Category Archives: FortiAP

Managing a FortiAP with FortiCloud

Managing a FortiAP with FortiCloud

This chapter provides a few FortiCloud-managed FortiAP configuration examples.

FortiCloud-managed FortiAP WiFi

FortiCloud-managed FortiAP WiFi without a key

You can register for a free FortiCloud account at www.forticloud.com.

For a video tutorial of how to configure and manage a FortiAP-S device from FortiCloud, follow the link below:

l How to configure and Manage FortiAP-S from FortiCloud

FortiCloud-managed FortiAP WiFi

In this example, you use FortiCloud to configure a single FortiAP-221C, creating a working WiFi network without a FortiGate.

FortiCloud remote management is supported on FortiAP models 221C and 320C.

For this configuration, the FortiAP-221C unit is running version 5.2 firmware. You will create a simple network that uses WPA-Personal authentication.

You can register for a free FortiCloud account at www.forticloud.com.

To create the WiFi network without a FortiGate unit, you must:

l Add your FortiAP to FortiCloud l Configure the SSID l Configure the AP platform profile l Deploy the AP with the profile

Adding your FortiAP to FortiCloud

You need to add the FortiAP unit to your FortiCloud account. This is done through a unique key that can be found under the FortiAP unit.

To add a FortiAP to FortiCloud

  1. Connect the FortiAP Ethernet interface to a network that provides access to the Internet.
  2. Open a web browser and navigate to the FortiCloud main page and select + AP Network.
  3. Enter an AP Network Name and AP Password. This password is used to locally log in to the AP as the administrator. It will be set to all APs in this AP network.
  4. Set the correct Time Zone and select Submit.

Configuring the SSID

You must establish the SSID (network interface) for the WiFi network.

153 FortiOS™ Handbook – FortiWiFi and FortiAP Configuration Guide Fortinet Technologies Inc.

Managing a FortiAP with FortiCloud                                                    FortiCloud-managed FortiAP WiFi without a key

To configure the SSID

  1. Select the FortiAP you just created from the home page. You will then be prompted to add an SSID for the AP Network.

In the interface, this is under Configure > SSIDs.

  1. In Access Control, enter the name of your SSID, set Authentication to WPA2-Personal, enter the Preshared Key, and select Next.
  2. In Security, enable security features as required (select from AntiVirus, Intrusion Prevention, Block Botnet, Web Access, and Application Control) and select Next.
  3. In Availability, make sure to leave 5 GHz enabled, configure a schedule as required, and select Next.
  4. Review your SSID in Preview, then select Apply.

Configuring the AP platform profile

The radio portion of the FortiAP configuration is contained in the FortiAP platform profile. By default, there is a profile for each platform (FortiAP model). The SSID needs to be specified in the profile.

To configure the AP profile

  1. Go to Configure > AP Profile and edit the AP Profile for your FortiAP model (mouse-over the AP Profile to reveal the Edit button).
  2. Enable the SSID configured earlier for both Radio 1 and Radio 2, for 5GHz coverage.

Deploying the AP with the platform profile

With the SSID and platform profile configured, you must deploy the AP by entering the FortiCloud key for the FortiAP.

To deploy the AP

  1. Go to Configure > Deploy APs. Here you will be prompted to enter the FortiCloud key, which can be found on the same label as the FortiAP unit’s serial number, and select Submit.

If you have a FortiAP model that does not include a FortiCloud key, you can still add the device to the network. To learn how, see the FortiCloud-managed FortiAP WiFi without a key configuration.

  1. In Set Platform Profiles, select the platform profile you created earlier and select Next.
  2. Follow the rest of the deployment wizard. Select Submit when completed.

You will now be able to connect to the wireless network and browse the Internet. On the FortiCloud website, go to Monitor > Report where you can view monitoring information such as Traffic by Period, Client Count by Period, and more.

FortiCloud-managed FortiAP WiFi without a key

You can manage your FortiAP-based wireless network with FortiCloud even if your FortiAP has no FortiCloud key.

FortiOS™ Handbook – FortiWiFi and FortiAP Configuration Guide                                                                         154

Fortinet Technologies Inc.

FortiCloud-managed FortiAP WiFi without a key                                                    Managing a FortiAP with FortiCloud

For this example, you will need to have already pre-configured your FortiAP unit with your FortiCloud account credentials. For more information on how to do this, or if your FortiAP has a FortiCloud key (on the serial number label), see the FortiCloud-managed FortiAP WiFi configuration.

You can register for a free FortiCloud account at www.forticloud.com.

To create the WiFi network without a FortiCloud key, you must:

l Configure the FortiAP unit l Add the FortiAP unit to your FortiCloud account l Configure the FortiAP

Configuring the FortiAP unit

You need to connect and configure the FortiAP unit through the web-based manager of the FortiGate.

To configure the FortiAP unit – web-based manager

  1. Connect your computer to the FortiAP Ethernet port. The FortiAP’s default IP address is 192.168.1.2. The computer should have an address on the same subnet, 192.168.1.3 for example.
  2. Using a browser, log in to the FortiAP as admin. Leave the password field empty.
  3. In WTP-Configuration, select FortiCloud and enter your FortiCloud credentials. Select Apply.

The FortiAP is now ready to connect to FortiCloud via the Internet.

Adding the FortiAP unit to your FortiCloud account

The FortiAP must be added to the FortiCloud account that has a WiFi network already configured for it.

For an example of creating a WiFi network on FortiCloud, see FortiCloud-managed FortiAP WiFi on page 153.

To add the FortiAP to FortiCloud

  1. Connect the FortiAP Ethernet cable to a network that connects to the Internet.

Restore your computer to its normal network configuration and log on to FortiCloud.

  1. From the Home screen, go to Inventory > AP Inventory. Your FortiAP should be listed.
  2. Then go back to the Home screen, select your AP network, and go to Deploy APs.
  3. Select your listed FortiAP and select Next.
  4. Make sure your platform profile is selected from the dropdown menu, and select Next.
  5. In Preview, select Deploy.

The device will now appear listed under Access Points.

You will now be able to connect to the wireless network and browse the Internet. On the FortiCloud website, go to Monitor > Report where you can view monitoring information such as Traffic by Period, Client Count by Period, and more.

155 FortiOS™ Handbook – FortiWiFi and FortiAP Configuration Guide Fortinet Technologies Inc.

 

Wireless network examples

Wireless network examples

This chapter provides an example wireless network configuration.

Basic wireless network A more complex example

Basic wireless network

This example uses automatic configuration to set up a basic wireless network.

To configure this wireless network, you must:

l Configure authentication for wireless users l Configure the SSID (WiFi network interface) l Add the SSID to the FortiAP Profile l Configure the firewall policy l Configure and connect FortiAP units

Configuring authentication for wireless users

You need to configure user accounts and add the users to a user group. This example shows only one account, but multiple accounts can be added as user group members.

To configure a WiFi user – web-based manager

  1. Go to User & Device > User Definition and select Create New.
  2. Select Local User and then click Next.
  3. Enter a User Name and Password and then click Next.
  4. Click
  5. Make sure that Enable is selected and then click Create.

To configure the WiFi user group – web-based manager

  1. Go to User & Device > User Groups and select Create New.
  2. Enter the following information and then select OK:
Name wlan_users
Type Firewall
Members Add users.

To configure a WiFi user and the WiFi user group – CLI

config user user edit “user01”

Basic wireless network

set type password set passwd “asdf12ghjk”

end

config user group edit “wlan_users” set member “user01”

end

Configuring the SSID

First, establish the SSID (network interface) for the network. This is independent of the number of physical access points that will be deployed. The network assigns IP addresses using DHCP.

To configure the SSID – web-based manager

  1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.
  2. Enter the following information and select OK:
Interface Name                                  example_wifi_if
Traffic Mode                                      Tunnel to Wireless Controller
IP/Network Mask                                10.10.110.1/24
Administrative Access                      Ping (to assist with testing)
DHCP Server                                     Enable
  Address Range 10.10.110.2 – 10.10.110.199
Netmask 255.255.255.0
Default Gateway Same As Interface IP
DNS Server Same as System DNS
SSID                                                 example_wifi
Security Mode                                   WPA2 Enterprise
Authentication                                  Local, select wlan_users user group.
Leave other settings at their default values.

To configure the SSID – CLI

config wireless-controller vap edit example_wifi_if set ssid “example_wifi” set broadcast-ssid enable set security wpa-enterprise set auth usergroup set usergroup wlan_users set schedule always

end config system interface

Basic wireless network

edit example_wifi_if set ip 10.10.110.1 255.255.255.0

end

config system dhcp server edit 0 set default-gateway 10.10.110.1

set dns-service default set interface “example_wifi_if” config ip-range edit 1 set end-ip 10.10.110.199 set start-ip 10.10.110.2

end

set netmask 255.255.255.0

end

Adding the SSID to the FortiAP Profile

The radio portion of the FortiAP configuration is contained in the FortiAP Profile. By default, there is a profile for each platform (FortiAP model). You can create additional profiles if needed. The SSID needs to be specified in the profile.

To add the SSID to the FortiAP Profile – web-based manager

  1. Go to WiFi & Switch Controller > FortiAP Profiles and edit the profile for your model of FortiAP unit.
  2. In Radio 1 and Radio 2, add example_wifi in SSID.
  3. Select OK.

Configuring security policies

A security policy is needed to enable WiFi users to access the Internet on port1. First you create firewall address for the WiFi network, then you create the example_wifi to port1 policy.

To create a firewall address for WiFi users – web-based manager

  1. Go to Policy & Objects > Addresses.
  2. Select Create New > Address, enter the following information and select OK.
Name wlan_user_net
Type IP/Netmask
Subnet / IP Range 10.10.110.0/24
Interface example_wifi_if
Show in Address List Enabled

To create a firewall address for WiFi users – CLI

config firewall address edit “wlan_user_net” set associated-interface “example_wifi_if” set subnet 10.10.110.0 255.255.255.0

Basic wireless network

end

To create a security policy for WiFi users – web-based manager

  1. Go to Policy & Objects > IPv4 Policyand select Create New.
  2. Enter the following information and select OK:
Incoming Interface                  example_wifi_if
Source Address                      wlan_user_net
Outgoing Interface                  port1
Destination Address                All
Schedule                                always
Service                                   ALL
Action                                    ACCEPT
NAT                                       ON. Select Use Destination Interface Address (default).
Leave other settings at their default values.

To create a firewall policy for WiFi users – CLI

config firewall policy edit 0 set srcintf “example_wifi” set dstintf “port1” set srcaddr “wlan_user_net” set dstaddr “all” set schedule always set service ALL set action accept set nat enable

end

Connecting the FortiAP units

You need to connect each FortiAP unit to the FortiGate unit, wait for it to be recognized, and then assign it to the AP Profile. But first, you must configure the interface to which the FortiAP units connect and the DHCP server that assigns their IP addresses.

In this example, the FortiAP units connect to port 3 and are controlled through IP addresses on the 192.168.8.0/24 network.

To configure the interface for the AP unit – web-based manager

  1. Go to Network > Interfaces and edit the port3 interface.
  2. Set the Addressing mode to Dedicated to Extension Device and set the IP/Network Mask to 168.8.1/255.255.255.0.
  3. Select OK.

Basic wireless network

This procedure automatically configures a DHCP server for the AP units.

To configure the interface for the AP unit – CLI

config system interface edit port3 set mode static

set ip 192.168.8.1 255.255.255.0

end

To configure the DHCP server for AP units – CLI

config system dhcp server edit 0 set interface port3 config exclude-range edit 1 set end-ip 192.168.8.1 set start-ip 192.168.8.1

end

config ip-range edit 1 set end-ip 192.168.8.254 set start-ip 192.168.8.2

end set netmask 255.255.255.0 set vci-match enable set vci-string “FortiAP”

end

To connect a FortiAP unit – web-based manager

  1. Go to WiFi & Switch Controller > Managed FortiAPs.
  2. Connect the FortiAP unit to port 3.
  3. Periodically select Refresh while waiting for the FortiAP unit to be listed.

Recognition of the FortiAP unit can take up to two minutes.

If FortiAP units are connected but cannot be recognized, try disabling VCI-Match in the DHCP server settings.

  1. When the FortiAP unit is listed, select the entry to edit it. The Edit Managed Access Point window opens.
  2. In State, select
  3. In FortiAP Profile, select the default profile for the FortiAP model.
  4. Select OK.
  5. Repeat Steps 2 through 8 for each FortiAP unit.

To connect a FortiAP unit – CLI

  1. Connect the FortiAP unit to port 3.
  2. Enter config wireless-controller wtp
  3. Wait 30 seconds, then enter get.

Retry the get command every 15 seconds or so until the unit is listed, like this:

== [ FAP22B3U10600118 ]

 

wtp-id: FAP22B3U10600118

  1. Edit the discovered FortiAP unit like this:

edit FAP22B3U10600118 set admin enable

end

  1. Repeat Steps 2 through 4 for each FortiAP unit.

A more complex example

This example creates multiple networks and uses custom AP profiles.

Scenario

In this example, Example Co. provides two wireless networks, one for its employees and the other for customers or other guests of its business. Guest users have access only to the Internet, not to the company’s private network. The equipment for these WiFi networks consists of FortiAP-220B units controlled by a FortiGate unit.

The employee network operates in 802.11n mode on both the 2.4GHz and 5GHz bands. Client IP addresses are in the 10.10.120.0/24 subnet, with 10.10.120.1 the IP address of the WAP. The guest network also operates in 802.11n mode, but only on the 2.4GHz band. Client IP addresses are on the 10.10.115.0/24 subnet, with 10.10.115.1 the IP address of the WAP.

On FortiAP-220B units, the 802.11n mode also supports 802.11g and 802.11b clients on the 2.4GHz band and 802.11a clients on the 5GHz band.

The guest network WAP broadcasts its SSID, the employee network WAP does not.

The employees network uses WPA-Enterprise authentication through a FortiGate user group. The guest network features a captive portal. When a guest first tries to connect to the Internet, a login page requests logon credentials. Guests use numbered guest accounts authenticated by RADIUS. The captive portal for the guests includes a disclaimer page.

In this example, the FortiAP units connect to port 3 and are assigned addresses on the 192.168.8.0/24 subnet.

Configuration

To configure these wireless networks, you must:

l Configure authentication for wireless users l Configure the SSIDs (network interfaces) l Configure the AP profile l Configure the WiFi LAN interface and a DHCP server l Configure firewall policies

Configuring authentication for employee wireless users

Employees have user accounts on the FortiGate unit. This example shows creation of one user account, but you can create multiple accounts and add them as members to the user group.

To configure a WiFi user – web-based manager

  1. Go to User & Device > User Definition and select Create New.
  2. Select Local User and then click Next.
  3. Enter a User Name and Password and then click Next.
  4. Click Next.
  5. Make sure that Enable is selected and then click Create.

To configure the user group for employee access – web-based manager

  1. Go to User & Device > User Groups and select Create New.
  2. Enter the following information and then select OK:
Name employee-group
Type Firewall
Members Add users.

To configure a WiFi user and the user group for employee access – CLI

config user user edit “user01” set type password set passwd “asdf12ghjk”

end

config user group edit “employee-group” set member “user01”

end

The user authentication setup will be complete when you select the employee-group in the SSID configuration.

Configuring authentication for guest wireless users

Guests are assigned temporary user accounts created on a RADIUS server. The RADIUS server stores each user’s group name in the Fortinet-Group-Name attribute. Wireless users are in the group named “wireless”.

The FortiGate unit must be configured to access the RADIUS server.

To configure the FortiGate unit to access the guest RADIUS server – web-based manager

  1. Go to User & Device > RADIUS Servers and select Create New.
  2. Enter the following information and select OK:
Name guestRADIUS
Primary Server IP/Name 10.11.102.100
Primary Server Secret grikfwpfdfg
Secondary Server IP/Name Optional
Secondary Server Secret         Optional
Authentication Scheme          Use default, unless server requires otherwise.
Leave other settings at their default values.

To configure the FortiGate unit to access the guest RADIUS server – CLI

config user radius edit guestRADIUS set auth-type auto set server 10.11.102.100 set secret grikfwpfdfg

end

To configure the user group for guest access – web-based manager

  1. Go to User & Device > User Groups and select Create New.
  2. Enter the following information and then select OK:
Name guest-group
Type Firewall
Members Leave empty.
  1. Select Create new.
  2. Enter:
Remote Server Select guestRADIUS.
Groups Select wireless
  1. Select OK.

To configure the user group for guest access – CLI

config user group edit “guest-group” set member “guestRADIUS” config match

edit 0 set server-name “guestRADIUS” set group-name “wireless”

end

end

The user authentication setup will be complete when you select the guest-group user group in the SSID configuration.

Configuring the SSIDs

First, establish the SSIDs (network interfaces) for the employee and guest networks. This is independent of the number of physical access points that will be deployed. Both networks assign IP addresses using DHCP.

To configure the employee SSID – web-based manager

  1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.
  2. Enter the following information and select OK:
Interface Name                       example_inc
Traffic Mode                           Tunnel to Wireless Controller
IP/Netmask                             10.10.120.1/24
Administrative Access            Ping (to assist with testing)
Enable DHCP                          Enable
  Address Range                     10.10.120.2 – 10.10.120.199
  Netmask                               255.255.255.0
  Default Gateway                   Same As Interface IP
  DNS Server                           Same as System DNS
SSID                                       example_inc
Security Mode                        WPA/WPA2-Enterprise
Authentication                        Select Local, then select employee-group.
Leave other settings at their default values.

To configure the employee SSID – CLI

config wireless-controller vap edit example_inc set ssid “example_inc” set security wpa-enterprise set auth usergroup set usergroup employee-group set schedule always

end

config system interface edit example_inc set ip 10.10.120.1 255.255.255.0

end

config system dhcp server edit 0 set default-gateway 10.10.120.1 set dns-service default set interface example_inc

config ip-range

edit 1

set end-ip 10.10.120.199 set start-ip 10.10.120.2

end

set lease-time 7200 set netmask 255.255.255.0

end

To configure the example_guest SSID – web-based manager

  1. Go to WiFi & Switch Controller > SSID and select Create New.
  2. Enter the following information and select OK:
Name                                     example_guest
IP/Netmask                             10.10.115.1/24
Administrative Access            Ping (to assist with testing)
Enable DHCP                          Enable
  Address Range                     10.10.115.2 – 10.10.115.50
  Netmask                               255.255.255.0
  Default Gateway                    Same as Interface IP
  DNS Server                           Same as System DNS
SSID                                       example_guest
Security Mode                        Captive Portal
Portal Type                             Authentication
Authentication Portal              Local
User Groups                           Select guest-group
Leave other settings at their default values.

To configure the example_guest SSID – CLI

config wireless-controller vap edit example_guest

set ssid “example_guest” set security captive-portal set selected-usergroups guest-group set schedule always

end

config system interface

edit example_guest

set ip 10.10.115.1 255.255.255.0

end

config system dhcp server

edit 0

set default-gateway 10.10.115.1 set dns-service default set interface “example_guest” config ip-range

edit 1 set end-ip 10.10.115.50 set start-ip 10.10.115.2

end

set lease-time 7200 set netmask 255.255.255.0

end

Configuring the FortiAP profile

The FortiAP Profile defines the radio settings for the networks. The profile provides access to both Radio 1 (2.4GHz) and Radio 2 (5GHz) for the employee virtual AP, but provides access only to Radio 1 for the guest virtual AP.

To configure the FortiAP Profile – web-based manager

  1. Go to WiFi & Switch Controller > FortiAP Profiles and select Create New.
  2. Enter the following information and select OK:
Name example_AP
Platform FAP220B
Radio 1  
  Mode Access Point
  Band 802.11n
  Channel Select 1, 6, and 11.
  Tx Power 100%
  SSID Select SSIDs and select example_inc and example_guest.
Radio 2  
  Mode Access Point
  Band 802.11n_5G
  Channel Select all.
  Tx Power 100%
  SSID Select SSIDs and select example_inc.

To configure the AP Profile – CLI

config wireless-controller wtp-profile edit “example_AP” config platform

set type 220B

end config radio-1 set ap-bgscan enable set band 802.11n set channel “1” “6” “11” set vaps “example_inc” “example_guest”

end config radio-2 set ap-bgscan enable set band 802.11n-5G

set channel “36” “40” “44” “48” “149” “153” “157” “161” “165” set vaps “example_inc” end

Configuring firewall policies

Identity-based firewall policies are needed to enable the WLAN users to access the Internet on Port1. First you create firewall addresses for employee and guest users, then you create the firewall policies.

To create firewall addresses for employee and guest WiFi users

  1. Go to Policy & Objects > Addresses.
  2. Select Create New, enter the following information and select OK.
Address Name   employee-wifi-net
Type   Subnet / IP Range
Subnet / IP Range   10.10.120.0/24
Interface   example_inc
  1. Select Create New, enter the following information and select OK.
Address Name guest-wifi-net
Type Subnet / IP Range
Subnet / IP Range 10.10.115.0/24
Interface example_guest

To create firewall policies for employee WiFi users – web-based manager

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information and select OK:
Incoming Interface example_inc
Source Address employee-wifi-net
Outgoing Interface port1
Destination Address all
Schedule always
Service ALL
Action ACCEPT
NAT Enable NAT
  1. Optionally, select security profile for wireless users.
  2. Select OK.
  3. Repeat steps 1 through 4 but select Internal as the Destination Interface/Zone to provides access to the ExampleCo private network.

To create firewall policies for employee WiFi users – CLI

config firewall policy edit 0 set srcintf “employee_inc” set dstintf “port1” set srcaddr “employee-wifi-net” set dstaddr “all” set action accept set schedule “always” set service “ANY” set nat enable set schedule “always” set service “ANY”

next edit 0 set srcintf “employee_inc” set dstintf “internal” set srcaddr “employee-wifi-net” set dstaddr “all” set action accept set schedule “always” set service “ANY” set nat enable set schedule “always” set service “ANY”

end

To create a firewall policy for guest WiFi users – web-based manager

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information and select OK:
Incoming Interface example_guest
Source Address guest-wifi-net
Outgoing Interface port1
Destination Address all
Schedule always
Service ALL
Action ACCEPT
NAT Enable NAT
  1. Optionally, select UTM and set up UTM features for wireless users.
  2. Select OK.

To create a firewall policy for guest WiFi users – CLI

config firewall policy edit 0 set srcintf “example_guest” set dstintf “port1” set srcaddr “guest-wifi-net” set dstaddr “all” set action accept set schedule “always” set service “ANY” set nat enable

end

Connecting the FortiAP units

You need to connect each FortiAP-220A unit to the FortiGate unit, wait for it to be recognized, and then assign it to the AP Profile. But first, you must configure the interface to which the FortiAP units connect and the DHCP server that assigns their IP addresses.

In this example, the FortiAP units connect to port 3 and are controlled through IP addresses on the 192.168.8.0/24 network.

To configure the interface for the AP unit – web-based manager

  1. Go to Network > Interfaces and edit the port3 interface.
  2. Set the Addressing mode to Dedicated to Extension Device and set the IP/Netmask to

192.168.8.1/255.255.255.0.

This step automatically configures a DHCP server for the AP units.

  1. Select OK.

To configure the interface for the AP unit – CLI

config system interface edit port3 set mode static

set ip 192.168.8.1 255.255.255.0 end

To configure the DHCP server for AP units – CLI

config system dhcp server edit 0 set interface port3 config ip-range

edit 1 set end-ip 192.168.8.9 set start-ip 192.168.8.2

end

set netmask 255.255.255.0 set vci-match enable set vci-string “FortiAP”

end

To connect a FortiAP-220A unit – web-based manager

  1. Go to WiFi & Switch Controller > Managed FortiAPs.
  2. Connect the FortiAP unit to port 3.
  3. Periodically select Refresh while waiting for the FortiAP unit to be listed.

Recognition of the FortiAP unit can take up to two minutes.

If there is persistent difficulty recognizing FortiAP units, try disabling VCI-Match in the DHCP server settings.

  1. When the FortiAP unit is listed, select the entry to edit it. The Edit Managed Access Point window opens.
  2. In State, select
  3. In the AP Profile, select [Change] and then select the example_AP
  4. Select OK.
  5. Repeat Steps 2 through 8 for each FortiAP unit.

To connect a FortiAP-220A unit – CLI

  1. Connect the FortiAP unit to port 3.
  2. Enter:

config wireless-controller wtp

  1. Wait 30 seconds, then enter get.

Retry the get command every 15 seconds or so until the unit is listed, like this:

== [ FAP22A3U10600118 ] wtp-id: FAP22A3U10600118

  1. Edit the discovered FortiAP unit like this:

edit FAP22A3U10600118 set admin enable set wtp-profile example_AP

end

  1. Repeat Steps 2 through 4 for each FortiAP unit.

 

Configuring wireless network clients

Configuring wireless network clients

This chapter shows how to configure typical wireless network clients to connect to a wireless network with WPAEnterprise security.

Windows XP client

Windows 7 client

Mac OS client

Linux client

Troubleshooting

Windows XP client

To configure the WPA-Enterprise network connection

  1. In the Windows Start menu, go to Control Panel > Network Connections > Wireless Network Connection or select the wireless network icon in the Notification area of the Taskbar. A list of available networks is displayed.

Windows XP

If you are already connected to another wireless network, the Connection Status window displays. Select View Wireless Networks on the General tab to view the list.

If the network broadcasts its SSID, it is listed. But do not try to connect until you have completed the configuration step below. Because the network doesn’t use the Windows XP default security configuration, configure the client’s network settings manually before trying to connect.

  1. You can configure the WPA-Enterprise network to be accessible from the View Wireless Networks window even if it does not broadcast its SSID.
  2. Select Change Advanced Settings and then select the Wireless Networks

Any existing networks that you have already configured are listed in the Preferred Networks list.

 

Windows XP client

  1. Select Add and enter the following information:
Network Name (SSID) The SSID for your wireless network
Network Authentication WPA2
Data Encryption AES
  1. If this wireless network does not broadcast its SSID, select Connect even if this network is not broadcasting so that the network will appear in the View Wireless Networks

Windows XP

  1. Select the Authentication
  2. In EAP Type, select Protected EAP (PEAP).
  3. Make sure that the other two authentication options are not selected.

Windows XP client

  1. Select Properties.
  2. Make sure that Validate server certificate is selected.
  3. Select the server certificate Entrust Root Certification Authority.
  4. In Select Authentication Method, select Secured Password (EAP-MSCHAPv2).
  5. Ensure that the remaining options are not selected.
  6. Select Configure.
  7. If your wireless network credentials are the same as your Windows logon credentials, select Automatically use my Windows logon name and password. Otherwise, make sure that this option is not selected.
  8. Select OK. Repeat until you have closed all of the Wireless Network Connection Properties

Windows 7

To connect to the WPA-Enterprise wireless network

  1. Select the wireless network icon in the Notification area of the Taskbar.
  2. In the View Wireless Networks list, select the network you just added and then select Connect. You might need to log off of your current wireless network and refresh the list.
  3. When the following popup displays, click on it.
  4. In the Enter Credentials window, enter your wireless network User name, Password, and Logon domain (if applicable). Then, select OK.

In future, Windows will automatically send your credentials when you log on to this network.

Windows 7 client

  1. In the Windows Start menu, go to Control Panel > Network and Internet > Network and Sharing Center > Manage Wireless Networks or select the wireless network icon in the Notification area of the Taskbar. A list of available networks is displayed.

Windows 7 client

  1. Do one of the following:

l If the wireless network is listed (it broadcasts its SSID), select it from the list. l Select Add > Manually create a network profile.

Windows 7

  1. Enter the following information and select Next.
Network name Enter the SSID of the wireless network. (Required only if you selected Add.)
Security type WPA2-Enterprise
Encryption type AES
Start this connection automatically Select
Connect even if the network is not broadcasting. Select

The Wireless Network icon will display a popup requesting that you click to enter credentials for the network. Click on the popup notification.

  1. In the Enter Credentials window, enter your wireless network User name, Password, and Logon domain (if applicable). Then, select OK.
  2. Select Change connection settings.
  3. On the Connection tab, select Connect automatically when this network is in range.
  4. On the Security tab, select the Microsoft PEAP authentication method and then select Settings.

Windows 7 client

  1. Make sure that Validate server certificate is selected.
  2. Select the server certificate Entrust Root Certification Authority.
  3. In Select Authentication Method, select Secured Password (EAP-MSCHAPv2).
  4. Select Configure.
  5. If your wireless network credentials are the same as your Windows logon credentials, select Automatically use my Windows logon name and password. Otherwise, make sure that this option is not selected.
  6. Ensure that the remaining options are not selected.
  7. Select OK. Repeat until you have closed all of the Wireless Network Properties

Mac OS

Mac OS client

To configure network preferences

  1. Right-click the AirPort icon in the toolbar and select Open Network Preferences.
  2. Select Advanced and then select the 1X tab.
  3. If there are no Login Window Profiles in the left column, select the + button and then select Add Login Window

Profile.

  1. Select the Login Window Profile and then make sure that both TTLS and PEAP are selected in Authentication.

To configure the WPA-Enterprise network connection

  1. Select the AirPort icon in the toolbar.
  2. Do one of the following:

l If the network is listed, select the network from the list. l Select Connect to Other Network.

One of the following windows opens, depending on your selection.

Mac OS client

  1. Enter the following information and select OK or Join:
Network name Enter the SSID of your wireless network. (Other network only)
Wireless Security WPA Enterprise
802.1X Automatic
Username Password Enter your logon credentials for the wireless network.
Remember this network Select.

You are connected to the wireless network.

Linux

Linux client

This example is based on the Ubuntu 10.04 Linux wireless client.

To connect to a WPA-Enterprise network

  1. Select the Network Manager icon to view the Wireless Networks menu.

Wireless networks that broadcast their SSID are listed in the Available section of the menu. If the list is long, it is continued in the More Networks submenu.

  1. Do one of the following:
    • Select the network from the list (also check More Networks).
    • Select Connect to Hidden Wireless Network.

One of the following windows opens, depending on your selection.

Linux client

  1. Enter the following information:
Connection Leave as New. (Hidden network only)
Network name Enter the SSID of your wireless network. (Hidden network only)
Wireless Security WPA & WPA2 Enterprise
Authentication Protected EAP (PEAP) for RADIUS-based authentication

Tunneled TLS for TACACS+ or LDAP-based authentication

Anonymous identity This is not required.
CA Certificate If you want to validate the AP’s certificate, select the Entrust Root Certification Authority root certificate. The default location for the certificate is /usr/share/ca-certificates/mozilla/.
PEAP version Automatic (applies only to PEAP)
Inner authentication MSCHAPv2 for RADIUS-based authentication

PAP or CHAP for TACACS+ or LDAP-based authentication

Username Password Enter your logon credentials for the wireless network.

 

Troubleshooting

  1. If you did not select a CA Certificate above, you are asked to do so. Select Ignore.
  2. Select You are connected to the wireless network.

To connect to a WPA-Enterprise network

  1. Select the Network Manager icon to view the Wireless Networks menu.
  2. Select the network from the list (also check More Networks).

If your network is not listed (but was configured), select Connect to Hidden Wireless Network, select your network from the Connection drop-down list, and then select Connect.

Troubleshooting

Using tools provided in your operating system, you can find the source of common wireless networking problems.

Checking that client received IP address and DNS server information

Windows XP

  1. Double-click the network icon in the taskbar to display the Wireless Network Connection Status

Check that the correct network is listed in the Connection section.

  1. Select the Support

Check that the Address Type is Assigned by DHCP. Check that the IP Address, Subnet Mask, and Default Gateway values are valid.

  1. Select Details to view the DNS server addresses.

The listed address should be the DNS serves that were assigned to the WAP. Usually a wireless network that provides access to the private LAN is assigned the same DNS servers as the wired private LAN. A wireless network that provides guest or customer users access to the Internet is usually assigned public DNS servers.

  1. If any of the addresses are missing, select Repair.

If the repair procedure doesn’t correct the problem, check your network settings.

Mac OS

  1. From the Apple menu, open System Preferences > Network.
  2. Select AirPort and then select Configure.

Troubleshooting

  1. On the Network page, select the TCP/IP
  2. If there is no IP address or the IP address starts with 169, select Renew DHCP Lease.
  3. To check DNS server addresses, open a terminal window and enter the following command:

cat /etc/resolv.conf

Check the listed nameserver addresses. A network for employees should us the wired private LAN DNS server. A network for guests should specify a public DNS server.

Linux

This example is based on the Ubuntu 10.04 Linux wireless client.

Troubleshooting

  1. Right-click the Network Manager icon and select Connection Information.
  2. Check the IP address, and DNS settings. If they are incorrect, check your network settings.

 

Wireless network monitoring

Wireless network monitoring

You can monitor both your wireless clients and other wireless networks that are available in your coverage area.

Monitoring wireless clients

Monitoring rogue APs

Suppressing rogue APs

Monitoring wireless network health

Monitoring wireless clients

To view connected clients on a FortiWiFi unit

  1. Go to Monitor > Client Monitor.

The following information is displayed:

SSID The SSID that the client connected to.
FortiAP The serial number of the FortiAP unit to which the client connected.
User User name
IP The IP address assigned to the wireless client.
Device  
Auth The type of authentication used.
Channel WiFi radio channel in use.
Bandwidth Tx/Rx Client received and transmitted bandwidth, in Kbps.
Signal Strength / Noise The signal-to-noise ratio in deciBels calculated from signal strength and noise level.
Signal Strength  
Association Time How long the client has been connected to this access point.

Results can be filtered. Select the filter icon on the column you want to filter. Enter the values to include or select NOT if you want to exclude the specified values.

Monitoring rogue APs

The access point radio equipment can scan for other available access points, either as a dedicated monitor or in idle periods during AP operation.

Discovered access points are listed in Monitor > Rogue AP Monitor. You can then mark them as either Accepted or Rogue access points. This designation helps you to track access points. It does not affect anyone’s ability to use these access points.

It is also possible to suppress rogue APs. See Monitoring rogue APs on page 115.

On-wire rogue AP detection technique

Other APs that are available in the same area as your own APs are not necessarily rogues. A neighboring AP that has no connection to your network might cause interference, but it is not a security threat. A rogue AP is an unauthorized AP connected to your wired network. This can enable unauthorized access. When rogue AP detection is enabled, the On-wire column in the Rogue AP Monitor list shows a green up-arrow on detected rogues.

Rogue AP monitoring of WiFi client traffic builds a table of WiFi clients and the Access Points that they are communicating through. The FortiGate unit also builds a table of MAC addresses that it sees on the LAN. The FortiGate unit’s on-wire correlation engine constantly compares the MAC addresses seen on the LAN to the MAC addresses seen on the WiFi network.

There are two methods of Rogue AP on-wire detection operating simultaneously: Exact MAC address match and MAC adjacency.

Exact MAC address match

If the same MAC address is seen on the LAN and on the WiFi network, this means that the wireless client is connected to the LAN. If the AP that the client is using is not authorized in the FortiGate unit configuration, that AP is deemed an ‘on-wire’ rogue. This scheme works for non-NAT rogue APs.

MAC adjacency

If an access point is also a router, it applies NAT to WiFi packets. This can make rogue detection more difficult.

However, an AP’s WiFi interface MAC address is usually in the same range as its wired MAC address. So, the MAC adjacency rogue detection method matches LAN and WiFi network MAC addresses that are within a defined numerical distance of each other. By default, the MAC adjacency value is 7. If the AP for these matching MAC addresses is not authorized in the FortiGate unit configuration, that AP is deemed an ‘on-wire’ rogue.

Limitations

On-wire rogue detection has some limitations. There must be at least one WiFi client connected to the suspect AP and continuously sending traffic. If the suspect AP is a router, its WiFi MAC address must be very similar to its Ethernet port MAC address.

Logging

Information about detected rogue APs is logged and uploaded to your FortiAnalyzer unit, if you have one. By default, rogue APs generate an alert level log, unknown APs generate a warning level log. This log information can help you with PCI-DSS compliance requirements.

Rogue AP scanning as a background activity

Each WiFi radio can perform monitoring of radio channels in its operating band while acting as an AP. It does this by briefly switching from AP to monitoring mode. By default, a scan period starts every 300 seconds. Each second rogue APs

a different channel is monitored for 20ms until all channels have been checked.

During heavy AP traffic, it is possible for Spectrum Analysis background scanning to cause lost packets when the radio switches to monitoring. To reduce the probability of lost packets, you can set the CLI ap-bgscan-idle field to delay the switch to monitoring until the AP has been idle for a specified period. This means that heavy AP traffic may slow background scanning.

The following CLI example configures default background rogue scanning operation except that it sets apbgscan-idle to require 100ms of AP inactivity before scanning the next channel.

config wireless-controller wtp-profile edit ourprofile config radio-1 set wids-profile ourwidsprofile set spectrum-analysis enable

end

end

config wireless-controller wids-profile edit ourwidsprofile set ap-scan enable set rogue-scan enable set ap-bgscan-period 300 set ap-bgscan-intv 1 set ap-bgscan-duration 20 set ap-bgscan-idle 100

end

Configuring rogue scanning

All APs using the same FortiAP Profile share the same rogue scanning settings, unless override is configured.

To enable rogue AP scanning with on-wire detection – web-based manager

  1. Go to WiFi & Switch Controller > WIDS Profiles.

On some models, the menu is WiFi & Switch Controller.

  1. Select an existing WIDS Profile and edit it, or select Create New.
  2. Make sure that Enable Rogue AP Detection is selected.
  3. Select Enable On-Wire Rogue AP Detection.
  4. Optionally, enable Auto Suppress Rogue APs in Foreground Scan.
  5. Select OK.

To enable the rogue AP scanning feature in a custom AP profile – CLI

config wireless-controller wids-profile edit FAP220B-default set ap-scan enable set rogue-scan enable

end

Exempting an AP from rogue scanning

By default, if Rogue AP Detection is enabled, it is enabled on all managed FortiAP units. Optionally, you can exempt an AP from scanning. You should be careful about doing this if your organization must perform scanning to meet PCI-DSS requirements.

To exempt an AP from rogue scanning

  1. Go to WiFi & Switch Controller > WIDS Profiles.
  2. Create a new WIDS profile and disable Rogue AP detection.
  3. Go to WiFi & Switch Controller > FortiAP Profiles and edit the profile you wish to exempt from rogue scanning.
  4. Assign the WIDS profile created in step 2.

MAC adjacency

You can adjust the maximum WiFi to Ethernet MAC difference used when determining whether an suspect AP is a rogue.

To adjust MAC adjacency

For example, to change the adjacency to 8, enter

config wireless-controller global set rogue-scan-mac-adjacency 8 end

Using the Rogue AP Monitor

Go to Monitor > Rogue AP Monitor to view the list of other wireless access points that are receivable at your location.

Information Columns

Actual columns displayed depends on Column Settings.

Rogue AP — Use this status for unauthorized APs that On-wire status indicates are attached to your wired networks.

Accepted AP — Use this status for APs that are an authorized part of your network or

Stateare neighboring APs that are not a security threat. To see accepted APs in the list, select Show Accepted.

Unclassified — This is the initial status of a discovered AP. You can change an AP back to unclassified if you have mistakenly marked it as Rogue or Accepted.

OnlineActive AP

Status

Inactive AP

Active ad-hoc WiFi device

Inactive ad-hoc WiFi device

SSID            The wireless service set identifier (SSID) or network name for the wireless interface.
Security           The type of security currently being used. Type
Channel       The wireless radio channel that the access point uses.
MAC     The MAC address of the Wireless interface. Address
Vendor

The name of the vendor.

Info

Signal  The relative signal strength of the AP. Mouse over the symbol to view the signal-to-noise Strength           ratio.
Detected

The name or serial number of the AP unit that detected the signal. By

On-wire         A green up-arrow indicates a suspected rogue, based on the on-wire detection technique. A red down-arrow indicates AP is not a suspected rogue.
First Seen     How long ago this AP was first detected.

 

Last Seen How long ago this AP was last detected.
Rate Data rate in bps.

To change the Online Status of an AP, right-click it and select Mark Accepted or Mark Rogue.

Suppressing rogue APs

In addition to monitoring rogue APs, you can actively prevent your users from connecting to them. When suppression is activated against an AP, the FortiGate WiFi controller sends deauthentication messages to the rogue AP’s clients, posing as the rogue AP, and also sends deauthentication messages to the rogue AP, posing as its clients. This is done using the monitoring radio.

To enable rogue AP suppression, you must enable monitoring of rogue APs with the on-wire detection technique. See “Monitoring rogue APs”. The monitoring radio must be in the Dedicated Monitor mode.

To activate AP suppression against a rogue AP

  1. Go to Monitor > Rogue AP Monitor.
  2. When you see an AP listed that is a rogue detected “on-wire”, select it and then select Mark > Mark Rogue.
  3. To suppress an AP that is marked as a rogue, select it and then select Suppress AP.

To deactivate AP suppression

  1. Go to Monitor > Rogue AP Monitor.
  2. Select the suppressed rogue AP and then select Suppress AP > Unsuppress AP.

Monitoring wireless network health

To view the wireless health dashboard, go to Monitor > WiFi Health Monitor.

The wireless health dashboard provides a comprehensive view of the health of your network’s wireless infrastructure. The dashboard includes widgets to display: l AP Status

Active, Down or missing, up for over 24 hours, rebooted in past 24 hours l Client Count Over Time

Viewable for past hour, day, or 30 days l Top Client Count Per-AP

Separate widgets for 2.4GHz and 5GHz bands health

l Top Wireless Interference

Separate widgets for 2.4GHz and 5GHz bands, requires spectrum analysis to be enabled on the radios l Login Failures Information l WiFi Channel Utilization

Three views allowing users to view top 10-20 Most and Least utilized channels for each AP radio and a third histogram view showing counts for utilization

The list of active clients also shows MAC address entries (similar to the WiFi Client Monitor page), making client information easy to view when opening the Active Client widget.

Protecting the WiFi network

Protecting the WiFi network

Wireless IDS

WiFi data channel encryption

Protected Management Frames and Opportunisitc Key Caching support

Preventing local bridge traffic from reaching the LAN

FortiAP-S UTM support

DHCP snooping and option 82 (circuit -id) options for wireless access points

Wireless IDS

The FortiGate Wireless Intrusion Detection System (WIDS) monitors wireless traffic for a wide range of security threats by detecting and reporting on possible intrusion attempts. When an attack is detected the FortiGate unit records a log message.

You can create a WIDS profile to enable these types of intrusion detection:

  • Asleap Attack—ASLEAP is a tool used to perform attacks against LEAP authentication.
  • Association Frame Flooding—A Denial of Service attack using a large number of association requests. The default detection threshold is 30 requests in 10 seconds.
  • Authentication Frame Flooding—A Denial of Service attack using a large number of association requests. The default detection threshold is 30 requests in 10 seconds.
  • Broadcasting De-authentication—This is a type of Denial of Service attack. A flood of spoofed de-authentication frames forces wireless clients to de-athenticate, then re-authenticate with their AP.
  • EAPOL Packet Flooding—Extensible Authentication Protocol over LAN (EAPOL) packets are used in WPA and WPA2 authentication. Flooding the AP with these packets can be a denial of service attack. Several types of EAPOL packets are detected: EAPOL-FAIL, EAPOL-LOGOFF, EAPOL-START, EAPOL-SUCC.
  • Invalid MAC OUI—Some attackers use randomly-generated MAC addresses. The first three bytes of the MAC address are the Organizationally Unique Identifier (OUI), administered by IEEE. Invalid OUIs are logged.
  • Long Duration Attack—To share radio bandwidth, WiFi devices reserve channels for brief periods of time. Excessively long reservation periods can be used as a denial of service attack. You can set a threshold between 1000 and 32 767 microseconds. The default is 8200. l Null SSID Probe Response—When a wireless client sends out a probe request, the attacker sends a response with a null SSID. This causes many wireless cards and devices to stop responding.
  • Spoofed De-authentication—Spoofed de-authentication frames are a denial of service attack. They cause all clients to disconnect from the AP.
  • Weak WEP IV Detection—A primary means of cracking WEP keys is by capturing 802.11 frames over an extended period of time and searching for patterns of WEP initialization vectors (IVs) that are known to be weak. WIDS detects known weak WEP IVs in on-air traffic.
  • Wireless Bridge—WiFi frames with both the fromDS and ToDS fields set indicate a wireless bridge. This will also detect a wireless bridge that you intentionally configured in your network.

You can enable wireless IDS by selecting a WIDS Profile in your FortiAP profile.

To create a WIDS Profile

  1. Go to WiFi & Switch Controller > WIDS Profiles.
  2. Select a profile to edit or select Create New.
  3. Select the types of intrusion to protect against. By default, all types are selected.
  4. Select Apply.

You can also configure a WIDS profile in the CLI using the config wireless-controller widsprofile command.

Rogue AP detection

The WIDS profile includes settings for detection of unauthorized (rogue) access points in your wireless network. For more information, see Wireless network monitoring on page 115.

WIDS client deauthentication rate for DoS attacks

As part of mitigating a Denial of Service (DoS) attack, the FortiGate sends deauthentication packets to unknown clients. In an aggressive attack, this deauthentication activity can prevent the processing of packets from valid clients. A WIDS Profile option in the CLI limits the deauthentication rate.

config wireless-controller wids-profile edit default set deauth-unknown-src-thresh <1-65535>

end

The value set is a measure of the number of deathorizations per second. 0 means no limit. The default is 10.

WiFi data channel encryption

Optionally, you can apply DTLS encryption to the data channel between the wireless controller and FortiAP units. This enhances security.

There are data channel encryption settings on both the FortiGate unit and the FortiAP units. At both ends, you can enable Clear Text, DTLS encryption, or both. The settings must agree or the FortiAP unit will not be able to join the WiFi network. By default, both Clear Text and DTLS-encrypted communication are enabled on the FortiAP unit, allowing the FortiGate setting to determine whether data channel encryption is used. If the FortiGate unit also enables both Clear Text and DTLS, Clear Text is used.

Data channel encryption settings are located in the FortiAP profile. By default, only Clear Text is supported.

Configuring encryption on the FortiGate unit

You can use the CLI to configure data channel encryption.

Enabling encryption

In the CLI, the wireless wtp-profile command contains a new field, dtls-policy, with options clear-text and dtls-enabled. To enable encryption in profile1 for example, enter:

config wireless-controller wtp-profile edit profile1 set dtls-policy dtls-enabled

end

Configuring encryption on the FortiAP unit

The FortiAP unit has its own settings for data channel encryption.

Enabling CAPWAP encryption – FortiAP web-based manager

  1. On the System Information page, in WTP Configuration > AC Data Channel Security, select one of:

l Clear Text l DTLS Enabled l Clear Text or DTLS Enabled (default)

  1. Select Apply.

Enabling encryption – FortiAP CLI

You can set the data channel encryption using the AP_DATA_CHAN_SEC variable: ‘clear’, or ‘ipsec’, or ‘dtls’.

For example, to set security to DTLS and then save the setting, enter:

cfg -a AP_DATA_CHAN_SEC=dtls cfg -c

Protected Management Frames and Opportunisitc Key Caching support

Protected Management Frames (PMF) protect some types of management frames like deauthorization, disassociation and action frames. This feature, now mandatory on WiFi certified 802.1ac devices, prevents attackers from sending plain deauthorization/disassociation frames to disrupt or tear down a connection/association. PMF is a Wi-Fi Alliance specification based on IEEE 802.11w.

To facilitate faster roaming client roaming, you can enable Opportunistic Key Caching (OKC) on your WiFi network. When a client associates with an AP, its PMK identifier is sent to all other APs on the network. This eliminates the need for an already-authenticated client to repeat the full EAP exchange process when it roams to another AP on the same network.

Use of PMF and OKC on an SSID is configurable only in the CLI:

config wireless-controller vap edit <vap_name> set pmf {disable | enable | optional} set pmf-assoc-comeback-timeout <integer> set pmf-sa-query-retry-timeout <integer>

set okc {disable | enable}

next end

Protected Management Frames and Opportunisitc Key Caching support

When pmf is set to optional, it is considered enabled, but will allow clients that do not use PMF. When pmf is set to enable, PMF is required by all clients.

Bluetooth Low Energy (BLE) Scan

The FortiGate can configure FortiAP Bluetooth Low Energy (BLE) scan, incorporating Google’s BLE beacon profile known as Eddystone, used to identify groups of devices and individual devices.

Use the following syntax to configure BLE profiles, configure BLE report intervals, and assign BLE profiles to WTP profiles.

CLI syntax – Configure BLE profiles

config wireless-controller ble-profile edit <name> set comment <comment>

set advertising {ibeacon | eddystone-uid | eddystone-url} set ibeacon-uuid <uuid> set major-id <0 – 65535> – (default = 1000) set minor-id <0 – 65535> – (default = 1000) set eddystone-namespace <10-byte namespace> set eddystone-instance <device id> set eddystone-url <url> set txpower <0 – 12> – (default = 0) set beacon-interval <40 – 3500> – (default = 100) set ble-scanning {enable | disable} – (default = disable)

next

end

Note that txpower determines the transmit power level on a scale of 0-12:

0: -21 dBm 1: -18 dBm 2: -15 dBm 3: -12 dBm 4: -9 dBm
5: -6 dBm 6: -3 dBm 7: 0 dBm 8: 1 dBm 9: 2 dBm
10: 3 dBm 11: 4 dBm 12: 5 dBm    

CLI syntax – Configure BLE report intervals

config wireless-controller timers set ble-scan-report-intv – (default = 30 sec)

end

CLI syntax – Assign BLE profiles to WTP profiles

config wireless-controller wtp-profile edit <name> set ble-profile <name> next

end

Preventing local bridge traffic from reaching the LAN

The following command can be enabled so that when a client connects to a VAP, and its traffic is not tunneled to the controller, the admin can control whether the client can access the local network.

Note that this entry is only available when local-standalone-nat is set to enable.

Syntax:

config wireless-controller vap edit <name> set local-lan {allow | deny}

next

end

FortiAP-S UTM support

When a FortiAP-S is managed by a FortiGate in Bridge mode, support is provided for the following UTM functions: AntiVirus, IPS, Botnet, Web Filtering, and Application Control.

config wireless-controller utm-profile edit <name> set comment “Default configuration for offloading WiFi traffic.” set ips-sensor “wifi-default” set application-list “wifi-default” set antivirus-profile “wifi-default” set webfilter-profile “wifi-default”

set firewall-profile-protocol-options “wifi-default” set firewall-ssl-ssh-profile “wifi-default”

next

end

config wireless-controller vap edit <name> set utm-profile

end

end

DHCP snooping and option 82 (circuit -id) options for wireless access points

New commands are available to enable or disable (by default) DHCP 82 option insertion for wireless access points. DHCP snooping is used to prevent rogue DHCP servers from offering IP addresses to DHCP clients.

Syntax

config wireless-controll vap edit wifi set dhcp-option82-insertion {enable | disable}

set dhcp-option82-circuit-id-insertion {style-1 | style-2 | disable}

DHCP snooping and option 82 (circuit -id) options for wireless access points

set dhcp-option82-remote-id-insertion {style-1 | disable}

next end

Access point deployment

Access point deployment

Overview

FortiAP units discover WiFi controllers. The administrator of the WiFi controller authorizes the FortiAP units that the controller will manage.

In most cases, FortiAP units can find WiFi controllers through the wired Ethernet without any special configuration. Review the following section, Access point deployment on page 55, to make sure that your method of connecting the FortiAP unit to the WiFi controller is valid. Then, you are ready to follow the procedures in Access point deployment on page 55.

If your FortiAP units are unable to find the WiFi controller, refer to Access point deployment on page 55 for detailed information about the FortiAP unit’s controller discovery methods and how you can configure them.

Network topology for managed APs

The FortiAP unit can be connected to the FortiGate unit in any of the following ways:

Direct connection: The FortiAP unit is directly connected to the FortiGate unit with no switches between them.

This configuration is common for locations where the number of FortiAP’s matches up with the number of

‘internal’ ports available on the FortiGate. In this configuration the FortiAP unit requests an IP address from the FortiGate unit, enters discovery mode and should quickly find the FortiGate WiFi controller. This is also known as a wirecloset deployment. See “Wirecloset and Gateway deployments” below.

 

Wirecloset deployment

Switched Connection: The FortiAP unit is connected to the FortiGate WiFi controller by an Ethernet switch operating in L2 switching mode or L3 routing mode. There must be a routable path between the FortiAP unit and the FortiGate unit and ports 5246 and 5247 must be open. This is also known as a gateway deployment. See Gateway Deployment below.

Gateway Deployment

Network topology for managed

Connection over WAN: The FortiGate WiFi controller is off-premises and connected by a VPN tunnel to a local FortiGate. In this method of connectivity its best to configure each FortiAP with the static IP address of the WiFi controller. Each FortiAP can be configured with three WiFi controller IP addresses for redundant failover. This is also known as a datacenter remote management deployment. See Remote deployment below.

Remote deployment

FortiAP-S Open Ports

FortiAP-S Open Ports

FortiAP-S Open Ports

Outgoing Ports

Purpose

Protocol/Port
FortiGuard FortiGuard Queries UDP/53, UDP/8888
Syslog, OFTP, Registration, Quarantine, Log & Report TCP/514
Event Logs UDP/5246*

* – Only FortiAP models, not FortiAP-S.

Incoming Ports

Purpose

Protocol/Port
FortiClient SSO Mobility Agent, FSSO TCP/8001
FortiGate LDAP, PKI Authentication TCP or UDP/389
RADIUS UDP/1812
FSSO TCP/8000

Reference

Reference

This chapter provides some reference information pertaining to wireless networks.

FortiAP web-based manager

Wireless radio channels

WiFi event types

FortiAP CLI

FortiAP web-based manager

FortiAP web-based manager

You can access the FortiAP unit’s built-in web-based manager. This is useful to adjust settings that are not available through the FortiGate unit’s WiFi Controller. Logging into the FortiAP web-based manager is similar to logging into the FortiGate web-based manager.

System Information

Status

The Status section provides information about the FortiAP unit.

You can:

  • Select Change to change the Host Name. l Select Update in Firmware Version to upload a new FortiAP firmware file from your computer.
  • Select Change Password to change the administrator password. l Select Backup to save the current FortiAP configuration as a file on your computer. l Select Restore to load a configuration into your FortiAP unit from a file on your computer.

Network Configuration

Select DHCP or select Static and specify the IP address, netmask, and gateway IP address. Administrative Access settings affect access after the FortiAP has been authorized. By default, HTTP access needed to access the FortiAP web-based manager is enabled, but Telnet access is not enabled.

Connectivity

These settings determine how the FortiAP unit connects to the FortiGate WiFi controller.

FortiAP web-based manager

Uplink Ethernet – wired connection to the FortiGate unit (default)

Mesh – WiFi mesh connection

Ethernet with mesh backup support

Mesh AP SSID Enter the SSID of the mesh root. Default: fortinet.mesh.root
Mesh AP Password Enter password for the mesh SSID.
Ethernet Bridge Bridge the mesh SSID to the FortiAP Ethernet port.

This is available only whe Uplink is Mesh.

WTP Configuration

AC Discovery Type settings affect how the FortiAP unit discovers a FortiGate WiFi controller. By default, this is set to Auto which causes the FortiAP unit to cycle through all of the discovery methods until successful. For more information see Controller discovery methods.

AC Discovery Type Static, DHCP, DNS, Broadcast, Multicast, Auto
AC Control Port Default port is 5246.
AC IP Address 1

AC IP Address 2

AC IP Address 3

You enter up to three WiFi controller IP addresses for static discovery. Routing must be properly configured in both directions.
AC Host Name 1

AC Host Name 2

AC Host Name 3

As an alternetive to AC IP addresses, you can enter their fully qualified domain names (FQDNs).
AC Discovery

Multicast

Address

224.0.1.140
AC Discovery

DHCP Option

Code

When using DHCP discovery, you can configure the DHCP server to provide the controller address. By default the FortiAP unit expects this in option 138.

AC Data Channel Security by default accepts either DTLS-encrypted or clear text data communication with the WiFi controller. You can change this setting to require encryption or to use clear text only.

Wireless Information

The Wireless Information page provides current information about the operation of the radios and the type Uplink in use.

Wireless radio channels

Wireless radio channels

IEEE 802.11a/n channels

The following table lists the channels supported on FortiWiFi products that support the IEEE 802.11a and 802.11n wireless standards. 802.11a is available on FortiWiFi models 60B and higher. 802.11n is available on FortiWiFi models 80CM and higher.

All channels are restricted to indoor usage except in the Americas, where both indoor and outdoor use is permitted on channels 52 through 64 in the United States.

IEEE 802.11a/n (5-GHz Band) channel numbers

Channel number Frequency (MHz) Regulatory Areas

Americas Europe

Taiwan Singapore Japan
34 5170
36 5180          •               •
38 5190
40 5200          •               •           •                •
42 5210
44 5220          •               •           •                •
46 5230
48 5240          •               •           •                •
149 5745
153 5765
157 5785
161 5805
165 5825

IEEE 802.11b/g/n channel numbers

The following table lists IEEE 802.11b/g/n channels. All FortiWiFi units support 802.11b and 802.11g. Newer models also support 802.11n.

Wireless radio channels

Mexico is included in the Americas regulatory domain. Channels 1 through 8 are for indoor use only. Channels 9 through 11 can be used indoors and outdoors. You must make sure that the channel number complies with the regulatory standards of Mexico.

IEEE 802.11b/g/n (2.4-GHz Band) channel numbers
Channel number Frequency (MHz) Regulatory Areas

Americas EMEA

Israel Japan
1 2412          •                   • indoor
2 2417          •                   • indoor
3 2422          •                   • indoor
4 2427          •                   • indoor
5 2432          •                   •
6 2437          •                   •
7 2442          •                   •
8 2447          •                   •
9 2452          •                   •
10 2457          •                   •
11 2462          •                   •
12 2467
13 2472
14 2484 b only

View all Country & Regcodes/Regulatory Domains

The following CLI command can be entered to view a list of the Country & Regcodes/Regulatory Domains supported by Fortinet:

cw_diag -c all-countries

Below is a table showing a sample of the list displayed by entering this command:

Country-code Region-code Domain ISO-name Name
0                      A                    FCC3 & FCCA                      NA             NO_COUNTRY_SET

WiFi event types

Country-code Region-code Domain ISO-name Name
8                        W                   NULL1 & WORLD AL              ALBANIA
12                      W                   NULL1 & WORLD DZ              ALGERIA
16                      A                    FCC3 & FCCA AS              AMERICAN SAMOA
              …                    …                               …         …                             …

WiFi event types

Event type Description
rogue-ap-detected A rogue AP has been detected (generic).
rogue-ap-off-air A rogue AP is no longer detected on the RF side.
rogue-ap-on-wire A rogue AP has been detected on wire side (connected to AP or controller L2 network).
rogue-ap-off-wire A rogue AP is no longer detected on wire.
rogue-ap-on-air A rogue AP has been detected on the RF side.
fake-ap-detected A rogue AP broadcasting on the same SSIDs that you have in your managed APs has been detected.
fake-ap-on-air The above fake AP was detected on the RF side.

FortiAP CLI

The FortiAP CLI controls radio and network operation through the use of variables manipulated with the cfg command. There are also diagnostic commands.

The cfg command include the following

cfg -s List variables.
cfg -a var=value Add or change a variable value.
cfg -c Commit the change to flash.
cfg -x Reset settings to factory defaults.

 

cfg -r var Remove variable.
cfg -e Export variables.
cfg -h Display help for all commands.

The configuration variables are:

Var Description and Values
AC_CTL_PORT WiFi Controller control (CAPWAP) port. Default 5246.
AC_DATA_CHAN_SEC Data channel security.

0 – Clear text

1 – DTLS (encrypted)

2 – Accept either DTLS or clear text (default)

AC_DISCOVERY_TYPE 1 – Static. Specify WiFi Controllers

2 – DHCP

3 – DNS

5 – Broadcast

6 – Multicast

0 – Cycle through all of the discovery types until successful.

AP_IPADDR

AP_NETMASK

IPGW

These variables set the FortiAP unit IP address, netmask and default gateway when ADDR_MODE is STATIC.

Default 192.168.1.2 255.255.255.0, gateway 192.168.1.1.

AC_HOSTNAME_1

AC_HOSTNAME_2

AC_HOSTNAME_3

WiFi Controller host names for static discovery.
AC_IPADDR_1

AC_IPADDR_2

AC_IPADDR_3

WiFi Controller IP addresses for static discovery.
AC_DISCOVERY_DHCP_OPTION_CODE Option code for DHCP server. Default 138.
AC_DISCOVERY_MC_ADDR Multicast address for controller discovery. Default 224.0.1.140.

 

Var Description and Values
ADDR_MODE How the FortiAP unit obtains its IP address and netmask.

DHCP – FortiGate interface assigns address.

STATIC – Specify in AP_IPADDR and AP_NETMASK.

Default is DHCP.

ADMIN_TIMEOUT Administrative timeout in minutes. Applies to Telnet and web-based manager sessions. Default is 5 minutes.
AP_MGMT_VLAN_ID Non-zero value applies VLAN ID for unit management.

Default: 0.

AP_MODE FortiAP operating mode.

0 – Thin AP (default)

2 – Unmanaged Site Survey mode. See SURVEY variables.

BAUD_RATE Console data rate: 9600, 19200, 38400, 57600, or 115200 baud.
DNS_SERVER DNS Server for clients. If ADDR_MODE is DHCP the DNS server is automatically assigned.
FIRMWARE_UPGRADE Default is 0.
HTTP_ALLOW Access to FortiAP web-based manager 1 – Yes (default), 0 – No.
LED_STATE Enable/disable status LEDs.

0 – LEDs enabled, 1 – LEDs disabled, 2 – follow AC setting.

LOGIN_PASSWD Administrator login password. By default this is empty.
STP_MODE Spanning Tree Protocol. 0 is off. 1 is on.
TELNET_ALLOW By default (value 0), Telnet access is closed when the FortiAP unit is authorized. Set value to 1 to keep Telnet always available.
WTP_LOCATION Optional string describing AP location.
Mesh variables

 

Var Description and Values
MESH_AP_BGSCAN Enable or disable background mesh root AP scan.

0 – Disabled

1 – Enabled

MESH_AP_BGSCAN_RSSI If the root AP’s signal is weak, and lower than the received signal strength indicator (RSSI) threshold, the WiFi driver will immediately start a new round scan and ignore the configured MESH_AP_BGSCAN_PERIOD delays. Set the value between 0-127.

After the new round scan is finished, a scan done event is passed to wtp daemon to trigger roaming.

MESH_AP_BGSCAN_PERIOD Time in seconds that a delay period occurs between scans. Set the value between 1-3600.
MESH_AP_BGSCAN_IDLE Time in milliseconds. Set the value between 0-1000.
MESH_AP_BGSCAN_INTV Time in milliseconds between channel scans. Set the value between 200-16000.
MESH_AP_BGSCAN_DUR Time in milliseconds that the radio will continue scanning the channel. Set the value between 10-200.
MESH_AP_SCANCHANLIST Specify those channels to be scanned.
MESH_AP_TYPE Type of communication for backhaul to controller:

0 – Ethernet (default)

1 – WiFi mesh

2 – Ethernet with mesh backup support

MESH_AP_SSID SSID for mesh backhaul. Default: fortinet.mesh.root
MESH_AP_BSSID WiFi MAC address
MESH_AP_PASSWD Pre-shared key for mesh backhaul.
MESH_ETH_BRIDGE 1 – Bridge mesh WiFi SSID to FortiAP Ethernet port. This can be used for point-to-point bridge configuration. This is available only when MESH_AP_TYPE =1.

0 – No WiFi-Ethernet bridge (default).

Var                                                                 Description and Values
MESH_MAX_HOPS                      Maximum number of times packets can be passed from node to node on the mesh. Default is 4.
The following factors are summed and the FortiAP associates with the lowest scoring mesh AP.
MESH_SCORE_HOP_WEIGHT                Multiplier for number of mesh hops from root. Default 50.
MESH_SCORE_CHAN_WEIGHT              AP total RSSI multiplier. Default 1.
MESH_SCORE_RATE_WEIGHT              Beacon data rate multiplier. Default 1.
 Band weight (0 for 2.4GHz, 1 for 5GHz) multiplier. Default

MESH_SCORE_BAND_WEIGHT

100.

MESH_SCORE_RSSI_WEIGHT              AP channel RSSI multiplier. Default 100.
Survey variables
SURVEY_SSID                        SSID to broadcast in site survey mode (AP_MODE=2).
SURVEY_TX_POWER                     Transmitter power in site survey mode (AP_MODE=2).
SURVEY_CH_24                        Site survey transmit channel for the 2.4Ghz band (default

6).

Site survey transmit channel for the 5Ghz band (default

SURVEY_CH_50

36).

SURVEY_BEACON_INTV                  Site survey beacon interval. Default 100msec.
cw_diag help Display help for all diagnose commands.
cw_diag uptime Show daemon uptime.
cw_diag –tlog <on|off> Turn on/off telnet log message.
cw_diag –clog <on|off> Turn on/off console log message.
cw_diag 38400 | baudrate [9600 | 19200 | 57600 | 115200] Set the console baud rate.

Previously, FortiAP accepted Telnet and HTTP connection to any virtual interfaces that have an IP address. For security reasons, Telnet and HTTP access are now limited to br0 or br.vlan for AP_MGMT_VLAN_ID.

Diagnose commands include:

 

cw_diag plain-ctl [0|1] Show or change current plain control setting.
cw_diag sniff-cfg ip port Set sniff server ip and port.
cw_diag sniff [0|1|2] Enable/disable sniff packet.
cw_diag stats wl_intf Show wl_intf status.
cw_diag admin-timeout [30] Set shell idle timeout in minutes.
cw_diag -c wtp-cfg Show current wtp config parameters in control plane.
cw_diag -c radio-cfg Show current radio config parameters in control plane.
cw_diag -c vap-cfg Show current vaps in control plane.
cw_diag -c ap-rogue Show rogue APs pushed by AC for on-wire scan.
cw_diag -c sta-rogue Show rogue STAs pushed by AC for on-wire scan.
cw_diag -c arp-req Show scanned arp requests.
cw_diag -c ap-scan Show scanned APs.
cw_diag -c sta-scan Show scanned STAs.
cw_diag -c sta-cap Show scanned STA capabilities.
cw_diag -c wids Show scanned WIDS detections.
cw_diag -c darrp Show darrp radio channel.
cw_diag -c mesh Show mesh status.
cw_diag -c mesh-veth-acinfo Show mesh veth ac info, and mesh ether type.
cw_diag -c mesh-veth-vap Show mesh veth vap.
cw_diag -c mesh-veth-host Show mesh veth host.
cw_diag -c mesh-ap Show mesh ap candidates.
cw_diag -c scan-clr-all Flush all scanned AP/STA/ARPs.
cw_diag -c ap-suppress Show suppressed APs.
cw_diag -c sta-deauth De-authenticate an STA.

Link aggregation can also be set in the CLI. Link aggregation is used to combine multiple network connections in parallel in order to increase throughput beyond what a single connection could sustain.

  • FortiAP 320B and 320C models are supported. l FortiAP 112B and 112D models cannot support link aggregation.
  • NPI FAP-S3xxCR and “wave2” FAP/FAP-S models will have link aggregation feature via synchronization with regular FortiAP trunk build.