FortiWLC – Configure a Security Profile With the Web UI

Configure a Security Profile With the Web UI

To configure Security Profile parameters, follow these steps:

  1. Click Configuration > Security > Profile.
  2. In the Security Profile Name box, type the name of the security profile. The name can be up to 32 alphanumeric characters long and cannot contain spaces.
  3. In the L2 Modes Allowed area, select one of the following Layer 2 security modes: Clear: The WLAN does not require authentication or encryption, and the WLAN does not secure client traffic. This is the default setting.
    • 1X: Can provide 802.1X authentication and WEP64 or WEP128 encryption.
    • Static WEP keys: Requires that stations use a WEP key (see step 6).
    • WPA2: Requires 802.1x RADIUS server authentication with one of the EAP types (see step 4 to select a pre-configured RADIUS server profile). For more information, see “WiFi Protected Access (WPA2)” on page 220. WPA2 PSK: Uses the CCMP-AES encryption protocol and requires a pre-shared key (see step 12 to enter the pre-shared key).
    • WPA2-TKIP
    • MIXED: Allows WPA2 clients using a single security profile.
    • MIXED PSK: Allows pre-shared key clients to use a single security profile.
    • WAI: Uses the WPI-SMS4 encryption protocol. WAI PSK: Uses the WPI-SMS4 encryption protocol and requires a shared key.
  4. In the Data Encrypt area, select one of the following (available choices are determined by the L2 Mode selected):
    • Clear: The WLAN does not require encryption.
    • WEP64: A 64-bit WEP key is used to encrypt packets. For more information, see “WEP Security Features” on page 220.
    • WEP128: A 128-bit WEP key is used to encrypt packets. For more information, see “WEP Security Features” on page 220. CCMP-AES: A 128-bit block key is used to encrypt packets with WPA2. For more information, see “CCMP-AES” on page 220.
    • WPI-SMS4: Encryption algorithm used with WAI and WAI PSK.

Configure a Security Profile With the Web UI

If you select WEP64 or WEP128, you need to specify a WEP key, as described in step 6. If you specify CCMP-AES for WPA2-PSK, a pre-shared key must be set, as described in step 12.

  1. From the Primary RADIUS Profile Name list, select one of the configured RADIUS Server Profiles for use as the primary server or select the No RADIUS option. If no RADIUS

Server Profiles have been configured, the selectable list is unavailable and the text “No Data for Primary RADIUS Profile Name” displays. To configure a RADIUS Server Profile, click Configuration > Security > RADIUS.

  1. From the Secondary RADIUS Profile Name list, select one of the configured RADIUS Server Profiles for use as the secondary server or select the No RADIUS option. If no RADIUS Server Profiles have been configured, the selectable list is unavailable and the text “No Data for Primary RADIUS Profile Name” displays. To configure a RADIUS server profile, click Configuration > Security > RADIUS.
  2. In the WEP Key box, specify a WEP key. If you selected Static WEP Keys in step 2, you need to specify a WEP key in hexadecimal or text string format.

A WEP64 key must be 5 octets long, which you can specify as 10 hexadecimal digits (the hexadecimal string must be preceded with 0x) or 5 printable alphanumeric characters (the ! character cannot be used). For example, 0x619B947A3D is a valid hexadecimal value, and wpass is a valid alphanumeric string.

A WEP128 key must be 13 octets long, which you can specify as 26 hexadecimal digits (the hexadecimal string must be preceded with 0x) or 13 printable alphanumeric characters (the ! character cannot be used). For example, 0xB58CE2C2C75D73B298A36CDA6A is a valid hexadecimal value, and mypass8Word71 is a valid alphanumeric string.

  1. In the Static WEP Key Index box, type the index number to be used with the WEP key for encryption and decryption. A station can have up to four static WEP keys configured. The static WEP key index must be an integer between 1 through 4 (although internal mapping is performed to handle wireless clients that use 0 through 3 assignments).
  2. In the Re-Key Period box, type the duration that the key is valid. Specify a value from 0 to 65,535 seconds. The default re-key value is zero (0). Specifying 0 indicates that re-keying is disabled, which means that the key is valid for the entire session, regardless of the duration.

10.In the BKSA Caching Period (seconds), the duration that the key is valid. Specify a value from 0 to 65,535 seconds. The default value is 43200.

11.In the Captive Portal list, select one of the following:

  • Disabled: Disables Captive Portal.
  • WebAuth: Enables a WebAuth Captive Portal. This feature can be set for all L2 Mode selections.

12.If you want to use a third-party Captive Portal solution from a company such as Bradford,

Avenda, or CloudPath change the value for Captive Portal Authentication Method to

Configure a Security Profile With the Web UI

external. For more information, see Captive Portal (CP) Authentication for Wired Clients.

13.To use 802.1X, select one of the following in the 802.1X Network Initiation list: On: The controller initiates 802.1X authentication by sending an EAP-REQUEST packet to the client. By default, this feature is enabled.

  • Off: The client sends an EAP-START packet to the controller to initiate 802.1X authentication. If you select this option, the controller cannot initiate 802.1X authentication.

14.Tunnel Termination: Tunnel-Termination is provided by IOSCLI and Controller GUI, to perform configuration on per-security profile basis. Select one of the following in the Tunnel Termination list:

  • PEAP: PEAP (Protected Extensible Authentication Protocol) is a version of EAP, the authentication protocol used in wireless networks and Point-to-Point connections. It is designed to provide more secure authentication for 802.11 WLANs (wireless local area networks) that support 802.1X port access control. It authenticates the server with a public key certificate and carries the authentication in a secure Transport Layer Security (TLS)
  • TTLS: TTLS (Tunneled Transport Layer Security) is a proposed wireless security protocol.

Note that when Tunnel Termination is enabled, Fortinet’s default certificate is used. In this case, the certificate must be “trusted” on the wireless client end in order for authentication to be successful. Refer to Security Certificates for details on how to import a certificate.

15.If the Static WEP Key mode is used, in the Shared Key Authentication list, select one of the following:

  • On: Allows 802.1X shared key authentication. Off: Uses Open authentication. By default, this feature is off.

16.In the Pre-shared Key text box, enter the key if WPA2-PSK was selected in step 2 above. The key can be from 8 to 63 ASCII characters or 64 hex characters (hex keys must use the prefix “0x” or the key will not work).

17.In the Group Keying Interval text box, enter the time in seconds for the interval before a new group key is distributed.

18.In PMK Caching, select On or Off.

19.In the Key Rotation drop-down list, select whether to enable or disable this feature.

20.The timeout value for Backend Authentication Server Timeout can be 1-65535 seconds.  Configure a Security Profile With the Web UI

21.For Re-authentication, select one of the following: On: Causes the controller to honor and enforce the “Session-timeout” RADIUS attribute that may be present in a RADIUS Access-Accept packet. A customer would use this option if the Session-timeout attribute is used to require stations to re-authenticate to the network (802.1X) at a specified period. If “Session-timeout” is not used, there is no reason to enable re-authentication.

  • Off: Disables re-authentication for this security profile.

22.In the MAC Filtering list, select one of the following:

  • On: Enables MAC Filtering for this security profile. Off: Disables MAC Filtering for this security profile.

23.In the MAC Auth Primary RADIUS Profile Name list, select the name of a previously configured authentication server profile.

24.In the MAC Auth Secondary RADIUS Profile Name list, select the name of a previously configured authentication server profile.

25.In the MAC Accounting Primary RADIUS Profile Name list, select the name of a previously configured RADIUS accounting server profile or the No RADIUS option.

26.In the MAC Accounting Secondary RADIUS Profile Name list, select the name of a previously configured RADIUS accounting server profile or the No RADIUS option.

27.In the Firewall Capability drop-down list, select one of the following: Configured: The controller defines the policy through configuration of the Firewall filterid.

  • RADIUS-configured: The RADIUS server provides the policy after successful 802.1X authentication of the user. This option requires the RADIUS server have the filter-id configured. If this is not configured, the firewall capability is not guaranteed.
  • None: Disables the Firewall Capability for this security profile.

28.In the Firewall Filter ID text box, enter the firewall filter-id that is used for this security profile. The filter-id is an alphanumeric value that defines the firewall policy to be used on the controller, when the firewall capability is set to configured. For example, 1.

29.In the Security Logging drop-down list, select one of the following:

  • On: Enables logging of security-related messages for this security profile.
  • Off: Disables logging of security-related messages for this security profile

30.In the Passthrough Firewall Filter ID text box, enter a firewall filter ID that was created using Configuration > QoS > System Settings > QoS and Firewall Rules > Add. The filter ID is an alphanumeric value that defines the firewall policy to be used on the controller for a Captive Portal-enabled client that has no authentication.

31.Click OK.

Configure a Security Profile With the Web UI

Wi-Fi Protected Access (WPA2)

Fortinet Wireless LAN System supports both WPA2 and 802.1x protocols that have been presented by the Wi-Fi Alliance as interim security standards that improve upon the known vulnerabilities of WEP until the release of the 802.11i standard.

In WPA2, the WPA Message Integrity Code (MIC) algorithm is replaced by a message authentication code, CCMP, that is considered fully secure and the RC4 cipher is replaced by the Advanced Encryption Standard (AES), as described in “CCMP-AES” on page 220.

If 802.1X authentication is not available (in a SOHO, for example), WPA2-Personal can be implemented as alternatives and provide for manual key distribution between APs and clients.

To achieve a truly secure WPA2 implementation, the installation must be “pure,” that is, all APs and client devices are running WPA2-Enterprise. Implement this for Wireless LAN System with an ESS that uses a Security Profile that configures WPA2, leverages the site’s 802.1X user authentication and includes TKIP or CCMP encryption. Once associated with this profile, users and enterprises can be assured of a high level of data protection.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiWLC on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.