 All

 

Schedule                                    always

 

Service                                       ALL

 

Action                                         ACCEPT

 

NAT                                             ON. Select Use Destination Interface Address (default).

 

Leave other settings at their default values.

 

To create a firewall policy for WiFi users – CLI

config firewall policy
    edit 0
        set srcintf "example_wifi_if"
        set dstintf "port1"
        set srcaddr "wlan_user_net"
        set dstaddr "all"
        set schedule always
        set service ALL
        set action accept
        set nat enable
end

 

Connecting the FortiAP units

You need to connect each FortiAP unit to the FortiGate unit, wait for it to be recognized, and then assign it to the AP Profile. But first, you must configure the interface to which the FortiAP units connect and the DHCP server that assigns their IP addresses.

In this example, the FortiAP units connect to port 3 and are controlled through IP addresses on the 192.168.8.0/24 network.

 

To configure the interface for the AP unit – web-based manager

1. Go to Network > Interfaces and edit the port3 interface.

2. Set the Addressing mode to Dedicated to Extension Device and set the IP/Network Mask to 192.168.8.1/255.255.255.0.

3. Select OK.

This procedure automatically configures a DHCP server for the AP units.

 

To configure the interface for the AP unit – CLI

config system interface
    edit port3
        set mode static
        set ip 192.168.8.1 255.255.255.0
end

 

To configure the DHCP server for AP units – CLI

config system dhcp server
    edit 0
        set interface port3
        config exclude-range
            edit 1
                set end-ip 192.168.8.1
                set start-ip 192.168.8.1
        end
        config ip-range
            edit 1
                set end-ip 192.168.8.254
                set start-ip 192.168.8.2
        end
        set netmask 255.255.255.0
        set vci-match enable
        set vci-string "FortiAP"
end

 

To connect a FortiAP unit – web-based manager

1. Go to WiFi & Switch Controller > Managed FortiAPs.

2. Connect the FortiAP unit to port 3.

3. Periodically select Refresh while waiting for the FortiAP unit to be listed.

Recognition of the FortiAP unit can take up to two minutes.

If FortiAP units are connected but cannot be recognized, try disabling VCI-Match in the DHCP server settings.

4. When the FortiAP unit is listed, select the entry to edit it.

The Edit Managed Access Point window opens.

5. In State, select Authorize.

6. In FortiAP Profile, select the default profile for the FortiAP model.

7. Select OK.

8. Repeat Steps 2 through 8 for each FortiAP unit.

 

 

To connect a FortiAP unit – CLI

1. Connect the FortiAP unit to port 3.

2. Enter

config wireless-controller wtp

3. Wait 30 seconds, then enter get.

Retry the get command every 15 seconds or so until the unit is listed, like this:

== [ FAP22B3U10600118 ]

wtp-id: FAP22B3U10600118

4. Edit the discovered FortiAP unit like this:

edit FAP22B3U10600118
    set admin enable
end

5. Repeat Steps 2 through 4 for each FortiAP unit.

 

A more complex example

This example creates multiple networks and uses custom AP profiles.

 

Scenario

In this example, Example Co. provides two wireless networks, one for its employees and the other for customers or other guests of its business. Guest users have access only to the Internet, not to the company’s private network. The equipment for these WiFi networks consists of FortiAP-220B units controlled by a FortiGate unit.

The employee network operates in 802.11n mode on both the 2.4GHz and 5GHz bands. Client IP addresses are in the 10.10.120.0/24 subnet, with 10.10.120.1 the IP address of the WAP. The guest network also operates in 802.11n mode, but only on the 2.4GHz band. Client IP addresses are on the 10.10.115.0/24 subnet, with 10.10.115.1 the IP address of the WAP.

On FortiAP-220B units, the 802.11n mode also supports 802.11g and 802.11b clients on the 2.4GHz band and 802.11a clients on the 5GHz band.

The guest network WAP broadcasts its SSID, the employee network WAP does not.

The employees network uses WPA-Enterprise authentication through a FortiGate user group. The guest network features a captive portal. When a guest first tries to connect to the Internet, a login page requests logon credentials. Guests use numbered guest accounts authenticated by RADIUS. The captive portal for the guests includes a disclaimer page.

In this example, the FortiAP units connect to port 3 and are assigned addresses on the 192.168.8.0/24 subnet.

 

Configuration

To configure these wireless networks, you must:

  • Configure authentication for wireless users
  • Configure the SSIDs (network interfaces)
  • Configure the AP profile
  • Configure the WiFi LAN interface and a DHCP server
  • Configure firewall policies

 

Configuring authentication for employee wireless users

Employees have user accounts on the FortiGate unit. This example shows creation of one user account, but you can create multiple accounts and add them as members to the user group.

 

To configure a WiFi user – web-based manager

1. Go to User & Device > User Definition and select Create New.

2. Select Local User and then click Next.

3. Enter a User Name and Password and then click Next.

4. Click Next.

5. Make sure that Enable is selected and then click Create.

 

To configure the user group for employee access – web-based manager

1. Go to User & Device > User Groups and select Create New.

2. Enter the following information and then select OK:

 

Name                                           employee-group

 

Type                                            Firewall

 

Members                                    Add users.

 

 

To configure a WiFi user and the user group for employee access – CLI

config user user
    edit "user01"
        set type password
        set passwd "asdf12ghjk"
end
config user group
    edit "employee-group"
        set member "user01"
end

The user authentication setup will be complete when you select the employee-group in the SSID configuration.

 

Configuring authentication for guest wireless users

Guests are assigned temporary user accounts created on a RADIUS server. The RADIUS server stores each user’s group name in the Fortinet-Group-Name attribute. Wireless users are in the group named “wireless”.

The FortiGate unit must be configured to access the RADIUS server.

 

To configure the FortiGate unit to access the guest RADIUS server – web-based manager

1. Go to User & Device > RADIUS Servers and select Create New.

2. Enter the following information and select OK:

 

Name                                           guestRADIUS

 

Primary Server IP/Name           10.11.102.100

 

Primary Server Secret               grikfwpfdfg

 

Secondary Server IP/Name      Optional

 

Secondary Server Secret         Optional

 

Authentication Scheme            Use default, unless server requires otherwise.

 

Leave other settings at their default values.

 

 

 

To configure the FortiGate unit to access the guest RADIUS server – CLI

config user radius
    edit guestRADIUS
        set auth-type auto
        set server 10.11.102.100
        set secret grikfwpfdfg
end

 

To configure the user group for guest access – web-based manager

1. Go to User & Device > User Groups and select Create New.

2. Enter the following information and then select OK:

 

Name                                           guest-group

 

Type                                            Firewall

 

Members                                    Leave empty.

3. Select Create new.

4. Enter:

 

Remote Server                           Select guestRADIUS.

 

Groups                                       Select wireless

 

5. Select OK.

 

 

To configure the user group for guest access – CLI

config user group
    edit "guest-group"
        set member "guestRADIUS"
        config match
            edit 0
                set server-name "guestRADIUS"
                set group-name "wireless"
        end
end

The user authentication setup will be complete when you select the guest-group user group in the SSID configuration.

 

Configuring the SSIDs

First, establish the SSIDs (network interfaces) for the employee and guest networks. This is independent of the number of physical access points that will be deployed. Both networks assign IP addresses using DHCP.

 

To configure the employee SSID – web-based manager

1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.

2. Enter the following information and select OK:

 

Interface Name                          example_inc

 

Traffic Mode                              Tunnel to Wireless Controller

 

IP/Netmask                                 10.10.120.1/24

 

Administrative Access             Ping (to assist with testing)

 

Enable DHCP                             Enable

 

Address Range                       10.10.120.2 – 10.10.120.199

 

Netmask                                   255.255.255.0

 

Default Gateway                      Same As Interface IP

 

DNS Server                              Same as System DNS

 

SSID                                            example_inc

 

Security Mode                           WPA/WPA2-Enterprise

 

Authentication                           Select Local, then select employee-group.

 

Leave other settings at their default values.

 

 

To configure the employee SSID – CLI

config wireless-controller vap
    edit example_inc
        set ssid "example_inc"
        set security wpa-enterprise
        set auth usergroup
        set usergroup employee-group
        set schedule always
end
config system interface
    edit example_inc
        set ip 10.10.120.1 255.255.255.0
end
config system dhcp server
    edit 0
        set default-gateway 10.10.120.1
        set dns-service default
        set interface example_inc
        config ip-range
            edit 1
                set end-ip 10.10.120.199
                set start-ip 10.10.120.2
        end
        set lease-time 7200
        set netmask 255.255.255.0
end

 

 

To configure the example_guest SSID – web-based manager

1. Go to WiFi & Switch Controller > SSID and select Create New.

2. Enter the following information and select OK:

 

Name                                           example_guest

 

IP/Netmask                                 10.10.115.1/24

 

Administrative Access             Ping (to assist with testing)

 

Enable DHCP                             Enable

 

Address Range                       10.10.115.2 – 10.10.115.50

 

Netmask                                   255.255.255.0

 

Default Gateway                      Same as Interface IP

 

DNS Server                              Same as System DNS

 

SSID                                            example_guest

 

Security Mode                           Captive Portal

 

Portal Type                                Authentication

 

Authentication Portal               Local

 

User Groups                              Select guest-group

 

Leave other settings at their default values.

 

 

To configure the example_guest SSID – CLI

config wireless-controller vap
    edit example_guest
        set ssid "example_guest"
        set security captive-portal
        set selected-usergroups guest-group
        set schedule always
end
config system interface
    edit example_guest
        set ip 10.10.115.1 255.255.255.0
end
config system dhcp server
    edit 0
        set default-gateway 10.10.115.1
        set dns-service default
        set interface "example_guest"
        config ip-range
            edit 1
                set end-ip 10.10.115.50
                set start-ip 10.10.115.2
        end
        set lease-time 7200
        set netmask 255.255.255.0
end

 

Configuring the FortiAP profile

The FortiAP Profile defines the radio settings for the networks. The profile provides access to both Radio 1 (2.4GHz) and Radio 2 (5GHz) for the employee virtual AP, but provides access only to Radio 1 for the guest virtual AP.

 

To configure the FortiAP Profile – web-based manager

1. Go to WiFi & Switch Controller > FortiAP Profiles and select Create New.

2. Enter the following information and select OK:

 

Name                                           example_AP

 

Platform                                      FAP220B

 

Radio 1

 

Mode                                        Access Point

 

Band                                         802.11n

 

Channel                                    Select 1, 6, and 11.

 

Tx Power                                  100%

 

SSID                                          Select SSIDs and select example_inc and example_guest.

 

Radio 2

 

Mode                                        Access Point

 

Band                                         802.11n_5G

 

Channel                                    Select all.

 

Tx Power                                  100%

 

SSID                                          Select SSIDs and select example_inc.

 

 

To configure the AP Profile – CLI

config wireless-controller wtp-profile
    edit "example_AP"
        config platform
            set type 220B
        end
        config radio-1
            set ap-bgscan enable
            set band 802.11n
            set channel "1" "6" "11"
            set vaps "example_inc" "example_guest"
        end
        config radio-2
            set ap-bgscan enable
            set band 802.11n-5G
            set channel "36" "40" "44" "48" "149" "153" "157" "161" "165"
            set vaps "example_inc"
        end
end

 

Configuring firewall policies

Identity-based firewall policies are needed to enable the WLAN users to access the Internet on Port1. First you create firewall addresses for employee and guest users, then you create the firewall policies.

 

To create firewall addresses for employee and guest WiFi users

1. Go to Policy & Objects > Addresses.

2. Select Create New, enter the following information and select OK.

 

Address Name                           employee-wifi-net

 

Type                                            Subnet / IP Range

 

Subnet / IP Range                     10.10.120.0/24

 

Interface                                     example_inc

 

 

3. Select Create New, enter the following information and select OK.

 

Address Name                           guest-wifi-net

 

Type                                            Subnet / IP Range

 

Subnet / IP Range                     10.10.115.0/24

 

Interface                                     example_guest

 

 

To create firewall policies for employee WiFi users – web-based manager

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Enter the following information and select OK:

 

Incoming Interface                   example_inc

 

Source Address                        employee-wifi-net

 

Outgoing Interface                   port1

 

Destination Address                 all

 

Schedule                                    always

 

Service                                       ALL

 

Action                                         ACCEPT

 

NAT                                             Enable NAT

3. Optionally, select security profile for wireless users.

4. Select OK.

5. Repeat steps 1 through 4, but select Internal as the Destination Interface/Zone to provide access to the ExampleCo private network.

 

 

To create firewall policies for employee WiFi users – CLI

config firewall policy
    edit 0
        set srcintf "example_inc"
        set dstintf "port1"
        set srcaddr "employee-wifi-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set srcintf "example_inc"
        set dstintf "internal"
        set srcaddr "employee-wifi-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
end

 

To create a firewall policy for guest WiFi users – web-based manager

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Enter the following information and select OK:

 

Incoming Interface                   example_guest

 

Source Address                        guest-wifi-net

 

Outgoing Interface                   port1

 

Destination Address                 all

 

Schedule                                    always

 

Service                                       ALL

 

Action                                         ACCEPT

 

NAT                                             Enable NAT

3. Optionally, select UTM and set up UTM features for wireless users.

4. Select OK.

 

 

To create a firewall policy for guest WiFi users – CLI

config firewall policy
    edit 0
        set srcintf "example_guest"
        set dstintf "port1"
        set srcaddr "guest-wifi-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
end
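
The scenario requires that guest users reach only the Internet, and every policy must name an SSID interface exactly as it was created. The following Python script is an added example, not part of the original guide or of any Fortinet tool: it parses CLI-style configuration text and reports policies that reference an undefined interface or that allow a guest SSID into the private network. The function names, the sample configuration, and the list of physical interfaces passed to the audit are assumptions made for illustration.

```python
import shlex

def parse_fortios(text):
    """Parse config/edit/set/next/end text into {section: {entry: {key: [values]}}}."""
    tables, stack = {}, []            # stack items: [config path, current edit name]
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        cmd, args = tok[0], tok[1:]
        if cmd == "config":
            stack.append([" ".join(args), None])
        elif cmd == "edit" and stack and args:
            name = args[0]
            if len(stack) == 1:       # nested blocks (ip-range etc.) are not stored
                table = tables.setdefault(stack[0][0], {})
                if name == "0":       # "edit 0" asks for a new entry
                    name = f"new-{len(table) + 1}"
                table[name] = {}
            stack[-1][1] = name
        elif cmd == "set" and args and len(stack) == 1 and stack[0][1]:
            tables[stack[0][0]][stack[0][1]][args[0]] = args[1:]
        elif cmd == "next" and stack:
            stack[-1][1] = None
        elif cmd == "end" and stack:  # closes the innermost config, with or without "next"
            stack.pop()
    return tables

def audit_policies(text, guest_ifaces, private_ifaces, physical_ifaces):
    """Return (policy, finding, interface) tuples for risky or broken policies."""
    cfg = parse_fortios(text)
    defined = set(cfg.get("wireless-controller vap", {})) | set(physical_ifaces)
    findings = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        src, dst = pol.get("srcintf", []), pol.get("dstintf", [])
        for name in src + dst:
            if name not in defined:   # policy references an interface that does not exist
                findings.append((pid, "undefined-interface", name))
        to_private = set(dst) & set(private_ifaces)
        if pol.get("action") == ["accept"] and set(src) & set(guest_ifaces) and to_private:
            findings.append((pid, "guest-to-private", sorted(to_private)[0]))
    return findings

# Constructed sample: a correct guest policy, a mistyped SSID interface, a guest-to-internal policy.
SAMPLE = """
config wireless-controller vap
    edit example_inc
    next
    edit example_guest
    next
end
config firewall policy
    edit 0
        set srcintf "example_guest"
        set dstintf "port1"
        set action accept
    next
    edit 0
        set srcintf "exmaple_inc"
        set dstintf "port1"
        set action accept
    next
    edit 0
        set srcintf "example_guest"
        set dstintf "internal"
        set action accept
    next
end
"""

if __name__ == "__main__":
    print(audit_policies(SAMPLE, ["example_guest"], ["internal"], ["port1", "port3", "internal"]))
```
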

 

Connecting the FortiAP units

You need to connect each FortiAP-220A unit to the FortiGate unit, wait for it to be recognized, and then assign it to the AP Profile. But first, you must configure the interface to which the FortiAP units connect and the DHCP server that assigns their IP addresses.

In this example, the FortiAP units connect to port 3 and are controlled through IP addresses on the 192.168.8.0/24 network.

 

To configure the interface for the AP unit – web-based manager

1. Go to Network > Interfaces and edit the port3 interface.

2. Set the Addressing mode to Dedicated to Extension Device and set the IP/Netmask to 192.168.8.1/255.255.255.0.

This step automatically configures a DHCP server for the AP units.

3. Select OK.

 

 

To configure the interface for the AP unit – CLI

config system interface
    edit port3
        set mode static
        set ip 192.168.8.1 255.255.255.0
end

 

To configure the DHCP server for AP units – CLI

config system dhcp server
    edit 0
        set interface port3
        config ip-range
            edit 1
                set end-ip 192.168.8.9
                set start-ip 192.168.8.2
        end
        set netmask 255.255.255.0
        set vci-match enable
        set vci-string "FortiAP"
end

 

To connect a FortiAP-220A unit – web-based manager

1. Go to WiFi & Switch Controller > Managed FortiAPs.

2. Connect the FortiAP unit to port 3.

3. Periodically select Refresh while waiting for the FortiAP unit to be listed.

Recognition of the FortiAP unit can take up to two minutes.

If there is persistent difficulty recognizing FortiAP units, try disabling VCI-Match in the DHCP server settings.

4. When the FortiAP unit is listed, select the entry to edit it.

The Edit Managed Access Point window opens.

5. In State, select Authorize.

6. In the AP Profile, select [Change] and then select the example_AP profile.

7. Select OK.

8. Repeat Steps 2 through 8 for each FortiAP unit.

 

 

To connect a FortiAP-220A unit – CLI

1. Connect the FortiAP unit to port 3.

2. Enter:

config wireless-controller wtp

3. Wait 30 seconds, then enter get.

Retry the get command every 15 seconds or so until the unit is listed, like this:

== [ FAP22A3U10600118 ]

wtp-id: FAP22A3U10600118

4. Edit the discovered FortiAP unit like this:

edit FAP22A3U10600118
    set admin enable
    set wtp-profile example_AP
end

5. Repeat Steps 2 through 4 for each FortiAP unit.

 

