Configuring security
Using the web-based manager, you can configure Captive Portal security or WiFi Protected Access version 2 (WPA2) security modes WPA2-Personal and WPA2-Enterprise. Using the CLI, you can also choose WPA/WPA2 modes that support both WPA version 1 and WPA version 2.
WPA2 security with a pre-shared key for authentication is called WPA2-Personal. This can work well for one person or a small group of trusted people. But, as the number of users increases, it is difficult to distribute new keys securely and there is increased risk that the key could fall into the wrong hands.
A more secure form of WPA2 security is WPA2-Enterprise. Users each have their own authentication credentials, verified through an authentication server, usually RADIUS. FortiOS can also authenticate WPA2-Enterprise users through its built-in user group functionality. FortiGate user groups can include RADIUS servers and can select users by RADIUS user group. This makes possible Role-Based Access Control (RBAC).
By default, WPA2 security encrypts communication using Advanced Encryption Standard (AES). But some older wireless clients support only Temporal Key Integrity Protocol (TKIP). You can change the encryption to TKIP or negotiable TKIP-AES in the CLI. For example, to accommodate clients with either TKIP or AES, enter:
config wireless-controller vap
    edit example_wlan
        set security wpa-personal
        set passphrase "hardtoguess"
        set encrypt TKIP-AES
end
Captive Portal security connects users to an open web portal defined in replacement messages. To navigate to any location beyond the web portal, the user must pass FortiGate user authentication.
WPA-Personal security
WPA2-Personal security setup requires only the pre-shared key that you will provide to your clients.
To configure WPA2-Personal security – web-based manager
- Go to WiFi & Switch Controller > SSID and edit your SSID entry.
- In Security Mode, select WPA2 Personal.
- In Pre-shared Key, enter a key between 8 and 63 characters long.
- Select OK.
To configure WPA2-Personal security – CLI
config wireless-controller vap
    edit example_wlan
        set security wpa2-personal
        set passphrase "hardtoguess"
end
WPA-Enterprise security
If you will use FortiOS user groups for authentication, go to User & Device > User > User Groups and create those groups first. The groups should be Firewall groups.
If you will use a RADIUS server to authenticate wireless clients, you must first configure the FortiGate unit to access the RADIUS server.
To configure FortiGate unit access to the RADIUS server – web-based manager
- Go to User & Device > RADIUS Servers and select Create New.
- Enter a Name for the server.
- In Primary Server Name/IP, enter the network name or IP address for the server.
- In Primary Server Secret, enter the shared secret used to access the server.
- Optionally, enter the information for a secondary or backup RADIUS server.
- Select OK.
To configure the FortiGate unit to access the RADIUS server – CLI
config user radius
    edit exampleRADIUS
        set auth-type auto
        set server 10.11.102.100
        set secret aoewmntiasf
end
RADIUS Change of Authorization (CoA) support
The CoA feature enables the FortiGate to receive a client disconnect message from the RADIUS server. This is used to disconnect clients when their time, credit or bandwidth has been used up. Enable this on the RADIUS server entry using the CLI:
config user radius
    edit <name>
        set radius-coa enable
end
To configure WPA-Enterprise security – web-based manager
- Go to WiFi & Switch Controller > SSID and edit your SSID entry.
- In Security Mode, select WPA2 Enterprise.
- In Authentication, do one of the following:
  - If you will use a RADIUS server for authentication, select RADIUS Server and then select the RADIUS server.
  - If you will use a local user group for authentication, select Local and then select the user group(s) permitted to use the wireless network.
- Select OK.
To configure WPA-Enterprise security – CLI
config wireless-controller vap
    edit example_wlan
        set security wpa2-enterprise
        set auth radius
        set radius-server exampleRADIUS
end
Captive Portal security
Captive Portal security provides an access point that initially appears open. The wireless client can connect to the AP with no security credentials. The AP responds to the client’s first HTTP request with a web page requesting user name and password. Until the user enters valid credentials, no communication beyond the AP is permitted.
The captive portal can be hosted on the FortiGate unit, or externally. For details, see:
- Configuring WiFi captive portal security – FortiGate captive portal on page 53
- Configuring WiFi captive portal security – external server on page 54
For general information about captive portals, see the Captive Portal chapter of the Authentication Guide.
Adding a MAC filter
On each SSID, you can create a MAC address filter list to either permit or exclude a list of clients identified by their MAC addresses.
This is actually not as secure as it appears. Someone seeking unauthorized access to your network can obtain MAC addresses from wireless traffic and use them to impersonate legitimate users. A MAC filter list should only be used in conjunction with other security measures such as encryption.
To configure a MAC filter – web-based manager
- Go to WiFi & Switch Controller > SSID and edit your SSID entry.
- In the DHCP Server section, expand Advanced.
- In MAC Reservation + Access Control, double-click in the Unknown MAC Addresses line and select Assign IP or Block, as needed.
By default, unlisted MAC addresses are assigned an IP address automatically.
- In MAC Reservation + Access Control, select Create New.
- Enter a MAC address in the MAC field.
- In IP or Action, select one of:
  - Reserve IP — enter the IP address that is always assigned to this MAC address.
  - Assign IP — an IP address is assigned to this MAC address automatically.
  - Block — this MAC address will not be assigned an IP address.
- Repeat steps 4 through 6 for each additional MAC address that you want to add.
- Select OK.
To configure a MAC filter – CLI
- Enter:
config system dhcp server
show
- Find the entry where interface is your WiFi interface. Edit that entry and configure the MAC filter. In this example, the MAC address 11:11:11:11:11:11 will be excluded. Unlisted MAC addresses will be assigned an IP address automatically.
    edit 3
        config reserved-address
            edit 1
                set action block
                set mac 11:11:11:11:11:11
        end
        set mac-acl-default-action assign
end
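As an added example (not FortiOS code and not from the original page), the following Python helper renders the DHCP-server MAC filter block from the CLI procedure above from a list of MAC entries, validating each address, rejecting duplicates and checking the default action before anything is pasted into the unit. The reserved action keyword, the set ip line and the next separators are assumed FortiOS CLI syntax that the page itself does not show; only block and assign appear on the page.

```python
import ipaddress
import re

# Hypothetical helper (not FortiOS code): six 2-hex-digit groups, separator optional.
_MAC_RE = re.compile("^" + r"([0-9a-f]{2})[:-]?" * 5 + r"([0-9a-f]{2})$")
_ENTRY_ACTIONS = ("reserved", "assign", "block")   # "reserved" keyword is assumed


def normalize_mac(mac):
    """Return the MAC in the colon-separated lower-case form the CLI expects."""
    match = _MAC_RE.match(mac.strip().lower())
    if not match:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(match.groups())


def render_mac_filter(server_id, entries, default_action="assign"):
    """Build the 'config system dhcp server' MAC filter block as CLI text.

    entries: list of (mac, action, ip); ip is required for 'reserved' and
    must be None otherwise. default_action applies to unlisted MAC addresses.
    """
    if default_action not in ("assign", "block"):
        raise ValueError("mac-acl-default-action must be assign or block")
    lines = ["config system dhcp server", f"    edit {server_id}",
             "        config reserved-address"]
    seen = set()
    for index, (mac, action, ip) in enumerate(entries, start=1):
        mac = normalize_mac(mac)
        if mac in seen:  # a duplicate entry would silently shadow the first one
            raise ValueError(f"duplicate MAC address: {mac}")
        seen.add(mac)
        if action not in _ENTRY_ACTIONS:
            raise ValueError(f"unknown action {action!r} for {mac}")
        lines += [f"            edit {index}", f"                set action {action}"]
        if action == "reserved":
            # a reservation needs a syntactically valid IPv4 address
            lines.append(f"                set ip {ipaddress.IPv4Address(ip)}")
        elif ip is not None:
            raise ValueError(f"ip is only valid with action reserved ({mac})")
        lines += [f"                set mac {mac}", "            next"]
    lines += ["        end", f"        set mac-acl-default-action {default_action}",
              "    next", "end"]
    return "\n".join(lines)
```

Because the filter is only as strong as the encryption it sits behind, the generated block is meant to accompany a WPA2 SSID configuration, not replace it.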