Stations can receive IP dynamically when the AP is in tunneled and bridged mode with the RADIUS server dynamically assigning the VLAN’s.
You can enable VLAN tagging for wired ports in bridged mode. VLAN tagging for wired ports provide four VLAN policies:
In the port profile configuration, use the following commands to specify the policy and the VLAN tag.
VLAN Tagging in Bridge Mode for Wired Ports
When creating an ESS, AP400/AP822/AP832, FAP-U421EV, FAP-U423EV and AP1000 can be configured to bridge the traffic to the Ethernet interface. This is called bridged VLAN dataplane mode (per ESSID); it is also sometimes known as Remote AP mode. These two AP models also have the capability to tag the Ethernet frames when egressing the port, using 802.1Q VLAN tags, and setting the 802.1p priority bit. Bridging is configured setting the Dataplane Mode parameter in the ESS profile to Bridged (default is Tunneled).
Configure and Deploy a VLAN
In Tunneled mode, all traffic in an ESS is sent from the AP to the controller, and then forwarded from there. This is configured on a per ESS profile basis. In Bridged mode, client traffic is sent out to the local switch. Fortinet control and coordination traffic is still sent between the AP and the controller.
Remote AP400s can use VLANs with FortiWLC (SD) 4.0 and later. When configuring an ESS, the Dataplane Mode setting selects the type of AP/Controller configuration:
Bridged VLANs support:
See the ESSID chapters in this guide for more information on configuring an ESSID.
VLANs can be configured/owned either by E(z)RF Network Manager or by a controller. You can tell where a profile was configured by checking the read-only field Owner; the Owner is either nms-server or controller.
In order to map an ESSID to a VLAN, the VLAN must first be configured. To create a VLAN from the CLI, use the command vlan name tag id. The name can be up to 16 alphanumeric characters long and the tag id between 1 and 4,094.
For example, to create a VLAN named guest with a tag number of 1, enter the following in global configuration mode:
controller (config)# vlan guest tag 1 controller (config‐vlan)#
As shown by the change in the prompt above, you have entered VLAN configuration mode, where you can assign the VLAN interface IP address, default gateway, DHCP Pass-through or optional DHCP server (if specified, this DHCP server overrides the controller DHCP server configuration).
In the following example, the following parameters are set:
controller (config‐vlan)# ip address 10.1.1.2 255.255.255.0 controller (config‐vlan)# ip default-gateway 10.1.1.1 controller (config‐vlan)# ip dhcp-server 10.1.1.254 controller (config‐vlan)# exit controller (config)#
To create a VLAN from the GUI, click Config > Wired > VLAN > Add.
A virtual local area network (VLAN) is a broadcast domain that can span across wired or wireless LAN segments. Each VLAN is a separate logical network. Several VLANs can coexist within any given network, logically segmenting traffic by organization or function. In this way, all systems used by a given organization can be interconnected independent of physical location. This has the benefit of limiting the broadcast domain and increasing security. VLANs can be configured in software, which enhances their flexibility. VLANs operate at the data link layer (OSI Layer 2), however, they are often configured to map directly to an IP network, or subnet, at the network layer (OSI Layer 3). You can create up to 512 VLANs.
IEEE 802.1Q is the predominant protocol used to tag traffic with VLAN identifiers. VLAN1 is called the default or native VLAN. It cannot be deleted, and all traffic on it is untagged. A trunk port is a network connection that aggregates multiple VLANs or tags, and is typically used between two switches or between a switch and a router. VLAN membership can be portbased, MAC-based, protocol-based, or authentication-based when used in conjunction with the 802.1x protocol. Used in conjunction with multiple ESSIDs, VLANs support multiple wireless networks on a single Access Point using either a one-to-one mapping of ESSID to VLAN, or mapping multiple ESSIDs to one VLAN. By assigning a security profile to a VLAN, the security requirements can be fine-tuned based on the use of the VLAN, providing wire-like security or better on a wireless network.
VLAN assignment is done for RADIUS-based MAC filtering and authentication. VLAN assignment is not done in Captive Portal Authentication by any of the returned attributes. Because VLANs rely on a remote switch that must be configured to support trunking, also refer to the Fortinet Wi-Fi Technology Note WF107, “VLAN Configuration and Deployment.” This document contains the recommended configuration for switches as well as a comprehensive description of VLAN configuration and deployment.
The default settings that are configured for the rogue AP detection and mitigation features are adequate for most situations. However, many default settings can be changed if your network requires lighter or heavier scanning and/or mitigation services. The following is the list of rogue-ap commands:
controller (config)# rogue‐ap ?
acl Add a new rogue AP ACL entry. aging Sets the aging of alarms for rogue APs. assigned‐aps Number of APs assigned for mitigation. blocked Add a new rogue AP blocked entry. detection Turn on rogue AP detection. min‐rssi Sets RSSI Threshold for Mitigation. mitigation Set the rogue AP mitigation parameters.
mitigation‐frames Sets the maximum number of mitigation frames sent out per channel.
operational‐time Sets the APs time on the home channel during scanning. scanning‐channels Sets the global Rogue AP scanning channels. scanning‐time Sets the APs per channel scanning time
As a general rule, unless the AP is in dedicated scanning mode, the more time that is spent scanning and mitigating, the less time is spent by the AP in normal WLAN operating services. Some rules determine how service is provided:
By default, three Mitigating APs are selected by the controller to perform scanning and mitigation. This number can be set to a high of 20 APs or down to 1 AP, depending on the needs of your network. To change the number of mitigating APs to 5:
controller (config)# rogue-ap assigned-aps 5
When rogue AP scanning is enabled, for any given period, the AP spends part of the time scanning channels, and part of the time performing normal AP WLAN operations on the home channel. This cycle of scan/operate repeats so quickly that both tasks are performed without noticeable network operation degradation.
If scanning is enabled, the rogue-ap operational-time command sets the number of milliseconds that are spent in operational time, performing normal wireless services, on the home channel. This command is related to the rogue-ap scanning-time command. The channels that are scanned are determined by the rogue-ap scanning channels command. The complete set of default channels are 1,2,3,4,5,6,7,8,9,10,11,36,40,44,48,52,56,60,64,149,153,157,161,165.
The following command changes the operational time from the default 400 to 2500 milliseconds: controller (config)# rogue-ap operational-time 2500
The following command changes the scanning time from the default 100 to 200 milliseconds: controller (config)# rogue-ap scanning-time 200
The following command sets the scanning channels to 1, 6, 11, 36, 44, 52, 60:
controller (config)# rogue-ap scanning-channels 1,6,11,36,44,52,60 controller (config)# exit
To verify the changes, use the show rogue-ap globals command:
controller# show rogue-ap globals
Global Settings
Detection : on
Mitigation : selected
Rogue AP Aging (seconds) : 60
Number of Candidate APs : 5
Number of Mitigating APs :5
Scanning time in ms : 200
Operational time in ms : 2500
Max mitigation frames sent per channel : 10
Scanning Channels : 1,6,11,36,44,52,60
RSSI Threshold for Mitigation : ‐100
RSSI is the threshold for which APs attempt to mitigate rogues; if the signal is very week (distant AP), APs won’t try to mitigate it.
The command to change the minimum RSSI (Received Signal Strength Indication) level, over which a station will be mitigated is rogue-ap min-rssi. A level range of 0 of -100 is supported, with -100 being the default setting.
The following command sets the minimum RSSI level to -80:
controller (config)# rogue-ap min-rssi -80 controller (config)#
TABLE 20: CLI Commands for Rogue Mitigation
| Rogue Mitigation Command | Action |
| rogue-ap mitigation all | Sets rogue mitigation for all rogue APs that are not on the access control list. |
| rogue-ap mitigation selected | Sets rogue mitigation for all rogue APs that are on the blocked list. |
| rogue-ap mitigation wiredrogue | Sets rogue mitigation for all wired-side rogue APs. If rogue clients on the wired side are added to the blocked ACL list, then only those listed wired-side rogue clients are blocked. |
| show rogue-ap globals | Displays current rogue data. |
| rogue-ap mitigation none | Turns off rogue mitigation. |
Rogue AP mitigation for APs in the blocked list is enabled and confirmed as follows:
controller# configure terminal controller(config)# rogue‐ap detection controller(config)# rogue-ap mitigation selected controller(config)# exit controller# show rogue-ap globals
Global Settings
Detection : on
Mitigation : selected
Rogue AP Aging (seconds) : 60
Number of Candidate APs : 3
Number of Mitigating APs : 5
Scanning time in ms : 100
Operational time in ms : 400
Max mitigation frames sent per channel : 10
Scanning Channels :
1,2,3,4,5,6,7,8,9,10,11,36,40,44,48,52,56,60,64,149,153,157,161,165 RSSI Threshold for Mitigation : ‐100
The default settings that are configured for the rogue AP detection and mitigation features are adequate for most situations. However, many default settings can be changed if your network requires lighter or heavier scanning and/or mitigation services. The following is the list of rogue-ap commands:
controller(config)# rogue‐ap ?
acl Add a new rogue AP ACL entry. aging Sets the aging of alarms for rogue APs. assigned‐aps Number of APs assigned for mitigation. blocked Add a new rogue AP blocked entry. detection Turn on rogue AP detection.
min‐rssi Sets RSSI Threshold for Mitigation. mitigation Set the rogue AP mitigation parameters.
mitigation‐frames Sets the maximum number of mitigation frames sent out per channel.
operational‐time Sets the APs time on the home channel during scanning. scanning‐channels Sets the global Rogue AP scanning channels. scanning‐time Sets the APs per channel scanning time
As a general rule, unless the AP is in dedicated scanning mode, the more time that is spent scanning and mitigating, the less time is spent by the AP in normal WLAN operating services. Some rules determine how service is provided:
By default, three mitigating APs are selected by the controller to perform scanning and mitigation. This number can be set to a high of 20 APs or down to 1 AP, depending on the needs of your network, although we do not recommend assigning a high number of APs for mitigation because they can interfere with each other while mitigating the rogue. To change the number of mitigating APs to 5: controller(config)# rogue‐ap assigned‐aps 5
When rogue AP scanning is enabled, for any given period, the AP spends part of the time scanning channels, and part of the time performing normal AP WLAN operations on the home channel. This cycle of scan/operate repeats so quickly that both tasks are performed without noticeable network operation degradation.
If scanning is enabled, the rogue-ap operational-time command sets the number of milliseconds that are spent in operational time, performing normal wireless services, on the home channel. This command is related to the rogue-ap scanning-time command. The channels that are scanned are determined by the rogue-ap scanning channels command. The complete set of default channels are 1,2,3,4,5,6,7,8,9,10,11,36,40,44,48,52,56,60,64,149,153,157,161,165.
The following command changes the operational time from the default 400 to 2500 milliseconds: controller(config)# rogue-ap operational-time 2500
The following command changes the scanning time from the default 100 to 200 milliseconds: controller(config)# rogue-ap scanning-time 200
The following command sets the scanning channels to 1, 6, 11, 36, 44, 52, 60:
controller(config)# rogue-ap scanning-channels 1,6,11,36,44,52,60 controller(config)# exit
To verify the changes, use the show rogue-ap globals command:
controller# show rogue-ap globals
Global Settings
Detection : on
Mitigation : selected
Rogue AP Aging (seconds) : 60
Number of Candidate APs : 5
Number of Mitigating APs : 5
Scanning time in ms : 200
Operational time in ms : 2500
Max mitigation frames sent per channel : 10 Scanning Channels : 1,6,11,36,44,52,60
RSSI Threshold for Mitigation : ‐100
RSSI is the threshold for which APs attempt to mitigate rogues; if the signal is very week (distant AP), APs won’t try to mitigate it.
The command to change the minimum RSSI (Received Signal Strength Indication) level, over which a station will be mitigated is rogue-ap min-rssi. A level range of 0 of -100 is supported, with -100 being the default setting.
The following command sets the minimum RSSI level to -80:
controller(config)# rogue-ap min-rssi -80 controller(config)#
To prevent clients of unauthorized APs from accessing your network, enable the options for both scanning for the presence of rogue APs and mitigating the client traffic originating from them. These features are set globally, with the controller managing the lists of allowable and blocked WLAN BSSIDs and coordinating the set of APs (the Mitigating APs) that perform mitigation when a rogue AP is detected.
When rogue AP scanning (detection) is enabled, for any given period, the AP spends part of the time scanning channels (determined by the Scanning time in ms setting), and part of the time performing normal AP WLAN operations on the home channel (determined by the Operational time in ms setting). This cycle of scan/operate repeats so quickly that both tasks are performed without noticeable network operation degradation.
The channels that are scanned by a particular AP are determined by the model of AP. As a result of the channel scan, a list of rogue APs is compiled and sent by the controller to a number of Mitigating APs that are closest to the rogue AP. Mitigating APs send mitigation (deauth) frames to the rogue AP where clients are associated to remove those clients from the network. This presence of the rogue AP generates alarms that are noted on the Web UI monitoring dashboard and via syslog alarm messages so the administrator is aware of the situation and can then remove the offending AP or update the configuration list.
As well, if a rogue device seen on the wired interface of the AP and if the device is in the AP’s discovered list of stations a wired rogue notification will be sent via the Web UI monitoring dashboard and syslog alarm message. If the rogue client is associated with the AP, that client is also classified as a rogue.
To change the list of allowed APs, follow these steps:
Figure 63: Web UI List of Allowed APs
To change the list of allowed APs, follow these steps:
To configure rogue AP scanning and mitigation settings, follow these steps:
The Rogue AP screen appears with the Global Settings tab selected. See Figure 62.
Figure 64: Web UI Rogue AP Global Settings
1,2,3,4,5,6,7,8,9,10,11,36,40,44,48,52,56,60,64,149,153,157,161,165.
10.In the RSSI Threshold for Mitigation text box, enter the minimum threshold level over which stations are mitigated. The range of valid values is from to -100 to 0.
11.Click OK.
If a station that is already present in the discovered station database (learned wirelessly by the AP) is also discovered via DHCP broadcast on the APs wired interface, it implies that the station is connected to the same physical wired network as the AP. Such a station could potentially be a rogue device and is flagged by the controller as a wired rogue, indicating the rogue was identified as being present on the same wired network as the AP. If mitigation is enabled for wired rogue, mitigation action is performed accordingly on the rogue device.
Rogue APs are unauthorized wireless access points. These rogues can be physically connected to the wired network or they can be outside the building in a neighbor’s network or they can be in a hacker’s parked car. Valid network users should not be allowed to connect to the rogue APs because rogues pose a security risk to the corporate network. Rogue APs can appear in an enterprise network for reasons as innocent as users experimenting with WLAN technology, or reasons as dangerous as a malicious attack against an otherwise secure network. Physical security of the building, which is sufficient for wired networks with the correct application of VPN and firewall technologies, is not enough to secure the WLAN. RF propagation inherent in WLANs enables unauthorized users in near proximity of the targeted WLAN (for example, in a parking lot) to gain network access as if they were inside the building.
TABLE 19: Fortinet Support of Rogue Detection and Mitigation
| Rogue Detection | Rogue Mitigation | |
| AP1000 | 4.1 and later | 4.1 and later |
| AP400 | 5.0 and later | 5.0 and later |
Regardless of why a rogue AP exists on a WLAN, it is not subject to the security policies of the rest of the WLAN and is the weak link in an overall security architecture. Even if the person who introduced the rogue AP had no malicious intent, malicious activity can eventually occur. Such malicious activity includes posing as an authorized access point to collect security information that can be used to further exploit the network. Network security mechanisms typically protect the network from unauthorized users but provide no means for users to validate the authenticity of the network itself. A security breach of this type can lead to the collection of personal information, protected file access, attacks to degrade network performance, and attacks to the management of the network.
To prevent clients of unauthorized APs from accessing your network, enable the options for both scanning for the presence of rogue APs and mitigating the client traffic originating from them. These features are set globally from either the CLI or Web UI, with the controller managing the lists of allowable and blocked WLAN BSSIDs and coordinating the set of APs (the mitigating APs) that perform mitigation when a rogue AP is detected.
As a result of the channel scan, a list of rogue APs is compiled and sent by the controller to a number of mitigating APs that are closest to the rogue AP. Mitigating APs send mitigation
307
(deauth) frames to the rogue AP where clients are associated to remove those clients from the network. This presence of the rogue AP generates alarms that are noted on the Web UI monitoring dashboard and via syslog alarm messages so the administrator is aware of the situation and can then remove the offending AP or update the configuration list.
Rogue Scanning can be configured so that it is a dedicated function of a radio on a dual radio AP or a part time function of the same radio that also serves clients. When rogue AP scanning (detection) is enabled, for any given period, an AP spends part of the time scanning channels and part of the time performing normal AP WLAN operations on the home channel. This cycle of scan/operate, which occurs on a designated AP or an AP interface without assigned stations, ensures there is no network operation degradation.
For AP400 and AP1000, each radio is dual band (supports both 2.4GHz and 5.0GHz) and capable of scanning for all channels and all bands when configured as a dedicated scanning radio. As access points are discovered, their BSSID is compared to an AP access control list of BSSIDs. An access point might be known, blocked, or nonexistent on the access control list. A “known” AP is considered authorized because that particular BSSID was entered into the list by the system administrator. A “selected” AP is blocked by the Wireless LAN System as an unauthorized AP. The Fortinet WLAN also reports other APs that are not on the access control list; these APs trigger alerts to the admin console until the AP is designated as known or selected in the access control list. For example, a third party BSS is detected as a rogue unless it is added to the access control list.
Fortinet APs also detect rogue APs by observing traffic either from the access point or from a wireless station associated to a rogue. This enables the system to discover a rogue AP when the rogue is out of range, but one or more of the wireless stations associated to it are within range.
To prevent clients of unauthorized APs from accessing your network, enable the options for both scanning for the presence of rogue APs and mitigating the client traffic originating from them. These features are set globally, with the controller managing the lists of allowable and blocked WLAN BSSIDs and coordinating the set of APs (the Mitigating APs) that perform mitigation when a rogue AP is detected.
Configuring Rogue AP Mitigation with Web UI
You can create a white-list of APs that will perform rogue detection. Other APs that are not added to this white-list will not scan for rogue AP/clients.
When rogue AP scanning (detection) is enabled, for any given period, the AP spends part of the time scanning channels (determined by the setting Scanning time in ms), and part of the time performing normal AP WLAN operations on the home channel (determined by the setting Operational time in ms). This cycle of scan/operate repeats so quickly that both tasks are performed without noticeable network operation degradation.
The channels that are scanned by a particular AP are determined by the model of the AP. As a result of the channel scan, a list of rogue APs is compiled and sent by the controller to a number of Mitigating APs that are closest to the rogue AP. Mitigating APs send mitigation (deauth) frames to the rogue AP where clients are associated to remove those clients from the network. This presence of the rogue AP generates alarms that are noted on the Web UI monitoring dashboard and via syslog alarm messages so the administrator is aware of the situation and can then remove the offending AP or update the configuration list.
As well, if a rogue device seen on the wired interface of the AP and if the device is in the AP’s discovered list of stations a wired rogue notification will be sent via the Web UI monitoring dashboard and syslog alarm message. If the rogue client is associated with the AP, that client is also classified as a rogue.
To change the list of allowed APs, follow these steps:
Configuring Rogue AP Mitigation with Web UI
To change the list of allowed APs, follow these steps:
Configuring Rogue AP Mitigation with Web UI
To configure rogue AP scanning and mitigation settings, follow these steps:
The Rogue AP screen appears with the Global Settings tab selected. See Figure 62.
Figure 62: Web UI Rogue AP Global Settings
Configuring Rogue AP Mitigation with Web UI
1,2,3,4,5,6,7,8,9,10,11,36,40,44,48,52,56,60,64,149,153,157,161,165.
10.In the RSSI Threshold for Mitigation text box, enter the minimum threshold level over which stations are mitigated. The range of valid values is from to -100 to 0.
11.Click OK.