203 Module 2 Wireless Controller
Course 203 - Fortinet Wireless Module 2 Wireless Controller
01-05002-RevA-0203-20130520
Fortinet Wireless
Course 203, Module 2 – Wireless Controller
© 2012 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or distributed to anyone without prior written consent of an authorized representative of Fortinet.
Objectives
• List the components and advantages of the FortiGate integrated wireless controller and the wireless solution
• Identify the key configuration requirements of an SSID
• Describe the purpose of the Virtual Access Point in the FortiOS configuration
• Describe the configuration of security and authentication settings for a wireless LAN
• Identify the purpose of MAC filtering
• Identify the managed AP topologies
• Identify the goals and describe the main phases of the CAPWAP protocol
Objectives
• Describe the basic access point configuration settings for a simple wireless LAN deployment
• Perform a wireless network deployment using equipment in a hands-on lab
The Fortinet WiFi Security Solution
Secure Access Points (FortiAP Secure AP, single or dual radio):
• 802.11n compliant, up to 900 Mbps throughput (aggregated traffic)
• 3x3 MIMO with 3 spatial streams: 450 Mbps / radio, or 2x2 MIMO with 2 spatial streams: 300 Mbps / radio
• Single or dual concurrent radio, 2.4 GHz / 5 GHz, 802.11 a/b/g/n
• Enterprise-class feature set, dedicated built-in air monitoring, internal or external antenna design, highest value at competitive price
FortiGates as Controllers (FortiGate platforms with integrated wireless controllers):
• 20+ platforms to meet any requirement
• Leverages the same models already on the market
• 10 Mbps to 40 Gbps wireless LAN capacity
• Programmable control & data planes, hardware-based cryptography
• Centralized management
Building the Secure Business Grade Wireless LAN
• Secure Wireless (infrastructure security) + Business Grade Wireless = Secure Business Grade Wireless
• Secure wireless access points with integrated wireless controller
• No additional licenses needed
Corporate Wi-Fi:
• Captive portal, 802.1X (RADIUS) / shared key
• Assign users and devices (BYOD) to their role
• Examines wireless traffic to remove threats
• True stateful firewall controls users/applications
• Identify applications and destinations of interest
• Reports on policy violations, application usage, destinations and PCI DSS
• Ensures business traffic has right of way
Extends Security Features to Wi-Fi
Each SSID appears as a Virtual Interface
Thin and Thick APs
FortiWiFi models (standalone thick AP):
• WiFi radio physically integrated into the FortiGate device
• One WiFi radio, targeted as AP with background scan or as dedicated rogue AP monitor
• IEEE 802.11 a/b/g/n on 60, 80
• Runs full FortiOS with VPN
• Ideal for distributed office space < 300 sq meters
FortiAP models (centrally managed thin AP):
• Requires a separate FortiGate as wireless controller
• Single or dual WiFi radio for simultaneous communication on the 2.4 GHz and 5 GHz bands, or simultaneous air monitor and AP, or mesh
• a/b/g/n bands standard
• Runs thin OS
• Ideal for larger indoor or outdoor installations, or existing customers looking for WiFi capability from existing FortiGates
802.11n Thin AP family
(Figure: FortiAP models arranged by throughput, from 1x1:1 through 2x2:2 "Performance" to 3x3:3 "Resiliency", by radio count, single or dual, and by placement, personal, outdoor or indoor. Models shown: FAP-320B, FAP-223B, FAP-220B, FAP-221B, FAP-222B, FAP-210B, FAP-112B, FAP-11C.)
Hardware Overview – FortiAP (Local)
FAP-112B: form factor wall mount, ceiling mount, indoor/outdoor; 1 radio; bands 2.4 GHz b/g/n; PoE 802.3af; Rx/Tx 1x1, single stream, 65 Mbps; 1 internal antenna; Ethernet 2x FE (one LAN and one WAN)
FAP-210B: form factor wall mount, ceiling mount; 1 radio; bands 2.4 or 5 GHz, switchable b/g/n or a/n; PoE 802.3af; Rx/Tx 1x2, single stream, 300 Mbps; 2 internal antennas; Ethernet 1x GbE copper
FAP-220B: form factor wall mount, ceiling mount; 2 radios; bands 1) 2.4 GHz b/g/n, 2) 2.4/5 GHz a/b/g/n, concurrent; PoE 802.3af; Rx/Tx 2x2, dual stream, 600 Mbps; 4 internal antennas; Ethernet 1x GbE copper
FAP-221B/223B*: form factor smoke detector; 2 radios; bands 1) 2.4 GHz b/g/n, 2) 2.4/5 GHz a/b/g/n, concurrent; PoE 802.3af; Rx/Tx 2x2, dual stream, 600 Mbps; antennas 4 internal / 4 external*; Ethernet 1x GbE copper
FAP-222B: form factor outdoor; 2 radios; bands 1) 2.4 GHz b/g/n, 2) 5 GHz a/n, concurrent; PoE 802.3at; Rx/Tx 2x2, dual stream, 600 Mbps; 4 external antennas; Ethernet 1x GbE copper
FAP-320B: form factor wall mount, ceiling mount; 2 radios; bands 1) 2.4 GHz b/g/n, 2) 2.4/5 GHz a/b/g/n, concurrent; PoE 802.3af; Rx/Tx 3x3, triple stream, 900 Mbps; 6 internal antennas; Ethernet 2x GbE copper
Hardware Overview – FortiAP (Remote)
FAP-11C: form factor wall plug; 1 radio; bands 2.4 GHz b/g/n; PoE NA; Rx/Tx 1x1, single stream, 65 Mbps; 1 internal antenna; Ethernet 2x FE
FAP-14C: form factor desktop/wall mount; 1 radio; bands 2.4 GHz b/g/n; PoE NA; Rx/Tx 1x1, single stream, 65 Mbps; 1 internal antenna; Ethernet 5x FE
FAP-28C: form factor desktop/wall mount; 1 radio; bands 2.4 or 5 GHz, switchable b/g/n or a/n; PoE NA; Rx/Tx 2x2, dual stream; 2 internal antennas; Ethernet 10x GE
Wireless Controller Configuration
• Make sure the FortiGate wireless controller is configured for your geographic location
• Optionally configure a custom Access Point (AP) profile
• Configure one or more SSIDs for your wireless network
• Optionally, configure the user group and users for authentication on the WLAN
• Configure the firewall policy for the WLAN
• Optionally, customize the captive portal
• Configure access points.
Wireless Controller Configuration
(Diagram: Virtual Access Point 1 and Virtual Access Point 2 carry the security settings; Access Point Profile 1 carries the radio settings; both are applied to the physical Access Point units.)
Configuring SSIDs
• The Virtual Access Point (VAP) interface is the interface used for traffic tunneled back to the wireless controller, and it includes the network settings of the interface.
Configuring SSIDs
• The SSID defined is associated with the VAP interface created.
» The security mode of the SSID is defined here.
Security Mode
• Wi-Fi Protected Access (WPA)
» Provides two methods of authentication:
• 802.1X (WPA-Enterprise)
• Pre-shared keys (WPA-Personal)
» Encrypts communications with:
• Advanced Encryption Standard (AES)
• Temporal Key Integrity Protocol (TKIP)
» WPA2 provides additional security improvements
• Captive Portal
• WEP
» Weak, hence CLI only.
Wireless Authentication
• Authentication methods apply to wireless networks the same as they do for wired
» Users can also be authenticated against local user groups on the FortiGate device
» External authentication servers (RADIUS, LDAP, TACACS+, Windows Active Directory) are also available
» For each wireless LAN, create a user group (or groups) and add the users who can access the WLAN
MAC Filtering
• Permit or exclude a list of clients based on the MAC address of their computer
• Should be used in conjunction with other security measures
» Unauthorized users could capture MAC addresses from network traffic and use them to impersonate legitimate users
• Configured on a per-SSID/VAP interface basis
• Used for devices that cannot perform a user authentication, such as a printer or a games console
Virtual Access Points (VAP)
• A Virtual Access Point defines the security settings that can be applied to one or more physical Access Points
• Each VAP creates its own virtual network interface on the FortiGate unit
• Define DHCP services, firewall policies and other settings for the wireless LAN
Virtual Access Point
• An SSID creates a Virtual Interface of type VAP
» This interface can then be used for firewalling, traffic inspection, QoS, …
Intra-SSID Privacy
• This feature benefits hotspot users by keeping their traffic private from other users on the same SSID
• Prevents man-in-the-middle attacks from other PCs on the same network
• Undesirable when you have other devices in the SSID you connect to, such as a wireless printer
Managed AP Topologies
Direct Connection
• FortiAP unit is connected directly to the FortiGate unit
Switched Connection
• FortiAP unit is connected to the wireless controller on the FortiGate unit by an Ethernet switch
• There must be a routable path between the FortiAP device and the FortiGate unit
Distributed
• WLAN mesh model
• WTPs repeat traffic over wireless neighbor nodes
Connection over WAN
• The wireless controller is off-site and connected by a VPN to a local AP
Full Mesh (diagram)
Full Mesh – LAN Bridge (diagram)
Full Mesh
• The mesh SSID replaces the wired distribution network between root and leaf APs
» Usually the backhaul SSID uses a dedicated radio, but a shared radio is also supported
» Default SSID fortinet.mesh.vdom
» The mesh SSID is bridged with the Ethernet port on the root AP
• The root AP has a wired connection back to the wireless controller
• When tunneling traffic back to the FortiGate, the leaf APs use the mesh SSID to reach the controller.
Full Mesh
• Automatically created VAP interface and SSID that is dedicated to the backhaul
• When the mesh SSID is enabled on an AP, it will accept requests from other APs configured to use it
• Wireless clients cannot connect to the mesh-backhaul SSID
• The default mesh SSID may be deleted and replaced with a new configuration.
Full Mesh
• AP uplink options (diagram)
Local Bridge
• Local bridge mode allows SSIDs to be centrally managed without backhauling the traffic to the wireless controller
• Traffic from the wireless is bridged to the local Ethernet port
» VLAN support increases the number of bridges from one
• Configured per SSID
» Bridge and tunnel mode SSIDs on the same AP are supported
• Configured in the Managed AP settings
» Local bridge, no DHCP settings in the SSID; local DHCP required
• It is also possible to bridge an SSID to a local port at the FortiGate device using a softswitch configuration
Local Bridge
• Local bridge SSID configuration (FortiOS CLI, config wireless-controller vap):
config wireless-controller vap
    edit "SSID-bridge"
        set vdom "root"
        set ssid "SSIDBridge"
        set security wpa-enterprise
        set auth radius
        set encrypt TKIP-AES
        set radius-server "FortiAuth"
        set local-bridging enable
    next
end
Local Bridge Traffic Flow (diagram)
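Added example, not code from the course deck or from Fortinet: a Python script that reads config wireless-controller vap entries in the CLI format shown above (as they appear in a FortiGate configuration backup) and reports, per SSID, the points the Security Mode, MAC Filtering and Local Bridge slides make: WEP or open security, TKIP still negotiable, MAC filtering used without a strong security mode, and local bridging. The sample configuration is constructed for the example, and the attribute names and values it checks (security open / wep64 / wep128, encrypt TKIP / TKIP-AES, mac-filter enable, the mac-filter-list sub-table) are assumed from the FortiOS 5 CLI, so confirm them against the CLI reference for your release.

```python
"""Audit SSIDs in FortiOS 'config wireless-controller vap' CLI output.
Added example for this module, not Fortinet tooling. Attribute names and
values are assumed from the FortiOS 5 CLI; check them against your release.
"""
import shlex
from typing import Dict, List

# Constructed sample: a fragment of a FortiGate backup with three SSIDs.
SAMPLE_CONFIG = """\
config wireless-controller vap
    edit "SSID-bridge"
        set vdom "root"
        set ssid "SSIDBridge"
        set security wpa-enterprise
        set auth radius
        set encrypt TKIP-AES
        set radius-server "FortiAuth"
        set local-bridging enable
    next
    edit "legacy-scanner"
        set ssid "Scanners"
        set security wep64
        set mac-filter enable
        config mac-filter-list
            edit 1
                set mac 00:11:22:33:44:55
            next
        end
    next
    edit "guest"
        set ssid "Guest"
        set security open
    next
end
"""

WEAK_MODES = {"open", "wep64", "wep128"}


def parse_vap_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {entry name: {attribute: value}} for the vap table only; sub-tables
    inside an entry (mac-filter-list here) and other config tables are skipped."""
    entries: Dict[str, Dict[str, str]] = {}
    in_vap = False   # inside 'config wireless-controller vap'
    current = None   # name of the 'edit' entry being read
    nested = 0       # depth of sub-tables inside the current entry
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)          # strips the quotes around values
        keyword, args = tokens[0], tokens[1:]
        if not in_vap:
            in_vap = keyword == "config" and args == ["wireless-controller", "vap"]
        elif nested:
            if keyword == "config":
                nested += 1
            elif keyword == "end":
                nested -= 1
        elif keyword == "edit" and args:
            current = args[0]
            entries.setdefault(current, {})
        elif keyword == "set" and current is not None and len(args) >= 2:
            entries[current][args[0]] = " ".join(args[1:])
        elif keyword == "config":
            nested = 1
        elif keyword == "next":
            current = None
        elif keyword == "end":
            in_vap = False
    return entries


def audit_vap(attrs: Dict[str, str]) -> List[str]:
    """Findings for one SSID, following the caveats the module itself states."""
    findings: List[str] = []
    security = attrs.get("security")
    encrypt = attrs.get("encrypt")
    if security in ("wep64", "wep128"):
        findings.append("WEP: weak, which is why the module leaves it CLI-only")
    elif security == "open":
        findings.append("open SSID: no link-layer encryption or authentication")
    if encrypt == "TKIP":
        findings.append("TKIP only: legacy cipher, prefer AES")
    elif encrypt == "TKIP-AES":
        findings.append("TKIP-AES: AES available but TKIP clients are still admitted")
    if attrs.get("mac-filter") == "enable" and (security is None or security in WEAK_MODES):
        findings.append("MAC filter is the main control: addresses can be captured from "
                        "traffic and impersonated, so pair it with a WPA/WPA2 mode")
    if attrs.get("local-bridging") == "enable":
        findings.append("local bridge: client traffic leaves the AP Ethernet port instead "
                        "of being tunneled to the controller")
    return findings


def audit_config(text: str) -> Dict[str, List[str]]:
    """Map each SSID entry name to its findings (an empty list means clean)."""
    return {name: audit_vap(attrs) for name, attrs in parse_vap_config(text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, *("  - " + f for f in findings or ["no findings"]), sep="\n")
```

Run it against the output of show wireless-controller vap from a FortiGate, or against a backup file, and treat each finding as a prompt to check the SSID against the security modes the deck recommends; the parser deliberately ignores every other table so it can be pointed at a whole backup.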
Local Bridge With VLAN Support (diagram)
Discover and Authorize FortiAP
• Configure the FortiGate Ethernet interface to which the AP will connect
• Configure DHCP service on the interface to which the AP will connect, if providing the APs' addresses via DHCP
• The AP requires its own address, independent of any wireless device connecting to the VAP (SSID)
• Connect the AP units and let the FortiGate unit discover them
• Authorize each discovered AP if you want to manage it from that controller; edit it to change its automatic settings or create a custom AP profile.
Controller Discovery
Broadcast request
• Controller and AP in the same broadcast domain
Multicast request
• Controller and AP do not need to be in the same broadcast domain if multicast routing is configured
• The default multicast destination IP address is 224.0.1.140
Static IP address
• Administrator specifies the controller's static IP address on the FortiAP unit
• Routing must be configured in both directions
DHCP
• Identifies the controller address when the AP's IP address is assigned
• Useful when the AP is on a remote site
• The IP address of the controller must be converted into hexadecimal in the DHCP option field
Configuring FortiAP using CLI
• The FortiAP unit has a CLI through which some configuration options can be set
• Login with user name admin and no password
• Display help
» cfg -h
• Make a configuration change
» cfg -a
• Save the configuration
» cfg -c
CAPWAP Wireless Controller and FortiAP Configuration
• A FortiAP unit can use any of four methods to locate a controller
• By default, FortiAP units cycle through all four of the discovery methods
• In most cases there is no need to make configuration changes on the FortiAP unit
• The next few slides look at these four methods.
Static IP
• By default, the FortiAP unit receives its IP address by DHCP
» You can assign the AP unit a static IP address.
» To assign a static IP address to the FortiAP unit:
• cfg -a ADDR_MODE=STATIC
• cfg -a AP_IPADDR="192.168.0.100"
• cfg -a AP_NETMASK="255.255.255.0"
• The AP unit sends a unicast discovery request message to the controller
» Routing must be properly configured in both directions.
» To specify the controller's IP address on a FortiAP unit:
• cfg -a AC_IPADDR_1="192.168.0.1"
Broadcast
• The AP unit broadcasts a discovery request message to the network and the controller replies
• The AP and the controller must be in the same broadcast domain. No configuration adjustments are required.
Multicast
• The AP unit sends a multicast discovery request and the controller replies with a unicast discovery response message
• The AP and the controller do not need to be in the same broadcast domain if multicast routing is properly configured
• The default multicast destination address is 224.0.1.140
» It can be changed through the CLI
» The address must be the same on the controller and the AP.
Multicast
• To change the multicast address on the controller:
» config wireless-controller global
» set discovery-mc-addr 224.0.1.250
» end
• To change the multicast address on a FortiAP unit:
» cfg -a AC_DISCOVERY_MC_ADDR="224.0.1.250"
DHCP
• If you use DHCP to assign an IP address to your FortiAP unit, you can also provide the WiFi controller IP address at the same time.
• When you configure the DHCP server, configure Option 138 to specify the WiFi controller IP address. You need to convert the address into hexadecimal. Convert each octet value separately from left to right and concatenate them.
» For example, 10.10.10.31 converts to 0A0A0A1F.
DHCP
• If Option 138 is used for some other purpose on your network, you can use a different option number if you configure the AP units to match.
• To change the FortiAP DHCP option code, to use option code 139 for example, enter:
» cfg -a AC_DISCOVERY_DHCP_OPTION_CODE=139
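Added example, not code from the course deck or from Fortinet: Python helpers that perform the Option 138 conversion described on the DHCP slides in both directions, so the value programmed into a DHCP server can be generated and then checked. It goes slightly beyond the slide's single-address case: RFC 5417 defines Option 138 as a list of CAPWAP controller IPv4 addresses, so the encoder accepts several controllers, and the decoder also tolerates the colon-separated form some DHCP servers display. The fortios_dhcp_option rendering of the FortiGate's own DHCP server syntax (config system dhcp server, config options, set code / set type hex / set value) is assumed from the FortiOS 5 CLI and does not appear on the slides; all addresses are constructed sample values.

```python
"""DHCP Option 138 (CAPWAP controller address) encode/decode helpers.
Added example for this module, not Fortinet tooling. The option value is the
controller IPv4 address(es) as concatenated hex octets, e.g. 10.10.10.31
becomes 0A0A0A1F, exactly as the DHCP slide describes.
"""
import ipaddress
from typing import List


def controllers_to_option_hex(controllers: List[str]) -> str:
    """Encode one or more controller IPv4 addresses as the Option 138 hex string.
    Each address contributes four upper-case hex octets; a malformed or IPv6
    address raises ValueError instead of producing a value the AP would misread."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    return "".join(ipaddress.IPv4Address(addr).packed.hex().upper() for addr in controllers)


def option_hex_to_controllers(value: str) -> List[str]:
    """Decode an Option 138 value back into dotted-quad addresses.
    Accepts the plain form (0A0A0A1F) and the colon-separated form some DHCP
    servers show (0a:0a:0a:1f); anything that is not a whole number of IPv4
    addresses, or not hex at all, raises ValueError."""
    cleaned = value.replace(":", "").replace(" ", "").strip()
    if not cleaned or len(cleaned) % 8:
        raise ValueError(f"option value {value!r} is not a multiple of 4 octets")
    raw = bytes.fromhex(cleaned)            # ValueError on non-hex characters
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


def fortios_dhcp_option(controllers: List[str], code: int = 138,
                        server_id: int = 1, option_id: int = 1) -> str:
    """Render FortiOS CLI lines that hand the controller address(es) to APs.
    Syntax assumed from the FortiOS 5 'config system dhcp server' table; 'code'
    must match AC_DISCOVERY_DHCP_OPTION_CODE on the FortiAP when Option 138 is
    already in use on the network and another code (for example 139) is chosen."""
    value = controllers_to_option_hex(controllers)
    return "\n".join([
        "config system dhcp server",
        f"    edit {server_id}",
        "        config options",
        f"            edit {option_id}",
        f"                set code {code}",
        "                set type hex",
        f'                set value "{value}"',
        "            next",
        "        end",
        "    next",
        "end",
    ])


if __name__ == "__main__":
    # Constructed sample addresses; the first matches the slide's example.
    print(controllers_to_option_hex(["10.10.10.31"]))               # 0A0A0A1F
    print(option_hex_to_controllers("0a:0a:0a:1f:c0:a8:00:01"))     # two controllers
    print(fortios_dhcp_option(["10.10.10.31"], code=139))
```

When a FortiAP does not find its controller via DHCP, decoding the value the server actually hands out (from a packet capture or the server's own configuration) with option_hex_to_controllers is a quicker check than re-reading the hex by eye.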
DHCP (figure slide)
Configuring FortiAP using CLI (figure slides)
FortiAP GUI
• Simplified provisioning for FortiAP with the addition of a GUI
Configuring a FortiWiFi unit as a WiFi AP
• FortiWiFi units running FortiOS 4.3 can also be deployed as managed APs controlled by a FortiGate unit wireless controller.
» In the CLI, enter:
• config system global
• set wireless-mode wtp
• end
» The feature was removed in FortiOS 5.0
» Unlike FortiAP units, a FortiWiFi unit deployed as an AP does not cycle through the discovery methods. You must select one discovery method to use:
• config wireless-controller global
• set ac-discovery-type dhcp
• end
CAPWAP Protocol Overview
• The CAPWAP protocol is a generic protocol defining AC (Wireless Controller) and WTP (FortiAP) control and data plane communication via a CAPWAP protocol transport mechanism
• CAPWAP stands for Control and Provisioning of Wireless Access Points
• CAPWAP carries control and data traffic via two channels
• CAPWAP Control messages, and optionally CAPWAP Data messages, are secured using Datagram Transport Layer Security (DTLS).
Goals of CAPWAP
• Centralize the authentication and policy enforcement functions for a wireless network
• Reduce cost and increase efficiency by applying the capabilities of network processing to the wireless network
• Move higher-level protocol processing from the WTP (FortiAP)
• Leave the time-critical applications of wireless control and access in the WTP (FortiAP)
• The emergence of centralized IEEE 802.11 Wireless Local Area Network (WLAN) architectures
• Simple IEEE 802.11 WTPs are managed by an Access Controller (FortiOS Wireless Controller).
CAPWAP Main Phases
• CAPWAP begins with a discovery phase: FortiAPs send a discovery request message
• Any Wireless Controller receiving the message responds with a discovery response message
• The FortiAP selects a Wireless Controller and establishes a secure DTLS session
• Configuration exchange occurs
» FortiAP may receive provisioning settings
» FortiAP is enabled for operation
• The Wireless Controller and FortiAP exchange is complete and the FortiAP is enabled
• In tunnel mode, client data frames are encapsulated between the FortiAP and the Wireless Controller
Lab
• FortiGate Secure Wireless Configuration using a FortiAP Device