Course 203 - Fortinet Wireless

Module 3 Device Identification

Fortinet Wireless Course 203

Module 3 Device Identification

2012 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or distributed to anyone without prior written consent of an authorized representative of Fortinet.

Objectives Identify the device Identification features of FortiOS and describe device identification techniques Describe how to apply device identification features to a VAP interface Configure to control access of wireless clients based on device type in a hands-on lab

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 3 Device Identification

Device identification (BYOD) Bring Your Own Device (BYOD)

Trend where employees and visitors prefer to use their own mobile devices for work and expect to be able to connect these devices to the corporate network. network

Device Identification by traffic analysis:

MAC addresses (Fortinet Devices only) Signature based detection of device types DHCP VCI OS identification based on TCP traffic analysis OS and dh host t id identification tifi ti b based d on web b and d email il protocol t l commands d and d headers
For example HTTP UserAgent and POP3 USER

Device identification (BYOD) Device detection is dependent on the being enabled in the interface via the device-identification command.
co config g syste system interface te ace
edit "port1 set device-identification (enable|disable*) set device-user-identification (enable*|disable)

Per-vdom settings on what to detect

config system network-visibility.

Global setting of the device types FortiOS detects is hardcoded System process src-vis (device identification) Discovered devices are periodically saved to flash and are restored at boot
4

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 3 Device Identification

Device identification (BYOD) Devices can be manually identified in the config:

config user device
edit me me set mac-address set type type name set user user name

end

Once the device is created it can be added to a device group

config user device-group. device group

Device identification (BYOD) User & Devices > Device > device
diag user device list.

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 3 Device Identification

Access List Device access lists:

config user device-access-list edit "name name set default-action <accept*|deny> config device-list edit 0 set action <accept|deny*> set device "name ... end end

Access List Device access lists may be assigned to interfaces to control inbound access
config system interface edit port1 set device-access-list "name end

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 3 Device Identification

Device-identity Policy Each device-identity policy entry may have one or more devices, device-groups or device categories specified. 3 possible actions
accept (the default) deny Captive portal

UTM options are only available when the action is 'accept'.

Device-identity Policy 3 Captive portal Options

device-identification (default) email-collection email collection (attach an email to the device) forticlient-download (force FortiClient install)

10

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 3 Device Identification

Device-identity Policy Device-identify

Identifies the device through the HTTP user-agent

11

Device-identity Policy email-collection

Used in conjunction with device type collected emails collects an email to be associated with the device

12

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 3 Device Identification

Device-identity Policy

config sys setting set email-portal-check-dns [enable|disable] end

13

Device-identity Policy Enforce FortiClient compliance

Forces the use of Endpoint control

14

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 3 Device Identification

Logging Traffic log with portal and device information

15

Wi-Fi Device Monitor and Enforcement

Use device access list to deny/allow station association request
Apply your device-access-list on VAP interface
config system interface edit "EAP-Test EAP Test set device-identification enable set device-access-list "Android"
config user device-access-list edit "Android" set default-action allow config device-list edit 1 set device "Android Phone set action deny

STATION denied due to BYOD-ACL on association

16

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 3 Device Identification

Wi-Fi Device Monitor and Enforcement

diagnose wireless-controller wlac -c byod_detected INDEX VFID MAC ACT TYPE USER

-------------wlan(root/0, EAP-Test) acl (Android)----------------------0 0 00:0b:7d:26:2b:4d accept Windows PC wifi 1 0 00:25:bc:45:a5:55 accept iPhone 2 0 00:c0:ca:65:f1:ff accept Linux PC 3 0 18:34:51:43:12:52 accept iPhone 4 0 40:a6:d9:70:c5:28 accept iPhone 5 0 48:60:bc:10:c5:2f accept iPhone 6 0 58:94:6b:53:9f:80 accept Windows PC eric 7 0 a0:0b:ba:b5:ed:2c deny Android Phone 8 0 b4:07:f9:0b:58:cd deny Android Phone 9 0 d0:23:db:35:46:12 accept iPhone 10 0 e0:b9:a5:6f:f4:20 deny Android Phone -------------wlan(root/0, FAP_Test) acl (none)-----------------------------------wlan(root/0, guest) acl (none)-----------------------------------wlan(root/0, wlan(root/0 hotel) acl (none)----------------------(none) -------------wlan(root/0, mesh.root) acl (none)-----------------------------------wlan(root/0, test) acl (none)-----------------------------------wlan(root/0, vlan40) acl (none)-----------------------

ACL in action

17

Lab Device Identification on a Virtual Access Point interface

18

01-05002-RevA-0203-20130520