Scribd Logo
Upload

Welcome to Scribd!

  • 13 views

    Labs Formation Wifi 5.01 v2.0

    Uploaded by

    aripang
    This document provides a guide for setting up secure wireless access on a FortiGate unit using a FortiAP unit. It outlines exercises to configure a wireless network with WPA2-Personal authentication initially, then modify it to use WPA2-Enterprise authentication by creating user accounts and a wireless user group. The exercises walk through steps to set up the wireless controller, SSID, AP profile, manage the FortiAP, firewall policies, and packet capture to view the FortiAP discovery process.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    Labs Formation Wifi 5.01 v2.0

    Uploaded by

    aripang
    13 views12 pages
    This document provides a guide for setting up secure wireless access on a FortiGate unit using a FortiAP unit. It outlines exercises to configure a wireless network with WPA2-Personal authentication initially, then modify it to use WPA2-Enterprise authentication by creating user accounts and a wireless user group. The exercises walk through steps to set up the wireless controller, SSID, AP profile, manage the FortiAP, firewall policies, and packet capture to view the FortiAP discovery process.

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    This document provides a guide for setting up secure wireless access on a FortiGate unit using a FortiAP unit. It outlines exercises to configure a wireless network with WPA2-Personal authentication initially, then modify it to use WPA2-Enterprise authentication by creating user accounts and a wireless user group. The exercises walk through steps to set up the wireless controller, SSID, AP profile, manage the FortiAP, firewall policies, and packet capture to view the FortiAP discovery process.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    13 views12 pages

    Labs Formation Wifi 5.01 v2.0

    Uploaded by

    aripang
    This document provides a guide for setting up secure wireless access on a FortiGate unit using a FortiAP unit. It outlines exercises to configure a wireless network with WPA2-Personal authentication initially, then modify it to use WPA2-Enterprise authentication by creating user accounts and a wireless user group. The exercises walk through steps to set up the wireless controller, SSID, AP profile, manage the FortiAP, firewall policies, and packet capture to view the FortiAP discovery process.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    of 12

    2013 Fortinet Business-Grade Wireless

    FortiGate Multi-Threat Security Systems


    Wifi Controler & FortiAP

    Student Lab Guide


    Course (5.0.1) v2.00
    Lab 1 Setting up secure wireless on your
    FortiGate unit using a FortiAP unit
    Objectives
    Problem – a FortiGate unit provides your office with wired networking, but employees also use laptops
    and mobile devices. These devices need secure Wireless access to both the office network and the
    Internet.
    What is a good solution for a small number of users with no access to Windows Active Directory?
    Solution – set up a Wireless network with WPA-Personal authentication.
    Using the Wireless Controller feature on your FortiGate unit, configure a Wireless network. Then
    connect a FortiAP unit and authorize it to carry your Wireless network.
    On your Wireless network, use DHCP to assign IP addresses to Wireless users, as most mobile devices
    are preconfigured to use DHCP.
    Use WPA2 security. As there is no authentication in place for the wired network and this is a small
    team in one place, WPA2-Personal security is appropriate.
    There will be one pre-shared key that users must know to access the Wireless network. Create security
    policies to enable the Wireless network to access both the office network and the Internet.
    Configure Wan2, an unused network interface on the FortiGate unit, to connect to the FortiAP unit.
    Connect the FortiAP unit to the Wan2 interface and wait for it to be discovered. Authorize the FortiAP
    unit.

    2
    Exercise 1 Initial Setup of FortiGate Device
    1. From your PC, open a RDP connection to your Windows XP VM : 192.168.251.X with the
    username userX and password fortinetX where X is your user number.
    2. Start a Putty session and double click on the shortcut : Console FortigateX (where X is your
    user number)
    3. At the FortiGate CLI login prompt, log in with username of admin (all lowercase). The default
    password on the device is blank.
    4. Reset the FortiGate device to factory defaults by typing the following command:
    exec factoryreset

    When asked to continue, type Y, press <enter>, and wait for the reset to complete.
    5. Log in to the CLI once again and type the following command to display status information
    about the FortiGate unit:
    get system status

    The output displays the FortiGate unit serial number, firmware build, operational mode, and
    additional settings.
    Confirm that the firmware build on the FortiGate unit is 5.0.1, the required version for this
    course.
    6. The next few steps are very important. You must set the country code in your wireless
    settings in order for your device to adhere to the local radio standards.
    First check the current setting:
    show full wireless-controller setting

    If the country code does not match the country you are in you will need to change it.
    To make this change you must first remove the WTP Profiles
    config wireless-controller wtp-profile
    purge
    This operation will clear all table!
    Do you want to continue? (y/n)y

    To delete all the profiles, then enter:


    end

    7. Next set the proper Geography Location, the importance of this will be explained in the
    presentation.
    Example:
    config wireless-controller setting
    set country FR
    end

    3
    Exercise 2 Create the SSID

    1. Go to WiFi Controller > WiFi Network > SSID and select Create New to define your wireless
    network:
    Interface Name : Wifi_UserX
    Status : enable
    Traffic Mode : Tunnel to wireless Controller
    IP / Netmask : 10.10.1XX.254 / 255.255.255.0
    Administrative Access : Ping

    2. Enable DHCP with the following settings:


    Address Range : 10.10.1XX.10-10.10.1XX.19
    Netmask : 255.255.255.0
    Default Gateway : Same as Interface IP
    DNS Server : Same as System DNS

    3. Configure the security settings as follows:


    SSID : Wifi_UserX
    Security Mode : WPA/WPA2-Personal
    Data Encryption : AES
    Pre-shared Key : fortinet

    4. Select OK

    4
    Exercise 3 Configure the Custom AP Profile
    1. Go to Wifi Controler > Managed Access Point > Custom AP Profile and click Create New
    2. Name : ProfileFAP220B
    Platform FAP220B/FAP221B/FAP223B
    3. Configure the Radio1

    4. Configure the Radio 2

    5. Click OK

    5
    Exercise 4 Manage The FortiAP
    1. Go to Wifi Controler > Managed Access Point > Managed FortiAP and select the FortiAP and
    edit it.
    2. State : click Authorize
    3. AP Profile : click [Change] and select the FAP220B-default AP Profile and click [Apply]
    4. Click OK
    5. You can configure the FortiAP via the web GUI. Browse the IP Address of the FortiAP.

    Exercise 5 Create firewall and security policy settings


    1. Go to Policy > Policy > Policy and select Create New to add a Wireless-to-Office network
    policy that allows Wireless users to access to the office network.
    Policy Type : Firewall
    Policy Subtype : Address
    Source Interface/Zone : Wifi_UserX
    Source Address : All
    Destination Interface/Zone : internal
    Destination Address : All
    Schedule : Always
    Service : ANY
    Action : ACCEPT

    Source NAT is not required for this policy since the Wireless and internal networks are visible to
    each other.

    2. Select Create New to add a Wireless-to-Internet policy that allows Wireless users to access
    the Internet.
    Policy Type : Firewall
    Policy Subtype : Address
    Source Interface/Zone : Wifi_UserX
    Source Address : all
    Destination Interface/Zone : wan1
    Destination Address : all
    Schedule : always
    Service : ANY
    Action : ACCEPT

    6
    3. Select Enable NAT and Use Destination Interface Address.

    4. Select OK.

    Exercise 6 Using the FortiGate packet sniffer to view the


    FortiAP discovery process
    1. Use the FortiGate unit’s built-in packet sniffer to view the discovery process.
    This is useful if you experience difficulty in getting the FortiGate unit to recognize the FortiAP
    unit.
    2. Browse the IP address of the FortiAP. (Admin / no password)
    3. In the WTP Configuration, for AC Discovery Type select Muticast.
    4. Click Apply
    5. Return to the FortiGate Web UI and go to System > Network > Packet Capture, Create a new
    packet capture onthe Internal Interface of the Fortigate.
    6. Run the Capture then reboot the FortiAP
    7. The FortiAP unit uses several methods to find a Wireless controller. Here are some examples
    of the request packets you should see. In our example we used multicast to discover the
    Wireless Controller address.
    8. Multicast Wireless controller discovery request:
    wan2 -- 192.168.8.2.5246 -> 224.0.1.140.5246: udp
    9. Note that this request is on the CAPWAP control port, 5246. The multicast IP address on the
    FortiAP unit and the Wireless controller is reconfigurable and must agree. The Wireless
    controller responds directly to the FortiAP unit in unicast on port 5246

    7
    Lab 2 Improving Wireless security with
    WPA-Enterprise security
    Problem – You set up a Wireless network with WPA- Personal security, but now you want better
    security with individual authentication for your users.
    Solution – Create user accounts and a wireless_users user group on the FortiGate unit. Modify your
    SSID to use WPA/WPA2- Enterprise security and authenticate users who belong to the wireless_users
    group.
    There is no longer a pre-shared key that could fall into the wrong hands or would need to be changed
    if someone left the group. Each user has an individual user name and password. Accounts can be
    added or removed as needed.

    Exercise 1 Create Wireless network user accounts


    1. Go to User & Device > User > User and select Create New to create a user account:
    • User Name : UserX
    • Password : fortinet
    Create additional user accounts as needed.
    2. Go to User & Device > User Group > User Group and select Create New to create a user
    group:
    • Name : wireless_users
    • Type: Firewall
    • Members Add UserX and the other employee accounts to the Members list.
    3. Select OK.

    Exercise 2 Change the SSID security settings


    1. Go to WiFi Controller > WiFi Network > SSID and edit the wifi-userX SSID object.

    2. Configure the security settings as follows:


    Security Mode : WPA/WPA2-Enterprise
    Data Encryption : AES
    Authentication : Usergroup
    Usergroup : wireless_users

    3. Select OK.

    4. Results – on your laptop or mobile device, reconnect to the wifi-userX SSID


    Unlike WPA/WPA2-Personal you will be prompted to enter your user name and password. Enter
    UserX as the user name and fortinet as the password.

    8
    If your device gives you additional options when configuring your profile, select Enterprise Sub-
    Type PEAP and disable server certificate validation. If you are required to use a CA certificate
    install the following certificate ‘UTN USERFirst Client’. Install the certificate for this CA in your
    mobile device.
    Once you have been authenticated, verify that you can connect to servers and other resources on
    your office network. Also verify that you can connect to the Internet.
    5. Go to Wireless Controller > Monitor > Client Monitor to view information about the clients that
    are connected to your Wireless network.
    Go to System > Monitor > DHCP Monitor to view information about the DHCP address allocation
    on the wifi-userX interface

    9
    Lab 3 Setting up and manage secure WiFi
    with a captive portal for guests

    Exercise 1 Create a User Group Guest


    1. Go to User & Device > User Group > User Group and select Create New to create a user
    group:

    Exercise 2 Create the SSID wifi-guests


    1. Go to WiFi Controller > WiFi Network > SSID and click Create new.
    Interface Name : Wifi-Guest
    Status : Enabled
    Traffic Mode : Tunnel to Wireless Controller
    IP / Netmask : 192.168.2XX.254/24

    10
    Exercise 3 Create the Firewall Policy
    1. Select Create New to add a Wireless-to-Internet policy that allows Wireless users to access
    the Internet.
    Policy Type : Firewall
    Policy Subtype : Address
    Source Interface/Zone : Wifi_Guest
    Source Address : all
    Destination Interface/Zone : wan1
    Destination Address : all
    Schedule : always
    Service : ANY
    Action : ACCEPT

    2. Select Enable NAT and Use Destination Interface Address.

    11
    Exercise 4 Create Administator and manage the guests
    account
    1. Go to System > Admin > Administrators and Create new.
    Administrator : adminguests
    Password: fortinet
    2. Select Restrict Provision Guest Accounts and select the group Grp-Wifi-Guests
    3. Click OK
    4. Log out from the WebUI and Log In with the account : adminguests
    5. Or with the admin account, go to User & Device > User > Guests Management
    6. To create a new guest account click Create New, Complete the request fields and Click OK

    7. The guest user is created, you can print or send by mail the credentials.

    12

    You might also like