Captive portals

A captive portal is a convenient way to authenticate web users on wired or WiFi networks.

This section describes:

  • Introduction to Captive portals
  • Configuring a captive portal
  • Customizing captive portal pages
  • Configuration example – Captive portal WiFi access control

Introduction to Captive portals

You can authenticate your users on a web page that requests the user’s name and password. Until the user authenticates successfully, the authentication page is returned in response to any HTTP request. This is called a captive portal.

After successful authentication, the user is sent on to the requested URL and can access other web resources, as permitted by security policies. Optionally, the captive portal itself can allow web access only to members of a specified user group.

The captive portal can be hosted on the FortiGate unit or on an external authentication server. You can configure captive portal authentication on any network interface, including WiFi and VLAN interfaces.

When a captive portal is configured on a WiFi interface, the access point initially appears open. The wireless client can connect to the access point with no security credentials, but sees only the captive portal authentication page. Because the SSID is open there is no link-layer encryption: after authentication the user's traffic is protected only by whatever the applications themselves use (TLS, for example), so a captive portal controls who gets access but does not by itself protect wireless traffic from eavesdropping.

WiFi captive portal types:

  • Authentication — until the user enters valid credentials, no communication beyond the AP is permitted.
  • Disclaimer + Authentication — immediately after successful authentication, the portal presents the disclaimer page—an acceptable use policy or other legal statement—to which the user must agree before proceeding.
  • Disclaimer Only — the portal presents the disclaimer page—an acceptable use policy or other legal statement— to which the user must agree before proceeding. The authentication page is not presented.
  • Email Collection — the portal presents a page requesting the user’s email address, for the purpose of contacting the person in future. This is often used by businesses who provide free WiFi access to their customers. The authentication page is not presented.

Configuring a captive portal

Captive portals are configured on network interfaces. A WiFi interface does not exist until the WiFi SSID is created. You can configure a WiFi captive portal at the time that you create the SSID. Afterwards, the captive portal settings will also be available by editing the WiFi network interface in System > Network > Interfaces. On a physical (wired) network interface, you edit the interface configuration in System > Network > Interfaces and set Security Mode to Captive Portal.

To configure a WiFi Captive Portal – web-based manager:

  1. Go to WiFi Controller > WiFi Network > SSID and create your SSID.

If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in System > Network > Interfaces.

  2. In Security Mode, select Captive Portal.
  3. Enter the following settings:

Portal Type: The portal can provide authentication and/or a disclaimer, or collect user email addresses. See Introduction to Captive portals.

Authentication Portal: Local – portal hosted on the FortiGate unit. Remote – enter the FQDN or IP address of the external portal.

User Groups: Select the permitted user groups.

Exempt List: Select exempt lists whose members will not be subject to captive portal authentication.

Customize Portal Messages: Click the link of the portal page that you want to modify. See Customizing captive portal pages.

  4. Select OK.

To configure a wired Captive Portal – web-based manager:

  1. Go to System > Network > Interfaces and edit the interface to which the users connect.
  2. In Security Mode select Captive Portal.
  3. Enter the following settings:

Authentication Portal: Local – portal hosted on the FortiGate unit. Remote – enter the FQDN or IP address of the external portal.

User Groups: Select the permitted user groups, or select Use Groups from Policies, which permits the groups specified in the security policy. Use Groups from Policies is not available in WiFi captive portals.

Exempt List: Select exempt lists whose members will not be subject to captive portal authentication.

Customize Portal Messages: Enable, then select Edit. See Customizing captive portal pages.

  4. Select OK.

Exemption from the captive portal

A captive portal requires all users on the interface to authenticate, but some devices are not able to authenticate. You can create an exemption list of these devices. For example, a printer might need to access the Internet for firmware upgrades. Using the CLI, you can create an exemption list that exempts all printers from authentication. Keep in mind that device identification relies on what the client presents on the network (its MAC address and traffic fingerprint), which another host on the same segment can imitate, so keep the exempt list small and pair it with security policies that allow exempt devices only the destinations they need.

    config user security-exempt-list
        edit r_exempt
            config rule
                edit 1
                    set devices printer
                next
            end
        next
    end
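
The flow described in this chapter so far, as a small Python state machine. This is an added example, not FortiOS code: the gate returns the portal redirect for every HTTP request until the client has completed whatever the portal type requires, exempt device types bypass the gate, the challenge is sent to an HTTPS URL, and the first URL the client asked for is replayed once the user is through. The MAC-keyed sessions, the device-type table, the local user store and the portal URL are all constructed for the example.

```python
"""Captive-portal gating as a state machine (added example, not FortiOS code)."""
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Optional

# Hypothetical portal address; the challenge is always redirected to HTTPS.
PORTAL_URL = "https://portal.example.net/login"

# Constructed device identification table standing in for device detection.
DEVICE_TYPES: Dict[str, str] = {
    "00:11:22:aa:bb:01": "printer",
    "00:11:22:aa:bb:02": "laptop",
}


class PortalType(Enum):
    AUTHENTICATION = "authentication"
    DISCLAIMER_AUTHENTICATION = "disclaimer+authentication"
    DISCLAIMER_ONLY = "disclaimer"
    EMAIL_COLLECTION = "email"


@dataclass
class Session:
    authenticated: bool = False
    accepted_disclaimer: bool = False
    email: Optional[str] = None
    original_url: Optional[str] = None  # first URL requested, replayed at the end


class CaptivePortal:
    def __init__(self, portal_type: PortalType, users: Dict[str, str],
                 exempt_device_types: Iterable[str] = ()):
        self.portal_type = portal_type
        self.users = users  # constructed local user store (username -> password)
        self.exempt = set(exempt_device_types)
        self.sessions: Dict[str, Session] = {}  # keyed by client MAC

    def _session(self, mac: str) -> Session:
        return self.sessions.setdefault(mac, Session())

    def _satisfied(self, s: Session) -> bool:
        """Has the client completed everything this portal type requires?"""
        if self.portal_type is PortalType.AUTHENTICATION:
            return s.authenticated
        if self.portal_type is PortalType.DISCLAIMER_AUTHENTICATION:
            return s.authenticated and s.accepted_disclaimer
        if self.portal_type is PortalType.DISCLAIMER_ONLY:
            return s.accepted_disclaimer
        return s.email is not None

    def _next_page(self, s: Session) -> str:
        """What the client should see after completing a portal step."""
        if self._satisfied(s):
            return f"REDIRECT {s.original_url or 'http://example.net/'}"
        return "LOGIN" if not s.authenticated else "DISCLAIMER"

    def handle_http(self, mac: str, url: str) -> str:
        """Gate a plain-HTTP request: 'ALLOW' or 'REDIRECT <portal url>'."""
        if DEVICE_TYPES.get(mac) in self.exempt:
            return "ALLOW"  # exempt device type, e.g. a printer fetching firmware
        s = self._session(mac)
        if self._satisfied(s):
            return "ALLOW"
        if s.original_url is None:
            s.original_url = url
        return f"REDIRECT {PORTAL_URL}"  # challenge goes to HTTPS, never a cleartext form

    def login(self, mac: str, username: str, password: str) -> str:
        if self.portal_type not in (PortalType.AUTHENTICATION,
                                    PortalType.DISCLAIMER_AUTHENTICATION):
            return "LOGIN_NOT_REQUIRED"
        expected = self.users.get(username)
        # Constant-time compare; a real portal would verify a hash or ask RADIUS.
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return "LOGIN_FAILED"  # the login-failed page re-presents the form
        s = self._session(mac)
        s.authenticated = True
        return self._next_page(s)

    def accept_disclaimer(self, mac: str) -> str:
        s = self._session(mac)
        if self.portal_type is PortalType.DISCLAIMER_AUTHENTICATION and not s.authenticated:
            return "LOGIN"  # the disclaimer is only offered after authentication
        s.accepted_disclaimer = True
        return self._next_page(s)

    def decline_disclaimer(self, mac: str) -> str:
        self._session(mac).accepted_disclaimer = False
        return "DECLINED"  # access stays denied until the user agrees

    def submit_email(self, mac: str, email: str) -> str:
        if self.portal_type is not PortalType.EMAIL_COLLECTION:
            return "EMAIL_NOT_REQUIRED"
        s = self._session(mac)
        s.email = email
        return self._next_page(s)
```

The exempt check runs before any session state is consulted, which mirrors the FortiOS behaviour of never presenting the portal to exempt devices; it is also why the exempt list should stay short, since anything matching it is trusted without a login.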

Customizing captive portal pages

These pages are defined in replacement messages. Defaults are provided. In the web-based manager, you can modify the default messages in the SSID configuration by selecting Customize Portal Messages. Each SSID can have its own unique portal content.

The captive portal contains the following default web pages:

  • Login page—requests user credentials.

Typical modifications for this page would be to change the logo and modify some of the text. Keep images and styles inline or hosted on the FortiGate itself: an unauthenticated client cannot reach the Internet yet, so references to external scripts, fonts or images will not load.

You can change any text that is not part of the HTML code nor a special tag enclosed in double percent (%) characters.

There is an exception to this rule. The line “Please enter your credentials to continue” is provided by the %%QUESTION%% tag. You can replace this tag with text of your choice. Except for this item, you should not remove any tags because they may carry information that the FortiGate unit needs.

  • Login failed page—reports that the entered credentials were incorrect and enables the user to try again.

The Login failed page is similar to the Login page. It even contains the same login form. You can change any text that is not part of the HTML code nor a special tag enclosed in double percent (%) characters.

There is an exception to this rule. The line “Firewall authentication failed. Please try again.” is provided by the %%FAILED_MESSAGE%% tag. You can replace this tag with text of your choice. Except for this item, you should not remove any tags because they may carry information that the FortiGate unit needs.

  • Disclaimer page—is a statement of the legal responsibilities of the user and the host organization to which the user must agree before proceeding. (WiFi or SSL VPN only)

  • Declined disclaimer page—is displayed if the user does not agree to the statement on the Disclaimer page. Access is denied until the user agrees to the disclaimer.

Changing images in portal messages

You can replace the default Fortinet logo with your organization’s logo. First, import the logo file into the FortiGate unit and then modify the Login page code to reference your file.

To import a logo file:

  1. Go to System > Config > Replacement Messages and select Manage Images.
  2. Select Create New.
  3. Enter a Name for the logo and select the appropriate Content Type. The file must not exceed 24 kilobytes.
  4. Select Browse, find your logo file and then select Open.
  5. Select OK.

To specify the new logo in the replacement message:

  1. Go to System > Network > Interfaces and edit the interface. The Security Mode must be Captive Portal.
  2. Select the portal message to edit.
    • In SSL VPN or WiFi interfaces, in Customize Portal Messages click the link to the portal messages that you want to edit.
    • In other interfaces, make sure that Customize Portal Messages is selected, select the adjacent Edit icon, then select the message that you want to edit.
  3. In the HTML message text, find the %%IMAGE tag. By default it specifies the Fortinet logo: %%IMAGE:logo_fw_auth%%
  4. Change the image name to the one you provided for your logo. The tag should now read, for example, %%IMAGE:mylogo%%
  5. Select Save.
  6. Select OK.

Modifying text in portal messages

Generally, you can change any text that is not part of the HTML code nor a special tag enclosed in double percent (%) characters. You should not remove any tags because they may carry information that the FortiGate unit needs. See the preceding section for any exceptions to this rule for particular pages.

To modify portal page text

  1. Go to System > Network > Interfaces and edit the interface. The SSID Security Mode must be Captive Portal.
  2. Select the portal message to edit.
    • In SSL VPN or WiFi interfaces, in Customize Portal Messages click the link to the portal messages that you want to edit.
    • In other interfaces, make sure that Customize Portal Messages is selected, select the adjacent Edit icon, then select the message that you want to edit.
  3. Edit the HTML message text, then select Save.
  4. Select OK.

Configuring disclaimer page for ethernet interface captive portals

You can customize a disclaimer page for wired (Ethernet) captive portals as well as for WiFi ones. For wired interfaces, however, this can only be configured in the CLI, and only when no user groups are configured.

When configuring a captive portal through the CLI, you may set security-groups to a specific user group. With that configuration, users who connect are shown an authentication form, not a disclaimer page. If you do not set any security-groups, an “Allow all” status is in effect and the disclaimer page is displayed to users.

The example CLI configuration below sets up a captive portal interface without security-groups, so users see the disclaimer page:

    config system interface
        edit "port1"
            set vdom "root"
            set ip 172.16.101.1 255.255.255.0
            set allowaccess ping https ssh snmp http
            set type physical
            set explicit-web-proxy enable
            set alias "LAN"
            set security-mode captive-portal
            set snmp-index 1
        next
    end

Note that allowaccess controls administrative access to the FortiGate on this interface, and the example permits http and ssh on the same interface that unauthenticated portal users connect to. On a production deployment, allow only the management protocols you actually need on a user-facing interface.

Roaming support

Client devices can maintain captive portal authentication as they roam across different APs. Because the authentication state follows the client, access to latency-sensitive applications such as VoIP is not interrupted by a new login.

 

The Cloud pushes a random per-AP Network encryption key to the AP. The key is 32 bytes in length and is used in captive portal fast roaming. All APs of an AP Network use the same encryption key. This key is randomly generated and is updated daily.

Configuration example – Captive portal WiFi access control

In this scenario, you will configure the FortiGate for captive portal access so users can log on to your WiFi network.

You will create a user account (rgreen), add it to a user group (employees), create a captive portal SSID (example-staff), and configure a FortiAP unit. When the user attempts to browse the Internet, they will be redirected to the captive portal login page and asked to enter their username and password.

1. Enabling HTTPS authentication

Go to User & Device > Authentication Settings.

Under Protocol Support, enable Redirect HTTP Challenge to a Secure Channel (HTTPS). With this enabled, a client intercepted on plain HTTP is redirected to an HTTPS login page, so the credentials it submits are protected by TLS instead of crossing an open wireless network in clear text. Make sure the certificate the FortiGate presents for the portal is trusted by your clients; otherwise users see a certificate warning at every login and learn to click through it.

2. Creating the user

Go to User & Device > User Definition and create a Local user (rgreen).

Create additional users if needed, and assign any authentication methods.

3. Creating the user group

Go to User & Device > User Groups and create a user group (employees).

Add rgreen to the group.

4. Creating the SSID

Go to WiFi & Switch Controller > SSID and configure the wireless network.

On FortiGate models without switch controller support, the GUI path is WiFi Controller > SSID.

Enter an Interface Name (example-wifi) and IP/Network Mask.

An address range under DHCP Server will be automatically configured.

Under WiFi Settings, enter an SSID name (example-staff), set Security Mode to Captive Portal, and add the employees user group.

5. Creating the security policy

Go to Policy & Objects > Addresses and create a new address for the SSID (example-wifi-net).

Set Subnet/IP Range to the same range set on the DHCP server in the previous step.

Set Interface to the SSID interface.

Go to Policy & Objects > IPv4 Policy and create a new policy for WiFi users to connect to the Internet.

Add both the example-wifi-net address and employees user group to Source.

6. Connecting and authorizing the FortiAP

Go to Network > Interfaces and edit an available interface.

Under Address, set Addressing mode to Dedicated to Extension Device and assign it an IP address.

Connect the FortiAP unit to the configured interface, then go to WiFi & Switch Controller > Managed FortiAPs.

The FortiAP is listed, but its State shows a greyed-out question mark — this is because it is waiting for authorization.

Highlight the FortiAP and select Authorize.

The question mark is now replaced by a red down-arrow — this is because it is authorized, but still offline.

Go to WiFi & Switch Controller > FortiAP Profiles and edit the profile.

For each radio, enable Radio Resource Provision and select your SSID.

Go back to WiFi & Switch Controller > Managed FortiAPs to verify that the FortiAP unit is online.

7. Results

When a user attempts to connect to the wireless network, they will be redirected to the captive portal login screen.

Members of the employees group must enter their Username and Password. The user will then be redirected to the URL originally requested.

On the FortiGate, go to Monitor > WiFi Client Monitor to verify that the user is authenticated.

 

Introduction to wireless networking

This chapter introduces some concepts you should understand before working with wireless networks, describes Fortinet’s wireless equipment, and then describes the factors you need to consider in planning deployment of a wireless network.

  • Wireless concepts
  • Security
  • Authentication
  • Wireless networking equipment
  • Automatic Radio Resource Provisioning

Wireless concepts

Wireless networking is radio technology, subject to the same characteristics and limitations as the familiar audio and video radio communications. Various techniques are used to modulate the radio signal with a data stream.

Bands and channels

The channels available to you depend on the wireless protocol selected and on the regulatory region you are in.

  • IEEE 802.11b and g protocols provide up to 14 channels in the 2.400–2.500 GHz Industrial, Scientific and Medical (ISM) band.
  • IEEE 802.11a and n protocols provide up to 16 channels in portions of the Unlicensed National Information Infrastructure (U-NII) band (5.150–5.250, 5.250–5.350 and 5.725–5.875 GHz).

Note that the width of these channels exceeds the spacing between the channels. This means that there is some overlap, creating the possibility of interference from adjacent channels, although less severe than interference on the same channel. Truly non-overlapping operation requires the use of every fourth or fifth channel, for example ISM channels 1, 6 and 11.
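
Channel overlap follows directly from the channel centre frequencies. The Python below is an added example, not from the page: it encodes the 2.4 GHz channel plan, tests whether two channels share spectrum for a given channel width, and picks a non-overlapping set. With 22 MHz (802.11b DSSS) widths it arrives at 1/6/11; with 20 MHz (802.11g/n OFDM) widths it arrives at every fourth channel, which is the "fourth or fifth channel" rule above. The channel widths and the greedy lowest-first selection are the example's own choices.

```python
"""2.4 GHz channel overlap checks (added example, not from the page)."""
from itertools import combinations
from typing import Iterable, List, Tuple


def centre_mhz(channel: int) -> int:
    """IEEE 802.11 2.4 GHz centres: 2412 MHz + 5 MHz per channel, channel 14 at 2484."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2412 + 5 * (channel - 1)
    raise ValueError(f"no such 2.4 GHz channel: {channel}")


def occupied_band(channel: int, width_mhz: float) -> Tuple[float, float]:
    """Lower and upper edge of the spectrum a channel occupies at the given width."""
    centre = centre_mhz(channel)
    return centre - width_mhz / 2, centre + width_mhz / 2


def overlaps(a: int, b: int, width_mhz: float = 22) -> bool:
    """True if the two channels' occupied bands share any spectrum.

    22 MHz is the 802.11b DSSS mask; 20 MHz fits 802.11g/n OFDM, where the
    edges of every fourth channel exactly touch and count as non-overlapping.
    """
    lo_a, hi_a = occupied_band(a, width_mhz)
    lo_b, hi_b = occupied_band(b, width_mhz)
    return lo_a < hi_b and lo_b < hi_a


def is_non_overlapping_plan(channels: Iterable[int], width_mhz: float = 22) -> bool:
    """Check an AP channel plan: no pair of channels may overlap."""
    return all(not overlaps(a, b, width_mhz)
               for a, b in combinations(list(channels), 2))


def max_non_overlapping(width_mhz: float = 22,
                        available: Iterable[int] = range(1, 14)) -> List[int]:
    """Greedy lowest-channel-first selection of a non-overlapping channel set."""
    chosen: List[int] = []
    for channel in available:
        if all(not overlaps(channel, c, width_mhz) for c in chosen):
            chosen.append(channel)
    return chosen


if __name__ == "__main__":
    print("22 MHz plan:", max_non_overlapping(22))
    print("20 MHz plan:", max_non_overlapping(20))
    print("with channel 14:", max_non_overlapping(22, range(1, 15)))
```

Passing the regulatory channel list as `available` reproduces the Geography/country restriction mentioned below: channel 14, for instance, only enters the plan where it is permitted.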

The capabilities of your wireless clients are the deciding factor in your choice of wireless protocol. If your clients support it, 5GHz protocols have some advantages. The 5GHz band is less used than 2.4GHz, and its shorter wavelengths have a shorter range and penetrate obstacles less. All of these factors mean less interference from other access points, including your own.

When configuring your WAP, be sure to correctly select the Geography setting to ensure that you have access only to the channels permitted for WiFi use in your part of the world.

For detailed information about the channel assignments for wireless networks for each supported wireless protocol, see the Reference section.

Power

Wireless LANs operate on frequencies that require no license but are limited by regulations to low power. As with other unlicensed radio operations, the regulations provide no protection against interference from other users who are in compliance with the regulations.

Power is often quoted in dBm. This is the power level in decibels compared to one milliwatt. 0dBm is one milliwatt, 10dBm is 10 milliwatts, 27dBm, the maximum power on Fortinet FortiAP equipment, is 500 milliwatts. The FortiGate unit limits the actual power available to the maximum permitted in your region as selected by the WiFi controller country setting.

Received signal strength is almost always quoted in dBm because the received power is very small. The numbers are negative because they are less than the one milliwatt reference. A received signal strength of -60dBm is one millionth of a milliwatt or one nanowatt.

Antennas

Transmitted signal strength is a function of transmitter power and antenna gain. Directional antennas concentrate the signal in one direction, providing a stronger signal in that direction than would an omnidirectional antenna.

FortiWiFi units have detachable antennas. However, these units receive regulatory approvals based on the supplied antenna. Changing the antenna might cause your unit to violate radio regulations.

Security

There are several security issues to consider when setting up a wireless network.

Whether to broadcast SSID

It is highly recommended to broadcast the SSID. This makes connection to a wireless network easier because most wireless client applications present the user with a list of network SSIDs currently being received. This is desirable for a public network.

Attempting to obscure the presence of a wireless network by not broadcasting the SSID does not improve network security. The network is still detectable with wireless network “sniffer” software, and clients that have saved a hidden network actively probe for it by name wherever they are, leaking the SSID. Also, many of the latest Broadcom drivers do not support hidden SSID for WPA2.

Encryption

Wireless networking supports the following security modes for protecting wireless communication, listed in order of increasing security.

None — Open system. Any wireless user can connect to the wireless network.

WEP64 — 64-bit Wired Equivalent Privacy (WEP). This encryption requires a key containing 10 hexadecimal digits.

WEP128 — 128-bit WEP. This encryption requires a key containing 26 hexadecimal digits.

WPA — 256-bit WiFi Protected Access (WPA) security. This encryption can use either the TKIP or AES encryption algorithm and requires a key of either 64 hexadecimal digits or a text phrase of 8 to 63 characters. It is also possible to use a RADIUS server to store a separate key for each user.

WPA2 — WPA with security improvements fully meeting the requirements of the IEEE 802.11i standard. Configuration requirements are the same as for WPA.

For best security use WPA2 with AES encryption and a RADIUS server to verify individual credentials for each user. WEP is an old algorithm that is cryptographically broken: its key can be recovered from captured traffic in minutes, so treat a WEP network much as you would an open one. TKIP is also deprecated; choose AES. With WPA or WPA2 pre-shared keys, changing the passphrase on a regular basis further enhances security.

Separate access for employees and guests

Wireless access for guests or customers should be separate from wireless access for your employees. This does not require additional hardware. Both FortiWiFi units and FortiAP units support multiple wireless LANs on the same access point. Each of the two networks can have its own SSID, security settings, firewall policies, and user authentication.

A good practice is to broadcast the SSID for the guest network to make it easily visible to users. Not broadcasting the employee SSID keeps it out of guests' network lists, but, as noted under “Whether to broadcast SSID”, hiding the SSID is not a security control; the employee network must still be protected by WPA2 and authentication.

Two separate wireless networks are possible because multiple virtual APs can be associated with an AP profile. The same physical APs can provide two or more virtual WLANs.

Captive portal

As part of authenticating your users, you might want them to view a web page containing your acceptable use policy or other information. This is called a captive portal. No matter what URL the user initially requested, the portal page is returned. Only after authenticating and agreeing to usage terms can the user access other web resources.

For more information about captive portals, see the Captive portals chapter of the FortiOS Authentication Guide.

Power

Reducing power reduces unwanted coverage and potential interference to other WLANs. Areas of unwanted coverage are a potential security risk. There are people who look for wireless networks and attempt to access them. If your office WLAN is receivable out on the public street, you have created an opportunity for this sort of activity.

Monitoring for rogue APs

It is likely that there are APs available in your location that are not part of your network. Most of these APs belong to neighboring businesses or homes. They may cause some interference, but they are not a security threat. There is a risk that people in your organization could connect unsecured WiFi-equipped devices to your wired network, inadvertently providing access to unauthorized parties. The optional On-Wire Rogue AP Detection Technique compares MAC addresses in the traffic of suspected rogues with the MAC addresses on your network. If wireless traffic to non-Fortinet APs is also seen on the wired network, the AP is a rogue, not an unrelated AP.

Decisions about which APs are rogues are made manually on the Rogue AP monitor page. For detailed information, see Wireless network monitoring.
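
The on-wire correlation described above, as an added Python example that is not Fortinet's implementation: wireless observations (which client MACs were seen talking to which BSSID) are correlated with the MAC table of your own switches, and an AP that is neither one of yours nor isolated from your wire is flagged as a rogue. The switch table layout, the `norm` MAC canonicaliser and all sample addresses are constructed for the example.

```python
"""On-wire rogue AP correlation over constructed observations.

Added example of the technique described above; it is not Fortinet's
implementation. Sample data below is constructed, not captured.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Set


@dataclass(frozen=True)
class WirelessObservation:
    bssid: str       # MAC of the AP radio the frames were heard from
    ssid: str
    client_mac: str  # station seen exchanging data frames with that AP


def norm(mac: str) -> str:
    """Canonical aa:bb:cc:dd:ee:ff form from colon, dash or Cisco dotted notation."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(lines: Iterable[str]) -> Set[str]:
    """Collect MACs from 'show mac address-table' style lines: vlan, mac, type, port.

    That column layout is an assumption of this example; header and blank lines
    are skipped because their first field is not a VLAN number.
    """
    macs: Set[str] = set()
    for line in lines:
        fields = line.split()
        if len(fields) >= 4 and fields[0].isdigit():
            macs.add(norm(fields[1]))
    return macs


def classify_aps(observations: Iterable[WirelessObservation],
                 wired_macs: Set[str],
                 managed_bssids: Iterable[str]) -> Dict[str, str]:
    """Return bssid -> 'managed', 'rogue' or 'unrelated'."""
    managed = {norm(b) for b in managed_bssids}
    clients_by_ap: Dict[str, Set[str]] = {}
    for obs in observations:
        clients_by_ap.setdefault(norm(obs.bssid), set()).add(norm(obs.client_mac))
    verdict: Dict[str, str] = {}
    for bssid, clients in clients_by_ap.items():
        if bssid in managed:
            verdict[bssid] = "managed"
        elif clients & wired_macs:
            # A client of a foreign AP is also seen on our wire, so that AP is
            # bridging into our LAN rather than sitting on a neighbour's network.
            verdict[bssid] = "rogue"
        else:
            verdict[bssid] = "unrelated"
    return verdict


# Constructed switch MAC table (Cisco-like layout) and constructed air observations.
SWITCH_MAC_TABLE = """
Vlan    Mac Address         Type       Ports
10      0050.56aa.0001      DYNAMIC    Gi1/0/1
10      de:ad:be:ef:00:09   DYNAMIC    Gi1/0/7
20      00-11-22-33-44-55   STATIC     Gi1/0/24
""".splitlines()

OBSERVATIONS = [
    WirelessObservation("70:4c:a5:00:00:01", "corp-staff", "de:ad:be:ef:00:02"),
    WirelessObservation("AA:BB:CC:00:00:10", "CoffeeShop", "de:ad:be:ef:00:05"),
    WirelessObservation("11:22:33:00:00:20", "linksys", "de:ad:be:ef:00:09"),
]
MANAGED_BSSIDS = ["70:4c:a5:00:00:01"]  # our own FortiAP radios


def run_example() -> Dict[str, str]:
    return classify_aps(OBSERVATIONS, parse_mac_table(SWITCH_MAC_TABLE), MANAGED_BSSIDS)


if __name__ == "__main__":
    for bssid, verdict in run_example().items():
        print(f"{bssid}  {verdict}")
```

A dual-homed client (plugged into the wire while also associated to a neighbour's AP) leaves the same signature as a bridged rogue, and a rogue with no active clients leaves none; that is one reason the final rogue decision stays manual on the monitor page.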

Suppressing rogue APs

When you have declared an AP to be a rogue, you have the option of suppressing it. To suppress an AP, the FortiGate WiFi controller sends reset packets to the rogue AP. Also, the MAC address of the rogue AP is blocked in the firewall policy. You select the suppression action on the Rogue AP monitor page. Only suppress APs you have confirmed are attached to your own network: actively disrupting a neighbour's legitimate AP can violate radio regulations in some jurisdictions. For more information, see Wireless network monitoring.

Wireless Intrusion Detection (WIDS)

You can create a WIDS profile to enable several types of intrusion detection:

  • Unauthorized Device Detection
  • Rogue/Interfering AP Detection
  • Ad-hoc Network Detection and Containment
  • Wireless Bridge Detection
  • Misconfigured AP Detection
  • Weak WEP Detection
  • Multi Tenancy Protection
  • MAC OUI Checking

For more information, see Protecting the WiFi Network.

Authentication

Wireless networks usually require authenticated access. FortiOS authentication methods apply to wireless networks the same as they do to wired networks because authentication is applied in the firewall policy.

The types of authentication that you might consider include:

  • user accounts stored on the FortiGate unit
  • user accounts managed and verified on an external RADIUS, LDAP or TACACS+ server
  • Windows Active Directory authentication, in which users logged on to a Windows network are transparently authenticated to use the wireless network.

This Wireless chapter of the FortiOS Handbook will provide some information about each type of authentication, but more detailed information is available in the Authentication chapter.

What all of these types of authentication have in common is the use of user groups to specify who is authorized. For each wireless LAN, you will create a user group and add to it the users who can use the WLAN. In the identity-based firewall policies that you create for your wireless LAN, you will specify this user group.

Some access points, including FortiWiFi units, support MAC address filtering. You should not rely on this alone for authentication. MAC addresses can be “sniffed” from wireless traffic and used to impersonate legitimate clients.

Wireless networking equipment

Fortinet produces two types of wireless networking equipment:

  • FortiWiFi units, which are FortiGate units with a built-in wireless access point/client
  • FortiAP units, which are wireless access points that you can control from any FortiGate unit that supports the WiFi Controller feature.

FortiWiFi units

A FortiWiFi unit can operate in one of the following modes:

  • Provide an access point for clients with wireless network cards. This is called Access Point mode, which is the default mode.
  • Connect the FortiWiFi unit to another wireless network. This is called Client mode. A FortiWiFi unit operating in client mode can only have one wireless interface.
  • Monitor access points within radio range. This is called Monitoring mode. You can designate the detected access points as Accepted or Rogue for tracking purposes. No access point or client operation is possible in this mode. But, you can enable monitoring as a background activity while the unit is in Access Point mode.

The Products section of the Fortinet web site (www.fortinet.com) provides detailed information about the FortiWiFi models that are currently available.

FortiAP units

FortiAP units are thin wireless access points that are controlled by either a FortiGate unit or the FortiCloud service.

FortiAP is a family of Indoor, Outdoor and Remote Access Point models supporting the latest single, dual, and triple stream MIMO 802.11ac and 802.11n technology, as well as 802.11g and 802.11a.

For large deployments, some FortiAP models support a mesh mode of operation in which control and data backhaul traffic between APs and the controller are carried on a dedicated WiFi network. Users can roam seamlessly from one AP to another.

In dual-radio models, each radio can function as an AP or as a dedicated monitor. The monitoring function is also available during AP operation, subject to traffic levels.

The Products section of the Fortinet web site (www.fortinet.com) provides detailed information about the FortiAP models that are currently available.

Automatic Radio Resource Provisioning

To prevent interference between APs, the FortiOS WiFi Controller includes the Distributed Automatic Radio Resource Provisioning (DARRP) feature. Through DARRP, each FortiAP unit autonomously and periodically determines the channel that is best suited for wireless communications. This lets FortiAP units select their channels so that they do not interfere with each other in large-scale deployments where multiple access points have overlapping radio ranges.

To enable ARRP – GUI

  1. Go to WiFi Controller > FortiAP Profiles and edit the profile for your device.
  2. In the Radio sections (Radio 1, Radio 2, etc.), enable Radio Resource Provision.
  3. Click OK.

To enable ARRP – CLI

In this example, ARRP is enabled for both radios in the FAP321C-default profile:

    config wireless-controller wtp-profile
        edit FAP321C-default
            config radio-1
                set darrp enable
            end
            config radio-2
                set darrp enable
            end
        next
    end

Setting ARRP timing

By default, ARRP optimization occurs at a fixed interval of 1800 seconds (30 minutes). You can change this interval in the CLI. For example, to change the interval to 3600 seconds enter:

    config wireless-controller timers
        set darrp-optimize 3600
    end

Optionally, you can schedule optimization for fixed times. This enables you to confine ARRP activity to a low-traffic period. Setting darrp-optimize to 0 makes darrp-day and darrp-time available. For example, here is how to set DARRP optimization for 3:00am every day:

    config wireless-controller timers
        set darrp-optimize 0
        set darrp-day sunday monday tuesday wednesday thursday friday saturday
        set darrp-time 03:00
    end

Both darrp-day and darrp-time can accept multiple entries.

 

What’s new in FortiOS 5.6

The following section describes new WiFi features added to FortiOS 5.6.0.

Captive Portal Authentication with FortiAP in Bridge Mode (408915)

The FortiGate can act as the web captive portal server for an SSID whose FortiAP operates in local bridge mode.

A new CLI command has been added under config wireless-controller vap to set the captive portal type to cmcc.

CLI syntax

    config wireless-controller vap
        edit <name>
            set portal-type { … | cmcc}
        next
    end

802.11kv(r) support (405498, 395037)

New CLI commands have been added under config wireless-controller vap to configure 802.11k/v (Voice Enterprise) and 802.11r (Fast Basic Service Set (BSS) Transition) settings, which give clients faster and better-informed roaming between APs.

CLI syntax

    config wireless-controller vap
        edit <name>
            set voice-enterprise {enable | disable}
            set fast-bss-transition {enable | disable}
            set ft-mobility-domain [1-65535]
            set ft-r0-key-lifetime [1-65535]
            set ft-over-ds {enable | disable}
        next
    end

External Captive Portal authentication with FortiAP in Bridge Mode (403115, 384872)

New CLI commands have been added under config wireless-controller vap to set various options for an external captive portal with FortiAP in Bridge Mode. The commands set the standalone captive portal server category, the server’s domain name or IP address, the secret key used to access the RADIUS server, and the standalone captive portal Access Controller (AC) name.

Note that these commands are only available when local-standalone is set to enable and security is set to captive-portal.

CLI syntax

    config wireless-controller vap
        edit <name>
            set captive-portal-category {FortiCloud | CMCC}    Default is FortiCloud.
            set captive-portal-radius-server <server>
            set captive-portal-radius-secret <password>
            set captive-portal-ac-name <name>
        next
    end

Japan DFS support for FAP-421E/423E/S421E/S423E (402287, 401434)

Korea and Japan Dynamic Frequency Selection (DFS) certification has been added for FAP-421E/423E/S421E/S423E. DFS is a mechanism that allows WLANs to select a frequency that does not interfere with certain radar systems while operating in the 5 GHz band.

802.3az support on WAVE2 WiFi APs (400558)

A new CLI command has been added under config wireless-controller wtp-profile to enable or disable use of Energy-Efficient Ethernet (EEE) on WTP, allowing for less power consumption during periods of low data activity.

CLI syntax

    config wireless-controller wtp-profile
        edit <profile-name>
            set energy-efficient-ethernet {enable|disable}
        next
    end

CLI command update made in wids-profile (400263)

The CLI command rogue-scan under config wireless-controller wids-profile has been changed to sensor-mode and allows easier configuration of radio sensor mode. Note that while foreign enables radio sensor mode on foreign channels only, both enables the feature on foreign and home channels.

CLI syntax

    config wireless-controller wids-profile
        edit <example>
            set sensor-mode {disable|foreign|both}
        next
    end

Channel utilization, FortiPresence support on AP mode, QoS enhancement for voice (399134, 377562)

A new CLI command has been added, config wireless-controller qos-profile, to configure

quality of service (QoS) profiles where you can add WiFi multi-media (WMM) control and Differentiated Services Code Point (DSCP) mapping.

Note that:

  • call-capacity and bandwidth-admission-control are only available when call-admissioncontrol is set to enable. l bandwidth-capacity is only available when bandwidth-admission-control is set to enable. l All DSCP mapping options are only available when dscp-wmm-mapping is set to enable.
  • wmm is already set to enable by default. If wmm is set to disable, the following entries are not available: wmm-

uapsd, call-admission-control, and dscp-wmm-mapping.

CLI syntax

    config wireless-controller qos-profile
        edit <example>
            set comment <comment>
            set uplink [0-2097152]                              Default is 0 Kbps.
            set downlink [0-2097152]                            Default is 0 Kbps.
            set uplink-sta [0-2097152]                          Default is 0 Kbps.
            set downlink-sta [0-2097152]                        Default is 0 Kbps.
            set burst {enable|disable}                          Default is disable.
            set wmm {enable|disable}                            Default is enable.
            set wmm-uapsd {enable|disable}                      Default is enable.
            set call-admission-control {enable|disable}         Default is disable.
            set call-capacity [0-60]                            Default is 10 phones.
            set bandwidth-admission-control {enable|disable}    Default is disable.
            set bandwidth-capacity [1-600000]                   Default is 2000 Kbps.
            set dscp-wmm-mapping {enable|disable}               Default is disable.
            set dscp-wmm-vo [0-63]                              Default is 48 56.
            set dscp-wmm-vi [0-63]                              Default is 32 40.
            set dscp-wmm-be [0-63]                              Default is 0 24.
            set dscp-wmm-bk [0-63]                              Default is 8 16.
        next
    end

QoS profiles can be assigned under the config wireless-controller vap command using qos-profile.

FortiCloud managed APs can now have a bandwidth restriction or rate limit applied based on SSID. For instance, if guest and employee SSIDs are available, you can rate limit guest access to a certain rate to leave capacity for employees. This feature also applies a rate limit based on the application in use, as the APs are application aware.

FAP-U421E and FAP-U423E support (397900)

Two Universal FortiAP models support FortiOS 5.6. Their default profiles are added under config wireless-controller wtp-profile, as shown below:

CLI syntax

    config wireless-controller wtp-profile
        edit "FAPU421E-default"
            config platform
                set type U421E
            end
            set ap-country US
            config radio-1
                set band 802.11n
            end
            config radio-2
                set band 802.11ac
            end
        next
    end

    config wireless-controller wtp-profile
        edit "FAPU423E-default"
            config platform
                set type U423E
            end
            set ap-country US
            config radio-1
                set band 802.11n
            end
            config radio-2
                set band 802.11ac
            end
        next
    end

Minor reorganization of WiFi GUI entries (396497)

WiFi & Switch Controller GUI entries Managed FortiAPs, SSID, FortiAP Profiles, and WIDS Profiles have been reorganized.

Multiple PSK support for WPA personal (393320, 264744)

New CLI commands have been added under config wireless-controller vap to configure multiple WiFi Protected Access Pre-Shared Keys (WPA-PSKs). Multiple PSKs are more secure because not all devices have to share the same PSK.

Note that, for the following multiple PSK related commands to become available, vdom, ssid, and passphrase all have to be set first.

CLI syntax

    config wireless-controller vap
        edit <example>
            set mpsk {enable|disable}
            set mpsk-concurrent-clients [0-65535]       Default is 0.
            config mpsk-key
                edit <key-name>
                    set passphrase <wpa-psk>
                    set concurrent-clients [0-65535]    Default is empty.
                    set comment <comments>
                next
            end
    end

Use the mpsk-concurrent-clients entry to set the maximum number of concurrent connected clients for each mpsk entry. Use the mpsk-key configuration method to configure multiple mpsk entries.

Table size of qos-profile has VDOM limit (388070)

The command config wireless-controller qos-profile now has a VDOM table limit; there is no longer an unlimited number of entries within each VDOM.

Add “dhcp-lease-time” setting to local-standalone-nat VAP (384229)

When a Virtual Access Point (VAP) has been configured for a FortiAP, a DHCP server is automatically configured on the FortiAP side with a fixed lease time. A new CLI command under config wireless-controller vap has been added to customize the DHCP lease time for NAT IP addresses. This solves issues where the DHCP IP pool was exhausted when the number of clients grew too large for the lease time span.

Note that the new command, dhcp-lease-time, is only available when local-standalone is set to enable and local-standalone-nat is then also set to enable.

CLI syntax

    config wireless-controller vap
        edit <example>
            set local-standalone {enable|disable}
            set local-standalone-nat {enable|disable}
            set dhcp-lease-time [300-8640000]       Default is 2400 seconds.
    end

New CLI command to configure LDPC for FortiAP (383864)

Previously, the LDPC value on FortiAP could only be changed from the FortiAP local CLI. Syntax has been added to the FortiOS CLI under the wireless-controller vap entry to configure the LDPC value on FortiAP.

CLI Syntax

    config wireless-controller vap
        edit 1
            set ldpc [enable|rx|tx|disable]
    end

New region code/SKU for Indonesia (382926)

A new country region code, F, has been added to meet Indonesia’s WiFi channel requirements. Indonesia previously belonged to region code W.

FortiAP RMA support added (381936)

The new CLI command fortiap has been added under execute replace-device to replace an old FortiAP’s serial number with a new one.

CLI Syntax

    execute replace-device fortiap <old-fortiap-id> <new-fortiap-id>

Support fixed-length 64-hex digit for WPA-Personal passphrase (381030)

WPA-Personal passphrase now supports a fixed-length of 64 hexadecimal digits.
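The two passphrase forms described here, together with the per-key validation a controller needs for the multiple-PSK entries above, as an added Python example (not FortiOS code): an 8-63 character passphrase is expanded with PBKDF2-HMAC-SHA1 over the SSID as IEEE 802.11 specifies, while a 64-hex-digit value is used directly as the 256-bit PSK. The build_mpsk_keys helper and its duplicate-PSK check are this example's own, not a documented FortiOS behaviour.

```python
"""WPA-Personal key handling: 8-63 char passphrase vs. fixed 64 hex digits.

Added illustration, not FortiOS code. Both forms yield the same 32-byte PSK
(the PMK of WPA/WPA2-Personal); only the passphrase form goes through PBKDF2.
"""
import hashlib
import re
import string

PBKDF2_ROUNDS = 4096          # IEEE 802.11 passphrase-to-PSK mapping
PSK_BYTES = 32                # 256-bit PSK

_HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")
# Passphrase characters are printable ASCII 32..126 (space allowed).
_PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def classify_passphrase(value: str) -> str:
    """Return 'hex' or 'ascii'; raise ValueError for a malformed key string."""
    if _HEX64.match(value):
        return "hex"
    if 8 <= len(value) <= 63 and all(c in _PRINTABLE for c in value):
        return "ascii"
    raise ValueError("passphrase must be 8-63 printable ASCII characters "
                     "or exactly 64 hexadecimal digits")


def derive_psk(ssid: str, value: str) -> bytes:
    """Derive the 32-byte PSK for an SSID from either key form."""
    if classify_passphrase(value) == "hex":
        return bytes.fromhex(value)          # raw PSK, no derivation step
    return hashlib.pbkdf2_hmac("sha1", value.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, PSK_BYTES)


def build_mpsk_keys(ssid: str, entries: dict) -> dict:
    """Validate MPSK entries {key-name: (passphrase, concurrent-clients)}.

    Hypothetical controller-side check (this example's own logic): every
    passphrase well formed, client limits within 0-65535, and no two names
    resolving to the same PSK, since identical PSKs give no per-group
    separation even though the names differ.
    """
    seen, out = {}, {}
    for name, (passphrase, limit) in entries.items():
        if not 0 <= limit <= 65535:
            raise ValueError(f"{name}: concurrent-clients out of range")
        psk = derive_psk(ssid, passphrase)
        if psk in seen:
            raise ValueError(f"{name}: same PSK as entry {seen[psk]}")
        seen[psk] = name
        out[name] = {"psk": psk.hex(), "concurrent_clients": limit}
    return out
```

The "IEEE"/"password" pair used in the test is the published IEEE 802.11 reference vector, so the derivation can be checked against a known answer.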

Allow FortiGates to manage cloud-based FortiAPs (380150)

FortiGates can now manage cloud-based FortiAPs using the new fapc-compatibility command under wireless-controller setting.

If enabled, default FAP-C wtp-profiles are added. If disabled, FAP-C related CMDB configurations are removed: the wtp-group in the VAP’s vlan-pool, wtp-group, ws, wtp, and wtp-profile.

CLI syntax

    config wireless-controller setting
        set country CN
        set fapc-compatibility [enable|disable]
    end

You will receive an error message when trying to change the country while fapc-compatibility is enabled. You need to disable fapc-compatibility before changing to a country that FAP-C does not support.

Use IPsec instead of DTLS to protect CAPWAP tunnels (379502)

This feature uses FortiAP hardware to improve the throughput of tunneled data traffic by using IPsec when data security is enabled.

The “AES-256-CBC & SHA256” algorithms and “dh_group 15” are used for both CAPWAP IPsec phase 1 and phase 2.

FAP320B does not support this feature because of its limited free flash.

New option added to support only one IP per one endpoint association (378207)

When users change the configuration, radiusd resets all configurations and refreshes all logons in the kernel; all of these actions are done in one loop. A CLI option has been added to enable or disable replacement of an old IP address with a new IP address for the same endpoint on RADIUS accounting start.

CLI Syntax

    config user radius
        edit radius-root
            set rsso-ep-one-ip-only [enable|disable]
        next
    end
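A model of what the rsso-ep-one-ip-only option does to the RADIUS single sign-on logon table, as an added Python example (not FortiOS code). It assumes the endpoint is identified by the Calling-Station-Id attribute (the page does not say which attribute is used) and represents accounting packets as constructed dicts of standard RADIUS attribute names.

```python
"""Model of rsso-ep-one-ip-only: on an accounting Start for an endpoint that
already has a logon, either replace the old IP mapping (enable) or keep it and
add the new one (disable). Added illustration, not FortiOS code."""
from dataclasses import dataclass, field

ACCT_START, ACCT_STOP = 1, 2     # Acct-Status-Type values (RFC 2866)


@dataclass
class RssoTable:
    one_ip_only: bool
    logons: dict = field(default_factory=dict)   # ip -> (endpoint, user)

    def accounting(self, pkt: dict) -> list:
        """Apply one accounting packet; return the IPs whose logon was removed."""
        ip = pkt["Framed-IP-Address"]
        # Assumption: Calling-Station-Id identifies the endpoint.
        endpoint = pkt.get("Calling-Station-Id", ip)
        removed = []
        if pkt["Acct-Status-Type"] == ACCT_START:
            if self.one_ip_only:
                # Same endpoint, different IP: drop the stale mapping(s) first.
                for old, (ep, _user) in list(self.logons.items()):
                    if ep == endpoint and old != ip:
                        del self.logons[old]
                        removed.append(old)
            self.logons[ip] = (endpoint, pkt["User-Name"])
        elif pkt["Acct-Status-Type"] == ACCT_STOP and ip in self.logons:
            del self.logons[ip]
            removed.append(ip)
        return removed

    def user_for(self, ip: str):
        entry = self.logons.get(ip)
        return entry[1] if entry else None


def simulate_roam(one_ip_only: bool) -> dict:
    """Constructed scenario: an endpoint logs on with one IP, later obtains a
    new IP (e.g. after roaming) and RADIUS sends a second Start. Returns the
    user each IP still maps to, so the stale-mapping window is visible."""
    table = RssoTable(one_ip_only)
    first = {"Acct-Status-Type": ACCT_START, "User-Name": "alice",
             "Framed-IP-Address": "10.0.0.5",
             "Calling-Station-Id": "aa-bb-cc-dd-ee-ff"}
    second = dict(first, **{"Framed-IP-Address": "10.0.0.9"})
    table.accounting(first)
    table.accounting(second)
    return {ip: table.user_for(ip) for ip in ("10.0.0.5", "10.0.0.9")}
```

With the option disabled, 10.0.0.5 keeps alice's identity until a Stop arrives, so whichever client next receives that address from DHCP matches her policies; enabling the option closes that window.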

FAP-222C-K DFS support (377795)

Dynamic Frequency Selection (DFS) bands can now be configured for FortiAP 222C-K.

Note that this FortiAP model has the Korean region code (K), but ap-country under config wireless-controller wtp-profile still needs to be set to KR.

CLI syntax

    config wireless-controller wtp-profile
        edit <K-FAP222C>
            config platform
                set type 222C
            end
            set ap-country KR
            config radio-2
                set band 802.11ac
                set vap-all disable
                set vaps "vap-vd-07"
                set channel "52" "56" "60" "64" "100" "104" "108" "112" "116" "120" "124" "128" "132" "136" "140"
            end
        next
    end

Dynamic VLAN support in standalone mode (377298)

Dynamic VLAN is now supported in standalone mode. Previously, dynamic VLAN only worked in local bridge mode.

CLI-only features added to GUI (376891)

Previously CLI-only features have been added to the GUI under FortiAP Profiles, Managed FortiAPs, and SSID. An issue has also been fixed so that the correct value is displayed when viewing the WIDS Profile notification icon under FortiAP Profiles.

Managed AP GUI update (375376)

The Managed FortiAPs dialog page has been upgraded to a newer style, including icons for SSID and LAN port.

Bonjour gateway support (373659)

Bonjour gateway is now supported for WiFi networks.

Syntax

    config wireless-controller bonjour-profile
        edit 0
            set comment "comment"
            config policy-list
                edit 1
                    set description "description"
                    set from-vlan [0-4094]          Default is 0.
                    set to-vlan [0-4094|all]        Default is all.
                    set services [all|airplay|afp|bittorrent|ftp|ichat|itunes|printers|samba|scanners|ssh|chromecast]
                next
            end
        next
    end

FAP421E/423E wave2 support (371374)

Previously removed wave2 FAP421E and FAP423E models have been reinstated and are now supported again. The models are available again through the CLI and GUI. These models are listed under the Platform dropdown menu when creating a new FortiAP Profile under WiFi & Switch Controller > FortiAP Profiles.

CLI syntax

    config wireless-controller wtp-profile
        edit <example>
            config platform
                set type <…|421E|423E>
            end
    end

WiFi Health Monitor GUI changes (308317)

The WiFi Health Monitor page has been improved, including the following changes:

  • Flowchart used for diagrams
  • Chart used for interference and AP clients
  • Removed spectrum analysis
  • Added functionality to upgrade FortiAP firmware
  • Added option to view both 2.4GHz and 5GHz data simultaneously

AP Profile GUI page updates (298266)

The AP Profile GUI page has been upgraded to a new style including AngularJS code.

1+1 Wireless Controller HA (294656)

Failover between FortiAP units took too long and led to extended periods of time during which WiFi users had no network connection. Because WiFi is considered a primary network connection in today’s verticals (including enterprise, retail, education, warehousing, healthcare, government, and more), successful failover must occur as fast as possible.

You can now define the role of the primary and secondary controllers on the FortiAP unit, allowing the unit to decide the order in which the FortiAP selects the FortiGate. This process was previously decided on load-based detection, but can now be defined by each unit’s pre-determined priority. In addition, heartbeat intervals have been lowered to further improve FortiAP awareness and successful failover.

Syntax

    config wireless-controller inter-controller
        set inter-controller-mode {disable | l2-roaming | 1+1}    Default is disable.
        set inter-controller-key <password>
        set inter-controller-pri {primary | secondary}            Default is primary.
        set fast-failover-max [3-64]                              Default is 10.
        set fast-failover-wait [10-86400]                         Default is 10.
        config inter-controller-peer
            edit <name>
                set peer-ip <ip-address>
                set peer-port [1024-49150]                        Default is 5246.
                set peer-priority {primary | secondary}           Default is primary.
            next
        end
    end

Support for duplicate SSID names on tunnel and bridge mode interfaces (278955)

When duplicate-ssid is enabled in the CLI, VAPs can use the same SSID name in the same VDOM. When it is disabled, all SSIDs on WLAN interfaces are checked, and if duplicate SSIDs exist an error message is displayed. When duplicate-ssid is enabled in the CLI, the duplicate SSID check is also removed from the Edit SSID GUI page.

Syntax

    config wireless-controller setting
        set duplicate-ssid [enable|disable]
    end

Controlled failover between wireless controllers (249515)

Failover between FortiAP units took too long and led to extended periods of time during which WiFi users had no network connection. Because WiFi is considered a primary network connection in today’s verticals (including enterprise, retail, education, warehousing, healthcare, government, and more), successful failover must occur as fast as possible.

Administrators can now define the role of the primary and secondary controllers on the FortiAP unit, allowing the unit to decide the order in which the FortiAP selects the FortiGate. This process was previously decided by load-based detection, but can now be defined by each unit’s pre-determined priority. In addition, heartbeat intervals have been lowered to further improve FortiAP awareness and successful failover.

FortiWIFI and FortiAP Configuration Guide

Introduction

Welcome and thank you for selecting Fortinet products for your network protection. This document describes how to configure wireless networks with FortiWiFi, FortiGate, and FortiAP units.

This chapter contains the following topics:

  • Before you begin
  • How this guide is organized

Before you begin

Before you begin using this guide, please ensure that:

  • You have administrative access to the web-based manager and/or CLI.
  • The FortiGate unit is integrated into your network.
  • The operation mode has been configured.
  • The system time, DNS settings, administrator password, and network interfaces have been configured.
  • Firmware, FortiGuard Antivirus and FortiGuard Antispam updates are completed.
  • FortiGuard Analysis & Management Service is properly configured.

While using the instructions in this guide, note that administrators are assumed to be super_admin administrators unless otherwise specified. Some restrictions will apply to other administrators.

How this guide is organized

This FortiOS Handbook chapter contains the following sections:

Introduction to wireless networking explains the basic concepts of wireless networking and how to plan your wireless network.

Configuring a WiFi LAN explains how to set up a basic wireless network, prior to deploying access point hardware.

Access point deployment explains how to deploy access point hardware and add it to your wireless network configuration.

Wireless Mesh explains how to configure a Wi-Fi network where access points are connected to the Wi-Fi controller wirelessly instead of by Ethernet.

Combining WiFi and wired networks with a software switch shows how to use the FortiAP Wi-Fi-Ethernet bridge feature.

Protecting the WiFi Network explains the Wireless Intrusion Detection System (WIDS).

Wireless network monitoring explains how to monitor your wireless clients and how to monitor other wireless access points, potentially rogues, in your coverage area.


Configuring wireless network clients explains how to configure typical wireless clients to work with a WPA-Enterprise protected network.

Wireless network examples provides two examples. The first is a simple Wi-Fi network using automatic configuration. The second is a more complex example of a business with two Wi-Fi networks, one for employees and another for guests or customers.

Using a FortiWiFi unit as a client explains how to use a FortiWiFi unit as a wireless client to connect to other Wi-Fi networks. This connection can take the place of an Ethernet connection where wired access to a network or to the Internet is not available.

Support for location-based services explains how Fortinet supports location-based services that collect information about devices near FortiGate-managed access points, even if the devices don’t associate with the network.

Reference provides information about Wi-Fi radio channels.

FortiAP 5.4.2 Release Notes

Introduction

This document provides the following information for FortiAP version 5.4.2:

  • Supported models
  • What’s new in FortiAP 5.4.2
  • Upgrade Information
  • Product Integration and Support
  • Resolved Issues

For more information on upgrading your FortiAP device, see the Deploying Wireless Networks for FortiOS 5.4 guide in the Fortinet Document Library.

Supported models

FortiAP version 5.4.2 supports the following models:

Model support

Model                                                          Build
FAP-11C, FAP-14C, FAP-21D, FAP-24D, FAP-25D, FAP-112B,         0354
FAP-112D, FAP-221B, FAP-221C, FAP-222B, FAP-222C,
FAP-223B, FAP-223C, FAP-224D, FAP-320B, FAP-320C,
FAP-321C, FAP-CAM-214B

What’s new in FortiAP 5.4.2

The following is a list of new features and enhancements in FortiAP version 5.4.2:

  • Support for DFS channels on more FAP SKUs:
    • FAP-321C-S
    • FAP-222C-K
    • FAP-221B-I, FAP-221C-I, FAP-222C-I, FAP-223C-I, FAP-320B-I, FAP-320C-I, FAP-321C-I
  • Support for 64-digit hexadecimal passphrase in WPA2-Personal SSID

The following features require FortiCloud 3.1.0:

  • OKC support for FortiCloud WPA2-Enterprise SSID with RADIUS authentication
  • Dynamic VLAN support for FortiCloud WPA2-Enterprise SSID
  • Support for time zone and daylight-saving settings from FortiCloud
  • During firmware upgrade, FAP can download the firmware image from an HTTPS server as instructed by FortiCloud.


The following features require FortiGate running FortiOS 5.6.0:

  • PMF support for local-standalone SSID with WPA2-Personal/Enterprise security
  • New security option for CAPWAP data channel: IPsec VPN. Note: FAP-320B cannot support this feature due to its flash limit.
  • Support for QoS Profile (rate limits per SSID and per client IP)
  • Add “lease-time” setting to NAT-mode local-standalone VAP


Upgrade Information

Upgrading from FortiAP version 5.4.1

FortiAP 5.4.2 supports upgrading from 5.4.1.

Downgrading to previous firmware versions

FortiAP 5.4.2 does not support downgrading to previous firmware versions.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. After logging in, select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

Supported Upgrade Paths

To view all previous FortiAP versions, build numbers, and their supported upgrade pathways, see the following Fortinet Cookbook link:

http://cookbook.fortinet.com/supported-upgrade-paths-fortiap/

Product Integration and Support

FortiAP 5.4.2 support

The following table lists FortiAP version 5.4.2 product integration and support information.

FortiAP 5.4.2 support

Web Browsers                    • Microsoft Internet Explorer version 11
                                • Mozilla Firefox version 41
                                • Google Chrome version 47
                                • Safari 8
                                Other web browsers may function correctly, but are not supported by Fortinet.
FortiOS                         5.4.2 and later
FortiExplorer (Windows/MAC)     2.6.0 (model FAP-11C only)
FortiExplorer iOS               2.0.0 (models FAP-11C, 21D, 24D, 112D, 320B, and 320C only)


Resolved Issues

The following issues have been fixed in version 5.4.2. For inquiries about a particular bug, please contact Customer Service & Support.

Bug ID Description
206429 FAP WIDS function could not detect spoofed de-authentication attack to its operating SSID.
300277 The NAT setting in FAP was not cleared correctly when the VAP configuration in FortiGate has local-standalone disabled. (FortiGate will have the fix in FortiOS 5.6.0.)
369467 In FortiCloud captive-portal SSID setup, Social Media login page might become inaccessible due to DNS load balancing or rotation.
375543 FAP reported excess event logs about operating channel and Tx Power on 2.4 GHz radio.
307852 In FAP GUI, FortiCloud Account field now allows up to 50 characters.
381375 BPDU frames got truncated by FAP LAN to tunnel SSID when CAPWAP-data is plain text.
381602 Country code “AUSTRALIA” should be supported by FAP with region code “N”.
390947 Country code “SAUDI ARABIA” should be supported by FAP with region code “E”.
382926 Country code “INDONESIA” is now supported by a new region code “F”.
380931 Schedule of local-standalone SSID did not work when FAP lost connection with FortiCloud.
374626 Memory usage of IP pool of DHCP server in NAT-mode local-standalone SSID has been improved.
369162 For dual-radio FAP platforms, when both radios have the same NAT-mode local-standalone SSID configured, they can use the same IP and subnet mask settings now.
379123 Local-standalone SSID can support pre-authentication now.
391677 FAP-320C had lower TX power than expected.
281684 FAP sometimes encountered “PN check failed” issue.
395016 FAP-320C-E 2.4GHz Radio had inconsistent TX power when configured 1 dBm.
395010 FAP-320C-E 5Ghz Radio TX power was stuck at 0 once cwWtpd was killed.
395244 Improvement. Now FAP sends WTP ID information packet to FortiPresence Server more frequently.

389205 FortiAP 5.4.2 is no longer vulnerable to the following CVE Reference: 2016-6308, 2016-6307, 2016-6306, 2016-6305, 2016-6304, 2016-6303, 2016-6302, 2016-2183, 2016-2182, 2016-2181, 2016-2180, 2016-2179, 2016-2178, 2016-2177.

Visit https://fortiguard.com/psirt for more information.


Known Issues

The following issues have been identified in version 5.4.2. For inquiries about a particular bug or to report a bug, please contact Customer Service & Support.

Bug ID Description
301726 Sniffer mode does not work on 802.11ac radios. Sniffer will be stuck in INIT(0) state and no packets will be captured.
300081 FortiAPs may encounter high CPU usage intermittently after a FortiGate wireless controller pushes a local-authentication virtual AP (VAP) configuration to them.
245323 Spectrum analysis may result in high CPU usage on some FortiAP models including the FAP-221B, FAP-223B, and FAP-221C.
236312 Split-tunneling SSIDs do not support VLANs.