Configuring a WiFi LAN

VLAN assignment by VLAN pool

In an SSID, you can define a VLAN pool. As clients associate to an AP, they are assigned to a VLAN. A VLAN pool can

  • assign a specific VLAN based on the AP’s FortiAP Group, usually for network configuration reasons, or
  • assign one of several available VLANs for network load balancing purposes (tunnel mode SSIDs only)

To assign a VLAN by FortiAP Group – CLI

In this example, VLAN 101, 102, or 103 is assigned depending on the AP’s FortiAP Group (the third entry is VLAN 103, not a second 101):

config wireless-controller vap
  edit wlan
    set vlan-pooling wtp-group
    config vlan-pool
      edit 101
        set wtp-group wtpgrp1
      next
      edit 102
        set wtp-group wtpgrp2
      next
      edit 103
        set wtp-group wtpgrp3
      end
    end
  end


Load balancing

There are two VLAN pooling methods used for load balancing. The choice of VLAN is based on one of the following criteria:

  • round-robin – from the VLAN pool, choose the VLAN with the smallest number of clients
  • hash – choose a VLAN from the VLAN pool based on a hash of the current number of SSID clients and the number of entries in the VLAN pool

If the VLAN pool contains no valid VLAN ID, the SSID’s static VLAN ID setting is used.

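The two selection rules and the static-VLAN fallback, modelled in Python as an added example (not FortiOS code). The names round_robin_select, hash_select and simulate_round_robin are hypothetical, and because the page does not give the hash function FortiOS actually uses, a modulo over the pool size stands in for it.

```python
from typing import Dict, List

# 802.1Q VLAN IDs; anything outside this range counts as "no valid VLAN ID".
VALID_VLAN_IDS = range(1, 4095)


def round_robin_select(pool_clients: Dict[int, int], static_vlan: int) -> int:
    """Round-robin rule: pick the pool VLAN with the fewest clients.

    pool_clients maps VLAN ID -> current client count.  If the pool holds
    no valid VLAN ID, the SSID's static VLAN is returned instead.
    """
    valid = {v: n for v, n in pool_clients.items() if v in VALID_VLAN_IDS}
    if not valid:
        return static_vlan
    # Ties go to the lowest VLAN ID so the result is deterministic.
    return min(valid, key=lambda v: (valid[v], v))


def hash_select(pool: List[int], ssid_clients: int, static_vlan: int) -> int:
    """Hash rule: derive the slot from the SSID client count and pool size.

    Assumption: the real FortiOS hash is not documented on this page, so the
    modulo below only models "hash of client count and number of pool entries".
    """
    valid = [v for v in pool if v in VALID_VLAN_IDS]
    if not valid:
        return static_vlan
    return valid[ssid_clients % len(valid)]


def simulate_round_robin(pool: List[int], n_clients: int,
                         static_vlan: int = 1) -> Dict[int, int]:
    """Associate n_clients one at a time and return clients per VLAN.

    Shows how round-robin keeps the pool balanced, and that an all-invalid
    pool (for example [0]) sends every client to the static VLAN.
    """
    counts = {v: 0 for v in pool}
    for _ in range(n_clients):
        chosen = round_robin_select(counts, static_vlan)
        counts[chosen] = counts.get(chosen, 0) + 1
    return counts
```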

To assign a VLAN by round-robin selection – CLI

In this example, VLAN 101, 102, or 103 is assigned using the round-robin method:

config wireless-controller vap
  edit wlan
    set vlan-pooling round-robin
    config vlan-pool
      edit 101
      next
      edit 102
      next
      edit 103
      end
    end
  end

To assign a VLAN by hash-based selection – CLI

In this example, VLAN 101, 102, or 103 is assigned using the hash method:

config wireless-controller vap
  edit wlan
    set vlan-pooling hash
    config vlan-pool
      edit 101
      next
      edit 102
      next
      edit 103
      end
    end
  end


Configuring user authentication

You can perform user authentication when the wireless client joins the wireless network and when the wireless user communicates with another network through a firewall policy. WEP and WPA-Personal security rely on legitimate users knowing the correct key or passphrase for the wireless network. The more users you have, the more likely it is that the key or passphrase will become known to unauthorized people. WPA-Enterprise and captive portal security provide separate credentials for each user. User accounts can be managed through FortiGate user groups or an external RADIUS authentication server.

 

WPA2 Enterprise authentication

Enterprise authentication can be based on the local FortiGate user database or on a remote RADIUS server. Local authentication is essentially the same for WiFi users as it is for wired users, except that authentication for WiFi users occurs when they associate their device with the AP. Therefore, enterprise authentication must be configured in the SSID. WiFi users can belong to user groups just the same as wired users and security policies will determine which network services they can access.

If your WiFi network uses WPA2 Enterprise authentication verified by a RADIUS server, you need to configure the FortiGate unit to connect to that RADIUS server.

 

Configuring connection to a RADIUS server – web-based manager

1. Go to User & Device > RADIUS Servers and select Create New.

2. Enter a Name for the server.

This name is used in FortiGate configurations. It is not the actual name of the server.

3. In Primary Server Name/IP, enter the network name or IP address for the server.

4. In Primary Server Secret, enter the shared secret used to access the server.

5. Optionally, enter the information for a secondary or backup RADIUS server.

6. Select OK.

To configure the FortiGate unit to access the RADIUS server – CLI

config user radius
  edit exampleRADIUS
    set auth-type auto
    set server 10.11.102.100
    set secret aoewmntiasf
  end

To implement WPA2 Enterprise security, you select this server in the SSID security settings. See Configuring user authentication on page 845.

To use the RADIUS server for authentication, you can create individual FortiGate user accounts that specify the authentication server instead of a password, and you then add those accounts to a user group. Or, you can add the authentication server to a FortiGate user group, making all accounts on that server members of the user group.

 

Creating a wireless user group

Most wireless networks require authenticated access. To enable creation of firewall policies specific to WiFi users, you should create at least one WiFi user group. You can add or remove users later. There are two types of user group to consider:

  • A Firewall user group can contain user accounts stored on the FortiGate unit or external authentication servers such as RADIUS that contain and verify user credentials.
  • A Fortinet Single Sign-On (FSSO) user group is used for integration with Windows Active Directory or Novell eDirectory. The group can contain Windows or Novell user groups who will be permitted access to the wireless LAN.

 

WiFi Single Sign-On (WSSO) authentication

WSSO is RADIUS-based authentication that passes the user’s user group memberships to the FortiGate. For each user, the RADIUS server must provide user group information in the Fortinet-Group-Name attribute. This information is stored in the server’s database. After the user authenticates, security policies provide access to network services based on user groups.

1. Configure the RADIUS server to return the Fortinet-Group-Name attribute for each user.

2. Configure the FortiGate to access the RADIUS server, as described in WPA2 Enterprise authentication on page 845.

3. Create firewall user groups on the FortiGate with the same names as the user groups listed in the RADIUS database. Leave the groups empty.

4. In the SSID choose WPA2-Enterprise authentication. In the Authentication field, select RADIUS Server and choose the RADIUS server that you configured.

5. Create security policies as needed, using user groups (Source User(s) field) to control access.

 

When a user authenticates by WSSO, the firewall monitor (Monitor > Firewall Monitor) shows the authentication method as WSSO.

 

Assigning WiFi users to VLANs dynamically

Some enterprise networks use Virtual LANs (VLANs) to separate traffic. In this environment, extending network access to WiFi users might appear to require multiple SSIDs. But it is possible to automatically assign each user to their appropriate VLAN from a single SSID. To accomplish this requires RADIUS authentication that passes the appropriate VLAN ID to the FortiGate by RADIUS attributes. Each user’s VLAN assignment is stored in the user database of the RADIUS server.

1. Configure the RADIUS server to return the following attributes for each user:

  • Tunnel-Type (value: VLAN)
  • Tunnel-Medium-Type (value: IEEE-802)
  • Tunnel-Private-Group-Id (value: the VLAN ID for the user’s VLAN)

2. Configure the FortiGate to access the RADIUS server.

3. Configure the SSID with WPA2-Enterprise authentication. In the Authentication field, select RADIUS Server and choose the RADIUS server that you will use.

4. Create VLAN subinterfaces on the SSID interface, one for each VLAN. Set the VLAN ID of each as appropriate. You can do this on the Network > Interfaces page.

5. Enable Dynamic VLAN assignment for the SSID. For example, if the SSID interface is “office”, enter:

config wireless-controller vap
  edit office
    set dynamic-vlan enable
  end

6. Create security policies for each VLAN. These policies have a WiFi VLAN subinterface as Incoming Interface and allow traffic to flow to whichever Outgoing Interface these VLAN users will be allowed to access.
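How the RADIUS Access-Accept attributes from the WSSO procedure and the dynamic VLAN procedure above would be checked before they are acted on, as an added Python example (not FortiOS code). The function evaluate_access_accept and the sample replies are constructed here; the numeric Tunnel-Type and Tunnel-Medium-Type values are the ones defined in RFC 2868.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TUNNEL_TYPE_VLAN = 13        # RFC 2868 Tunnel-Type "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 2868 Tunnel-Medium-Type "IEEE-802"

@dataclass
class AccessDecision:
    groups: List[str] = field(default_factory=list)   # matched firewall groups
    vlan_id: Optional[int] = None                      # VLAN subinterface to use
    warnings: List[str] = field(default_factory=list)

def evaluate_access_accept(reply: Dict[str, object],
                           firewall_groups: List[str],
                           vlan_subinterfaces: Dict[int, str]) -> AccessDecision:
    """Map decoded reply attributes to firewall groups (WSSO) and a VLAN."""
    d = AccessDecision()
    # WSSO: only Fortinet-Group-Name values that match a group created on
    # the FortiGate can be used in a policy's Source User(s) field.
    raw = reply.get("Fortinet-Group-Name", [])
    for name in ([raw] if isinstance(raw, str) else list(raw)):
        if name in firewall_groups:
            d.groups.append(name)
        else:
            d.warnings.append(f"no firewall group named {name!r}")
    # Dynamic VLAN: honour Tunnel-Private-Group-Id only when Tunnel-Type and
    # Tunnel-Medium-Type say it is an 802.1Q VLAN, and only for a VLAN that
    # actually has a subinterface on the SSID.
    if (reply.get("Tunnel-Type") == TUNNEL_TYPE_VLAN
            and reply.get("Tunnel-Medium-Type") == TUNNEL_MEDIUM_IEEE_802):
        try:
            vid = int(str(reply.get("Tunnel-Private-Group-Id")))
        except ValueError:
            vid = -1   # missing or non-numeric group id
        if vid in vlan_subinterfaces:
            d.vlan_id = vid
        else:
            d.warnings.append(f"VLAN {vid} has no subinterface on the SSID")
    return d

# Constructed sample data: a "staff" user placed on VLAN 102.
SAMPLE_GROUPS = ["staff", "guests"]
SAMPLE_SUBINTERFACES = {101: "office-101", 102: "office-102"}
SAMPLE_REPLY = {"Fortinet-Group-Name": ["staff"], "Tunnel-Type": 13,
                "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-Id": "102"}
```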

 

MAC-based authentication

Wireless clients can also be supplementally authenticated by MAC address. A RADIUS server stores the allowed MAC address for each client and the wireless controller checks the MAC address independently of other authentication methods.

MAC-based authentication must be configured in the CLI. In the following example, MAC-based authentication is added to an existing access point “vap1” to use RADIUS server hq_radius (configured on the FortiGate):

config wireless-controller vap
  edit vap1
    set radius-mac-auth enable
    set radius-mac-auth-server hq_radius
  end

 

Authenticating guest WiFi users

The FortiOS Guest Management feature enables you to easily add guest accounts to your FortiGate unit. These accounts authenticate guest WiFi users for temporary access to a WiFi network managed by a FortiGate unit. To implement guest access, you need to:

1. Go to User & Device > User Groups and create one or more guest user groups.

2. Go to User & Device > Guest Management to create guest accounts. You can print the guest account credentials or send them to the user as an email or SMS message.

3. Go to WiFi & Switch Controller > SSID and configure your WiFi SSID to use captive portal authentication. Select the guest user group(s) that you created.

Guest users can log into the WiFi captive portal with their guest account credentials until the account expires. For more detailed information about creating guest accounts, see “Managing Guest Access” in the Authentication chapter of the FortiOS Handbook.

Configuring firewall policies for the SSID

For users on the WiFi LAN to communicate with other networks, firewall policies are required. This section describes creating a WiFi network to Internet policy.

Before you create firewall policies, you need to define any firewall addresses you will need.

 

To create a firewall address for WiFi users – web-based manager

1. Go to Policy & Objects > Addresses.

2. Select Create New, enter the following information and select OK.

Name                 Enter a name for the address, wifi_net for example.
Type                 Select Subnet.
Subnet / IP Range    Enter the subnet address, 10.10.110.0/24 for example.
Interface            Select the interface where this address is used, e.g., example_wifi.

 

To create a firewall address for WiFi users – CLI

config firewall address
  edit "wifi_net"
    set associated-interface "example_wifi"
    set subnet 10.10.110.0 255.255.255.0
  end

 

To create a firewall policy – web-based manager

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. In Incoming Interface, select the wireless interface.

3. In Source Address, select the address of your WiFi network, wifi_net for example.

4. In Outgoing Interface, select the Internet interface, for example, port1.

5. In Destination Address, select All.

6. In Service, select ALL, or select the particular services that you want to allow, and then select the right arrow button to move the service to the Selected Services list.

7. In Schedule, select always, unless you want to define a schedule for limited hours.

8. In Action, select ACCEPT.

9. Select Enable NAT.

10. Optionally, set up UTM features for wireless users.

11. Select OK.

To create a firewall policy – CLI

config firewall policy
  edit 0
    set srcintf "example_wifi"
    set dstintf "port1"
    set srcaddr "wifi_net"
    set dstaddr "all"
    set action accept
    set schedule "always"
    set service "ANY"
    set nat enable
  end

 

Configuring the built-in access point on a FortiWiFi unit

Both FortiGate and FortiWiFi units have the WiFi controller feature. If you configure a WiFi network on a FortiWiFi unit, you can also use the built-in wireless capabilities in your WiFi network as one of the access points.

If Virtual Domains are enabled, you must select the VDOM to which the built-in access point belongs. You do this in the CLI. For example:

config wireless-controller global
  set local-radio-vdom vdom1
end

 

To configure the FortiWiFi unit’s built-in WiFi access point

1. Go to WiFi Controller > Local WiFi Radio.

2. Make sure that Enable WiFi Radio is selected.

3. In SSID, if you do not want this AP to carry all SSIDs, select Select SSIDs and then select the required SSIDs.

4. Optionally, adjust the TX Power slider.

If you have selected your location correctly (see Configuring the built-in access point on a FortiWiFi unit on page 849), the 100% setting corresponds to the maximum power allowed in your region.

5. If you do not want the built-in WiFi radio to be used for rogue scanning, select Do not participate in Rogue AP scanning.

6. Select OK.

If you want to connect external APs, such as FortiAP units, see the next chapter, Access point deployment.

 

One thought on “Configuring a WiFi LAN”

  1. starking9b

    thank you very much for this helpful article
    but if there is any php script which you can insert into the article to help me send data from external portal to fortigate
    it will be more helpful
