Configuring a WiFi LAN

RADIUS Change of Authorization (CoA) support

The CoA feature enables the FortiGate to receive a client disconnect message from the RADIUS server. This is used to disconnect clients when their time, credit or bandwidth had been used up. Enable this on the RADIUS server using the CLI:

config user radius edit <name> set radius-coa enable

end

To configure WPA-Enterprise security – web-based manager

  1. Go to WiFi & Switch Controller > SSIDand edit your SSID entry.
  2. In Security Mode, select WPA2 Enterprise.
  3. In Authentication, do one of the following:
    • If you will use a RADIUS server for authentication, select RADIUS Server and then select the RADIUS server.
    • If you will use a local user group for authentication, select Local and then select the user group(s) permitted to use the wireless network.
  4. Select OK.

To configure WPA-Enterprise security – CLI

config wireless-controller vap edit example_wlan set security wpa2-enterprise set auth radius

set radius-server exampleRADIUS

end

Captive portal security

Captive portal security provides an access point that initially appears open. The wireless client can connect to the AP with no security credentials. The AP responds to the client’s first HTTP request with a web page requesting user name and password. Until the user enters valid credentials, no communication beyond the AP is permitted.

The captive portal can be hosted on the FortiGate unit, or externally. For details see

Configuring WiFi captive portal security – FortiGate captive portal on page 44

Configuring WiFi captive portal security – external server on page 44

For general information about captive portals, see the Captive Portal chapter of the Authentication Guide.

Adding a MAC filter

On each SSID, you can create a MAC address filter list to either permit or exclude a list of clients identified by their MAC addresses.

This is actually not as secure as it appears. Someone seeking unauthorized access to your network can obtain MAC addresses from wireless traffic and use them to impersonate legitimate users. A MAC filter list should only be used in conjunction with other security measures such as encryption.

To configure a MAC filter – web-based manager

  1. Go to WiFi & Switch Controller > SSID and edit your SSID entry.
  2. In the DHCP Server section, expand Advanced.
  3. In MAC Reservation + Access Control, double-click in the Unknown MAC Addresses line and select Assign IP or Block, as needed.

By default, unlisted MAC addresses are assigned an IP address automatically.

  1. In MAC Reservation + Access Control, select Create New.
  2. Enter a MAC address In the MAC
  3. In IP or Action, select one of:
    • Reserve IP — enter the IP address that is always assigned to this MAC address. l Assign IP — an IP address is assigned to this MAC address automatically.
    • Block — This MAC address will not be assigned an IP address.
  4. Repeat steps 4 through 6 for each additional MAC address that you want to add.
  5. Select OK.

To configure a MAC filter – CLI

  1. Enter config system dhcp server show
  2. Find the entry where interface is your WiFi interface. Edit that entry and configure the MAC filter. In this example, the MAC address 11:11:11:11:11:11will be excluded. Unlisted MAC addresses will be assigned an IP address automatically. edit 3 config reserved-address edit 1 set action block set mac 11:11:11:11:11:11

end

set mac-acl-default-action assign

end

Limiting the number of clients

You might want to prevent overloading of your access point by limiting the number of clients who can associate with it at the same time. Limits can be applied per SSID, per AP, or per radio.

To limit the number of clients per SSID – GUI

  1. Go to WiFi & Switch Controller > SSID and edit your SSID.
  2. Turn on Maximum Clients and enter the maximum number of clients in Limit Concurrent WiFi Clients.

To limit the number of clients per AP- CLI

Edit the wtp-profile (FortiAP profile), like this:

config wireless-controller wtp-profile edit “FAP221C-default” set max-clients 30

end

To limit the number of clients per radio – CLI

Edit the wtp-profile (FortiAP profile), like this:

config wireless-controller wtp-profile edit “FAP221C-default” config radio-1 set max-clients 10

end config radio-2 set max-clients 30

end

end

Multicast enhancement

FortiOS can translate multicast traffic into unicast traffic to send to clients, maintaining its own multicast client through IGMP snooping. You can configure this in the CLI:

config wireless-controller vap edit example_wlan set multicast-enhance enable set me-disable-thresh 32

end

If the number of clients on the SSID is larger than me-disable-thresh, multicast enhancement is disabled.

This entry was posted in Administration Guides, FortiGate, FortiOS, FortiOS 6, FortiWLC on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

2 thoughts on “Configuring a WiFi LAN

  1. Tony

    Hi Mike,
    Since I know by following your posts that you are really good the Fortinet in general, please allow me to ask you a question. In a Fortigate, FortiAP and Radius scenario, can I dynamically assign the VLAN to the WIFI users based on their device type? More specifically, I would like to move any iOS/Android to a different VLAN than a normal Windows Client would get. Thanks

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.