2012 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or distributed to anyone without prior written consent of an authorized representative of Fortinet.
Objectives
- List the components and advantages of the FortiGate integrated wireless controller and the wireless solution
- Identify the key configuration requirements of an SSID
- Describe the purpose of the Virtual Access Point in the FortiOS configuration
- Describe the configuration of security and authentication settings for a wireless LAN
- Identify the purpose of MAC filtering
- Identify the managed AP topologies
- Identify the goals and describe the main phases of the CAPWAP protocol
01-05002-RevA-0203-20130520
Objectives (continued)
- Describe the basic access point configuration settings for a simple wireless LAN deployment
- Perform a wireless network deployment using equipment in a hands-on lab
- Enterprise-class feature set
- Dedicated built-in air monitoring
- Internal or external antenna design
- Highest value at a competitive price
FortiGates as Controllers
- 20+ platforms to meet any requirement
- Leverages the same models already on the market
- 10 Mbps to 40 Gbps wireless LAN capacity
- Programmable control and data planes, hardware-based cryptography
- Centralized management
Corporate Wi-Fi
- Examines wireless traffic to remove threats
- Identifies applications and destinations of interest
- True stateful firewall controls users and applications
- Ensures business traffic has right of way
- Reports on policy violations, application usage, destinations and PCI DSS
FortiWiFi
- Standalone thick AP: WiFi radio physically integrated into the FortiGate device
- One WiFi radio, used as an AP with background scan or as a dedicated rogue AP monitor
- IEEE 802.11a/b/g/n on the 60 and 80 models
- Runs full FortiOS with VPN
- Ideal for a distributed office with space under 300 square meters
FortiAP Models
- Centrally managed thin AP: requires a separate FortiGate as wireless controller
- Single or dual WiFi radio for simultaneous communication on the 2.4 GHz and 5 GHz bands, or simultaneous air monitor and AP, or mesh
- a/b/g/n bands standard
- Runs a thin OS
- Ideal for larger indoor or outdoor installations, or for existing customers looking for WiFi capability from existing FortiGates
FortiAP model comparison (table residue; only model names and a partial spec row survive):
Models: FAP-210B (2x2:2), FAP-11C Personal (1x1:1), FAP-11C, FAP-14C, FAP-28C
Columns: Performance, Bands
Partial spec row: 802.3af, 1x1 single stream, 65 Mbps, 1 internal antenna, 2x FE (one LAN and one WAN)
Wireless Controller Configuration
- Make sure the FortiGate wireless controller is configured for your geographic location
- Optionally, configure a custom Access Point (AP) profile
- Configure one or more SSIDs for your wireless network
- Optionally, configure the user group and users for authentication on the WLAN
- Configure the firewall policy for the WLAN
- Optionally, customize the captive portal
- Optionally, configure access points
AP profile (screenshot): Security Settings, Radio Settings
Configuring SSIDs
The Virtual Access Point (VAP) interface is the interface used for traffic tunneled back to the wireless controller, and it includes the network settings of the interface.
Configuring SSIDs
The SSID defined is associated with the VAP interface created.
The security mode of the SSID is defined here.
Encrypt communications
- Advanced Encryption Standard (AES)
- Temporal Key Integrity Protocol (TKIP)
Wireless Authentication
- Authentication methods apply to wireless networks the same as they do for wired networks
- Users can also be authenticated against local user groups on the FortiGate device
- External authentication servers (RADIUS, LDAP, TACACS+ and Windows Active Directory) are also available
- For each wireless LAN, create one or more user groups and add the users who can access the WLAN
MAC Filtering
- Permit or exclude a list of clients based on the MAC address of their computer
- Should be used in conjunction with other security measures: unauthorized users could capture MAC addresses from network traffic and use them to impersonate legitimate users
- Configured on a per-SSID/VAP interface basis
- Used for devices that cannot perform a user authentication, such as a printer or a games console
Virtual Access Points (VAP)
- A Virtual Access Point defines the security settings that can be applied to one or more physical Access Points
- Each VAP creates its own virtual network interface on the FortiGate unit
- Define DHCP services, firewall policies and other settings for the wireless LAN
- This interface can then be used for firewalling, traffic inspection, QoS, ...
Intra-SSID Privacy
- This feature benefits hotspot users by keeping their traffic private from other users on the same SSID
- Prevents man-in-the-middle attacks from other PCs on the same network
- Undesirable when you have other devices in the SSID you connect to, such as a wireless printer
Switched Connection
- The FortiAP unit is connected to the wireless controller on the FortiGate unit by an Ethernet switch
- There must be a routable path between the FortiAP device and the FortiGate unit
Distributed
- WLAN mesh model: WTPs repeat traffic over wireless neighbor nodes
Full Mesh
Full Mesh
- The mesh SSID replaces the wired distribution network between root and leaf APs
- Usually the backhaul SSID uses a dedicated radio, but a shared radio is also supported
- Default SSID: fortinet.mesh.vdom
- The mesh SSID is bridged with the Ethernet port on the root AP
- The root AP has a wired connection back to the wireless controller
- When tunneling traffic back to the FortiGate, the leaf APs use the mesh SSID to reach the controller
Full Mesh
- An automatically created VAP interface and SSID is dedicated to the backhaul
- Once the mesh SSID is enabled on an AP, it accepts requests from other APs configured to use it
- Wireless clients cannot connect to the mesh-backhaul SSID
- The default mesh SSID may be deleted and replaced with a new configuration
Local Bridge
- Local bridge mode allows SSIDs to be centrally managed without backhauling the traffic to the wireless controller
- Wireless traffic is bridged to the local Ethernet port
- VLAN support increases the number of bridges from one
- It is also possible to bridge an SSID to a local port on the FortiGate device using a software switch configuration
Discover and Authorize FortiAP
- Configure the FortiGate Ethernet interface to which the AP will connect
- Configure DHCP service on the interface to which the AP will connect, if providing AP addresses via DHCP
- The AP requires its own address, independent of any wireless device connecting to the VAP (SSID)
- Connect the AP units and let the FortiGate unit discover them
- Authorize each discovered AP if you want to manage it from that controller; edit it to change its automatic settings or create a custom AP profile
Multicast request
- The controller and AP do not need to be in the same broadcast domain if multicast routing is configured
- The default multicast destination IP address is 224.0.1.140
Static IP address
- The administrator specifies the controller's static IP address on the FortiAP unit
- Routing must be configured in both directions
DHCP
- Identifies the controller address when the AP's IP address is assigned
- Useful when the AP is on a remote site
- The IP address of the controller must be converted into hexadecimal in the DHCP option field
Configuring FortiAP using CLI
- The FortiAP unit has a CLI through which some configuration options can be set
- Log in with user name admin and no password
- Display help:
    cfg h
CAPWAP Wireless Controller and FortiAP Configuration
- A FortiAP unit can use any of four methods to locate a controller
- By default, FortiAP units cycle through all four of the discovery methods
- In most cases there is no need to make configuration changes on the FortiAP unit
- The next few slides look at these four methods
Broadcast
- The AP unit broadcasts a discovery request message to the network and the controller replies
- The AP and the controller must be in the same broadcast domain
- No configuration adjustments are required
Multicast
- The AP unit sends a multicast discovery request and the controller replies with a unicast discovery response message
- The AP and the controller do not need to be in the same broadcast domain if multicast routing is properly configured
- The default multicast destination address is 224.0.1.140; it can be changed through the CLI
- The address must be the same on the controller and the AP
DHCP
If you use DHCP to assign an IP address to your FortiAP unit, you can also provide the WiFi controller IP address at the same time. When you configure the DHCP server, configure Option 138 to specify the WiFi controller IP address. You need to convert the address into hexadecimal: convert each octet value separately from left to right and concatenate them.
For example, 10.10.10.31 converts to 0A0A0A1F.
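The octet-to-hex conversion above, as an added example that is not part of the Fortinet training material. It encodes one or more controller addresses into the Option 138 value and decodes a value back for verification; the slide shows a single address, and the list form follows RFC 5417, which defines Option 138 as a list of IPv4 addresses (an assumption beyond what the slide states).

```python
# Added example (not Fortinet code): build and verify the DHCP Option 138 value
# that points a FortiAP at its wireless controller. Each octet is written as two
# uppercase hex digits and the octets are concatenated, e.g. 10.10.10.31 -> 0A0A0A1F.
import ipaddress


def encode_option138(controllers):
    """Return the concatenated hex string for one or more controller IPv4 addresses.

    Accepting a list follows RFC 5417 (Option 138 carries a list of IPv4
    addresses); the training slide only shows the single-address case.
    """
    if not controllers:
        raise ValueError("at least one controller address is required")
    parts = []
    for addr in controllers:
        ip = ipaddress.IPv4Address(addr)  # rejects malformed or non-IPv4 input
        # ip.packed is the 4-byte big-endian form, i.e. the octets left to right
        parts.append("".join(f"{octet:02X}" for octet in ip.packed))
    return "".join(parts)


def decode_option138(hex_value):
    """Parse an Option 138 hex string back into dotted-quad addresses.

    Useful for checking a value already typed into a DHCP server: a length that
    is not a multiple of 8 hex digits means an octet was dropped or duplicated.
    """
    if len(hex_value) % 8 != 0:
        raise ValueError("Option 138 value must be a multiple of 8 hex digits")
    raw = bytes.fromhex(hex_value)
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


if __name__ == "__main__":
    value = encode_option138(["10.10.10.31"])  # constructed sample from the slide
    print(value, decode_option138(value))     # 0A0A0A1F ['10.10.10.31']
```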
DHCP
If Option 138 is used for some other purpose on your network, you can use a different option number if you configure the AP units to match. To change the FortiAP DHCP option code, to use option code 139 for example, enter:
    cfg a AC_DISCOVERY_DHCP_OPTION_CODE=139
FortiAP GUI Simplified provisioning for FortiAP with the addition of a GUI
Configuring a FortiWiFi unit as a WiFi AP
FortiWiFi units running FortiOS 4.3 can also be deployed as managed APs controlled by a FortiGate unit wireless controller.
In the CLI, enter:
    config system global
        set wireless-mode wtp
    end
The feature was removed in FortiOS 5.0.
Unlike FortiAP units, a FortiWiFi unit deployed as an AP does not cycle through the discovery methods. You must select one discovery method to use:
    config wireless-controller global
        set ac-discovery-type dhcp
    end
CAPWAP Protocol Overview
- The CAPWAP protocol is a generic protocol defining AC (Wireless Controller) and WTP (FortiAP) control and data plane communication via a CAPWAP protocol transport mechanism
- CAPWAP stands for Control and Provisioning of Wireless Access Points
- CAPWAP carries control and data traffic via two channels
- CAPWAP Control messages, and optionally CAPWAP Data messages, are secured using Datagram Transport Layer Security (DTLS)
Goals of CAPWAP
- Centralize the authentication and policy enforcement functions for a wireless network
- Reduce cost and increase efficiency by applying the capabilities of network processing to the wireless network
- Move higher-level protocol processing away from the WTP (FortiAP)
- Leave the time-critical applications of wireless control and access in the WTP (FortiAP)
- Support the emergence of centralized IEEE 802.11 Wireless Local Area Network (WLAN) architectures, in which simple IEEE 802.11 WTPs are managed by an Access Controller (FortiOS Wireless Controller)
- The Wireless Controller and FortiAP exchange is complete and the FortiAP is enabled
- In tunnel mode, client data frames are encapsulated between the FortiAP and the Wireless Controller