Configure a Security Profile With the CLI
The controller supports the ability to define multiple Security Profiles that can be assigned to different wireless LAN extended service sets (ESS) according to the level and type of security required. A Security Profile is a list of parameters that define how security is handled within an ESS. With Security Profiles, you can define the Layer 2 security method, including the cipher suite, primary and secondary RADIUS server, static WEP key entries and key index position, and other parameters. The various Security Profiles you create allow you to support multiple authentication and encryption methods within the same WLAN infrastructure.
The controller is shipped with OPEN authentication, meaning that there is no authentication, and that any wireless client can connect to the controller. These setting are defined in the default Security Profile named default.
You can view the default Security Profile using the show security-profile default command.
default# show security-profile default
Security Profile Table
Security Profile Name : default
L2 Modes Allowed : clear
Data Encrypt : none
Primary RADIUS Profile Name :
Secondary RADIUS Profile Name :
WEP Key (Alphanumeric/Hexadecimal) : *****
Static WEP Key Index : 1
Re‐Key Period (seconds) : 0
Captive Portal : disabled
802.1X Network Initiation : off
Tunnel Termination : PEAP, TTLS
Shared Key Authentication : off
Pre‐shared Key (Alphanumeric/Hexadecimal) : *****
Group Keying Interval (seconds) : 0
PMK Caching : disabled
Key Rotation : disabled
Reauthentication : off MAC Filtering : off
Firewall Capability : none
Firewall Filter ID :
Security Logging : off
Passthrough Firewall Filter ID) :
The default Security Profile is configured to allow “clear” Layer 2 access with no authentication method, encryption, or cipher suite specified.
The Tunnel Termination is configured separately for PEAP and TTLS.
Configure 802.1X RADIUS Security With the CLI
To allow WLAN access to your site’s 802.1X authorized and authenticated users, set up 802.1X RADIUS authentication. To do this:
- Create a global RADIUS Server Profile that specifies how to communicate with the primary RADIUS server in your network. If an optional secondary RADIUS server is to be used, a separate profile is also created for it.
- Create a Security Profile for the ESS that configures 802.1X Layer 2 security and assigns a primary RADIUS profile and optional secondary RADIUS profile
Refer to your RADIUS server documentation regarding how to configure the type of EAP protocol for your site and the procedure for installing any necessary certificates. The actual RADIUS server configuration is not covered here, only the configuration for enabling the communication between the RADIUS server and the controller is described.
The following commands set up a profile for the primary RADIUS server, main-auth, that specify the server’s IP address and secret key. All other default parameters (such as the port number (1812)) are acceptable, and not changed:
default# configure terminal default(config)# radius‐profile main‐auth default(config‐radius)# ip-address 10.1.100.10 default(config‐radius)# key secure-secret default(config‐radius)# exit
For additional reliability, configure a secondary RADIUS Server Profile to serve as a backup should the primary server become unavailable.
default# configure terminal default(config)# radius‐profile backup‐auth default(config‐radius)# ip-address 10.1.100.2 default(config‐radius)# key secure-secret2 default(config‐radius)# exit
Next, create the Security Profile that enables 802.1X and points to the profiles that describe the RADIUS primary and secondary servers.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!