
Wireless network examples

This chapter provides an example wireless network configuration.

Basic wireless network
A more complex example

Basic wireless network

This example uses automatic configuration to set up a basic wireless network.

To configure this wireless network, you must:

  • Configure authentication for wireless users
  • Configure the SSID (WiFi network interface)
  • Add the SSID to the FortiAP Profile
  • Configure the firewall policy
  • Configure and connect FortiAP units

Configuring authentication for wireless users

You need to configure user accounts and add the users to a user group. This example shows only one account, but multiple accounts can be added as user group members.

To configure a WiFi user – web-based manager

  1. Go to User & Device > User Definition and select Create New.
  2. Select Local User and then click Next.
  3. Enter a User Name and Password and then click Next.
  4. Click Next.
  5. Make sure that Enable is selected and then click Create.

To configure the WiFi user group – web-based manager

  1. Go to User & Device > User Groups and select Create New.
  2. Enter the following information and then select OK:
Name wlan_users
Type Firewall
Members Add users.

To configure a WiFi user and the WiFi user group – CLI

config user user
    edit "user01"
        set type password
        set passwd "asdf12ghjk"
    next
end

config user group
    edit "wlan_users"
        set member "user01"
    next
end

Configuring the SSID

First, establish the SSID (network interface) for the network. This is independent of the number of physical access points that will be deployed. The network assigns IP addresses using DHCP.

To configure the SSID – web-based manager

  1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.
  2. Enter the following information and select OK:
Interface Name                                  example_wifi_if
Traffic Mode                                      Tunnel to Wireless Controller
IP/Network Mask                                10.10.110.1/24
Administrative Access                      Ping (to assist with testing)
DHCP Server                                     Enable
Address Range 10.10.110.2 – 10.10.110.199
Netmask 255.255.255.0
Default Gateway Same As Interface IP
DNS Server Same as System DNS
SSID                                                 example_wifi
Security Mode                                   WPA2 Enterprise
Authentication                                  Local, select wlan_users user group.
Leave other settings at their default values.

To configure the SSID – CLI

config wireless-controller vap
    edit example_wifi_if
        set ssid "example_wifi"
        set broadcast-ssid enable
        set security wpa-enterprise
        set auth usergroup
        set usergroup wlan_users
        set schedule always
    next
end

config system interface
    edit example_wifi_if
        set ip 10.10.110.1 255.255.255.0
    next
end

config system dhcp server
    edit 0
        set default-gateway 10.10.110.1
        set dns-service default
        set interface "example_wifi_if"
        config ip-range
            edit 1
                set start-ip 10.10.110.2
                set end-ip 10.10.110.199
            next
        end
        set netmask 255.255.255.0
    next
end

Adding the SSID to the FortiAP Profile

The radio portion of the FortiAP configuration is contained in the FortiAP Profile. By default, there is a profile for each platform (FortiAP model). You can create additional profiles if needed. The SSID needs to be specified in the profile.

To add the SSID to the FortiAP Profile – web-based manager

  1. Go to WiFi & Switch Controller > FortiAP Profiles and edit the profile for your model of FortiAP unit.
  2. In Radio 1 and Radio 2, add example_wifi in SSID.
  3. Select OK.

Configuring security policies

A security policy is needed to enable WiFi users to access the Internet on port1. First you create a firewall address object for the WiFi network, then you create the example_wifi_if to port1 policy.

To create a firewall address for WiFi users – web-based manager

  1. Go to Policy & Objects > Addresses.
  2. Select Create New > Address, enter the following information and select OK.
Name wlan_user_net
Type IP/Netmask
Subnet / IP Range 10.10.110.0/24
Interface example_wifi_if
Show in Address List Enabled

To create a firewall address for WiFi users – CLI

config firewall address
    edit "wlan_user_net"
        set associated-interface "example_wifi_if"
        set subnet 10.10.110.0 255.255.255.0
    next
end

To create a security policy for WiFi users – web-based manager

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information and select OK:
Incoming Interface                  example_wifi_if
Source Address                      wlan_user_net
Outgoing Interface                  port1
Destination Address                All
Schedule                                always
Service                                   ALL
Action                                    ACCEPT
NAT                                       ON. Select Use Destination Interface Address (default).
Leave other settings at their default values.

To create a firewall policy for WiFi users – CLI

config firewall policy
    edit 0
        set srcintf "example_wifi_if"
        set dstintf "port1"
        set srcaddr "wlan_user_net"
        set dstaddr "all"
        set schedule always
        set service ALL
        set action accept
        set nat enable
    next
end

end

Connecting the FortiAP units

You need to connect each FortiAP unit to the FortiGate unit, wait for it to be recognized, and then assign it to the AP Profile. But first, you must configure the interface to which the FortiAP units connect and the DHCP server that assigns their IP addresses.

In this example, the FortiAP units connect to port 3 and are controlled through IP addresses on the 192.168.8.0/24 network.

To configure the interface for the AP unit – web-based manager

  1. Go to Network > Interfaces and edit the port3 interface.
  2. Set the Addressing mode to Dedicated to Extension Device and set the IP/Network Mask to 192.168.8.1/255.255.255.0.
  3. Select OK.

This procedure automatically configures a DHCP server for the AP units.

To configure the interface for the AP unit – CLI

config system interface
    edit port3
        set mode static
        set ip 192.168.8.1 255.255.255.0
    next
end

To configure the DHCP server for AP units – CLI

config system dhcp server
    edit 0
        set interface port3
        config exclude-range
            edit 1
                set start-ip 192.168.8.1
                set end-ip 192.168.8.1
            next
        end
        config ip-range
            edit 1
                set start-ip 192.168.8.2
                set end-ip 192.168.8.254
            next
        end
        set netmask 255.255.255.0
        set vci-match enable
        set vci-string "FortiAP"
    next
end
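What vci-match actually checks, as an added example that is not FortiOS code: the script builds DHCP DISCOVER packets with and without a vendor class identifier (option 60), decodes the option field, and applies the serve-or-ignore decision that the DHCP server above makes. The MAC addresses are constructed, and the comparison is assumed to be an exact match on the option value, since the page does not state FortiOS's exact rule. The third packet makes the point a practitioner should keep in mind: option 60 is chosen by the client, so VCI matching keeps ordinary hosts from consuming AP addresses but is not an authentication control for the port3 segment.

```python
"""DHCP vendor-class (option 60) matching, modelled after the FortiGate
`set vci-match enable` / `set vci-string "FortiAP"` setting above.
Added example; not FortiOS code. All packets are constructed in-process."""
import struct
from typing import Dict, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 marker at offset 236 of the BOOTP frame
OPT_MSG_TYPE, OPT_VENDOR_CLASS, OPT_END = 53, 60, 255
DHCPDISCOVER = 1
FORTIAP_VCI = b"FortiAP"             # the value the page configures as vci-string


def build_discover(client_mac: bytes, vendor_class: Optional[bytes]) -> bytes:
    """Build a minimal BOOTP/DHCP DISCOVER; vendor_class becomes option 60."""
    if len(client_mac) != 6:
        raise ValueError("client_mac must be 6 bytes")
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        0x3903F326, 0, 0x8000,      # xid (arbitrary), secs, flags (broadcast)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,   # chaddr sname file
    )
    options = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    if vendor_class is not None:
        options += bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class
    return fixed + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_options(packet: bytes) -> Dict[int, bytes]:
    """TLV-decode the DHCP options field; raises on a malformed packet."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:               # pad byte
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value          # a repeated option overwrites the earlier copy
        i += 2 + length
    return opts


def server_will_offer(packet: bytes, vci_match: bool, vci_string: bytes) -> bool:
    """Decision a vci-match-enabled DHCP server makes for a DISCOVER.
    Assumption: exact comparison of option 60 with vci_string."""
    opts = parse_options(packet)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPDISCOVER]):
        return False                # only DISCOVER is modelled here
    if not vci_match:
        return True
    return opts.get(OPT_VENDOR_CLASS) == vci_string


if __name__ == "__main__":
    # Constructed MAC addresses; the "spoofer" is any host that sets option 60 itself.
    ap = build_discover(bytes.fromhex("00090f112233"), FORTIAP_VCI)
    laptop = build_discover(bytes.fromhex("3c5ab4445566"), None)
    spoofer = build_discover(bytes.fromhex("deadbeef0001"), FORTIAP_VCI)
    for name, pkt in (("FortiAP", ap), ("laptop", laptop), ("spoofer", spoofer)):
        vci = parse_options(pkt).get(OPT_VENDOR_CLASS)
        print(f"{name:8s} option60={vci!r:12} served={server_will_offer(pkt, True, FORTIAP_VCI)}")
```

The laptop is refused and the genuine AP is served, which is the convenience the setting provides on a mixed segment; the spoofer is served too, which is why the AP segment is better kept as a dedicated interface (as port3 is above) than relied on as a boundary.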

To connect a FortiAP unit – web-based manager

  1. Go to WiFi & Switch Controller > Managed FortiAPs.
  2. Connect the FortiAP unit to port 3.
  3. Periodically select Refresh while waiting for the FortiAP unit to be listed.

Recognition of the FortiAP unit can take up to two minutes.

If FortiAP units are connected but cannot be recognized, try disabling VCI-Match in the DHCP server settings.

  4. When the FortiAP unit is listed, select the entry to edit it. The Edit Managed Access Point window opens.
  5. In State, select Authorize (the CLI equivalent is set admin enable).
  6. In FortiAP Profile, select the default profile for the FortiAP model.
  7. Select OK.
  8. Repeat steps 2 through 7 for each FortiAP unit.

To connect a FortiAP unit – CLI

  1. Connect the FortiAP unit to port 3.
  2. Enter:

config wireless-controller wtp

  3. Wait 30 seconds, then enter get.

Retry the get command every 15 seconds or so until the unit is listed, like this:

== [ FAP22B3U10600118 ] wtp-id: FAP22B3U10600118

  4. Edit the discovered FortiAP unit like this:

edit FAP22B3U10600118
    set admin enable
next
end

  5. Repeat steps 1 through 4 for each FortiAP unit.

A more complex example

This example creates multiple networks and uses custom AP profiles.

Scenario

In this example, Example Co. provides two wireless networks, one for its employees and the other for customers or other guests of its business. Guest users have access only to the Internet, not to the company’s private network. The equipment for these WiFi networks consists of FortiAP-220B units controlled by a FortiGate unit.

The employee network operates in 802.11n mode on both the 2.4GHz and 5GHz bands. Client IP addresses are in the 10.10.120.0/24 subnet, with 10.10.120.1 the IP address of the WAP. The guest network also operates in 802.11n mode, but only on the 2.4GHz band. Client IP addresses are on the 10.10.115.0/24 subnet, with 10.10.115.1 the IP address of the WAP.

On FortiAP-220B units, the 802.11n mode also supports 802.11g and 802.11b clients on the 2.4GHz band and 802.11a clients on the 5GHz band.

The guest network WAP broadcasts its SSID, the employee network WAP does not.

The employee network uses WPA-Enterprise authentication through a FortiGate user group. The guest network uses a captive portal: when a guest first tries to connect to the Internet, a login page requests logon credentials. Guests use numbered guest accounts authenticated by RADIUS. The captive portal for the guests includes a disclaimer page.

In this example, the FortiAP units connect to port 3 and are assigned addresses on the 192.168.8.0/24 subnet.

Configuration

To configure these wireless networks, you must:

  • Configure authentication for wireless users
  • Configure the SSIDs (network interfaces)
  • Configure the AP profile
  • Configure the WiFi LAN interface and a DHCP server
  • Configure firewall policies
  • Connect the FortiAP units

Configuring authentication for employee wireless users

Employees have user accounts on the FortiGate unit. This example shows creation of one user account, but you can create multiple accounts and add them as members to the user group.

To configure a WiFi user – web-based manager

  1. Go to User & Device > User Definition and select Create New.
  2. Select Local User and then click Next.
  3. Enter a User Name and Password and then click Next.
  4. Click Next.
  5. Make sure that Enable is selected and then click Create.

To configure the user group for employee access – web-based manager

  1. Go to User & Device > User Groups and select Create New.
  2. Enter the following information and then select OK:
Name employee-group
Type Firewall
Members Add users.

To configure a WiFi user and the user group for employee access – CLI

config user user
    edit "user01"
        set type password
        set passwd "asdf12ghjk"
    next
end

config user group
    edit "employee-group"
        set member "user01"
    next
end

The user authentication setup will be complete when you select the employee-group in the SSID configuration.

Configuring authentication for guest wireless users

Guests are assigned temporary user accounts created on a RADIUS server. The RADIUS server stores each user’s group name in the Fortinet-Group-Name attribute. Wireless users are in the group named “wireless”.

The FortiGate unit must be configured to access the RADIUS server.

To configure the FortiGate unit to access the guest RADIUS server – web-based manager

  1. Go to User & Device > RADIUS Servers and select Create New.
  2. Enter the following information and select OK:
Name                                     guestRADIUS
Primary Server IP/Name          10.11.102.100
Primary Server Secret             grikfwpfdfg
Secondary Server IP/Name      Optional
Secondary Server Secret         Optional
Authentication Scheme          Use default, unless server requires otherwise.
Leave other settings at their default values.

To configure the FortiGate unit to access the guest RADIUS server – CLI

config user radius
    edit guestRADIUS
        set auth-type auto
        set server 10.11.102.100
        set secret grikfwpfdfg
    next
end

To configure the user group for guest access – web-based manager

  1. Go to User & Device > User Groups and select Create New.
  2. Enter the following information:
Name guest-group
Type Firewall
Members Leave empty.
  3. In the Remote Groups section, select Create New.
  4. Enter:
Remote Server Select guestRADIUS.
Groups Select wireless
  5. Select OK.

To configure the user group for guest access – CLI

config user group
    edit "guest-group"
        set member "guestRADIUS"
        config match
            edit 0
                set server-name "guestRADIUS"
                set group-name "wireless"
            next
        end
    next
end

The user authentication setup will be complete when you select the guest-group user group in the SSID configuration.
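How the config match block above relates to what the RADIUS server sends, as an added example that is neither FortiOS code nor the RADIUS server's: it encodes the Fortinet-Group-Name vendor-specific attribute (RFC 2865 attribute 26, vendor ID 12356, vendor type 1), builds an Access-Accept whose Response Authenticator is computed with the shared secret from the page, and on the receiving side verifies that authenticator before extracting the group name and comparing it with the configured group-name "wireless". The request authenticator and packet identifier are constructed values. The forged packet at the end shows why the secret check comes first: an on-path attacker between the FortiGate and 10.11.102.100 can rewrite the attribute but cannot recompute the authenticator without the secret.

```python
"""RADIUS Access-Accept carrying the Fortinet-Group-Name VSA, and the group
match that the guest-group `config match` block performs. Added example, not
FortiOS or RADIUS-server code; packets are built and parsed in-process."""
import hashlib
import hmac
import struct
from typing import List, Tuple

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
FORTINET_VENDOR_ID = 12356       # enterprise number used by the Fortinet RADIUS dictionary
FORTINET_GROUP_NAME = 1          # vendor-type of Fortinet-Group-Name (string)
SHARED_SECRET = b"grikfwpfdfg"   # the page's example secret for guestRADIUS


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """RFC 2865 Vendor-Specific attribute wrapping one vendor sub-attribute."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(inner), vendor_id) + inner


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Server side: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: what the FortiGate must do before trusting any attribute."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Split the attribute area into (type, value) pairs."""
    attrs, i = [], 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[i + 2:i + alen]))
        i += alen
    return attrs


def fortinet_group_names(packet: bytes) -> List[str]:
    """Every Fortinet-Group-Name value in the packet (a server may send several)."""
    names = []
    for atype, value in parse_attributes(packet):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue
        j = 4
        while j + 2 <= len(value):
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                raise ValueError("malformed vendor sub-attribute")
            if vtype == FORTINET_GROUP_NAME:
                names.append(value[j + 2:j + vlen].decode("utf-8", "replace"))
            j += vlen
    return names


def user_matches_group(packet: bytes, request_auth: bytes, secret: bytes, configured_group: str) -> bool:
    """Equivalent of `config match ... set group-name "<configured_group>"`:
    the user is placed in the group only if the response authenticates
    AND carries the configured name."""
    return verify_response(packet, request_auth, secret) and configured_group in fortinet_group_names(packet)


if __name__ == "__main__":
    request_auth = bytes(range(16))          # constructed; a real one is 16 random bytes per request
    attrs = encode_vsa(FORTINET_VENDOR_ID, FORTINET_GROUP_NAME, b"wireless")
    accept = build_access_accept(0x2A, request_auth, SHARED_SECRET, attrs)
    print("groups in Access-Accept:", fortinet_group_names(accept))
    print("guest-group match:", user_matches_group(accept, request_auth, SHARED_SECRET, "wireless"))
    forged = accept[:-8] + b"employee"      # on-path attacker rewrites the group name
    print("forged packet accepted:", user_matches_group(forged, request_auth, SHARED_SECRET, "employee"))
```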

Configuring the SSIDs

First, establish the SSIDs (network interfaces) for the employee and guest networks. This is independent of the number of physical access points that will be deployed. Both networks assign IP addresses using DHCP.

To configure the employee SSID – web-based manager

  1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.
  2. Enter the following information and select OK:
Interface Name                       example_inc
Traffic Mode                           Tunnel to Wireless Controller
IP/Netmask                             10.10.120.1/24
Administrative Access            Ping (to assist with testing)
Enable DHCP                          Enable
  Address Range                     10.10.120.2 – 10.10.120.199
  Netmask                               255.255.255.0
  Default Gateway                   Same As Interface IP
  DNS Server                           Same as System DNS
SSID                                       example_inc
Broadcast SSID                        Disable (per the scenario, the employee SSID is not broadcast)
Security Mode                        WPA/WPA2-Enterprise
Authentication                        Select Local, then select employee-group.
Leave other settings at their default values.

To configure the employee SSID – CLI

config wireless-controller vap
    edit example_inc
        set ssid "example_inc"
        set broadcast-ssid disable
        set security wpa-enterprise
        set auth usergroup
        set usergroup employee-group
        set schedule always
    next
end

config system interface
    edit example_inc
        set ip 10.10.120.1 255.255.255.0
    next
end

config system dhcp server
    edit 0
        set default-gateway 10.10.120.1
        set dns-service default
        set interface example_inc
        config ip-range
            edit 1
                set start-ip 10.10.120.2
                set end-ip 10.10.120.199
            next
        end
        set lease-time 7200
        set netmask 255.255.255.0
    next
end

To configure the example_guest SSID – web-based manager

  1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.
  2. Enter the following information and select OK:
Interface Name                       example_guest
Traffic Mode                           Tunnel to Wireless Controller
IP/Netmask                             10.10.115.1/24
Administrative Access            Ping (to assist with testing)
Enable DHCP                          Enable
  Address Range                     10.10.115.2 – 10.10.115.50
  Netmask                               255.255.255.0
  Default Gateway                    Same as Interface IP
  DNS Server                           Same as System DNS
SSID                                       example_guest
Security Mode                        Captive Portal
Portal Type                             Authentication
Authentication Portal              Local
User Groups                           Select guest-group
Leave other settings at their default values.

To configure the example_guest SSID – CLI

config wireless-controller vap
    edit example_guest
        set ssid "example_guest"
        set security captive-portal
        set selected-usergroups guest-group
        set schedule always
    next
end

config system interface
    edit example_guest
        set ip 10.10.115.1 255.255.255.0
    next
end

config system dhcp server
    edit 0
        set default-gateway 10.10.115.1
        set dns-service default
        set interface "example_guest"
        config ip-range
            edit 1
                set start-ip 10.10.115.2
                set end-ip 10.10.115.50
            next
        end
        set lease-time 7200
        set netmask 255.255.255.0
    next
end

Configuring the FortiAP profile

The FortiAP Profile defines the radio settings for the networks. The profile provides access to both Radio 1 (2.4GHz) and Radio 2 (5GHz) for the employee virtual AP, but provides access only to Radio 1 for the guest virtual AP.

To configure the FortiAP Profile – web-based manager

  1. Go to WiFi & Switch Controller > FortiAP Profiles and select Create New.
  2. Enter the following information and select OK:
Name example_AP
Platform FAP220B
Radio 1
  Mode Access Point
  Band 802.11n
  Channel Select 1, 6, and 11.
  Tx Power 100%
  SSID Select SSIDs and select example_inc and example_guest.
Radio 2
  Mode Access Point
  Band 802.11n_5G
  Channel Select all.
  Tx Power 100%
  SSID Select SSIDs and select example_inc.

To configure the AP Profile – CLI

config wireless-controller wtp-profile
    edit "example_AP"
        config platform
            set type 220B
        end
        config radio-1
            set ap-bgscan enable
            set band 802.11n
            set channel "1" "6" "11"
            set vaps "example_inc" "example_guest"
        end
        config radio-2
            set ap-bgscan enable
            set band 802.11n-5G
            set channel "36" "40" "44" "48" "149" "153" "157" "161" "165"
            set vaps "example_inc"
        end
    next
end

Configuring firewall policies

Firewall policies are needed to enable the WLAN users to access the Internet on port1; user authentication is already enforced by each SSID's security mode, so the policies match on interface and source address. First you create firewall addresses for employee and guest users, then you create the firewall policies. Guests get no policy toward the internal interface, so their traffic to the private network falls through to the implicit deny.

To create firewall addresses for employee and guest WiFi users

  1. Go to Policy & Objects > Addresses.
  2. Select Create New, enter the following information and select OK.
Address Name employee-wifi-net
Type Subnet / IP Range
Subnet / IP Range 10.10.120.0/24
Interface example_inc
  3. Select Create New, enter the following information and select OK.
Address Name guest-wifi-net
Type Subnet / IP Range
Subnet / IP Range 10.10.115.0/24
Interface example_guest

To create firewall policies for employee WiFi users – web-based manager

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information:
Incoming Interface example_inc
Source Address employee-wifi-net
Outgoing Interface port1
Destination Address all
Schedule always
Service ALL
Action ACCEPT
NAT Enable NAT
  3. Optionally, select security profiles for wireless users.
  4. Select OK.
  5. Repeat steps 1 through 4, but select internal as the Outgoing Interface, to provide access to the Example Co. private network.

To create firewall policies for employee WiFi users – CLI

config firewall policy
    edit 0
        set srcintf "example_inc"
        set dstintf "port1"
        set srcaddr "employee-wifi-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set srcintf "example_inc"
        set dstintf "internal"
        set srcaddr "employee-wifi-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

To create a firewall policy for guest WiFi users – web-based manager

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information:
Incoming Interface example_guest
Source Address guest-wifi-net
Outgoing Interface port1
Destination Address all
Schedule always
Service ALL
Action ACCEPT
NAT Enable NAT
  3. Optionally, select security profiles for wireless users.
  4. Select OK.

To create a firewall policy for guest WiFi users – CLI

config firewall policy
    edit 0
        set srcintf "example_guest"
        set dstintf "port1"
        set srcaddr "guest-wifi-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
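Why guests end up with Internet access only, as an added example that is not FortiOS code: a small first-match evaluator over the address objects and the three policies configured above. The routing table and the 192.168.1.0/24 private LAN behind the internal interface are assumptions, because the page does not give them; schedule and service are omitted because every policy here uses always and ALL. The last case shows why a policy binds both the source interface and the source address: a guest who manually configures an address from the employee range still arrives on example_guest and falls through to the implicit deny.

```python
"""First-match policy evaluation for the wireless policies above.
Added example, not FortiOS code. It models only what the page's policies
use (interfaces, address objects, action); the LAN subnet and routes are
assumed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")

# Address objects from the page
ADDRESSES: Dict[str, IPv4Net] = {
    "employee-wifi-net": ipaddress.ip_network("10.10.120.0/24"),
    "guest-wifi-net": ipaddress.ip_network("10.10.115.0/24"),
    "all": ANY,
}

# Assumed routing table: the Example Co. private LAN behind "internal" is made up.
ROUTES: List[Tuple[IPv4Net, str]] = [
    (ipaddress.ip_network("192.168.1.0/24"), "internal"),
    (ipaddress.ip_network("10.10.120.0/24"), "example_inc"),
    (ipaddress.ip_network("10.10.115.0/24"), "example_guest"),
    (ANY, "port1"),                          # default route to the Internet
]


@dataclass(frozen=True)
class Policy:
    name: str
    srcintf: str
    dstintf: str
    srcaddr: str        # address object name
    dstaddr: str
    action: str = "accept"
    nat: bool = False


# The three explicit policies from the page, in creation order
POLICIES: List[Policy] = [
    Policy("employee-internet", "example_inc", "port1", "employee-wifi-net", "all", nat=True),
    Policy("employee-lan", "example_inc", "internal", "employee-wifi-net", "all", nat=True),
    Policy("guest-internet", "example_guest", "port1", "guest-wifi-net", "all", nat=True),
]


def egress_interface(dst_ip: str) -> str:
    """Longest-prefix route lookup; FortiOS resolves the outgoing interface
    before it walks the policy table."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [(net.prefixlen, intf) for net, intf in ROUTES if dst in net]
    return max(matches)[1]


def evaluate(ingress: str, src_ip: str, dst_ip: str,
             policies: List[Policy] = POLICIES) -> Tuple[str, Optional[str]]:
    """Top-down first match; anything unmatched hits the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    dstintf = egress_interface(dst_ip)
    for p in policies:
        if (p.srcintf == ingress and p.dstintf == dstintf
                and src in ADDRESSES[p.srcaddr] and dst in ADDRESSES[p.dstaddr]):
            return p.action, p.name
    return "deny", None             # implicit deny at the bottom of the table


if __name__ == "__main__":
    cases = [
        ("example_guest", "10.10.115.7", "8.8.8.8"),        # guest to Internet
        ("example_guest", "10.10.115.7", "192.168.1.10"),   # guest to private LAN
        ("example_inc", "10.10.120.5", "192.168.1.10"),     # employee to private LAN
        ("example_guest", "10.10.120.5", "192.168.1.10"),   # guest using an employee address
    ]
    for ingress, s, d in cases:
        print(f"{ingress:14s} {s:>13s} -> {d:<13s} {evaluate(ingress, s, d)}")
```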

Connecting the FortiAP units

You need to connect each FortiAP-220B unit to the FortiGate unit, wait for it to be recognized, and then assign it to the example_AP profile. But first, you must configure the interface to which the FortiAP units connect and the DHCP server that assigns their IP addresses.

In this example, the FortiAP units connect to port 3 and are controlled through IP addresses on the 192.168.8.0/24 network.

To configure the interface for the AP unit – web-based manager

  1. Go to Network > Interfaces and edit the port3 interface.
  2. Set the Addressing mode to Dedicated to Extension Device and set the IP/Netmask to 192.168.8.1/255.255.255.0.

This step automatically configures a DHCP server for the AP units.

  3. Select OK.

To configure the interface for the AP unit – CLI

config system interface
    edit port3
        set mode static
        set ip 192.168.8.1 255.255.255.0
    next
end

To configure the DHCP server for AP units – CLI

config system dhcp server
    edit 0
        set interface port3
        config ip-range
            edit 1
                set start-ip 192.168.8.2
                set end-ip 192.168.8.9
            next
        end
        set netmask 255.255.255.0
        set vci-match enable
        set vci-string "FortiAP"
    next
end

To connect a FortiAP-220B unit – web-based manager

  1. Go to WiFi & Switch Controller > Managed FortiAPs.
  2. Connect the FortiAP unit to port 3.
  3. Periodically select Refresh while waiting for the FortiAP unit to be listed.

Recognition of the FortiAP unit can take up to two minutes.

If there is persistent difficulty recognizing FortiAP units, try disabling VCI-Match in the DHCP server settings.

  4. When the FortiAP unit is listed, select the entry to edit it. The Edit Managed Access Point window opens.
  5. In State, select Authorize (the CLI equivalent is set admin enable).
  6. In FortiAP Profile, select [Change] and then select the example_AP profile.
  7. Select OK.
  8. Repeat steps 2 through 7 for each FortiAP unit.

To connect a FortiAP-220B unit – CLI

  1. Connect the FortiAP unit to port 3.
  2. Enter:

config wireless-controller wtp

  3. Wait 30 seconds, then enter get.

Retry the get command every 15 seconds or so until the unit is listed, like this:

== [ FAP22B3U10600118 ] wtp-id: FAP22B3U10600118

  4. Edit the discovered FortiAP unit like this:

edit FAP22B3U10600118
    set admin enable
    set wtp-profile example_AP
next
end

  5. Repeat steps 1 through 4 for each FortiAP unit.

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Configuring wireless network clients

This chapter shows how to configure typical wireless network clients to connect to a wireless network with WPA-Enterprise security.

Windows XP client

Windows 7 client

Mac OS client

Linux client

Troubleshooting

Windows XP client

To configure the WPA-Enterprise network connection

  1. In the Windows Start menu, go to Control Panel > Network Connections > Wireless Network Connection, or select the wireless network icon in the Notification area of the Taskbar. A list of available networks is displayed.

If you are already connected to another wireless network, the Connection Status window displays. Select View Wireless Networks on the General tab to view the list.

If the network broadcasts its SSID, it is listed, but do not try to connect until you have completed the configuration steps below. Because the network doesn't use the Windows XP default security configuration, you must configure the client's network settings manually before trying to connect. You can also configure the WPA-Enterprise network to be accessible from the View Wireless Networks window even if it does not broadcast its SSID.

  2. Select Change Advanced Settings and then select the Wireless Networks tab.

Any existing networks that you have already configured are listed in the Preferred Networks list.

  3. Select Add and enter the following information:
Network Name (SSID) The SSID for your wireless network
Network Authentication WPA2
Data Encryption AES
  4. If this wireless network does not broadcast its SSID, select Connect even if this network is not broadcasting so that the network will appear in the View Wireless Networks window.
  5. Select the Authentication tab.
  6. In EAP Type, select Protected EAP (PEAP).
  7. Make sure that the other two authentication options are not selected.
  8. Select Properties.
  9. Make sure that Validate server certificate is selected. Without server validation the client completes the PEAP handshake with any access point that advertises the same SSID, exposing the MSCHAPv2 credential exchange to an impostor.
  10. Select the server certificate Entrust Root Certification Authority. (This is the CA used in this example; select whichever CA issued the certificate that your FortiGate or RADIUS server presents for EAP.)
  11. In Select Authentication Method, select Secured Password (EAP-MSCHAPv2).
  12. Ensure that the remaining options are not selected.
  13. Select Configure.
  14. If your wireless network credentials are the same as your Windows logon credentials, select Automatically use my Windows logon name and password. Otherwise, make sure that this option is not selected.
  15. Select OK. Repeat until you have closed all of the Wireless Network Connection Properties windows.

To connect to the WPA-Enterprise wireless network

  1. Select the wireless network icon in the Notification area of the Taskbar.
  2. In the View Wireless Networks list, select the network you just added and then select Connect. You might need to log off of your current wireless network and refresh the list.
  3. When the popup requesting credentials displays, click on it.
  4. In the Enter Credentials window, enter your wireless network User name, Password, and Logon domain (if applicable). Then, select OK.

In future, Windows will automatically send your credentials when you log on to this network.

Windows 7 client

To configure the WPA-Enterprise network connection

  1. In the Windows Start menu, go to Control Panel > Network and Internet > Network and Sharing Center > Manage Wireless Networks, or select the wireless network icon in the Notification area of the Taskbar. A list of available networks is displayed.
  2. Do one of the following:
     • If the wireless network is listed (it broadcasts its SSID), select it from the list.
     • Select Add > Manually create a network profile.
  3. Enter the following information and select Next.
Network name Enter the SSID of the wireless network. (Required only if you selected Add.)
Security type WPA2-Enterprise
Encryption type AES
Start this connection automatically Select
Connect even if the network is not broadcasting Select

The Wireless Network icon will display a popup requesting that you click to enter credentials for the network. Click on the popup notification.

  4. In the Enter Credentials window, enter your wireless network User name, Password, and Logon domain (if applicable). Then, select OK.
  5. Select Change connection settings.
  6. On the Connection tab, select Connect automatically when this network is in range.
  7. On the Security tab, select the Microsoft PEAP authentication method and then select Settings.
  8. Make sure that Validate server certificate is selected.
  9. Select the server certificate Entrust Root Certification Authority.
  10. In Select Authentication Method, select Secured Password (EAP-MSCHAPv2).
  11. Select Configure.
  12. If your wireless network credentials are the same as your Windows logon credentials, select Automatically use my Windows logon name and password. Otherwise, make sure that this option is not selected.
  13. Ensure that the remaining options are not selected.
  14. Select OK. Repeat until you have closed all of the Wireless Network Properties windows.

Mac OS client

To configure network preferences

  1. Right-click the AirPort icon in the toolbar and select Open Network Preferences.
  2. Select Advanced and then select the 802.1X tab.
  3. If there are no Login Window Profiles in the left column, select the + button and then select Add Login Window Profile.
  4. Select the Login Window Profile and then make sure that both TTLS and PEAP are selected in Authentication.

To configure the WPA-Enterprise network connection

  1. Select the AirPort icon in the toolbar.
  2. Do one of the following:
     • If the network is listed, select the network from the list.
     • Select Connect to Other Network.

One of the following windows opens, depending on your selection.

  3. Enter the following information and select OK or Join:
Network name Enter the SSID of your wireless network. (Other network only)
Wireless Security WPA Enterprise
802.1X Automatic
Username, Password Enter your logon credentials for the wireless network.
Remember this network Select.

You are connected to the wireless network.

Linux client

This example is based on the Ubuntu 10.04 Linux wireless client.

To configure the WPA-Enterprise network connection

  1. Select the Network Manager icon to view the Wireless Networks menu.

Wireless networks that broadcast their SSID are listed in the Available section of the menu. If the list is long, it is continued in the More Networks submenu.

  2. Do one of the following:
     • Select the network from the list (also check More Networks).
     • Select Connect to Hidden Wireless Network.

One of the following windows opens, depending on your selection.

  3. Enter the following information:
Connection Leave as New. (Hidden network only)
Network name Enter the SSID of your wireless network. (Hidden network only)
Wireless Security WPA & WPA2 Enterprise
Authentication Protected EAP (PEAP) for RADIUS-based authentication; Tunneled TLS for TACACS+ or LDAP-based authentication
Anonymous identity This is not required.
CA Certificate To validate the authentication server's certificate (recommended; otherwise the client will complete the EAP exchange with any access point that advertises the SSID), select the Entrust Root Certification Authority root certificate. The default location for the certificate is /usr/share/ca-certificates/mozilla/.
PEAP version Automatic (applies only to PEAP)
Inner authentication MSCHAPv2 for RADIUS-based authentication; PAP or CHAP for TACACS+ or LDAP-based authentication
Username, Password Enter your logon credentials for the wireless network.
  4. If you did not select a CA Certificate above, you are asked to do so. Selecting Ignore proceeds without server validation.
  5. Select Connect. You are connected to the wireless network.

To connect to a WPA-Enterprise network

  1. Select the Network Manager icon to view the Wireless Networks menu.
  2. Select the network from the list (also check More Networks).

If your network is not listed (but was configured), select Connect to Hidden Wireless Network, select your network from the Connection drop-down list, and then select Connect.

Troubleshooting

Using tools provided in your operating system, you can find the source of common wireless networking problems.

Checking that the client received IP address and DNS server information

Windows XP

  1. Double-click the network icon in the taskbar to display the Wireless Network Connection Status window.

Check that the correct network is listed in the Connection section.

  2. Select the Support tab.

Check that the Address Type is Assigned by DHCP. Check that the IP Address, Subnet Mask, and Default Gateway values are valid.

  3. Select Details to view the DNS server addresses.

The listed addresses should be the DNS servers that were assigned to the WAP. Usually a wireless network that provides access to the private LAN is assigned the same DNS servers as the wired private LAN. A wireless network that provides guest or customer users access to the Internet is usually assigned public DNS servers.

  4. If any of the addresses are missing, select Repair.

If the repair procedure doesn't correct the problem, check your network settings.

Mac OS

  1. From the Apple menu, open System Preferences > Network.
  2. Select AirPort and then select Configure.
  3. On the Network page, select the TCP/IP tab.
  4. If there is no IP address, or the IP address starts with 169.254 (a self-assigned link-local address, meaning no DHCP lease was obtained), select Renew DHCP Lease.
  5. To check DNS server addresses, open a terminal window and enter the following command:

cat /etc/resolv.conf

Check the listed nameserver addresses. A network for employees should use the wired private LAN DNS server. A network for guests should specify a public DNS server.

Linux

This example is based on the Ubuntu 10.04 Linux wireless client.

  1. Right-click the Network Manager icon and select Connection Information.
  2. Check the IP address and DNS settings. If they are incorrect, check your network settings.

 


Monitoring wireless network health

The Wireless Health Dashboard provides a comprehensive view of the health of your network’s wireless infrastructure. The dashboard includes widgets to display

  • AP Status – Active, Down or missing, up for over 24 hours, rebooted in past 24 hours
  • Client Count Over Time – viewable for past hour, day, or 30 days
  • Top Client Count Per-AP – separate widgets for 2.4GHz and 5GHz bands
  • Top Wireless Interference – separate widgets for 2.4GHz and 5GHz bands, requires spectrum analysis to be enabled on the radios
  • Login Failures Information

To view the Wireless Health dashboard, go to Monitor > Wireless Health Monitor.

Suppressing rogue APs

In addition to monitoring rogue APs, you can actively prevent your users from connecting to them. When suppression is activated against an AP, the FortiGate WiFi controller sends deauthentication messages to the rogue AP’s clients, posing as the rogue AP, and also sends deauthentication messages to the rogue AP, posing as its clients. This is done using the monitoring radio.

To enable rogue AP suppression, you must enable monitoring of rogue APs with the on-wire detection technique. See “Monitoring rogue APs”. The monitoring radio must be in the Dedicated Monitor mode.

To activate AP suppression against a rogue AP

  1. Go to Monitor > Rogue AP Monitor.
  2. When you see an AP listed that is a rogue detected “on-wire”, select it and then select Mark > Mark Rogue.
  3. To suppress an AP that is marked as a rogue, select it and then select Suppress AP.

To deactivate AP suppression

  1. Go to Monitor > Rogue AP Monitor.
  2. Select the suppressed rogue AP and then select Suppress AP > Unsuppress AP.

Using the Rogue AP Monitor

Go to Monitor > Rogue AP Monitor to view the list of other wireless access points that are receivable at your location.

Information Columns

Actual columns displayed depend on Column Settings.

State           Rogue AP — Use this status for unauthorized APs that On-wire status indicates are attached to your wired networks.
                Accepted AP — Use this status for APs that are an authorized part of your network or are neighboring APs that are not a security threat. To see accepted APs in the list, select Show Accepted.
                Unclassified — This is the initial status of a discovered AP. You can change an AP back to unclassified if you have mistakenly marked it as Rogue or Accepted.
Online Status   An icon indicates one of: Active AP, Inactive AP, Active ad-hoc WiFi device, Inactive ad-hoc WiFi device.
SSID            The wireless service set identifier (SSID) or network name for the wireless interface.
Security Type   The type of security currently being used.
Channel         The wireless radio channel that the access point uses.
MAC Address     The MAC address of the wireless interface.
Vendor Info     The name of the vendor.
Signal Strength The relative signal strength of the AP. Mouse over the symbol to view the signal-to-noise ratio.
Detected By     The name or serial number of the AP unit that detected the signal.
On-wire         A green up-arrow indicates a suspected rogue, based on the on-wire detection technique. A red down-arrow indicates the AP is not a suspected rogue.
First Seen      How long ago this AP was first detected.
Last Seen       How long ago this AP was last detected.
Rate            Data rate in bps.

To change the Online Status of an AP, right-click it and select Mark Accepted or Mark Rogue.


Configuring rogue scanning

All APs using the same FortiAP Profile share the same rogue scanning settings, unless override is configured.

To enable rogue AP scanning with on-wire detection – web-based manager

  1. Go to WiFi & Switch Controller > WIDS Profiles.

On some models, the menu is WiFi & Switch Controller.

  2. Select an existing WIDS Profile and edit it, or select Create New.
  3. Make sure that Enable Rogue AP Detection is selected.
  4. Select Enable On-Wire Rogue AP Detection.
  5. Optionally, enable Auto Suppress Rogue APs in Foreground Scan.
  6. Select OK.

To enable the rogue AP scanning feature in a custom AP profile – CLI

config wireless-controller wids-profile
    edit FAP220B-default
        set ap-scan enable
        set rogue-scan enable
end

Exempting an AP from rogue scanning

By default, if Rogue AP Detection is enabled, it is enabled on all managed FortiAP units. Optionally, you can exempt an AP from scanning. You should be careful about doing this if your organization must perform scanning to meet PCI-DSS requirements.

To exempt an AP from rogue scanning – web-based manager

  1. Go to WiFi & Switch Controller > Managed FortiAPs.
  2. Select which AP to edit.
  3. In Wireless Settings, enable Override Settings.
  4. Select Do not participate in Rogue AP Scanning and then select OK.

To exempt an AP from rogue scanning – CLI

This example shows how to exempt access point AP1 from rogue scanning.

config wireless-controller wtp
    edit AP1
        set override-profile enable
        set ap-scan disable
end

MAC adjacency

You can adjust the maximum WiFi-to-Ethernet MAC difference used when determining whether a suspect AP is a rogue.

To adjust MAC adjacency

For example, to change the adjacency to 8, enter

config wireless-controller global
    set rogue-scan-mac-adjacency 8
end

Monitoring rogue APs                                                                                                  Wireless network monitoring


Rogue AP scanning as a background activity

Each WiFi radio can perform monitoring of radio channels in its operating band while acting as an AP. It does this by briefly switching from AP to monitoring mode. By default, a scan period starts every 300 seconds. Each second a different channel is monitored for 20ms until all channels have been checked.

During heavy AP traffic, it is possible for Spectrum Analysis background scanning to cause lost packets when the radio switches to monitoring. To reduce the probability of lost packets, you can set the CLI ap-bgscan-idle field to delay the switch to monitoring until the AP has been idle for a specified period. This means that heavy AP traffic may slow background scanning.

The following CLI example configures default background rogue scanning operation except that it sets ap-bgscan-idle to require 100ms of AP inactivity before scanning the next channel.

config wireless-controller wtp-profile
    edit ourprofile
        config radio-1
            set wids-profile ourwidsprofile
            set spectrum-analysis enable
        end
end

config wireless-controller wids-profile
    edit ourwidsprofile
        set ap-scan enable
        set rogue-scan enable
        set ap-bgscan-period 300
        set ap-bgscan-intv 1
        set ap-bgscan-duration 20
        set ap-bgscan-idle 100
end


On-wire rogue AP detection technique

Other APs that are available in the same area as your own APs are not necessarily rogues. A neighboring AP that has no connection to your network might cause interference, but it is not a security threat. A rogue AP is an unauthorized AP connected to your wired network. This can enable unauthorized access. When rogue AP detection is enabled, the On-wire column in the Rogue AP Monitor list shows a green up-arrow on detected rogues.

Rogue AP monitoring of WiFi client traffic builds a table of WiFi clients and the Access Points that they are communicating through. The FortiGate unit also builds a table of MAC addresses that it sees on the LAN. The FortiGate unit’s on-wire correlation engine constantly compares the MAC addresses seen on the LAN to the MAC addresses seen on the WiFi network.

There are two methods of Rogue AP on-wire detection operating simultaneously: Exact MAC address match and MAC adjacency.

Exact MAC address match

If the same MAC address is seen on the LAN and on the WiFi network, this means that the wireless client is connected to the LAN. If the AP that the client is using is not authorized in the FortiGate unit configuration, that AP is deemed an ‘on-wire’ rogue. This scheme works for non-NAT rogue APs.

MAC adjacency

If an access point is also a router, it applies NAT to WiFi packets. This can make rogue detection more difficult.

However, an AP’s WiFi interface MAC address is usually in the same range as its wired MAC address. So, the MAC adjacency rogue detection method matches LAN and WiFi network MAC addresses that are within a defined numerical distance of each other. By default, the MAC adjacency value is 7. If the AP for these matching MAC addresses is not authorized in the FortiGate unit configuration, that AP is deemed an ‘on-wire’ rogue.

Limitations

On-wire rogue detection has some limitations. There must be at least one WiFi client connected to the suspect AP and continuously sending traffic. If the suspect AP is a router, its WiFi MAC address must be very similar to its Ethernet port MAC address.
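As an added example (not the guide's or Fortinet's own code), the following Python models the two on-wire correlation methods described above, exact MAC match and MAC adjacency, over constructed LAN and WiFi tables, including the limitation that an AP is only evaluated when a client is seen sending traffic through it. The MAC addresses, the WifiObservation type and the classify_on_wire function are assumptions made for the illustration; the default distance of 7 is the guide's rogue-scan-mac-adjacency default.

```python
from dataclasses import dataclass

MAC_ADJACENCY_DEFAULT = 7  # FortiOS default for rogue-scan-mac-adjacency

def mac_to_int(mac: str) -> int:
    # Interpret a MAC address as a 48-bit integer so distances can be compared.
    return int(mac.lower().replace(":", "").replace("-", ""), 16)

def mac_distance(a: str, b: str) -> int:
    return abs(mac_to_int(a) - mac_to_int(b))

@dataclass(frozen=True)
class WifiObservation:
    client_mac: str  # station seen sending traffic
    ap_bssid: str    # WiFi-side MAC of the AP it is using

def classify_on_wire(lan_macs, wifi_obs, authorized_aps, adjacency=MAC_ADJACENCY_DEFAULT):
    """Return {ap_bssid: reason} for every AP deemed an on-wire rogue.
    An AP is only evaluated when a client has been observed sending traffic
    through it, which is the limitation the guide describes.
    """
    lan = {m.lower() for m in lan_macs}
    authorized = {a.lower() for a in authorized_aps}
    rogues = {}
    for obs in wifi_obs:
        bssid = obs.ap_bssid.lower()
        if bssid in authorized or bssid in rogues:
            continue
        # Exact match: the client's own MAC also appears on the wire, so the
        # AP bridges WiFi onto the LAN without NAT.
        if obs.client_mac.lower() in lan:
            rogues[bssid] = "exact-match"
            continue
        # MAC adjacency: a NAT router hides client MACs, but its BSSID is
        # usually numerically close to its own wired MAC seen on the LAN.
        near = sorted(m for m in lan if mac_distance(m, bssid) <= adjacency)
        if near:
            rogues[bssid] = "mac-adjacency:" + near[0]
    return rogues

# Constructed sample tables (placeholder MAC addresses, not from any real network).
LAN_MACS = ["00:11:22:33:44:55", "02:aa:bb:cc:dd:10", "00:50:56:aa:bb:01"]
WIFI_OBS = [
    WifiObservation("00:11:22:33:44:55", "0a:bb:cc:dd:ee:01"),  # client bridged to the LAN
    WifiObservation("c4:11:22:33:44:99", "02:aa:bb:cc:dd:15"),  # NAT router, BSSID 5 above its wired MAC
    WifiObservation("de:ad:be:ef:00:01", "00:50:56:aa:bb:01"),  # our own authorized AP
    WifiObservation("de:ad:be:ef:00:02", "44:55:66:77:88:99"),  # neighbouring AP, no correlation
]
AUTHORIZED_APS = ["00:50:56:aa:bb:01"]
```

Lowering the adjacency (as with set rogue-scan-mac-adjacency in the CLI) to 3 drops the NAT router from the result, because its BSSID is 5 away from its wired MAC.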

Logging

Information about detected rogue APs is logged and uploaded to your FortiAnalyzer unit, if you have one. By default, rogue APs generate an alert level log, unknown APs generate a warning level log. This log information can help you with PCI-DSS compliance requirements.

