203 Module 2 Wireless Controller

Upload: zarandija

Post on 21-Jan-2016

Page 1: 203 Module 2 Wireless Controller

Course 203 - Fortinet Wireless Module 2 Wireless Controller

01-05002-RevA-0203-20130520

Fortinet Wireless Course 203, Module 2 – Wireless Controller


© 2012 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or distributed to anyone without prior written consent of an authorized representative of Fortinet.

Objectives

• List the components and advantages of the FortiGate integrated wireless controller and the wireless solution

• Identify the key configuration requirements of an SSID

• Describe the purpose of the Virtual Access Point in the FortiOS configuration

• Describe the configuration of security and authentication settings for a wireless LAN

• Identify the purpose of MAC filtering


• Identify the managed AP topologies

• Identify the goals and describe the main phases of the CAPWAP protocol

Page 2: 203 Module 2 Wireless Controller

Objectives

• Describe the basic access point configuration settings for a simple wireless LAN deployment

• Perform a wireless network deployment using equipment in a hands-on lab


The Fortinet WiFi Security Solution

Secure Access Points (FortiAP Secure AP, single or dual radio)

• 802.11n compliant, up to 900 Mbps throughput (aggregated traffic)

• 3x3 MIMO with 3 spatial streams: 450 Mbps / radio, or 2x2 MIMO with 2 spatial streams: 300 Mbps / radio

• Single or dual concurrent radio, 2.4 GHz / 5 GHz, 802.11 a/b/g/n

• Enterprise-class feature set

• Dedicated built-in air monitoring

• Internal or external antenna design

• Highest value at competitive price

FortiGate Platforms with Integrated Wireless Controllers (FortiGates as controllers)

• 20+ platforms to meet any requirement

• Leverages same models already on the market

• 10 Mbps – 40 Gbps wireless LAN capacity

• Programmable control & data planes, hardware-based cryptography

• Centralized management

Page 3: 203 Module 2 Wireless Controller

Building the Secure Business Grade Wireless LAN

Secure Wireless Access Points with Integrated Wireless Controller (infrastructure security, business grade wireless, secure business grade wireless): no additional licenses needed

• Corporate Wi-Fi

• Captive Portal, 802.1X / RADIUS / shared key

• Assign users and devices (BYOD) to their role

• Examines wireless traffic to remove threats

• True stateful firewall controls users/applications

• Identify applications and destinations of interest

• Reports on policy violations, application usage, destinations and PCI DSS

• Ensures business traffic has right of way

Page 4: 203 Module 2 Wireless Controller

Extends Security Features to Wi-Fi

Each SSID appears as a Virtual Interface


Thin and Thick APs

FortiWiFi (Standalone Thick AP)

• WiFi radio physically integrated into FortiGate device

• One WiFi radio - targeted as AP with background scan or dedicated rogue AP monitor

• IEEE 802.11 a/b/g/n on 60, 80

• Runs full FortiOS with VPN

• Ideal for distributed office space < 300 sq meters

FortiAP Models (Centrally Managed Thin AP)

• Requires separate FortiGate as wireless controller

• Single or dual WiFi radio for simultaneous communication on 2.4 GHz and 5 GHz bands, or simultaneous air monitor and AP, or mesh

• a/b/g/n bands standard

• Runs thin OS

• Ideal for larger indoor or outdoor installations, or existing customers looking for WiFi capability from existing FortiGates

Page 5: 203 Module 2 Wireless Controller

802.11n Thin AP family

(Chart) Models plotted by radio band (single radio / dual radio) against stream configuration (1x1:1; 2x2:2 performance; 3x3:3 resiliency / throughput), across personal, indoor and outdoor deployments. Models shown: FAP-11C, FAP-112B, FAP-210B, FAP-220B, FAP-221B, FAP-222B, FAP-223B, FAP-320B.

Hardware Overview – FortiAP (Local)

FAP-112B

• Form factor: Wall mount, Ceiling mount, indoor/outdoor

• Radio: 1

• Bands: 2.4 GHz b/g/n

• PoE: 802.3af

• Rx/Tx: 1x1, single stream, 65 Mbps

• Antennas: 1 internal

• Ethernet interfaces: 2x FE (one LAN and one WAN)

FAP-210B

• Form factor: Wall mount, Ceiling mount

• Radio: 1

• Bands: 2.4 or 5 GHz, switchable b/g/n or a/n

• PoE: 802.3af

• Rx/Tx: 1x2, single stream, 300 Mbps

• Antennas: 2 internal

• Ethernet interfaces: 1x GbE copper

FAP-220B

• Form factor: Wall mount, Ceiling mount

• Radio: 2

• Bands: 1) 2.4 GHz b/g/n; 2) 2.4/5 GHz a/b/g/n concurrent

• PoE: 802.3af

• Rx/Tx: 2x2, dual stream, 600 Mbps

• Antennas: 4 internal

• Ethernet interfaces: 1x GbE copper

FAP-221B / FAP-223B*

• Form factor: Smoke detector

• Radio: 2

• Bands: 1) 2.4 GHz b/g/n; 2) 2.4/5 GHz a/b/g/n concurrent

• PoE: 802.3af

• Rx/Tx: 2x2, dual stream, 600 Mbps

• Antennas: 4 internal (4 external*)

• Ethernet interfaces: 1x GbE copper

FAP-222B

• Form factor: Outdoor

• Radio: 2

• Bands: 1) 2.4 GHz b/g/n; 2) 5 GHz a/n concurrent

• PoE: 802.3at

• Rx/Tx: 2x2, dual stream, 600 Mbps

• Antennas: 4 external

• Ethernet interfaces: 1x GbE copper

FAP-320B

• Form factor: Wall mount, Ceiling mount

• Radio: 2

• Bands: 1) 2.4 GHz b/g/n; 2) 2.4/5 GHz a/b/g/n concurrent

• PoE: 802.3af

• Rx/Tx: 3x3, triple stream, 900 Mbps

• Antennas: 6 internal

• Ethernet interfaces: 2x GbE copper

Page 6: 203 Module 2 Wireless Controller

Hardware Overview – FortiAP (Remote)

FAP-11C

• Form factor: Wall plug

• Radio: 1

• Bands: 2.4 GHz b/g/n

• PoE: NA

• Rx/Tx: 1x1, single stream, 65 Mbps

• Antennas: 1 internal

• Ethernet interfaces: 2x FE

FAP-14C

• Form factor: Desktop/Wall mount

• Radio: 1

• Bands: 2.4 GHz b/g/n

• PoE: NA

• Rx/Tx: 1x1, single stream, 65 Mbps

• Antennas: 1 internal

• Ethernet interfaces: 5x FE

FAP-28C

• Form factor: Desktop/Wall mount

• Radio: 1

• Bands: 2.4 or 5 GHz, switchable b/g/n or a/n

• PoE: NA

• Rx/Tx: 2x2, dual stream

• Antennas: 2 internal

• Ethernet interfaces: 10x GE

Wireless Controller Configuration

• Make sure the FortiGate wireless controller is configured for your geographic location

• Optionally configure a custom Access Point (AP) profile

• Configure one or more SSIDs for your wireless network

• Optionally, configure the user group and users for authentication on the WLAN

• Configure the firewall policy for the WLAN

• Optionally, customize the captive portal


• Configure access points.

Page 7: 203 Module 2 Wireless Controller

Wireless Controller Configuration

(Diagram) Virtual Access Point 1 and Virtual Access Point 2 (security settings); Access Point Profile 1 (radio settings); physical Access Point units.

Configuring SSIDs

• The Virtual Access Point (VAP) interface is the interface used for traffic tunneled back to the wireless controller, and it includes the network settings of the interface.

Page 8: 203 Module 2 Wireless Controller

Configuring SSIDs

• The SSID defined is associated with the VAP interface created.

» Security mode of the SSID is defined here.

Security Mode

• Wi-Fi Protected Access (WPA)

» Provides two methods of authentication:

• 802.1X (WPA-Enterprise)

• Pre-shared keys (WPA-Personal)

» Encrypts communications:

• Advanced Encryption Standard (AES)

• Temporal Key Integrity Protocol (TKIP)

» WPA2 provides additional security improvements

• Captive Portal

• WEP

» Weak, hence CLI only.

Page 9: 203 Module 2 Wireless Controller

Wireless Authentication

• Authentication methods apply to wireless networks the same as they do for wired

» Users can also be authenticated against local user groups on the FortiGate device

» External authentication servers (RADIUS, LDAP, TACACS+, Windows Active Directory) are also available

» For each wireless LAN, create a user group (or groups) and add the users who can access the WLAN

MAC Filtering

• Permit or exclude a list of clients based on the MAC address of their computer

• Should be used in conjunction with other security measures

» Unauthorized users could capture MAC addresses from network traffic and use them to impersonate legitimate users

• Configured on an SSID/VAP interface basis

• Used for devices that cannot perform a user authentication, such as a printer or a games console

Page 10: 203 Module 2 Wireless Controller

Virtual Access Points (VAP)

• A Virtual Access Point defines the security settings that can be applied to one or more physical Access Points

• Each VAP creates its own virtual network interface on the FortiGate unit

• Define DHCP services, firewall policies and other settings for the wireless LAN

Virtual Access Point

• An SSID creates a Virtual Interface of type VAP

This interface can then be used for firewalling, traffic inspection, QoS, …

Page 11: 203 Module 2 Wireless Controller

Intra-SSID Privacy

• This feature benefits Hotspot users by keeping their traffic private from other users on the same SSID

• Prevents man-in-the-middle attacks from other PCs on the same network

• Undesirable when you have other devices in the SSID you connect to, such as a wireless printer

Managed AP Topologies

Direct Connection

• FortiAP unit is connected directly to the FortiGate unit

Switched Connection

• FortiAP unit is connected to the wireless controller on the FortiGate unit by an Ethernet switch

• Must be a routable path between FortiAP device and the FortiGate unit

Distributed

• WLAN mesh model

• WTPs repeat traffic over wireless neighbor nodes

Connection over WAN

• The wireless controller is off-site and connected by a VPN to a local AP

Page 12: 203 Module 2 Wireless Controller

Full Mesh (diagram)

Full Mesh – LAN Bridge (diagram)

Page 13: 203 Module 2 Wireless Controller

Full Mesh

• Mesh SSID replaces wired distribution network between root and leaf APs

» Usually the backhaul SSID uses a dedicated radio, but a shared radio is also supported

» Default SSID fortinet.mesh.vdom

» The mesh SSID is bridged with the Ethernet port on the root AP

• The root AP has a wired connection back to the wireless controller

• When tunneling traffic back to the FortiGate, the leaf APs use the mesh SSID to reach the controller.

Full Mesh

• Automatically created VAP interface and SSID that is dedicated to the backhaul

• Once the mesh SSID is enabled on an AP, it will accept requests from other APs configured to use it

• Wireless clients cannot connect to the mesh-backhaul SSID

• The default mesh SSID may be deleted and replaced with a new configuration.

Page 14: 203 Module 2 Wireless Controller

Full Mesh

• AP uplink options


Local Bridge

• Local bridge mode allows SSIDs to be centrally managed without backhauling the traffic to the wireless controller

• Traffic from the wireless is bridged to the local Ethernet port

» VLAN support increases the number of bridges from one

• Configured per SSID

» Bridge and tunnel mode SSIDs on the same AP are supported

• Configured in the Managed AP settings

» Local bridge: no DHCP settings in the SSID, local DHCP required

• It is also possible to bridge an SSID to a local port at the FortiGate device using a softswitch configuration

Page 15: 203 Module 2 Wireless Controller

Local Bridge

• Local bridge SSID configuration

Local Bridge Traffic Flow

config wireless-controller vap
    edit "SSID-bridge"
        set vdom "root"
        set ssid "SSIDBridge"
        set security wpa-enterprise
        set auth radius
        set encrypt TKIP-AES
        set radius-server "FortiAuth"
        set local-bridging enable
    next
end

Page 16: 203 Module 2 Wireless Controller

Local Bridge With VLAN Support


Discover and Authorize FortiAP

• Configure the FortiGate ethernet interface to which the AP will connect

• Configure DHCP service on the interface to which the AP will connect, if providing APs addresses via DHCP

• The AP requires its own address, independent of any wireless device connecting to the VAP (SSID)

• Connect the AP units and let the FortiGate unit discover them

• Authorize each discovered AP if you want to manage it from that controller, edit to change its automatic settings or create a custom AP profile.

Page 17: 203 Module 2 Wireless Controller

Controller Discovery

Broadcast request

• Controller and AP in same broadcast domain

Multicast request

• Controller and AP do not need to be in the same broadcast domain if multicast routing is configured

• The default multicast destination IP address is 224.0.1.140

Static IP address

• Administrator specifies the controller's static IP address on the FortiAP unit

• Routing must be configured in both directions

DHCP

• Identifies controller address when AP's IP address is assigned

• Useful when the AP is on a remote site

• IP address of the controller must be converted into hexadecimal in the DHCP option field

Configuring FortiAP using CLI

• The FortiAP unit has a CLI through which some configuration options can be set

• Login with user name admin and no password

• Display help

» cfg -h

• Make a configuration change

» cfg -a

• Save the configuration

» cfg -c

Page 18: 203 Module 2 Wireless Controller

CAPWAP Wireless Controller and FortiAP Configuration

• A FortiAP unit can use any of four methods to locate a controller

• By default, FortiAP units cycle through all four of the discovery methods

• In most cases there is no need to make configuration changes on the FortiAP unit

• The next few slides look at these four methods.

Static IP

• By default, the FortiAP unit receives its IP address by DHCP

» You can assign the AP unit a static IP address.

» To assign a static IP address to the FortiAP unit:

• cfg -a ADDR_MODE=STATIC

• cfg -a AP_IPADDR="192.168.0.100"

• cfg -a AP_NETMASK="255.255.255.0"

• The AP unit sends a unicast discovery request message to the controller

» Routing must be properly configured in both directions.

» To specify the controller's IP address on a FortiAP unit:

• cfg -a AC_IPADDR_1="192.168.0.1"

Page 19: 203 Module 2 Wireless Controller

Broadcast

• The AP unit broadcasts a discovery request message to the network and the controller replies

• The AP and the controller must be in the same broadcast domain. No configuration adjustments are required.

Multicast

• The AP unit sends a multicast discovery request and the controller replies with a unicast discovery response message

• The AP and the controller do not need to be in the same broadcast domain if multicast routing is properly configured

• The default multicast destination address is 224.0.1.140

» It can be changed through the CLI

» The address must be the same on the controller and AP.

Page 20: 203 Module 2 Wireless Controller

Multicast

• To change the multicast address on the controller:

» config wireless-controller global

» set discovery-mc-addr 224.0.1.250

» end

• To change the multicast address on a FortiAP unit:

» cfg -a AC_DISCOVERY_MC_ADDR="224.0.1.250"

DHCP

• If you use DHCP to assign an IP address to your FortiAP unit, you can also provide the WiFi controller IP address at the same time.

• When you configure the DHCP server, configure Option 138 to specify the WiFi controller IP address. You need to convert the address into hexadecimal. Convert each octet value separately from left to right and concatenate them.

» For example, 10.10.10.31 converts to 0A0A0A1F.

Page 21: 203 Module 2 Wireless Controller

DHCP

• If Option 138 is used for some other purpose on your network, you can use a different option number if you configure the AP units to match.

• To change the FortiAP DHCP option code

» To use option code 139, for example, enter:

» cfg -a AC_DISCOVERY_DHCP_OPTION_CODE=139

DHCP (screenshot)
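Worked example of the Option 138 conversion described on the DHCP slides, added here and not part of the Fortinet course material: it encodes controller addresses into the hexadecimal option value (10.10.10.31 becomes 0A0A0A1F), decodes a value back so a typed-in option can be checked, and renders a DHCP server option stanza for either option code 138 or a replacement such as 139. It goes beyond the slide in accepting a list of controllers, since Option 138 (RFC 5417) carries one or more IPv4 addresses. The `config system dhcp server` / `config options` stanza layout is assumed FortiOS syntax that the slides do not show, and the function names are mine.

```python
# Added example (not from the Fortinet course material): encode/decode the
# hexadecimal value that DHCP Option 138 carries so a FortiAP can learn its
# CAPWAP controller address, e.g. 10.10.10.31 -> 0A0A0A1F. Option 138
# (RFC 5417) may list several controllers: 4 bytes each, concatenated.
import ipaddress
from typing import List


def encode_capwap_ac_option(controllers: List[str]) -> str:
    """Hex string for Option 138: each octet as two uppercase hex digits,
    octets left to right, one or more addresses concatenated in order."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    parts = []
    for addr in controllers:
        ip = ipaddress.IPv4Address(addr)  # rejects malformed or IPv6 input
        parts.append("".join(f"{octet:02X}" for octet in ip.packed))
    return "".join(parts)


def decode_capwap_ac_option(hex_value: str) -> List[str]:
    """Reverse the encoding so a value typed into a DHCP server can be
    checked. Rejects values that are not whole IPv4 addresses, which is
    what a dropped leading zero (A0A0A1F instead of 0A0A0A1F) looks like."""
    digits = hex_value.strip()
    if not digits or len(digits) % 8 != 0:
        raise ValueError("Option 138 value must be a multiple of 8 hex digits")
    raw = bytes.fromhex(digits)  # raises ValueError on non-hex characters
    return [str(ipaddress.IPv4Address(raw[i:i + 4]))
            for i in range(0, len(raw), 4)]


def fortios_dhcp_option_cli(server_id: int, controllers: List[str],
                            option_code: int = 138) -> str:
    """Render a DHCP server option stanza carrying the encoded value.
    ASSUMPTION: the 'config system dhcp server' / 'config options' layout
    is FortiOS syntax recalled from memory, not shown on the slides; verify
    it against the CLI reference for your firmware. A non-default
    option_code (the slide's 139 example) must match
    AC_DISCOVERY_DHCP_OPTION_CODE on the FortiAP units."""
    if not 1 <= option_code <= 254:
        raise ValueError("DHCP option code must be between 1 and 254")
    value = encode_capwap_ac_option(controllers)
    lines = [
        "config system dhcp server",
        f"    edit {server_id}",
        "        config options",
        "            edit 1",
        f"                set code {option_code}",
        "                set type hex",
        f'                set value "{value}"',
        "            next",
        "        end",
        "    next",
        "end",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(encode_capwap_ac_option(["10.10.10.31"]))  # 0A0A0A1F
    print(decode_capwap_ac_option("0A0A0A1FC0A80001"))
    print(fortios_dhcp_option_cli(1, ["10.10.10.31", "192.168.0.1"], 139))
```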

Page 22: 203 Module 2 Wireless Controller

Configuring FortiAP using CLI (screenshots)

Page 23: 203 Module 2 Wireless Controller

FortiAP GUI

• Simplified provisioning for FortiAP with the addition of a GUI


Configuring a FortiWiFi unit as a WiFi AP

• FortiWiFi units running FortiOS 4.3 can also be deployed as managed APs controlled by a FortiGate unit wireless controller.

» In the CLI, enter:

• config system global

• set wireless-mode wtp

• end

» The feature was removed in FortiOS 5.0

» Unlike FortiAP units, a FortiWiFi unit deployed as an AP does not cycle through the discovery methods. You must select one discovery method to use:

• config wireless-controller global

• set ac-discovery-type dhcp

• end

Page 24: 203 Module 2 Wireless Controller

CAPWAP Protocol Overview

• The CAPWAP protocol is a generic protocol defining AC (Wireless Controller) and WTP (FortiAP) control and data plane communication via a CAPWAP protocol transport mechanism

• CAPWAP stands for Control and Provisioning of Wireless Access Points

• CAPWAP carries control and data traffic via two channels

• CAPWAP Control messages, and optionally CAPWAP Data messages, are secured using Datagram Transport Layer Security (DTLS).

Goals of CAPWAP

• Centralize the authentication and policy enforcement functions for a wireless network

• Reduce cost and increase efficiency by applying the capabilities of network processing to the wireless network

• Move higher-level protocol processing from the WTP (FortiAP)

• Leave the time-critical applications of wireless control and access in the WTP (FortiAP)

• The emergence of centralized IEEE 802.11 Wireless Local Area Network (WLAN) architectures

• Simple IEEE 802.11 WTPs are managed by an Access Controller (FortiOS Wireless Controller).

Page 25: 203 Module 2 Wireless Controller

CAPWAP Main Phases

• CAPWAP begins with a discovery phase

• FortiAPs send a discovery request message

• Any Wireless Controller receiving the message responds with a discovery response message

• FortiAP selects a Wireless Controller and establishes a secure DTLS session

• Configuration exchange occurs

» FortiAP may receive provisioning settings

» FortiAP is enabled for operation

• The Wireless Controller and FortiAP exchange is complete and the FortiAP is enabled

• In tunnel mode client data frames are encapsulated between the FortiAP and the Wireless Controller

Lab

• FortiGate Secure Wireless Configuration using a FortiAP Device
