
2013 Fortinet Business-Grade Wireless

FortiGate Multi-Threat Security Systems


WiFi Controller & FortiAP

Student Lab Guide


Course (5.0.1) v2.00
Lab 1 Setting up secure wireless on your
FortiGate unit using a FortiAP unit
Objectives
Problem – a FortiGate unit provides your office with wired networking, but employees also use laptops
and mobile devices. These devices need secure Wireless access to both the office network and the
Internet.
What is a good solution for a small number of users with no access to Windows Active Directory?
Solution – set up a Wireless network with WPA-Personal authentication.
Using the Wireless Controller feature on your FortiGate unit, configure a Wireless network. Then
connect a FortiAP unit and authorize it to carry your Wireless network.
On your Wireless network, use DHCP to assign IP addresses to Wireless users, as most mobile devices
are preconfigured to use DHCP.
Use WPA2 security. As there is no authentication in place for the wired network and this is a small
team in one place, WPA2-Personal security is appropriate.
There will be one pre-shared key that users must know to access the Wireless network. Create security
policies to enable the Wireless network to access both the office network and the Internet.
Configure Wan2, an unused network interface on the FortiGate unit, to connect to the FortiAP unit.
Connect the FortiAP unit to the Wan2 interface and wait for it to be discovered. Authorize the FortiAP
unit.

Exercise 1 Initial Setup of FortiGate Device
1. From your PC, open an RDP connection to your Windows XP VM: 192.168.251.X with the
username userX and password fortinetX, where X is your user number.
2. Start a PuTTY session and double-click the shortcut: Console FortigateX (where X is your
user number).
3. At the FortiGate CLI login prompt, log in with username of admin (all lowercase). The default
password on the device is blank.
4. Reset the FortiGate device to factory defaults by typing the following command:
exec factoryreset

When asked to continue, type Y, press <enter>, and wait for the reset to complete.
5. Log in to the CLI once again and type the following command to display status information
about the FortiGate unit:
get system status

The output displays the FortiGate unit serial number, firmware build, operational mode, and
additional settings.
Confirm that the firmware build on the FortiGate unit is 5.0.1, the required version for this
course.
6. The next few steps are very important. You must set the country code in your wireless
settings in order for your device to adhere to the local radio standards.
First check the current setting:
show full wireless-controller setting

If the country code does not match the country you are in, you will need to change it.
To make this change you must first remove the WTP profiles. Enter:
config wireless-controller wtp-profile
purge
The CLI warns:
This operation will clear all table!
Do you want to continue? (y/n)y
Answer y to delete all the profiles, then enter:
end

7. Next, set the proper geographic location; its importance will be explained in the
presentation.
Example:
config wireless-controller setting
set country FR
end

Exercise 2 Create the SSID

1. Go to WiFi Controller > WiFi Network > SSID and select Create New to define your wireless
network:
Interface Name : Wifi_UserX
Status : enable
Traffic Mode : Tunnel to Wireless Controller
IP / Netmask : 10.10.1XX.254 / 255.255.255.0
Administrative Access : Ping

2. Enable DHCP with the following settings:


Address Range : 10.10.1XX.10-10.10.1XX.19
Netmask : 255.255.255.0
Default Gateway : Same as Interface IP
DNS Server : Same as System DNS

3. Configure the security settings as follows:


SSID : Wifi_UserX
Security Mode : WPA/WPA2-Personal
Data Encryption : AES
Pre-shared Key : fortinet

4. Select OK

Exercise 3 Configure the Custom AP Profile
1. Go to WiFi Controller > Managed Access Point > Custom AP Profile and click Create New.
2. Name : ProfileFAP220B
Platform : FAP220B/FAP221B/FAP223B
3. Configure the Radio1

4. Configure the Radio 2

5. Click OK

Exercise 4 Manage The FortiAP
1. Go to WiFi Controller > Managed Access Point > Managed FortiAP, select the FortiAP and
edit it.
2. State : click Authorize
3. AP Profile : click [Change] and select the FAP220B-default AP Profile and click [Apply]
4. Click OK
5. You can configure the FortiAP via the web GUI. Browse the IP Address of the FortiAP.

Exercise 5 Create firewall and security policy settings


1. Go to Policy > Policy > Policy and select Create New to add a Wireless-to-Office network
policy that allows Wireless users to access the office network.
Policy Type : Firewall
Policy Subtype : Address
Source Interface/Zone : Wifi_UserX
Source Address : All
Destination Interface/Zone : internal
Destination Address : All
Schedule : Always
Service : ANY
Action : ACCEPT

Source NAT is not required for this policy since the Wireless and internal networks are visible to
each other.

2. Select Create New to add a Wireless-to-Internet policy that allows Wireless users to access
the Internet.
Policy Type : Firewall
Policy Subtype : Address
Source Interface/Zone : Wifi_UserX
Source Address : all
Destination Interface/Zone : wan1
Destination Address : all
Schedule : always
Service : ANY
Action : ACCEPT

3. Select Enable NAT and Use Destination Interface Address.

4. Select OK.

Exercise 6 Using the FortiGate packet sniffer to view the FortiAP discovery process
1. Use the FortiGate unit’s built-in packet sniffer to view the discovery process.
This is useful if you experience difficulty in getting the FortiGate unit to recognize the FortiAP
unit.
2. Browse the IP address of the FortiAP. (Admin / no password)
3. In the WTP Configuration, for AC Discovery Type select Multicast.
4. Click Apply.
5. Return to the FortiGate Web UI and go to System > Network > Packet Capture. Create a new
packet capture on the internal interface of the FortiGate.
6. Run the capture, then reboot the FortiAP.
7. The FortiAP unit uses several methods to find a Wireless controller. Here are some examples
of the request packets you should see. In our example we used multicast to discover the
Wireless Controller address.
8. Multicast Wireless controller discovery request:
wan2 -- 192.168.8.2.5246 -> 224.0.1.140.5246: udp
9. Note that this request is on the CAPWAP control port, 5246. The multicast IP address is
configurable on both the FortiAP unit and the Wireless controller, and the two settings must
agree. The Wireless controller responds directly to the FortiAP unit in unicast on port 5246.
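To make the check in step 9 mechanical, the following added Python script (not part of the lab guide and not FortiOS code) parses sniffer lines in the format shown above and flags CAPWAP control traffic sent to a multicast group other than the one the controller expects. The sample capture and the controller address 192.168.8.1 are constructed, and the optional leading timestamp is an assumption about real sniffer output.

```python
import ipaddress
import re

# CAPWAP control port and the multicast discovery group seen in the lab capture.
CAPWAP_CONTROL_PORT = 5246
EXPECTED_DISCOVERY_GROUP = ipaddress.ip_address("224.0.1.140")

# One FortiGate sniffer line as the lab shows it, e.g.
#   wan2 -- 192.168.8.2.5246 -> 224.0.1.140.5246: udp
# (the optional leading timestamp is an assumption, not shown in the lab)
_LINE = re.compile(
    r"^(?:[\d.]+\s+)?(?P<intf>\S+)\s+--\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<proto>\w+)"
)

def classify(line):
    """Return (kind, detail); kind is 'discovery', 'unicast', 'mismatch' or None."""
    m = _LINE.match(line.strip())
    if not m or m["proto"] != "udp":
        return None, "not a UDP sniffer line"
    if CAPWAP_CONTROL_PORT not in (int(m["sport"]), int(m["dport"])):
        return None, "not on the CAPWAP control port"
    dst = ipaddress.ip_address(m["dst"])
    if not dst.is_multicast:
        # The controller answers the AP directly (unicast) on port 5246.
        return "unicast", f"{m['intf']}: {m['src']} -> {dst} control traffic"
    if dst == EXPECTED_DISCOVERY_GROUP:
        return "discovery", f"{m['intf']}: AP {m['src']} multicast discovery request"
    # AP and controller disagree on the group, so the AP will never be found.
    return "mismatch", (f"{m['intf']}: AP {m['src']} uses group {dst}, "
                        f"controller expects {EXPECTED_DISCOVERY_GROUP}")

def summarize(lines):
    """Count each kind of line in a capture; non-CAPWAP lines land in 'other'."""
    counts = {"discovery": 0, "unicast": 0, "mismatch": 0, "other": 0}
    for line in lines:
        kind, _ = classify(line)
        counts[kind or "other"] += 1
    return counts

# Constructed sample capture: the first line is the one the lab shows, the rest
# are made up to exercise the unicast reply, a wrong group and unrelated DHCP.
SAMPLE_CAPTURE = [
    "wan2 -- 192.168.8.2.5246 -> 224.0.1.140.5246: udp",
    "wan2 -- 192.168.8.1.5246 -> 192.168.8.2.5246: udp",
    "wan2 -- 192.168.8.3.5246 -> 224.0.1.141.5246: udp",
    "wan2 -- 0.0.0.0.68 -> 255.255.255.255.67: udp",
]
```

Paste the lines from the Packet Capture download (or from `diagnose sniffer packet` output) into SAMPLE_CAPTURE; a non-zero "mismatch" count points at the group setting that needs correcting on the AP or the controller.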

Lab 2 Improving Wireless security with
WPA-Enterprise security
Problem – You set up a Wireless network with WPA-Personal security, but now you want better
security with individual authentication for your users.
Solution – Create user accounts and a wireless_users user group on the FortiGate unit. Modify your
SSID to use WPA/WPA2-Enterprise security and authenticate users who belong to the wireless_users
group.
There is no longer a pre-shared key that could fall into the wrong hands or would need to be changed
if someone left the group. Each user has an individual user name and password. Accounts can be
added or removed as needed.

Exercise 1 Create Wireless network user accounts


1. Go to User & Device > User > User and select Create New to create a user account:
• User Name : UserX
• Password : fortinet
Create additional user accounts as needed.
2. Go to User & Device > User Group > User Group and select Create New to create a user
group:
• Name : wireless_users
• Type: Firewall
• Members : Add UserX and the other employee accounts to the Members list.
3. Select OK.

Exercise 2 Change the SSID security settings


1. Go to WiFi Controller > WiFi Network > SSID and edit the wifi-userX SSID object.

2. Configure the security settings as follows:


Security Mode : WPA/WPA2-Enterprise
Data Encryption : AES
Authentication : Usergroup
Usergroup : wireless_users

3. Select OK.

4. Results – on your laptop or mobile device, reconnect to the wifi-userX SSID


Unlike with WPA/WPA2-Personal, you will be prompted to enter your user name and password. Enter
UserX as the user name and fortinet as the password.

If your device gives you additional options when configuring your profile, select Enterprise Sub-Type
PEAP and disable server certificate validation. If you are required to use a CA certificate, install
the 'UTN USERFirst Client' certificate for this CA on your mobile device.
Once you have been authenticated, verify that you can connect to servers and other resources on
your office network. Also verify that you can connect to the Internet.
5. Go to Wireless Controller > Monitor > Client Monitor to view information about the clients that
are connected to your Wireless network.
Go to System > Monitor > DHCP Monitor to view information about the DHCP address allocation
on the wifi-userX interface.

Lab 3 Setting up and managing secure WiFi
with a captive portal for guests

Exercise 1 Create a User Group Guest


1. Go to User & Device > User Group > User Group and select Create New to create a user
group:

Exercise 2 Create the SSID wifi-guests


1. Go to WiFi Controller > WiFi Network > SSID and click Create new.
Interface Name : Wifi-Guest
Status : Enabled
Traffic Mode : Tunnel to Wireless Controller
IP / Netmask : 192.168.2XX.254/24

Exercise 3 Create the Firewall Policy
1. Select Create New to add a Wireless-to-Internet policy that allows Wireless users to access
the Internet.
Policy Type : Firewall
Policy Subtype : Address
Source Interface/Zone : Wifi_Guest
Source Address : all
Destination Interface/Zone : wan1
Destination Address : all
Schedule : always
Service : ANY
Action : ACCEPT

2. Select Enable NAT and Use Destination Interface Address.

Exercise 4 Create an administrator and manage the guest
accounts
1. Go to System > Admin > Administrators and select Create New.
Administrator : adminguests
Password : fortinet
2. Select Restrict Provision Guest Accounts and select the group Grp-Wifi-Guests.
3. Click OK.
4. Log out of the Web UI and log in with the account: adminguests.
5. Alternatively, with the admin account, go to User & Device > User > Guests Management.
6. To create a new guest account, click Create New, complete the requested fields and click OK.

7. The guest user is created; you can print the credentials or send them by email.
