FortiAP Management – Deploying WPA2-Enterprise SSID to FortiAP units

Deploying WPA2-Enterprise SSID to FortiAP units

This guide provides simple configuration instructions for deploying a WPA2-Enterprise SSID with FortiAP. The steps include creating the SSID (authenticated against a RADIUS server, either directly or through a user group), selecting the SSID on the FortiAP, and creating a firewall policy from the SSID to the Internet.

The following shows a simple network topology for this recipe:

To deploy a WPA2-Enterprise SSID to FortiAP units on the FortiOS GUI:

  1. Create an SSID as WPA2-Enterprise. Do one of the following:
     • Create an SSID as WPA2-Enterprise with authentication from a RADIUS server:
       a. Create a RADIUS server:
          i. Go to User & Device > RADIUS Servers, then click Create New.
          ii. Enter a server name.
          iii. In the Primary Server > IP/Name field, enter the IP address or server name.
          iv. In the Primary Server > Secret field, enter the secret key.
          v. Click Test Connectivity to verify the connection with the RADIUS server.
          vi. Click Test User Credentials to verify that a user account can be authenticated with the RADIUS server.
          vii. Click OK.
       b. Create a WPA2-Enterprise SSID:
          i. Go to WiFi & Switch Controller > SSID, select SSID, then click Create New.
          ii. Enter the desired interface name. For Traffic mode, select Tunnel.
          iii. In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default. You can modify the DHCP IP address range manually.
          iv. In the SSID field, enter the desired SSID name. For Security, select WPA2 Enterprise.
          v. In the Authentication field, select RADIUS Server. From the dropdown list, select the RADIUS server created in step a.
          vi. Click OK.
     • Create an SSID as WPA2-Enterprise with authentication from a user group (this requires a RADIUS server object to exist already, created as in step a above):
       a. Create a user group:
          i. Go to User & Device > User Groups, then click Create New.
          ii. Enter the desired group name. For Type, select Firewall.
          iii. For Remote Groups, click the + button. In the dropdown list, select the desired RADIUS server. Click OK.
          iv. Click OK.
       b. Create a WPA2-Enterprise SSID:
          i. Go to WiFi & Switch Controller > SSID, select SSID, then click Create New.
          ii. Enter the desired interface name. For Traffic mode, select Tunnel.
          iii. In the Address > IP/Network Mask field, enter the IP address. DHCP Server is enabled by default. You can modify the DHCP IP address range manually.
          iv. In the SSID field, enter the desired SSID name. For Security, select WPA2 Enterprise.
          v. In the Authentication field, select Local. From the User Groups dropdown list, select the user group created in step a. (This is the GUI equivalent of set auth usergroup in the CLI steps below.)
          vi. Click OK.
  2. Select the SSID on a managed FortiAP. The following configuration is based on an example using a managed FortiAP-320C and a "FAP320C-default" profile that is applied to the FortiAP-320C. Do one of the following:
     • Select the SSID by editing the FortiAP:
       a. Go to WiFi & Switch Controller > Managed FortiAPs. Select the FortiAP-320C and click Edit.
       b. Ensure that Managed AP Status is Connected.
       c. Under WiFi Settings, ensure that the configured FortiAP profile is the desired profile, in this case FAP320C-default. Click Edit entry.
       d. To broadcast the SSID from the 2.4 GHz radio, scroll to Radio 1 > SSIDs. Select Manual, then click + and select the WPA2-Enterprise SSID created in step 1.
       e. To broadcast the SSID from the 5 GHz radio, scroll to Radio 2 > SSIDs. Select Manual, then click + and select the same SSID.
       f. Click OK.
     • Select the SSID by editing the FortiAP profile:
       a. Go to WiFi & Switch Controller > FortiAP Profile. Select the FAP320C-default profile, then click Edit.
       b. To broadcast the SSID from the 2.4 GHz radio, scroll to Radio 1 > SSIDs. Select Manual, then click + and select the WPA2-Enterprise SSID created in step 1.
       c. To broadcast the SSID from the 5 GHz radio, scroll to Radio 2 > SSIDs. Select Manual, then click + and select the same SSID.
       d. Click OK.
  3. Create the SSID-to-Internet firewall policy:
     a. Go to Policy & Objects > IPv4 Policy, then click Create New.
     b. Enter the desired policy name.
     c. From the Incoming Interface dropdown list, select the SSID interface, such as wifi-vap.
     d. From the Outgoing Interface dropdown list, select the destination interface, such as wan1.
     e. In the Source and Destination fields, select all. In the Service field, select ALL. If desired, you can configure different values for these fields.
     f. Click OK.
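The Test Connectivity and Test User Credentials buttons in step 1 send a RADIUS Access-Request to the server and check the reply. The following Python script is an added editorial example, not code from the original recipe or from FortiOS: it performs that exchange in-process so the packet layout and the role of the shared secret can be inspected offline. Both sides are simulated, build_access_request() and check_response() playing the FortiGate and radius_server_respond() playing a minimal RADIUS server with a constructed user table. The user name, password, NAS-IP-Address value and the user table are assumptions; the secret fortinet is the recipe's sample value. Real WPA2-Enterprise clients authenticate with EAP carried in EAP-Message attributes rather than with a PAP password, so this shows the credential-test path, not the 802.1X path.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used here (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

# Constructed user table for the simulated server (assumption, not from the recipe)
USERS = {"wifi-user": "Password1!"}


def _pack_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def _unpack_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def encrypt_password(password, secret, req_auth):
    """RFC 2865 5.2 User-Password hiding: 16-byte blocks XORed with a chained MD5 stream."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)          # pad to a multiple of 16 with NULs
    out, prev = b"", req_auth
    for i in range(0, len(p), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out, prev = out + c, c
    return out


def decrypt_password(blob, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(blob), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(blob[i:i + 16], b))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00").decode("utf-8", "replace")


def build_access_request(ident, username, password, secret, nas_ip="10.10.80.1"):
    """FortiGate side: Access-Request with a fresh random Request Authenticator (nas_ip is an assumption)."""
    req_auth = os.urandom(16)
    attrs = _pack_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, encrypt_password(password, secret, req_auth)),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def radius_server_respond(packet, secret, users):
    """Simulated server: recover the PAP password, look the user up, sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = dict(_unpack_attrs(packet[20:length]))
    user = attrs[ATTR_USER_NAME].decode("utf-8", "replace")
    password = decrypt_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if users.get(user) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)    # no reply attributes
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + secret).digest()
    return header + resp_auth


def check_response(resp, req_auth, ident, secret):
    """FortiGate side: verify the reply was signed with OUR secret before trusting its code."""
    code, rid, length = struct.unpack("!BBH", resp[:4])
    if rid != ident or length != len(resp) or length < 20:
        return "invalid"
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:length] + secret).digest()
    if not hmac.compare_digest(expected, resp[4:20]):
        return "bad-authenticator"          # wrong shared secret or forged reply
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "invalid")


def run_credential_test(username, password, client_secret, server_secret, users=USERS):
    """One request/response round trip in-process; returns accept, reject, bad-authenticator or invalid."""
    ident = 0x2A
    request, req_auth = build_access_request(ident, username, password, client_secret)
    response = radius_server_respond(request, server_secret, users)
    return check_response(response, req_auth, ident, client_secret)


if __name__ == "__main__":
    print(run_credential_test("wifi-user", "Password1!", b"fortinet", b"fortinet"))   # accept
    print(run_credential_test("wifi-user", "wrong", b"fortinet", b"fortinet"))        # reject
    print(run_credential_test("wifi-user", "Password1!", b"fortinet", b"mismatch"))   # bad-authenticator
```

The point to take from the third case is that the client checks the Response Authenticator before it looks at the reply code: a reply produced with a different secret (or forged by someone who does not know it) is discarded rather than read as a reject, which is why a secret mismatch and a wrong password are distinguishable from the FortiGate side. The shared secret is also the only thing hiding the password in transit, so the recipe's sample value fortinet should be replaced with a long random string in a real deployment.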

To deploy a WPA2-Enterprise SSID to FortiAP units using the FortiOS CLI:

  1. Create a RADIUS server:

     config user radius
         edit "wifi-radius"
             set server "172.16.200.55"
             set secret fortinet
         next
     end

     The secret fortinet is a sample value for this recipe; the shared secret is what authenticates the RADIUS exchange and hides user passwords in it, so use a long random string in production.

  2. Create a user group (only needed for the user-group variant of the SSID in step 3):

     config user group
         edit "group-radius"
             set member "wifi-radius"
         next
     end

  3. Create a WPA2-Enterprise SSID. Do one of the following:
     a. Create an SSID with authentication from the RADIUS server:

        config wireless-controller vap
            edit "wifi-vap"
                set ssid "Fortinet-Ent-Radius"
                set security wpa2-only-enterprise
                set auth radius
                set radius-server "wifi-radius"
            next
        end

     b. Create an SSID with authentication from the user group:

        config wireless-controller vap
            edit "wifi-vap"
                set ssid "Fortinet-Ent-Radius"
                set security wpa2-only-enterprise
                set auth usergroup
                set usergroup "group-radius"
            next
        end

  4. Configure an IP address and enable DHCP:

     config system interface
         edit "wifi-vap"
             set ip 10.10.80.1 255.255.255.0
         next
     end
     config system dhcp server
         edit 1
             set dns-service default
             set default-gateway 10.10.80.1
             set netmask 255.255.255.0
             set interface "wifi-vap"
             config ip-range
                 edit 1
                     set start-ip 10.10.80.2
                     set end-ip 10.10.80.254
                 next
             end
             set timezone-option default
         next
     end

  5. Select the SSID on a managed FortiAP. The following configuration is based on an example using a managed FortiAP-320C and a "FAP320C-default" profile that is applied to the FortiAP-320C:

     config wireless-controller wtp
         edit "FP320C3X14000640"
             set admin enable
             set wtp-profile "FAP320C-default"
         next
     end
     config wireless-controller wtp-profile
         edit "FAP320C-default"
             config radio-1
                 set vap-all disable
                 set vaps "wifi-vap"
             end
             config radio-2
                 set vap-all disable
                 set vaps "wifi-vap"
             end
         next
     end

  6. Create the SSID-to-Internet firewall policy:

     config firewall policy
         edit 1
             set name "WiFi to Internet"
             set srcintf "wifi-vap"
             set dstintf "wan1"
             set srcaddr "all"
             set dstaddr "all"
             set action accept
             set schedule "always"
             set service "ALL"
             set fsso disable
             set nat enable
         next
     end
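Once the CLI configuration is in place, a practitioner usually wants to confirm that the pieces reference each other correctly (the VAP points at a defined RADIUS server or user group, the group has a RADIUS member, the SSID is actually bound to a radio in the applied profile) and that nothing weak slipped in. The following Python script is an added editorial example, not code from the original page or from FortiOS: it parses FortiOS CLI text of the kind shown above into nested dictionaries and runs those checks over it. SAMPLE_CONFIG is constructed from the recipe's own commands plus a second, deliberately broken VAP (wifi-vap2) so that the findings are visible; the set of security modes accepted as enterprise and the 16-character minimum for the shared secret are editorial choices, not FortiOS rules.

```python
import shlex

# Constructed input: the recipe's own CLI blocks plus a deliberately broken second VAP
# (wifi-vap2, undefined user group, bound to no radio) so the audit has something to report.
SAMPLE_CONFIG = """\
config user radius
    edit "wifi-radius"
        set server "172.16.200.55"
        set secret fortinet
    next
end
config user group
    edit "group-radius"
        set member "wifi-radius"
    next
end
config wireless-controller vap
    edit "wifi-vap"
        set ssid "Fortinet-Ent-Radius"
        set security wpa2-only-enterprise
        set auth radius
        set radius-server "wifi-radius"
    next
    edit "wifi-vap2"
        set ssid "Fortinet-Ent-Group"
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroup "group-missing"
    next
end
config wireless-controller wtp-profile
    edit "FAP320C-default"
        config radio-1
            set vap-all disable
            set vaps "wifi-vap"
        end
    next
end
"""

# Security modes this audit accepts as 802.1X/enterprise (editorial choice, not a FortiOS list)
ENTERPRISE_MODES = {"wpa2-only-enterprise", "wpa3-enterprise"}
MIN_SECRET_LEN = 16   # editorial threshold for the RADIUS shared secret


def parse_fortios_config(text):
    """FortiOS 'config / edit / set / next / end' text -> nested dicts.
    Tables are keyed 'config <path>', entries by edit name; a 'set' with one value
    stores a string, with several values a list (e.g. set vaps "a" "b")."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # honours the double quotes FortiOS emits
        kw, cur = parts[0], stack[-1]
        if kw == "config":
            stack.append(cur.setdefault(" ".join(parts[1:]), {}))
        elif kw == "edit":
            stack.append(cur.setdefault(parts[1], {}))
        elif kw == "set":
            cur[parts[1]] = parts[2] if len(parts) == 3 else parts[2:]
        elif kw in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced '{kw}'")
            stack.pop()
        else:
            raise ValueError(f"unrecognised line: {line}")
    if len(stack) != 1:
        raise ValueError("unterminated config block")
    return root


def assigned_vaps(cfg):
    """VAP names bound to some radio in any FortiAP profile; None if a radio has vap-all enable."""
    bound = set()
    for prof in cfg.get("wireless-controller wtp-profile", {}).values():
        for key, radio in prof.items():
            if not (key.startswith("radio-") and isinstance(radio, dict)):
                continue
            if radio.get("vap-all") == "enable":
                return None
            vaps = radio.get("vaps", [])
            bound.update(vaps if isinstance(vaps, list) else [vaps])
    return bound


def audit_wifi(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    radius = cfg.get("user radius", {})
    groups = cfg.get("user group", {})
    bound = assigned_vaps(cfg)
    for name, srv in radius.items():
        if "server" not in srv:
            findings.append(f"{name}: no RADIUS server address configured")
        secret = srv.get("secret", "")     # an 'ENC ...' value parses as a list and is not measured
        if isinstance(secret, str) and len(secret) < MIN_SECRET_LEN:
            findings.append(f"{name}: RADIUS shared secret shorter than {MIN_SECRET_LEN} characters")
    for name, vap in cfg.get("wireless-controller vap", {}).items():
        sec = vap.get("security", "open")
        if sec not in ENTERPRISE_MODES:
            findings.append(f"{name}: security '{sec}' is not an 802.1X enterprise mode")
            continue
        auth = vap.get("auth")
        if auth == "radius":
            rs = vap.get("radius-server")
            if rs not in radius:
                findings.append(f"{name}: radius-server '{rs}' is not a defined user radius entry")
        elif auth == "usergroup":
            ug = vap.get("usergroup", [])
            for g in (ug if isinstance(ug, list) else [ug]):
                if g not in groups:
                    findings.append(f"{name}: usergroup '{g}' is not a defined user group")
                elif not groups[g].get("member"):
                    findings.append(f"{name}: user group '{g}' has no RADIUS member")
        else:
            findings.append(f"{name}: enterprise SSID with auth '{auth}' (expected radius or usergroup)")
        if bound is not None and name not in bound:
            findings.append(f"{name}: not assigned to any radio in a FortiAP profile")
    return findings


if __name__ == "__main__":
    for finding in audit_wifi(parse_fortios_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the text of show wireless-controller vap, show user radius, show user group and show wireless-controller wtp-profile pasted together; the sample reports the short secret on wifi-radius and the two problems with wifi-vap2, and reports nothing for the recipe's own wifi-vap.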

This entry was posted in Administration Guides, FortiAP, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
