To configure WPA-Enterprise security – CLI

config wireless-controller vap edit example_wlan

set security wpa2-enterprise set auth radius

set radius-server exampleRADIUS

end

 

Captive Portal security

Captive Portal security provides an access point that initially appears open. The wireless client can connect to the AP with no security credentials. The AP responds to the client’s first HTTP request with a web page requesting user name and password. Until the user enters valid credentials, no communication beyond the AP is permitted.

The captive portal can be hosted on the FortiGate unit, or externally. For details see

Configuring WiFi captive portal security – FortiGate captive portal on page 840

Configuring WiFi captive portal security – external server on page 841

For general information about captive portals, see the Captive Portal chapter of the Authentication Guide.

 

Adding a MAC filter

On each SSID, you can create a MAC address filter list to either permit or exclude a list of clients identified by their MAC addresses.

This is actually not as secure as it appears. Someone seeking unauthorized access to your network can obtain MAC addresses from wireless traffic and use them to impersonate legitimate users. A MAC filter list should only be used in conjunction with other security measures such as encryption.

 

To configure a MAC filter – web-based manager

1. Go to WiFi & Switch Controller > SSID and edit your SSID entry.

2. In the DHCP Server section, expand Advanced.

3. In MAC Reservation + Access Control, double-click in the Unknown MAC Addresses line and select

Assign IP or Block, as needed.

By default, unlisted MAC addresses are assigned an IP address automatically.

4. In MAC Reservation + Access Control, select Create New.

5. Enter a MAC address In the MAC field.

6. In IP or Action, select one of:

• Reserve IP — enter the IP address that is always assigned to this MAC address.
• Assign IP — an IP address is assigned to this MAC address automatically.
• Block — This MAC address will not be assigned an IP address.

7. Repeat steps 4 through 6 for each additional MAC address that you want to add.

8. Select OK.

 

 

To configure a MAC filter – CLI

1. Enter

config system dhcp server show

2. Find the entry where interface is your WiFi interface. Edit that entry and configure the MAC filter. In this example, the MAC address 11:11:11:11:11:11will be excluded. Unlisted MAC addresses will be assigned an IP address automatically.

edit 3

config reserved-address edit 1

set action block

set mac 11:11:11:11:11:11 end

set mac-acl-default-action assign end

 

Limiting the number of clients

You might want to prevent overloading of your access point by limiting the number of clients who can associate with it at the same time. Limits can be applied per SSID, per AP, or per radio.

 

To limit the number of clients per SSID – GUI

1. Go to WiFi & Switch Controller > SSID and edit your SSID.

2. Turn on Maximum Clients and enter the maximum number of clients in Limit Concurrent WiFi Clients.

 

 

To limit the number of clients per AP- CLI

Edit the wtp-profile (FortiAP profile), like this:

config wireless-controller wtp-profile edit “FAP221C-default”

set max-clients 30 end

 

To limit the number of clients per radio – CLI

Edit the wtp-profile (FortiAP profile), like this:

config wireless-controller wtp-profile edit “FAP221C-default”

config radio-1

set max-clients 10 end

config radio-2

set max-clients 30 end

end

 

Multicast enhancement

FortiOS can translate multicast traffic into unicast traffic to send to clients, maintaining its own multicast client through IGMP snooping. You can configure this in the CLI:

config wireless-controller vap edit example_wlan

set multicast-enhance enable set me-disable-thresh 32

end

If the number of clients on the SSID is larger than me-disable-thresh, multicast enhancement is disabled.

 

Configuring WiFi captive portal security – FortiGate captive portal

The built-in FortiGate captive portal is simpler than an external portal. It can even be customized if needed.

 

To configure a WiFi Captive Portal – web-based manager:

1. Go to WiFi & Switch Controller > SSID and create your SSID.

If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.

2. In Security Mode, select Captive Portal.

3. Enter

Portal Type                                 The portal can provide authentication and/or disclaimer, or perform user email address collection. See Defining a wireless network interface (SSID) on page 832.

Authentication Portal                Local

User Groups                               Select permitted user groups or select Use Groups from Policies, which permits the groups specified in the security policy.

Exempt List                                Select exempt lists whose members will not be subject to captive portal authentication.

Customize Portal Messages     Click the link of the portal page that you want to modify. For more inform- ation see the Captive Portal chapter of the Authentication Guide.

4. Select OK.

 

Configuring WiFi captive portal security – external server

An external captive portal is a web page on a web server. The essential part of the web portal page is a script that gathers the user’s logon credentials and sends back to the FortiGate a specifically-formatted POST message. The portal page can also contain links to local information such as legal notices, terms of service and so on. Without authenticating, the user cannot access any other information. This is sometimes called a “walled garden”.

On the captive portal page, the user submits credentials, which the script returns to the FortiGate at the URL https://<FGT_IP>:1000/fgtauth with data magic=session_id&username=<username>&password=<password>.

(The magic value was provided in the initial FortiGate request to the web server.)

To ensure that credentials are communicated securely, enable the use of HTTPS for authentication:

config user setting

set auth-secure-http enable end

 

To configure use of an external WiFi Captive Portal – web-based manager:

1. Go to WiFi & Switch Controller > SSIDand create your SSID.

If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.

2. In Security Mode, select Captive Portal.

3. Enter

 

Portal Type                                 The portal can provide authentication and/or disclaimer, or perform user email address collection.

Authentication Portal                External – enter the FQDN or IP address of the external portal. Typically, this is the URL of a script. Do not include the protocol (http:// or https://) part of the URL.

User Groups                               Select permitted user groups or select Use Groups from Policies, which permits the groups specified in the security policy.

Exempt List                                Select exempt lists whose members will not be subject to captive portal authentication.

Redirect after Captive Portal    Original Request

Specific URL – enter URL

4. Select OK.