Wireless Starter Kit Guide
11 March 2011
01-430-139115-20110311
for FortiOS 4.0 MR3

Copyright 2011 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents
Wireless Starter Kit 5
1 Introduction 5
1.1 Key features of FortiOS 4.3 5
1.2 Minimum hardware requirements 5
2 Equipment Setup 6
2.1 Step 1: Connecting the hardware 6
2.1.1 Power source 6
2.2 Step 2: Checking the firmware 6
2.3 Step 3: Installing the default configuration file 9
2.3.1 Obtaining the configuration file 9
2.3.2 Installing the configuration file 10
2.4 Step 4: Checking Internet connectivity 11
3 DEMO 12
3.1 Introduction 12
3.1.1 Goals 12
3.1.2 SSID attributes 13
3.1.3 Users and Groups 13
3.2 Captive Portal Demo 14
3.3 WPA/WPA2 Authentication demo 15
3.3.1 Scan for FAP-Contractor SSID 15
3.4 WPA/WPA2-Enterprise Authentication demo 16
3.4.1 WPA Client Setup in dealing with certificates 17
3.4.2 Username/password authentication via 802.1X (external RADIUS) 18
3.4.3 Username/password authentication via 802.1X (local database) 18
3.5 Two-factor authentication demo 18
3.6 Policy setting and reporting 19
3.7 Visualization demo 20
3.8 Rogue AP demo 21
3.8.1 Detection 21
3.8.2 Suppression 21
Appendix A 22
A.1 Configuration using AP profiles 22
A.2 Wireless Planning and Survey 23
A.3 Fortinet Resources 23
Appendix B 24
B.1 Frequently asked questions 24
B.2 How to convert the Starter Kit configuration file to match your platform 28
Wireless Starter Kit Guide for FortiOS 4.0 MR3 01-430-139115-20110311 http://docs.fortinet.com/ Feedback
Success criteria
Once you complete these scenarios, you should be able to navigate through the wireless controller management console, set up SSIDs, and customize user and group access. The initial setup portion of this document only needs to be completed once.

Intended audience
The reader is assumed to be somewhat familiar with general Fortinet system configuration and with WLAN concepts. This document is targeted at field system engineers, Fortinet channel partners and end customers who want to demo the Fortinet Wireless solutions.

Target deployments
Fortinet's WLAN solution is targeted at customers of all sizes, from distributed retail to large enterprise. The scalability of the solution allows you to add units and incorporate features as your business grows without having to radically reconfigure the overall architecture. The default configuration in these examples assumes an educational institution as the target deployment; it can easily be modified to reflect other types of enterprises.
2 Equipment Setup
2.1 Step 1: Connecting the hardware
Connect the hardware as depicted below.
4 Go to System > Dashboard > Status and check the Firmware Version under System Information.
5 Confirm that your FortiGate or FortiWiFi device is running FortiOS v4.0 MR3. If it is not, upgrade the controller's firmware as follows:
1) Go to https://support.fortinet.com and log in with your FortiCare credentials.
2) Go to Download > Firmware Images > FortiGate.
3) Download the FortiOS 4.0 MR3 firmware image for your FortiGate unit to your computer.
4) On the FortiWiFi-80CM's console, go to Dashboard > Status and click the [Update] link next to Firmware Version under System Information.
5) Select Browse, locate the firmware file that you downloaded, and then select OK.
6) Wait until the process completes, then refresh the screen. You should see the correct firmware version displayed: Version 4.0 MR3.
To verify the FortiAP unit firmware
1 On the FortiWiFi-80CM unit, go to Wireless Controller > Managed Access Points > Managed FortiAP.
2 The FortiAP units should be listed. If necessary, select Refresh at the top of the FortiWiFi-80CM unit's main page. Confirm that the FortiAP state does not show Disconnected.
3 Confirm that the OS Version column shows v4.0, build210.
4 If an OS upgrade is required, log on to the Support web site at https://support.fortinet.com/.
5 Go to Download > Firmware Images.
6 Select FortiAP > v4.00 > 4.0MR3.
7 Download the file that corresponds to your model (in our example that is FAP22Bv4.0-build210, but yours might be different).
8 To upload the firmware to the FortiAP, set its permission to Authorized and then select Upgrade:
9 Wait for the firmware download to complete; both the PWR and STATUS lights on the FortiAP should then show solid green.
10 From the FortiGate GUI, confirm that the OS version has been updated to the new version.
Note: The default configuration file is for a FortiWiFi 80CM controller. The same configuration file may be modified for installation in other Fortinet products. Please see the appendix for instructions.
2 Make sure your FortiAP access point has the correct demo profile.
3 DEMO
3.1 Introduction
3.1.1 Goals
This demonstration has the following goals:
- To create and showcase a full-featured wireless environment quickly, and demonstrate the capabilities of FortiOS and FortiAP.
- To set up distinct wireless networks for Employee, Guest and Contractor users with different policies.
- To demonstrate various authentication options and authorization databases, such as:
  Captive portal for guest authentication
  Captive portal with two-factor authentication
  WPA/WPA2 shared key (Personal mode)
  WPA/WPA2 with internal user database authentication (Enterprise mode)
  WPA/WPA2 with external RADIUS authentication (Enterprise mode)
If the configuration has been successful, you will see the following SSIDs when scanning for access points on your laptop:
FAP-Guest
FAP-Contractor
FAP-Faculty
FAP-Student
Each SSID is configured slightly differently to demonstrate the features and security capabilities of the FortiGate hardware and FortiOS software.
The following table lists the attributes of each group (SSID). Note that the IP addresses reflect the configuration file settings. Since FortiOS is configured in NAT mode, these network addresses will not interfere with your general network settings unless they are exactly the same subnets; in that case, change the respective IP addresses to resolve the overlap. The keywords shown in red in the original document indicate the key differences between the settings.
SSID            IP address   Authentication    Authorization DB   VLAN tagging   Policy       UTM   DHCP     DMZ interface   WAN interface
FAP-Guest       172.16.1.x   Captive Portal    Local User DB      N/A            WAN only     IPS   Server                   NAT
FAP-Contractor  172.16.2.x   WPA/WPA2-PSK      Shared key         N/A            Everywhere   IPS   Server                   NAT
FAP-Faculty     172.16.3.x   WPA/WPA2 RADIUS   External RADIUS    N/A            Everywhere   IPS   Server                   NAT
FAP-Student     172.16.4.x   WPA/WPA2PSK       Local User DB      N/A            Everywhere   IPS   Server                   NAT
There are user groups and SSIDs associated with the above users.
Note: Opening subsequent windows does not require re-authentication for the period specified on the console.
Caution: Incorrect permission settings in the controller and/or wrong data, such as an incorrect DNS address, will prevent a successful connection.
Caution: Make certain you specify the authentication mode in Windows. Otherwise, the RADIUS connection will fail.
4 You should see a third dialog box pop up, where you can enter the token.
3.8.2 Suppression
Rogue APs may be suppressed. The process first determines whether an AP is indeed a rogue device connected to your physical wired LAN.
How it works:
- The wireless radio collects and reports wireless BSSID information.
- The FortiAP also collects wired MAC addresses seen via ARP requests and sends them to the FortiGate.
- The FortiGate compares the collected wireless MAC addresses to the information collected on the wire. If wireless traffic to non-Fortinet APs is also seen on the wire, an on-wire alert is generated, signaling an unauthorized WiFi device on the network.
- MAC address collection via FortiAP can be used to increase coverage across multiple L3 subnets.
- Deauthentication frames are sent to render unauthorized rogue APs unusable by clients.
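The on-wire correlation step described above, written out as an added Python example (this is not Fortinet code and does not reflect how FortiOS implements the check). It takes two constructed inputs, the BSSIDs reported by radio scans and the MAC addresses seen on the wire via ARP, and flags unmanaged BSSIDs that appear on the wired LAN. The exact-match rule is what the guide describes; the "adjacent MAC" rule (a wired MAC within a small numeric window of the BSSID) is an assumed heuristic added here, because consumer APs commonly derive their BSSIDs from the wired interface address. The dataclass, function names and sample addresses are all assumptions.

```python
# Added illustration of on-wire rogue AP correlation; not Fortinet code.
# The data structures, the adjacency window and the sample observations
# are assumptions constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class WirelessObservation:
    """One BSSID reported by a FortiAP radio scan."""
    bssid: str
    ssid: str
    managed: bool  # True when the BSSID belongs to one of our own FortiAP radios


def normalize(mac: str) -> str:
    """Canonical lower-case, colon-separated form for comparison."""
    return mac.strip().lower().replace("-", ":")


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' into an integer so MACs can be compared numerically."""
    return int(normalize(mac).replace(":", ""), 16)


def is_adjacent(mac_a: str, mac_b: str, window: int) -> bool:
    """Assumed heuristic: an AP's wired MAC and its BSSIDs are usually numerically
    close, so a wired MAC within +/- window of a BSSID suggests the same box."""
    return abs(mac_to_int(mac_a) - mac_to_int(mac_b)) <= window


def correlate_on_wire(observations, wired_macs, window=1):
    """Return on-wire alerts: unmanaged BSSIDs whose MAC (exact match) or a
    neighbouring MAC (adjacent match) has also been seen on the wired LAN."""
    wired = sorted({normalize(m) for m in wired_macs})  # sorted for deterministic output
    alerts = []
    for obs in observations:
        if obs.managed:
            continue  # our own FortiAP radios are authorized by definition
        bssid = normalize(obs.bssid)
        if bssid in wired:
            alerts.append({"bssid": obs.bssid, "ssid": obs.ssid,
                           "match": "exact", "wired_mac": bssid})
            continue
        near = [m for m in wired if is_adjacent(bssid, m, window)]
        if near:
            alerts.append({"bssid": obs.bssid, "ssid": obs.ssid,
                           "match": "adjacent", "wired_mac": near[0]})
    return alerts


# Constructed sample data (not from any real network).
SAMPLE_WIRELESS = [
    WirelessObservation("00:09:0f:aa:bb:c0", "FAP-Guest", managed=True),
    WirelessObservation("2c:3a:e8:12:34:56", "FreeWiFi", managed=False),    # rogue: wired MAC one below
    WirelessObservation("00:11:22:33:44:55", "Linksys", managed=False),     # rogue: same MAC on wire
    WirelessObservation("d8:50:e6:99:88:77", "CoffeeShop", managed=False),  # neighbour, not on our LAN
]
SAMPLE_WIRED_ARP = ["2c:3a:e8:12:34:55", "00:11:22:33:44:55", "00:09:0f:aa:bb:01"]


def run_demo():
    """Correlate the constructed samples; returns the alert list."""
    return correlate_on_wire(SAMPLE_WIRELESS, SAMPLE_WIRED_ARP)


if __name__ == "__main__":
    for alert in run_demo():
        print(f"on-wire rogue: {alert['ssid']} ({alert['bssid']}) "
              f"matched wired {alert['wired_mac']} [{alert['match']}]")
```

The neighbouring coffee-shop AP produces no alert because nothing matching it is ever seen on the wire, which is the distinction the guide draws between a merely visible AP and a rogue on your LAN. The adjacency window is deliberately small; widening it raises detection but also raises false positives on dense networks, so treat adjacent matches as candidates to verify rather than as confirmed rogues.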
Appendix A
A.1 Configuration using AP profiles
The FortiWiFi wireless controller configuration is composed of three types of objects: the SSID, the AP Profile and the physical Access Point.
Physical AP: Represents a FortiAP unit that the FortiWiFi unit has discovered. There is one access point definition for each FortiAP.
SSID: Defines the security settings for your wireless network. This is similar to the WLAN interface settings on a FortiWiFi unit, and it creates a virtual network interface.
AP Profile: Defines the radio settings, such as band (802.11g, for example) and channel selection.
Support: https://support.fortinet.com/
KnowledgeBase: http://www.fortinet.com/solutions/wireless.html
Appendix B
B.1 Frequently asked questions
Q: What are the power configuration options?
A: Thin access points (FortiAP) use different adaptors than FortiWiFi/FortiGate units. Make certain that you are using the correct power source for these units:
- 12V 1.5 A adaptor for FortiAP-210A/220B
- 12V 3.0 A adaptor for FortiGate/FortiWiFi-80C
If the management console is hard to reach, you may download and use PuTTY, a free SSH/Telnet client available from several sources. You need to specify the IP address of the controller to reach its management CLI. For example, the following case shows 172.16.2.1, which is the IP address of FAP-Faculty. The CLI Console under System > Dashboard > Status provides another way to enter commands.
B.2 How to convert the Starter Kit configuration file to match your platform
1 Back up the configuration of your current platform.
2 Open the configuration file in WordPad.
3 Copy the first 3 lines of the configuration file.
4 Paste them into the supplied configuration file.
#config-version=FW80CM-4.00-FW-build422110216:opmode=0:vdom=0:user=admin
#conf_file_ver=12487487194791228822
#buildno=0422
#global_vdom=1
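The header transplant in the four steps above, as an added Python example (not a Fortinet tool). It assumes that both files begin with a run of '#'-prefixed header lines, of which the '#config-version=' line names the platform first (as in the FW80CM header printed above), and it replaces the whole leading header block of the Starter Kit file with the one taken from the target platform's backup. The Starter Kit header lines are the ones printed in this appendix; the remainder of that file and the entire platform backup are constructed stand-ins with placeholder values.

```python
# Added example for the conversion procedure above; not Fortinet tooling.
# Assumption: a FortiOS config file opens with a block of '#' header lines and
# the '#config-version=' line starts with the platform token (e.g. FW80CM-...).
import re

CONFIG_VERSION_RE = re.compile(r"^#config-version=([A-Za-z0-9]+)-")


def split_header(text):
    """Split config text into (header_lines, body_lines).
    The header is the run of leading lines that start with '#'."""
    lines = text.splitlines()
    n = 0
    while n < len(lines) and lines[n].startswith("#"):
        n += 1
    return lines[:n], lines[n:]


def config_platform(text):
    """Return the platform token from the #config-version header, or None."""
    header, _ = split_header(text)
    for line in header:
        m = CONFIG_VERSION_RE.match(line)
        if m:
            return m.group(1)
    return None


def transplant_header(platform_backup, starter_kit_config):
    """Return the Starter Kit configuration with its header block replaced by
    the header block taken from the backup of the target platform."""
    if config_platform(platform_backup) is None:
        raise ValueError("backup has no #config-version header line")
    header, _ = split_header(platform_backup)
    _, body = split_header(starter_kit_config)
    return "\n".join(header + body) + "\n"


# Header lines of the supplied Starter Kit file as printed in the guide,
# followed by a constructed stand-in for the rest of the file.
STARTER_KIT = """#config-version=FW80CM-4.00-FW-build422110216:opmode=0:vdom=0:user=admin
#conf_file_ver=12487487194791228822
#buildno=0422
#global_vdom=1
config system global
    set hostname "starter-kit"
end
"""

# Constructed backup from a hypothetical target platform (placeholder values only).
PLATFORM_BACKUP = """#config-version=EXAMPLEMODEL-4.00-FW-build0422-000000:opmode=0:vdom=0:user=admin
#conf_file_ver=0000000000000000000
#buildno=0422
#global_vdom=1
config system global
    set hostname "target-unit"
end
"""


def run_demo():
    """Produce the converted Starter Kit file for the constructed target platform."""
    return transplant_header(PLATFORM_BACKUP, STARTER_KIT)


if __name__ == "__main__":
    print(run_demo())
```

Swapping the header only makes the file acceptable to the target platform's importer; the body still contains the FortiWiFi-80CM interface names and other platform-specific settings, so review those (and keep the backup from step 1) before loading the converted file.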