Category Archives: FortiOS 5.6

Troubleshooting FortiAP shell command through CAPWAP control tunnel

FortiAP shell command through CAPWAP control tunnel

Very often, the FortiAP in the field is behind a NAT device, and access to the FortiAP through Telnet or SSH is not available. As a troubleshooting enhancement, this feature allows an AP shell command up to 127-bytes sent to

the FAP, and FAP will run this command, and return the results to the controller using the CAPWAP tunnel.

The maximum output from a command is limited to 4M, and the default output size is set to 32K.

The FortiAP will only report running results to the controller after the command is finished. If a new command is sent to the AP before the previous command is finished, the previous command will be canceled.

Enter the following:

diag w-c wlac wtpcmd wtp_ip wtp_port cmd [cmd-to-ap] cmd: run,show,showhex,clr,r&h,r&sh

  • cmd-to-ap: any shell commands, but AP will not report results until the command is finished on the AP l run: controller sends the ap-cmd to the FAP to run l show: show current results reported by the AP in text l showhex: show current results reported by the AP in hex l clr: clear reported results

 

Signal strength

  • r&s: run/show l r&sh: run/showhex

Support for location-based services

Support for location-based services

FortiOS supports location-based services by collecting information about WiFi devices near FortiGate-managed access points, even if the devices don’t associate with the network.

Overview

Configuring location tracking

Viewing device location data on the FortiGate unit

Overview

WiFi devices broadcast packets as they search for available networks. The FortiGate WiFi controller can collect information about the interval, duration, and signal strength of these packets. The Euclid Analytics service uses this information to track the movements of the device owner. A typical application of this technology is to analyze shopper behavior in a shopping center. Which stores do people walk past? Which window displays do they stop to look at? Which stores do they enter and how long do they spend there? The shoppers are not personally identified, each is known only by the MAC address of their WiFi device.

After enabling location tracking on the FortiGate unit, you can confirm that the feature is working by using a specialized diagnostic command to view the raw tracking data. The Euclid Analytics service obtains the same data in its proprietary format using a JSON inquiry through the FortiGate unit’s web-based manager interface.

Configuring location tracking

You can enable location tracking in any FortiAP profile, using the CLI. Location tracking is part of location-based services. Set the station-locate field to enable. For example:

config wireless-controller wtp-profile edit “FAP220B-locate” set ap-country US config platform set type 220B

end config lbs set station-locate enable

end

end

Automatic deletion of outdated presence data

The FortiGate generates a log entry only the first time that station-locate detects a mobile client. No log is generated for clients that have been detected before. To log repeat client visits, previous station presence data must be deleted (flushed). The sta-locate-timer can flush this data periodically. The default period is 1800 seconds (30 minutes). The timer can be set to any value between 1 and 86400 seconds (24 hours). A setting of 0 disables the flush, meaning a client is logged only on the very first visit.

The timer is one of the wireless controller timers and it can be set in the CLI. For example:

Viewing device location data on the FortiGate unit                                                  Support for location-based services

config wireless-controller timers set sta-locate-timer 1800

end

The sta-locate-timer should not be set to less than the sta-capability-timer (default 30 seconds) because that could cause duplicate logs to be generated.

FortiPresence push REST API

When the FortiGate is located on a private IP network, the FortiPresence server cannot poll the FortiGate for information. Instead, the FortiGate must be configured to push the information to the FortiPresence server.

Enter the following command:

config wireless-controller wtp-profile edit “FP223B-GuestWiFi” config lbs set fortipresence {enable | disable} set fortipresence-server <ip-address> Default is 3000. set fortipresence-port <port> set fortipresence-secret <password> set fortipresence-project <name> set fortipresence-frequency <5-65535> Default is 30. set fortipresence-rogue {enable | disable} Enable/disable reporting of Rogue APs. set fortipresence-unassoc {enable | disable} Enable/disable reporting of unassociated devices.

end

end

Viewing device location data on the FortiGate unit

You can use the FortiGate CLI to list located devices. This is mainly useful to confirm that the location data feature is working, You can also reset device location data.

To list located devices diag wireless-controller wlac -c sta-locate

To reset device location data diag wireless-controller wlac -c sta-locate-reset

Example output

The following output shows data for three WiFi devices.

FWF60C3G11004319 # diagnose wireless-controller wlac -c sta-locate sta_mac vfid rid base_mac freq_lst frm_cnt frm_fst frm_last intv_sum intv2_sum intv3_ sum intv_min intv_max signal_sum signal2_sum signal3_sum sig_min sig_max sig_fst sig_last ap

00:0b:6b:22:82:61 0

FAP22B3U11005354 0 0 00:09:0f:f1:bb:e4 5745 257 708 56 651 1836 6441 0 12 -21832

1855438 -157758796 -88 -81 -84 -88 0

Support for location-based services                                                  Viewing device location data on the FortiGate unit

00:db:df:24:1a:67 0

FAP22B3U11005354 0 0 00:09:0f:f1:bb:e4 5745 42 1666 41 1625 97210 5831613 0 60 -3608 310072 -26658680 -90 -83 -85 -89 0

10:68:3f:50:22:29 0

FAP22B3U11005354 0 0 00:09:0f:f1:bb:e4 5745 102 1623 58 1565 94136 5664566 0 60 -8025 631703 -49751433 -84 -75 -78 -79 0

The output for each device appears on two lines. The first line contains only the device MAC address and the VLAN ID. The second line begins with the ID (serial number) of the FortiWiFi or FortiAP unit that detected the device, the AP’s MAC address, and then the fields that the Euclid service uses. Because of its length, this line wraps around and displays as multiple lines.

Using a FortiWiFi unit as a client

Using a FortiWiFi unit as a client

A FortiWiFi unit by default operates as a wireless access point. But a FortiWiFi unit can also operate as a wireless client, connecting the FortiGate unit to another wireless network.

Use of client mode Configuring client mode

Use of client mode

In client mode, the FortiWiFi unit connects to a remote WiFi access point to access other networks or the Internet. This is most useful when the FortiWiFi unit is in a location that does not have a wired infrastructure.

For example, in a warehouse where shipping and receiving are on opposite sides of the building, running cables might not be an option due to the warehouse environment. The FortiWiFi unit can support wired users using its Ethernet ports and can connect to another access point wirelessly as a client. This connects the wired users to the network using the 802.11 WiFi standard as a backbone.

Note that in client mode the FortiWiFi unit cannot operate as an AP. WiFi clients cannot see or connect to the FortiWifi unit in Client mode.

Using a FortiWiFi unit as a client                                                                                                 Use of client mode

FortiWiFi unit in Client mode

Configuring client mode                                                                                          Using a FortiWiFi unit as a client

Configuring client mode

To set up the FortiAP unit as a WiFi client, you must use the CLI. Before you do this, be sure to remove any AP WiFi configurations such as SSIDs, DHCP servers, policies, and so on.

To configure wireless client mode

  1. Change the WiFi mode to client.

In the CLI, enter the following commands:

config system global set wireless-mode client

end

Respond “y” when asked if you want to continue. The FortiWiFi unit will reboot.

  1. Configure the WiFi interface settings.

For example, to configure the client for WPA-Personal authentication on the our_wifi SSID with passphrase justforus, enter the following in the CLI:

config system interface edit wifi set mode dhcp config wifi-networks edit 0 set wifi-ssid our_wifi set wifi-security wpa-personal set wifi-passphrase “justforus”

end

end

The WiFi interface client_wifi will receive an IP address using DHCP.

  1. Configure a wifi to port1 policy.

You can use either CLI or web-based manager to do this. The important settings are:

Incoming Interface (srcintf) wifi
Source Address (srcaddr) all
Outgoing Interface (dstintf) port1
Destination Address (dstaddr) all
Schedule always
Service ALL
Action ACCEPT
Enable NAT Selected

Managing a FortiAP with FortiCloud

Managing a FortiAP with FortiCloud

This chapter provides a few FortiCloud-managed FortiAP configuration examples.

FortiCloud-managed FortiAP WiFi

FortiCloud-managed FortiAP WiFi without a key

You can register for a free FortiCloud account at www.forticloud.com.

For a video tutorial of how to configure and manage a FortiAP-S device from FortiCloud, follow the link below:

l How to configure and Manage FortiAP-S from FortiCloud

FortiCloud-managed FortiAP WiFi

In this example, you use FortiCloud to configure a single FortiAP-221C, creating a working WiFi network without a FortiGate unit.

FortiCloud remote management is supported on FortiAP models 221C and 320C.

For this configuration, the FortiAP-221C unit is running version 5.2 firmware. You will create a simple network that uses WPA-Personal authentication.

You can register for a free FortiCloud account at www.forticloud.com.

To create the WiFi network without a FortiGate unit, you must:

l Add your FortiAP to FortiCloud l Configure the SSID l Configure the AP platform profile l Deploy the AP with the profile

Adding your FortiAP to FortiCloud

You need to add the FortiAP unit to your FortiCloud account. This is done through a unique key that can be found under the FortiAP unit.

To add a FortiAP to FortiCloud

  1. Connect the FortiAP Ethernet interface to a network that provides access to the Internet.
  2. Open a web browser and navigate to the FortiCloud main page and select + AP Network.
  3. Enter an AP Network Name and AP Password. This password is used to locally log in to the AP as the administrator. It will be set to all APs in this AP network.
  4. Set the correct Time Zone and select Submit.

Configuring the SSID

You must establish the SSID (network interface) for the WiFi network.

FortiCloud-managed FortiAP WiFi without a key                                                    Managing a FortiAP with FortiCloud

To configure the SSID

  1. Select the FortiAP you just created from the home page. You will then be prompted to add an SSID for the AP Network.

In the interface, this is under Configure > SSIDs.

  1. In Access Control, enter the name of your SSID, set Authentication to WPA2-Personal, enter the Preshared Key, and select Next.
  2. In Security, enable security features as required (select from AntiVirus, Intrusion Prevention, Block Botnet, Web Access, and Application Control) and select Next.
  3. In Availability, make sure to leave 5 GHz enabled, configure a schedule as required, and select Next.
  4. Review your SSID in Preview, then select Apply.

Configuring the AP platform profile

The radio portion of the FortiAP configuration is contained in the FortiAP platform profile. By default, there is a profile for each platform (FortiAP model). The SSID needs to be specified in the profile.

To configure the AP profile

  1. Go to Configure > AP Profile and edit the AP Profile for your FortiAP model (mouse-over the AP Profile to reveal the Edit button).
  2. Enable the SSID configured earlier for both Radio 1 and Radio 2, for 5GHz coverage.

Deploying the AP with the platform profile

With the SSID and platform profile configured, you must deploy the AP by entering the FortiCloud key for the FortiAP.

To deploy the AP

  1. Go to Configure > Deploy APs. Here you will be prompted to enter the FortiCloud key, which can be found on the same label as the FortiAP unit’s serial number, and select Submit.

If you have a FortiAP model that does not include a FortiCloud key, you can still add the device to the network. To learn how, see the FortiCloud-managed FortiAP WiFi without a key configuration.

  1. In Set Platform Profiles, select the platform profile you created earlier and select Next.
  2. Follow the rest of the deployment wizard. Select Submit when completed.

You will now be able to connect to the wireless network and browse the Internet. On the FortiCloud website, go to Monitor > Report where you can view monitoring information such as Traffic by Period, Client Count by Period, and more.

FortiCloud-managed FortiAP WiFi without a key

You can manage your FortiAP-based wireless network with FortiCloud even if your FortiAP has no FortiCloud key.

Managing a FortiAP with FortiCloud                                                    FortiCloud-managed FortiAP WiFi without a key

For this example, you will need to have already pre-configured your FortiAP unit with your FortiCloud account credentials. For more information on how to do this, or if your FortiAP has a FortiCloud key (on the serial number label), see the FortiCloud-managed FortiAP WiFi configuration.

You can register for a free FortiCloud account at www.forticloud.com.

To create the WiFi network without a FortiCloud key, you must:

l Configure the FortiAP unit l Add the FortiAP unit to your FortiCloud account l Configure the FortiAP

Configuring the FortiAP unit

You need to connect and configure the FortiAP unit through the web-based manager of the FortiGate.

To configure the FortiAP unit – web-based manager

  1. Connect your computer to the FortiAP Ethernet port. The FortiAP’s default IP address is 192.168.1.2. The computer should have an address on the same subnet, 192.168.1.3 for example.
  2. Using a browser, log in to the FortiAP as admin. Leave the password field empty.
  3. In WTP-Configuration, select FortiCloud and enter your FortiCloud credentials. Select Apply.

The FortiAP is now ready to connect to FortiCloud via the Internet.

Adding the FortiAP unit to your FortiCloud account

The FortiAP must be added to the FortiCloud account that has a WiFi network already configured for it.

For an example of creating a WiFi network on FortiCloud, see FortiCloud-managed FortiAP WiFi on page 148.

To add the FortiAP to FortiCloud

  1. Connect the FortiAP Ethernet cable to a network that connects to the Internet.

Restore your computer to its normal network configuration and log on to FortiCloud.

  1. From the Home screen, go to Inventory > AP Inventory. Your FortiAP should be listed.
  2. Then go back to the Home screen, select your AP network, and go to Deploy APs.
  3. Select your listed FortiAP and select Next.
  4. Make sure your platform profile is selected from the dropdown menu, and select Next.
  5. In Preview, select Deploy.

The device will now appear listed under Access Points.

You will now be able to connect to the wireless network and browse the Internet. On the FortiCloud website, go to Monitor > Report where you can view monitoring information such as Traffic by Period, Client Count by Period, and more.

Wireless network examples

Wireless network examples

This chapter provides an example wireless network configuration.

Basic wireless network A more complex example

Basic wireless network

This example uses automatic configuration to set up a basic wireless network.

To configure this wireless network, you must:

l Configure authentication for wireless users l Configure the SSID (WiFi network interface) l Add the SSID to the FortiAP Profile l Configure the firewall policy l Configure and connect FortiAP units

Configuring authentication for wireless users

You need to configure user accounts and add the users to a user group. This example shows only one account, but multiple accounts can be added as user group members.

To configure a WiFi user – web-based manager

  1. Go to User & Device > User Definition and select Create New.
  2. Select Local User and then click Next.
  3. Enter a User Name and Password and then click Next.
  4. Click
  5. Make sure that Enable is selected and then click Create.

To configure the WiFi user group – web-based manager

  1. Go to User & Device > User Groups and select Create New.
  2. Enter the following information and then select OK:
Name wlan_users
Type Firewall
Members Add users.

To configure a WiFi user and the WiFi user group – CLI

config user user edit “user01”

Basic wireless network

set type password set passwd “asdf12ghjk”

end

config user group edit “wlan_users” set member “user01”

end

Configuring the SSID

First, establish the SSID (network interface) for the network. This is independent of the number of physical access points that will be deployed. The network assigns IP addresses using DHCP.

To configure the SSID – web-based manager

  1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.
  2. Enter the following information and select OK:
Interface Name                                  example_wifi_if
Traffic Mode                                      Tunnel to Wireless Controller
IP/Network Mask                                10.10.110.1/24
Administrative Access                      Ping (to assist with testing)
DHCP Server                                     Enable
Address Range 10.10.110.2 – 10.10.110.199
Netmask 255.255.255.0
Default Gateway Same As Interface IP
DNS Server Same as System DNS
SSID                                                 example_wifi
Security Mode                                   WPA2 Enterprise
Authentication                                  Local, select wlan_users user group.
Leave other settings at their default values.

To configure the SSID – CLI

config wireless-controller vap edit example_wifi_if set ssid “example_wifi” set broadcast-ssid enable set security wpa-enterprise set auth usergroup set usergroup wlan_users set schedule always

end config system interface

Basic wireless network

edit example_wifi_if set ip 10.10.110.1 255.255.255.0

end

config system dhcp server edit 0 set default-gateway 10.10.110.1

set dns-service default set interface “example_wifi_if” config ip-range edit 1 set end-ip 10.10.110.199 set start-ip 10.10.110.2

end

set netmask 255.255.255.0

end

Adding the SSID to the FortiAP Profile

The radio portion of the FortiAP configuration is contained in the FortiAP Profile. By default, there is a profile for each platform (FortiAP model). You can create additional profiles if needed. The SSID needs to be specified in the profile.

To add the SSID to the FortiAP Profile – web-based manager

  1. Go to WiFi & Switch Controller > FortiAP Profiles and edit the profile for your model of FortiAP unit.
  2. In Radio 1 and Radio 2, add example_wifi in SSID.
  3. Select OK.

Configuring security policies

A security policy is needed to enable WiFi users to access the Internet on port1. First you create firewall address for the WiFi network, then you create the example_wifi to port1 policy.

To create a firewall address for WiFi users – web-based manager

  1. Go to Policy & Objects > Addresses.
  2. Select Create New > Address, enter the following information and select OK.
Name wlan_user_net
Type IP/Netmask
Subnet / IP Range 10.10.110.0/24
Interface example_wifi_if
Show in Address List Enabled

To create a firewall address for WiFi users – CLI

config firewall address edit “wlan_user_net” set associated-interface “example_wifi_if”

Basic wireless network

set subnet 10.10.110.0 255.255.255.0

end

To create a security policy for WiFi users – web-based manager

  1. Go to Policy & Objects > IPv4 Policyand select Create New.
  2. Enter the following information and select OK:
Incoming Interface                  example_wifi_if
Source Address                      wlan_user_net
Outgoing Interface                  port1
Destination Address                All
Schedule                                always
Service                                   ALL
Action                                    ACCEPT
NAT                                       ON. Select Use Destination Interface Address (default).
Leave other settings at their default values.

To create a firewall policy for WiFi users – CLI

config firewall policy edit 0 set srcintf “example_wifi” set dstintf “port1” set srcaddr “wlan_user_net” set dstaddr “all” set schedule always set service ALL set action accept set nat enable

end

Connecting the FortiAP units

You need to connect each FortiAP unit to the FortiGate unit, wait for it to be recognized, and then assign it to the AP Profile. But first, you must configure the interface to which the FortiAP units connect and the DHCP server that assigns their IP addresses.

In this example, the FortiAP units connect to port 3 and are controlled through IP addresses on the 192.168.8.0/24 network.

To configure the interface for the AP unit – web-based manager

  1. Go to Network > Interfaces and edit the port3 interface.

2. Set the Addressing mode to Dedicated to Extension Device and set the IP/Network Mask to

Basic wireless network

192.168.8.1/255.255.255.0.

  1. Select OK.

This procedure automatically configures a DHCP server for the AP units.

To configure the interface for the AP unit – CLI

config system interface edit port3 set mode static

set ip 192.168.8.1 255.255.255.0

end

To configure the DHCP server for AP units – CLI

config system dhcp server edit 0 set interface port3 config exclude-range edit 1 set end-ip 192.168.8.1 set start-ip 192.168.8.1

end

config ip-range edit 1 set end-ip 192.168.8.254 set start-ip 192.168.8.2

end set netmask 255.255.255.0 set vci-match enable set vci-string “FortiAP”

end

To connect a FortiAP unit – web-based manager

  1. Go to WiFi & Switch Controller > Managed FortiAPs.
  2. Connect the FortiAP unit to port 3.
  3. Periodically select Refresh while waiting for the FortiAP unit to be listed.

Recognition of the FortiAP unit can take up to two minutes.

If FortiAP units are connected but cannot be recognized, try disabling VCI-Match in the DHCP server settings.

  1. When the FortiAP unit is listed, select the entry to edit it. The Edit Managed Access Point window opens.
  2. In State, select
  3. In FortiAP Profile, select the default profile for the FortiAP model.
  4. Select OK.
  5. Repeat Steps 2 through 8 for each FortiAP unit.

To connect a FortiAP unit – CLI

  1. Connect the FortiAP unit to port 3.
  2. Enter config wireless-controller wtp

 

  1. Wait 30 seconds, then enter get.

Retry the get command every 15 seconds or so until the unit is listed, like this:

== [ FAP22B3U10600118 ] wtp-id: FAP22B3U10600118

  1. Edit the discovered FortiAP unit like this:

edit FAP22B3U10600118 set admin enable

end

  1. Repeat Steps 2 through 4 for each FortiAP unit.

A more complex example

This example creates multiple networks and uses custom AP profiles.

Scenario

In this example, Example Co. provides two wireless networks, one for its employees and the other for customers or other guests of its business. Guest users have access only to the Internet, not to the company’s private network. The equipment for these WiFi networks consists of FortiAP-220B units controlled by a FortiGate unit.

The employee network operates in 802.11n mode on both the 2.4GHz and 5GHz bands. Client IP addresses are in the 10.10.120.0/24 subnet, with 10.10.120.1 the IP address of the WAP. The guest network also operates in 802.11n mode, but only on the 2.4GHz band. Client IP addresses are on the 10.10.115.0/24 subnet, with 10.10.115.1 the IP address of the WAP.

On FortiAP-220B units, the 802.11n mode also supports 802.11g and 802.11b clients on the 2.4GHz band and 802.11a clients on the 5GHz band.

The guest network WAP broadcasts its SSID, the employee network WAP does not.

The employees network uses WPA-Enterprise authentication through a FortiGate user group. The guest network features a captive portal. When a guest first tries to connect to the Internet, a login page requests logon credentials. Guests use numbered guest accounts authenticated by RADIUS. The captive portal for the guests includes a disclaimer page.

In this example, the FortiAP units connect to port 3 and are assigned addresses on the 192.168.8.0/24 subnet.

Configuration

To configure these wireless networks, you must:

  • Configure authentication for wireless users l Configure the SSIDs (network interfaces) l Configure the AP profile l Configure the WiFi LAN interface and a DHCP server
  • Configure firewall policies

Configuring authentication for employee wireless users

Employees have user accounts on the FortiGate unit. This example shows creation of one user account, but you can create multiple accounts and add them as members to the user group.

To configure a WiFi user – web-based manager

  1. Go to User & Device > User Definition and select Create New.
  2. Select Local User and then click Next.
  3. Enter a User Name and Password and then click Next.
  4. Click Next.
  5. Make sure that Enable is selected and then click Create.

To configure the user group for employee access – web-based manager

  1. Go to User & Device > User Groups and select Create New.
  2. Enter the following information and then select OK:
Name employee-group
Type Firewall
Members Add users.

To configure a WiFi user and the user group for employee access – CLI

config user user edit “user01” set type password set passwd “asdf12ghjk”

end

config user group edit “employee-group” set member “user01”

end

The user authentication setup will be complete when you select the employee-group in the SSID configuration.

Configuring authentication for guest wireless users

Guests are assigned temporary user accounts created on a RADIUS server. The RADIUS server stores each user’s group name in the Fortinet-Group-Name attribute. Wireless users are in the group named “wireless”.

The FortiGate unit must be configured to access the RADIUS server.

To configure the FortiGate unit to access the guest RADIUS server – web-based manager

  1. Go to User & Device > RADIUS Servers and select Create New.
  2. Enter the following information and select OK:
Name                                     guestRADIUS
Primary Server IP/Name          10.11.102.100
Primary Server Secret             grikfwpfdfg
Secondary Server IP/Name      Optional
Secondary Server Secret         Optional
Authentication Scheme          Use default, unless server requires otherwise.
Leave other settings at their default values.

To configure the FortiGate unit to access the guest RADIUS server – CLI

config user radius

edit guestRADIUS

set auth-type auto set server 10.11.102.100 set secret grikfwpfdfg

end

To configure the user group for guest access – web-based manager

  1. Go to User & Device > User Groups and select Create New.
  2. Enter the following information and then select OK:
Name guest-group
Type Firewall
Members Leave empty.
  1. Select Create new.
  2. Enter:
Remote Server Select guestRADIUS.
Groups Select wireless
  1. Select OK.

To configure the user group for guest access – CLI

config user group

edit “guest-group” set member “guestRADIUS” config match

edit 0

set server-name “guestRADIUS” set group-name “wireless”

end end

The user authentication setup will be complete when you select the guest-group user group in the SSID configuration.

Configuring the SSIDs

First, establish the SSIDs (network interfaces) for the employee and guest networks. This is independent of the number of physical access points that will be deployed. Both networks assign IP addresses using DHCP.

To configure the employee SSID – web-based manager

  1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.
  2. Enter the following information and select OK:
Interface Name                       example_inc
Traffic Mode                           Tunnel to Wireless Controller
IP/Netmask                             10.10.120.1/24
Administrative Access            Ping (to assist with testing)
Enable DHCP                          Enable
  Address Range                     10.10.120.2 – 10.10.120.199
  Netmask                               255.255.255.0
  Default Gateway                   Same As Interface IP
  DNS Server                           Same as System DNS
SSID                                       example_inc
Security Mode                        WPA/WPA2-Enterprise
Authentication                        Select Local, then select employee-group.
Leave other settings at their default values.

To configure the employee SSID – CLI

config wireless-controller vap edit example_inc set ssid “example_inc” set security wpa-enterprise set auth usergroup set usergroup employee-group set schedule always

end

config system interface edit example_inc set ip 10.10.120.1 255.255.255.0

end

config system dhcp server edit 0

set default-gateway 10.10.120.1 set dns-service default set interface example_inc config ip-range

edit 1

set end-ip 10.10.120.199 set start-ip 10.10.120.2

end

set lease-time 7200 set netmask 255.255.255.0

end

To configure the example_guest SSID – web-based manager

  1. Go to WiFi & Switch Controller > SSID and select Create New.
  2. Enter the following information and select OK:
Name                                     example_guest
IP/Netmask                             10.10.115.1/24
Administrative Access            Ping (to assist with testing)
Enable DHCP                          Enable
  Address Range                     10.10.115.2 – 10.10.115.50
  Netmask                               255.255.255.0
  Default Gateway                    Same as Interface IP
  DNS Server                           Same as System DNS
SSID                                       example_guest
Security Mode                        Captive Portal
Portal Type                             Authentication
Authentication Portal              Local
User Groups                           Select guest-group
Leave other settings at their default values.

To configure the example_guest SSID – CLI

config wireless-controller vap edit example_guest

set ssid “example_guest” set security captive-portal set selected-usergroups guest-group set schedule always

end

config system interface

edit example_guest

set ip 10.10.115.1 255.255.255.0

end

config system dhcp server edit 0 set default-gateway 10.10.115.1 set dns-service default set interface “example_guest” config ip-range

edit 1 set end-ip 10.10.115.50 set start-ip 10.10.115.2

end

set lease-time 7200 set netmask 255.255.255.0

end

Configuring the FortiAP profile

The FortiAP Profile defines the radio settings for the networks. The profile provides access to both Radio 1 (2.4GHz) and Radio 2 (5GHz) for the employee virtual AP, but provides access only to Radio 1 for the guest virtual AP.

To configure the FortiAP Profile – web-based manager

  1. Go to WiFi & Switch Controller > FortiAP Profiles and select Create New.
  2. Enter the following information and select OK:
Name example_AP
Platform FAP220B
Radio 1
  Mode Access Point
  Band 802.11n
  Channel Select 1, 6, and 11.
  Tx Power 100%
  SSID Select SSIDs and select example_inc and example_guest.
Radio 2
  Mode Access Point
  Band 802.11n_5G
  Channel Select all.
  Tx Power 100%
  SSID Select SSIDs and select example_inc.

To configure the AP Profile – CLI

config wireless-controller wtp-profile edit “example_AP” config platform set type 220B

end config radio-1 set ap-bgscan enable set band 802.11n set channel “1” “6” “11” set vaps “example_inc” “example_guest”

end config radio-2 set ap-bgscan enable set band 802.11n-5G

set channel “36” “40” “44” “48” “149” “153” “157” “161” “165” set vaps “example_inc” end

Configuring firewall policies

Identity-based firewall policies are needed to enable the WLAN users to access the Internet on Port1. First you create firewall addresses for employee and guest users, then you create the firewall policies.

To create firewall addresses for employee and guest WiFi users

  1. Go to Policy & Objects > Addresses.
  2. Select Create New, enter the following information and select OK.
Address Name employee-wifi-net
Type Subnet / IP Range
Subnet / IP Range 10.10.120.0/24
Interface example_inc
  1. Select Create New, enter the following information and select OK.
Address Name guest-wifi-net
Type Subnet / IP Range
Subnet / IP Range 10.10.115.0/24
Interface example_guest

To create firewall policies for employee WiFi users – web-based manager

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information and select OK:
Incoming Interface example_inc
Source Address employee-wifi-net
Outgoing Interface port1
Destination Address all
Schedule always
Service ALL
Action ACCEPT
NAT Enable NAT
  1. Optionally, select security profile for wireless users.
  2. Select OK.
  3. Repeat steps 1 through 4 but select Internal as the Destination Interface/Zone to provides access to the ExampleCo private network.

To create firewall policies for employee WiFi users – CLI

config firewall policy edit 0 set srcintf “employee_inc” set dstintf “port1” set srcaddr “employee-wifi-net” set dstaddr “all” set action accept set schedule “always” set service “ANY” set nat enable set schedule “always” set service “ANY”

next edit 0 set srcintf “employee_inc” set dstintf “internal” set srcaddr “employee-wifi-net” set dstaddr “all” set action accept set schedule “always” set service “ANY” set nat enable set schedule “always” set service “ANY”

end

To create a firewall policy for guest WiFi users – web-based manager

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information and select OK:
Incoming Interface example_guest
Source Address guest-wifi-net
Outgoing Interface port1
Destination Address all
Schedule always
Service ALL
Action ACCEPT
NAT Enable NAT
  1. Optionally, select UTM and set up UTM features for wireless users.
  2. Select OK.

To create a firewall policy for guest WiFi users – CLI

config firewall policy edit 0 set srcintf “example_guest” set dstintf “port1” set srcaddr “guest-wifi-net” set dstaddr “all” set action accept set schedule “always” set service “ANY” set nat enable

end

Connecting the FortiAP units

You need to connect each FortiAP-220A unit to the FortiGate unit, wait for it to be recognized, and then assign it to the AP Profile. But first, you must configure the interface to which the FortiAP units connect and the DHCP server that assigns their IP addresses.

In this example, the FortiAP units connect to port 3 and are controlled through IP addresses on the 192.168.8.0/24 network.

To configure the interface for the AP unit – web-based manager

  1. Go to Network > Interfaces and edit the port3 interface.

2. Set the Addressing mode to Dedicated to Extension Device and set the IP/Netmask to

192.168.8.1/255.255.255.0.

This step automatically configures a DHCP server for the AP units.

  1. Select OK.

To configure the interface for the AP unit – CLI

config system interface edit port3

set mode static

set ip 192.168.8.1 255.255.255.0

end

To configure the DHCP server for AP units – CLI

config system dhcp server edit 0 set interface port3 config ip-range

edit 1 set end-ip 192.168.8.9 set start-ip 192.168.8.2

end

set netmask 255.255.255.0 set vci-match enable set vci-string “FortiAP”

end

To connect a FortiAP-220A unit – web-based manager

  1. Go to WiFi & Switch Controller > Managed FortiAPs.
  2. Connect the FortiAP unit to port 3.
  3. Periodically select Refresh while waiting for the FortiAP unit to be listed.

Recognition of the FortiAP unit can take up to two minutes.

If there is persistent difficulty recognizing FortiAP units, try disabling VCI-Match in the DHCP server settings.

  1. When the FortiAP unit is listed, select the entry to edit it. The Edit Managed Access Point window opens.
  2. In State, select
  3. In the AP Profile, select [Change] and then select the example_AP
  4. Select OK.
  5. Repeat Steps 2 through 8 for each FortiAP unit.

To connect a FortiAP-220A unit – CLI

  1. Connect the FortiAP unit to port 3.
  2. Enter:

config wireless-controller wtp

  1. Wait 30 seconds, then enter get.

Retry the get command every 15 seconds or so until the unit is listed, like this:

== [ FAP22A3U10600118 ] wtp-id: FAP22A3U10600118

  1. Edit the discovered FortiAP unit like this:

edit FAP22A3U10600118 set admin enable set wtp-profile example_AP

end

  1. Repeat Steps 2 through 4 for each FortiAP unit.

 

Configuring wireless network clients

Configuring wireless network clients

This chapter shows how to configure typical wireless network clients to connect to a wireless network with WPAEnterprise security.

Windows XP client

Windows 7 client

Mac OS client

Linux client

Troubleshooting

Windows XP client

To configure the WPA-Enterprise network connection

  1. In the Windows Start menu, go to Control Panel > Network Connections > Wireless Network Connection or select the wireless network icon in the Notification area of the Taskbar. A list of available networks is displayed.

Windows XP

If you are already connected to another wireless network, the Connection Status window displays. Select View Wireless Networks on the General tab to view the list.

If the network broadcasts its SSID, it is listed. But do not try to connect until you have completed the configuration step below. Because the network doesn’t use the Windows XP default security configuration, configure the client’s network settings manually before trying to connect.

  1. You can configure the WPA-Enterprise network to be accessible from the View Wireless Networks window even if it does not broadcast its SSID.
  2. Select Change Advanced Settings and then select the Wireless Networks

Any existing networks that you have already configured are listed in the Preferred Networks list.

Windows XP client

  1. Select Add and enter the following information:
Network Name (SSID) The SSID for your wireless network
Network Authentication WPA2
Data Encryption AES
  1. If this wireless network does not broadcast its SSID, select Connect even if this network is not broadcasting so that the network will appear in the View Wireless Networks

Windows XP

  1. Select the Authentication
  2. In EAP Type, select Protected EAP (PEAP).
  3. Make sure that the other two authentication options are not selected.

Windows XP client

  1. Select Properties.
  2. Make sure that Validate server certificate is selected.
  3. Select the server certificate Entrust Root Certification Authority.
  4. In Select Authentication Method, select Secured Password (EAP-MSCHAPv2).
  5. Ensure that the remaining options are not selected.
  6. Select Configure.
  7. If your wireless network credentials are the same as your Windows logon credentials, select Automatically use my Windows logon name and password. Otherwise, make sure that this option is not selected.
  8. Select OK. Repeat until you have closed all of the Wireless Network Connection Properties

Windows 7

To connect to the WPA-Enterprise wireless network

  1. Select the wireless network icon in the Notification area of the Taskbar.
  2. In the View Wireless Networks list, select the network you just added and then select Connect. You might need to log off of your current wireless network and refresh the list.
  3. When the following popup displays, click on it.
  4. In the Enter Credentials window, enter your wireless network User name, Password, and Logon domain (if applicable). Then, select OK.

In future, Windows will automatically send your credentials when you log on to this network.

Windows 7 client

  1. In the Windows Start menu, go to Control Panel > Network and Internet > Network and Sharing Center > Manage Wireless Networks or select the wireless network icon in the Notification area of the Taskbar. A list of available networks is displayed.

Windows 7 client

  1. Do one of the following:

l If the wireless network is listed (it broadcasts its SSID), select it from the list. l Select Add > Manually create a network profile.

Windows 7

  1. Enter the following information and select Next.
Network name Enter the SSID of the wireless network. (Required only if you selected Add.)
Security type WPA2-Enterprise
Encryption type AES
Start this connection automatically Select
Connect even if the network is not broadcasting. Select

The Wireless Network icon will display a popup requesting that you click to enter credentials for the network. Click on the popup notification.

  1. In the Enter Credentials window, enter your wireless network User name, Password, and Logon domain (if applicable). Then, select OK.
  2. Select Change connection settings.
  3. On the Connection tab, select Connect automatically when this network is in range.
  4. On the Security tab, select the Microsoft PEAP authentication method and then select Settings.

Windows 7 client

  1. Make sure that Validate server certificate is selected.
  2. Select the server certificate Entrust Root Certification Authority.
  3. In Select Authentication Method, select Secured Password (EAP-MSCHAPv2).
  4. Select Configure.
  5. If your wireless network credentials are the same as your Windows logon credentials, select Automatically use my Windows logon name and password. Otherwise, make sure that this option is not selected.
  6. Ensure that the remaining options are not selected.
  7. Select OK. Repeat until you have closed all of the Wireless Network Properties

Mac OS

Mac OS client

To configure network preferences

  1. Right-click the AirPort icon in the toolbar and select Open Network Preferences.
  2. Select Advanced and then select the 1X tab.
  3. If there are no Login Window Profiles in the left column, select the + button and then select Add Login Window

Profile.

  1. Select the Login Window Profile and then make sure that both TTLS and PEAP are selected in Authentication.

To configure the WPA-Enterprise network connection

  1. Select the AirPort icon in the toolbar.
  2. Do one of the following:

l If the network is listed, select the network from the list. l Select Connect to Other Network.

Mac OS client

One of the following windows opens, depending on your selection.

  1. Enter the following information and select OK or Join:
Network name Enter the SSID of your wireless network. (Other network only)
Wireless Security WPA Enterprise
802.1X Automatic
Username Password Enter your logon credentials for the wireless network.
Remember this network Select.

You are connected to the wireless network.

Linux

Linux client

This example is based on the Ubuntu 10.04 Linux wireless client.

To connect to a WPA-Enterprise network

  1. Select the Network Manager icon to view the Wireless Networks menu.

Wireless networks that broadcast their SSID are listed in the Available section of the menu. If the list is long, it is continued in the More Networks submenu.

  1. Do one of the following:
    • Select the network from the list (also check More Networks).
    • Select Connect to Hidden Wireless Network.

One of the following windows opens, depending on your selection.

Linux client

  1. Enter the following information:
Connection Leave as New. (Hidden network only)
Network name Enter the SSID of your wireless network. (Hidden network only)
Wireless Security WPA & WPA2 Enterprise
Authentication Protected EAP (PEAP) for RADIUS-based authentication

Tunneled TLS for TACACS+ or LDAP-based authentication

Anonymous identity This is not required.
CA Certificate If you want to validate the AP’s certificate, select the Entrust Root Certification Authority root certificate. The default location for the certificate is /usr/share/ca-certificates/mozilla/.
PEAP version Automatic (applies only to PEAP)
Inner authentication MSCHAPv2 for RADIUS-based authentication

PAP or CHAP for TACACS+ or LDAP-based authentication

Username Password Enter your logon credentials for the wireless network.

 

Troubleshooting

  1. If you did not select a CA Certificate above, you are asked to do so. Select Ignore.
  2. Select You are connected to the wireless network.

To connect to a WPA-Enterprise network

  1. Select the Network Manager icon to view the Wireless Networks menu.
  2. Select the network from the list (also check More Networks).

If your network is not listed (but was configured), select Connect to Hidden Wireless Network, select your network from the Connection drop-down list, and then select Connect.

Troubleshooting

Using tools provided in your operating system, you can find the source of common wireless networking problems.

Checking that client received IP address and DNS server information

Windows XP

  1. Double-click the network icon in the taskbar to display the Wireless Network Connection Status

Check that the correct network is listed in the Connection section.

  1. Select the Support

Check that the Address Type is Assigned by DHCP. Check that the IP Address, Subnet Mask, and Default Gateway values are valid.

  1. Select Details to view the DNS server addresses.

The listed address should be the DNS serves that were assigned to the WAP. Usually a wireless network that provides access to the private LAN is assigned the same DNS servers as the wired private LAN. A wireless network that provides guest or customer users access to the Internet is usually assigned public DNS servers.

  1. If any of the addresses are missing, select Repair.

If the repair procedure doesn’t correct the problem, check your network settings.

Troubleshooting

Mac OS

  1. From the Apple menu, open System Preferences > Network.
  2. Select AirPort and then select Configure.
  3. On the Network page, select the TCP/IP
  4. If there is no IP address or the IP address starts with 169, select Renew DHCP Lease.
  5. To check DNS server addresses, open a terminal window and enter the following command:

cat /etc/resolv.conf

Check the listed nameserver addresses. A network for employees should us the wired private LAN DNS server. A network for guests should specify a public DNS server.

Linux

This example is based on the Ubuntu 10.04 Linux wireless client.

Troubleshooting

  1. Right-click the Network Manager icon and select Connection Information.
  2. Check the IP address, and DNS settings. If they are incorrect, check your network settings.

 

Monitoring wireless network health

Monitoring wireless network health

The Wireless Health Dashboard provides a comprehensive view of the health of your network’s wireless infrastructure. The dashboard includes widgets to display

  • AP Status – Active, Down or missing, up for over 24 hours, rebooted in past 24 hours l Client Count Over Time – viewable for past hour, day, or 30 days l Top Client Count Per-AP – separate widgets for 2.4GHz and 5GHz bands l Top Wireless Interference – separate widgets for 2.4GHz and 5GHz bands, requires spectrum analysis to be enabled on the radios
  • Login Failures Information

To view the Wireless Health dashboard, go to Monitor > Wireless Health Monitor.

 

Suppressing rogue APs

Suppressing rogue APs

In addition to monitoring rogue APs, you can actively prevent your users from connecting to them. When suppression is activated against an AP, the FortiGate WiFi controller sends deauthentication messages to the rogue AP’s clients, posing as the rogue AP, and also sends deauthentication messages to the rogue AP, posing as its clients. This is done using the monitoring radio.

To enable rogue AP suppression, you must enable monitoring of rogue APs with the on-wire detection technique. See “Monitoring rogue APs”. The monitoring radio must be in the Dedicated Monitor mode.

To activate AP suppression against a rogue AP

  1. Go to Monitor > Rogue AP Monitor.
  2. When you see an AP listed that is a rogue detected “on-wire”, select it and then select Mark > Mark Rogue.
  3. To suppress an AP that is marked as a rogue, select it and then select Suppress AP.

To deactivate AP suppression

  1. Go to Monitor > Rogue AP Monitor.
  2. Select the suppressed rogue AP and then select Suppress AP > Unsuppress AP.