Wireless Starter Kit 40 mr3 PDF

Wireless Starter Kit Guide
for FortiOS 4.0 MR3
Wireless Starter Kit Guide 11 March 2011 01-430-139115-20110311 for FortiOS 4.0 MR3 Copyright 2011 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc. Trademarks Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents
Wireless Starter Kit 5
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 1.1 Key features of FortiOS 4.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 1.2 Minimum hardware requirements . . . . . . . . . . . . . . . . . . . . . . . . 5 2 Equipment Setup . . . . . . . . . . . . . . . . . . 2.1 Step 1: Connecting the hardware . . . . . . 2.1.1 Power source . . . . . . . . . . . . . 2.2 Step 2: Checking the firmware . . . . . . . . 2.3 Step 3: Installing the default configuration file 2.3.1 Obtaining the configuration file. . . . . 2.3.2 Installing the configuration file . . . . . 2.4 Step 4: Checking Internet connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 6 6 6 9 9 10 11 12 12 12 13 13 14 15 15 16 17 18 18 18 19 20 21 21 21 22 22 23 23 24 24 28
3 DEMO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1.1 Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1.2 SSID attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1.3 Users and Groups . . . . . . . . . . . . . . . . . . . . . . . . . . 3.2 Captive Portal Demo . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.3 WPA/WPA2 Authentication demo . . . . . . . . . . . . . . . . . . . . . 3.3.1 Scan for FAP-Contractor SSID . . . . . . . . . . . . . . . . . . . 3.4 WPA/WPA2-Enterprise Authentication demo . . . . . . . . . . . . . . . 3.4.1 WPA Client Setup in dealing with certificates . . . . . . . . . . . . 3.4.2 Username/password authentication via 802.1X (external RADIUS) . 3.4.3 Username/password authentication via 802.1X (local database) . . 3.5 Two-factor authentication demo . . . . . . . . . . . . . . . . . . . . . . 3.6 Policy setting and reporting . . . . . . . . . . . . . . . . . . . . . . . . 3.7 Visualization demo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.8 Rogue AP demo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.8.1 Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.8.2 Suppression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Appendix A . . . . . . . . . . . . . . . A.1 Configuration using AP profiles A.2 Wireless Planning and Survey . A.3 Fortinet Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Appendix B . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B.1 Frequently asked questions . . . . . . . . . . . . . . . . . . . . . . . . . . B.2 How to convert the Starter Kit configuration file to match your platform . . . .
Wireless Starter Kit Guide 01-430-139115-20110311 http://docs.fortinet.com/ Feedback
Contents
Wireless Starter Kit Guide for FortiOS 4.0 MR3 01-430-139115-20110311 http://docs.fortinet.com/ Feedback
Wireless Starter Kit

1 Introduction
The purpose of the Wireless Starter Kit is to provide an effective and simplified way of showcasing the capability of FortiAP thin Wireless access points while managed by a wireless controller running FortiOS 4.3. The goal is not to produce a substitute for other Fortinet documents that provide a comprehensive picture of WLANs and pertinent products. This document applies to FortiOS 4.0 MR3 software and the following FortiAP models: FortiAP-210B FortiAP-220B
Success criteriaOnce you complete these scenarios, you should be able to navigate through the wireless controller management console, setup SSIDs, and customize user and group access. The initial setup portion of this document needs to only be completed once. Intended audienceThe assumption is that the reader is somewhat familiar with the general Fortinet systems configuration and WLAN concepts. This document is targeted at field system engineers, Fortinet channel partners and end customers who like to demo the Fortinet Wireless solutions. Target deploymentsFortinets WLAN solution is targeted for all customers sizes from distributed retail to large enterprise. The scalability attribute of solution allows you to add units and incorporate features as your business grows without the need to radically reconfigure the overall architecture. The default configuration in these examples assumes an educational institution as the target deployment. That can easily be modified to reflect other types of enterprises.
1.1 Key features of FortiOS 4.3

Wireless LAN Controller features are incorporated In FortiOS 4.3, and customer who acquire this version for the first time or upgrade to it may start configuring and managing their WLANs. Both FortiGate and FortiWiFi platforms running on 4.3 are capable of managing WLANs. It is important to remember than thin access points (FortiAP) require a controller to configure, manage and monitor them.
1.2 Minimum hardware requirements

One FortiAP 210B or 220B access point One FortiWiFi (or FortiGate) unit model 50A or higher One personal computer running Windows XP, Vista or 7 operating system with WiFi Capability Cables and other relevant accessories
2 Equipment Setup
2 Equipment Setup
2.1 Step 1: Connecting the hardware
Connect the hardware as depicted below.
2.1.1 Power source

All Fortinet access points can be powered via supplied AC power adaptor. That is the method we use in these demonstrations. For more information, please refer to Appendix B on page 24. You may also use Power Over Ethernet (PoE) as an alternate approach.
2.2 Step 2: Checking the firmware

Ensure that the FortiAP and/or FortiWiFi have the right firmware versions installed. We go through the steps to show how you can verify the version and update the firmware if needed. To verify the FortiGate unit firmware First check to see the version of firmware installed on your FortiWiFi controller: 1 Connect the units as in the above diagram. Before SSIDs are properly configured in the FortiWiFi unit, you need to use a network cable to connect the PC to the Wireless Controller. 2 If your FortiGate unit is set to factory defaults use your browser to connect to http://192.168.1.99 (this is a local connection, not an Internet site). 3 Log in with user name admin and blank password (default).
2 Equipment Setup
4 Go to System > Dashboard > Status and check the Firmware version under System Information.
5 Confirm that your FortiGate or FortiWiFi device is running FortiOS v4.0 MR3 version. If not, you must upgrade controllers firmware by following these steps: 1) Go to https://support.fortinet.com and login with your FortiCare login credentials. 2) Go to Download > Firmware Images > FortiGate.
3) Download the respective FortiOS 4.0MR3 firmware for your FortiGate unit to your computer. 4) On the FortiWiFi-80CMs console, go to Dashboard > Status and click on the [Update] link for Firmware Version under System Information.
5) Select Browse, find the firmware file that you downloaded and the select OK. 6) Wait till the process is completed and refreshing the screen indicates the right firmware. You should see the correct firmware version displayed: Version 4.0 MR3
2 Equipment Setup
To verify the FortiAP unit firmware 1 On the FortiWiFi-80CM unit, go to Wireless Controller > Managed Access Points> Managed FortiAP. 2 The FortiAP units should be listed. If necessary, select Refresh on the top of the FortiWiFi-80CM units main page. Confirm that the FortiAP state does not show Disconnected 3 Confirm that the OS Version column shows v4.0, build210.
4 If an OS upgrade is required, log on to the Support web site at https://support.fortinet.com/. 5 Go to Download > Firmware Images. 6 Select FortiAP > v4.00 > 4.0MR3.
7 Download the file that corresponds to your model (in our example, that is FAP22Bv4.0-build210, but yours might be different).
2 Equipment Setup
8 In order to upload the firmware to FortiAP, you need to set the permission to Authorized and then select Upgrade:
9 After successful completion of firmware download (you should see both PWR and STATUS lights on the FortiAP showing solid green). 10 From the FortiGate GUI, please confirm that the OS version has been successfully updated to show the new version.
2.3 Step 3: Installing the default configuration file

The Starter Kit includes a configuration file which simplifies entering the default configuration settings into your FortiWiFi WLAN controller unit.
2.3.1 Obtaining the configuration file

The configuration file is included with the zip file containing this document. If you do not have the configuration file please visit http://docs.fortinet.com/ to download the Fortinet Wireless Starter Kit zip file. 1 Expand the .zip file to obtain the configuration file FWF-80-Starter_Kit_20100907.conf. 2 If your device is not a FortiWiFi-80CM, please follow the instructions in the appendix to convert the supplied configuration file to fit your platform.
2 Equipment Setup
2.3.2 Installing the configuration file

1 Use the Restore function to install the configuration file in the system.
Note: The default configuration file is for a FortiWiFi 80CM controller. The same configuration file may be modified for installation in other Fortinet products. Please see the appendix for instructions.
2 Make sure your FortiAP access point has the correct demo profile.
10
2 Equipment Setup
2.4 Step 4: Checking Internet connectivity

On the FortiGate GUI System > Network > Interface, confirm that WAN1 has been provided with an IP address via DHCP. If not please consult your system administrator to assign you an IP address. Please refer to the FortiOS Administration Guide found at http://docs.fortinet.com/ for instructions.
11
3 DEMO
3 DEMO
3.1 Introduction 3.1.1 Goals
This demonstration has the following goals: To create and showcase a full featured wireless environment quickly, and demonstrate the capabilities of the FortiOS and FortiAP. Setup Distinct wireless networks for Employee, Guest, Contractor with different policies. Demonstration of various authentication options and authorization databases such as: Captive portal for guest authentication Captive Portal with two factor authentication WPA/WPA2 shared key (Personal Mode) WPA/WPA2 with Internal user database authentication (Enterprise Mode) WPA/WPA2 with External RADIUS authentication (Enterprise mode) If the configuration has been successful, you will see the following SSIDs when scanning for access points on your laptop. FAP-Guest FAP-Contractor FAP-Faculty FAP-Student
Each SSID is configured slightly differently to demonstrate the features and security Capabilities of the FortiGate and FortiOS software.
The following table illustrates the attributes of each group (SSID). Note that the IP addresses reflect the configuration file settings. Since the FortiOS is configured in the NAT mode, these network addresses will not interfere with your general network settings unless they are exactly the same subnets. In this situation please change the respective IP addresses to address any overlap conflict. The keywords in Red indicate key differences between settings.
12
3 DEMO
SSID IP address Authentication Authorization DB VLAN tagging Policy UTM DHCP DMZ interface WAN interface
FAP-Guest 172.16.1.x Captive Portal Local User DB N/A WAN only IPS Server NAT
FAP-Contractor 172.16.2.x
FAP-Faculty 172.16.3.x
FAP-Student 172.16.4.x
WPA/WPA2-PSK WPA/WPA2 RADIUS WPA/WPA2PSK Shared key N/A Everywhere IPS Server NAT External RADIUS N/A Everywhere IPS Server NAT Local User DB N/A Everywhere IPS Server NAT
3.1.2 SSID attributes

The following table illustrates the access grants between individual SSIDs. The assumptions made here only reflect one type of implementation and you may make changes as necessary.
To -> From FAP-Guest FAP-Contractor FAP-Faculty FAP-Student INTERNAL YES FAPGuest NO YES YES YES YES YES YES YES YES YES FAPFAPContractor Faculty FAPStudent WAN YES-NAT YES-NAT YES-NAT YES-NAT YES-NAT YES YES YES YES INTERNAL
3.1.3 Users and Groups

The sample configuration file contains 5 defined users, each with specific use cases and needs. These users in the sample configuration file are designed for an academic institution and consist of the following groups: faculty1 guest1 guest2 student1 token1
There are user groups and SSIDs associated with the above users.
13
3 DEMO
3.2 Captive Portal Demo

1 Open Wireless Configuration and connect to FAP-Guest SSID. 2 Once connected, open a browser and connect to your favorite website. 3 You will be redirected to the Captive Portal page for login. 4 Please login using: username: guest1 password: guest1
You will be redirected to your favorite website if login was successful
Note: Subsequent invocation of windows does not require re-authentication for the period specified on the console.
Caution: Incorrect permission settings in the controller and/or wrong data such as false DNS address will prevent a successful connection.
14
3 DEMO
3.3 WPA/WPA2 Authentication demo

Ensure that WPA and WPA2 modes are supported. If PC does not show WPA as an authentication option then either the NIC driver is not current or the required windows Service Pack 2 (SP2) patches are not installed.
3.3.1 Scan for FAP-Contractor SSID

Connect to the AP with WPA shared key: fortinet Validate that you have received an IP address in the range 172.16.x.x by typing ipconfig at the command line. Browse to your favorite website to demonstrate secure wireless connectivity
15
3 DEMO
3.4 WPA/WPA2-Enterprise Authentication demo

WPA Enterprise mode (aka 802.1X) enables user and password credential based authentication vs. a shared key authentication. Username and passwords are derived from your RADIUS server or the built in Directory Server on the Wireless Controller. 1 Configure your own RADIUS (DemoRadius). 2 Click on User > Remote > RADIUS. 3 Click on DemoRadius. 4 Change the IP address to reflect your Radius address. 5 Change the shared key to reflect your Radius authentication credential. 6 Connect with FAP-Faculty. 7 Enter user credentials from RADIUS. 8 Active Directory user database can be accessed in this mode as well
Caution: Make certain you specify the authentication mode in Windows. Otherwise, the RADIUS connection will fail.
16
3 DEMO
3.4.1 WPA Client Setup in dealing with certificates

The Extensible Authentication Protocol (EAP) is a provision of 802.1x that allows a variety of means of authenticating clients. This involves issuing potential client machines with digital certificates which have been signed by some authority. The access point achieves this by requesting the client's certificate and passing it to the Radius server, which then checks to validate the authenticity of the certificate and whether the named client is allowed access. These certificates are also used as a starting point for the cryptographic process.
17
3 DEMO
Note: This is applicable to FAP-Faculty and FAP-Student Enterprise authentication only.
3.4.2 Username/password authentication via 802.1X (external RADIUS)

To showcase the ability to support username/password authentication via 802.1X (only when External RADIUS is available) 1 Go to User > Remote > RADIUS > RadiusExternal. Change the Radius server IP address and secret to match your RADIUS server. 2 Scan for FAP-Faculty SSID 3 Connect to the AP with username: faculty1 / password: faculty1 4 Validate that you have received IP address in range 172.16.x.x 5 Browse to your favorite website to demonstrate secure wireless connectivity
3.4.3 Username/password authentication via 802.1X (local database)

To showcase the ability to support username/password authentication via 802.1x to a locally hosted database on the Wireless Controller 1 Scan for FAP-Student SSID 2 Connect to the AP with username: student1 / password: student1 3 Validate that you have received IP address in range 172.16.x.x 4 Browse to your favorite website to demonstrate secure wireless connectivity
3.5 Two-factor authentication demo

This part showcases two-factor authentication using FortiToken (FTK-200) and the captive portal. 1 Go to User > FortiToken >FortiToken and modify the serial number of your FortiToken. The Configuration file is populated with a serial number which needs to change to reflect your data. Default user token1 is already a member. 2 Make certain under User > Monitor > Firewall, there are no pre-authenticated users recorded.
3 Connect to the FAP-Guest with username: token1 / password: token1.
18
3 DEMO
4 You should see the 3rd dialog box pop-up where you may enter the token.
3.6 Policy setting and reporting

Forti-AP supports the creation of individual SSID profiles that are associated with a single, physical access point. To the wireless controller, each SSID appears as an independent interface that may be subject to standard firewall and application control policies. You can design and manage security policies for each SSID. FortiGate capabilities are at full display and the combination of broad WiFi features with in-depth UTM, IPS and traffic shaping attributes offer a powerful mix. FortiAP in that sense delegates fine-grain security and control to the wireless controller.
19
3 DEMO
3.7 Visualization demo

You may create a new dashboard and add from widget libraries to track specific data. In this case, we added Session History, Top Sessions, Per-IP Bandwidth Usage and Traffic History as our select widgets.
The configuration file ships with the following preconfigured Dashboard.
20
3 DEMO
3.8 Rogue AP demo 3.8.1 Detection

If Rogue AP detection is turned on, then Rogue APs can be monitored. Some of these APs belong to your neighbors, but others may be unauthorized APs connected to your wired network
3.8.2 Suppression
Rogue APs may be suppressed. The process is as follows: It determines whether an AP is indeed a Rogue device connected to your physical wired LAN network How it works Wireless Radio collects and reports wireless BSSID information FortiAP also collects Wired MAC addresses seen via ARP requests and sends them to FortiGate FortiGate compares collected Wireless MAC addresses to information collected on wire. If wireless traffic to non-Fortinet APs are also seen on the wire an on-wire alert is generated signaling an unauthorized WiFi device on the network. MAC address collection via FortiAP can be used to increase coverage across multiple L3 subnets Deauthentication Frames are sent to render unauthorized Rogue APs unusable by clients.
Rogue AP suppression techniques
21
Appendix A
Appendix A
A.1 Configuration using AP profiles
The FortiWiFi wireless controller configuration is composed of three types of objects, the SSID, the AP Profile and the physical Access Point. Physical AP Represents a FortiAP unit that the FortiWiFi unit has discovered. There is one access point definition for each FortiAP. Defines the security settings for your wireless network. This is similar to the WLAN interface settings on a FortiWiFi unit and it creates a virtual network interface. Defines the radio settings, such as band (802.11g for example) and channel selection
SSID
AP Profile
A single change to AP profiles propagates to all APs in that profile
22
Appendix A
A.2 Wireless Planning and Survey

Ekahau pre deployment planner can be used to identify the wireless coverage and signal fidelity for larger installations The tool also enables post installation site survey to validate that the installation meets the performance goals set for the wireless network. Contact your Reseller or Fortinet Rep for more information Please use version 5.0.9 or above
A.3 Fortinet Resources Sales

http://www.fortinet.com/contact_us/
Support
https://support.fortinet.com/
KnowledgeBase
http://www.fortinet.com/solutions/wireless.html
23
Appendix B
Appendix B
B.1 Frequently asked questions Q: What are the power configuration options?
A: Thin access points (FortiAP) use different adaptors than FortiWiFi/FortiGate. Make certain that you are using the correct power source for these units.
12V 1.5 Amp adaptor for FortiAP-210A/220B 12V 3.0 Amp adaptor for FortiGate/FortiWiFi-80C
Q: Where do I access the firmware for my access points and controllers?

You need to create an account with Fortinets customer service and support portal to download the firmware.
24
Appendix B
Q: Which platforms/devices support Rogue AP detection and suppression?

A: All wireless controllers support the feature; all thin access points support the feature as well. The only applicable limitation pertains to using a wireless client capability of a Thick AP which in that case only FWF-60C supports the feature.
Q: How do I know that the traffic across all SSIDs is enabled?

A: By default all SSID traffic that is set as firewall policy is active. To make certain, go to Firewall >Policy >Policy and observe that all the boxes in the status column are checked:
Q: How do I make changes to the configuration settings?

A: The sample configuration file maybe superseded by manual configuration of groups and policies. It can also be modified in the System Dashboard to correctly reflect the nature of organization using the solution. For example, Faculty may change to Manager and Student to Employee in an enterprise setting.
Q: How do I revert to factory default settings on wireless controller?

A: If for any reason you need to reset the FortiWiFi-80CM configuration to factory default, follow these steps: If you have access to the CLI console (in System > Dashboard), enter exec factoryreset to bring the unit back to factory default:
25
Appendix B
If the management console is hard to reach, you may download and use PuTTY, the connection manager which is available for free from several sources. You need to specify the IP address of the controller to reach its management CLI. For example, the following case shows 172.16.2.1 which is the IP address of FAP-Faculty. The CLI Console under System > Dashboard > Status will also provide another input method.
Q: How do I customize a particular set of attributes like UTM?

A: You may navigate through wireless controller menu in order to make changes to the default configuration or create custom profiles for a given SSID. Typically a good place to start is the SSID section. The configuration file that you downloaded has not set any attributes for the UTM or similar features. To make changes, you need to use the dashboard and navigate to the right section to make changes.
Q: How do I set authentication timeout for sessions?

A: Under User > User > Authentication, the timeout can be set. Case in point: when captive portal is used and a user is authenticated, subsequent sessions do not require reauthentication if the given timeout window has not expired. The shorter the window, the stricter the security would be.
26
Appendix B
Q: Where can I observe traffic data?

A: Under System > Dashboard you may observe specific widgets that are either included in the configuration file or may be customized.
Q: How do I turn on custom profiles

A: Custom profiles are turned off by default on desktop model FortiGate units. Use the following command to enable them. config system global set gui-ap-profile enable end
27
Appendix B
B.2 How to convert the Starter Kit configuration file to match your platform
1 Backup the configuration of your current platform. 2 Open the configuration file in WordPad. 3 Copy the first 3 lines of the configuration file. 4 Paste them into the supplied configuration file. #config-version=FW80CM-4.00-FW-build422110216:opmode=0:vdom=0:user=admin #conf_file_ver=12487487194791228822 #buildno=0422 #global_vdom=1
28

Wireless Starter Kit 40 mr3 PDF

Transféré par

Informations du document

Description originale:

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Wireless Starter Kit 40 mr3 PDF

Transféré par

Droits d'auteur :

Formats disponibles

Wireless Starter Kit Guide

for FortiOS 4.0 MR3

Wireless Starter Kit Guide 01-430-139115-20110311 http://docs.fortinet.com/ Feedback