FortiWLC – Configuring Rogue AP Detection Using the CLI

Configuring Rogue AP Detection Using the CLI

These CLI commands configure rogue detection; for a complete explanation of the commands, see the FortiWLC (SD) Command Reference.

Adding APs to Scan List

default(15)# configure terminal
default(15)(config)# rogue-ap detection-ap 1
default(15)(config)# rogue-ap detection-ap 3
default(15)(config)# exit

Show Output

default(15)# sh rogue-ap detection-ap-list

AP ID
1
3
Rogue Device Detecting APs(2)

Deleting APs from Scan list

default(15)# configure terminal
default(15)(config)# no rogue-ap detection-ap 1
default(15)(config)# no rogue-ap detection-ap 3
default(15)(config)# end

Show Output

default(15)# show rogue-ap detection-ap-list

AP ID
Rogue Device Detecting APs(No entries)

Configuring the AP Access and Block Lists with the CLI

The feature uses an Access Control List (ACL) containing a list of allowed BSSIDs and a list of Blocked BSSIDs. By default, all Fortinet ESS BSSIDs in the WLAN are automatically included in the allowed ACL. A BSSID cannot appear in both lists.

To add an access point with a BSSID of 00:0e:cd:cb:cb:cb to the access control list as an authorized access point, type the following:

controller (config)# rogue-ap acl 00:0e:cd:cb:cb:cb
controller (config)#

To see a listing of all BSSIDs on the authorized list, type the following:

controller# show rogue-ap acl

Allowed APs
BSSID
00:0c:e6:cd:cd:cd
00:0e:cd:cb:cb:cb

A BSSID cannot be on both the blocked list and the access list for rogue AP detection at the same time. Suppose 00:0c:e6:cd:cd:cd is to be placed on the blocked list. If this BSSID is already on the authorized list, you must remove the BSSID from the authorized list, and then add the BSSID to the blocked list, as follows:

controller (config)# no rogue-ap acl 00:0c:e6:cd:cd:cd
controller (config)#
controller (config)# rogue-ap blocked 00:0c:e6:cd:cd:cd
controller (config)# exit
controller# show rogue-ap acl

Allowed APs
BSSID
00:0e:cd:cb:cb:cb

controller# show rogue-ap blocked

BssId               Creation Date   Last Reported
-----------------   --------------  --------------
00:0c:e6:cd:cd:cd   11/02 01:05:54   11/02 01:06:20
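The "not on both lists" rule above is easy to trip over when lists are maintained by hand. The following added Python example (not Fortinet's code) parses constructed copies of the two show listings, flags any BSSID that would end up on both lists, and emits the exact config-mode command sequence, including the required no rogue-ap acl step; it assumes the listings use plain ASCII hyphens.

```python
import re

# Constructed sample listings modelled on "show rogue-ap acl" (before the
# change) and "show rogue-ap blocked" (after it); not captured from a controller.
ACL_OUTPUT = """Allowed APs
BSSID
00:0c:e6:cd:cd:cd
00:0e:cd:cb:cb:cb
"""

BLOCKED_OUTPUT = """BssId               Creation Date   Last Reported
-----------------   --------------  --------------
00:0c:e6:cd:cd:cd   11/02 01:05:54   11/02 01:06:20
"""

# A BSSID is the first token of a data row in either listing.
BSSID_RE = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)


def parse_bssids(output):
    """Return the set of BSSIDs (lower-cased) that start a row of a listing."""
    found = set()
    for line in output.splitlines():
        m = BSSID_RE.match(line.strip())
        if m:
            found.add(m.group(1).lower())
    return found


def find_conflicts(allowed, blocked):
    """BSSIDs present in both the allowed ACL and the blocked list (must be empty)."""
    return sorted(allowed & blocked)


def block_commands(bssid, allowed):
    """Config-mode commands that move one BSSID onto the blocked list.

    If the BSSID is currently authorized it must be removed from the ACL first,
    otherwise the controller rejects the blocked-list entry.
    """
    bssid = bssid.lower()
    cmds = []
    if bssid in allowed:
        cmds.append(f"no rogue-ap acl {bssid}")
    cmds.append(f"rogue-ap blocked {bssid}")
    return cmds


if __name__ == "__main__":
    allowed = parse_bssids(ACL_OUTPUT)
    blocked = parse_bssids(BLOCKED_OUTPUT)
    for bssid in find_conflicts(allowed, blocked):
        print(f"conflict: {bssid} is on both lists; fix with:")
        for cmd in block_commands(bssid, allowed):
            print("  " + cmd)
```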

The commands to enable and confirm the rogue AP detection state are as follows:

controller (config)# rogue-ap detection
controller# show rogue-ap globals

Global Settings
Detection                              : on
Mitigation                             : none
Rogue AP Aging (seconds)               : 60
Number of Candidate APs                : 3
Number of Mitigating APs               : 5
Scanning time in ms                    : 100
Operational time in ms                 : 400
Max mitigation frames sent per channel : 10
Scanning Channels                      : 1,2,3,4,5,6,7,8,9,10,11,36,40,44,48,52,56,60,64,149,153,157,161,165
RSSI Threshold for Mitigation          : -100

Use the CLI command show rogue-ap-list to display all rogue clients and APs in the network.

Rogue Mitigation Example

Rogue AP mitigation for APs in the blocked list is enabled and confirmed as follows:

controller# configure terminal
controller (config)# rogue-ap detection
controller (config)# rogue-ap mitigation selected
controller (config)# exit
controller# show rogue-ap globals

Global Settings
Detection                              : on
Mitigation                             : selected
Rogue AP Aging (seconds)               : 60
Number of Candidate APs                : 3
Number of Mitigating APs               : 5
Scanning time in ms                    : 100
Operational time in ms                 : 400
Max mitigation frames sent per channel : 10
Scanning Channels                      : 1,2,3,4,5,6,7,8,9,10,11,36,40,44,48,52,56,60,64,149,153,157,161,165
RSSI Threshold for Mitigation          : -100

FortiWLC – Social Authentication Support

Social Authentication Support

The captive portal authentication process now supports Fortinet Presence as an external CP authentication server, which allows users to authenticate using social media accounts such as Facebook or Gmail OAuth.

Supported APs: AP122, AP822, AP832, OAP832, FAP-U421EV and FAP-U423EV.

Before proceeding, note the following:

  • Enable location service in the controller (see “Configuring FortiPresence API” on page 86 for more details).
  • Assign the AP in the data analytics store.
  • Not supported in “Bridge mode”.

To enable social authentication support, do the following:

  1. Create a captive portal exemptions profile.
  2. Configure the captive portal profile to use Fortinet Presence.
  3. Enable this captive portal profile in a security profile and add that security profile to the ESS profile.

Create Captive Portal Exemptions Profile

To enable social login, create a profile with the list of exempted URLs, then select FortiPresence as the external authentication server in the captive portal profile.

  1. Go to Configuration > Security > Captive Portal > Captive Portal Exemptions.
  2. Click the Add button to create a profile with the list of URLs that will be allowed for social authentication. To add multiple URLs to a profile, enter a space after each URL entry. You can add up to 32 URLs.

Configure Captive Portal Profile to use Fortinet Presence

  1. Go to the Configuration > Security > Captive Portal > Captive Portal Profiles page.
  2. Create a captive portal profile with Local or RADIUS as the authentication type.
    • If the authentication type is Local, create a guest user with the following credentials: username: gooduser, password: good.
    • If the authentication type is RADIUS, create a user on that RADIUS server with the following credentials: username: gooduser, password: good.
  3. Make the following changes to External Portal Settings:
    • Select Fortinet-Presence as the external server (1).
    • Select the profile (2) created with the exempted URLs.
    • Enter http://socialwifi.fortipresence.com/wifi.html?login as the URL (3) in the external portal URL.

For Fortinet Presence server configuration and account, see the FortiPresence configuration guide: http://docs.fortinet.com/d/fortipresence-analytics-configuration-guide

Enable this captive portal profile in security and ESS profiles

Enable the captive portal profile in the security profile and map the security profile in the ESS Profile.  In the security profile, make the following changes to the CAPTIVE PORTAL SETTINGS section:

  1. Set Captive Portal to Webauth.
  2. Select the captive portal created for enabling social wifi login.
  3. Set Captive Portal Authentication Method as External.

FortiWLC – OAuth Authentication Support

OAuth Authentication Support

FortiWLC (SD) together with Fortinet Connect (MCT) 14.10.0.2 supports OAuth authentication for captive portal users. In a typical scenario, when a user (for example, a hotel guest) tries to access an external web site, they are redirected to a captive portal page for authentication. On the captive portal page, the user must register with a username, password, e-mail address, and so on, and complete the authentication process after receiving confirmation from the hotel captive portal.

  • OAuth support must be enabled in Fortinet Connect.
  • Only wireless clients that access an SSL3-enabled (HTTPS) destination can use this feature.
  • If the wireless client uses a proxy server located on the wired network, the client is granted access to the Internet until the login timeout expires.
  • Supported only for ESS profiles in tunneled mode.
  • Supported only for IPv4 clients.

By enabling OAuth, users can authenticate to the captive portal with the login credentials of any social media provider that supports OAuth (Facebook, Google, Twitter, OpenID, and so on). For your users, this removes the need to register or to remember passwords for repeated authentication.

FortiWLC – Configure a RADIUS Server for Captive Portal Authentication

Configure a RADIUS Server for Captive Portal Authentication

Configure a RADIUS Server with Web UI for Captive Portal Authentication

For authentication purposes, you can set up the identity and secret for the RADIUS server. This takes precedence over any configured user IDs, but if RADIUS accounting fails over, the local authentication guest user IDs are used. To do this, follow these steps:

  1. Click Configuration > Security > RADIUS to access the RADIUS Profile Table.
  2. Click Add.
  3. Provide the RADIUS server information.
  4. Save the configuration by clicking OK.
  5. Enable a security profile for use with a Captive Portal login page by clicking Configuration > Security > RADIUS > Add.
  6. Provide the required information, such as the name of the RADIUS profile. L2 Mode must be Clear to use Captive Portal. Set Captive Portal to WebAuth and adjust any other parameters as required.

The identity and secret are now configured.

Configure a RADIUS Server with CLI for Captive Portal Authentication

The CLI command ssl-server captive-portal authentication-type configures the controller to use either local authentication, RADIUS authentication, or both. If both is selected, local authentication is tried first; if that doesn’t work, RADIUS authentication is attempted.

Controller(config)# ssl-server captive-portal authentication-type ?
  local                  Set Authentication Type to local.
  local-radius           Set Authentication Type to Local and RADIUS.
  radius                 Set Authentication Type to RADIUS.

The following example configures an authentication RADIUS profile named radius-auth-pri.

/* RADIUS PROFILE FOR AUTHENTICATION */
default# configure terminal
default(config)# radius-profile radius-auth-pri
default(config-radius)# ip-address 172.27.172.3
default(config-radius)# key sept20002
default(config-radius)# mac-delimiter hyphen
default(config-radius)# password-type shared-secret
default(config-radius)# port 1812
default(config-radius)# end
default#

default# sh radius-profile radius-auth-pri

RADIUS Profile Table

RADIUS Profile Name   : radius-auth-pri
Description           :
RADIUS IP             : 172.27.172.3
RADIUS Secret         : *****
RADIUS Port           : 1812
MAC Address Delimiter : hyphen
Password Type         : shared-secret

The following example configures a secondary authentication RADIUS profile named radius-auth-sec.

default# configure terminal
default(config)# radius-profile radius-auth-sec
default(config-radius)# ip-address 172.27.172.4
default(config-radius)# key sept20002
default(config-radius)# mac-delimiter hyphen
default(config-radius)# password-type shared-secret
default(config-radius)# port 1812
default(config-radius)# end
default#

default# sh radius-profile radius-auth-sec

RADIUS Profile Table

RADIUS Profile Name   : radius-auth-pri
Description           :
RADIUS IP             : 172.27.172.4
RADIUS Secret         : *****
RADIUS Port           : 1812
MAC Address Delimiter : hyphen
Password Type         : shared-secret

FortiWLC – Third-Party Captive Portal Solutions

Third-Party Captive Portal Solutions

Instead of using the Fortinet Captive Portal solution, you can use a third-party solution; you cannot use both. Companies such as Bradford, Avenda, and CloudPath all provide Captive Portal solutions that work with FortiWLC (SD) 4.1 and later. You need to indicate a third-party captive portal solution in two places: in the corresponding Security Profile and in the Captive Portal configuration.

Configure Third-Party Captive Portal With the Web UI

Indicate that a third-party Captive Portal solution will be used in the Security Profile by setting Captive Portal Authentication Method to external. For complete directions, see Configure a Security Profile With the Web UI.

Indicate that a third-party Captive Portal solution will be used in the Captive Portal configuration by setting Captive Portal External URL to the URL of the Captive Portal box:

  1. Click Configuration > Security > Captive Portal.
  2. Change the value for CaptivePortal External URL to the URL of the third-party box.
  3. Click OK.

Configure Third-Party Captive Portal With the CLI

Configure an SSL server before configuring the third-party captive portal in the security profile. An example SSL server configuration follows:

controller1# show ssl-server Captive Portal

Name                                         : Captive Portal
Server Port                                  : 10101
User Authentication Protocol                 : None
Server Lifetime                              : 100
Server IP                                    : 172.18.37.223
Certificate                                  :
Authentication Type                          : radius
Primary Profile                              : IDAU1721946201
Secondary Profile                            :
Primary Profile                              : IDAC1721946201
Secondary Profile                            :
Accounting Interim Interval (seconds)        : 60
CaptivePortalSessionTimeout                  : 0
CaptivePortalActivityTimeout                 : 0
Protocol                                     : https
Portal URL                                   :
CaptivePortal External URL                   : https://172.19.46.201/portal/172.18.37.223?meruInitialRedirect
CaptivePortal External IP                    : 172.18.37.223
L3 User Session Timeout(mins)                : 1
Apple Captive Network Assistant (CNA) Bypass : on

Example of configuring an SSID with an external captive portal:

controller1# configure terminal
controller1(config)# security-profile CPExternal
controller1(config-security)# captive-portal-auth-method external
controller1(config-security)# passthrough-firewall-filter-id IDMAUTH
controller1(config)# essid CaptivePortal-External
controller1(config-essid)# security-profile CaptivePortal-External
controller1(config-essid)# end

FortiWLC – CP Bypass for MAC Authenticated Clients

CP Bypass for MAC Authenticated Clients

Wired and wireless clients that are successfully authenticated by their MAC address (MAC Filtering) are treated as captive portal authenticated clients. Both RADIUS-based MAC filtering and local MAC filtering are supported for CP bypass. However, to intentionally block a client, add its MAC address only to the local ACL deny list.

To bypass CP authentication, do the following in a security profile:

  1. Enable Captive Portal and MAC Filtering in the same security profile.
  2. Enable “Captive Portal Bypass For MAC Authentication”.
  3. Use this security profile for the ESSID.

NOTES

  • Captive Portal must be enabled.
  • If MAC-filtering authentication fails, the client is redirected for Web Authentication.

Configuring using CLI

Use the captive‐portal‐bypass‐mac command to enable or disable this functionality.

The following station logs provide information on client status:

Wireless Station: MAC-filtering Success and CP is bypassed:

2016-May- 1 04:24:53.030415 | 00:73:8d:b9:e6:bf | Mac Filtering | Mac in permit list - accept client
2016-May- 1 04:24:53.030895 | 00:73:8d:b9:e6:bf | Mac Filtering | Mac-Filtering is Success and Captive Portal is Bypassed for Wireless Client <00:73:8d:b9:e6:bf>

Wired Station: MAC-filtering Success and CP is bypassed:

2016-May- 1 04:38:06.888828 | f0:1f:af:33:cd:4e | Mac Filtering | Mac in permit list - accept client
2016-May- 1 04:38:06.890213 | f0:1f:af:33:cd:4e | Mac Filtering | Mac-Filtering is Success and Captive Portal is Bypassed for Wired Client <f0:1f:af:33:cd:4e>
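Station logs in the format above are the audit trail for who skipped the portal. The following added Python example (not Fortinet's code) parses constructed copies of those lines, records which MACs bypassed CP as wired or wireless clients, skips lines whose <mac> in the message disagrees with the MAC column, and lists MACs that were accepted by MAC filtering without a bypass line; it assumes the timestamp format "YYYY-Mon-D HH:MM:SS.ffffff" with a space-padded day.

```python
import re
from datetime import datetime

# Constructed station log lines copying the format shown above (not captured
# from a controller); the MAC addresses are the page's own example values.
STATION_LOG = """\
2016-May- 1 04:24:53.030415 | 00:73:8d:b9:e6:bf | Mac Filtering | Mac in permit list - accept client
2016-May- 1 04:24:53.030895 | 00:73:8d:b9:e6:bf | Mac Filtering | Mac-Filtering is Success and Captive Portal is Bypassed for Wireless Client <00:73:8d:b9:e6:bf>
2016-May- 1 04:38:06.888828 | f0:1f:af:33:cd:4e | Mac Filtering | Mac in permit list - accept client
2016-May- 1 04:38:06.890213 | f0:1f:af:33:cd:4e | Mac Filtering | Mac-Filtering is Success and Captive Portal is Bypassed for Wired Client <f0:1f:af:33:cd:4e>
"""

BYPASS_RE = re.compile(
    r"Captive Portal is Bypassed for (Wireless|Wired) Client <([0-9a-f:]{17})>", re.I)


def parse_line(line):
    """Split 'timestamp | mac | category | message' into a dict, or None."""
    parts = [p.strip() for p in line.split("|", 3)]
    if len(parts) != 4:
        return None
    # The day is space-padded ("May- 1"); drop the padding before parsing.
    ts = datetime.strptime(parts[0].replace("- ", "-"), "%Y-%b-%d %H:%M:%S.%f")
    return {"time": ts, "mac": parts[1].lower(), "category": parts[2], "message": parts[3]}


def cp_bypass_events(log_text):
    """Map each MAC that bypassed CP to {'kind': 'wired'|'wireless', 'time': datetime}.

    A line whose <mac> in the message does not match the MAC column is
    inconsistent and is ignored rather than trusted.
    """
    events = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        m = BYPASS_RE.search(rec["message"])
        if not m or m.group(2).lower() != rec["mac"]:
            continue
        events[rec["mac"]] = {"kind": m.group(1).lower(), "time": rec["time"]}
    return events


def permitted_without_bypass(log_text):
    """MACs accepted by MAC filtering that never logged a CP bypass.

    Such clients are still subject to captive portal authentication.
    """
    accepted = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and "accept client" in rec["message"]:
            accepted.add(rec["mac"])
    return sorted(accepted - set(cp_bypass_events(log_text)))
```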

The following flowchart illustrates the flow of CP bypass for MAC authenticated clients.

FortiWLC – Captive Portal (CP) Authentication for Wired Clients

Captive Portal (CP) Authentication for Wired Clients

Wired clients connected via a port profile (tunnelled or bridged) require CP authentication to pass external traffic. Wired clients can use CP authentication with a security profile whose L2 mode is Clear or 802.1X Clear.

Supported access points: AP122, AP822v2, AP822, OAP832, AP832, AP332 (only supports the G1/G2 port in mesh configuration), AP433 (only supports the G1 port in mesh configuration), FAP-U421EV, and FAP-U423EV.

To allow wired clients to pass external traffic, do the following:

  1. Create a captive portal (CP) profile.
  2. Map the CP profile to the security profile. In the security profile, ensure that at least one of the security options (802.1X, WebAuth, MAC Authentication, or CP Bypass) is enabled.
  3. Map the security profile to the port profile.

NOTES

  • CP authentication is available only when VLAN trunk is disabled.
  • Dynamic VLAN is not supported.
  • Wired clients connected to a leaf AP should be in a bridge mode port profile.
  • Re-authentication fails if the Ethernet cable is disconnected and reconnected at the wired client’s port.

Station log for wired client

2015-Dec-2 14:31:55.075109 | 08:9e:01:28:64:25 | Station Assign | wired Assigned to <AP_ID=2>(v0)

FortiWLC – Captive Portal With N+1

Captive Portal With N+1

Captive Portal changes are propagated in an N+1 environment as follows. When a slave takes over from a master, it uses the master’s Captive Portal pages. If changes are made on that active slave, the change is not automatically propagated to the master.

Troubleshooting Captive Portal

  • The same subnet should not be entered for both CaptivePortal1 and CaptivePortal2. If you do this, only the CaptivePortal1 configured splash page will be displayed.

  • Custom pages have to be imported properly before making use of this feature. See “Optionally Customize and Use Your Own HTML Pages” on page 282.
  • To check that the pages and images have been properly imported into the controller, use the command show web custom-area.
  • To check that the imported page comes up properly, use https://<controller ip>/vpn/<page Name>.
  • To ensure that Captive Portal authentication is taking place, look for the Access-Accept message from the RADIUS server during Captive Portal authentication.
  • Even when using custom CP pages, four default HTML files are used; only two are actually customized. The only way to change this is to alter the four default files, which are used for both CP1 and CP2.

Captive Portal Profiles

The captive portal profiles feature allows you to create individual captive portal profiles with distinct configuration settings. Such captive portal profiles can be mapped to security profiles for fine control over captive portal user access.

A captive portal profile is created from the Configuration > Security > Captive Portal page. The Captive Portal Profile tab is used to specify the captive portal profile settings. Once created, this captive profile can be enabled in a security profile. The following screen-shots illustrate the process to create and assign a captive profile.

  1. Creating a Captive Portal Profile
  2. Assigning a Captive Portal Profile to a Security Profile
