Category Archives: Administration Guides

Configuring user authentication

Leave a reply

Configuring user authentication

You can perform user authentication when the wireless client joins the wireless network and when the wireless user communicates with another network through a firewall policy. WEP and WPA-Personal security rely on legitimate users knowing the correct key or passphrase for the wireless network. The more users you have, the more likely it is that the key or passphrase will become known to unauthorized people. WPA-Enterprise and captive portal security provide separate credentials for each user. User accounts can be managed through FortiGate user groups or an external RADIUS authentication server.

 

WPA2 Enterprise authentication

Enterprise authentication can be based on the local FortiGate user database or on a remote RADIUS server.

Local authentication is essentially the same for WiFi users as it is for wired users, except that authentication for WiFi users occurs when they associate their device with the AP. Therefore, enterprise authentication must be configured in the SSID. WiFi users can belong to user groups just the same as wired users and security policies will determine which network services they can access.

If your WiFi network uses WPA2 Enterprise authentication verified by a RADIUS server, you need to configure the FortiGate unit to connect to that RADIUS server.

Configuring connection to a RADIUS server – web-based manager

  1. Go to User & Device > RADIUS Servers and select Create New.
  2. Enter a Name for the server.

This name is used in FortiGate configurations. It is not the actual name of the server.

  1. In Primary Server Name/IP, enter the network name or IP address for the server.
  2. In Primary Server Secret, enter the shared secret used to access the server.
  3. Optionally, enter the information for a secondary or backup RADIUS server.
  4. Select OK.

To configure the FortiGate unit to access the RADIUS server – CLI

config user radius edit exampleRADIUS set auth-type auto set server 10.11.102.100 set secret aoewmntiasf

end

To implement WPA2 Enterprise security, you select this server in the SSID security settings. See Configuring user authentication on page 58.

To use the RADIUS server for authentication, you can create individual FortiGate user accounts that specify the authentication server instead of a password, and you then add those accounts to a user group. Or, you can add the authentication server to a FortiGate user group, making all accounts on that server members of the user group.

Creating a wireless user group

Most wireless networks require authenticated access. To enable creation of firewall policies specific to WiFi users, you should create at least one WiFi user group. You can add or remove users later. There are two types of user group to consider:

  • A Firewall user group can contain user accounts stored on the FortiGate unit or external authentication servers such as RADIUS that contain and verify user credentials.
  • A Fortinet Single Sign-On (FSSO) user group is used for integration with Windows Active Directory or Novell eDirectory. The group can contain Windows or Novell user groups who will be permitted access to the wireless LAN.

WiFi Single Sign-On (WSSO) authentication

WSSO is RADIUS-based authentication that passes the user’s user group memberships to the FortiGate. For each user, the RADIUS server must provide user group information in the Fortinet-Group-Name attribute. This information is stored in the server’s database. After the user authenticates, security policies provide access to network services based on user groups.

  1. Configure the RADIUS server to return the Fortinet-Group-Name attribute for each user.
  2. Configure the FortiGate to access the RADIUS server, as described in WPA2 Enterprise authentication on page 59.
  3. Create firewall user groups on the FortiGate with the same names as the user groups listed in the RADIUS database. Leave the groups empty.
  4. In the SSID choose WPA2-Enterprise authentication. In the Authentication field, select RADIUS Server and choose the RADIUS server that you configured.
  5. Create security policies as needed, using user groups (Source User(s) field) to control access.

When a user authenticates by WSSO, the firewall monitor Monitor > Firewall Monitor) shows the authentication method as WSSO.

Assigning WiFi users to VLANs dynamically

Some enterprise networks use Virtual LANs (VLANs) to separate traffic. In this environment, to extend network access to WiFi users might appear to require multiple SSIDs. But it is possible to automatically assign each user to their appropriate VLAN from a single SSID. To accomplish this requires RADIUS authentication that passes the appropriate VLAN ID to the FortiGate by RADIUS attributes. Each user’s VLAN assignment is stored in the user database of the RADIUS server.

  1. Configure the RADIUS server to return the following attributes for each user:

Tunnel-Type (value: VLAN)

Tunnel-Medium-Type (value: IEEE-802)

Tunnel_Private-Group-Id (value: the VLAN ID for the user’s VLAN)

  1. Configure the FortiGate to access the RADIUS server.
  2. Configure the SSID with WPA2-Enterprise authentication. In the Authentication field, select RADIUS Server and choose the RADIUS server that you will use.
  3. Create VLAN subinterfaces on the SSID interface, one for each VLAN. Set the VLAN ID of each as appropriate. You can do this on the Network > Interfaces
  4. Enable Dynamic VLAN assignment for the SSID. For example, if the SSID interface is “office”, enter:

config wireless-controller vap edit office set dynamic-vlan enable

end

  1. Create security policies for each VLAN. These policies have a WiFI VLAN subinterface as Incoming Interface and allow traffic to flow to whichever Outgoing Interface these VLAN users will be allowed to access.

MAC-based authentication

Wireless clients can also be supplementally authenticated by MAC address. A RADIUS server stores the allowed MAC address for each client and the wireless controller checks the MAC address independently of other authentication methods.

firewall policies for the SSID

MAC-based authentication must be configured in the CLI. In the following example, MAC-based authentication is added to an existing access point “vap1” to use RADIUS server hq_radius (configured on the FortiGate):

config wireless-controller vap edit vap1 set radius-mac-auth enable set radius-mac-auth-server hq_radius

end

Authenticating guest WiFi users

The FortiOS Guest Management feature enables you to easily add guest accounts to your FortiGate unit. These accounts are authenticate guest WiFi users for temporary access to a WiFi network managed by a FortiGate unit. To implement guest access, you need to

  1. Go to User & Device > User Groups and create one or more guest user groups.
  2. Go to User & Device > Guest Management to create guest accounts. You can print the guest account credentials or send them to the user as an email or SMS message.
  3. Go to WiFi & Switch Controller > SSID and configure your WiFi SSID to use captive portal authentication. Select the guest user group(s) that you created.

Guest users can log into the WiFi captive portal with their guest account credentials until the account expires. For more detailed information about creating guest accounts, see “Managing Guest Access” in the Authentication chapter of the FortiOS Handbook.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

WIFI Dynamic user VLAN assignment

Leave a reply

Dynamic user VLAN assignment

Clients connecting to the WiFi network can be assigned to a VLAN. You can do this with RADIUS attributes when the user authenticates or with VLAN pooling when the client associates with a particular FortiAP. You cannot use both of these methods at the same time.

VLAN assignment by RADIUS

You can assign each individual user to a VLAN based on information stored in the RADIUS authentication server. If the user’s RADIUS record does not specify a VLAN ID, the user is assigned to the default VLAN for the SSID.

The RADIUS user attributes used for the VLAN ID assignment are:

IETF 64 (Tunnel Type)—Set this to VLAN.

IETF 65 (Tunnel Medium Type)—Set this to 802

IETF 81 (Tunnel Private Group ID)—Set this to the VLAN ID.  To configure dynamic VLAN assignment, you need to:

  1. Configure access to the RADIUS server.
  2. Create the SSID and enable dynamic VLAN assignment.
  3. Create a FortiAP Profile and add the local bridge mode SSID to it.
  4. Create the VLAN interfaces and their DHCP servers.
  5. Create security policies to allow communication from the VLAN interfaces to the Internet.
  6. Authorize the FortiAP unit and assign the FortiAP Profile to it.

Dynamic user VLAN assignment

To configure access to the RADIUS server

  1. Go to User & Device > RADIUS Servers and select Create New.
  2. Enter a Name, the name or IP address in Primary Server IP/Name, and the server secret in Primary Server Secret.
  3. Select OK.

To create the dynamic VLAN SSID

  1. Go to WiFi & Switch Controller > SSID, select Create New > SSID and enter:
Name An identifier, such as dynamic_vlan_ssid.
Traffic Mode Local bridge or Tunnel, as needed.
SSID An identifier, such as DYNSSID.
Security Mode WPA2 Enterprise
Authentication RADIUS Server. Select the RADIUS server that you configured.
  1. Select OK.
  2. Enable dynamic VLAN in the CLI. Optionally, you can also assign a VLAN ID to set the default VLAN for users without a VLAN assignment.

config wireless-controller vap edit dynamic_vlan_ssid set dynamic-vlan enable set vlanid 10

end

To create the FortiAP profile for the dynamic VLAN SSID

  1. Go to WiFi & Switch Controller > FortiAP Profiles, select Create New and enter:
Name A name for the profile, such as dyn_vlan_profile.
Platform The FortiAP model you are using. If you use more than one model of FortiAP, you will need a FortiAP Profile for each model.
Radio 1 and Radio 2
SSID Select the SSID you created (example dynamic_vlan_ssid). Do not add other SSIDs.
  1. Adjust other radio settings as needed.
  2. Select OK.

To create the VLAN interfaces

  1. Go to Network > Interfaces and select Create New > Interface.
  2. Enter:

Dynamic user VLAN assignment

Name A name for the VLAN interface, such as VLAN100.
Interface The physical interface associated with the VLAN interface.
VLAN ID The numeric VLAN ID, for example 100.
Addressing mode Select Manual and enter the IP address / Network Mask for the virtual interface.
DHCP Server Enable and then select Create New to create an address range.
  1. Select OK.
  2. Repeat the preceding steps to create other VLANs as needed.

Security policies determine which VLANs can communicate with which other interfaces. These are the simple Firewall Address policy without authentication. Users are assigned to the appropriate VLAN when they authenticate.

To connect and authorize the FortiAP unit

  1. Connect the FortiAP unit to the FortiGate unit.
  2. Go to WiFi & Switch Controller > Managed FortiAPs.
  3. When the FortiAP unit is listed, double-click the entry to edit it.
  4. In FortiAP Profile, select the FortiAP Profile that you created.
  5. Select Authorize.
  6. Select OK.

VLAN assignment by VLAN pool

In an SSID, you can define a VLAN pool. As clients associate to an AP, they are assigned to a VLAN. A VLAN pool can

l assign a specific VLAN based on the AP’s FortiAP Group, usually for network configuration reasons, or l assign one of several available VLANs for network load balancing purposes (tunnel mode SSIDs only)

To assign a VLAN by FortiAP Group – CLI

In this example, VLAN 101, 102, or 103 is assigned depending on the AP’s FortiAP Group.

config wireless-controller vap edit wlan set vlan-pooling wtp-group config vlan-pool edit 101 set wtp-group wtpgrp1

next edit 102 set wtp-group wtpgrp2

next edit 101 set wtp-group wtpgrp3

end

end end

Configuring user authentication

Load balancing

There are two VLAN pooling methods used for load balancing: The choice of VLAN can be based on any one of the following criteria:

l round-robin – from the VLAN pool, choose the VLAN with the smallest number of clients l hash – choose a VLAN from the VLAN pool based on a hash of the current number of SSID clients and the number of entries in the VLAN pool

If the VLAN pool contains no valid VLAN ID, the SSID’s static VLAN ID setting is used.

To assign a VLAN by round-robin selection – CLI

In this example, VLAN 101, 102, or 103 is assigned using the round-robin method:

config wireless-controller vap edit wlan set vlan-pooling round-robin config vlan-pool edit 101 next edit 102 next edit 103 end

end

end

To assign a VLAN by hash-based selection – CLI

In this example, VLAN 101, 102, or 103 is assigned using the hash method:

config wireless-controller vap edit wlan set vlan-pooling hash config vlan-pool edit 101 next edit 102 next edit 103 end

end

end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Defining SSID Groups

Leave a reply

Defining SSID Groups

Optionally, you can define SSID Groups. An SSID Group has SSIDs as members and can be specified just like an SSID in a FortiAP Profile.

To create an SSID Group – GUI

Go to WiFi & Switch Controller > SSID and select Create New > SSID Group. Give the group a Name and choose Members (SSIDs, but not SSID Groups).

To create an SSID Group – CLI:

config wireless-controller vap-group edit vap-group-name set vaps “ssid1” “ssid2”

end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Configuring WiFi captive portal security – FortiGate captive portal

Leave a reply

Configuring WiFi captive portal security – FortiGate captive portal

The built-in FortiGate captive portal is simpler than an external portal. It can even be customized if needed.

To configure a WiFi Captive Portal – web-based manager:

  1. Go to WiFi & Switch Controller > SSID and create your SSID.

If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.

  1. In Security Mode, select Captive Portal.
  2. Enter
Portal Type The portal can provide authentication and/or disclaimer, or perform user email address collection. See Defining a wireless network interface (SSID) on page 45.
Authentication Portal Local
User Groups Select permitted user groups or select Use Groups from Policies, which permits the groups specified in the security policy.
Exempt List Select exempt lists whose members will not be subject to captive portal authentication.
Customize Portal Messages Click the link of the portal page that you want to modify. For more information see the Captive Portal chapter of the Authentication Guide.
  1. Select OK.

Configuring WiFi captive portal security – external server

An external captive portal is a web page on a web server. The essential part of the web portal page is a script that gathers the user’s logon credentials and sends back to the FortiGate a specifically-formatted POST message. The portal page can also contain links to local information such as legal notices, terms of service and so on. Without authenticating, the user cannot access any other information. This is sometimes called a “walled garden”.

On the captive portal page, the user submits credentials, which the script returns to the FortiGate at the URL https://<FGT_IP>:1000/fgtauth with data magic=session_id&username=<username>&password=<password>.

(The magic value was provided in the initial FortiGate request to the web server.)

To ensure that credentials are communicated securely, enable the use of HTTPS for authentication:

config user setting set auth-secure-http enable

end

To configure use of an external WiFi Captive Portal – web-based manager:

  1. Go to WiFi & Switch Controller > SSIDand create your SSID.

If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.

  1. In Security Mode, select Captive Portal.
  2. Enter
Portal Type The portal can provide authentication and/or disclaimer, or perform user email address collection.
Authentication Portal External – enter the FQDN or IP address of the external portal. Typically, this is the URL of a script. Do not include the protocol (http:// or https://) part of the URL.
User Groups Select permitted user groups or select Use Groups from Policies, which permits the groups specified in the security policy.
Exempt List Select exempt lists whose members will not be subject to captive portal authentication.
Redirect after Captive Portal Original Request

Specific URL – enter URL

 

SSID Groups

  1. Select OK.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Fortinet and Wifi Multicast Enhancement

Leave a reply

Multicast enhancement

FortiOS can translate multicast traffic into unicast traffic to send to clients, maintaining its own multicast client through IGMP snooping. You can configure this in the CLI:

config wireless-controller vap edit example_wlan set multicast-enhance enable set me-disable-thresh 32

end

If the number of clients on the SSID is larger than me-disable-thresh, multicast enhancement is disabled.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiAP and Wireless

Leave a reply

Limiting the number of clients

You might want to prevent overloading of your access point by limiting the number of clients who can associate with it at the same time. Limits can be applied per SSID, per AP, or per radio.

To limit the number of clients per SSID – GUI

  1. Go to WiFi & Switch Controller > SSID and edit your SSID.
  2. Turn on Maximum Clients and enter the maximum number of clients in Limit Concurrent WiFi Clients.

To limit the number of clients per AP- CLI

Edit the wtp-profile (FortiAP profile), like this:

config wireless-controller wtp-profile edit “FAP221C-default” set max-clients 30

end

To limit the number of clients per radio – CLI

Edit the wtp-profile (FortiAP profile), like this:

config wireless-controller wtp-profile edit “FAP221C-default” config radio-1 set max-clients 10

end config radio-2 set max-clients 30

end

end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Configuring wireless security

Leave a reply

Configuring security

Using the web-based manager, you can configure Captive Portal security or WiFi Protected Access version 2 (WPA2) security modes WPA2-Personal and WPA2-Enterprise. Using the CLI, you can also choose WPA/WPA2 modes that support both WPA version 1 and WPA version 2.

WPA2 security with a pre-shared key for authentication is called WPA2-Personal. This can work well for one person or a small group of trusted people. But, as the number of users increases, it is difficult to distribute new keys securely and there is increased risk that the key could fall into the wrong hands.

A more secure form of WPA2 security is WPA2-Enterprise. Users each have their own authentication credentials, verified through an authentication server, usually RADIUS. FortiOS can also authenticate WPA2-Enterprise users through its built-in user group functionality. FortiGate user groups can include RADIUS servers and can select users by RADIUS user group. This makes possible Role-Based Access Control (RBAC).

By default, WPA2 security encrypts communication using Advanced Encryption Standard (AES). But some older wireless clients support only Temporal Key Integrity Protocol (TKIP) . You can change the encryption to TKIP or negotiable TKIP-AES in the CLI. For example, to accomodate clients with either TKIP or AES, enter:

config wireless-controller vap edit example_wlan set security wpa-personal set passphrase “hardtoguess” set encrypt TKIP-AES

end

Captive Portal security connects users to an open web portal defined in replacement messages. To navigate to any location beyond the web portal, the user must pass FortiGate user authentication.

WPA-Personal security

WPA2-Personal security setup requires only the preshared key that you will provide to your clients.

To configure WPA2-Personal security – web-based manager
  1. Go to WiFi & Switch Controller > SSID and edit your SSID entry.
  2. In Security Mode, select WPA2 Personal.
  3. In Pre-shared Key, enter a key between 8 and 63 characters long.
  4. Select OK.
To configure WPA2-Personal security – CLI

config wireless-controller vap edit example_wlan set security wpa2-personal set passphrase “hardtoguess”

end

WPA-Enterprise security

If you will use FortiOS user groups for authentication, go to User & Device > User > User Groups and create those groups first. The groups should be Firewall groups.

If you will use a RADIUS server to authenticate wireless clients, you must first configure the FortiGate unit to access the RADIUS server.

To configure FortiGate unit access to the RADIUS server – web-based manager
  1. Go to User & Device > RADIUS Servers and select Create New.
  2. Enter a Name for the server.
  3. In Primary Server Name/IP, enter the network name or IP address for the server.
  4. In Primary Server Secret, enter the shared secret used to access the server.
  5. Optionally, enter the information for a secondary or backup RADIUS server.
  6. Select OK.
To configure the FortiGate unit to access the RADIUS server – CLI

config user radius edit exampleRADIUS set auth-type auto set server 10.11.102.100 set secret aoewmntiasf

end

RADIUS Change of Authorization (CoA) support

The CoA feature enables the FortiGate to receive a client disconnect message from the RADIUS server. This is used to disconnect clients when their time, credit or bandwidth had been used up. Enable this on the RADIUS server using the CLI:

config user radius edit <name> set radius-coa enable

end

To configure WPA-Enterprise security – web-based manager
  1. Go to WiFi & Switch Controller > SSIDand edit your SSID entry.
  2. In Security Mode, select WPA2 Enterprise.
  3. In Authentication, do one of the following:

l If you will use a RADIUS server for authentication, select RADIUS Server and then select the RADIUS server. l If you will use a local user group for authentication, select Local and then select the user group(s) permitted to use the wireless network.

  1. Select OK.
To configure WPA-Enterprise security – CLI

config wireless-controller vap edit example_wlan set security wpa2-enterprise set auth radius

set radius-server exampleRADIUS

end

Captive Portal security

Captive Portal security provides an access point that initially appears open. The wireless client can connect to the AP with no security credentials. The AP responds to the client’s first HTTP request with a web page requesting user name and password. Until the user enters valid credentials, no communication beyond the AP is permitted.

The captive portal can be hosted on the FortiGate unit, or externally. For details see

Configuring WiFi captive portal security – FortiGate captive portal on page 53

Configuring WiFi captive portal security – external server on page 54

For general information about captive portals, see the Captive Portal chapter of the Authentication Guide.

Adding a MAC filter

On each SSID, you can create a MAC address filter list to either permit or exclude a list of clients identified by their MAC addresses.

This is actually not as secure as it appears. Someone seeking unauthorized access to your network can obtain MAC addresses from wireless traffic and use them to impersonate legitimate users. A MAC filter list should only be used in conjunction with other security measures such as encryption.

To configure a MAC filter – web-based manager

  1. Go to WiFi & Switch Controller > SSID and edit your SSID entry.
  2. In the DHCP Server section, expand Advanced.
  3. In MAC Reservation + Access Control, double-click in the Unknown MAC Addresses line and select Assign IP or Block, as needed.

By default, unlisted MAC addresses are assigned an IP address automatically.

  1. In MAC Reservation + Access Control, select Create New.
  2. Enter a MAC address In the MAC
  3. In IP or Action, select one of:
    • Reserve IP — enter the IP address that is always assigned to this MAC address. l Assign IP — an IP address is assigned to this MAC address automatically.
    • Block — This MAC address will not be assigned an IP address.
  4. Repeat steps 4 through 6 for each additional MAC address that you want to add.
  5. Select OK.

To configure a MAC filter – CLI

  1. Enter config system dhcp server show
  2. Find the entry where interface is your WiFi interface. Edit that entry and configure the MAC filter. In this example, the MAC address 11:11:11:11:11:11will be excluded. Unlisted MAC addresses will be assigned an IP address automatically. edit 3 config reserved-address edit 1 set action block set mac 11:11:11:11:11:11

end

set mac-acl-default-action assign

end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Configuring DHCP for WiFi clients

Leave a reply

Configuring DHCP for WiFi clients

Wireless clients need to have IP addresses. If you use RADIUS authentication, each user’s IP address can be stored in the Framed-IP-Address attribute. Otherwise, you need to configure a DHCP server on the WLAN interface to assign IP addresses to wireless clients.

To configure a DHCP server for WiFi clients – web-based manager

  1. Go to WiFi & Switch Controller > SSID and edit your SSID entry.
  2. In DHCP Server select Enable.
  3. In Address Range, select Create New.
  4. In the Starting IP and End IP fields, enter the IP address range to assign.

By default an address range is created in the same subnet as the wireless interface IP address, but not including that address.

  1. Set the Netmask to an appropriate value, such as 255.255.255.0.
  2. Set the Default Gateway to Same as Interface IP.
  3. Set the DNS Server to Same as System DNS.
  4. If you want to restrict access to the wireless network by MAC address, see Adding a MAC filter on page 51.
  5. Select OK.

To configure a DHCP server for WiFi clients – CLI

In this example, WiFi clients on the example_wlan interface are assigned addresses in the 10.10.120.2-9 range to connect with the WiFi access point on 10.10.120.1.

config system dhcp server edit 0 set default-gateway 10.10.120.1 set dns-service default set interface example_wlan set netmask 255.255.255.0 config ip-range edit 1 set end-ip 10.10.120.9 set start-ip 10.10.120.2

end

end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!