FortiWLC – WAPI Configuration

WAPI Configuration

The WLAN Authentication and Privacy Infrastructure (WAPI) is a Chinese national standard for WLANs. There are two authentication models used for WAPI functionality: certificate-based and PSK-based. For WAPI certificate configurations, the controller must have the IP address and port details for the central Authentication Service Unit (ASU), which verifies that the wireless communication is permitted.

FortiWLC (SD) implements WAPI configurations in release 5.2 and later.

Specifying WAPI Authentication Mode

As mentioned above, users can specify whether the deployment will use certificate-based or PSK-based WAPI authentication. This is done via the Security Profile configuration.

  1. From the WebUI, navigate to Configuration > Security > Profile.
  2. Create a new profile by clicking the Add button.
  3. In the L2 Modes Allowed section, specify the desired WAPI option:
    • WAI: for certificate-based models
    • WAI-PSK: for PSK models
  4. Make the remaining selections as desired. If using the PSK option, be sure to set an appropriate entry in the Pre-shared Key field.

If your deployment is making use of the WAI option (certificate-based), you will need to configure a WAPI server and import a WAPI certificate as well. Proceed to the following sections for these details.

Importing a WAPI Certificate

In order to properly authenticate WAPI communications, a certificate must be imported into the system. Follow the instructions below.

  1. From the WebUI, navigate to Configuration > Certificates > Controller Certificates.
  2. Click WAPI Cert Import.
  3. Browse to the location of the WAPI certificate and click Import. Note that the system only supports one WAPI certificate to be configured at any given time.
  4. After the certificate is imported, click the WebTerm link to open a CLI console.
  5. Log into the console and execute the reload-wapi command to reload WAPI service.
  6. Proceed to the next section in order to configure communication with the WAPI Authentication Service Unit.
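Before importing, an added check that is not part of the FortiWLC guide: because the controller holds only one WAPI certificate at a time, it is worth confirming that the file you are about to import contains exactly one certificate and that its validity window covers today, and noting the expiry so a replacement can be scheduled before the service stops authenticating. The Python below does this with a minimal DER walk to the Validity field. It assumes the certificate is a standard X.509 file in PEM or DER form (the page does not state the format), and the sample certificate it tests against is constructed inside the block; it is not a real WAPI certificate.

```python
import base64
import re
from datetime import datetime, timezone

# Matches each PEM certificate block; the body is base64 with line breaks.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, value):
    """Decode an X.509 Time: UTCTime (0x17, two-digit year) or GeneralizedTime (0x18)."""
    text = value.decode("ascii")
    if tag == 0x17:
        text = ("20" if int(text[:2]) < 50 else "19") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def pem_to_der_list(data):
    """Return the DER body of every PEM certificate in data, or [data] if it is raw DER."""
    blocks = PEM_RE.findall(data)
    return [base64.b64decode(b"".join(b.split())) for b in blocks] if blocks else [data]


def certificate_validity(der):
    """Walk tbsCertificate to the Validity field and return (notBefore, notAfter)."""
    tag, cert, _ = _read_tlv(der, 0)                    # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _read_tlv(cert, 0)                      # tbsCertificate SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)                     # [0] version, or serialNumber if absent
    if tag == 0xA0:
        _, _, pos = _read_tlv(tbs, pos)                 # serialNumber
    _, _, pos = _read_tlv(tbs, pos)                     # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)                     # issuer Name
    _, validity, _ = _read_tlv(tbs, pos)                # Validity SEQUENCE
    t1, not_before, pos = _read_tlv(validity, 0)
    t2, not_after, _ = _read_tlv(validity, pos)
    return _parse_time(t1, not_before), _parse_time(t2, not_after)


def check_wapi_cert_file(data, now=None):
    """Report whether data is a single, currently valid certificate fit for the one-slot import."""
    now = now or datetime.now(timezone.utc)
    certs = pem_to_der_list(data)
    if len(certs) != 1:
        return {"ok": False, "reason": f"file holds {len(certs)} certificates; the controller accepts one"}
    not_before, not_after = certificate_validity(certs[0])
    if not (not_before <= now <= not_after):
        return {"ok": False, "reason": "certificate is outside its validity window",
                "not_before": not_before, "not_after": not_after}
    return {"ok": True, "not_before": not_before, "not_after": not_after,
            "days_left": (not_after - now).days}


# --- Constructed sample input (offline test data, not a real WAPI certificate) ---

def _tlv(tag, content):
    """Encode one DER TLV; short and two-byte long-form lengths cover the sample."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + content


def build_sample_der(not_before, not_after):
    """Certificate-shaped DER with placeholder fields around a real Validity; it is not signed."""
    def utc(dt):
        return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))                                # version v3
           + _tlv(0x02, b"\x01")                                           # serialNumber 1
           + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))   # ecdsa-with-SHA256 OID
           + _tlv(0x30, b"")                                               # issuer (empty placeholder)
           + _tlv(0x30, utc(not_before) + utc(not_after))                  # validity
           + _tlv(0x30, b"") + _tlv(0x30, b""))                            # subject, SPKI (placeholders)
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


def to_pem(der):
    """Wrap DER bytes in a PEM CERTIFICATE block with 64-character lines."""
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


SAMPLE_NOT_BEFORE = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER = datetime(2026, 1, 1, tzinfo=timezone.utc)
SAMPLE_CHECK_TIME = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_PEM = to_pem(build_sample_der(SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER))

if __name__ == "__main__":
    # For a real file: check_wapi_cert_file(open("wapi.pem", "rb").read())
    print(check_wapi_cert_file(SAMPLE_PEM, now=SAMPLE_CHECK_TIME))
```

Run it against the actual file before step 3; a result with `"ok": False` means the import would either be rejected for holding more than one certificate or would leave the controller with a certificate the ASU cannot accept, and `days_left` tells you when the single slot needs its next import and `reload-wapi`.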

Configuring a WAPI Server

The WAPI server needs to be configured only when using certificate-based WAI authentication. This configuration is used to authenticate the WAPI certificate after it has been imported into the system.

To configure the WAPI Server:

  1. From the WebUI, navigate to Configuration > Security > WAPI Server.
  2. Enter the following information:
    • WAPI Server IP: the IP address of the Authentication Service Unit.
    • WAPI Server Port: the port number used for WAPI communication (default: 3810).

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
