Category Archives: FortiGate

Configuring wireless network clients

This chapter shows how to configure typical wireless network clients to connect to a wireless network with WPAEnterprise security.

Windows XP client

Windows 7 client

Mac OS client

Linux client

Troubleshooting

Windows XP client

To configure the WPA-Enterprise network connection

In the Windows Start menu, go to Control Panel > Network Connections > Wireless Network Connection or select the wireless network icon in the Notification area of the Taskbar. A list of available networks is displayed.

Windows XP

If you are already connected to another wireless network, the Connection Status window displays. Select View Wireless Networks on the General tab to view the list.

If the network broadcasts its SSID, it is listed. But do not try to connect until you have completed the configuration step below. Because the network doesn’t use the Windows XP default security configuration, configure the client’s network settings manually before trying to connect.

You can configure the WPA-Enterprise network to be accessible from the View Wireless Networks window even if it does not broadcast its SSID.
Select Change Advanced Settings and then select the Wireless Networks

Any existing networks that you have already configured are listed in the Preferred Networks list.

Windows XP client

Select Add and enter the following information:

Network Name (SSID)	The SSID for your wireless network
Network Authentication	WPA2
Data Encryption	AES

If this wireless network does not broadcast its SSID, select Connect even if this network is not broadcasting so that the network will appear in the View Wireless Networks

Windows XP

Select the Authentication
In EAP Type, select Protected EAP (PEAP).
Make sure that the other two authentication options are not selected.

Windows XP client

Select Properties.
Make sure that Validate server certificate is selected.
Select the server certificate Entrust Root Certification Authority.
In Select Authentication Method, select Secured Password (EAP-MSCHAPv2).
Ensure that the remaining options are not selected.
Select Configure.
If your wireless network credentials are the same as your Windows logon credentials, select Automatically use my Windows logon name and password. Otherwise, make sure that this option is not selected.
Select OK. Repeat until you have closed all of the Wireless Network Connection Properties

Windows 7

To connect to the WPA-Enterprise wireless network

Select the wireless network icon in the Notification area of the Taskbar.
In the View Wireless Networks list, select the network you just added and then select Connect. You might need to log off of your current wireless network and refresh the list.
When the following popup displays, click on it.
In the Enter Credentials window, enter your wireless network User name, Password, and Logon domain (if applicable). Then, select OK.

In future, Windows will automatically send your credentials when you log on to this network.

Windows 7 client

In the Windows Start menu, go to Control Panel > Network and Internet > Network and Sharing Center > Manage Wireless Networks or select the wireless network icon in the Notification area of the Taskbar. A list of available networks is displayed.

Windows 7 client

Do one of the following:

l If the wireless network is listed (it broadcasts its SSID), select it from the list. l Select Add > Manually create a network profile.

Windows 7

Enter the following information and select Next.

Network name	Enter the SSID of the wireless network. (Required only if you selected Add.)
Security type	WPA2-Enterprise
Encryption type	AES
Start this connection automatically	Select
Connect even if the network is not broadcasting.	Select

The Wireless Network icon will display a popup requesting that you click to enter credentials for the network. Click on the popup notification.

In the Enter Credentials window, enter your wireless network User name, Password, and Logon domain (if applicable). Then, select OK.
Select Change connection settings.
On the Connection tab, select Connect automatically when this network is in range.
On the Security tab, select the Microsoft PEAP authentication method and then select Settings.

Windows 7 client

Make sure that Validate server certificate is selected.
Select the server certificate Entrust Root Certification Authority.
In Select Authentication Method, select Secured Password (EAP-MSCHAPv2).
Select Configure.
If your wireless network credentials are the same as your Windows logon credentials, select Automatically use my Windows logon name and password. Otherwise, make sure that this option is not selected.
Ensure that the remaining options are not selected.
Select OK. Repeat until you have closed all of the Wireless Network Properties

Mac OS

Mac OS client

To configure network preferences

Right-click the AirPort icon in the toolbar and select Open Network Preferences.
Select Advanced and then select the 1X tab.
If there are no Login Window Profiles in the left column, select the + button and then select Add Login Window

Profile.

Select the Login Window Profile and then make sure that both TTLS and PEAP are selected in Authentication.

To configure the WPA-Enterprise network connection

Select the AirPort icon in the toolbar.
Do one of the following:

l If the network is listed, select the network from the list. l Select Connect to Other Network.

One of the following windows opens, depending on your selection.

Mac OS client

Enter the following information and select OK or Join:

Network name	Enter the SSID of your wireless network. (Other network only)
Wireless Security	WPA Enterprise
802.1X	Automatic
Username Password	Enter your logon credentials for the wireless network.
Remember this network	Select.

You are connected to the wireless network.

Linux

Linux client

This example is based on the Ubuntu 10.04 Linux wireless client.

To connect to a WPA-Enterprise network

Select the Network Manager icon to view the Wireless Networks menu.

Wireless networks that broadcast their SSID are listed in the Available section of the menu. If the list is long, it is continued in the More Networks submenu.

Do one of the following:
- Select the network from the list (also check More Networks).
- Select Connect to Hidden Wireless Network.

One of the following windows opens, depending on your selection.

Linux client

Enter the following information:

Connection	Leave as New. (Hidden network only)
Network name	Enter the SSID of your wireless network. (Hidden network only)
Wireless Security	WPA & WPA2 Enterprise
Authentication	Protected EAP (PEAP) for RADIUS-based authentication Tunneled TLS for TACACS+ or LDAP-based authentication
Anonymous identity	This is not required.
CA Certificate	If you want to validate the AP’s certificate, select the Entrust Root Certification Authority root certificate. The default location for the certificate is /usr/share/ca-certificates/mozilla/.
PEAP version	Automatic (applies only to PEAP)
Inner authentication	MSCHAPv2 for RADIUS-based authentication PAP or CHAP for TACACS+ or LDAP-based authentication
Username Password	Enter your logon credentials for the wireless network.

Troubleshooting

If you did not select a CA Certificate above, you are asked to do so. Select Ignore.
Select You are connected to the wireless network.

To connect to a WPA-Enterprise network

Select the Network Manager icon to view the Wireless Networks menu.
Select the network from the list (also check More Networks).

If your network is not listed (but was configured), select Connect to Hidden Wireless Network, select your network from the Connection drop-down list, and then select Connect.

Troubleshooting

Using tools provided in your operating system, you can find the source of common wireless networking problems.

Checking that client received IP address and DNS server information

Windows XP

Double-click the network icon in the taskbar to display the Wireless Network Connection Status

Check that the correct network is listed in the Connection section.

Select the Support

Check that the Address Type is Assigned by DHCP. Check that the IP Address, Subnet Mask, and Default Gateway values are valid.

Select Details to view the DNS server addresses.

The listed address should be the DNS serves that were assigned to the WAP. Usually a wireless network that provides access to the private LAN is assigned the same DNS servers as the wired private LAN. A wireless network that provides guest or customer users access to the Internet is usually assigned public DNS servers.

If any of the addresses are missing, select Repair.

If the repair procedure doesn’t correct the problem, check your network settings.

Mac OS

From the Apple menu, open System Preferences > Network.
Select AirPort and then select Configure.

Troubleshooting

On the Network page, select the TCP/IP
If there is no IP address or the IP address starts with 169, select Renew DHCP Lease.
To check DNS server addresses, open a terminal window and enter the following command:

cat /etc/resolv.conf

Check the listed nameserver addresses. A network for employees should us the wired private LAN DNS server. A network for guests should specify a public DNS server.

Linux

This example is based on the Ubuntu 10.04 Linux wireless client.

Troubleshooting

Right-click the Network Manager icon and select Connection Information.
Check the IP address, and DNS settings. If they are incorrect, check your network settings.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Wireless network monitoring

Leave a reply

Wireless network monitoring

You can monitor both your wireless clients and other wireless networks that are available in your coverage area.

Monitoring wireless clients

Monitoring rogue APs

Suppressing rogue APs

Monitoring wireless network health

Monitoring wireless clients

To view connected clients on a FortiWiFi unit

Go to Monitor > Client Monitor.

The following information is displayed:

SSID	The SSID that the client connected to.
FortiAP	The serial number of the FortiAP unit to which the client connected.
User	User name
IP	The IP address assigned to the wireless client.
Device
Auth	The type of authentication used.
Channel	WiFi radio channel in use.
Bandwidth Tx/Rx	Client received and transmitted bandwidth, in Kbps.
Signal Strength / Noise	The signal-to-noise ratio in deciBels calculated from signal strength and noise level.
Signal Strength
Association Time	How long the client has been connected to this access point.

Results can be filtered. Select the filter icon on the column you want to filter. Enter the values to include or select NOT if you want to exclude the specified values.

Monitoring rogue APs

The access point radio equipment can scan for other available access points, either as a dedicated monitor or in idle periods during AP operation.

Discovered access points are listed in Monitor > Rogue AP Monitor. You can then mark them as either Accepted or Rogue access points. This designation helps you to track access points. It does not affect anyone’s ability to use these access points.

It is also possible to suppress rogue APs. See Monitoring rogue APs on page 115.

On-wire rogue AP detection technique

Other APs that are available in the same area as your own APs are not necessarily rogues. A neighboring AP that has no connection to your network might cause interference, but it is not a security threat. A rogue AP is an unauthorized AP connected to your wired network. This can enable unauthorized access. When rogue AP detection is enabled, the On-wire column in the Rogue AP Monitor list shows a green up-arrow on detected rogues.

Rogue AP monitoring of WiFi client traffic builds a table of WiFi clients and the Access Points that they are communicating through. The FortiGate unit also builds a table of MAC addresses that it sees on the LAN. The FortiGate unit’s on-wire correlation engine constantly compares the MAC addresses seen on the LAN to the MAC addresses seen on the WiFi network.

There are two methods of Rogue AP on-wire detection operating simultaneously: Exact MAC address match and MAC adjacency.

Exact MAC address match

If the same MAC address is seen on the LAN and on the WiFi network, this means that the wireless client is connected to the LAN. If the AP that the client is using is not authorized in the FortiGate unit configuration, that AP is deemed an ‘on-wire’ rogue. This scheme works for non-NAT rogue APs.

MAC adjacency

If an access point is also a router, it applies NAT to WiFi packets. This can make rogue detection more difficult.

However, an AP’s WiFi interface MAC address is usually in the same range as its wired MAC address. So, the MAC adjacency rogue detection method matches LAN and WiFi network MAC addresses that are within a defined numerical distance of each other. By default, the MAC adjacency value is 7. If the AP for these matching MAC addresses is not authorized in the FortiGate unit configuration, that AP is deemed an ‘on-wire’ rogue.

Limitations

On-wire rogue detection has some limitations. There must be at least one WiFi client connected to the suspect AP and continuously sending traffic. If the suspect AP is a router, its WiFi MAC address must be very similar to its Ethernet port MAC address.

Logging

Information about detected rogue APs is logged and uploaded to your FortiAnalyzer unit, if you have one. By default, rogue APs generate an alert level log, unknown APs generate a warning level log. This log information can help you with PCI-DSS compliance requirements.

Rogue AP scanning as a background activity

Each WiFi radio can perform monitoring of radio channels in its operating band while acting as an AP. It does this by briefly switching from AP to monitoring mode. By default, a scan period starts every 300 seconds. Each second rogue APs

a different channel is monitored for 20ms until all channels have been checked.

During heavy AP traffic, it is possible for Spectrum Analysis background scanning to cause lost packets when the radio switches to monitoring. To reduce the probability of lost packets, you can set the CLI ap-bgscan-idle field to delay the switch to monitoring until the AP has been idle for a specified period. This means that heavy AP traffic may slow background scanning.

The following CLI example configures default background rogue scanning operation except that it sets apbgscan-idle to require 100ms of AP inactivity before scanning the next channel.

config wireless-controller wtp-profile edit ourprofile config radio-1 set wids-profile ourwidsprofile set spectrum-analysis enable

end

config wireless-controller wids-profile edit ourwidsprofile set ap-scan enable set rogue-scan enable set ap-bgscan-period 300 set ap-bgscan-intv 1 set ap-bgscan-duration 20 set ap-bgscan-idle 100

end

Configuring rogue scanning

All APs using the same FortiAP Profile share the same rogue scanning settings, unless override is configured.

To enable rogue AP scanning with on-wire detection – web-based manager

Go to WiFi & Switch Controller > WIDS Profiles.

On some models, the menu is WiFi & Switch Controller.

Select an existing WIDS Profile and edit it, or select Create New.
Make sure that Enable Rogue AP Detection is selected.
Select Enable On-Wire Rogue AP Detection.
Optionally, enable Auto Suppress Rogue APs in Foreground Scan.
Select OK.

To enable the rogue AP scanning feature in a custom AP profile – CLI

config wireless-controller wids-profile edit FAP220B-default set ap-scan enable set rogue-scan enable

end

Exempting an AP from rogue scanning

By default, if Rogue AP Detection is enabled, it is enabled on all managed FortiAP units. Optionally, you can exempt an AP from scanning. You should be careful about doing this if your organization must perform scanning to meet PCI-DSS requirements.

To exempt an AP from rogue scanning

Go to WiFi & Switch Controller > WIDS Profiles.
Create a new WIDS profile and disable Rogue AP detection.
Go to WiFi & Switch Controller > FortiAP Profiles and edit the profile you wish to exempt from rogue scanning.
Assign the WIDS profile created in step 2.

MAC adjacency

You can adjust the maximum WiFi to Ethernet MAC difference used when determining whether an suspect AP is a rogue.

To adjust MAC adjacency

For example, to change the adjacency to 8, enter

config wireless-controller global set rogue-scan-mac-adjacency 8 end

Using the Rogue AP Monitor

Go to Monitor > Rogue AP Monitor to view the list of other wireless access points that are receivable at your location.

Information Columns

Actual columns displayed depends on Column Settings.

Rogue AP — Use this status for unauthorized APs that On-wire status indicates are attached to your wired networks.

Accepted AP — Use this status for APs that are an authorized part of your network or

Stateare neighboring APs that are not a security threat. To see accepted APs in the list, select Show Accepted.

Unclassified — This is the initial status of a discovered AP. You can change an AP back to unclassified if you have mistakenly marked it as Rogue or Accepted.

OnlineActive AP

Status

Inactive AP

Active ad-hoc WiFi device

Inactive ad-hoc WiFi device

SSID The wireless service set identifier (SSID) or network name for the wireless interface.

Security The type of security currently being used. Type

Channel The wireless radio channel that the access point uses.

MAC The MAC address of the Wireless interface. Address

Vendor

The name of the vendor.

Info

Signal The relative signal strength of the AP. Mouse over the symbol to view the signal-to-noise Strength ratio.

Detected

The name or serial number of the AP unit that detected the signal. By

On-wire A green up-arrow indicates a suspected rogue, based on the on-wire detection technique. A red down-arrow indicates AP is not a suspected rogue.

First Seen How long ago this AP was first detected.

Last Seen	How long ago this AP was last detected.
Rate	Data rate in bps.

To change the Online Status of an AP, right-click it and select Mark Accepted or Mark Rogue.

Suppressing rogue APs

In addition to monitoring rogue APs, you can actively prevent your users from connecting to them. When suppression is activated against an AP, the FortiGate WiFi controller sends deauthentication messages to the rogue AP’s clients, posing as the rogue AP, and also sends deauthentication messages to the rogue AP, posing as its clients. This is done using the monitoring radio.

To enable rogue AP suppression, you must enable monitoring of rogue APs with the on-wire detection technique. See “Monitoring rogue APs”. The monitoring radio must be in the Dedicated Monitor mode.

To activate AP suppression against a rogue AP

Go to Monitor > Rogue AP Monitor.
When you see an AP listed that is a rogue detected “on-wire”, select it and then select Mark > Mark Rogue.
To suppress an AP that is marked as a rogue, select it and then select Suppress AP.

To deactivate AP suppression

Go to Monitor > Rogue AP Monitor.
Select the suppressed rogue AP and then select Suppress AP > Unsuppress AP.

Monitoring wireless network health

To view the wireless health dashboard, go to Monitor > WiFi Health Monitor.

The wireless health dashboard provides a comprehensive view of the health of your network’s wireless infrastructure. The dashboard includes widgets to display: l AP Status

Active, Down or missing, up for over 24 hours, rebooted in past 24 hours l Client Count Over Time

Viewable for past hour, day, or 30 days l Top Client Count Per-AP

Separate widgets for 2.4GHz and 5GHz bands health

l Top Wireless Interference

Separate widgets for 2.4GHz and 5GHz bands, requires spectrum analysis to be enabled on the radios l Login Failures Information l WiFi Channel Utilization

Three views allowing users to view top 10-20 Most and Least utilized channels for each AP radio and a third histogram view showing counts for utilization

The list of active clients also shows MAC address entries (similar to the WiFi Client Monitor page), making client information easy to view when opening the Active Client widget.

Protecting the WiFi network

Leave a reply

Protecting the WiFi network

Wireless IDS

WiFi data channel encryption

Protected Management Frames and Opportunisitc Key Caching support

Preventing local bridge traffic from reaching the LAN

FortiAP-S UTM support

DHCP snooping and option 82 (circuit -id) options for wireless access points

Wireless IDS

The FortiGate Wireless Intrusion Detection System (WIDS) monitors wireless traffic for a wide range of security threats by detecting and reporting on possible intrusion attempts. When an attack is detected the FortiGate unit records a log message.

You can create a WIDS profile to enable these types of intrusion detection:

Asleap Attack—ASLEAP is a tool used to perform attacks against LEAP authentication.
Association Frame Flooding—A Denial of Service attack using a large number of association requests. The default detection threshold is 30 requests in 10 seconds.
Authentication Frame Flooding—A Denial of Service attack using a large number of association requests. The default detection threshold is 30 requests in 10 seconds.
Broadcasting De-authentication—This is a type of Denial of Service attack. A flood of spoofed de-authentication frames forces wireless clients to de-athenticate, then re-authenticate with their AP.
EAPOL Packet Flooding—Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication. Flooding the AP with these packets can be a denial of service attack. Several types of EAPOL packets are detected: EAPOL-FAIL, EAPOL-LOGOFF, EAPOL-START, EAPOL-SUCC.
Invalid MAC OUI—Some attackers use randomly-generated MAC addresses. The first three bytes of the MAC address are the Organizationally Unique Identifier (OUI), administered by IEEE. Invalid OUIs are logged.
Long Duration Attack—To share radio bandwidth, WiFi devices reserve channels for brief periods of time. Excessively long reservation periods can be used as a denial of service attack. You can set a threshold between 1000 and 32 767 microseconds. The default is 8200. l Null SSID Probe Response—When a wireless client sends out a probe request, the attacker sends a response with a null SSID. This causes many wireless cards and devices to stop responding.
Spoofed De-authentication—Spoofed de-authentication frames are a denial of service attack. They cause all clients to disconnect from the AP.
Weak WEP IV Detection—A primary means of cracking WEP keys is by capturing 802.11 frames over an extended period of time and searching for patterns of WEP initialization vectors (IVs) that are known to be weak. WIDS detects known weak WEP IVs in on-air traffic.
Wireless Bridge—WiFi frames with both the fromDS and ToDS fields set indicate a wireless bridge. This will also detect a wireless bridge that you intentionally configured in your network.

You can enable wireless IDS by selecting a WIDS Profile in your FortiAP profile.

To create a WIDS Profile

Go to WiFi & Switch Controller > WIDS Profiles.
Select a profile to edit or select Create New.
Select the types of intrusion to protect against. By default, all types are selected.
Select Apply.

You can also configure a WIDS profile in the CLI using the config wireless-controller widsprofile command.

Rogue AP detection

The WIDS profile includes settings for detection of unauthorized (rogue) access points in your wireless network. For more information, see Wireless network monitoring on page 115.

WIDS client deauthentication rate for DoS attacks

As part of mitigating a Denial of Service (DoS) attack, the FortiGate sends deauthentication packets to unknown clients. In an aggressive attack, this deauthentication activity can prevent the processing of packets from valid clients. A WIDS Profile option in the CLI limits the deauthentication rate.

config wireless-controller wids-profile edit default set deauth-unknown-src-thresh <1-65535>

end

The value set is a measure of the number of deathorizations per second. 0 means no limit. The default is 10.

WiFi data channel encryption

Optionally, you can apply DTLS encryption to the data channel between the wireless controller and FortiAP units. This enhances security.

There are data channel encryption settings on both the FortiGate unit and the FortiAP units. At both ends, you can enable Clear Text, DTLS encryption, or both. The settings must agree or the FortiAP unit will not be able to join the WiFi network. By default, both Clear Text and DTLS-encrypted communication are enabled on the FortiAP unit, allowing the FortiGate setting to determine whether data channel encryption is used. If the FortiGate unit also enables both Clear Text and DTLS, Clear Text is used.

Data channel encryption settings are located in the FortiAP profile. By default, only Clear Text is supported.

Configuring encryption on the FortiGate unit

You can use the CLI to configure data channel encryption.

Enabling encryption

In the CLI, the wireless wtp-profile command contains a new field, dtls-policy, with options clear-text and dtls-enabled. To enable encryption in profile1 for example, enter:

config wireless-controller wtp-profile edit profile1 set dtls-policy dtls-enabled

end

Configuring encryption on the FortiAP unit

The FortiAP unit has its own settings for data channel encryption.

Enabling CAPWAP encryption – FortiAP web-based manager

On the System Information page, in WTP Configuration > AC Data Channel Security, select one of:

l Clear Text l DTLS Enabled l Clear Text or DTLS Enabled (default)

Select Apply.

Enabling encryption – FortiAP CLI

You can set the data channel encryption using the AP_DATA_CHAN_SEC variable: ‘clear’, or ‘ipsec’, or ‘dtls’.

For example, to set security to DTLS and then save the setting, enter:

cfg -a AP_DATA_CHAN_SEC=dtls cfg -c

Protected Management Frames and Opportunisitc Key Caching support

Protected Management Frames (PMF) protect some types of management frames like deauthorization, disassociation and action frames. This feature, now mandatory on WiFi certified 802.1ac devices, prevents attackers from sending plain deauthorization/disassociation frames to disrupt or tear down a connection/association. PMF is a Wi-Fi Alliance specification based on IEEE 802.11w.

To facilitate faster roaming client roaming, you can enable Opportunistic Key Caching (OKC) on your WiFi network. When a client associates with an AP, its PMK identifier is sent to all other APs on the network. This eliminates the need for an already-authenticated client to repeat the full EAP exchange process when it roams to another AP on the same network.

Use of PMF and OKC on an SSID is configurable only in the CLI:

config wireless-controller vap edit <vap_name> set pmf {disable | enable | optional} set pmf-assoc-comeback-timeout <integer> set pmf-sa-query-retry-timeout <integer>

set okc {disable | enable}

next end

Protected Management Frames and Opportunisitc Key Caching support

When pmf is set to optional, it is considered enabled, but will allow clients that do not use PMF. When pmf is set to enable, PMF is required by all clients.

Bluetooth Low Energy (BLE) Scan

The FortiGate can configure FortiAP Bluetooth Low Energy (BLE) scan, incorporating Google’s BLE beacon profile known as Eddystone, used to identify groups of devices and individual devices.

Use the following syntax to configure BLE profiles, configure BLE report intervals, and assign BLE profiles to WTP profiles.

CLI syntax – Configure BLE profiles

config wireless-controller ble-profile edit <name> set comment <comment>

set advertising {ibeacon | eddystone-uid | eddystone-url} set ibeacon-uuid <uuid> set major-id <0 – 65535> – (default = 1000) set minor-id <0 – 65535> – (default = 1000) set eddystone-namespace <10-byte namespace> set eddystone-instance <device id> set eddystone-url <url> set txpower <0 – 12> – (default = 0) set beacon-interval <40 – 3500> – (default = 100) set ble-scanning {enable | disable} – (default = disable)

end

Note that txpower determines the transmit power level on a scale of 0-12:

0: -21 dBm	1: -18 dBm	2: -15 dBm	3: -12 dBm	4: -9 dBm
5: -6 dBm	6: -3 dBm	7: 0 dBm	8: 1 dBm	9: 2 dBm
10: 3 dBm	11: 4 dBm	12: 5 dBm

CLI syntax – Configure BLE report intervals

config wireless-controller timers set ble-scan-report-intv – (default = 30 sec)

end

CLI syntax – Assign BLE profiles to WTP profiles

config wireless-controller wtp-profile edit <name> set ble-profile <name> next

end

Preventing local bridge traffic from reaching the LAN

The following command can be enabled so that when a client connects to a VAP, and its traffic is not tunneled to the controller, the admin can control whether the client can access the local network.

Note that this entry is only available when local-standalone-nat is set to enable.

Syntax:

config wireless-controller vap edit <name> set local-lan {allow | deny}

end

FortiAP-S UTM support

When a FortiAP-S is managed by a FortiGate in Bridge mode, support is provided for the following UTM functions: AntiVirus, IPS, Botnet, Web Filtering, and Application Control.

config wireless-controller utm-profile edit <name> set comment “Default configuration for offloading WiFi traffic.” set ips-sensor “wifi-default” set application-list “wifi-default” set antivirus-profile “wifi-default” set webfilter-profile “wifi-default”

set firewall-profile-protocol-options “wifi-default” set firewall-ssl-ssh-profile “wifi-default”

end

config wireless-controller vap edit <name> set utm-profile

end

DHCP snooping and option 82 (circuit -id) options for wireless access points

New commands are available to enable or disable (by default) DHCP 82 option insertion for wireless access points. DHCP snooping is used to prevent rogue DHCP servers from offering IP addresses to DHCP clients.

Syntax

config wireless-controll vap edit wifi set dhcp-option82-insertion {enable | disable}

set dhcp-option82-circuit-id-insertion {style-1 | style-2 | disable}

DHCP snooping and option 82 (circuit -id) options for wireless access points

set dhcp-option82-remote-id-insertion {style-1 | disable}

next end

Using remote WLAN FortiAPs

Leave a reply

Using remote WLAN FortiAPs

Remote WLAN FortiAP models enable you to provide a pre-configured WiFi access point to a remote or traveling employee. Once plugged in at home or in a hotel room, the FortiAP automatically discovers the enterprise FortiGate WiFi controller over the Internet and broadcasts the same wireless SSID used in the corporate office. Communication between the WiFi controller and the FortiAP is secure, eliminating the need for a VPN.

Split tunneling

By default, all traffic from the remote FortiAP is sent to the FortiGate WiFi controller. If split tunneling is configured, only traffic destined for the corporate office networks is routed to the FortiGate. Other general Internet traffic is routed unencrypted through the local gateway. Split tunneling avoids loading the FortiGate with unnecessary traffic and allows direct access to local private networks at the location of the FortiAP even if the connection to the WiFi controller goes down.

By default, split tunneling options are not visible in the FortiGate GUI. You can make these options visible using the following CLI command:

config system settings set gui-fortiap-split-tunneling enable

end

Split tunneling is configured in Managed FortiAPs, FortiAP Profiles, and enabled in the SSID.

Configuring the FortiGate for remote FortiAPs

This section assumes that you have already defined SSIDs and now want to make them available to remote FortiAPs.

Create FortiAP profiles for the Remote LAN FortiAP models l If split tunneling will be used l configure override split tunneling in Managed FortiAPs l enable Split Tunneling in the SSID
configure the split tunnel networks in the FortiAP profile

Override Split tunneling

Go to WiFi & Switch Controller > Managed FortiAPs and edit your managed APs. When preconfiguring the AP to connect to your FortiGate WiFi controller, you can choose to override split tunneling, optionally including the local subnet of the FortiAP.

Creating FortiAP profiles

If you were not already using Remote LAN FortiAP models, you will need to create FortiAP profiles for them. In the FortiAP profile, you specify the SSIDs that the FortiAP will broadcast. For more information, see “Creating a FortiAP profile” on page 34.

Configuring the FortiGate for remote FortiAPs Using remote WLAN FortiAPs

Configuring split tunneling – FortiGate GUI

Go to WiFi & Switch Controller > SSID and edit your SSID. In the WiFi Settings section, enable Split Tunneling.

Go to WiFi Controller > FortiAP Profiles and edit the FortiAP Profile(s) that apply to the AP types used in the WiFi network. In the Split Tunneling section, enable Include Local Subnet and Split Tunneling Subnet(s), where you can enter a list all of the destination IP address ranges that should not be routed through the the FortiGate WiFi controller. Packets for these destinations will instead be routed through the remote gateway local to the FortiAP.

The list of split tunneling subnets includes public Internet destinations and private subnets local to the FortiAP. Split tunneling public Internet destinations reduces traffic through the FortiGate unit. Split tunneling local private subnets allows these networks to be accessible to the client behind the FortiAP. Otherwise, private network IP destinations are assumed to be behind the FortiGate WiFi controller.

Configuring split tunneling – FortiGate CLI

In this example, split tunneling is configured on the example-ssid WiFi network. On FortiAP model 21D, traffic destined for the 192.168.x.x range will not be routed through the FortiGate WiFi controller. This private IP address range is typically used as a LAN by home routers.

config wireless-controller vap edit example-ssid set split-tunneling enable

end

config wireless-controller wtp-profile edit FAP21D-default set split-tunneling-acl-local-ap-subnet enable config split-tunneling-acl edit 1 set dest-ip 192.168.0.0 255.255.0.0

end

To enter multiple subnets, create a split-tunneling-acl entry for each one.

Overriding the split tunneling settings on a FortiAP

If the FortiAP Profile split tunneling settings are not appropriate for a particular FortiAP, you can override the settings on that unit.

config wireless-controller wtp edit FAP321C3X14019926 set override-split-tunnel enable

set split-tunneling-acl-local-ap-subnet enable config split-tunneling-acl edit 1 set dest-ip 192.168.10.0 255.255.255.0

end end

Using remote WLAN FortiAPs Configuring the FortiAP units

Configuring the FortiAP units

Prior to providing a Remote WLAN FortiAP unit to an employee, you need to preconfigure the AP to connect to your FortiGate WiFi controller.

To pre-configure a FortiAP

Connect the FortiAP to the FortiGate unit.
Go to WiFi & Switch Controller > Managed FortiAPs and wait for the FortiAP to be listed. Click Refresh periodically to see the latest information. Note the Connected Via IP address.
Go to Dashboard. In the CLI Console, log into the FortiAP CLI. For example, if the IP address is 192.168.1.4, enter:

exec telnet 192.168.1.4

Enter admin at the login prompt. By default, no password is set.

Enter the following commands to set the FortiGate WiFi controller IP address. This should be the FortiGate Internet-facing IP address, in this example 172.20.120.142.

cfg -a AC_IPADDR_1=172.20.120.142 cfg -c

Enter exit to log out of the FortiAP CLI.

Preauthorizing FortiAP units

By preauthorizing FortiAP units, you facilitate their automatic authorization on the network. Also, you can assign each unit a unique name, such as the employee’s name, for easier tracking.

Go to WiFi & Switch Controller > Managed FortiAPs and create a new entry.
Enter the Serial Number of the FortiAP unit and give it a Name. Select the appropriate FortiAP Profile.
Click OK.

Repeat this process for each FortiAP.

Features for high-density deployments

High-density environments such as auditoriums, classrooms, and meeting rooms present a challenge to WiFi providers. When a large number of mobile devices try to connect to a WiFi network, difficulties arise because of the limited number of radio channels and interference between devices.

FortiOS and FortiAP devices provide several tools to mitigate the difficulties of high-density environments.

Multiple FortiAP firmware upgrades at once

Administrators can configure multiple FortiAP and FortiSwitch firmware upgrades to occur in one click (under

WiFi & Switch Controller > Managed FortiAPs), removing the need to upgrade each device one at a time.

Power save feature

Occasionally, voice calls can become disrupted. One way to alleviate this issue is by controlling the power save feature, or to disable it altogether.

Manually configure packet transmit optimization settings by entering the following command:

config wireless-controller wtp-profile edit <name> config <radio-1> | <radio-2> set transmit-optimize {disable | power-save | aggr-limit | retry-limit | sendbar}

l disable: Disable transmit optimization. l power-save: Mark a client as power save mode if excessive transmit retries happen. l aggr-limit: Set aggregation limit to a lower value when data rate is low. l retry-limit: Set software retry limit to a lower value when data rate is low. l send-bar: Do not send BAR frame too often.

11n radio powersave optimization

The following powersave-optimize parameters (under config radio) are used for 11n radios to optimize system performance for specific situations.

tim: Set traffic indication map (TIM) bit for client in power save mode. TIM bit mask indicates to any sleeping listening stations if the AP has any buffered frames present. If enabled, the AP will always indicate to the connected client that there is a packet waiting in the AP, so it will help to prevent the client from entering a sleep state.
ac-vo: Use Access Category (AC) Voice (VO) priority to send packets in the power save queue. AC VO is one of the highest classes/priority levels used to ensure quality of service (QoS). If enabled, when a client returns from a sleep state, the AP will send its buffered packet using a higher priority queue, instead of the normal priority queue.
no-obss-scan: Do not put Overlapping Basic Service Set (OBSS), or high-noise (i.e. non-802.11), scan IE into a Beacon or Probe Response frame.
no-11b-rate: Do not send frame using 11b data rate.

Broadcast packet suppression

client-rate-follow: Adapt transmitting PHY rate with receiving PHY rate from client. If enabled, the AP will integrate the current client’s transmission PHY rate into its rate adaptation algorithm for transmitting.

Broadcast packet suppression

Broadcast packets are sent at a low data rate in WiFi networks, consuming valuable air time. Some broadcast packets are unnecessary or even potentially detrimental to the network and should be suppressed.

ARP requests and replies could allow clients to discover each other’s IP addresses. On most WiFi networks, intraclient communication is not allowed, so these ARP requests are of no use, but they occupy air time.

DHCP (upstream) should be allowed so that clients can request an IP address using DHCP.

DHCP (downstream) should be suppressed because it would allow a client to provide DHCP service to other clients. Only the AP should do this.

NetBIOS is a Microsoft Windows protocol for intra-application communication. Usually this is not required in highdensity deployments.

IPv6 broadcast packets can be suppressed if your network uses IPv4 addressing.

You can configure broadcast packet suppression in the CLI. The following options are available for broadcast suppression:

config wireless-controller vap edit <name> set broadcast-suppression {dhcp-up | dhcp-down | dhcp-starvation | arp-known | arpunknown | arp-reply | arp-poison | arp-proxy | netbios-ns | netbios-ds | ipv6 | all-other-mc | all-other-bc}

end

dhcp-starvation helps prevent clients from depleting the DHCP address pool by making multiple requests. arp-poison helps prevent clients from spoofing ARP messages.

Because of all these specific multicast and broadcast packet types, the two options all-other-mc and allother-bc help suppress multicast (mc) and broadcast (bc) packets that are not covered by any of the specific options.

Multicast to unicast conversion

Multicast data such as streaming audio or video are sent at a low data rate in WiFi networks. This causes them to occupy considerable air time. FortiOS provides a multicast enhancement option that converts multicast streams to unicast. A unicast stream is sent to each client at high data rate that makes more efficient use of air time. You can configure multicast-to-unicast conversion in the CLI:

config wireless-controller vap edit <vap_name> set multicast-enhance enable end

Ignore weak or distant clients

Clients beyond the intended coverage area can have some impact on your high-density network. Your APs will respond to these clients’ probe signals, consuming valuable air time. You can configure your WiFi network to ignore weak signals that most likely come from beyond the intended coverage area. The settings are available in the CLI:

config wireless-controller vap edit <vap_name> set probe-resp-suppression enable set probe-resp-threshold <level_int>

end vap_name is the SSID name.

probe-resp-threshold is the signal strength in dBm below which the client is ignored. The range is -95 to 20dBm. The default level is -80dBm.

Turn off 802.11b protocol

By disabling support for the obsolete 802.11b protocol, you can reduce the air time that data frames occupy. These signals will now be sent at a minimum of 6Mbps, instead of 1Mbps. You can set this for each radio in the FortiAP profile, using the CLI:

config wireless-controller wtp-profile edit <name_string> config radio-1 set powersave-optimize no-11b-rate

end

Disable low data rates

Each of the 802.11 protocols supports several data rates. By disabling the lowest rates, air time is conserved, allowing the channel to serve more users. You can set the available rates for each 802.11 protocol: a, b, g, n, ac. Data rates set as Basic are mandatory for clients to support. Other specified rates are supported.

The 802.11 a, b, and g protocols are specified by data rate. 802.11a can support 6,9,12, 18, 24, 36, 48, and 54

Mb/s. 802.11b/g can support 1, 2, 5.5, 6, 9,12, 18, 24, 36, 48, 54 Mb/s. Basic rates are specified with the suffix “basic”, “12-basic” for example. The capabilities of expected client devices need to be considered when deciding the lowest Basic rate.

The 802.11n and ac protocols are specified by the Modulation and Coding Scheme (MCS) Index and the number of spatial streams.

11n with 1 or 2 spatial streams can support mcs0/1, mcs1/1, mcs2/1, mcs3/1, mcs4/1, mcs5/1, mcs6/1, mcs7/1,mcs8/2,mcs9/2, mcs10/2, mcs11/2, mcs12/2, mcs13/2, mcs14/2, mcs15/2.
11n with 3 or 4 spatial streams can support mcs16/3, mcs17/3, mcs18/3, mcs19/3, mcs20/3, mcs21/3, mcs22/3, mcs23/3, mcs24/4, mcs25/4, mcs26/4, mcs27/4, mcs28/4, mcs29/4, mcs30/4, mcs31/4.

Limit power

11ac with 1 or 2 spatial streams can support mcs0/1, mcs1/1, mcs2/1, mcs3/1, mcs4/1, mcs5/1, mcs6/1, mcs7/1, mcs8/1, mcs9/1, mcs0/2, mcs1/2, mcs2/2, mcs3/2, mcs4/2, mcs5/2, mcs6/2, mcs7/2, mcs8/2, mcs9/2.
11ac with 3 or 4 spatial streams can support mcs0/3, mcs1/3, mcs2/3, mcs3/3, mcs4/3, mcs5/3, mcs6/3, mcs7/3, mcs8/3, mcs9/3, mcs0/4, mcs1/4, mcs2/4, mcs3/4, mcs4/4, mcs5/4, mcs6/4, mcs7/4, mcs8/4, mcs9/4 Here are some examples of setting basic and supported rates.

config wireless-controller vap edit <vap_name> set rates-11a 12-basic 18 24 36 48 54 set rates-11bg 12-basic 18 24 36 48 54

set rates-11n-ss34 mcs16/3 mcs18/3 mcs20/3 mcs21/3 mcs22/3 mcs23/3 mcs24/4 mcs25/4 set rates-11ac-ss34 mcs0/3 mcs1/3 mcs2/3 mcs9/4 mcs9/3

end

Limit power

High-density deployments usually cover a small area that has many clients. Maximum AP signal power is usually not required. Reducing the power reduces interference between APs. Fortinet recommends that you use FortiAP automatic power control. You can set this in the FortiAP profile.

Go to WiFi & Switch Controller > FortiAP Profiles and edit the profile for your AP model.
For each radio, enable Auto TX Power Control and set the TX Power Low and TX Power High The default range of 10 to 17dBm is recommended.

Use frequency band load-balancing

In a high-density environment is important to make the best use of the two WiFi bands, 2.4GHz and 5GHz. The 5GHz band has more non-overlapping channels and receives less interference from non-WiFi devices, but not all devices support it. Clients that are capable of 5GHz operation should be encouraged to use 5GHz rather than the 2.4GHz band.

To load-balance the WiFi bands, you enable Frequency Handoff in the FortiAP profile. In the FortiGate webbased manager, go to WiFi & Switch Controller > FortiAP Profiles and edit the relevant profile. Or, you can use the CLI:

config wireless-controller wtp-profile edit FAP221C-default config radio-1 set frequency-handoff enable

end

The FortiGate wireless controller continuously performs a scan of all clients in the area and records their signal strength (RSSI) on each band. When Frequency Handoff is enabled, the AP does not reply to clients on the

2.4GHz band that have sufficient signal strength on the 5GHz band. These clients can associate only on the 5GHz band. Devices that support only 2.4GHz receive replies and associate with the AP on the 2.4GHz band.

Setting the handoff RSSI threshold

The FortiAP applies load balancing to a client only if the client has a sufficient signal level on 5GHz. The minimum signal strength threshold is set in the FortiAP profile, but is accessible only through the CLI:

AP load balancing

config wireless-controller wtp-profile edit FAP221C-default set handoff-rssi 25

end

handoff-rssi has a range of 20 to 30. RSSI is a relative measure. The higher the number, the stronger the signal.

AP load balancing

The performance of an AP is degraded if it attempts to serve too many clients. In high-density environments, multiple access points are deployed with some overlap in their coverage areas. The WiFi controller can manage the association of new clients with APs to prevent overloading.

To load-balance between APs, enable AP Handoff in the FortiAP profile. In the FortiGate web-based manager, go to WiFi & Switch Controller > FortiAP Profiles and edit the relevant profile. Or, you can use the CLI:

config wireless-controller wtp-profile edit FAP221C-default config radio-1 set ap-handoff enable

end

When an AP exceeds the threshold (the default is 30 clients), the overloaded AP does not reply to a new client that has a sufficient signal at another AP.

Setting the AP load balance threshold

The thresholds for AP handoff are set in the FortiAP profile, but is accessible only through the CLI:

config wireless-controller wtp-profile edit FAP221C-default set handoff-sta-thresh 30 set handoff-rssi 25

end

handoff-sta-thresh sets the number of clients at which AP load balancing begins. It has a range of 5 to 35.

handoff-rssi Sets the minimum signal strength that a new client must have at an alternate AP for the overloaded AP to ignore the client. It has a range of 20 to 30. RSSI is a relative measure. The higher the number, the stronger the signal.

Application rate-limiting

To prevent particular application types from consuming too much bandwidth, you can use the FortiOS Application Control feature.

Go to Security Profiles > Application Control.

You can use the default profile or create a new one.

Click the category, select Traffic Shaping and then select the priority for the category.

Repeat for each category to be controlled.

Select Apply.
Go to Policy & Objects > IPv4 Policy and edit your WiFi security policy.

AP group management and dynamic VLAN assignment

In Security Profiles, set Application Control ON and select the security profile that you edited.
Select OK.

AP group management and dynamic VLAN assignment

The FortiGate can create FortiAP Groups, under WiFi & Switch Controller > Managed FortiAPs by selecting Create New > Managed AP Group, where multiple APs can be managed. AP grouping allows specific profile settings to be applied to many APs all at once that belong to a certain AP group, simplifying the administrative workload.

Note that each AP can only belong to one group.

In addition, VLANs can be assigned dynamically based on the group which an AP belongs. When defining an SSID, under WiFi & Switch Controller > SSID, a setting called VLAN Pooling can be enabled where you can either assign the VLAN ID of the AP group the device is connected to, to each device as it is detected, or to always assign the same VLAN ID to a specific device. Dynamic VLAN assignment allows the same SSID to be deployed to many APs, avoiding the need to produce multiple SSIDs.

Sharing tunnel SSIDs within a single managed AP between VDOMs as a virtual AP for multi-tenancy

This feature provides the ability to move a tunnel mode VAP into a VDOM, similar to an interface/VLAN in VDOMs. FortiAP is registered into the root VDOM.

Within a customer VDOM, customer VAPs can be created/added. In the root VDOM, the customer VAP can be added to the registered FortiAP. Any necessary firewall rules and interfaces can be configured between the two VDOMs.

Syntax

config wireless-controller global set wtp-share {enable | disable}

end

Manual quarantine of devices on FortiAP (tunnel mode)

Quarantined MAC addresses are blocked on the connected FortiAP from the network and the LAN. When a tunnel VAP is created, a sub-interface named wqtn is automatically created under tunnel interface. ThisThis subinterface is added under a software switch.

To quarantine an SSID, go to WiFi & Switch Controller > SSID. Edit the SSID, and enable Quarantine Host is enabled under WiFi Settings.

Alternatively, this can be configured in the CLI Console. This feature consolidates previous CLI syntax for quarantining a host, so that the host does not need to be configured in multiple places (FortiAP and FortiSwitch). Host endpoints can be entered in a single place and the host will be quarantined throughout the access layer devices on the Fortinet Security Fabric.

Manual quarantine of devices on FortiAP (tunnel mode)

Syntax – SSID:

config wireless-controller vap edit <name> set quarantine {enable | disable}

end

Syntax – Software Switch, DHCP, and User Quarantine

config system switch-interface edit “wqt.root” set vdom “root” set member “wqtn.26.AV-Qtn”

end

config system dhcp server edit <id> set interface “AV-Qtn” config ip-range edit <id> set start-ip 10.111.0.2 set end-ip 10.111.0.254

next …

config user quarantine set quarantine {enable | disable}

end

To list stations in quarantine, use the following diagnose command:

diagnose wireless-controller wlac -c sta-qtn

Host quarantine per SSID

Upon creating or editing an SSID, a Quarantine Host option is available to enable (by default) or disable quarantining devices that are connected in Tunnel-mode. The option to quarantine a device is available on Topology and FortiView WiFi pages.

When a host is put into quarantine VLAN, it will get its IP from the quarantine VLAN’s DHCP server, and become part of the quarantined network.

Syntax

config wireless-controller vap edit <name> set quarantine {enable | disable}

next end

Locate a FortiAP with LED blinking

To list all stations in quarantine:

diagnose wireless-controller wlac -c sta-qtn

Locate a FortiAP with LED blinking

If you have an environment that contains numerous APs, and there is one AP that you need to frequently monitor, you can configure it to blink in the FortiCloud web portal. The blinking AP will be easier to locate.

To start or stop LED blinking of a managed FortiAP, using the GUI:

Go to WiFi & Switch Controller > Managed FortiAPs.
Right-click in the row of the device you want to control.
In the dialog box, scroll down to LED Blink and select Start or Stop.

The following models support LED blink control through the GUI, operating on FortiAP software 6.0.1, or later:

FortiAP-112D, 221C, 223C, 224D, 320C, 321C l FortiAP-S/W2

To start or stop LED blinking of a managed FortiAP, using the CLI:

execute wireless-controller led-blink <wtp-id> {on | on 10 | off}

The following models support LED blink control through the CLI, operating on FortiAP software 5.6.2, or later:

FortiAP-112D, 221C, 223C, 224D, 320C, 321C l FortiAP-S/W2

Wireless controller optimization for large deployment – AP image upgrade

Using the CLI to upgrade FortiAP image is the preferred method especially for large deployments. Use the following execute command to upload the desired FortiAP image on the controller:

execute wireless-controller upload-wtp-image

After entering the command, reboot the FortiAP devices. This feature allows the administrator to configure all FortiAP devices to download the image from the controller at join time.

Syntax

config wireless-controller global set image-download {enable | disable}

end

To fine-tune this process, in order to deploy FortiAP image upgrades to a subset of devices for pilot testing, use the following command:

config wireless-controller wtp edit <name> set image-download {enable | disable} next

Control message off-loading and aeroscout enhancement

end

Control message off-loading and aeroscout enhancement

Users can configure control message off-loading to optimize performance. This is especially useful in environments where the AP count is around 300-350 (with a device count between 1500 and 3000), where existing users are disconnected and unable to reauthenticate due to high CPU usage. This feature includes aeroscout enhancements.

Syntax

config wireless-controller global set control-message-offload {evp-frame | areoscout-tag | ap-list | sta-list | sta-caplist | stats | aeroscout-mu}

end

config wireless-controller wtp-profile edit <name> set control-message-offload {enable | disable} config lbs set ekahau-blink-mode {enable | disable} set aeroscout {enable | disable} set aeroscout-server-ip <address>

set aeroscount-server-port <UDP listening port> set aeroscout-mu {enable | disable}

end end

Combining WiFi and wired networks with a software switch

Leave a reply

Combining WiFi and wired networks with a software switch

FortiAP local bridging (Private cloud-managed AP)

Using bridged FortiAPs to increase scalability

Combining WiFi and wired networks with a software switch

A WiFi network can be combined with a wired LAN so that WiFi and wired clients are on the same subnet. This is a convenient configuration for users. Note that software switches are only available if your FortiGate is in Interface mode.

To create the WiFi and wired LAN configuration, you need to:

Configure the SSID so that traffic is tunneled to the WiFi controller.
Configure a software switch interface on the FortiGate unit with the WiFi and internal network interface as members. l Configure Captive Portal security for the software switch interface.

To configure the SSID – web-based manager

Go to WiFi & Switch Controller > SSID and select Create New.
Enter:

Interface name	A name for the new WiFi interface, homenet_if for example.
Traffic Mode	Tunnel to Wireless Controller
SSID	The SSID visible to users, homenet for example.
Security Mode Data Encryption Preshared Key	Configure security as you would for a regular WiFi network.

Select OK.
Go to WiFi & Switch Controller > Managed FortiAPs, select the FortiAP unit for editing.
Authorize the FortiAP unit.

The FortiAP unit can carry regular SSIDs in addition to the Bridge SSID.

To configure the SSID – CLI

This example creates a WiFi interface “homenet_if” with SSID “homenet” using WPA-Personal security, passphrase “Fortinet1”.

config wireless-controller vap edit “homenet_if” set vdom “root” set ssid “homenet” set security wpa-personal set passphrase “Fortinet1”

end

config wireless-controller wtp edit FAP22B3U11005354 set admin enable set vaps “homenet_if”

end

To configure the FortiGate software switch – web-based manager

Go to Network > Interfaces and select Create New > Interface.
Enter:

Interface Name	A name for the new interface, homenet_nw for example.
Type	Software Switch
Physical Interface Members	Add homenet_if and the internal network interface.
Addressing mode	Select Manual and enter an address, for example 172.16.96.32/255.255.255.0
DHCP Server	Enable and configure an address range for clients.
Security Mode	Select Captive Portal. Add the permitted User Groups.

Select OK.

To configure the FortiGate unit – CLI

config system interface edit homenet_nw set ip 172.16.96.32 255.255.255.0 set type switch set security-mode captive-portal set security-groups “Guest-group”

end

config system interface edit homenet_nw set member “homenet_if” “internal” end

FortiAP local bridging (Private cloud-managed AP)

VLAN configuration

If your environment uses VLAN tagging, you assign the SSID to a specific VLAN in the CLI. For example, to assign the homenet_if interface to VLAN 100, enter:

config wireless-controller vap edit “homenet_if” set vlanid 100

end

Additional configuration

The configuration described above provides communication between WiFi and wired LAN users only. To provide access to other networks, create appropriate firewall policies between the software switch and other interfaces.

FortiAP local bridging (Private cloud-managed AP)

A FortiAP unit can provide WiFi access to a LAN, even when the wireless controller is located remotely. This configuration is useful for the following situations:

Installations where the WiFI controller is remote and most of the traffic is local or uses the local Internet gateway l Wireless-PCI compliance with remote WiFi controller
Telecommuting, where the FortiAP unit has the WiFi controller IP address pre-configured and broadcasts the office SSID in the user’s home or hotel room. In this case, data is sent in the wireless tunnel across the Internet to the office and you should enable encryption using DTLS.

FortiAP local bridging (Private cloud-managed AP)

Remotely-managed FortiAP providing WiFi access to local network

On the remote FortiGate wireless controller, the WiFi SSID is created with the Bridge with FortiAP Interface option selected. In this mode, no IP addresses are configured. The WiFi and Ethernet interfaces on the FortiAP behave as a switch. WiFi client devices obtain IP addresses from the same DHCP server as wired devices on the LAN.

The local bridge feature cannot be used in conjunction with Wireless Mesh features.

Block-Intra-SSID Traffic is available in Bridge mode. This is useful in hotspotdeployments managed by a central FortiGate, but would also be useful in cloud deployments. Previously, this was only supported in Tunnel mode.

To configure a FortiAP local bridge – web-based manager

Go to WiFi & Switch Controller > SSID and select Create New > SSID.
Enter:

Interface name	A name for the new WiFi interface.
Traffic Mode	Local bridge with FortiAP’s Interface
SSID	The SSID visible to users.

Security Mode

Data Encryption

Preshared Key

Configure security as you would for a regular WiFi network.

Select OK.
Go to WiFi & Switch Controller > Managed FortiAPs and select the FortiAP unit for editing.
Authorize the FortiAP unit.

The FortiAP unit can carry regular SSIDs in addition to the Bridge SSID.

SSID configured for local bridge operation

To configure a FortiAP local bridge – CLI

This example creates a WiFi interface “branchbridge” with SSID “LANbridge” using WPA-Personal security, passphrase “Fortinet1”.

config wireless-controller vap edit “branchbridge” set vdom “root” set ssid “LANbridge” set local-bridging enable set security wpa-personal set passphrase “Fortinet1”

end

config wireless-controller wtp edit FAP22B3U11005354 set admin enable set vaps “branchbridge” end

Using bridged FortiAPs to increase scalability

Continued FortiAP operation when WiFi controller connection is down

The wireless controller, or the connection to it, might occasionally become unavailable. During such an outage, clients already associated with a bridge mode FortiAP unit continue to have access to the WiFi and wired networks. Optionally, the FortiAP unit can also continue to authenticate users if the SSID meets these conditions:

Traffic Mode is Local bridge with FortiAP’s Interface.

In this mode, the FortiAP unit does not send traffic back to the wireless controller.

Security Mode is WPA2 Personal.

These modes do not require the user database. In WPA2 Personal authentication, all clients use the same preshared key which is known to the FortiAP unit.

Allow New WiFi Client Connections When Controller is down is enabled. This field is available only if the other conditions have been met.

The “LANbridge” SSID example would be configured like this in the CLI:

config wireless-controller vap edit “branchbridge” set vdom “root” set ssid “LANbridge” set local-bridging enable set security wpa-personal set passphrase “Fortinet1” set local-authentication enable

end

Using bridged FortiAPs to increase scalability

The FortiGate wireless controller can support more FortiAP units in local bridge mode than in the normal mode. But this is only true if you configure some of your FortiAP units to operate in remote mode, which supports only local bridge mode SSIDs.

The Managed FortAP page (WiFi & Switch Controller > Managed FortiAPs) shows at the top right the current number of Managed FortiAPs and the maximum number that can be managed, “5/64” for example. The maximum number, however, is true only if all FortiAP units operate in remote mode. For more detailed information, consult the Maximum Values Table. For each FortiGate model, there are two maximum values for managed FortiAP units: the total number of FortiAPs and the number of FortiAPs that can operate in normal mode.

Using bridged FortiAPs to increase scalability

To configure FortiAP units for remote mode operation

Create at least one SSID with Traffic Mode set to Local bridge with FortiAP’s Interface.
Create a custom AP profile that includes only local bridge SSIDs.
Configure each managed FortiAP unit to use the custom AP profile. You also need to set the FortiAP unit’s wtpmode to remote, which is possible only in the CLI. The following example uses the CLI both to set wtp-mode and select the custom AP profile:

config wireless-controller wtp edit FAP22B3U11005354 set wtp-mode remote set wtp-profile 220B_bridge end

Wireless mesh

1 Reply

Wireless mesh

The access points of a WiFi network are usually connected to the WiFi controller through Ethernet wiring. A wireless mesh eliminates the need for Ethernet wiring by connecting WiFi access points to the controller by radio. This is useful where installation of Ethernet wiring is impractical.

Overview of Wireless mesh

Configuring a meshed WiFi network

Configuring a point-to-point bridge

Overview of Wireless mesh

The figure below shows a wireless mesh topology.

A wireless mesh is a multiple AP network in which only one FortiAP unit is connected to the wired network. The other FortiAPs communicate with the controller over a separate backhaul SSID that is not available to regular WiFi clients. The AP that is connected to the network by Ethernet is called the Mesh Root node. The backhaul SSID carries CAPWAP discovery, configuration, and other communications that would usually be carried on an Ethernet connection.

The root node can be a FortiAP unit or the built-in AP of a FortiWiFi unit. APs that serve regular WiFi clients are called Leaf nodes. Leaf APs also carry the mesh SSID for more distant leaf nodes. A leaf node can connect to the mesh SSID directly from the root node or from any of the other leaf nodes. This provides redundancy in case of an AP failure.

All access points in a wireless mesh configuration must have at least one of their radios configured to provide mesh backhaul communication. As with wired APs, when mesh APs start up they can be discovered by a FortiGate or FortiWiFi unit WiFi controller and authorized to join the network.

Overview of

The backhaul SSID delivers the best performance when it is carried on a dedicated radio. On a two-radio FortiAP unit, for example, the 5GHz radio could carry only the backhaul SSID while the 2.4GHz radio carries one or more SSIDs that serve users. Background WiFi scanning is possible in this mode.

The backhaul SSID can also share the same radio with SSIDs that serve users. Performance is reduced because the backhaul and user traffic compete for the available bandwidth. Background WiFi scanning is not available in this mode. One advantage of this mode is that a two-radio AP can offer WiFi coverage on both bands.

Wireless mesh deployment modes

There are two common wireless mesh deployment modes:

Wireless Mesh

Access points are wirelessly connected to a FortiGate or FortiWiFi unit WiFi controller. WiFi users connect to wireless SSIDs in the same way as on non-mesh WiFi networks.

Wireless bridging

Two LAN segments are connected together over a wireless link (the backhaul SSID).

On the leaf AP, the Ethernet connection can be used to provide a wired network. Both WiFi and wired users on the leaf AP are connected to the LAN segment to which the root AP is connected.

Firmware requirements

All FortiAP units that will be part of the wireless mesh network must be upgraded to FAP firmware version 5.0 build 003. FortiAP-222B units must have their BIOS upgraded to version 400012. The FortiWiFi or FortiGate unit used as the WiFi controller must be running FortiOS 5.0.

Types of wireless mesh

A WiFi mesh can provide access to widely-distributed clients. The root mesh AP which is directly connected to the WiFi controller can be either a FortiAP unit or the built-in AP of a FortiWiFi unit that is also the WiFi controller.

FortiAP units used as both mesh root AP and leaf AP

Overview of Wireless mesh

FortiWiFi unit as root mesh AP with FortiAP units as leaf APs

An alternate use of the wireless mesh functionality is as a point-to-point relay. Both wired and WiFi users on the leaf AP side are connected to the LAN segment on the root mesh side.

Overview of

Point-to-point wireless mesh

Fast-roaming for mesh backhaul link

Mesh implementations for leaf FortiAP can perform background scan when the leaf AP is associated to root. Various options for background scanning can be configured with the CLI. See Mesh variables on page 189 for more details.

Configuring a meshed WiFi network

You need to:

Create the mesh root SSID. l Create the FortiAP profile. l Configure mesh leaf AP units. l Configure the mesh root AP, either a FortiWiFi unit’s Local Radio or a FortiAP unit. l Authorize the mesh branch/leaf units when they connect to the WiFi Controller.
Create security policies.

This section assumes that the end-user SSIDs already exist.

Creating the mesh root SSID

The mesh route SSID is the radio backhaul that conveys the user SSID traffic to the leaf FortiAPs.

To configure the mesh root SSID

Go to WiFi & Switch Controller > SSID and select Create New > SSID.
Enter a Name for the WiFi interface.
In Traffic Mode, select Mesh Downlink.
Enter the SSID.
Set Security Mode to WPA2 Personal and enter the Pre-shared key.

Remember the key, you need to enter it into the configurations of the leaf FortiAPs.

Select OK.

Creating the FortiAP profile

Create a FortiAP profile for the meshed FortiAPs. If more than one FortiAP model is involved, you need to create a profile for each model. Typically, the profile is configured so that Radio 1 (5GHz) carries the mesh backhaul SSID while Radio 2 (2.4GHz) carries the SSIDs to which users connect.

The radio that carries the backhaul traffic must not carry other SSIDs. Use the Select SSIDs option and choose only the backhaul SSID. Similarly, the radio that carries user SSIDs, should not carry the backhaul. Use the Select SSIDs option and choose the networks that you want to provide.

For more information, see Configuring a WiFi LAN on page 30.

Configuring the mesh root FortiAP

The mesh root AP can be either a FortiWiFi unit’s built-in AP or a FortiAP unit.

Configuring a meshed WiFi network

To enable a FortiWiFi unit’s Local Radio as mesh root – web-based manager

Go to WiFi Controller > Local WiFi Radio.
Select Enable WiFi Radio.
In SSID, select Select SSIDs, then select the mesh root SSID.
Optionally, adjust TX Power or select Auto Tx Power Control.
Select Apply.

In a network with multiple wireless controllers, make sure that each mesh root has a unique SSID. Other controllers using the same mesh root SSID might be detected as fake or rogue APs. Go to WiFi & Switch Controller > SSID to change the SSID.

To configure a network interface for the mesh root FortiAP unit

On the FortiGate unit, go to Network > Interfaces.
Select the interface where you will connect the FortiAP unit, and edit it.
Make sure that Role is LAN.
In Addressing mode, select Dedicated to Extension Device.
In IP/Network Mask, enter an IP address and netmask for the interface.

DHCP will provide addresses to connected devices. To maximize the number of available addresses, the interface address should end with 1, for example 192.168.10.1.

Select OK.

At this point you can connect the mesh root FortiAP, as described next. If you are going to configure leaf FortiAPs through the wireless controller (see “Configuring a meshed WiFi network” on page 82), it would be convenient to leave connecting the root unit for later.

To enable the root FortiAP unit

Connect the root FortiAP unit’s Ethernet port to the FortiGate network interface that you configured for it.
Go to WiFi & Switch Controller > Managed FortiAPs.

If the root FortiAP unit is not listed, wait 15 seconds and select Refresh. Repeat if necessary. If the unit is still missing after a minute or two, power cycle the root FortiAP unit and try again.

Right-click the FortiAP entry and choose your profile from the Assign Profile
Right-click the FortiAP entry and select Authorize.

Initially, the State of the FortiAP unit is Offline. Periodically click Refresh to update the status. Within about two minutes, the state changes to Online.

Select OK.

You might need to select Refresh a few times before the FortiAP shows as Online.

Configuring the leaf mesh FortiAPs

The FortiAP units that will serve as leaf nodes must be preconfigured. This involves changing the FortiAP unit internal configuration.You can do this by direct connection or through the FortiGate wireless controller. meshed WiFi network

Method 1: Direct connection to the FortiAP

Connect a computer to the FortiAP unit’s Ethernet port. Configure the computer’s IP as 192.168.1.3.
Telnet to 192.168.1.2. Login as admin. By default, no password is set.
Enter the following commands, substituting your own SSID and password (pre-shared key):

cfg -a MESH_AP_TYPE=1 cfg -a MESH_AP_SSID=fortinet.mesh.root cfg -a MESH_AP_PASSWD=hardtoguess

cfg -c exit

Disconnect the computer.
Power down the FortiAP.
Repeat the preceding steps for each branch FortiAP.

Method 2: Connecting through the FortiGate unit

Connect the branch FortiAP unit’s Ethernet port to the FortiGate network interface that you configured for FortiAPs. Connect the FortiAP unit to a power source unless POE is used.
Go to WiFi & Switch Controller > Managed FortiAPs.

If the FortiAP unit is not listed, wait 15 seconds and select Refresh. Repeat if necessary. If the unit is still missing after a minute or two, power cycle the FortiAP unit and try again.

Select the discovered FortiAP unit and authorize it. Click Refresh every 10 seconds until the State indicator is green.
Right-click the FortiAP and select >_Connect to CLI. The CLI Console window opens. Log in as “admin”.
Enter the following commands, substituting your own SSID and password (pre-shared key):

cfg -a MESH_AP_TYPE=1 cfg -a MESH_AP_SSID=fortinet.mesh.root cfg -a MESH_AP_PASSWD=hardtoguess

cfg -c exit

Disconnect the branch FortiAP and delete it from the Managed FortiAP list.
Repeat the preceding steps for each branch FortiAP.

Authorizing leaf APs

When the root FortiAP is connected and online, apply power to the pre-configured leaf FortiAPs. The leaf FortiAPs will connect themselves wirelessly to the WiFi Controller through the mesh network. You must authorize each unit.

Go to WiFi & Switch Controller > Managed FortiAPs. Periodically select Refresh until the FortiAP unit is listed. This can take up to three minutes.

The State of the FortiAP unit should be Waiting for Authorization.

Right-click the FortiAP entry and choose your profile from the Assign Profile
Right-click the FortiAP entry and select Authorize.

Initially, the State of the FortiAP unit is Offline. Periodically click Refresh to update the status. Within about two minutes, the state changes to Online.

Creating security policies

You need to create security policies to permit traffic to flow from the end-user WiFi network to the network interfaces for the Internet and other networks. Enable NAT.

Viewing the status of the mesh network

Go to WiFi & Switch Controller > Managed FortiAPs to view the list of APs.

The Connected Via field lists the IP address of each FortiAP and uses icons to show whether the FortiAP is connected by Ethernet or Mesh.

Ethernet

Mesh

If you mouse over the Connected Via information, a topology displays, showing how the FortiGate wireless controller connects to the FortiAP.

Configuring a point-to-point bridge

You can create a point-to-point bridge to connect two wired network segments using a WiFi link. The effect is the same as connecting the two network segments to the same wired switch.

You need to:

point-to-point bridge

l Configure a backhaul link and root mesh AP as described in Configuring a point-to-point bridge on page 84.

Note: The root mesh AP for a point-to-point bridge must be a FortiAP unit, not the internal AP of a FortiWiFi unit. l Configure bridging on the leaf AP unit.

To configure the leaf AP unit for bridged operation – FortiAP web-based manager

With your browser, connect to the FortiAP unit web-based manager.

You can temporarily connect to the unit’s Ethernet port and use its default address: 192.168.1.2.

Enter:

Operation Mode	Mesh
Mesh AP SSID	fortinet-ap
Mesh AP Password	fortinet
Ethernet Bridge	Select

Select Apply.
Connect the local wired network to the Ethernet port on the FortiAP unit.

Users are assigned IP addresses from the DHCP server on the wired network connected to the root mesh AP unit.

To configure a FortiAP unit as a leaf AP – FortiAP CLI

cfg -a MESH_AP_SSID=fortinet-ap cfg -a MESH_AP_PASSWD=fortinet cfg -a MESH_ETH_BRIDGE=1 cfg -a MESH_AP_TYPE=1 cfg -c

Hotspot 2.0

Hotspot 2.0 Access Network Query Protocol (ANQP) is a query and response protocol that defines seamless roaming services offered by an AP. The following CLI commands are available under config wirelesscontroller, to configure Hotspot 2.0 ANQP.

Syntax

config wireless-controller hotspot20 anqp-3gpp-cellular edit {name} config mcc-mnc-list edit {id} set id {integer} set mcc {string} set mnc {string}

end

config wireless-controller hotspot20 anqp-ip-address-type edit {name} set ipv6-address-type {option} set ipv4-address-type {option}

end

config wireless-controller hotspot20 anqp-nai-realm edit {name} config nai-list edit {name} set encoding {enable | disable} set nai-realm {string} config eap-method edit {index} set index {integer} set method {option} config auth-param edit {index} set index {integer} set id {option} set val {option}

end

config wireless-controller hotspot20 anqp-network-auth-type edit {name} set auth-type {option} set url {string}

next end

Hotspot 2.0

config wireless-controller hotspot20 anqp-roaming-consortium edit {name} config oi-list edit {index} set index {integer} set oi {string} set comment {string}

end

config wireless-controller hotspot20 anqp-venue-name edit {name} config value-list edit {index} set index {integer} set lang {string} set value {string}

end

config wireless-controller hotspot20 h2qp-conn-capability edit {name} set icmp-port {option} set ftp-port {option} set ssh-port {option} set http-port {option} set tls-port {option} set pptp-vpn-port {option} set voip-tcp-port {option} set voip-udp-port {option} set ikev2-port {option} set ikev2-xx-port {option} set esp-port {option}

end

config wireless-controller hotspot20 h2qp-operator-name edit {name} config value-list edit {index} set index {integer} set lang {string} set value {string}

end config wireless-controller hotspot20 h2qp-osu-provider

Configuring a point-to-point bridge

edit {name} config friendly-name edit {index} set index {integer} set lang {string} set friendly-name {string}

Configuring a point-to-point bridge Hotspot 2.0

next set server-uri {string} set osu-method {option} set osu-nai {string} config service-description edit {service-id} set service-id {integer} set lang {string}

set service-description {string}

set icon {string}

end

config wireless-controller hotspot20 h2qp-wan-metric edit {name} set link-status {option} set symmetric-wan-link {option} set link-at-capacity {enable | disable} set uplink-speed {integer} set downlink-speed {integer} set uplink-load {integer} set downlink-load {integer} set load-measurement-duration {integer}

end

config wireless-controller hotspot20 hs-profile edit {name} set access-network-type {option} set access-network-internet {enable | disable} set access-network-asra {enable | disable} set access-network-esr {enable | disable} set access-network-uesa {enable | disable} set venue-group {option} set venue-type {option} set hessid {mac address} set proxy-arp {enable | disable} set l2tif {enable | disable} set pame-bi {enable | disable} set anqp-domain-id {integer} set domain-name {string} set osu-ssid {string} set gas-comeback-delay {integer} set gas-fragmentation-limit {integer} set dgaf {enable | disable} set deauth-request-timeout {integer} set wnm-sleep-mode {enable | disable} set bss-transition {enable | disable} set venue-name {string} set roaming-consortium {string} set nai-realm {string} set oper-friendly-name {string} config osu-provider edit {name} next set wan-metrics {string}

Hotspot 2.0 Configuring a point-to-point bridge

set network-auth {string} set 3gpp-plmn {string} set conn-cap {string} set qos-map {string} set ip-addr-type {string}

end

config wireless-controller hotspot20 icon edit {name} config icon-list edit {name} set lang {string} set file {string} set type {option} set width {integer} set height {integer}

end

config wireless-controller hotspot20 qos-map edit {name} config dscp-except edit {index} set index set dscp set up

config dscp-range edit {index} set index set up set low set high

next end

Access point deployment

Leave a reply

Access point deployment

Overview

FortiAP units discover WiFi controllers. The administrator of the WiFi controller authorizes the FortiAP units that the controller will manage.

In most cases, FortiAP units can find WiFi controllers through the wired Ethernet without any special configuration. Review the following section, Access point deployment on page 55, to make sure that your method of connecting the FortiAP unit to the WiFi controller is valid. Then, you are ready to follow the procedures in Access point deployment on page 55.

If your FortiAP units are unable to find the WiFi controller, refer to Access point deployment on page 55 for detailed information about the FortiAP unit’s controller discovery methods and how you can configure them.

Network topology for managed APs

The FortiAP unit can be connected to the FortiGate unit in any of the following ways:

Direct connection: The FortiAP unit is directly connected to the FortiGate unit with no switches between them.

This configuration is common for locations where the number of FortiAP’s matches up with the number of

‘internal’ ports available on the FortiGate. In this configuration the FortiAP unit requests an IP address from the FortiGate unit, enters discovery mode and should quickly find the FortiGate WiFi controller. This is also known as a wirecloset deployment. See “Wirecloset and Gateway deployments” below.

Wirecloset deployment

Switched Connection: The FortiAP unit is connected to the FortiGate WiFi controller by an Ethernet switch operating in L2 switching mode or L3 routing mode. There must be a routable path between the FortiAP unit and the FortiGate unit and ports 5246 and 5247 must be open. This is also known as a gateway deployment. See Gateway Deployment below.

Gateway Deployment

Network topology for managed

Connection over WAN: The FortiGate WiFi controller is off-premises and connected by a VPN tunnel to a local FortiGate. In this method of connectivity its best to configure each FortiAP with the static IP address of the WiFi controller. Each FortiAP can be configured with three WiFi controller IP addresses for redundant failover. This is also known as a datacenter remote management deployment. See Remote deployment below.

Remote deployment

Pages: 1 2 3 4 5 6 7 8 9 10

Configuring a WiFi LAN

2 Replies

Configuring a WiFi LAN

When working with a FortiGate WiFi controller, you can configure your wireless network before you install any access points. If you are working with a standalone FortiWiFi unit, the access point hardware is already present but the configuration is quite similar. Both are covered in this section.

Overview of WiFi controller configuration

Setting your geographic location

Creating a FortiAP profile

Defining a wireless network interface (SSID)

Defining SSID groups

Dynamic user VLAN assignment

Configuring user authentication

Configuring firewall policies for the SSID

Configuring the built-in access point on a FortiWiFi unit

Enforcing UTM policies on a local bridge SSID for managed smart APs

On FortiGate model 30D, web-based manager configuration of the WiFi controller is disabled by default. To enable it, enter the following CLI commands:

config system global

set gui-wireless-controller enable end

The WiFi Controller and Switch Controller are enabled through the Feature Store (under System > Feature Select). However, they are separately enabled and configured to display in the GUI via the CLI.

To enable both WiFi and Switch controllers, enter the following:

config system global set wireless-controller enable set switch-controller enable

end

To enable the GUI display for both controllers, have also been separated:

config system settings set gui-wireless-controller enable set gui-switch-controller enable end

If you want to connect and authorize external APs, such as FortiAP units, see the next chapter, Access point deployment.

Pages: 1 2 3 4 5 6 7 8 9