203 Lab Guide

Date post: 25-Oct-2015
Page 1: 203 Lab Guide

LAB SETUP  (page 2)

LAB 1: FORTIGATE WIRELESS CONFIGURATION USING A FORTIAP DEVICE  (page 4)
    Exercise 1: Configuring a wireless LAN  (page 4)

LAB 2: DEVICE IDENTIFICATION  (page 8)
    Exercise 1: BYOD configuration for a VAP  (page 8)

LAB 3: IMPROVING WIRELESS SECURITY WITH WPA-ENTERPRISE SECURITY  (page 10)
    Exercise 1: PEAP using local user group  (page 10)
    Exercise 2: Captive Portal  (page 11)

LAB 4: CUSTOM AP PROFILES  (page 12)
    Exercise 1: Configuring rogue AP detection  (page 12)

LAB 5: PUTTING IT ALL TOGETHER  (page 14)
    Exercise 1: Using FortiAuthenticator for PEAP authentication  (page 14)
    Exercise 2: Setting up Full Mesh Wireless on FortiGate Unit Using Two FortiAP Units  (page 16)

Lab Setup

Please note that the following information is for reference only; this setup will have been completed by the instructor.

The following instruction assumes one FortiGate VM01 and one FortiAP per student. You may adapt the instruction to use a physical FortiGate device if you prefer. The FortiAP device used in this training is the 220B; you may also use a different device and adapt the instruction accordingly. You also require a FortiAuthenticator VM per student, although you may use the inbuilt trial license.

For desktop virtualization we use VMware Player in this instruction.

First install the VMware Player application on your PC. You will require administrator privileges to do this.

Next copy the FortiGate and FortiAuthenticator VMs, in OVF format, which will be used for this class and open and import both VMs with the VMware Player application.

We use two interfaces on the FGT: one as the default route and wireless AP distribution system, and one for the internal network. Note that this setup relies on DHCP being available on the network the laptops and APs connect to. The FortiAP 220B has Power-over-Ethernet interfaces, so you may use a PoE switch; the mesh lab, however, does require a power supply for the AP connecting over the wireless mesh.

The setup used in this training uses the Ethernet port of the laptop.

The Virtual Network Editor (vmnetcfg.exe) is required for this setup and is not included in VMware Player by default. You therefore need to install VMware Workstation on another system and copy this file from the Program Files directory on the source system to the target system running VMware Player. Note that you must use the version of Workstation compatible with your version of Player.

The FortiGate uses the following VMware vmnet interfaces:

Vmnet1 (host-only) which maps to port2.

Vmnet0 (bridged) which maps to port1.

From the Virtual Network Editor, edit interface Vmnet1 (host-only) and change the subnet IP to 10.0.1.0/24 and disable the DHCP service on this interface.

From VMware Player edit the FGT VM settings and choose vmnet0 for port1 (the first interface in the list) and vmnet1 for port2.

From VMware Player edit the FortiAuth VM settings and choose vmnet1 for port1 (the first interface in the list).

Configure the PC vmnet1 interface as 10.0.1.10/24.

Start up the FGT VM, connect to the console and format the log disk; this is required for local logging and for other services to function.


When the FGT restarts, connect to the CLI and set port1 and port2:

    config system interface
        edit port1
            set mode dhcp
            set defaultgw enable
        next
        edit port2
            set ip 10.0.1.254/24
            set allowaccess http https ping ssh
    end

Disable the PC firewall as this will interfere with traffic to and from the guest OS.

Connect to the FortiGate GUI, http://10.0.1.254. Connect via http first because without the license installed only weak encryption is supported with the VM inbuilt evaluation license. If you cannot connect to the GUI check the previous settings.

Install the VL license and configure the firewall with an accept policy for port2 to port1 and enable NAT.

Lab 1: FortiGate Wireless Configuration using a FortiAP Device

This lab supports the learning objectives for module 2. You will configure a basic wireless network using WPA and pre-shared key. You will manage an AP device to work with your wireless controller and configure firewall policies for the wireless clients.

1. Connect to FGT GUI and to the CLI (10.0.1.254/24).

2. Set your FortiGate system time and date correctly; this step is essential for logs and certificates.

3. Next, set the proper geographic location (the default is US):

    config wireless-controller setting
        set country US
    end

Note: The country defines the acceptable radio settings for your region.

To change this value you must first remove the predefined WTP profiles by entering the following CLI commands:

    config wireless-controller wtp-profile
        purge
    end


4. On the FortiGate web-based manager, go to WiFi Controller > Managed Access Points > Managed FortiAP. If your AP is not listed, select Refresh. Discovery of the FortiAP unit can take up to two minutes. If, however, the FortiAP is still not listed under Managed FortiAP after two minutes, perform the following steps:

Check that the ethernet port on the FortiAP unit is up

Power cycle the FortiAP unit

If necessary, connect a console cable to the AP, log in as ‘admin’ and enter ‘factoryreset’. When the AP restarts, log in again and enter ‘ifconfig br0’ to check that the AP has obtained an IP address from the DHCP server in your training facility.

Seek assistance from your instructor if none of the above steps resolve the issue.

5. From the FortiGate Wi-Fi Controller, right-click the FortiAP and select Authorize. Wait for the authorization to complete. If the AP is still not listed please discuss this with your instructor.

6. When Authorized, right-click again and select edit and name your AP. Verify that the FortiAP firmware version is the correct version for your training. Accept default settings. Select OK.

7. Go to Wifi Controller > Wifi Network > SSID and select Create New to define your wireless network. Configure the following settings:

Interface Name: <you choose>

IP/Netmask: 10.10.10.1/255.255.255.0

Administrative Access: Ping

Traffic Mode: Tunnel to Wireless Controller

8. Enable DHCP with the following settings:

Address Range: 10.10.10.10 - 10.10.10.20

Netmask: 255.255.255.0

Default Gateway: Same as Interface IP

DNS Server: Same as System DNS


9. Configure the security settings as follows:

SSID: <you choose>

Security Mode: WPA/WPA2-Personal

Data Encryption: AES

Pre-shared Key: <you choose>

Select OK.

10. Create firewall policies for the wireless clients.

Go to Policy > Policy > Policy and select Create New to add a wireless-to-internal-network policy for your wireless clients. Configure the following settings:

Source Interface/Zone: <your ssid>

Source Address: All

Destination Interface/Zone: port2

Destination Address: All

Schedule: Always

Service: All

Action: Accept

Source NAT is not required for this policy since the Wireless and internal networks are visible to each other. A second policy in the reverse direction would be required for bidirectional communication between the internal wired and wireless networks. Select Create New to add a wireless to Internet policy that allows wireless clients to access the Internet. Configure the following settings:

Source Interface/Zone: <your ssid>

Source Address: All

Destination Interface/Zone: port1

Destination Address: All

Schedule: Always

Service: All

Action: ACCEPT

Select Enable NAT and Use Destination Interface Address. Click OK.


11. Test your wireless network. This instruction assumes you have a mobile device which you can use for this test: look for your SSID and attempt to connect.

Connect and enter the preshared key when prompted. Verify that you can ping your PC and that you can connect to the Internet. You can go to Wireless Controller > Monitor > Client Monitor to view information about the clients that are connected to your Wireless network.

12. Access the FortiAP GUI.

Note the IP address of your AP and from your browser connect to that address via HTTP. View the System and Wireless information. The Wireless information should display your configured SSID. You can also connect to the FortiAP via telnet. If necessary, enter the following command on the FortiGate to enable telnet on your managed AP.

    config wireless-controller wtp
        edit <name>
            set login-enable enable
    end

13. Use the following diagnostic commands to look at the wireless controller and access point communication.

On the FortiGate:

    diag sniff packet any 'port 5246'
    diag debug app cw_acd 5

On the FortiAP:

    # cw_debug app cwWtpd 5

To see the CAPWAP control and data channels from the FortiGate use the following commands; note that -c looks at the control channel and -d looks at the data channel:

    diag wireless-controller wlac -c wtp
    diag wireless-controller wlac -d wtp
    diag wireless-controller wlac sta-filter MAC@ <level>

See KB article, FD33214, for further information.

Lab 2: Device Identification

This lab supports the learning objectives for module 3. You will enable device identification on your virtual access point. You will configure a device access list, deny your mobile test device from connecting, and verify this action by inspecting event log messages.

1. Go to System > Network > Interface and edit your virtual access point interface. Select ‘Detect and Identify devices’.

2. Connect your mobile device to your wireless network and generate web browsing traffic so that the client can be correctly detected.

3. Go to User & Device > Device > Device Definition to confirm that your device is listed and has been correctly identified.

4. From the FGT CLI create a device access list.

    config user device-access-list
        edit <name>
            set default-action accept
            config device-list
                edit 1
                    set action deny
                    set device <select your device type>
            end
    end

5. Apply this list to the VAP interface from the CLI.

    config system interface
        edit <your interface name>
            set device-access-list <your list name>
    end

You should observe that your mobile device is disconnected. Go to Log & Report > Event Log > WiFi and identify the log message for the BYOD event, the action should be a client denial for your device.


6. To see the devices detected by the access list use the following command:

    diag wireless-controller wlac -c byod_detected

7. When you have completed your testing, return to the interface settings from the CLI, disable device identification and unset the device access list.

    config system interface
        edit <your interface name>
            unset device-access-list
            set device-identification disable
    end

Lab 3: Improving Wireless Security with WPA-Enterprise Security

This lab supports the learning objectives for module 4. You will configure WPA/WPA2-Enterprise security with 802.1X authentication against a local user group.

1. Create a user and a user group and add the user to your group.

2. Go to Wireless Controller > Wireless Network > SSID and edit your wireless network created in the previous lab. Configure the WiFi security settings as follows:

SSID: <your ssid>

Security Mode: WPA/WPA2-Enterprise

Data Encryption: AES

Authentication: Usergroup

Usergroup: <your user group>

Click OK.

3. Next, download the CA certificate used on the FortiGate for wireless and import it on your mobile device. To do this, go to System > Certificates > CA Certificate. Select and view the certificate; note the CN of UTN-USERFirstHardware. Select Download. Copy or send this certificate to your mobile device, for example via email. If you cannot do this, you must disable server certificate authentication in order to complete this lab.

4. On your mobile device connect again to your SSID. You will be required to enter the username and password for your user.

5. Once you have successfully authenticated, verify that you can reach your internal host and connect to the Internet.

Go to the Log & Report > Event Log > WiFi and identify the log message for the authentication event. You can go to Wifi Controller > Monitor > Client Monitor to view information about the clients that are connected to your Wireless network.

Exercise 2: Captive Portal

In this exercise you will modify your SSID configuration to use a captive portal instead, so that users are redirected to this portal for authentication. You will also customize the portal page.

1. Go to Wireless Controller > Wireless Network > SSID and edit your wireless network created in the previous lab. Configure the WiFi security settings as follows:

SSID: <your ssid>

Security Mode: Captive Portal

Usergroup: <your user group>

2. Select Customize Portal Messages, then edit and select the Captive Portal Login Page and make a few simple changes so that you can identify your customization. Save your changes.

3. Close the customization window and click OK to save the changes to your SSID.

4. On your mobile device, connect again to your SSID. Note that the wireless security is open so that you can reach the portal; you connect to the portal via HTTPS and then authenticate using your user account.

Lab 4: Custom AP Profiles

This lab supports the learning objectives for module 5. You will create a custom AP profile to replace the automatic profile and configure one radio to be a dedicated monitor for rogue AP detection and the second radio for wireless clients.

1. Go to WiFi Controller > WiFi Network > Custom AP Profile and create a new AP profile with the following settings.

First select the correct platform; in this example we are using the FAP 220B. Select Radio 1 and set the mode to Dedicated Monitor. Do not select Rogue AP On-Wire Scan, because we will not be able to test this feature with our lab setup. Select Radio 2, set the mode to Access Point and use the default Band and Channel settings. Enable your SSID from the list of available SSIDs. Click OK. Next you need to apply your custom AP profile to your managed AP.

2. Go to WiFi Controller > Managed Access Points > Managed FortiAP and select your device and select edit.

3. In the wireless settings change the AP profile from Automatic to your new profile and select Apply and OK to save your changes. This change will cause the access point daemons on the AP to restart.

4. From the managed AP list check that one radio is announcing your SSID and the other is monitoring.

5. Go to WiFi Controller > WiFi Network > Rogue AP Settings and enable Rogue AP Detection to enable this feature on the wireless controller. Again, do not enable on-wire rogue AP detection.

6. Go to WiFi Controller > Monitor > Rogue AP Monitor. You should now see a list of detected wireless networks.

Working in pairs, one student attempts to connect to their network and send data while the other suppresses the network. To suppress an SSID from the monitor list, first select it and mark it as rogue, then select it and choose Suppress AP. While this is enabled, de-authentication packets will be sent to your neighbor. Your neighbor should try connecting to their SSID while you run the Suppress AP action.
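The Rogue AP Monitor classification in step 6 above, as an added worked example in Python that is not part of this lab guide and not FortiOS code: it compares what a dedicated monitor radio hears against the BSSIDs our own controller manages and separates our APs, neighbours, and unknown BSSIDs beaconing one of our SSIDs (the entries worth marking as rogue). The MANAGED inventory and the SCAN results are constructed for the example; the on-wire correlation that the real feature can add is deliberately not modelled, matching the lab setup.

```python
"""Classify access points seen by a dedicated monitor radio against the APs our
own wireless controller manages. Added illustration, not FortiGate code; every
SSID, BSSID and scan entry below is constructed for the example."""

# Constructed inventory: what *our* controller announces (SSID -> set of our BSSIDs).
MANAGED = {
    "lab-ssid-alice": {"00:11:22:33:44:50", "00:11:22:33:44:51"},
    "lab-ssid-bob": {"00:11:22:33:44:60"},
}

# Constructed monitor-radio scan: one entry per beaconing BSSID (rssi in dBm).
SCAN = [
    {"ssid": "lab-ssid-alice", "bssid": "00:11:22:33:44:50", "security": "WPA2-PSK", "channel": 6, "rssi": -40},
    {"ssid": "lab-ssid-alice", "bssid": "66:77:88:99:AA:BB", "security": "OPEN", "channel": 6, "rssi": -55},
    {"ssid": "lab-ssid-bob", "bssid": "00:11:22:33:44:60", "security": "WPA2-PSK", "channel": 11, "rssi": -48},
    {"ssid": "CoffeeShop", "bssid": "de:ad:be:ef:00:01", "security": "OPEN", "channel": 1, "rssi": -80},
    {"ssid": "", "bssid": "de:ad:be:ef:00:02", "security": "WPA2-PSK", "channel": 36, "rssi": -70},
]


def classify(ap, managed=MANAGED):
    """'managed' (ours), 'ssid-spoof' (our SSID from a BSSID we do not own) or 'neighbor'."""
    ssid, bssid = ap["ssid"], ap["bssid"].lower()
    if bssid in {b.lower() for b in managed.get(ssid, ())}:
        return "managed"
    if ssid in managed:
        return "ssid-spoof"
    return "neighbor"


def triage_scan(scan, managed=MANAGED):
    """Group scan entries by category, strongest signal first within each group."""
    groups = {"managed": [], "ssid-spoof": [], "neighbor": []}
    for ap in sorted(scan, key=lambda a: a["rssi"], reverse=True):
        groups[classify(ap, managed)].append((ap["ssid"], ap["bssid"].lower()))
    return groups


def unseen_managed(scan, managed=MANAGED):
    """Our BSSIDs the monitor radio did not hear: a sanity check that the radio
    really is monitoring (step 4 above) before trusting an empty rogue list."""
    seen = {ap["bssid"].lower() for ap in scan}
    return {b.lower() for bssids in managed.values() for b in bssids} - seen


def spoof_report(scan, managed=MANAGED):
    """One line per spoofed SSID: the entries worth marking as rogue in the monitor."""
    return [
        f"{ap['ssid']!r} also beaconed by {ap['bssid'].lower()} "
        f"(ch {ap['channel']}, {ap['security']}, {ap['rssi']} dBm)"
        for ap in scan if classify(ap, managed) == "ssid-spoof"
    ]


if __name__ == "__main__":
    for category, aps in triage_scan(SCAN).items():
        print(category, aps)
    print("not heard:", unseen_managed(SCAN))
    print("\n".join(spoof_report(SCAN)))
```

The second scan entry is the interesting one: our SSID name, an open network, from a BSSID we do not manage. The hidden SSID on channel 36 and the coffee shop are merely neighbours; a neighbour is only a concern when it spoofs one of our SSIDs, which is why the classification keys on the SSID-to-BSSID inventory rather than on signal strength.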


7. Look for Rogue AP messages in the event log for the rogue and suppressed status.

8. When the test is completed, disable Suppress AP and change roles so that you both test the Suppress AP feature.

9. At the end of the lab disable the Suppress AP feature, then go to WiFi Controller > WiFi Network > Rogue AP Settings and disable Rogue AP Detection.

Lab 5: Putting it all together

In this lab you will configure a mesh of FortiAPs and you will use FortiAuthenticator for PEAP authentication of users connecting to your SSID.

1. Before starting the FortiAuthenticator VM, ensure that port1 is assigned to the VMware host-only interface (vmnet1). Start the FortiAuthenticator VM.

Enter username ‘admin’ and no password. Set the port1 interface IP address:

    set port1-ip 10.0.1.253/24
    set default-gw 10.0.1.254

Enter show to view configured parameters.

2. Connect to the FortiAuthenticator GUI: https://10.0.1.253

3. Set the System Time.

4. The main configuration requirements when setting up FortiAuthenticator for PEAP are:

build a CA

configure the RADIUS server

add users

configure the FGT as a client for the RADIUS server

install the server’s public key in the client

5. Create a self-signed root certificate authority (CA).

Go to Certificate Management > Certificate Authorities > Local CAs. Select Create New, leave Root CA certificate selected, choose a Certificate ID and Name (CN) for your CA certificate and leave all other settings at their defaults.

6. Next create a Local Services certificate for the FortiAuthenticator itself.

Go to Certificate Management > End Entities > Local Services. Select Create New and choose a Certificate ID and Name (CN) for your Local Services certificate. The issuer should be your Root CA created in the previous step.


7. Next create a local user.

Authentication > Local User Management > Local Users. Create a user.

8. Next configure the FortiGate as a RADIUS client of the FortiAuthenticator device.

Go to Authentication > General > Auth. Clients. Select Create New. Enter a name, the IP address of your FortiGate (10.0.1.254) and a shared secret key, which you will also enter on the FortiGate unit. Select PEAP from the EAP types.

9. Next select the CA and Local Certificate for EAP.

Authentication > General > EAP Config. Select the Local Service certificate, created in the earlier step, for the EAP Server Certificate. Select the Local CA certificate, created in the earlier step, for the Local CAs.

10. Next configure your FortiGate to use the RADIUS server for remote authentication.

On the FortiGate GUI, go to User & Device > Authentication > RADIUS Server. Select Create New, choose a name and enter the IP address of your FortiAuthenticator (10.0.1.253) and the shared secret configured earlier. Select OK.

11. Edit the RADIUS server object again and test your authentication settings by selecting ‘Test’ and entering the username and password of the user configured earlier.

If configured correctly, the user authentication will be successful; if not, go back and check the user and the RADIUS client and server settings configured earlier.
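To see what the RADIUS client and server settings from steps 8 to 11 actually exchange when you select Test, here is an added Python model of a PAP Access-Request and its reply, written from RFC 2865 and RFC 2869; it is not FortiGate or FortiAuthenticator code, and the shared secret, user database and NAS address are constructed for the example. It shows why the shared secret must match on both ends: the password attribute is obscured with a keystream derived from the secret, and a server receiving a request whose Message-Authenticator does not verify must silently discard it (RFC 2869 section 5.14), so in this model a mismatched secret produces no reply at all rather than a rejection.

```python
"""RADIUS PAP exchange between a NAS (the FortiGate) and a server (the
FortiAuthenticator), modelled in pure Python from RFC 2865 and RFC 2869.
Added illustration, not Fortinet code; the secret, users and addresses are
constructed for the example."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80

SHARED_SECRET = b"lab-shared-secret"   # constructed; the lab's real secret is chosen by the student
USERS = {"student": "Lab5pass!"}       # constructed stand-in for the FortiAuthenticator local user


def obscure_password(secret, request_auth, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous cipher block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(secret, request_auth, obscured):
    """Inverse of obscure_password; the chain is keyed by the *cipher* block."""
    out, prev = b"", request_auth
    for i in range(0, len(obscured), 16):
        key = hashlib.md5(secret + prev).digest()
        block = obscured[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def parse(pkt):
    """Return (code, id, authenticator, [(type, value, value_offset)]); raise on malformed input."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((atype, pkt[pos + 2:pos + alen], pos + 2))
        pos += alen
    return code, ident, pkt[4:20], attrs


def build_access_request(secret, ident, username, password, nas_ip):
    """NAS side: Access-Request with User-Password and a Message-Authenticator."""
    request_auth = os.urandom(16)  # fresh per request; also seeds the password obscuring
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in [
        (USER_NAME, username.encode()),
        (USER_PASSWORD, obscure_password(secret, request_auth, password.encode())),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (MESSAGE_AUTHENTICATOR, b"\x00" * 16),  # placeholder, overwritten below
    ])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    # Message-Authenticator (RFC 2869 5.14) = HMAC-MD5(secret, packet with the attribute zeroed)
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac, request_auth


def server_handle(secret, users, pkt):
    """Server side: the response packet, or None when the request is silently dropped."""
    try:
        code, ident, request_auth, attrs = parse(pkt)
    except ValueError:
        return None
    by_type = {t: (v, off) for t, v, off in attrs}
    if code != ACCESS_REQUEST or not {USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR}.issubset(by_type):
        return None
    mac, off = by_type[MESSAGE_AUTHENTICATOR]
    zeroed = pkt[:off] + b"\x00" * 16 + pkt[off + 16:]
    if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), mac):
        return None  # wrong shared secret: discard, as RFC 2869 requires
    user = by_type[USER_NAME][0].decode()
    password = reveal_password(secret, request_auth, by_type[USER_PASSWORD][0])
    code = ACCESS_ACCEPT if users.get(user, "").encode() == password else ACCESS_REJECT
    head = struct.pack("!BBH", code, ident, 20)  # minimal reply: no attributes
    # Response Authenticator (RFC 2865 3) = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + request_auth + secret).digest()


def client_check_response(secret, request_auth, resp):
    """NAS side: accept the reply only if its Response Authenticator is valid."""
    code, _ident, resp_auth, _attrs = parse(resp)
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return code if hmac.compare_digest(expected, resp_auth) else None


def radius_test(client_secret, server_secret, username, password, users=USERS):
    """Mirror the lab's Test button: ACCESS_ACCEPT, ACCESS_REJECT, or None (no reply)."""
    pkt, request_auth = build_access_request(client_secret, 7, username, password, "10.0.1.254")
    resp = server_handle(server_secret, users, pkt)
    return None if resp is None else client_check_response(client_secret, request_auth, resp)


if __name__ == "__main__":
    print(radius_test(SHARED_SECRET, SHARED_SECRET, "student", "Lab5pass!"))    # 2 (Access-Accept)
    print(radius_test(SHARED_SECRET, SHARED_SECRET, "student", "wrong"))        # 3 (Access-Reject)
    print(radius_test(SHARED_SECRET, b"other-secret", "student", "Lab5pass!"))  # None (dropped)
```

Two practical points follow from the code. A wrong password gets an explicit Access-Reject, while a wrong secret gets silence, so a Test that times out rather than failing points at the shared secret or the Auth. Client entry rather than at the user. And the password obscuring is keyed only by MD5 of the secret and a 16-byte random value, which is why the real PEAP exchange in this lab carries the credentials inside a TLS tunnel and why the client must validate the server certificate (step 13).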

12. Next configure your SSID to use RADIUS Server authentication with the WPA/WPA2-Enterprise security mode.

On the FortiGate GUI, go to WiFi Controller > WiFi Network > SSID. Edit your SSID and, in the WiFi settings, change Authentication to RADIUS Server and choose the server object configured previously.

13. Next configure your mobile device. The mobile device needs to trust the CA root certificate configured above, so you will need to export the certificate and import it on your mobile device.

From FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs, select your certificate and export it. Send or copy this certificate to your mobile device and click on the certificate to install it.

14. From your mobile device, first delete your saved SSID and reconnect, this time specifying the new certificate authority added in the previous step and the username and password for the user configured in FortiAuthenticator.

Your client authentication should be successful. If not, review the above settings and double-check the ‘valid from’ date of the server certificate. Check the FortiAuthenticator logs for the 802.1X login event for your user, and go to Log & Report > Event Log > WiFi and look for a message with the ‘client-authentication’ action.
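The event log checks in Lab 2 (the BYOD client denial), Lab 3 and step 14 above (the ‘client-authentication’ action) and Lab 4 (Rogue AP messages) can be automated once the logs are exported or forwarded to a syslog collector. The following is an added Python example, not FortiOS code: it tokenizes the key="value" record layout FortiOS logs use and then pulls out the events those labs ask you to find. The sample lines are constructed; apart from the ‘client-authentication’ action named in this guide, the action values and field names (stamac, devtype, bssid, status) are assumptions to check against the log reference for your FortiOS version.

```python
"""Pull the events the labs ask you to look for out of FortiGate WiFi event logs.
Added example, not FortiOS code. The log lines are constructed; apart from the
'client-authentication' action named in the guide, the action values and field
names are assumptions to check against your FortiOS log reference."""
import re
from collections import Counter

# Constructed sample: six event records in the FortiOS key="value" layout, one
# of them a non-wireless record that the triage must ignore.
SAMPLE_LOG = """\
date=2015-10-20 time=10:01:12 type="event" subtype="wireless" level="notice" action="client-authentication" user="student" ssid="lab-ssid" stamac="aa:bb:cc:dd:ee:01" status="success" msg="Client authenticated"
date=2015-10-20 time=10:02:40 type="event" subtype="wireless" level="warning" action="client-authentication" user="student" ssid="lab-ssid" stamac="aa:bb:cc:dd:ee:02" status="failure" msg="Client failed authentication"
date=2015-10-20 time=10:02:55 type="event" subtype="wireless" level="warning" action="client-authentication" user="student" ssid="lab-ssid" stamac="aa:bb:cc:dd:ee:02" status="failure" msg="Client failed authentication"
date=2015-10-20 time=10:03:10 type="event" subtype="wireless" level="notice" action="client-deny" ssid="lab-ssid" stamac="aa:bb:cc:dd:ee:03" devtype="Android Phone" msg="Client denied by device access list"
date=2015-10-20 time=10:04:00 type="event" subtype="system" level="notice" action="login" user="admin" msg="Administrator logged in"
date=2015-10-20 time=10:05:00 type="event" subtype="wireless" level="warning" action="rogue-ap-detected" ssid="lab-ssid" bssid="66:77:88:99:aa:bb" msg="Rogue AP detected"
"""

# key=value where the value is either "quoted (with \" escapes allowed)" or a bare token.
FIELD = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')


def parse_line(line):
    """Tokenize one record into a dict; quoted and bare values are both handled."""
    return {key: (bare if bare else quoted) for key, quoted, bare in FIELD.findall(line)}


def triage_log(log_text, fail_threshold=2):
    """Summarize the WiFi events the labs check: successful 802.1X logins, repeated
    failures per station, device-access-list denials and rogue AP detections."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    wifi = [e for e in events if e.get("type") == "event" and e.get("subtype") == "wireless"]

    def auth(status):
        return [e for e in wifi
                if e.get("action") == "client-authentication" and e.get("status") == status]

    failures = Counter(e["stamac"] for e in auth("failure"))
    return {
        "auth_success": [(e["user"], e["stamac"]) for e in auth("success")],
        "repeated_auth_failure": {mac: n for mac, n in failures.items() if n >= fail_threshold},
        "byod_denied": [(e["stamac"], e.get("devtype", "unknown"))
                        for e in wifi if e.get("action") == "client-deny"],
        "rogue_ap": [(e["ssid"], e["bssid"]) for e in wifi if e.get("action") == "rogue-ap-detected"],
    }


if __name__ == "__main__":
    for key, value in triage_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The tokenizer is the reusable part: it copes with spaces inside quoted msg values and with bare date and time tokens, which is where a naive split on spaces breaks. The repeated-failure count per station MAC is the check worth keeping after the course, since the symptom of a mis-imported CA certificate or a wrong password on the mobile device is a burst of failures from one MAC with no success record.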

Exercise 2: Setting up Full Mesh Wireless on FortiGate Unit Using Two FortiAP Units

1. Configure the mesh SSID, go to WiFi Controller > WiFi Network > SSID. Edit the default mesh SSID fmesh.root and change the SSID from the default to something unique. Note that the traffic mode is set to mesh downlink. Enter a new pre-shared key.

2. Go to WiFi Controller > WiFi Network > Custom AP Profile and create a new AP profile, or edit the profile created earlier, and enter the following settings. Select the correct platform; in this example we are using the FAP 220B. Select Radio 1, set the mode to Access Point and use the default Band and Channel settings. Enable your SSID and the mesh SSID from the list of available SSIDs. Select Radio 2, set the mode to Access Point and use the default Band and Channel settings. Enable your SSID and the mesh SSID from the list of available SSIDs. Click OK.

3. If this is a new profile you will need to apply it to your managed AP.

Go to WiFi Controller > Managed Access Points > Managed FortiAP and select your device and select edit. In the wireless settings change the AP profile from automatic to your new profile and select apply and ok to save your changes. This change will cause the access point daemons on the AP to restart.

4. Start your second AP.

You may need to work in pairs for this lab, in that case one student de-authorizes their AP and the other student authorizes this second AP in their managed APs. The second AP will use the automatic profile which is fine for this lab.

5. Configure the second AP to use the wireless mesh as an uplink.

From the FortiAP GUI, go to Connectivity and select mesh and enter the mesh SSID and pre-shared key. This change will cause the access point daemons on the AP to restart.


6. You should observe that the second AP connects as a leaf device. Note that it might take some time for the state icon to become green; if you feel it is taking too long you can reboot the AP to expedite the process.

7. You have now created the full mesh. If you would like to test that clients on the leaf AP can reach the wireless controller modify the AP profile associated with your root AP and remove your wireless client SSID so that it is only being announced on the leaf AP.

8. Using the wireless controller debug on the FortiGate, try the following commands.

Use the following command to see the status of the FortiAPs:

    diagnose wireless-controller wlac -c wtp

Use the following command to list the configured wireless LANs:

    diagnose wireless-controller wlac -c wlan

Use the following command to list the connected wireless stations:

    diagnose wireless-controller wlac -d sta

