Wireless network examples

This chapter provides an example wireless network configuration.

  • Basic wireless network
  • A more complex example

 

Basic wireless network

This example uses automatic configuration to set up a basic wireless network. To configure this wireless network, you must:

  • Configure authentication for wireless users
  • Configure the SSID (WiFi network interface)
  • Add the SSID to the FortiAP Profile
  • Configure the firewall policy
  • Configure and connect FortiAP units

 

Configuring authentication for wireless users

You need to configure user accounts and add the users to a user group. This example shows only one account, but multiple accounts can be added as user group members.

 

To configure a WiFi user – web-based manager

1. Go to User & Device > User Definition and select Create New.

2. Select Local User and then click Next.

3. Enter a User Name and Password and then click Next.

4. Click Next.

5. Make sure that Enable is selected and then click Create.

 

To configure the WiFi user group – web-based manager

1. Go to User & Device > User Groups and select Create New.

2. Enter the following information and then select OK:

Name                                           wlan_users

Type                                            Firewall

Members                                    Add users.

 

To configure a WiFi user and the WiFi user group – CLI

config user user
  edit "user01"
    set type password
    set passwd "asdf12ghjk"
  end

config user group
  edit "wlan_users"
    set member "user01"
  end

 

Configuring the SSID

First, establish the SSID (network interface) for the network. This is independent of the number of physical access points that will be deployed. The network assigns IP addresses using DHCP.

 

To configure the SSID – web-based manager

1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.

2. Enter the following information and select OK:

 

Interface Name                                    example_wifi_if

 

Traffic Mode                                        Tunnel to Wireless Controller

 

IP/Network Mask                                 10.10.110.1/24

 

Administrative Access                       Ping (to assist with testing)

 

DHCP Server                                        Enable

 

Address Range           10.10.110.2 – 10.10.110.199

 

Netmask                       255.255.255.0

 

Default Gateway          Same As Interface IP

 

DNS Server                   Same as System DNS

 

SSID                                                      example_wifi

 

Security Mode                                     WPA2 Enterprise

 

Authentication                                     Local, select wlan_users user group.

 

Leave other settings at their default values.

 

 

To configure the SSID – CLI

config wireless-controller vap
  edit example_wifi_if
    set ssid "example_wifi"
    set broadcast-ssid enable
    set security wpa-enterprise
    set auth usergroup
    set usergroup wlan_users
    set schedule always
  end

config system interface
  edit example_wifi_if
    set ip 10.10.110.1 255.255.255.0
  end

config system dhcp server
  edit 0
    set default-gateway 10.10.110.1
    set dns-service default
    set interface "example_wifi_if"
    config ip-range
      edit 1
        set end-ip 10.10.110.199
        set start-ip 10.10.110.2
      end
    set netmask 255.255.255.0
  end

 

Adding the SSID to the FortiAP Profile

The radio portion of the FortiAP configuration is contained in the FortiAP Profile. By default, there is a profile for each platform (FortiAP model). You can create additional profiles if needed. The SSID needs to be specified in the profile.

 

To add the SSID to the FortiAP Profile – web-based manager

1. Go to WiFi & Switch Controller > FortiAP Profiles and edit the profile for your model of FortiAP unit.

2. In Radio 1 and Radio 2, add example_wifi in SSID.

3. Select OK.

 

Configuring security policies

A security policy is needed to enable WiFi users to access the Internet on port1. First you create firewall address for the WiFi network, then you create the example_wifi to port1 policy.

 

To create a firewall address for WiFi users – web-based manager

1. Go to Policy & Objects > Addresses.

2. Select Create New > Address, enter the following information and select OK.

 

Name                                           wlan_user_net

 

Type                                            IP/Netmask

 

Subnet / IP Range                     10.10.110.0/24

 

Interface                                     example_wifi_if

 

Show in Address List               Enabled

 

 

To create a firewall address for WiFi users – CLI

config firewall address
  edit "wlan_user_net"
    set associated-interface "example_wifi_if"
    set subnet 10.10.110.0 255.255.255.0
  end

 

To create a security policy for WiFi users – web-based manager

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Enter the following information and select OK:

 

Incoming Interface                   example_wifi_if

 

Source Address                        wlan_user_net

 

Outgoing Interface                   port1

 

Destination Address                 All

 

Schedule                                    always

 

Service                                       ALL

 

Action                                         ACCEPT

 

NAT                                             ON. Select Use Destination Interface Address (default).

 

Leave other settings at their default values.

 

To create a firewall policy for WiFi users – CLI

config firewall policy
  edit 0
    set srcintf "example_wifi_if"
    set dstintf "port1"
    set srcaddr "wlan_user_net"
    set dstaddr "all"
    set schedule always
    set service ALL
    set action accept
    set nat enable
  end

 

Connecting the FortiAP units

You need to connect each FortiAP unit to the FortiGate unit, wait for it to be recognized, and then assign it to the AP Profile. But first, you must configure the interface to which the FortiAP units connect and the DHCP server that assigns their IP addresses.

In this example, the FortiAP units connect to port 3 and are controlled through IP addresses on the 192.168.8.0/24 network.

 

To configure the interface for the AP unit – web-based manager

1. Go to Network > Interfaces and edit the port3 interface.

2. Set the Addressing mode to Dedicated to Extension Device and set the IP/Network Mask to 192.168.8.1/255.255.255.0.

3. Select OK.

This procedure automatically configures a DHCP server for the AP units.

 

To configure the interface for the AP unit – CLI

config system interface
  edit port3
    set mode static
    set ip 192.168.8.1 255.255.255.0
  end

 

To configure the DHCP server for AP units – CLI

config system dhcp server
  edit 0
    set interface port3
    config exclude-range
      edit 1
        set end-ip 192.168.8.1
        set start-ip 192.168.8.1
      end
    config ip-range
      edit 1
        set end-ip 192.168.8.254
        set start-ip 192.168.8.2
      end
    set netmask 255.255.255.0
    set vci-match enable
    set vci-string "FortiAP"
  end
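The following is an added example, not FortiOS code or part of the original handbook: a small model of what the port3 DHCP server above does with a discovery request when vci-match is enabled with vci-string "FortiAP". It parses the DHCP option field (option 60 is the vendor class identifier) and only hands out an address from the ip-range to clients whose vendor class matches, which is also why the troubleshooting tip below suggests disabling VCI-Match when a unit is never listed. Substring matching of vci-string and the sample option bytes are assumptions of this model.

```python
from ipaddress import IPv4Address

VCI_OPTION = 60        # DHCP option 60, vendor class identifier (RFC 2132)
MSG_TYPE_OPTION = 53   # DHCP message type; 1 = DHCPDISCOVER


def parse_dhcp_options(raw: bytes) -> dict:
    """Parse a DHCP options field (the bytes after the magic cookie) into {code: value}."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 0:          # pad octet
            i += 1
            continue
        if code == 255:        # end marker
            break
        if i + 1 >= len(raw):
            raise ValueError("truncated option header at offset %d" % i)
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


class ApDhcpServer:
    """Model (not FortiOS code) of the port3 server: ip-range, exclude-range, vci-match."""

    def __init__(self, start, end, exclude=(), vci_match=True, vci_string="FortiAP"):
        first, last = int(IPv4Address(start)), int(IPv4Address(end))
        self.pool = [IPv4Address(n) for n in range(first, last + 1)]
        self.exclude = {IPv4Address(a) for a in exclude}
        self.vci_match, self.vci_string = vci_match, vci_string
        self.leases = {}   # client MAC -> IPv4Address

    def offer(self, mac: str, options: bytes):
        """Return the address offered to this client, or None if it gets no lease."""
        opts = parse_dhcp_options(options)
        if opts.get(MSG_TYPE_OPTION) != b"\x01":   # only DHCPDISCOVER is modelled
            return None
        if self.vci_match:
            vci = opts.get(VCI_OPTION, b"").decode("ascii", "replace")
            # Assumption of this model: vci-string is matched as a substring of option 60.
            if self.vci_string not in vci:
                return None
        if mac in self.leases:
            return self.leases[mac]
        taken = set(self.leases.values()) | self.exclude
        for ip in self.pool:
            if ip not in taken:
                self.leases[mac] = ip
                return ip
        return None


# Constructed sample DHCPDISCOVER option fields (not real captures): a FortiAP
# announcing its vendor class, and a laptop plugged into port3 by mistake.
FORTIAP_DISCOVER = b"\x35\x01\x01" + b"\x3c\x07FortiAP" + b"\xff"
LAPTOP_DISCOVER = b"\x35\x01\x01" + b"\x3c\x08MSFT 5.0" + b"\xff"


def demo():
    """Same pool as the CLI block above: 192.168.8.2-254, .1 excluded, VCI match on."""
    server = ApDhcpServer("192.168.8.2", "192.168.8.254", exclude=["192.168.8.1"])
    return {
        "ap1": server.offer("02:00:00:00:00:01", FORTIAP_DISCOVER),
        "ap2": server.offer("02:00:00:00:00:02", FORTIAP_DISCOVER),
        "laptop": server.offer("02:00:00:00:00:03", LAPTOP_DISCOVER),
    }


if __name__ == "__main__":
    for client, ip in demo().items():
        print(client, ip)
```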

 

To connect a FortiAP unit – web-based manager

1. Go to WiFi & Switch Controller > Managed FortiAPs.

2. Connect the FortiAP unit to port 3.

3. Periodically select Refresh while waiting for the FortiAP unit to be listed.

Recognition of the FortiAP unit can take up to two minutes.

If FortiAP units are connected but cannot be recognized, try disabling VCI-Match in the DHCP server settings.

4. When the FortiAP unit is listed, select the entry to edit it.

The Edit Managed Access Point window opens.

5. In State, select Authorize.

6. In FortiAP Profile, select the default profile for the FortiAP model.

7. Select OK.

8. Repeat Steps 2 through 7 for each FortiAP unit.

 

 

To connect a FortiAP unit – CLI

1. Connect the FortiAP unit to port 3.

2. Enter

config wireless-controller wtp

3. Wait 30 seconds, then enter get.

Retry the get command every 15 seconds or so until the unit is listed, like this:

== [ FAP22B3U10600118 ]

wtp-id: FAP22B3U10600118

4. Edit the discovered FortiAP unit like this:

  edit FAP22B3U10600118
    set admin enable
  end

5. Repeat Steps 2 through 4 for each FortiAP unit.

 

A more complex example

This example creates multiple networks and uses custom AP profiles.

 

Scenario

In this example, Example Co. provides two wireless networks, one for its employees and the other for customers or other guests of its business. Guest users have access only to the Internet, not to the company’s private network. The equipment for these WiFi networks consists of FortiAP-220B units controlled by a FortiGate unit.

The employee network operates in 802.11n mode on both the 2.4GHz and 5GHz bands. Client IP addresses are in the 10.10.120.0/24 subnet, with 10.10.120.1 the IP address of the WAP. The guest network also operates in 802.11n mode, but only on the 2.4GHz band. Client IP addresses are on the 10.10.115.0/24 subnet, with 10.10.115.1 the IP address of the WAP.

On FortiAP-220B units, the 802.11n mode also supports 802.11g and 802.11b clients on the 2.4GHz band and 802.11a clients on the 5GHz band.

The guest network WAP broadcasts its SSID, the employee network WAP does not.

The employees network uses WPA-Enterprise authentication through a FortiGate user group. The guest network features a captive portal. When a guest first tries to connect to the Internet, a login page requests logon credentials. Guests use numbered guest accounts authenticated by RADIUS. The captive portal for the guests includes a disclaimer page.

In this example, the FortiAP units connect to port 3 and are assigned addresses on the 192.168.8.0/24 subnet.

 

Configuration

To configure these wireless networks, you must:

  • Configure authentication for wireless users
  • Configure the SSIDs (network interfaces)
  • Configure the AP profile
  • Configure the WiFi LAN interface and a DHCP server
  • Configure firewall policies

 

Configuring authentication for employee wireless users

Employees have user accounts on the FortiGate unit. This example shows creation of one user account, but you can create multiple accounts and add them as members to the user group.

 

To configure a WiFi user – web-based manager

1. Go to User & Device > User Definition and select Create New.

2. Select Local User and then click Next.

3. Enter a User Name and Password and then click Next.

4. Click Next.

5. Make sure that Enable is selected and then click Create.

 

To configure the user group for employee access – web-based manager

1. Go to User & Device > User Groups and select Create New.

2. Enter the following information and then select OK:

 

Name                                           employee-group

 

Type                                            Firewall

 

Members                                    Add users.

 

 

To configure a WiFi user and the user group for employee access – CLI

config user user
  edit "user01"
    set type password
    set passwd "asdf12ghjk"
  end

config user group
  edit "employee-group"
    set member "user01"
  end

The user authentication setup will be complete when you select the employee-group in the SSID configuration.

 

Configuring authentication for guest wireless users

Guests are assigned temporary user accounts created on a RADIUS server. The RADIUS server stores each user’s group name in the Fortinet-Group-Name attribute. Wireless users are in the group named “wireless”.

The FortiGate unit must be configured to access the RADIUS server.

 

To configure the FortiGate unit to access the guest RADIUS server – web-based manager

1. Go to User & Device > RADIUS Servers and select Create New.

2. Enter the following information and select OK:

 

Name                                           guestRADIUS

 

Primary Server IP/Name           10.11.102.100

 

Primary Server Secret               grikfwpfdfg

 

Secondary Server IP/Name      Optional

 

Secondary Server Secret         Optional

 

Authentication Scheme            Use default, unless server requires otherwise.

 

Leave other settings at their default values.

 

 

 

To configure the FortiGate unit to access the guest RADIUS server – CLI

config user radius
  edit guestRADIUS
    set auth-type auto
    set server 10.11.102.100
    set secret grikfwpfdfg
  end

 

To configure the user group for guest access – web-based manager

1. Go to User & Device > User Groups and select Create New.

2. Enter the following information and then select OK:

 

Name                                           guest-group

 

Type                                            Firewall

 

Members                                    Leave empty.

3. Select Create new.

4. Enter:

 

Remote Server                           Select guestRADIUS.

 

Groups                                       Select wireless

 

5. Select OK.

 

 

To configure the user group for guest access – CLI

config user group
  edit "guest-group"
    set member "guestRADIUS"
    config match
      edit 0
        set server-name "guestRADIUS"
        set group-name "wireless"
      end
  end

The user authentication setup will be complete when you select the guest-group user group in the SSID configuration.

 

Configuring the SSIDs

First, establish the SSIDs (network interfaces) for the employee and guest networks. This is independent of the number of physical access points that will be deployed. Both networks assign IP addresses using DHCP.

 

To configure the employee SSID – web-based manager

1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.

2. Enter the following information and select OK:

 

Interface Name                          example_inc

 

Traffic Mode                              Tunnel to Wireless Controller

 

IP/Netmask                                 10.10.120.1/24

 

Administrative Access             Ping (to assist with testing)

 

Enable DHCP                             Enable

 

Address Range                       10.10.120.2 – 10.10.120.199

 

Netmask                                   255.255.255.0

 

Default Gateway                      Same As Interface IP

 

DNS Server                              Same as System DNS

 

SSID                                            example_inc

 

Security Mode                           WPA/WPA2-Enterprise

 

Authentication                           Select Local, then select employee-group.

 

Leave other settings at their default values.

 

 

To configure the employee SSID – CLI

config wireless-controller vap
  edit example_inc
    set ssid "example_inc"
    set security wpa-enterprise
    set auth usergroup
    set usergroup employee-group
    set schedule always
  end

config system interface
  edit example_inc
    set ip 10.10.120.1 255.255.255.0
  end

config system dhcp server
  edit 0
    set default-gateway 10.10.120.1
    set dns-service default
    set interface example_inc
    config ip-range
      edit 1
        set end-ip 10.10.120.199
        set start-ip 10.10.120.2
      end
    set lease-time 7200
    set netmask 255.255.255.0
  end

 

 

To configure the example_guest SSID – web-based manager

1. Go to WiFi & Switch Controller > SSID and select Create New.

2. Enter the following information and select OK:

 

Name                                           example_guest

 

IP/Netmask                                 10.10.115.1/24

 

Administrative Access             Ping (to assist with testing)

 

Enable DHCP                             Enable

 

Address Range                       10.10.115.2 – 10.10.115.50

 

Netmask                                   255.255.255.0

 

Default Gateway                      Same as Interface IP

 

DNS Server                              Same as System DNS

 

SSID                                            example_guest

 

Security Mode                           Captive Portal

 

Portal Type                                Authentication

 

Authentication Portal               Local

 

User Groups                              Select guest-group

 

Leave other settings at their default values.

 

 

To configure the example_guest SSID – CLI

config wireless-controller vap
  edit example_guest
    set ssid "example_guest"
    set security captive-portal
    set selected-usergroups guest-group
    set schedule always
  end

config system interface
  edit example_guest
    set ip 10.10.115.1 255.255.255.0
  end

config system dhcp server
  edit 0
    set default-gateway 10.10.115.1
    set dns-service default
    set interface "example_guest"
    config ip-range
      edit 1
        set end-ip 10.10.115.50
        set start-ip 10.10.115.2
      end
    set lease-time 7200
    set netmask 255.255.255.0
  end

 

Configuring the FortiAP profile

The FortiAP Profile defines the radio settings for the networks. The profile provides access to both Radio 1 (2.4GHz) and Radio 2 (5GHz) for the employee virtual AP, but provides access only to Radio 1 for the guest virtual AP.

 

To configure the FortiAP Profile – web-based manager

1. Go to WiFi & Switch Controller > FortiAP Profiles and select Create New.

2. Enter the following information and select OK:

 

Name                                           example_AP

 

Platform                                      FAP220B

 

Radio 1

 

Mode                                        Access Point

 

Band                                         802.11n

 

Channel                                    Select 1, 6, and 11.

 

Tx Power                                  100%

 

SSID                                          Select SSIDs and select example_inc and example_guest.

 

Radio 2

 

Mode                                        Access Point

 

Band                                         802.11n_5G

 

Channel                                    Select all.

 

Tx Power                                  100%

 

SSID                                          Select SSIDs and select example_inc.

 

 

To configure the AP Profile – CLI

config wireless-controller wtp-profile
  edit "example_AP"
    config platform
      set type 220B
    end
    config radio-1
      set ap-bgscan enable
      set band 802.11n
      set channel "1" "6" "11"
      set vaps "example_inc" "example_guest"
    end
    config radio-2
      set ap-bgscan enable
      set band 802.11n-5G
      set channel "36" "40" "44" "48" "149" "153" "157" "161" "165"
      set vaps "example_inc"
    end
  end

 

Configuring firewall policies

Identity-based firewall policies are needed to enable the WLAN users to access the Internet on Port1. First you create firewall addresses for employee and guest users, then you create the firewall policies.

 

To create firewall addresses for employee and guest WiFi users

1. Go to Policy & Objects > Addresses.

2. Select Create New, enter the following information and select OK.

 

Address Name                           employee-wifi-net

 

Type                                            Subnet / IP Range

 

Subnet / IP Range                     10.10.120.0/24

 

Interface                                     example_inc

 

 

3. Select Create New, enter the following information and select OK.

 

Address Name                           guest-wifi-net

 

Type                                            Subnet / IP Range

 

Subnet / IP Range                     10.10.115.0/24

 

Interface                                     example_guest

 

 

To create firewall policies for employee WiFi users – web-based manager

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Enter the following information and select OK:

 

Incoming Interface                   example_inc

 

Source Address                        employee-wifi-net

 

Outgoing Interface                   port1

 

Destination Address                 all

 

Schedule                                    always

 

Service                                       ALL

 

Action                                         ACCEPT

 

NAT                                             Enable NAT

3. Optionally, select a security profile for wireless users.

4. Select OK.

5. Repeat steps 1 through 4, but select Internal as the Destination Interface/Zone to provide access to the ExampleCo private network.

 

 

To create firewall policies for employee WiFi users – CLI

config firewall policy
  edit 0
    set srcintf "example_inc"
    set dstintf "port1"
    set srcaddr "employee-wifi-net"
    set dstaddr "all"
    set action accept
    set schedule "always"
    set service "ALL"
    set nat enable
  next
  edit 0
    set srcintf "example_inc"
    set dstintf "internal"
    set srcaddr "employee-wifi-net"
    set dstaddr "all"
    set action accept
    set schedule "always"
    set service "ALL"
    set nat enable
  end

 

To create a firewall policy for guest WiFi users – web-based manager

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Enter the following information and select OK:

 

Incoming Interface                   example_guest

 

Source Address                        guest-wifi-net

 

Outgoing Interface                   port1

 

Destination Address                 all

 

Schedule                                    always

 

Service                                       ALL

 

Action                                         ACCEPT

 

NAT                                             Enable NAT

3. Optionally, select UTM and set up UTM features for wireless users.

4. Select OK.

 

 

To create a firewall policy for guest WiFi users – CLI

config firewall policy
  edit 0
    set srcintf "example_guest"
    set dstintf "port1"
    set srcaddr "guest-wifi-net"
    set dstaddr "all"
    set action accept
    set schedule "always"
    set service "ALL"
    set nat enable
  end

 

Connecting the FortiAP units

You need to connect each FortiAP-220A unit to the FortiGate unit, wait for it to be recognized, and then assign it to the AP Profile. But first, you must configure the interface to which the FortiAP units connect and the DHCP server that assigns their IP addresses.

In this example, the FortiAP units connect to port 3 and are controlled through IP addresses on the 192.168.8.0/24 network.

 

To configure the interface for the AP unit – web-based manager

1. Go to Network > Interfaces and edit the port3 interface.

2. Set the Addressing mode to Dedicated to Extension Device and set the IP/Netmask to 192.168.8.1/255.255.255.0.

This step automatically configures a DHCP server for the AP units.

3. Select OK.

 

 

To configure the interface for the AP unit – CLI

config system interface
  edit port3
    set mode static
    set ip 192.168.8.1 255.255.255.0
  end

 

To configure the DHCP server for AP units – CLI

config system dhcp server
  edit 0
    set interface port3
    config ip-range
      edit 1
        set end-ip 192.168.8.9
        set start-ip 192.168.8.2
      end
    set netmask 255.255.255.0
    set vci-match enable
    set vci-string "FortiAP"
  end

 

To connect a FortiAP-220A unit – web-based manager

1. Go to WiFi & Switch Controller > Managed FortiAPs.

2. Connect the FortiAP unit to port 3.

3. Periodically select Refresh while waiting for the FortiAP unit to be listed.

Recognition of the FortiAP unit can take up to two minutes.

If there is persistent difficulty recognizing FortiAP units, try disabling VCI-Match in the DHCP server settings.

4. When the FortiAP unit is listed, select the entry to edit it.

The Edit Managed Access Point window opens.

5. In State, select Authorize.

6. In the AP Profile, select [Change] and then select the example_AP profile.

7. Select OK.

8. Repeat Steps 2 through 7 for each FortiAP unit.

 

 

To connect a FortiAP-220A unit – CLI

1. Connect the FortiAP unit to port 3.

2. Enter:

config wireless-controller wtp

3. Wait 30 seconds, then enter get.

Retry the get command every 15 seconds or so until the unit is listed, like this:

== [ FAP22A3U10600118 ]

wtp-id: FAP22A3U10600118

4. Edit the discovered FortiAP unit like this:

  edit FAP22A3U10600118
    set admin enable
    set wtp-profile example_AP
  end

5. Repeat Steps 2 through 4 for each FortiAP unit.

 

Configuring wireless network clients

This chapter shows how to configure typical wireless network clients to connect to a wireless network with WPA-Enterprise security.

  • Windows XP client
  • Windows 7 client
  • Mac OS client
  • Linux client
  • Troubleshooting

 

Windows XP client

To configure the WPA-Enterprise network connection

1. In the Windows Start menu, go to Control Panel > Network Connections > Wireless Network Connection or select the wireless network icon in the Notification area of the Taskbar. A list of available networks is displayed.

If you are already connected to another wireless network, the Connection Status window displays. Select View Wireless Networks on the General tab to view the list.

If the network broadcasts its SSID, it is listed. But do not try to connect until you have completed the configuration step below. Because the network doesn’t use the Windows XP default security configuration, configure the client’s network settings manually before trying to connect.

2. You can configure the WPA-Enterprise network to be accessible from the View Wireless Networks window even if it does not broadcast its SSID.

3. Select Change Advanced Settings and then select the Wireless Networks tab.

 

Any existing networks that you have already configured are listed in the Preferred Networks list.

4. Select Add and enter the following information:

 

Network Name (SSID)               The SSID for your wireless network

Network Authentication           WPA2

Data Encryption                        AES

5. If this wireless network does not broadcast its SSID, select Connect even if this network is not broadcasting so that the network will appear in the View Wireless Networks list.

6. Select the Authentication tab.

7. In EAP Type, select Protected EAP (PEAP).

8. Make sure that the other two authentication options are not selected.

9. Select Properties.

10. Make sure that Validate server certificate is selected.

11. Select the server certificate UTN-USERFirst-Hardware.

12. In Select Authentication Method, select Secured Password (EAP-MSCHAPv2).

13. Ensure that the remaining options are not selected.

14. Select Configure.

15. If your wireless network credentials are the same as your Windows logon credentials, select Automatically use my Windows logon name and password. Otherwise, make sure that this option is not selected.

16. Select OK. Repeat until you have closed all of the Wireless Network Connection Properties windows.

Wireless network monitoring

You can monitor both your wireless clients and other wireless networks that are available in your coverage area.

  • Monitoring wireless clients
  • Monitoring rogue APs
  • Suppressing rogue APs
  • Monitoring wireless network health

 

Monitoring wireless clients

 

To view connected clients on a FortiWiFi unit

1. Go to Monitor > Client Monitor.

The following information is displayed:

SSID                                            The SSID that the client connected to.

FortiAP                                       The serial number of the FortiAP unit to which the client connected.

User                                            User name

IP                                                 The IP address assigned to the wireless client.

Device

Auth                                            The type of authentication used.

Channel                                      WiFi radio channel in use.

Bandwidth Tx/Rx                      Client received and transmitted bandwidth, in Kbps.

Signal Strength / Noise            The signal-to-noise ratio in decibels, calculated from signal strength and noise level.

Signal Strength

Association Time                      How long the client has been connected to this access point.

 

Results can be filtered. Select the filter icon on the column you want to filter. Enter the values to include or select NOT if you want to exclude the specified values.

 

Monitoring rogue APs

The access point radio equipment can scan for other available access points, either as a dedicated monitor or in idle periods during AP operation.

Discovered access points are listed in Monitor > Rogue AP Monitor. You can then mark them as either Accepted or Rogue access points. This designation helps you to track access points. It does not affect anyone’s ability to use these access points.

It is also possible to suppress rogue APs. See Suppressing rogue APs.

 

Onwire rogue AP detection technique

Other APs that are available in the same area as your own APs are not necessarily rogues. A neighboring AP that has no connection to your network might cause interference, but it is not a security threat. A rogue AP is an unauthorized AP connected to your wired network. This can enable unauthorized access. When rogue AP detection is enabled, the Onwire column in the Rogue AP Monitor list shows a green up-arrow on detected rogues.

Rogue AP monitoring of WiFi client traffic builds a table of WiFi clients and the Access Points that they are communicating through. The FortiGate unit also builds a table of MAC addresses that it sees on the LAN. The FortiGate unit’s on-wire correlation engine constantly compares the MAC addresses seen on the LAN to the MAC addresses seen on the WiFi network.

There are two methods of Rogue AP on-wire detection operating simultaneously: Exact MAC address match and MAC adjacency.
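As an added example (not FortiOS code and not from the handbook), the following models the on-wire correlation just described: it keeps the two tables the text names, WiFi clients with the AP they associate through and MAC addresses seen on the LAN, and marks an unknown AP as on-wire by exact MAC match or by MAC adjacency. The adjacency window (same OUI, address value within 8 of a LAN MAC) and all MAC addresses are assumptions of this model; FortiOS does not document its adjacency distance here.

```python
ADJACENCY_WINDOW = 8   # assumption: address distance that counts as "adjacent"


def mac_to_int(mac: str) -> int:
    return int(mac.lower().replace(":", "").replace("-", ""), 16)


def is_adjacent(bssid: str, lan_mac: str) -> bool:
    """Same OUI (first three bytes) and address values differ by at most the window."""
    a, b = mac_to_int(bssid), mac_to_int(lan_mac)
    return (a >> 24) == (b >> 24) and abs(a - b) <= ADJACENCY_WINDOW


class OnWireCorrelator:
    """Model of the on-wire correlation engine (not FortiOS code)."""

    def __init__(self, authorized_bssids):
        self.authorized = {m.lower() for m in authorized_bssids}   # our managed APs
        self.wifi_clients = {}   # client MAC -> BSSID the client communicates through
        self.lan_macs = set()    # source MACs seen on the wired LAN

    def see_wifi(self, client_mac, bssid):
        self.wifi_clients[client_mac.lower()] = bssid.lower()

    def see_lan(self, mac):
        self.lan_macs.add(mac.lower())

    def classify(self):
        """Return {bssid: verdict} for every AP that is not one of our own.

        verdict is ('rogue', 'exact-mac-match'), ('rogue', 'mac-adjacency')
        or ('neighbor', None) for an AP with no correlation to the wire.
        """
        verdicts = {}
        for client, bssid in self.wifi_clients.items():
            if bssid in self.authorized:
                continue
            if bssid in verdicts and verdicts[bssid][0] == "rogue":
                continue   # already flagged by another client
            # Exact match: the client's MAC, or the AP's own MAC, also shows up on the wire.
            if client in self.lan_macs or bssid in self.lan_macs:
                verdicts[bssid] = ("rogue", "exact-mac-match")
            # Adjacency: a wired MAC close to the BSSID, typical of an AP's own LAN port.
            elif any(is_adjacent(bssid, m) for m in self.lan_macs):
                verdicts[bssid] = ("rogue", "mac-adjacency")
            else:
                verdicts[bssid] = ("neighbor", None)
        return verdicts


def demo():
    """Constructed observations (all addresses invented for this example)."""
    c = OnWireCorrelator(authorized_bssids=["02:09:0f:aa:00:01"])
    # WiFi side: one client seen behind each of three unknown APs and our own AP
    c.see_wifi("3c:22:fb:12:34:56", "a4:2b:8c:11:22:40")   # client of AP A
    c.see_wifi("9c:b6:d0:65:43:21", "d8:47:32:55:66:10")   # client of AP B
    c.see_wifi("f4:5c:89:ab:cd:ef", "f0:9f:c2:77:88:99")   # client of AP C
    c.see_wifi("70:b3:d5:00:11:22", "02:09:0f:aa:00:01")   # client of our own AP
    # LAN side
    c.see_lan("3c:22:fb:12:34:56")   # AP A's WiFi client appears on the wire: exact match
    c.see_lan("d8:47:32:55:66:0c")   # four below AP B's BSSID: adjacency
    c.see_lan("00:50:56:01:02:03")   # unrelated wired host
    return c.classify()


if __name__ == "__main__":
    for bssid, (verdict, reason) in demo().items():
        print(bssid, verdict, reason or "")
```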

Protecting the WiFi Network

  • Wireless IDS
  • WiFi data channel encryption
  • Protected Management Frames support

 

Wireless IDS

The FortiGate Wireless Intrusion Detection System (WIDS) monitors wireless traffic for a wide range of security threats by detecting and reporting on possible intrusion attempts. When an attack is detected the FortiGate unit records a log message.

 

You can create a WIDS profile to enable these types of intrusion detection:

  • Asleap Attack—ASLEAP is a tool used to perform attacks against LEAP authentication.
  • Association Frame Flooding—A Denial of Service attack using a large number of association requests. The default detection threshold is 30 requests in 10 seconds.
  • Authentication Frame Flooding—A Denial of Service attack using a large number of authentication requests. The default detection threshold is 30 requests in 10 seconds.
  • Broadcasting De-authentication—This is a type of Denial of Service attack. A flood of spoofed de-authentication frames forces wireless clients to de-authenticate, then re-authenticate with their AP.
  • EAPOL Packet Flooding—Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication. Flooding the AP with these packets can be a denial of service attack. Several types of EAPOL packets are detected: EAPOL-FAIL, EAPOL-LOGOFF, EAPOL-START, EAPOL-SUCC.
  • Invalid MAC OUI—Some attackers use randomly-generated MAC addresses. The first three bytes of the MAC address are the Organizationally Unique Identifier (OUI), administered by IEEE. Invalid OUIs are logged.
  • Long Duration Attack—To share radio bandwidth, WiFi devices reserve channels for brief periods of time. Excessively long reservation periods can be used as a denial of service attack. You can set a threshold between 1000 and 32 767 microseconds. The default is 8200.
  • Null SSID Probe Response—When a wireless client sends out a probe request, the attacker sends a response with a null SSID. This causes many wireless cards and devices to stop responding.
  • Spoofed De-authentication—Spoofed de-authentication frames are a denial of service attack. They cause all clients to disconnect from the AP.
  • Weak WEP IV Detection—A primary means of cracking WEP keys is by capturing 802.11 frames over an extended period of time and searching for patterns of WEP initialization vectors (IVs) that are known to be weak. WIDS detects known weak WEP IVs in on-air traffic.
  • Wireless Bridge—WiFi frames with both the fromDS and ToDS fields set indicate a wireless bridge. This will also detect a wireless bridge that you intentionally configured in your network.

You can enable wireless IDS by selecting a WIDS Profile in your FortiAP profile.

 

To create a WIDS Profile

1. Go to WiFi & Switch Controller > WIDS Profiles.

2. Select a profile to edit or select Create New.

3. Select the types of intrusion to protect against.

By default, all types are selected.

4. Select Apply.

You can also configure a WIDS profile in the CLI using the config wireless-controller wids-profile command.

 

Rogue AP detection

The WIDS profile includes settings for detection of unauthorized (rogue) access points in your wireless network. For more information, see Wireless network monitoring on page 894.

 

 

WiFi data channel encryption

Optionally, you can apply DTLS encryption to the data channel between the wireless controller and FortiAP units. This enhances security.

There are data channel encryption settings on both the FortiGate unit and the FortiAP units. At both ends, you can enable Clear Text, DTLS encryption, or both. The settings must agree or the FortiAP unit will not be able to join the WiFi network. By default, both Clear Text and DTLS-encrypted communication are enabled on the FortiAP unit, allowing the FortiGate setting to determine whether data channel encryption is used. If the FortiGate unit also enables both Clear Text and DTLS, Clear Text is used.

Data channel encryption settings are located in the FortiAP profile. By default, only Clear Text is selected there. To enforce encryption, select DTLS alone in the FortiAP profile: selecting both Clear Text and DTLS on the FortiGate side results in Clear Text being used.

Data channel encryption is software-based and can affect performance. Verify that the system meets your performance requirements with encryption enabled.

Using Remote WLAN FortiAPs


Remote WLAN FortiAP models enable you to provide a pre-configured WiFi access point to a remote or traveling employee. Once plugged in at home or in a hotel room, the FortiAP automatically discovers the enterprise FortiGate WiFi controller over the Internet and broadcasts the same wireless SSID used in the corporate office. Communication between the WiFi controller and the FortiAP is carried in the CAPWAP tunnel, which can be DTLS-encrypted (see WiFi data channel encryption), so no separate VPN is needed.

 

Split tunneling

By default, all traffic from the remote FortiAP is sent to the FortiGate WiFi controller. If split tunneling is configured, only traffic destined for the corporate office networks is routed to the FortiGate unit. Other general Internet traffic is routed unencrypted through the local gateway. Split tunneling avoids loading the FortiGate unit with unnecessary traffic and allows direct access to local private networks at the FortiAP’s location even if the connection to the WiFi controller goes down.

 

Note: Split tunneling in WiFi networks differs in implementation from split tunneling in VPN configurations.

By default, split tunneling options are not visible in the FortiGate GUI. You can make these options visible using the following CLI command:

config system settings
    set gui-fortiap-split-tunneling enable
end

Split tunneling is configured in the FortiAP Profile and enabled in the SSID.

 

 

Configuring the FortiGate for remote FortiAPs

This section assumes that you have already defined SSIDs and now want to make them available to remote

FortiAPs.

  • Create FortiAP profiles for the Remote LAN FortiAP models
  • If split tunneling will be used
  • enable Split Tunneling in the SSID
  • configure the split tunnel networks in the FortiAP profile
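
Both the data channel encryption rules (which side's setting wins) and the split tunneling rules (everything to the controller by default; with split tunneling enabled, only destinations in the profile's subnet list are tunnelled) are easier to reason about when a config can be checked mechanically. The following is an added example, not FortiOS or Fortinet code: a small parser for the FortiOS-style config text used on this page, plus two audit functions that apply the rules above to a constructed sample configuration. The keyword names dtls-policy, split-tunneling, split-tunneling-acl and dest-ip are assumed to be the FortiOS CLI names and should be checked against the CLI reference for your firmware; the FortiAP default of allowing both Clear Text and DTLS is taken from the text above.

```python
"""Parse FortiOS-style CLI config and audit data-channel and split-tunnel settings.

Added example, not FortiOS code. SAMPLE_CONFIG is constructed; the keyword names
(dtls-policy, split-tunneling, split-tunneling-acl, dest-ip) are assumed FortiOS
CLI names and should be verified against the CLI reference for your firmware.
"""
import shlex
from ipaddress import ip_address, ip_network

SAMPLE_CONFIG = """
config wireless-controller wtp-profile
    edit "remote-office"
        set dtls-policy clear-text dtls-enabled
        config split-tunneling-acl
            edit 1
                set dest-ip 10.0.0.0 255.0.0.0
            next
            edit 2
                set dest-ip 172.16.0.0 255.240.0.0
            next
        end
    next
    edit "remote-office-hardened"
        set dtls-policy dtls-enabled
    next
end
config wireless-controller vap
    edit "corp_if"
        set ssid "corp"
        set security wpa2-only-personal
        set passphrase "example-passphrase-only"
        set split-tunneling enable
    next
end
"""

FORTIAP_DEFAULT_POLICY = {"clear-text", "dtls-enabled"}   # FortiAP default: both enabled


def parse_fortios(text):
    """Nested dict: config blocks and edit entries are dicts, 'set' values are lists."""
    root = {}
    stack = [(root, "config")]
    for line in text.splitlines():
        parts = shlex.split(line)
        if not parts:
            continue
        keyword, node = parts[0], stack[-1][0]
        if keyword == "config":
            stack.append((node.setdefault(" ".join(parts[1:]), {}), "config"))
        elif keyword == "edit":
            stack.append((node.setdefault(parts[1], {}), "edit"))
        elif keyword == "set":
            node[parts[1]] = parts[2:]
        elif keyword == "next":
            stack.pop()
        elif keyword == "end":          # 'end' also closes an open 'edit', as the page's snippets rely on
            while stack.pop()[1] != "config":
                pass
    return root


def data_channel_mode(profile, fortiap_policy=FORTIAP_DEFAULT_POLICY):
    """Mode the FortiAP ends up using: Clear Text wins whenever both ends allow it."""
    fortigate_policy = set(profile.get("dtls-policy", ["clear-text"]))  # FortiGate default
    common = fortigate_policy & set(fortiap_policy)
    if not common:
        return "no-join"                # settings disagree: the FortiAP cannot join
    return "clear-text" if "clear-text" in common else "dtls"


def split_tunnel_target(vap, profile, destination):
    """'controller' if a client packet is tunnelled to the FortiGate, 'local' if it exits locally."""
    if vap.get("split-tunneling", ["disable"]) != ["enable"]:
        return "controller"             # default: all traffic goes to the controller
    acl = profile.get("split-tunneling-acl", {})
    corporate = [ip_network("/".join(entry["dest-ip"]), strict=False) for entry in acl.values()]
    return "controller" if any(ip_address(destination) in net for net in corporate) else "local"


def audit(config_text=SAMPLE_CONFIG):
    cfg = parse_fortios(config_text)
    profiles = cfg["wireless-controller wtp-profile"]
    vap = cfg["wireless-controller vap"]["corp_if"]
    office = profiles["remote-office"]
    return {
        "data-channel": {name: data_channel_mode(p) for name, p in profiles.items()},
        "10.1.2.3": split_tunnel_target(vap, office, "10.1.2.3"),
        "172.16.5.9": split_tunnel_target(vap, office, "172.16.5.9"),
        "203.0.113.10": split_tunnel_target(vap, office, "203.0.113.10"),
    }


if __name__ == "__main__":
    print(audit())
```

Note that the remote-office profile, which allows both Clear Text and DTLS, ends up in clear-text: that is the trap the text describes, and the hardened profile avoids it by allowing DTLS only. The split-tunnel function treats the ACL as the list of networks that are sent through the tunnel, matching the description above; if your firmware supports choosing the opposite sense for the ACL, adjust accordingly.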

Combining WiFi and wired networks with a software switch

Combining WiFi and wired networks with a software switch
FortiAP local bridging (Private Cloud-Managed AP)
Using bridged FortiAPs to increase scalability

 

Combining WiFi and wired networks with a software switch

A WiFi network can be combined with a wired LAN so that WiFi and wired clients are on the same subnet. This is a convenient configuration for users. Note that software switches are only available if your FortiGate is in Interface mode.

Wireless Mesh features cannot be used in conjunction with this configuration because they enable the FortiAP Local Bridge option.

To create the WiFi and wired LAN configuration, you need to:

  • Configure the SSID so that traffic is tunneled to the WiFi controller.
  • Configure a software switch interface on the FortiGate unit with the WiFi and internal network interface as members.
  • Configure Captive Portal security for the software switch interface.

 

To configure the SSID – web-based manager

1. Go to WiFi & Switch Controller > SSID and select Create New.

2. Enter:

Interface name                           A name for the new WiFi interface, homenet_if for example.

Traffic Mode                              Tunnel to Wireless Controller

SSID                                            The SSID visible to users, homenet for example.

Security Mode, Data Encryption, Preshared Key        Configure security as you would for a regular WiFi network.

3. Select OK.

4. Go to WiFi & Switch Controller > Managed FortiAPs, select the FortiAP unit for editing.

5. Authorize the FortiAP unit.

The FortiAP unit can carry other SSIDs in addition to this one.

 

To configure the SSID – CLI

This example creates a WiFi interface “homenet_if” with SSID “homenet” using WPA-Personal security, passphrase “Fortinet1”.

config wireless-controller vap
    edit "homenet_if"
        set vdom "root"
        set ssid "homenet"
        set security wpa-personal
        set passphrase "Fortinet1"
    end

config wireless-controller wtp
    edit FAP22B3U11005354
        set admin enable
        set vaps "homenet_if"
    end

 

To configure the FortiGate software switch – web-based manager

1. Go to Network > Interfaces and select Create New > Interface.

2. Enter:

 

Interface Name                           A name for the new interface, homenet_nw for example.

Type                                      Software Switch

Physical Interface Members               Add homenet_if and the internal network interface.

Addressing mode                          Select Manual and enter an address, for example 172.16.96.32/255.255.255.0.

DHCP Server                              Enable and configure an address range for clients.

Security Mode                            Select Captive Portal. Add the permitted User Groups.

3. Select OK.

 

 

To configure the FortiGate unit – CLI

config system interface
    edit homenet_nw
        set ip 172.16.96.32 255.255.255.0
        set type switch
        set security-mode captive-portal
        set security-groups "Guest-group"
    end

config system interface
    edit homenet_nw
        set member "homenet_if" "internal"
    end

 

VLAN configuration

If your environment uses VLAN tagging, you assign the SSID to a specific VLAN in the CLI. For example, to assign the homenet_if interface to VLAN 100, enter:

config wireless-controller vap
    edit "homenet_if"
        set vlanid 100
    end

 

Additional configuration

The configuration described above provides communication between WiFi and wired LAN users only. To provide access to other networks, create appropriate firewall policies between the software switch and other interfaces.

 

FortiAP local bridging (Private Cloud-Managed AP)

A FortiAP unit can provide WiFi access to a LAN, even when the wireless controller is located remotely. This configuration is useful for the following situations:

  • Installations where the WiFi controller is remote and most of the traffic is local or uses the local Internet gateway
  • Wireless-PCI compliance with remote WiFi controller
  • Telecommuting, where the FortiAP unit has the WiFi controller IP address pre-configured and broadcasts the office SSID in the user’s home or hotel room. In this case, data is sent in the wireless tunnel across the Internet to the office and you should enable encryption using DTLS.

 

Remotely-managed FortiAP providing WiFi access to local network

On the remote FortiGate wireless controller, the WiFi SSID is created with Traffic Mode set to Local bridge with FortiAP’s Interface. In this mode, no IP addresses are configured on the SSID interface. The FortiAP unit’s WiFi and Ethernet interfaces behave as a switch. WiFi client devices obtain IP addresses from the same DHCP server as wired devices on the LAN.

The Local Bridge feature cannot be used in conjunction with Wireless Mesh features.

Block-Intra-SSID Traffic is not available in Bridge mode.

To configure a FortiAP local bridge – web-based manager

1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.

2. Enter:

Interface name                           A name for the new WiFi interface.

Traffic Mode                              Local bridge with FortiAP’s Interface

SSID                                            The SSID visible to users.

Security Mode, Data Encryption, Preshared Key        Configure security as you would for a regular WiFi network.

3. Select OK.

4. Go to WiFi & Switch Controller > Managed FortiAPs and select the FortiAP unit for editing.

5. Authorize the FortiAP unit.

The FortiAP unit can carry regular SSIDs in addition to the Bridge SSID.

 

 

SSID configured for Local Bridge operation

 

To configure a FortiAP local bridge – CLI

This example creates a WiFi interface “branchbridge” with SSID “LANbridge” using WPA-Personal security, passphrase “Fortinet1”.

config wireless-controller vap
    edit "branchbridge"
        set vdom "root"
        set ssid "LANbridge"
        set local-bridging enable
        set security wpa-personal
        set passphrase "Fortinet1"
    end

config wireless-controller wtp
    edit FAP22B3U11005354
        set admin enable
        set vaps "branchbridge"
    end

 

Continued FortiAP operation when WiFi controller connection is down

The wireless controller, or the connection to it, might occasionally become unavailable. During such an outage, clients already associated with a bridge mode FortiAP unit continue to have access to the WiFi and wired networks. Optionally, the FortiAP unit can also continue to authenticate users if the SSID meets these conditions:

  • Traffic Mode is Local bridge with FortiAP’s Interface.

In this mode, the FortiAP unit does not send traffic back to the wireless controller.

  • Security Mode is WPA2 Personal.

This mode does not require the user database. In WPA2 Personal authentication, all clients use the same pre-shared key, which is known to the FortiAP unit.

  • Allow New WiFi Client Connections When Controller is down is enabled.

This field is available only if the other conditions have been met.

The “LANbridge” SSID example would be configured like this in the CLI:

config wireless-controller vap
    edit "branchbridge"
        set vdom "root"
        set ssid "LANbridge"
        set local-bridging enable
        set security wpa-personal
        set passphrase "Fortinet1"
        set local-authentication enable
    end

 

 

Using bridged FortiAPs to increase scalability

The FortiGate wireless controller can support more FortiAP units in local bridge mode than in the normal mode. But this is only true if you configure some of your FortiAP units to operate in remote mode, which supports only local bridge mode SSIDs.

The Managed FortiAP page (WiFi & Switch Controller > Managed FortiAPs) shows at the top right the current number of Managed FortiAPs and the maximum number that can be managed, “5/64” for example. The maximum number, however, is true only if all FortiAP units operate in remote mode. For more detailed information, consult the Maximum Values Table. For each FortiGate model, there are two maximum values for managed FortiAP units: the total number of FortiAPs and the number of FortiAPs that can operate in normal mode.

 

To configure FortiAP units for remote mode operation

1. Create at least one SSID with Traffic Mode set to Local bridge with FortiAP’s Interface.

2. Create a custom AP profile that includes only local bridge SSIDs.

3. Configure each managed FortiAP unit to use the custom AP profile. You also need to set the FortiAP unit’s wtp-mode to remote, which is possible only in the CLI. The following example uses the CLI both to set wtp-mode and select the custom AP profile:

config wireless-controller wtp
    edit FAP22B3U11005354
        set wtp-mode remote
        set wtp-profile 220B_bridge
    end

 

Wireless Mesh

The access points of a WiFi network are usually connected to the WiFi controller through Ethernet wiring. A wireless mesh eliminates the need for Ethernet wiring by connecting WiFi access points to the controller by radio. This is useful where installation of Ethernet wiring is impractical.

Overview of Wireless Mesh
Configuring a meshed WiFi network
Configuring a point-to-point bridge

 

Overview of Wireless Mesh

The figure below shows a wireless mesh topology.

A wireless mesh is a multiple AP network in which only one FortiAP unit is connected to the wired network. The other FortiAPs communicate with the controller over a separate backhaul SSID that is not available to regular WiFi clients. The AP that is connected to the network by Ethernet is called the Mesh Root node. The backhaul SSID carries CAPWAP discovery, configuration, and other communications that would usually be carried on an Ethernet connection.

The root node can be a FortiAP unit or the built-in AP of a FortiWiFi unit. APs that serve regular WiFi clients are called Leaf nodes. Leaf APs also carry the mesh SSID for more distant leaf nodes. A leaf node can connect to the mesh SSID directly from the root node or from any of the other leaf nodes. This provides redundancy in case of an AP failure.

All access points in a wireless mesh configuration must have at least one of their radios configured to provide mesh backhaul communication. As with wired APs, when mesh APs start up they can be discovered by a FortiGate or FortiWiFi unit WiFi controller and authorized to join the network.

The backhaul SSID delivers the best performance when it is carried on a dedicated radio. On a two-radio FortiAP unit, for example, the 5GHz radio could carry only the backhaul SSID while the 2.4GHz radio carries one or more SSIDs that serve users. Background WiFi scanning is possible in this mode.

The backhaul SSID can also share the same radio with SSIDs that serve users. Performance is reduced because the backhaul and user traffic compete for the available bandwidth. Background WiFi scanning is not available in this mode. One advantage of this mode is that a two-radio AP can offer WiFi coverage on both bands.

 

Wireless mesh deployment modes

There are two common wireless mesh deployment modes:

 

Wireless Mesh         Access points are wirelessly connected to a FortiGate or FortiWiFi unit WiFi controller.

WiFi users connect to wireless SSIDs in the same way as on non-mesh WiFi networks.

Wireless bridging

Two LAN segments are connected together over a wireless link (the backhaul SSID). On the leaf AP, the Ethernet connection can be used to provide a wired network. Both WiFi and wired users on the leaf AP are connected to the LAN segment to which the root AP is connected.

 

Firmware requirements

All FortiAP units that will be part of the wireless mesh network must be upgraded to FAP firmware version 5.0 build 003. FortiAP-222B units must have their BIOS upgraded to version 400012. The FortiWiFi or FortiGate unit used as the WiFi controller must be running FortiOS 5.0.

 

Types of wireless mesh

A WiFi mesh can provide access to widely-distributed clients. The root mesh AP, which is directly connected to the WiFi controller, can be either a FortiAP unit or the built-in AP of a FortiWiFi unit that is also the WiFi controller.

 

FortiAP units used as both mesh root AP and leaf AP

 

FortiWiFi unit as root mesh AP with FortiAP units as leaf APs

An alternate use of the wireless mesh functionality is as a point-to-point relay. Both wired and WiFi users on the leaf AP side are connected to the LAN segment on the root mesh side.

 

Point-to-point wireless mesh (figure: FortiGate unit, 2.4GHz radio, 5GHz radio, mesh SSID, wired clients)

Configuring a meshed WiFi network

You need to:

  • Create the mesh root SSID.
  • Create the FortiAP profile.
  • Configure mesh leaf AP units.
  • Configure the mesh root AP, either a FortiWiFi unit’s Local Radio or a FortiAP unit.
  • Authorize the mesh branch/leaf units when they connect to the WiFi Controller.
  • Create security policies.

This section assumes that the end-user SSIDs already exist.

 

Creating the mesh root SSID

The mesh root SSID is the radio backhaul that conveys the user SSID traffic to the leaf FortiAPs.

 

To configure the mesh root SSID

1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.

2. Enter a Name for the WiFi interface.

3. In Traffic Mode, select Mesh Downlink.

4. Enter the SSID.

5. Set Security Mode to WPA2 Personal and enter the Preshared key.

Remember the key, you need to enter it into the configurations of the leaf FortiAPs.

6. Select OK.

 

Creating the FortiAP profile

Create a FortiAP profile for the meshed FortiAPs. If more than one FortiAP model is involved, you need to create a profile for each model. Typically, the profile is configured so that Radio 1 (5GHz) carries the mesh backhaul SSID while Radio 2 (2.4GHz) carries the SSIDs to which users connect.

The radio that carries the backhaul traffic must not carry other SSIDs. Use the Select SSIDs option and choose only the backhaul SSID. Similarly, the radio that carries user SSIDs, should not carry the backhaul. Use the Select SSIDs option and choose the networks that you want to provide.

For more information, see Configuring a WiFi LAN on page 828.

 

Configuring the mesh root FortiAP

The mesh root AP can be either a FortiWiFi unit’s built-in AP or a FortiAP unit.

 

To enable a FortiWiFi unit’s Local Radio as mesh root – web-based manager

1. Go to WiFi Controller > Local WiFi Radio.

2. Select Enable WiFi Radio.

3. In SSID, select Select SSIDs, then select the mesh root SSID.

4. Optionally, adjust TX Power or select Auto Tx Power Control.

5. Select Apply.

 

In a network with multiple wireless controllers, make sure that each mesh root has a unique SSID. Other controllers using the same mesh root SSID might be detected as fake or rogue APs. Go to WiFi & Switch Controller > SSID to change the SSID.

 

To configure a network interface for the mesh root FortiAP unit

1. On the FortiGate unit, go to Network > Interfaces.

2. Select the interface where you will connect the FortiAP unit, and edit it.

3. Make sure that Role is LAN.

4. In Addressing mode, select Dedicated to Extension Device.

5. In IP/Network Mask, enter an IP address and netmask for the interface.

DHCP will provide addresses to connected devices. To maximize the number of available addresses, the interface address should end with 1, for example 192.168.10.1.

6. Select OK.

At this point you can connect the mesh root FortiAP, as described next. If you are going to configure leaf FortiAPs through the wireless controller (see “Configuring a meshed WiFi network” on page 873), it would be convenient to leave connecting the root unit for later.

 

To enable the root FortiAP unit

1. Connect the root FortiAP unit’s Ethernet port to the FortiGate network interface that you configured for it.

2. Go to WiFi & Switch Controller > Managed FortiAPs.

If the root FortiAP unit is not listed, wait 15 seconds and select Refresh. Repeat if necessary. If the unit is still missing after a minute or two, power cycle the root FortiAP unit and try again.

3. Right-click the FortiAP entry and choose your profile from the Assign Profile submenu.

4. Right-click the FortiAP entry and select Authorize.

Initially, the State of the FortiAP unit is Offline. Periodically click Refresh to update the status. Within about two minutes, the state changes to Online.

5. Select OK.

You might need to select Refresh a few times before the FortiAP shows as Online.

 

Configuring the leaf mesh FortiAPs

The FortiAP units that will serve as leaf nodes must be preconfigured. This involves changing the FortiAP unit internal configuration.You can do this by direct connection or through the FortiGate wireless controller.

 

Method 1: Direct connection to the FortiAP

1. Connect a computer to the FortiAP unit’s Ethernet port. Configure the computer’s IP as 192.168.1.3.

2. Telnet to 192.168.1.2. Login as admin. By default, no password is set.

3. Enter the following commands, substituting your own SSID and password (pre-shared key):

cfg -a MESH_AP_TYPE=1
cfg -a MESH_AP_SSID=fortinet.mesh.root
cfg -a MESH_AP_PASSWD=hardtoguess
cfg -c
exit

4. Disconnect the computer.

5. Power down the FortiAP.

6. Repeat the preceding steps for each branch FortiAP.

Access point deployment

This chapter describes how to configure access points for your wireless network.

Overview
Network topology for managed APs
Discovering and authorizing APs
Advanced WiFi controller discovery
Wireless client load balancing for high-density deployments
FortiAP Groups
LAN port options
Preventing IP fragmentation of packets in CAPWAP tunnels
LED options

 

Overview

FortiAP units discover WiFi controllers. The administrator of the WiFi controller authorizes the FortiAP units that the controller will manage.

In most cases, FortiAP units can find WiFi controllers through the wired Ethernet without any special configuration. Review the following section, Network topology for managed APs, to make sure that your method of connecting the FortiAP unit to the WiFi controller is valid. Then, you are ready to follow the procedures in Discovering and authorizing APs.

If your FortiAP units are unable to find the WiFi controller, refer to Advanced WiFi controller discovery for detailed information about the FortiAP unit’s controller discovery methods and how you can configure them.

 

Network topology for managed APs

The FortiAP unit can be connected to the FortiGate unit in any of the following ways:

 

Direct connection: The FortiAP unit is directly connected to the FortiGate unit with no switches between them. This configuration is common for locations where the number of FortiAPs matches the number of ‘internal’ ports available on the FortiGate. In this configuration the FortiAP unit requests an IP address from the FortiGate unit, enters discovery mode and should quickly find the FortiGate WiFi controller. This is also known as a wirecloset deployment. See “Wirecloset and Gateway deployments” below.

 

Wirecloset deployment

Switched Connection: The FortiAP unit is connected to the FortiGate WiFi controller by an Ethernet switch operating in L2 switching mode or L3 routing mode. There must be a routable path between the FortiAP unit and the FortiGate unit, and UDP ports 5246 (CAPWAP control) and 5247 (CAPWAP data) must be open. This is also known as a gateway deployment. See Gateway Deployment below.

Gateway Deployment

Connection over WAN: The FortiGate WiFi controller is off-premises and connected by a VPN tunnel to a local FortiGate. In this method of connectivity it is best to configure each FortiAP with the static IP address of the WiFi controller. Each FortiAP can be configured with three WiFi controller IP addresses for redundant failover. This is also known as a datacenter remote management deployment. See Remote deployment below.

 

Remote deployment

Discovering and authorizing APs

After you prepare your FortiGate unit, you can connect your APs to discover them using the discovery methods described earlier. To prepare the FortiGate unit, you need to

  • Configure the network interface to which the AP will connect.
  • Configure DHCP service on the interface to which the AP will connect.
  • Optionally, preauthorize FortiAP units. They will begin to function when connected.
  • Connect the AP units and let the FortiGate unit discover them.
  • Enable each discovered AP and configure it or assign it to an AP profile.

 

Configuring the network interface for the AP unit

The interface to which you connect your wireless access point needs an IP address. No administrative access, DNS Query service or authentication should be enabled.

 

To configure the interface for the AP unit – web-based manager

1. Go to Network > Interfaces and edit the interface to which the AP unit connects.

2. Set Addressing Mode to Dedicated to Extension Device.

3. Enter the IP address and netmask to use.

The FortiGate unit automatically configures a DHCP server on the interface that will assign the remaining higher addresses up to .254 to FortiAP units. For example, if the IP address is 10.10.1.100, the FortiAP units will be assigned 10.10.1.101 to 10.10.1.254. To maximize the available addresses, use the .1 address for the interface: 10.10.1.1, for example.

4. Select OK.

 

To configure the interface for the AP unit – CLI

In the CLI, you must configure the interface IP address and DHCP server separately.

config system interface
    edit port3
        set mode static
        set ip 10.10.70.1 255.255.255.0
    end

config system dhcp server
    edit 0
        set interface "port3"
        config ip-range
            edit 1
                set start-ip 10.10.70.2
                set end-ip 10.10.70.254
            end
        end
        set netmask 255.255.255.0
        set vci-match enable
        set vci-string "FortiAP"
    end

The optional vci-match and vci-string fields ensure that the DHCP server will provide IP addresses only to clients that present the matching vendor class identifier (DHCP option 60), which FortiAP units do.
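
The two mechanisms in this procedure, the address pool that Dedicated to Extension Device derives from the interface address, and the vendor class (option 60) check behind vci-match, are shown below as an added example that is not FortiOS code. The DHCPDISCOVER packets are constructed inline. Two assumptions are made: that the vci-string comparison is an exact match against the client's option 60 value, and that the pool rule (interface address plus one, up to the last host address) holds for masks other than /24.

```python
"""Extension-device DHCP pool and option-60 (vendor class) matching.

Added example, not FortiOS code. The pool rule follows the text above; the
DHCPDISCOVER packets are constructed inline. Assumed: vci-string is an exact
match on the client's option 60 value, and the pool rule applies to any mask.
"""
import struct
from ipaddress import IPv4Interface

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_VCI, OPT_END = 0, 53, 60, 255
DHCPDISCOVER = 1


def extension_device_pool(interface_cidr):
    """Addresses handed to FortiAPs: interface address + 1 up to broadcast - 1."""
    iface = IPv4Interface(interface_cidr)
    first, last = iface.ip + 1, iface.network.broadcast_address - 1
    return (first, last) if first <= last else None


def build_discover(client_mac, vendor_class=None):
    """Constructed DHCPDISCOVER: 236-byte BOOTP header, magic cookie, then options."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                         # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        0x3903F326, 0, 0x8000,              # xid, secs, flags (broadcast bit)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,   # chaddr, sname, file
    )
    options = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    if vendor_class is not None:
        options += bytes([OPT_VCI, len(vendor_class)]) + vendor_class
    return header + DHCP_MAGIC + options + bytes([OPT_END])


def parse_options(packet):
    """Return {option code: raw value} for a DHCP packet; stops at the END option."""
    if packet[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    options, pos = {}, 240
    while pos < len(packet) and packet[pos] != OPT_END:
        if packet[pos] == OPT_PAD:
            pos += 1
            continue
        code, length = packet[pos], packet[pos + 1]
        options[code] = packet[pos + 2:pos + 2 + length]
        pos += 2 + length
    return options


def should_offer(packet, vci_match, vci_strings):
    """vci-match rule: when enabled, only a DISCOVER whose option 60 equals one of
    the configured vci-string values is answered (exact match assumed)."""
    options = parse_options(packet)
    if options.get(OPT_MSG_TYPE) != bytes([DHCPDISCOVER]):
        return False
    if not vci_match:
        return True
    return options.get(OPT_VCI) in {s.encode() for s in vci_strings}


def run_demo():
    fortiap = build_discover(bytes.fromhex("00aabb000001"), b"FortiAP")   # constructed MACs
    laptop = build_discover(bytes.fromhex("00aabb000002"), b"MSFT 5.0")
    no_vci = build_discover(bytes.fromhex("00aabb000003"))
    return {
        "pool": extension_device_pool("10.10.1.100/24"),
        "fortiap": should_offer(fortiap, True, ["FortiAP"]),
        "laptop": should_offer(laptop, True, ["FortiAP"]),
        "no-vci": should_offer(no_vci, True, ["FortiAP"]),
        "match-disabled": should_offer(laptop, False, ["FortiAP"]),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Option 60 is set by the client, so vci-match keeps stray laptops out of the AP pool but is not an access control: anything on that segment can claim to be a FortiAP. The interface still needs to be one with no administrative access or authentication enabled, as the procedure states, and the FortiAP itself is only trusted once you authorize it on the Managed FortiAPs page.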

 

Preauthorizing a FortiAP unit

If you enter the FortiAP unit information in advance, it is authorized and will begin to function when it is connected.

 

To pre-authorize a FortiAP unit

1. Go to WiFi & Switch Controller > Managed FortiAPs and select Create New.

On some models the WiFi Controller menu is called WiFi & Switch Controller.

2. Enter the Serial Number of the FortiAP unit.

3. Configure the Wireless Settings as required.

4. Select OK.

 

Enabling and configuring a discovered AP

Within two minutes of connecting the AP unit to the FortiGate unit, the discovered unit should be listed on the WiFi & Switch Controller > Managed FortiAPs page. After you select the unit, you can authorize, edit or delete it.