Deploying Wireless Networks. FortiOS Handbook v2 for FortiOS 4.0 MR2

Transcription

1 Deploying Wireless Networks FortiOS Handbook v2 for FortiOS 4.0 MR2

2 FortiOS Handbook: Deploying Wireless Networks v2 19 October for FortiOS 4.0 MR2 Copyright 2010 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc. Trademarks Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

3 Contents Introduction 7 Before you begin How this guide is organized Document conventions IP addresses Example Network configuration Cautions, Notes and Tips Typographical conventions CLI command syntax conventions Entering FortiOS configuration data Entering text strings (names) Entering numeric values Selecting options from a list Enabling or disabling options Registering your Fortinet product Fortinet products End User License Agreement Training Documentation Fortinet Tools and Documentation CD Fortinet Knowledge Base Comments on Fortinet technical documentation Customer service and technical support Introduction to wireless networking 17 Wireless concepts Bands and channels Power Antennas Security Whether to broadcast SSID Encryption Separate access for employees and guests Captive portal Power Authentication FortiOS Handbook v2: Deploying Wireless Networks

4 Contents Wireless networking equipment FortiWiFi units Using a FortiWiFi unit as a managed WAP FortiAP units Third-party WAPs Deployment considerations Types of wireless deployment Deployment methodology Evaluating the coverage area environment Positioning access points Selecting access point hardware Single access point networks Multiple access point networks Fast Roaming Configuring a wireless LAN 25 Overview of wireless controller configuration Creating a virtual access point (wireless controller) More about security modes Creating an AP Profile (wireless controller) Adding a MAC filter Configuring a WLAN interface (standalone FortiWiFi unit) Configuring MAC filtering Configuring the WLAN interface (wireless controller) Configuring DHCP on the WLAN Configuring user authentication Creating a wireless user group Configuring firewall policies for the WLAN Customizing the captive portal Adding a disclaimer page to the captive portal Modifying the Disclaimer page Modifying the Declined Disclaimer page Enabling the disclaimer page Access point deployment 39 Network topology for managing APs Attaching an AP unit as a WAP Controller discovery methods Broadcast request Multicast request Deploying Wireless Networks for FortiOS 4.0 MR

5 Contents Static IP configuration DHCP Connecting to the FortiAP CLI Configuring a FortiWiFi unit as a WAP Discovering and adding APs Configuring the network interface for the AP unit Configure the DHCP server for the AP unit Enabling the discovered APs Wireless network monitoring 45 Monitoring wireless clients Monitoring rogue APs Monitoring with a FortiWiFi unit Monitoring with a FortiGate wireless controller Configuring wireless network clients 49 Windows XP client Windows 7 client Mac OS client Linux client Troubleshooting Checking that the client has received IP address and DNS server information.. 57 Wireless network example 59 Scenario Configuration Configuring the virtual access points Configuring the AP profile Configuring the wireless LAN interfaces Configuring authentication for employee wireless users Configuring authentication for guest wireless users Configuring firewall policies Customizing the captive portal Connecting the FortiAP units Reference 69 Wireless radio channels FortiOS Handbook v2: Deploying Wireless Networks

6 Contents Index 73 Deploying Wireless Networks for FortiOS 4.0 MR

7 Introduction Before you begin Welcome and thank you for selecting Fortinet products for your network protection. This document describes how to configure wireless networks with FortiWiFi, FortiGate, and FortiAP units. This chapter contains the following topics: Before you begin Document conventions Entering FortiOS configuration data Registering your Fortinet product Fortinet products End User License Agreement Training Documentation Customer service and technical support Before you begin using this guide, please ensure that: You have administrative access to the web-based manager and/or CLI. The FortiGate unit is integrated into your network. The operation mode has been configured. The system time, DNS settings, administrator password, and network interfaces have been configured. Firmware, FortiGuard Antivirus and FortiGuard Antispam updates are completed. FortiGuard Analysis & Management Service is properly configured. While using the instructions in this guide, note that administrators are assumed to be super_admin administrators unless otherwise specified. Some restrictions will apply to other administrators. How this guide is organized This FortiOS Handbook chapter contains the following sections: Introduction to wireless networking explains the basic concepts of wireless networking and how to plan your wireless network. Configuring a wireless LAN explains how to set up a basic wireless network, prior to deploying access point hardware. Access point deployment explains how to deploy access point hardware and add it to your wireless network configuration. Wireless network monitoring explains how to monitor your wireless clients and how to monitor other wireless access points, potentially rogues, in your coverage area. Configuring wireless network clients explains how to configure typical wireless clients to work with a WPA-Enterprise protected network. FortiOS Handbook v2: Deploying Wireless Networks

8 Document conventions Document conventions IP addresses Fortinet technical documentation uses the conventions described below. To avoid publication of public IP addresses that belong to Fortinet or any other organization, the IP addresses used in Fortinet technical documentation are fictional and follow the documentation guidelines specific to Fortinet. The addresses used are from the private IP address ranges defined in RFC 1918: Address Allocation for Private Internets, available at Most of the examples in this document use the following IP addressing: IP addresses are made up of A.B.C.D A - can be one of 192, 172, or 10 - the non-public addresses covered in RFC B - 168, or the branch / device / virtual device number. Branch number can be 0xx, 1xx, 2xx - 0 is Head office, 1 is remote, 2 is other. Device or virtual device - allows multiple FortiGate units in this address space (VDOMs). Devices can be from x01 to x99. C - interface - FortiGate units can have up to 40 interfaces, potentially more than one on the same subnet physical address ports, and non -virtual interfaces VLANs, tunnels, aggregate links, redundant links, vdom-links, etc. D - usage based addresses, this part is determined by what device is doing The following gives 16 reserved, 140 users, and 100 servers in the subnet reserved for networking hardware, like routers, gateways, etc DHCP range - users FortiGate devices - typically only use servers in general (see later for details) static range - users reserved (255 is broadcast, 000 not used) The D segment servers can be farther broken down into: servers Web servers Syslog servers Authentication (RADIUS, LDAP, TACACS+, FSAE, etc) VoIP / SIP servers / managers FortiAnalyzers FortiManagers Other Fortinet products (FortiScan, FortiDB, etc.) Other non-fortinet servers (NAS, SQL, DNS, DDNS, etc.) Fortinet products, non-fortigate, are found from FortiOS 4.0 MR

9 Document conventions The following table shows some examples of how to choose an IP number for a device based on the information given. For internal and dmz, it is assumed in this case there is only one interface being used. Table 1: Examples of the IP numbering Location and device Internal Dmz External Head Office, one FortiGate Head Office, second FortiGate Branch Office, one FortiGate Office 7, one FortiGate with VDOMs Office 3, one FortiGate, web n/a n/a server Bob in accounting on the corporate user network (dhcp) at Head Office, one FortiGate n/a n/a Router outside the FortiGate n/a n/a FortiOS Handbook v

10 Document conventions Example Network configuration The network configuration shown in Figure 1 or variations on it is used for many of the examples in this document. In this example, the network is equivalent to the Internet. The network consists of a head office and two branch offices. Figure 1: Example network configuration WLAN: SSID: example.com Password: supermarine DHCP range: Linux PC IN 10 T FortiWiFi-80CM Windows PC Internal network P 10 ort FortiAnalyzer-100B 10 Switch Po 1.1 rt 2 02 P 17 ort (s 0. 1 n i ff 20 er FortiGate-82C.14 mo 1 de.10 Po 1.1 rt Por 1.1 t 1 10 P 17 ort FortiGate-620B HA cluster.14 FortiMail-100C 1 f rt 8 r o Po mirro ( Po an rt 2 d3 Po ) p s ort 2a nd 3) rt 1 Switch He P 10 ort FortiGate-3810A 01 Linux PC rt 1 1 Po Bra 17 nch o ff Bra ice nch 2.2 o ff 0.1 ice ad o ff ice 20 WAN I 10 ntern.31 al FortiGate-51B Windows PC FortiManager-3000B rt 4 Po Cluster Port 1: FortiGate-5005FA2 Port 1: FortiGate-5005FA2 Port 1: FortiSwitch-5003A Port 1: FortiGate-5050-SM Port 1: Engineering network FortiOS 4.0 MR

11 Document conventions Cautions, Notes and Tips Fortinet technical documentation uses the following guidance and styles for cautions, notes and tips. Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment. Note: Presents useful information, but usually focused on an alternative, optional method, such as a shortcut, to perform a step. Tip: Highlights useful additional information, often tailored to your workplace activity. FortiOS Handbook v

12 Document conventions Typographical conventions Fortinet documentation uses the following typographical conventions: Table 2: Typographical conventions in Fortinet technical documentation Convention Button, menu, text box, field, or check box label CLI input CLI output Emphasis File content Hyperlink Keyboard entry Navigation Publication Example From Minimum log level, select Notification. config system dns set primary <address_ipv4> FGT # get system settings comments : (null) opmode : nat HTTP connections are not secure and can be intercepted by a third party. <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD> <BODY><H4>You must authenticate to use this service.</h4> Visit the Fortinet Technical Support web site, Type a name for the remote VPN peer or client, such as Central_Office_1. Go to VPN > IPSEC > Auto Key (IKE). For details, see the FortiOS Handbook. CLI command syntax conventions This guide uses the following conventions to describe the syntax to use when entering commands in the Command Line Interface (CLI). Brackets, braces, and pipes are used to denote valid permutations of the syntax. Constraint notations, such as <address_ipv4>, indicate which data types or string patterns are acceptable value input. Table 3: Command syntax notation Convention Square brackets [ ] Description A non-required word or series of words. For example: [verbose {1 2 3}] indicates that you may either omit or type both the verbose word and its accompanying option, such as: verbose 3 FortiOS 4.0 MR

13 Document conventions Table 3: Command syntax notation (Continued) Convention Angle brackets < > Description A word constrained by data type. To define acceptable input, the angled brackets contain a descriptive name followed by an underscore ( _ ) and suffix that indicates the valid data type. For example: <retries_int> indicates that you should enter a number of retries, such as 5. Data types include: <xxx_name>: A name referring to another part of the configuration, such as policy_a. <xxx_index>: An index number referring to another part of the configuration, such as 0 for the first static route. <xxx_pattern>: A regular expression or word with wild cards that matches possible variations, such as *@example.com to match all addresses ing <xxx_fqdn>: A fully qualified domain name (FQDN), such as mail.example.com. <xxx_ >: An address, such as [email protected]. <xxx_url>: A uniform resource locator (URL) and its associated protocol and host name prefix, which together form a uniform resource identifier (URI), such as <xxx_ipv4>: An IPv4 address, such as <xxx_v4mask>: A dotted decimal IPv4 netmask, such as <xxx_ipv4mask>: A dotted decimal IPv4 address and netmask separated by a space, such as <xxx_ipv4/mask>: A dotted decimal IPv4 address and CIDR-notation netmask separated by a slash, such as such as /24. <xxx_ipv6>: A colon( : )-delimited hexadecimal IPv6 address, such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234. <xxx_v6mask>: An IPv6 netmask, such as /96. <xxx_ipv6mask>: An IPv6 address and netmask separated by a space. <xxx_str>: A string of characters that is not another data type, such as P@ssw0rd. Strings containing spaces or special characters must be surrounded in quotes or use escape sequences. <xxx_int>: An integer number that is not another data type, such as 15 for the number of minutes. FortiOS Handbook v

14 Entering FortiOS configuration data Table 3: Command syntax notation (Continued) Convention Curly braces { } Options delimited by vertical bars Options delimited by spaces Description A word or series of words that is constrained to a set of options delimited by either vertical bars or spaces. You must enter at least one of the options, unless the set of options is surrounded by square brackets [ ]. Mutually exclusive options. For example: {enable disable} indicates that you must enter either enable or disable, but must not enter both. Non-mutually exclusive options. For example: {http https ping snmp ssh telnet} indicates that you may enter all or a subset of those options, in any order, in a space-delimited list, such as: ping https ssh Note: To change the options, you must re-type the entire list. For example, to add snmp to the previous example, you would type: ping https snmp ssh If the option adds to or subtracts from the existing list of options, instead of replacing it, or if the list is comma-delimited, the exception will be noted. Entering FortiOS configuration data The configuration of a FortiGate unit is stored as a series of configuration settings in the FortiOS configuration database. To change the configuration you can use the web-based manager or CLI to add, delete or change configuration settings. These configuration changes are stored in the configuration database as they are made. Individual settings in the configuration database can be text strings, numeric values, selections from a list of allowed options, or on/off (enable/disable). Entering text strings (names) Text strings are used to name entities in the configuration. For example, the name of a firewall address, administrative user, and so on. You can enter any character in a FortiGate configuration text string except, to prevent Cross-Site Scripting (XSS) vulnerabilities, text strings in FortiGate configuration names cannot include the following characters: " (double quote), & (ampersand), ' (single quote), < (less than) and < (greater than) You can determine the limit to the number of characters that are allowed in a text string by determining how many characters the web-based manager or CLI allows for a given name field. From the CLI, you can also use the tree command to view the number of characters that are allowed. For example, firewall address names can contain up to 64 characters. When you add a firewall address to the web-based manager you are limited to entering 64 characters in the firewall address name field. From the CLI you can do the following to confirm that the firewall address name field allows 64 characters. config firewall address tree -- [address] --*name (64) - subnet - type - start-ip - -ip FortiOS 4.0 MR

15 Registering your Fortinet product - fqdn (256) - cache-ttl (0,86400) - wildcard - comment (64 xss) - associated-interface (16) +- color (0,32) Note that the tree command output also shows the number of characters allowed for other firewall address name settings. For example, the fully-qualified domain name (fqdn) field can contain up to 256 characters. Entering numeric values Numeric values are used to configure various sizes, rates, numeric addresses, or other numeric values. For example, a static routing priority of 10, a port number of 8080, or an IP address of Numeric values can be entered as a series of digits without spaces or commas (for example, 10 or 64400), in dotted decimal format (for example the IP address ) or as in the case of MAC or IPv6 addresses separated by colons (for example, the MAC address 00:09:0F:B7:37:00). Most numeric values are standard base-10 numbers, but some fields (again such as MAC addresses) require hexadecimal numbers. Most web-based manager numeric value configuration fields limit the number of numeric digits that you can add or contain extra information to make it easier to add the acceptable number of digits and to add numbers in the allowed range. CLI help includes information about allowed numeric value ranges. Both the web-based manager and the CLI prevent you from entering invalid numbers. Selecting options from a list If a configuration field can only contain one of a number of selected options, the web-based manager and CLI present you a list of acceptable options and you can select one from the list. No other input is allowed. From the CLI you must spell the selection name correctly. Enabling or disabling options If a configuration field can only be on or off (enabled or disabled) the web-based manager presents a check box or other control that can only be enabled or disabled. From the CLI you can set the option to enable or disable. Registering your Fortinet product Before you begin configuring and customizing features, take a moment to register your Fortinet product at the Fortinet Technical Support web site, Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration. For more information, see the Fortinet Knowledge Center article Registration Frequently Asked Questions. Fortinet products End User License Agreement See the Fortinet products End User License Agreement. FortiOS Handbook v

16 Training Training Documentation Fortinet Training Services provides courses that orient you quickly to your new equipment, and certifications to verify your knowledge level. Fortinet provides a variety of training programs to serve the needs of our customers and partners world-wide. To learn about the training services that Fortinet provides, visit the Fortinet Training Services web site at or [email protected]. The Fortinet Technical Documentation web site, provides the most up-to-date versions of Fortinet publications, as well as additional technical documentation such as technical notes. In addition to the Fortinet Technical Documentation web site, you can find Fortinet technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet Knowledge Center. Fortinet Tools and Documentation CD Many Fortinet publications are available on the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For current versions of Fortinet documentation, visit the Fortinet Technical Documentation web site, Fortinet Knowledge Base The Fortinet Knowledge Base provides additional Fortinet technical documentation, such as troubleshooting and how-to-articles, examples, FAQs, technical notes, a glossary, and more. Visit the Fortinet Knowledge Base at Comments on Fortinet technical documentation Please s information about any errors or omissions in this or any Fortinet technical document to [email protected]. Customer service and technical support Fortinet Technical Support provides services designed to make sure that your Fortinet products install quickly, configure easily, and operate reliably in your network. To learn about the technical support services that Fortinet provides, visit the Fortinet Technical Support web site at You can dramatically improve the time that it takes to resolve your technical support ticket by providing your configuration file, a network diagram, and other specific information. For a list of required information, see the Fortinet Knowledge Base article FortiGate Troubleshooting Guide - Technical Support Requirements. FortiOS 4.0 MR

17 Introduction to wireless networking Wireless concepts Bands and channels This chapter introduces some concepts you should understand before working with wireless networks, describes Fortinet s wireless equipment, and then describes the factors you need to consider in planning deployment of a wireless network. The following topics are included in this section: Wireless concepts Security Authentication Wireless networking equipment Deployment considerations Wireless networking is radio technology, subject to the same characteristics and limitations as the familiar audio and video radio communications. Various techniques are used to modulate the radio signal with a data stream. Deping on the wireless protocol selected, you have specific channels available to you, deping on what region of the world you are in. IEEE a,b,and g protocols provide up to 14 channels in the GHz Industrial, Scientific and Medical (ISM) band. IEEE a,n ( , , GHz, up to 16 channels) in portions of Unlicensed National Information Infrastructure (U-NII) band Note that the width of these channels exceeds the spacing between the channels. This means that there is some overlap, creating the possibility of interference from adjacent channels, although less severe than interference on the same channel. Truly nonoverlapping operation requires the use of every fourth or fifth channel, for example ISM channels 1, 6 and 11. The capabilities of your wireless clients is the deciding factor in your choice of wireless protocol. If your clients support it, 5GHz protocols have some advantages. The 5GHz band is less used than 2.4GHz and its shorter wavelengths have a shorter range and penetrate obstacles less. All of these factors mean less interference from other access points, including your own. When configuring your WAP, be sure to correctly select the Geography setting to ensure that you have access only to the channels permitted for WiFi use in your part of the world. For detailed information about the channel assignments for wireless networks for each supported wireless protocol, see Wireless radio channels on page 69. FortiOS Handbook v2: Deploying Wireless Networks

18 Security Introduction to wireless networking Power Antennas Wireless LANs operate on frequencies that require no license but are limited by regulations to low power. As with other unlicensed radio operations, the regulations provide no protection against interference from other users who are in compliance with the regulations. Power is often quoted in dbm. This is the power level in decibels compared to one milliwatt. 0dBm is one milliwatt, 10dBm is 10 milliwatts, 17dBm, the maximum setting on Fortinet WiFi equipment, is 50 milliwatts. Received signal strength is almost always quoted in dbm because the received power is very small. The numbers are negative because they are less than the one milliwatt reference. A received signal strength of -60dBm is one millionth of a milliwatt or one nanowatt. Transmitted signal strength is a function of transmitter power and antenna gain. Directional antennas concentrate the signal in one direction, providing a stronger signal in that direction than would an omnidirectional antenna. FortiWiFi units have detachable antennas. However, these units receive regulatory approvals based on the supplied antenna. Changing the antenna might cause your unit to violate radio regulations. Security There are several security issues to consider when setting up a wireless network. Whether to broadcast SSID Encryption Users who want to use a wireless network must configure their computers with the wireless service set identifier (SSID) or network name. Broadcasting the SSID makes connection to a wireless network easier because most wireless client applications present the user with a list of network SSIDs currently being received. This is desirable for a public network. To obscure the presence of a wireless network, do not broadcast the SSID. This does not prevent attempts at unauthorized access, however, because the network is still detectable with wireless network sniffer software. Wireless networking supports the following security modes for protecting wireless communication, listed in order of increasing security. None Open system. Any wireless user can connect to the wireless network. WEP64 64-bit Web Equivalent Privacy (WEP). This encryption requires a key containing 10 hexadecimal digits. WEP bit WEP. This encryption requires a key containing 26 hexadecimal digits. WPA 256-bit Wi-Fi Protected Access (WPA) security. This encryption can use either the TKIP or AES encryption algorithm and requires a key of either 64 hexadecimal digits or a text phrase of 8 to 63 characters. It is also possible to use a RADIUS server to store a separate key for each user. WPA2 WPA with security improvements fully meeting the requirements of the IEEE i standard. Configuration requirements are the same as for WPA. Deploying Wireless Networks for FortiOS 4.0 MR

19 Introduction to wireless networking Authentication For best security use the WPA2 with AES encryption and a RADIUS server to verify individual credentials for each user. WEP, while better than no security at all, is an older algorithm that is easily compromised. With either WEP or WAP, changing encryption passphrases on a regular basis further enhances security. Separate access for employees and guests Captive portal Wireless access for guests or customers should be separate from wireless access for your employees. This does not require additional hardware. Both FortiWiFi units and FortiAP units support multiple wireless LANs on the same access point. Each of the two networks can have its own SSID, security settings, firewall policies, and user authentication. A good practice is to broadcast the SSID for the guest network to make it easily visible to users, but not to broadcast the SSID for the employee network. Two separate wireless networks are possible because multiple virtual APs can be associated with an AP profile. The same physical APs can provide two or more virtual WLANs. As part of authenticating your users, you might want them to view a web page containing your acceptable use policy or other information. This is called a captive portal. No matter what URL the user initially requested, the portal page is returned. Only after authenticating and agreeing to usage terms can the user access other web resources. For information about setting up a captive portal, see Adding a disclaimer page to the captive portal on page 34. Power Reducing power reduces unwanted coverage and potential interference to other WLANs. Areas of unwanted coverage are a potential security risk. There are people who look for wireless networks and attempt to access them. If your office WLAN is receivable out on the public street, you have created an opportunity for this sort of activity. Authentication Wireless networks usually require authenticated access. FortiOS authentication methods apply to wireless networks the same as they do to wired networks because authentication is applied in the firewall policy. The types of authentication that you might consider include: user accounts stored on the FortiGate unit user accounts managed and verified on an external RADIUS, LDAP or TACACS+ server Windows Active Directory authentication, in which users logged on to a Windows network are transparently authenticated to use the wireless network. This Wireless chapter of the FortiOS Handbook will provide some information about each type of authentication, but more detailed information is available in the Authentication chapter. What all of these types of authentication have in common is the use of user groups to specify who is authorized. For each wireless LAN, you will create a user group and add to it the users who can use the WLAN. In the identity-based firewall policies that you create for your wireless LAN, you will specify this user group. FortiOS Handbook v2: Deploying Wireless Networks

20 Wireless networking equipment Introduction to wireless networking Some access points, including FortiWiFi units, support MAC address filtering. You should not rely on this alone for authentication. MAC addresses can be sniffed from wireless traffic and used to impersonate legitimate clients. Wireless networking equipment FortiWiFi units Fortinet produces two types of wireless networking equipment: FortiWiFi units, which are FortiGate units with a built-in wireless access point/client FortiAP units, which are wireless access points compliant with the CAPWAP standard that you can control from any FortiGate unit that supports the Wireless Controller feature. FortiWiFi units support the following wireless network standards: IEEE a (5-GHz Band) (except FortiWiFi models 30B and 50B) IEEE b (2.4-GHz Band) IEEE g (2.4-GHz Band) IEEE n (5-GHz and 2.4-GHz Band) (except FortiWiFi models 30B, 50B) WEP64 and WEP128 Wired Equivalent Privacy (WEP) Wi-Fi Protected Access (WPA), WPA2 and WPA2 Auto using pre-shared keys or individual keys stored on a RADIUS server FortiWiFi models 30B and 50B do not operate on the 5GHz band and do not support n, even in the 2.4GHz band. FortiWiFi units support up to four wireless interfaces with four different SSIDs. Each wireless interface can have different security settings. FortiAP units support two wireless interfaces. You can configure the FortiWiFi unit to: Provide an access point that clients with wireless network cards can connect to. This is called Access Point mode, which is the default mode. All FortiWiFi units can have up to 4 wireless interfaces. or Connect the FortiWiFi unit to another wireless network. This is called Client mode. A FortiWiFi unit operating in client mode can only have one wireless interface. or Monitor access points within radio range. This is called Monitoring mode. You can designate the detected access points as Accepted or Rogue for tracking purposes. No access point or client operation is possible in this mode. But, you can enable monitoring as a background activity while the unit is in Access Point mode. Using a FortiWiFi unit as a managed WAP To use a FortiWiFi unit as a managed WAP, you need to switch it to wireless terminal mode by using the CLI as follows: config system global set wireless-terminal enable Deploying Wireless Networks for FortiOS 4.0 MR

21 Introduction to wireless networking Deployment considerations FortiAP units The wireless functionality of a FortiWiFi unit in wireless terminal mode cannot be controlled from the unit itself. If there are firewall devices between the wireless controller Fortinet unit and the managed FortiWiFi units, make sure that ports 5246 and 5247 are open. These ports carry, respectively, the encrypted control channel data and the wireless network data. If needed, you can change these ports in the CLI: config system global set wireless-controller-port <port_int> (access controller) set wireless-terminal-port <port_int> (access point) These commands set the control channel port. The data channel port is always the control port plus one. The port setting must match on the access controller and all access points. The FortiAP-220 unit is a wireless access point that is controlled by a FortiGate unit over Ethernet. It has the same radio capabilities as FortiWiFi models 60B and higher. Third-party WAPs FortiOS implements the CAPWAP standard. Deployment considerations Several factors need to be considered when planning a wireless deployment. Types of wireless deployment This Handbook chapter describes two main types of wireless deployment: single WAP and multiple WAP. You will know which type of deployment you need after you have evaluated the coverage area environment. Deployment methodology 1 Evaluate the coverage area environment. 2 Position access point(s). 3 Select access point hardware. 4 Install and configure the equipment. 5 Test and tune the network. Evaluating the coverage area environment Consider the following factors: Size of coverage area Even under ideal conditions, reliable wireless service is unlikely beyond 100 metres outdoors or 30 metres indoors. Indoor range can be further diminished by the presence of large metal objects that absorb or reflect radio frequency energy. If wireless users are located on more than one floor of a building, a minimum of one WAP for each floor will be needed. FortiOS Handbook v2: Deploying Wireless Networks

22 Deployment considerations Introduction to wireless networking Bandwidth required Wireless interface data rates are between 11 and 150 Mb/s, deping on the protocol that is used. This bandwidth is shared amongst all users of the wireless data stream. If wireless clients run network-intensive applications, fewer of them can be served satisfactorily by a single WAP. Note that on some FortiWiFi units you can define up to four wireless interfaces, increasing the available total bandwidth. Client wireless capabilities The n protocol provides the highest data rates and has channels in the less interference-prone 5GHz band, but it is supported only on the latest consumer devices. The g protocol is more common but offers lower bandwidth. Some older wireless client equipment supports only b with a maximum data rate of 11Mb/s. WAP radios support the protocol that you select with backward compatibility to older modes. For example, if you select n, clients can also connect using g or b. The most important conclusion from these considerations is whether more than one WAP is required. Positioning access points When placing the access point, your main concern is providing a strong signal to all users. A strong signal ensures a fast connection and efficient data transfer. A weaker signal means a greater chance of data transmission errors and the need to re-s information, slowing down data transfer. Consider the following guidelines when placing access points: Physical barriers can impede the radio signals. Solid objects such as walls, furniture and people absorb radio waves, weakening the signal. Be aware of the physical barriers in your office space that may reduce a signal. If there is enough physical interference, you may encounter dead spots that receive no signal. Ensure the access point is located in a prominent location within a room for maximum coverage, rather than in a corner. Construction materials used in a building can also weaken radio signals. Rooms with walls of concrete or metal can affect the signal strength. If you cannot avoid some of these impediments due to the shape of the office or building materials used, you may need to use multiple access points to help distribute the radio signal around the room. Figure 2 shows how positioning two FortiAP-220A units within a uniquely shaped office space helps to distribute signals around the area. Deploying Wireless Networks for FortiOS 4.0 MR

23 Introduction to wireless networking Deployment considerations Figure 2: Using multiple APs to provide a constant strong signal. Stairs Elevator Washrooms This sample office has washrooms, a stairwell and an elevator shaft in the center of the building, making it impossible to use a single access point effectively. The elevator shaft and multiple metal stalls in the washrooms can cause signal degradation. However, placing access points in diagonally opposite areas of the office provides maximum coverage. When using multiple access points, set each access point to a different channel to avoid interference in areas where signals from both access points can be received. Selecting access point hardware For a single WAP installation, you could deploy a single FortiWiFi unit. If the site already has a FortiGate unit that supports the wireless controller feature, adding a FortiAP unit is the most economical solution. For a multiple WAP deployment you need a FortiGate unit as a wireless controller and multiple FortiAP units. A FortiWiFi unit can be used as a managed WAP, but it is more expensive. The FortiAP unit offers more flexible placement. FortiWiFi units either sit on a shelf or are rack mounted. FortiAP units can be attached to any wall or ceiling, enabling you to locate them where they will provide the best coverage. Single access point networks A single access point is appropriate for a limited number of users in a small area. For example, you might want to provide wireless access for a group of employees in one area on one floor of an office building. A good rule of thumb is that one access point for can serve 3000 to 4000 square feet of space, with no user more than 60 feet from the access point. Walls and floors reduce the coverage further, deping on the materials from which they are made. Multiple access point networks To cover a larger area, such as multiple floors of a building, or multiple buildings, multiple access points are required. FortiOS Handbook v2: Deploying Wireless Networks

24 Deployment considerations Introduction to wireless networking In the wireless controller, you configure a single virtual access point, but the controller manages multiple physical access points that share the same configuration. A feature known as fast roaming enables users to move from one physical access point coverage area to another while retaining their authentication. Fast Roaming Users in a multi-ap network, especially with mobile devices, can move from one AP coverage area to another. But, the process of re-authentication can often take seconds to complete and this can impair wireless voice traffic and time sensitive applications. The FortiAP fast roaming feature solves this problem and is available only when moving between FortiAP units managed by the same FortiGate unit. Fast roaming uses two standards-based techniques: Pairwise Master Key (PMK) Caching enables a RADIUS-authenticated user to roam away from an AP and then roam back without having to re-authenticate. To accomplish this, the FortiGate unit stores in a cache a master key negotiated with the first AP. This enables the i-specified method of fast roam-back. Pre-authentication or fast-associate in advance enables an AP associated to a client to bridge to other APs over the wired network and pre-authenticate the client to the next AP to which the client might roam. This enables the PMK to be derived in advance of a roam and cached. When the client does roam, it will already have negotiated authentication in advance and will use its cached PMK to quickly associate to the next AP. This capability will ensure that wireless clients that support Preauthentication to continue the data transfer without noticeable connection issues. Deploying Wireless Networks for FortiOS 4.0 MR

25 Configuring a wireless LAN When working with a FortiGate wireless controller, you can configure your wireless network before you install any access points. If you are working with a standalone FortiWiFi unit, the access point hardware is already present but the configuration is quite similar. Both are covered in this section. The following topics are included in this section: Overview of wireless controller configuration Creating a virtual access point (wireless controller) Creating an AP Profile (wireless controller) Configuring a WLAN interface (standalone FortiWiFi unit) Configuring the WLAN interface (wireless controller) Configuring DHCP on the WLAN Configuring user authentication Configuring firewall policies for the WLAN Customizing the captive portal Overview of wireless controller configuration The FortiGate wireless controller configuration is composed of three types of object, the Virtual AP, the AP Profile and the physical Access Point. Figure 3: Conceptual view of FortiGate wireless controller configuration Security settings Virtual AP 1 Virtual AP 2 Radio settings AP Profile 1 Physical AP units AP 1 AP 2 AP 3 AP 4 FortiOS Handbook v2: Deploying Wireless Networks

26 Creating a virtual access point (wireless controller) Configuring a wireless LAN Virtual AP defines the security settings for your wireless network. This is similar to the wlan interface settings on a FortiWiFi unit and it creates a virtual network interface. You need only one virtual access point definition for a wireless network, regardless how many physical access points are provided. AP Profile defines the radio settings, such as band (802.11g for example) and channel selection. The AP Profile names the virtual APs to which it applies. Access Points represent the FortiAP units that the FortiGate unit has discovered. There is one access point definition for each FortiAP unit. An access point definition names the AP Profile that provides its settings. One reason to have more than one virtual access point is to provide different levels of service to different groups of users. Because each virtual AP creates its own virtual network interface, the firewall policies and authentication are separate, even though the radio facility defined in the AP Profile is the same. To set up your wireless network, you will need to perform the following steps. On a FortiGate wireless controller Configure the Virtual Access Point (VAP), defining the security settings for your wireless LAN (WLAN). Configure an Access Point (AP) profile, specifying the radio settings and the VAP to which they apply. On a standalone FortiWiFi unit, configure the radio and security settings for your WLAN interface. Configure DHCP to assign addresses to wireless clients. Configure DNS settings. Configure routing for the wireless LAN. Configure the user group and users for authentication on the WLAN. Configure the firewall policy for the WLAN. Configure the captive portal for authentication. After completing these steps, your standalone FortiWiFi unit is ready for use. If you are configuring a wireless controller, you will need to connect and enable your physical AP units. This is covered in the next sections, Access point deployment and Multi-AP deployments. Creating a virtual access point (wireless controller) A virtual AP defines the SSID and security settings that can be applied to one or more physical APs. On the FortiGate unit, this creates a virtual network interface with the virtual AP s name. With this interface you can define the DHCP services, firewall policies, and other settings for your wireless LAN. To configure a virtual access point - web-based manager 1 Go to Wireless Controller > Configuration > Virtual AP and select Create New. 2 Enter a Name for the Virtual AP. This will also be the name of the virtual network interface for your WLAN. 3 Enter the SSID for your WLAN and choose whether to enable SSID Broadcast or not. For more information, see Whether to broadcast SSID on page 18. Deploying Wireless Networks for FortiOS 4.0 MR

27 Configuring a wireless LAN Creating a virtual access point (wireless controller) 4 Select the Security Mode and configure the encryption key or select the RADIUS server. For more information, see More about security modes, below. 5 Optionally, set the Maximum Clients limit. The default of 0 sets no limit on the number of clients. 6 Select OK. to configure the SSID and security settings for your network. Each Virtual AP that you create is a wireless interface that establishes a wireless LAN. Go to System > Network > Interface to configure its IP address. To configure a virtual access point - CLI config wireless-controller vap edit example_wlan set ssid "example" set broadcast-ssid enable set security WPA2 set passphrase "hardtoguess More about security modes The FortiGate wireless controller supports both Wireless Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) security. WPA support includes WPA2, which has additional security improvements. WEP security uses an encryption key between the wireless device and the access point. WEP64 uses a key of ten hexadecimal digits. WEP128 keys are 26 digits long. WEP security is relatively easy to break. Wherever possible, use WPA security instead. WPA security offers more robust encryption that is much more difficult to break. WPA provides two methods of authentication: through RADIUS (802.1X) authentication or by pre-shared key. When WPA with a RADIUS server is used, the server stores the encryption key, which the administrator can change regularly to further increase security. WPA with RADIUS is also known as WPA-Enterprise. In a network setup where a RADIUS server is not a viable option, WPA also provides authentication with preshared keys using either Temporal Key Integrity Protocol (TKIP) or Advanced Encryption Standard (AES). AES is the preferred encryption, but some older wireless clients do not support it. WPA with pre-shared key is also known as WPA- Personal. To configure WPA-Personal (pre-shared key) security - web-based manager 1 Go to Wireless Controller > Configuration > Virtual AP. 2 Edit an existing Virtual AP or select Create New. 3 In Security Mode, select WPA2_Auto. 4 In Data Encryption, select AES. If some of your wireless clients do not support AES, select TKIP. 5 In Authentication, select Pre-shared Key and then enter a key between 8 and 63 characters long. 6 Select OK. FortiOS Handbook v2: Deploying Wireless Networks

28 Creating an AP Profile (wireless controller) Configuring a wireless LAN To configure FortiGate unit access to the RADIUS server - web-based manager 1 Go to User > Remote > RADIUS and select Create New. 2 Enter a Name for the server. 3 In Primary Server Name/IP, enter the network name or IP address for the server. 4 In Primary Server Secret, enter the shared secret used to access the server. 5 Optionally, enter the information for a secondary or backup RADIUS server. 6 Select OK. To configure the FortiGate unit to access the RADIUS server - CLI config user radius edit exampleradius set auth-type auto set server set secret aoewmntiasf To configure WPA-Enterprise security - web-based manager 1 Go to Wireless Controller > Configuration > Virtual AP. 2 Edit an existing Virtual AP or select Create New. 3 In Security Mode, select WPA2_Auto. 4 In Data Encryption, select AES. If some of your wireless clients do not support AES, select TKIP. 5 In Authentication, select RADIUS and then select the RADIUS server. 6 Select OK. Creating an AP Profile (wireless controller) An AP Profile configures radio settings, and selects the Virtual APs to which the settings apply. FortiAP units contain two radio transceivers, making it possible, for example, to provide both g and n service from the same access point. FortiAP units also provide a monitoring function for the Rogue AP feature. To configure an AP Profile - web-based manager 1 Go to Wireless Controller > Configuration > AP Profile and select Create New. 2 Enter a Name for the AP Profile. 3 Select your region from the Geography list. This is important for regulatory compliance. 4 In Mode, select Access Point. 5 Optionally, select Background Scan to support the Rogue AP feature. For more information see Wireless network monitoring on page 45. Deploying Wireless Networks for FortiOS 4.0 MR

29 Configuring a wireless LAN Configuring a WLAN interface (standalone FortiWiFi unit) Adding a MAC filter 6 In Band, select the wireless protocol that you want to support. Note that there are two choices for n. Select n for 2.4GHz operation or n_5G for 5GHz operation. 7 Optionally, select a Channel. The default Auto setting is usually the best option. 8 Leave the TX Power at its default setting. You can adjust this later. 9 In Virtual AP, select use the arrow buttons to move the Virtual APs (wireless LANs) to which these settings apply into the Selected list. 10 Repeat steps 4 though 9 for Radio 2, if required. Note that on the FortiAP-220 unit Radio 1 is 2.4GHz and Radio 2 is 5GHz. 11 Select OK. To configure an AP Profile - CLI This example configures only Radio 1 for g operation with automatic channel selection, applied to virtual AP example_wlan. config wireless-controller wtp-profile edit guest_prof config radio-1 set mode ap set band g set channel 0 set vaps example_wlan Optionally, you can create a list of MAC addresses that are not permitted to access the wireless access point. This is available only in the CLI. For example, config wireless-controller wtp-profile edit guest_prof config deny-mac-list edit 1 set mac 11:11:11:11:11:11 next Note: Do not rely on MAC filtering alone for your security. Malicious parties can modify their MAC address to circumvent MAC filtering. Configuring a WLAN interface (standalone FortiWiFi unit) As the standalone FortiWiFi unit contains and controls its own AP hardware, there are no virtual APs or AP Profiles. There is a single set of radio settings and the security settings are part of the wireless virtual network interface configuration. To configure the radio settings - web-based manager 1 Go to System > Wireless > Radio Settings. FortiOS Handbook v2: Deploying Wireless Networks

30 Configuring a WLAN interface (standalone FortiWiFi unit) Configuring a wireless LAN 2 Make sure that In Operation Mode is set to Access Point. 3 In Band, select the wireless protocol that you want to support. Note that there are two choices for n. Select n for 2.4GHz operation or n_5G for 5GHz operation. 4 Select your region from the Geography list. This is important for regulatory compliance. 5 Optionally, select a Channel. The default Auto setting is usually the best option. 6 Leave the TX Power and Beacon Interval at their default settings. You can adjust them later. 7 Select Apply. To configure the radio settings - CLI config system wireless settings set geography Americas set mode AP set band g set channel 0 To configure the security settings - web-based manager 1 Go to System > Wireless > Radio Settings and select wlan from the list of wireless interfaces. wlan is the default WLAN interface. Optionally, you can create up to three more wireless network interfaces in System > Network > Interface. These will be added to the list on the radio settings page. All wireless interfaces use the same radio settings. 2 Enter the IP/Netmask for your wireless network. 3 Select Enable DNS Query and select Recursive. 4 Enter the SSID for your WLAN and choose whether to enable SSID Broadcast or not. For more information, see Whether to broadcast SSID on page Select the Security Mode and configure the encryption key. For more information, see Encryption on page Select OK. To configure the security settings - CLI config system interface edit wlan set mode static set ip set dns-query recursive set wifi-security WPA-PSK set wifi-encrypt AES set wifi-passphrase hardtoguess set wifi-ssid fortinet set wifi-broadcast-ssid enable Deploying Wireless Networks for FortiOS 4.0 MR

31 Configuring a wireless LAN Configuring the WLAN interface (wireless controller) Configuring MAC filtering On FortiWiFi units, you can create a MAC address filter list to either permit or exclude a list of clients identified by their MAC addresses. This is actually not as secure as it appears. Someone seeking unauthorized access to your network can obtain MAC addresses from wireless traffic and use them to impersonate legitimate users. A MAC filter list should only be used in conjunction with other security measures such as encryption. To create a list of permitted MAC addresses - web-based manager 1 Go to System > Wireless > MAC Filter. 2 In List Access, select Allow. 3 Enter a MAC address In the MAC Address field and select Add. Repeat for each additional MAC address to allow on the network. 4 Select OK. To create a list of permitted MAC addresses - CLI config system interface edit wlan set wifi-mac-filter enable set wifi-acl allow config wifi-mac-list edit 0 set mac <address> next Configuring the WLAN interface (wireless controller) When you configure a virtual AP, you create a virtual network interface with the same name. Like any other network interface, it requires configuration, such as assignment of an IP address. To configure the WLAN interface - web-based manager 1 Go to System > Network > Interface, and edit the virtual AP interface. 2 Set the Addressing Mode to Manual and enter the IP address for the interface. 3 Select the Enable DNS Query check box and select Recursive. 4 In Administrative Access, select Ping. Ping is useful for testing. For security it is better not to enable access for administration. 5 Select OK. To configure the WLAN interface - CLI config system interface edit wlan set mode static set ip set dns-query recursive FortiOS Handbook v2: Deploying Wireless Networks

32 Configuring DHCP on the WLAN Configuring a wireless LAN Configuring DHCP on the WLAN Wireless clients need to have IP addresses. If you use RADIUS authentication, each user s IP address can be stored in the Framed-IP-Address attribute. Otherwise, you need to configure a DHCP server on the WLAN interface to assign IP addresses to wireless clients. To configure a DHCP server for WLAN clients - web-based manager 1 Go to System > DHCP Server > Service and select Create New. 2 Select your WLAN interface (same name as your virtual AP) from the Interface Name list. 3 In Mode, select Server. 4 Ensure that the Enable check box is selected. 5 Set Type to Regular. 6 Enter the IP Range and Netmask that is assigned to clients. The address range needs to be in the same subnet as the WLAN interface IP address, but not include that address. 7 Set the Default Gateway to the WLAN interface IP address. 8 Set DNS Service to Use System DNS Setting. 9 Select OK. To configure a DHCP server for WLAN clients - CLI config system dhcp server edit 0 set default-gateway set dns-service default set interface "FortiWAP" config ip-range edit 1 set -ip set start-ip set lease-time 1800 set netmask Configuring user authentication You can perform user authentication when the wireless client joins the wireless network and when the wireless user communicates with another network through a firewall policy. WEP and WPA-Personal security rely on legitimate users knowing the correct key or passphrase for the wireless network. The more users you have, the more likely it is that the key or passphrase will become known to unauthorized people. WPA-Enterprise relies on a RADIUS server for user authentication, providing separate credentials for each user. Deploying Wireless Networks for FortiOS 4.0 MR

33 Configuring a wireless LAN Configuring firewall policies for the WLAN Whether you use WPA-Enterprise or RADIUS-based firewall authentication, you need to configure the FortiGate unit to connect to the RADIUS server. Configuring connection to a RADIUS server - web-based manager 1 Go to User > Remote > RADIUS and select Create New. 2 Enter a Name for the server. This name is used in FortiGate configurations. It is not the actual name of the server. 3 In Primary Server Name/IP, enter the network name or IP address for the server. 4 In Primary Server Secret, enter the shared secret used to access the server. 5 Optionally, enter the information for a secondary or backup RADIUS server. 6 Select OK. To configure the FortiGate unit to access the RADIUS server - CLI config user radius edit exampleradius set auth-type auto set server set secret aoewmntiasf To implement WPA-Enterprise security, you select this server in the Virtual AP security settings. See More about security modes on page 27. To use the RADIUS server for firewall authentication, you can create individual user accounts that specify the authentication server instead of a password, and you then add those accounts to a user group. Or, you can add the authentication server to the user group, making all accounts on the server members of the user group. Creating a wireless user group Most wireless networks require authenticated access. To enable creation of identity-based firewall policies, you should create at least one user group for your wireless users. You can add or remove users later. There are two types of user group to consider: A Firewall user group can contain user accounts stored on the FortiGate unit or external authentication servers such as RADIUS that contain and verify user credentials. A Directory Services user group is used for integration with Windows Active Directory or Novell edirectory. The group can contain Windows or Novell user groups who will be permitted access to the wireless LAN. FSAE must be installed on the network. Configuring firewall policies for the WLAN For users on the wireless LAN to communicate with other networks, firewall policies are required. If authentication is required, as is usually the case, identity-based firewall policies are needed. The following procedure assumes that you need a policy to allow wireless users authenticated access to the Internet on port 1. To create a firewall policy - web-based manager 1 Go to Firewall > Policy and select Create New. 2 In Source Interface/Zone, select the wireless LAN interface. FortiOS Handbook v2: Deploying Wireless Networks

34 Customizing the captive portal Configuring a wireless LAN 3 In Source Address, select All. 4 In Destination Interface/Zone, select the Internet interface, for example, port1. 5 In Destination Address, select All. 6 In Action, select ACCEPT. 7 In NAT, select Enable NAT. 8 Select Enable Identity Based Policy. 9 Select Add. 10 In Available User Groups, select the wireless user group that you created earlier and then select the right arrow button to move the user group to the Selected User Groups list. 11 In Service, select ANY, or select the particular services that you want to allow, and then select the right arrow button to move the service to the Selected Services list. 12 In Schedule, select Always, unless you want to define a schedule for limited hours. 13 Optionally, select UTM and set up UTM features for wireless users. 14 Select OK. 15 Select OK. To create a firewall policy - CLI config firewall policy edit 0 set srcintf "wlan" set dstintf "port1" set srcaddr "all" set dstaddr "all" set action accept set identity-based enable set nat enable config identity-based-policy edit 1 set schedule "always" set groups "wireless_users" set service "ANY" Customizing the captive portal Adding a disclaimer page to the captive portal The term captive portal is often used to describe the authentication challenge page that users see when first connecting to the wireless network. The FortiGate unit also provides a optional disclaimer page in which you can present your acceptable use policy, perhaps even requiring the user to indicate agreement with it. FortiOS provides a disclaimer page option in identity-based firewall policies. The disclaimer page is a replacement message that you can modify to suit your organization s needs. Deploying Wireless Networks for FortiOS 4.0 MR

35 Configuring a wireless LAN Customizing the captive portal After accepting the disclaimer and authenticating, the user is redirected to the page originally requested, or optionally to a redirect page that you specified. To present a disclaimer, you need to: Modify the User Authentication Disclaimer to suit your organization s needs. Optionally, modify the Declined Disclaimer page. Enable the disclaimer page in the identity-based firewall policy that controls the WLAN s traffic and optionally specify a redirect URL. Modifying the Disclaimer page The default Disclaimer page contains an example of the kind of terms of use agreement that you might use. The Disclaimer Agreement is an HTML form that appears centred in the browser window. Figure 4: Default Disclaimer page The visible disclaimer is formatted as a table. Preceding this table are form INPUT fields containing special tags enclosed in double percentage (%) marks, %%ANSWERID%%, for example. These hidden fields should not be removed or modified. The title and disclaimer text are easily modified. The text on the two buttons can be altered. One button must call the agree() function and the other must call the decline() function and the code for the two Javascript functions at the bottom of the page must be retained unaltered. To modify the Disclaimer page - web-based manager 1 Go to System > Config > Replacement Message. 2 Expand Authentication and select the Edit button for Disclaimer page. 3 Make the desired modifications in the Message Text box and select OK. If major changes are needed, it might be easier to copy the message HTML content to an external editor for modification and then paste the modified content into the Message Text box. FortiOS Handbook v2: Deploying Wireless Networks

36 Customizing the captive portal Configuring a wireless LAN To modify the Disclaimer page - CLI Modifying replacement messages through the CLI is more difficult than using the webbased manager. The page content is contained in the buffer field. It is unformatted text that might run past the edge of your screen or wrap around, deping on your terminal. 1 Enter the following CLI command: config system replacemsg auth auth-disclaimer-page-1 get 2 Copy the content of the buffer field to another editor for modification. 3 Use the set buffer command to enter the new page content. Paste the page content into the command as a quoted string. Do not modify the other fields. 4 Enter the command. The buffer field of auth-disclaimer-page-1 is limited to bytes, which can accommodate the default page. If your replacement page is longer, you can enter the remainder of the content into the buffer field of auth-disclaimer-page-2 and, if necessary, auth-disclaimer-page-3. Modifying the Declined Disclaimer page If a user selects the No button on the Disclaimer page, the Declined Disclaimer page is displayed. This HTML page informs the user that network access requires acceptance of the disclaimer. Figure 5: Default Declined Disclaimer page Optionally, you can modify this page. You must preserve: the FORM declaration and INPUT fields at the beginning of the page body, the INPUT type=submit field for the Return to Disclaimer button, although you can change the button label, the /FORM closing tag. To modify the Disclaimer page - web-based manager 1 Go to System > Config > Replacement Message. 2 Expand Authentication and select the Edit button for Declined disclaimer page. 3 Make the desired modifications in the Message Text box and select OK. Deploying Wireless Networks for FortiOS 4.0 MR

37 Configuring a wireless LAN Customizing the captive portal To modify the Disclaimer page - CLI Modifying replacement messages through the CLI is more difficult than using the webbased manager. The page content is contained in the buffer field. It is unformatted text that might run past the edge of your screen or wrap around, deping on your terminal. 1 Enter the following CLI command: config system replacemsg auth auth-reject-page get 2 Copy the content of the buffer field to another editor for modification. 3 Use the set buffer command to enter the new page content. Paste the page content into the command as a quoted string. Do not modify the other fields. 4 Enter the command. Enabling the disclaimer page The disclaimer page is enabled in the firewall policy. To enable the disclaimer - web-based manager 1 Go to Firewall > Policy > Policy. 2 Find the policy for your wireless network and open it for editing. 3 Scroll down to the Identity-based policy section. 4 Select the Enable Disclaimer and Redirect URL check box. 5 Optionally, enter a redirect URL. To enable the disclaimer - CLI In this example, policy 1 is the wireless network to Internet policy. config firewall policy edit 1 set disclaimer enable set redirect-url " FortiOS Handbook v2: Deploying Wireless Networks

38 Customizing the captive portal Configuring a wireless LAN Deploying Wireless Networks for FortiOS 4.0 MR

39 Access point deployment This chapter describes how to configure access points for your wireless network. The following topics are included in this section: Network topology for managing APs Attaching an AP unit as a WAP Configuring a FortiWiFi unit as a WAP Discovering and adding APs Network topology for managing APs The FortiAP unit can be connected to the FortiGate unit using the following methods. Direct connection: The FortiAP unit is directly connected to the FortiGate unit with no switches between them. This configuration is common for locations where the number of FortiAP s matches up with the number of internal ports available on the FortiGate. In this configuration the FortiAP unit requests an IP address from the FortiGate unit, enters discovery mode and should quickly find the FortiGate wireless controller. This is also known as a wirecloset deployment. See Figure 6, below. Switched Connection: The FortiAP unit is connected to the FortiGate wireless controller by an Ethernet switch operating in L2 switching mode or L3 routing mode. There must be a routable path between the FortiAP unit and the FortiGate unit and that ports 5246 and 5247 are open. This is also known as a gateway deployment. See Figure 6, below Connection over WAN: The FortiGate wireless controller is off-premises and connected by a VPN tunnel to a local FortiGate. In this method of connectivity its best to configure each FortiAP with the static IP address of the WLC. Each FortiAP can be configured with three WLC IP addresses for redundant failover. This is also known as a datacenter remote management deployment. See Figure 7, below. FortiOS Handbook v2: Deploying Wireless Networks

40 Attaching an AP unit as a WAP Access point deployment Figure 6: Wirecloset and Gateway deployments Figure 7: Remote deployment Attaching an AP unit as a WAP Unless your FortiGate unit has built-in wireless capabilities (FortiWiFi or FortiGate80CM, for example), you need to connect a FortiAP unit. The FortiGate unit s wireless controller feature will manage the FortiAP unit. Both FortiAP and FortiWiFi units configured as APs can be directly connected to the FortiGate unit or connected through the network. By default, FortiAP units cycle through all four of the discovery methods described below. When configuring a FortiWiFi unit to act as an AP, you must choose which discovery method it will use. Deploying Wireless Networks for FortiOS 4.0 MR

41 Access point deployment Attaching an AP unit as a WAP Controller discovery methods A FortiAP or FortiWiFi unit can use any of four methods to locate a controller. Broadcast request The AP unit broadcasts a discovery request message to the network and the controller replies. The AP and the controller must be in the same broadcast domain. Multicast request The AP unit ss a multicast discovery request and the controller replies with a unicast discovery response message. The AP and the controller do not need to be in the same broadcast domain if multicast routing is properly configured. The default multicast destination address is It can be changed through the CLI. The address must be same on the controller and AP. For information about connecting to the FortiAP CLI, see Connecting to the FortiAP CLI on page 42. To change the multicast address on the controller config wireless-controller global set discovery-mc-addr To change the multicast address on a FortiAP unit cfg a AC_DISCOVERY_MC_ADDR= To change the multicast address on a FortiWiFi unit used as an AP config system global set wireless-terminal enable config wireless-controller global set discovery-mc-addr Static IP configuration DHCP If FortiAP and the controller are not in the same subnet, broadcast and multicast packets cannot reach the controller. The admin can specify the controller s static IP on the AP unit. The AP unit ss a discovery request message in unicast to the controller. Routing must be properly configured in both directions. To specify the controller s IP address on a FortiAP unit cfg a AC_IPADDR_1= If you use DHCP to assign an IP address to your FortiAP unit, you can also provide the wireless controller IP address at the same time. This is useful if the AP is located remotely from the wireless controller and other discovery techniques will not work. When you configure the DHCP server, configure Option 138 to specify the wireless controller IP address. You need to convert the address into hexadecimal. Convert each octet value separately from left to right and concatenate them. For example, converts to C0A FortiOS Handbook v2: Deploying Wireless Networks

42 Discovering and adding APs Access point deployment If Option 138 is used for some other purpose on your network, you can use a different option number if you configure the AP units to match. To change the FortiAP DHCP option code To use option code 139 for example, enter cfg a AC_DISCOVERY_DHCP_OPTION_CODE=139 For information about connecting to the FortiAP CLI, see Connecting to the FortiAP CLI below. Connecting to the FortiAP CLI The FortiAP unit has a CLI through which some configuration options can be set. To access the FortiAP unit CLI 1 Connect your computer to the FortiAP directly with a cross-over cable or through a separate switch or hub. 2 Change your computer s IP address to Telnet to IP address Ensure that FortiAP is in a private network with no DHCP server for the static IP address to be accessible. 4 Login with user name admin and no password. 5 Enter commands as needed. 6 Save the configuration by entering the following command: cfg c. 7 Unplug the FortiAP and plug it back in order for the configuration to take effect. Configuring a FortiWiFi unit as a WAP In the CLI, enter config system global set wireless-terminal enable The rest of the configuration is in config wireless-controller and is similar to the FortiGate wireless controller configuration. Discovering and adding APs After you prepare your FortiGate unit, you can connect your APs to discover them using the discovery methods described earlier. To prepare the FortiGate unit, you need to configure the network interface to which the AP will connect configure DHCP service on the interface to which the AP will connect connect the AP units and let the FortiGate unit discover them enable each discovered AP and assign it to an AP profile Configuring the network interface for the AP unit The interface to which you connect your wireless access point needs an IP address. No administrative access, DNS Query service or authentication should be enabled. Deploying Wireless Networks for FortiOS 4.0 MR

43 Access point deployment Discovering and adding APs To configure the interface for the AP unit - web-based manager 1 Go to System > Network > Interface and edit the interface to which the AP unit connects. 2 Set Addressing Mode to Manual and enter the IP address and netmask to use. 3 Select OK. To configure the interface for the AP unit - CLI config system interface edit port3 set mode static set ip Configure the DHCP server for the AP unit Whatever method AP units use to discover the controller, they must first be assigned an IP address. To configure the DHCP server for AP unit - web-based manager 1 Go to System > DHCP Server > Service and select Create New. 2 Select the interface to which the AP unit connects from the Interface Name list. 3 In Mode, select Server. 4 Ensure that the Enable check box is selected. 5 Set Type to Regular. 6 Enter the IP Range and Netmask that is assigned to AP units. The address range needs to be in the same subnet as the interface IP address, but not include that address. 7 Select OK. To configure the DHCP server for AP unit - CLI config system dhcp server edit 0 set default-gateway set dns-service default set interface "FortiWAP" config ip-range edit 1 set -ip set start-ip set lease-time 1800 set netmask FortiOS Handbook v2: Deploying Wireless Networks

44 Discovering and adding APs Access point deployment Enabling the discovered APs Within two minutes of connecting the AP unit to the FortiGate unit, the discovered unit should be listed on Wireless Controller > Configuration > Access Points page. Figure 8: Discovered access point unit To add the discovered AP unit - web-based manager 1 On the Wireless Controller > Configuration > Access Points page, select the access point and then select Edit. 2 Optionally, enter a Name. Otherwise, the unit will be identified by serial number. 3 Select the AP Profile that you created earlier. 4 Change Admin from Discovered to Enabled. 5 Select OK. The physical access point is now added to the system. If the Join Time column shows N/A, the access point was not added. Check that your AP Profile settings are compatible with the access point hardware. A common error is selecting the wrong bands for the FortiAP-220 radios. Radio 1 is for 2.4GHz only, Radio 2 is for 5GHz only. If the rest of the configuration is complete, it should be possible to connect to the wireless network through the AP. To add the discovered AP unit - CLI First get a list of the discovered access point unit serial numbers: get wireless-controller wtp Add a discovered unit and associate it with AP-profile1, for example: config wireless-controller wtp edit FAP22A3U set admin enable set wtp-profile AP-profile1 To view the status of the added AP unit config wireless-controller wtp edit FAP22A3U get The join-time field should show a time, not N/A. See the preceding web-based manager procedure for more information. Deploying Wireless Networks for FortiOS 4.0 MR

45 Wireless network monitoring Monitoring wireless clients You can monitor both your wireless clients and other wireless networks that are available in your coverage area. The following topics are included in this section: Monitoring wireless clients Monitoring rogue APs To view connected clients on a FortiWiFi unit On a FortiWiFi unit, go to System > Wireless > Monitor. Look at the Clients list. On a FortiGate wireless controller, go to Wireless Controller > Monitor > Wireless Clients. FortiWiFi wireless client list information MAC Address IP Address AP Name The MAC address of the connected wireless client. The IP address assigned to the connected wireless client. The name of the wireless interface that the client is connected to. FortiGate wireless controller client list information Association Time Bandwidth Rx Bandwidth Tx Bandwidth Tx/Rx Idle Time IP MAC Manufacturer Physical AP Rate Signal Strength/Noise Virtual AP How long the client has been connected to this access point. Received bandwidth used by the client, in Kbps. Transmit bandwidth used by the client, in Kbps. Bandwidth Rx + Bandwidth Tx. The total time this session that the client was idle. The IP address assigned to the wireless client. The MAC address of the wireless client. The name of the physical access point with which the client is associated. The signal-to-noise ratio in decibels calculated from signal strength and noise level. The name of the virtual access point with which the client is associated. FortiOS Handbook v2: Deploying Wireless Networks

46 Monitoring rogue APs Wireless network monitoring Monitoring rogue APs The access point radio equipment can scan for other available access points, either as a dedicated monitor or as a background scan performed while the access point is idle. Discovered access points are listed in the Unknown Access Points list until you mark them as either Accepted or Rogue access points. This designation helps you to track access points. It does not affect anyone s ability to use these access points. You need to: Enable either dedicated monitoring or background scanning on the radio. View the list of detected access points. Designate the unknown access points as either Accepted or Rogue. The procedures for doing this differ slightly between FortiWiFi units and FortiGate wireless controllers. Monitoring with a FortiWiFi unit To enable the monitoring mode 1 Go to System > Wireless > Settings. 2 Select Change beside the current operation mode. 3 Select Monitoring and then select OK. 4 Select OK to confirm the mode change. 5 Select Apply. To enable background scanning 1 While in Access Point mode, go to System > Wireless > Settings. 2 Enable Background Rogue AP Scan and then select Apply. To view discovered access points Go to System > Wireless > Rogue AP to view detected access points. To designate APs as Rogue or Accepted Monitoring with a FortiGate wireless controller To enable monitoring 1 Go to Wireless Controller > Configuration > AP Profile and edit the AP Profile. 2 For the radio that you will use for monitoring, change the Mode to Dedicated Monitor. 3 Select OK. To enable background scanning 1 Go to Wireless Controller > Configuration > AP Profile and edit the AP Profile. 2 For the radio that you will use for monitoring, select Background Scan. The radio Mode must be Access Point. 3 Select OK. Deploying Wireless Networks for FortiOS 4.0 MR

47 Wireless network monitoring Monitoring rogue APs To view discovered access points Go to Wireless Controller > Wireless Client > Wireless Client to view information about the wireless clients of your managed access points. To designate APs as Rogue or Accepted In the rightmost column of the Unknown Access Points, Rogue Access Points, and Accepted Access Points lists, there are icons to manage designating access points: Mark as Rogue AP. Move the AP to the Rogue AP list. Mark as Accepted AP. Move AP to the Accepted AP list. Forget AP. Return the AP to the Unknown Access Points list. FortiOS Handbook v2: Deploying Wireless Networks

48 Monitoring rogue APs Wireless network monitoring Deploying Wireless Networks for FortiOS 4.0 MR

49 Configuring wireless network clients Windows XP client This chapter shows how to configure typical wireless network clients to connect to a wireless network with WPA-Enterprise security. The following topics are included in this section: Windows XP client Windows 7 client Mac OS client Linux client Troubleshooting To configure the WPA-Enterprise network connection 1 In the Windows Start menu, go to Control Panel > Network Connections > Wireless Network Connection or select the wireless network icon in the Notification area of the Taskbar. A list of available networks is displayed. If you are already connected to another wireless network, the Connection Status window displays, select View Wireless Networks on the General tab to view the list. If the network broadcasts its SSID, it is listed. But do not try to connect until you have completed the configuration step below. Because the network doesn t use the Windows XP default security configuration, configure the client s network settings manually before trying to connect. FortiOS Handbook v2: Deploying Wireless Networks

50 Windows XP client Configuring wireless network clients 2 You can configure the WPA-Enterprise network to be accessible from the View Wireless Networks window even if it does not broadcast its SSID. 3 Select Change Advanced Settings and then select the Wireless Networks tab. Any existing networks that you have already configured are listed in the Preferred Networks list. 4 Select Add and enter the following information: Network Name (SSID) Network Authentication Data Encryption The SSID for your wireless network WPA2 AES Deploying Wireless Networks for FortiOS 4.0 MR

51 Configuring wireless network clients Windows XP client 5 If this wireless network does not broadcast its SSID, select Connect even if this network is not broadcasting so that the network will appear in the View Wireless Networks list. 6 Select the Authentication tab. 7 In EAP Type, select Protected EAP (PEAP). 8 Make sure that the other two authentication options are not selected. 9 Select Properties. 10 Make sure that Validate server_certificate is not selected. 11 In Select Authentication Method, select Secured Password (EAP-MSCHAPv2). FortiOS Handbook v2: Deploying Wireless Networks

52 Windows XP client Configuring wireless network clients 12 Ensure that the remaining options are not selected. 13 Select Configure. 14 If your wireless network credentials are the same as your Windows logon credentials, select Automatically use my Windows logon name and password. Otherwise, make sure that this option is not selected. 15 Select OK. Repeat until you have closed all of the Wireless Network Connection Properties windows. To connect to the WPA-Enterprise wireless network 1 Select the wireless network icon in the Notification area of the Taskbar. 2 In the View Wireless Networks list, select the network you just added and then select Connect. You might need to log off of your current wireless network and refresh the list. 3 When the following popup displays, click on it. 4 In the Enter Credentials window, enter your wireless network User name, Password, and Logon domain (if applicable). Then, select OK. In future, Windows will automatically s your credentials when you log on to this network. Deploying Wireless Networks for FortiOS 4.0 MR

53 Configuring wireless network clients Windows 7 client Windows 7 client 1 In the Windows Start menu, go to Control Panel > Network and Sharing Center > Manage Wireless Networks or select the wireless network icon in the Notification area of the Taskbar. A list of available networks is displayed. 2 Do one of the following: If the wireless network is listed (it broadcasts its SSID), select it from the list. Select Add > Manually create a network profile. 3 Enter the following information and select Next. Network name Security type Encryption type Start this connection automatically Connect even if the network is not broadcasting. Enter the SSID of the wireless network. (Required only if you selected Add.) WPA2-Enterprise AES Select Select The Wireless Network icon will display a popup requesting that you click to enter credentials for the network. Click on the popup notification. 4 In the Enter Credentials window, enter your wireless network User name, Password, and Logon domain (if applicable). Then, select OK. FortiOS Handbook v2: Deploying Wireless Networks

54 Mac OS client Configuring wireless network clients Mac OS client To configure the WPA-Enterprise network connection 1 Select the AirPort icon in the toolbar. 2 Do one of the following: If the network is listed, select the network from the list. Select Connect to Other Network. One of the following windows opens, deping on your selection. 3 Enter the following information and select OK or Join: Network name Enter the SSID of your wireless network. (Other network only) Wireless Security WPA Enterprise 802.1X Automatic Inner authentication MSCHAPv2 Username Enter your logon credentials for the wireless network. Password Remember this network Select. You are connected to the wireless network. Deploying Wireless Networks for FortiOS 4.0 MR

55 Configuring wireless network clients Linux client Linux client This example is based on the Ubuntu Linux wireless client. To connect to a WPA-Enterprise network 1 Select the Network Manager icon to view the Wireless Networks menu. Wireless networks that broadcast their SSID are listed in the Available section of the menu. If the list is long, it is continued in the More Networks submenu. 2 Do one of the following: Select the network from the list (also check More Networks). Select Connect to Hidden Wireless Network. One of the following windows opens, deping on your selection. FortiOS Handbook v2: Deploying Wireless Networks

56 Linux client Configuring wireless network clients 3 Enter the following information and select Connect: Connection Network name Wireless Security Authentication Anonymous identity CA Certificate PEAP version Inner authentication Username Password Leave as New. (Hidden network only) Enter the SSID of your wireless network. (Hidden network only) WPA & WPA2 Enterprise Protected EAP (PEAP) This is not required. (None) Automatic MSCHAPv2 Enter your logon credentials for the wireless network. 4 When asked to select a certificate authority, select Ignore. You are connected to the wireless network. To connect to a WPA-Enterprise network 1 Select the Network Manager icon to view the Wireless Networks menu. 2 Select the network from the list (also check More Networks). If your network is not listed (but was configured), select Connect to Hidden Wireless Network, select your network from the Connection drop-down list, and then select Connect. Deploying Wireless Networks for FortiOS 4.0 MR

57 Configuring wireless network clients Troubleshooting Troubleshooting Using tools provided in your operating system, you can find the source of common wireless networking problems. Checking that the client has received IP address and DNS server information Windows XP 1 Double-click the network icon in the taskbar to display the Wireless Network Connection Status window. Check that the correct network is listed in the Connection section. 2 Select the Support tab. Check that the Address Type is Assigned by DHCP. Check that the IP Address, Subnet Mask, and Default Gateway values are valid. 3 Select Details to view the DNS server addresses. The listed address should be the DNS serves that were assigned to the WAP. Usually a wireless network that provides access to the private LAN is assigned the same DNS servers as the wired private LAN. A wireless network that provides guest or customer users access to the Internet is usually assigned public DNS servers. 4 If any of the addresses are missing, select Repair. If the repair procedure doesn t correct the problem, check your network settings. Mac OS 1 From the Apple menu, open System Preferences > Network. 2 Select AirPort and then select Configure. 3 On the Network page, select the TCP/IP tab. 4 If there is no IP address or the IP address starts with 169, select Renew DHCP Lease. 5 To check DNS server addresses, open a terminal window and enter the following command: cat /etc/resolv.conf Check the listed nameserver addresses. A network for employees should us the wired private LAN DNS server. A network for guests should specify a public DNS server. FortiOS Handbook v2: Deploying Wireless Networks

58 Troubleshooting Configuring wireless network clients Linux This example is based on the Ubuntu Linux wireless client. 1 Right-click the Network Manager icon and select Connection Information. 2 Check the IP address, and DNS settings. If they are incorrect, check your network settings. Deploying Wireless Networks for FortiOS 4.0 MR

59 Wireless network example Scenario Configuration This chapter provides an example wireless network configuration. The following topics are included in this section: Scenario Configuration In this example, Example Co. provides two wireless networks, one for its employees and the other for customers or other guests of its business. The equipment for these networks consists of FortiAP-220A units controlled by a FortiGate unit. The employee network operates in n mode on both the 2.4GHz and 5GHz bands. Client IP addresses are in the /24 subnet, with the IP address of the WAP. The guest network also operates in n mode, but only on the 2.4GHz band. Client IP addresses are on the /24 subnet, with the IP address of the WAP. On FortiAP-220A units, the n mode also supports g and b clients on the 2.4GHz band and a clients on the 5GHz band. The guest network WAP broadcasts its SSID, the employee network WAP does not. Both employees and guests are authenticated by RADIUS. Guests use numbered guest accounts on a different database than the employees. The captive portal for the guests includes a disclaimer page. In this example, the FortiAP units connect to port 3 and are assigned addresses on the /24 subnet. To configure these wireless networks, you must: Configure the virtual access points Configure the AP profile Configure the wireless LAN interface Configure authentication for wireless users Configure firewall policies Customize the captive portal Configuring the virtual access points First, establish the virtual access points for the employee and guest networks. This is indepent of the number of physical access points that will be deployed. To configure the example_guest virtual access point - web-based manager 1 Go to Wireless Controller > Configuration > Virtual AP and select Create New. 2 Enter the following information and select OK: FortiOS Handbook v2: Deploying Wireless Networks

60 Configuration Wireless network example Name wlan_guest SSID example_guest SSID Broadcast Enable Security Mode WPA2 Data Encryption AES Authentication RADIUS Server, select server name guestsradius. Maximum Clients 0 To configure the example employee virtual access point - web-based manager 1 Go to Wireless Controller > Configuration > Virtual AP and select Create New. 2 Enter the following information and select OK: Name wlan_employee SSID example_guest SSID Broadcast Disabled Security Mode WPA2 Data Encryption AES Authentication RADIUS Server, select server name exampleradius. Maximum Clients 0 Configuring the AP profile The AP Profile defines the radio settings for the networks. The profile provides access to both Radio 1 (2.4GHz) and Radio 2 (5GHz) for the employee virtual AP, but provides access only to Radio 1 for the guest virtual AP. To configure the AP Profile - web-based manager 1 Go to Wireless Controller > Configuration > AP Profile and select Create New. 2 Enter the following information and select OK: Name example_ap Geography Select your region from the list. Radio 1 Mode Access Point Background Scan Enable Band n Short Guard Interval Not enabled. 20/40 MHz Channel Width Not enabled. Channel Auto (?) Tx Power 17 dbm Virtual AP Select wlan_guest and wlan_employee. Radio 2 Mode Access Point Background Scan Enable Deploying Wireless Networks for FortiOS 4.0 MR

61 Wireless network example Configuration Band n_5G Short Guard Interval Not enabled. 20/40 MHz Channel Width Not enabled. Channel Auto (?) Tx Power 17 dbm Virtual AP Select wlan_employee. Configuring the wireless LAN interfaces Configuring a virtual AP creates a virtual interface. You need to configure the IP address and DNS settings of each wireless interface. To configure the WLAN interface - web-based manager 1 If VDOMs are enabled, select Global as the Current VDOM. 2 Go to System > Network > Interface. 3 Edit the wlan_guest interface, enter the following information and select OK: Addressing mode Manual IP/Netmask /24 Enable DNS Query recursive Administrative Access Ping (to assist with testing) Leave other settings at their default values. 4 Edit the wlan_employee interface, enter the following information and select OK. Addressing mode Manual IP/Netmask /24 Enable DNS Query recursive Administrative Access Ping (to assist with testing) Leave other settings at their default values. To configure the WLAN interface - CLI config system interface edit wlan_guest set mode static set ip set dns-query recursive next edit wlan_employee set mode static set ip set dns-query recursive Configuring authentication for employee wireless users Employees have user accounts on a RADIUS server. The RADIUS server stores each user s assigned IP address in the Framed-IP-Address attribute and group name in the Fortinet-Group-Name attribute. Wireless users are in the group named wireless. FortiOS Handbook v2: Deploying Wireless Networks

62 Configuration Wireless network example The FortiGate unit must be configured to access the RADIUS server. To configure the FortiGate unit to access the employee RADIUS server - web-based manager 1 Go to User > Remote > RADIUS and select Create New. 2 Enter the following information and select OK: Name exampleradius Primary Server Name / IP Primary Server Secret aoewmntiasf Secondary Server Name / IP Optional Secondary Server Secret Optional Authentication Scheme Use default, unless server requires otherwise. Leave other settings at their default values. To configure the FortiGate unit to access the employee RADIUS server - CLI config user radius edit exampleradius set auth-type auto set server set secret aoewmntiasf To configure the user group for employee access - web-based manager 1 Go to User > User Group and select Create New. 2 Enter the following information and then select OK: Name wlan_employee_users Type Firewall Allow SSL-VPN Access Disabled Available Users/Groups / Move exampleradius to the Members list. Members Match one of these group Select Add and fill in the following fields: names Remote Server Select exampleradius. Group Name Enter wireless To configure the user group for employee access - CLI config user group edit "wlan_employee_users" set member "exampleradius" config match edit 0 set server-name "exampleradius" set group-name "wireless" Deploying Wireless Networks for FortiOS 4.0 MR

63 Wireless network example Configuration Configuring authentication for guest wireless users Guests have user accounts on a RADIUS server. The RADIUS server stores each user s assigned IP address in the Fortinet-Group-Name attribute and their group name in the Fortinet-Group-Name attribute. Wireless users are in the group named wireless. The FortiGate unit must be configured to access the RADIUS server. To configure the FortiGate unit to access the guest RADIUS server - web-based manager 1 Go to User > Remote > RADIUS and select Create New. 2 Enter the following information and select OK: Name guestradius Primary Server Name / IP Primary Server Secret grikfwpfdfg Secondary Server Name / IP Optional Secondary Server Secret Optional Authentication Scheme Use default, unless server requires otherwise. Leave other settings at their default values. To configure the FortiGate unit to access the guest RADIUS server - CLI config user radius edit guestradius set auth-type auto set server set secret grikfwpfdfg To configure the user group for guest access - web-based manager 1 Go to User > User Group and select Create New. 2 Enter the following information and then select OK: Name wlan_guest_users Type Firewall Allow SSL-VPN Access Disabled Available Users/Groups / Move guestradius to the Members list. Members Match one of these group Select Add and fill in the following fields: names Remote Server Select guestradius. Group Name Enter wireless To configure the user group for guest access - CLI config user group edit "wlan_guest_users" set member "guestradius" config match edit 0 set server-name "guestradius" FortiOS Handbook v2: Deploying Wireless Networks

64 Configuration Wireless network example set group-name "wireless" Configuring firewall policies Identity-based firewall policies are needed to enable the WLAN users to access the Internet on Port1. First you create firewall addresses for employee and guest users, then you create the firewall policies. To create firewall addresses for WLAN users 1 Go to Firewall > Address > Address. 2 Select Create New, enter the following information and select OK. Address Name wlan_guest_net Type Subnet / IP Range Subnet / IP Range /24 Interface wlan_guest 3 Select Create New, enter the following information and select OK. Address Name wlan_employee_net Type Subnet / IP Range Subnet / IP Range /24 Interface wlan_employee To create a firewall policy for guest WLAN users - web-based manager 1 Go to Firewall > Policy and select Create New. 2 Enter the following information and select OK: Source Interface/Zone Source Address Destination Interface/Zone Destination Address Action NAT wlan_guest wlan_guest_net port1 All ACCEPT Enable NAT 3 Select Enable Identity Based Policy. 4 Select Add and move wlan_guest_users to the Selected User Groups list. 5 In Service, select ANY, or select the particular services that you want to allow, and then select the right arrow button to move the service to the Selected Services list. 6 In Schedule, select Always, unless you want to define a schedule for limited hours. 7 Optionally, select UTM and set up UTM features for wireless users. 8 Select OK. 9 Select OK. Deploying Wireless Networks for FortiOS 4.0 MR

65 Wireless network example Configuration To create a firewall policy for guest WLAN users - CLI config firewall policy edit 0 set srcintf "wlan_guest" set dstintf "port1" set srcaddr "wlan_guest_net" set dstaddr "all" set action accept set identity-based enable set nat enable config identity-based-policy edit 1 set schedule "always" set groups "wlan_guest_users" set service "ANY" To create a firewall policy for employee WLAN users - web-based manager 1 Go to Firewall > Policy and select Create New. 2 Enter the following information and select OK: Source Interface/Zone Source Address Destination Interface/Zone Destination Address Action NAT wlan_employee wlan_employee_net port1 All ACCEPT Enable NAT 3 Select Enable Identity Based Policy. 4 Select Add and move wlan_employee_users to the Selected User Groups list. 5 In Service, select ANY, or select the particular services that you want to allow, and then select the right arrow button to move the service to the Selected Services list. 6 In Schedule, select Always, unless you want to define a schedule for limited hours. 7 Optionally, select UTM and set up UTM features for wireless users. 8 Select OK. 9 Select OK. To create a firewall policy for employee WLAN users - CLI config firewall policy edit 0 set srcintf "wlan_employee" set dstintf "port1" set srcaddr "wlan_emplyee_net" set dstaddr "all" set action accept set identity-based enable set nat enable config identity-based-policy FortiOS Handbook v2: Deploying Wireless Networks

66 Configuration Wireless network example Customizing the captive portal edit 1 set schedule "always" set groups "wlan_employee_users" set service "ANY" The captive portal is the page that requests the user s name and password. In this example, a title is added, Example Co. Employee Login. To customize the login page 1 Go to System > Config > Replacement Message. 2 Expand the Authentication category and open Login page for editing. 3 In the Message Text field, click to put the insertion point at the beginning of the text that says: <TR height=30 bgcolor="#008080"><td><b><font size=2 face="verdana" color="#ffffff">authentication Required</font></b></TD></TR> 4 Paste the following line into the field: <TR height=30 bgcolor="#008080"><td><b><font size=4 face="verdana" color="#ffffff">example Co. Employee Login</font></b></TD></TR> 5 Select OK. Connecting the FortiAP units You need to connect each FortiAP-220A unit to the FortiGate unit, wait for it to be recognized, and then assign it to the AP Profile. But first, you must configure the interface to which the FortiAP units connect and the DHCP server that assigns their IP addresses. In this example, the FortiAP units connect to port 3 and are controlled through IP addresses on the /24 network. To configure the interface for the AP unit - web-based manager 1 Go to System > Network > Interface and edit the port3 interface. 2 Set Addressing Mode to DHCP. 3 Select OK. To configure the interface for the AP unit - CLI config system interface edit port3 set mode static set ip To configure the DHCP server for AP units - web-based manager 1 Go to System > DHCP Server > Service and select Create New. 2 Select the port3 interface. 3 In Mode, select Server. 4 Ensure that the Enable check box is selected. Deploying Wireless Networks for FortiOS 4.0 MR

67 Wireless network example Configuration 5 Set Type to Regular. 6 In IP Range enter In Network Mask, enter In Default Gateway, enter Select OK. To configure the DHCP server for AP units - CLI config system dhcp server edit 0 set default-gateway set interface port3 config ip-range edit 1 set -ip set start-ip To connect a FortiAP-220A unit - web-based manager 1 Go to Wireless Controller > Configuration > Access Points. 2 Connect the FortiAP unit to port 3. 3 Periodically select Refresh while waiting for the FortiAP unit to be listed. Recognition of the FortiAP unit can take up to two minutes. 4 When the FortiAP unit is listed, select it and then select Edit. 5 In AP Profile, select example_ap. 6 Change Admin from Discovered to Enabled. 7 Select OK. 8 Repeat Steps 2 through 7 for each FortiAP unit. To connect a FortiAP-220A unit - CLI 1 Connect the FortiAP unit to port 3. 2 Enter config wireless-controller wtp 3 Wait 30 seconds, then enter get. Retry the get command every 15 seconds or so until a unit is listed, like this: == [ FAP22A3U ] wtp-id: FAP22A3U Edit the discovered FortiAP unit like this: edit FAP22A3U set wtp-profile example_ap set admin enable 5 Repeat Steps 2 through 4 for each FortiAP unit. FortiOS Handbook v2: Deploying Wireless Networks

68 Configuration Wireless network example Deploying Wireless Networks for FortiOS 4.0 MR

69 Reference Wireless radio channels This chapter provides some reference information pertaining to wireless networks. The following topics are included in this section: Wireless radio channels IEEE a/n channels Table 4 lists the channels supported on FortiWiFi products that support the IEEE a and n wireless standards a is available on FortiWiFi models 60B and higher n is available on FortiWiFi models 80CM and higher. All channels are restricted to indoor usage except in the Americas, where both indoor and outdoor use is permitted on channels 52 through 64 in the United States. Table 4: IEEE a (5-GHz Band) channel numbers Channel Frequency Regulatory Areas number (MHz) Americas Europe Taiwan Singapore Japan FortiOS Handbook v2: Deploying Wireless Networks

70 Wireless radio channels Reference IEEE b channel numbers Table 5 lists IEEE b channels. All FortiWiFi units support b. Mexico is included in the Americas regulatory domain. Channels 1 through 8 are for indoor use only. Channels 9 through 11 can be used indoors and outdoors. You must make sure that the channel number complies with the regulatory standards of Mexico. Table 5: IEEE b (2.4-Ghz Band) channel numbers Channel Frequency Regulatory Areas number (MHz) Americas EMEA Israel Japan Deploying Wireless Networks for FortiOS 4.0 MR

71 Reference Wireless radio channels IEEE g channel numbers Table 6 lists IEEE g channels. All FortiWiFi products support g. Table 6: IEEE g (2.4-GHz Band) channel numbers Channel Frequency Regulatory Areas number (MHz) Americas EMEA Israel Japan CCK ODFM CCK ODFM CCK ODFM CCK ODFM FortiOS Handbook v2: Deploying Wireless Networks

72 Wireless radio channels Reference Deploying Wireless Networks for FortiOS 4.0 MR

73 Index Numerics wireless protocols, 17 A access point adding, 42 enabling, 44 antenna, 18 AP profile creating, 28 described, 26 AP unit attaching, 40 authentication, 19 B band radio bands for wireless LANs, 17 bandwidth, 22 C captive portal, 19 creating, 34 certification, 16 channels for a, 69 for b, 70 for g, 71 for n 5GHz, 69 radio channels for wireless LANs, 17 CLI syntax conventions, 12 comments, documentation, 16 conventions, 8 coverage, 21 Cross-Site Scripting protection from, 14 customer service, 16 D Declined Disclaimer page modifying, 36 default password, 7 deployment, 21 DHCP for WLAN, 32 DHCP server for AP unit control channel, 43 Disclaimer page enabling, 37 modifying, 35 document conventions CLI syntax, 12 documentation, 16 commenting on, 16 conventions, 8 Fortinet, 16 E encryption types, 18 equipment FortiAP unit, 21 FortiWiFi unit, 20 wireless, 20 F FAQ, 16 fast roaming, 24 firewall policies, 33 FortiAP unit, 21 connecting to CLI, 42 FortiGate documentation commenting on, 16 FortiGuard Antispam, 7 Antivirus, 7, 15 services, 15 Fortinet Knowledge Center, 16 Technical Documentation, 16 Technical Documentation, conventions, 8 Technical Support, 16 Technical Support, registering with, 15 Technical Support, web site, 15 Training Services, 16 Fortinet customer service, 16 Fortinet documentation, 16 Fortinet Knowledge Center, 16 FortiWiFi unit, 20 configuring as an AP unit, 42 G glossary, 16 guest network, 19 H how-to, 16 I IEEE a, channels, 69 IEEE b, channels, 70 IEEE g, channels, 71 FortiOS Handbook v2: Deploying Wireless Networks

74 Index interface wireless, 20 WLAN, 20 introduction Fortinet documentation, 16 IP address private network, 8 J join time of access point, 44 K Knowledge Center, 16 M MAC filter, wireless, 29 mode operation, 7 monitoring rogue APs, 46 wireless clients, 45 N network topologies, 39 O operation mode, 7 P password administrator, 7 PMK caching, 24 power security consideration, 19 WLAN power level, 18 pre-authentication, 24 product registration, 15 R registering with Fortinet Technical Support, 15 RFC 1918, 8 S security, 18 SSID whether to broadcast, 18 T technical documentation, 16 documentation conventions, 8 notes, 16 support, 16 technical support, 16 TKIP, 27 Training Services, 16 U user group for wireless users, 33 V virtual AP creating, 26 described, 26 vulnerability Cross-Site Scripting, 14 XSS, 14 W WEP128, 20 WEP64, 20 wireless interface, 20 wireless controller discovery methods, 41 WLAN configuring DHCP, 32 firewall policies, 33 interface, 20 WLAN interface configuration standalone FortiWiFi, 29 wireless controller, 31 WPA, 20 WPA2, 20 WPA2 Auto, 20 X XSS vulnerability protection from, 14 Deploying Wireless Networks for FortiOS 4.0 MR