
FortiWiFi and FortiAP Configuration Guide

Configuring security

An SSID supports the following security modes:

  • Open
  • Captive portal
  • Wi-Fi Protected Access version 2 (WPA2), WPA2-Personal and WPA2-Enterprise
  • WPA3-Enterprise
  • WPA3-Simultaneous Authentication of Equals (SAE)
  • WPA3-SAE Transition
  • Opportunistic Wireless Encryption (OWE)
  • OWE Transition
  • OSU Server-Only Authenticated L2 Encryption Network (OSEN)

WPA2 security with a pre-shared key for authentication is called WPA2-Personal. This can work well for one person or a small group of trusted people. But, as the number of users increases, it is difficult to distribute new keys securely and there is increased risk that the key could fall into the wrong hands.

A more secure form of WPA2 security is WPA2-Enterprise. Users each have their own authentication credentials, verified through an authentication server, usually RADIUS. FortiOS can also authenticate WPA2-Enterprise users through its built-in user group functionality. FortiGate user groups can include RADIUS servers and can select users by RADIUS user group. This makes possible Role-Based Access Control (RBAC).

By default, WPA2 security encrypts communication using Advanced Encryption Standard (AES). But some older wireless clients support only Temporal Key Integrity Protocol (TKIP). You can change the encryption to TKIP or negotiable TKIP-AES in the CLI. For example, to accommodate clients with either TKIP or AES, enter:

    config wireless-controller vap
        edit example_wlan
            set security wpa-personal
            set passphrase "hardtoguess"
            set encrypt TKIP-AES
        end

Captive portal security connects users to an open web portal defined in replacement messages. To navigate to any location beyond the web portal, the user must pass FortiGate user authentication.

WPA-Personal security

WPA2-Personal security setup requires only the preshared key that you will provide to your clients.

To configure WPA2-Personal security - GUI
  1. Go to WiFi & Switch Controller > SSID and edit your SSID entry.
  2. In Security Mode, select WPA2 Personal.
  3. In Pre-shared Key, enter a key between 8 and 63 characters long.
  4. Select OK.
To configure WPA2-Personal security - CLI

    config wireless-controller vap
        edit example_wlan
            set security wpa2-personal
            set passphrase "hardtoguess"
        end

WPA-Enterprise security

If you will use FortiOS user groups for authentication, go to User & Device > User > User Groups and create those groups first. The groups should be Firewall groups.

If you will use a RADIUS server to authenticate wireless clients, you must first configure the FortiGate unit to access the RADIUS server.

To configure FortiGate unit access to the RADIUS server - GUI
  1. Go to User & Device > RADIUS Servers and select Create New.
  2. Enter a Name for the server. In the Primary Server area, enter:
    • IP/Name — the network name or IP address for the server.
    • Secret — the shared secret used to access the server.
  3. Optionally, enter the information for a secondary or backup RADIUS server.
  4. Select OK.
To configure the FortiGate unit to access the RADIUS server - CLI

    config user radius
        edit exampleRADIUS
            set auth-type auto
            set server 10.11.102.100
            set secret aoewmntiasf
        end

RADIUS Change of Authorization (CoA) support

The CoA feature enables the FortiGate to receive a client disconnect message from the RADIUS server. This is used to disconnect clients when their time, credit or bandwidth has been used up. Enable this on the FortiGate's RADIUS server entry using the CLI:

    config user radius
        edit <name>
            set radius-coa enable
        end

To configure WPA-Enterprise security - GUI
  1. Go to WiFi & Switch Controller > SSID and edit your SSID entry.
  2. In Security Mode, select WPA2 Enterprise.
  3. In Authentication, do one of the following:
    • If you will use a RADIUS server for authentication, select RADIUS Server and then select the RADIUS server.
    • If you will use a local user group for authentication, select Local and then select the user group(s) permitted to use the wireless network.
  4. Select OK.
To configure WPA-Enterprise security - CLI

    config wireless-controller vap
        edit example_wlan
            set security wpa2-enterprise
            set auth radius
            set radius-server exampleRADIUS
        end

Captive portal security

Captive portal security provides an access point that initially appears open. The wireless client can connect to the AP with no security credentials. The AP responds to the client’s first HTTP request with a web page requesting user name and password. Until the user enters valid credentials, no communication beyond the AP is permitted.

The captive portal can be hosted on the FortiGate unit, or externally. For details, see Configuring WiFi captive portal security - FortiGate captive portal and Configuring WiFi captive portal security - external server.

For general information about captive portals, see the Captive Portal chapter of the Authentication Guide.

Configuring WiFi captive portal security - FortiGate captive portal

The built-in FortiGate captive portal is simpler than an external portal. It can even be customized if needed.

To configure a WiFi Captive Portal - GUI:
  1. Go to WiFi & Switch Controller > SSID and create your SSID.
    If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.
  2. In Security Mode, select Captive Portal.
  3. Enter the following settings:
    • Portal Type: the portal can provide authentication and/or disclaimer, or perform user email address collection.
    • Authentication Portal: Local.
    • User Groups: select permitted user groups or select Use Groups from Policies, which permits the groups specified in the security policy.
    • Exempt List: select exempt lists whose members will not be subject to captive portal authentication.
    • Customize Portal Messages: click the link of the portal page that you want to modify. For more information see the Captive Portal chapter of the Authentication Guide.
  4. Select OK.

Configuring WiFi captive portal security - external server

An external captive portal is a web page on a web server. The essential part of the web portal page is a script that gathers the user’s logon credentials and sends back to the FortiGate a specifically-formatted POST message. The portal page can also contain links to local information such as legal notices, terms of service and so on. Without authenticating, the user cannot access any other information. This is sometimes called a “walled garden”.

On the captive portal page, the user submits credentials, which the script returns to the FortiGate at the URL https://<FGT_IP>:1000/fgtauth with data
magic=session_id&username=<username>&password=<password>.
(The magic value was provided in the initial FortiGate request to the web server.)

To ensure that credentials are communicated securely, enable the use of HTTPS for authentication:

    config user setting
        set auth-secure-http enable
    end
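The exchange described above, as an added example that is not Fortinet's code: the portal side extracts the magic value from the URL the FortiGate redirected the client to, renders a login form that POSTs magic, username and password to https://<FGT_IP>:1000/fgtauth, and checks a body in that format. The query parameter name "magic" in the redirect and the hostname 192.0.2.1 are assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit

FGTAUTH_PORT = 1000  # port of the fgtauth endpoint named on this page


def extract_magic(redirect_url: str) -> str:
    """Return the one-time 'magic' value from the URL the FortiGate redirected
    the client to. The page says only that the FortiGate supplies this value in
    its initial request; the query parameter name 'magic' is an assumption."""
    values = parse_qs(urlsplit(redirect_url).query).get("magic", [])
    if len(values) != 1 or not values[0]:
        raise ValueError("redirect must carry exactly one non-empty magic value")
    return values[0]


def fgtauth_url(fgt_host: str) -> str:
    """The endpoint credentials must be returned to, always over https.
    fgt_host is the reachable FortiGate address (<FGT_IP> on the page)."""
    if not fgt_host or "/" in fgt_host or ":" in fgt_host:
        raise ValueError("fgt_host must be a bare hostname or IPv4 address")
    return f"https://{fgt_host}:{FGTAUTH_PORT}/fgtauth"


def render_login_form(redirect_url: str, fgt_host: str) -> str:
    """Build the portal page: a form whose POST goes to fgtauth with the fields
    magic, username and password in the body, not in the URL. The magic value
    is HTML-escaped before it is reflected into the page."""
    magic = html.escape(extract_magic(redirect_url), quote=True)
    action = html.escape(fgtauth_url(fgt_host), quote=True)
    return (
        "<!doctype html><html><body>"
        f'<form method="post" action="{action}">'
        f'<input type="hidden" name="magic" value="{magic}">'
        '<label>Username <input name="username" autocomplete="username"></label>'
        '<label>Password <input type="password" name="password" '
        'autocomplete="current-password"></label>'
        '<button type="submit">Log in</button>'
        "</form></body></html>"
    )


def parse_fgtauth_body(body: str) -> dict:
    """Decode a body in the page's format magic=...&username=...&password=...
    and require each of the three fields exactly once. Handy for checking a
    portal script's output before pointing it at a real FortiGate."""
    fields = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    for name in ("magic", "username", "password"):
        if len(fields.get(name, [])) != 1:
            raise ValueError(f"field {name!r} must appear exactly once")
    return {key: value[0] for key, value in fields.items()}
```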

To configure use of an external WiFi Captive Portal - GUI:
  1. Go to WiFi & Switch Controller > SSID and create your SSID.
    If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.
  2. In Security Mode, select Captive Portal.
  3. Enter the following settings:
    • Portal Type: the portal can provide authentication and/or disclaimer, or perform user email address collection.
    • Authentication Portal: External. Enter the FQDN or IP address of the external portal. Typically, this is the URL of a script. Do not include the protocol (http:// or https://) part of the URL.
    • User Groups: select permitted user groups or select Use Groups from Policies, which permits the groups specified in the security policy.
    • Exempt List: select exempt lists whose members will not be subject to captive portal authentication.
    • Redirect after Captive Portal: Original Request, or Specific URL (enter the URL).
  4. Select OK.

Adding a MAC filter

On each SSID or FortiAP, you can create a MAC address filter list to either permit or exclude a list of clients identified by their MAC addresses.

This is actually not as secure as it appears. Someone seeking unauthorized access to your network can obtain MAC addresses from wireless traffic and use them to impersonate legitimate users. A MAC filter list should only be used in conjunction with other security measures such as encryption.

To block a specific client from connecting to an SSID using a MAC filter - CLI
  1. Create a wireless controller address with the client's MAC address, and set the policy to deny:

    config wireless-controller address
        edit "client_1"
            set mac b4:ae:2b:cb:d1:72
            set policy deny
        next
    end

  2. Create a wireless controller address group using the above address, and set the default policy to allow:

    config wireless-controller addrgrp
        edit mac_grp
            set addresses "client_1"
            set default-policy allow
        next
    end

  3. On the VAP, select the above address group:

    config wireless-controller vap
        edit wifi-vap
            set ssid "Fortinet-psk"
            set security wpa2-only-personal
            set passphrase fortinet
            set address-group "mac_grp"
        next
    end

The client's MAC address (b4:ae:2b:cb:d1:72 in this example) will be denied a connection to the SSID (Fortinet-psk), but other clients (such as e0:33:8e:e9:65:01) will be allowed to connect.

To allow a specific client to connect to an SSID using a MAC filter - CLI
  1. Create a wireless controller address with the client's MAC address, and set the policy to allow:

    config wireless-controller address
        edit "client_1"
            set mac b4:ae:2b:cb:d1:72
            set policy allow
        next
    end

  2. Create a wireless controller address group using the above address, and set the default policy to deny:

    config wireless-controller addrgrp
        edit mac_grp
            set addresses "client_1"
            set default-policy deny
        next
    end

  3. On the VAP, select the above address group:

    config wireless-controller vap
        edit wifi-vap
            set ssid "Fortinet-psk"
            set security wpa2-only-personal
            set passphrase fortinet
            set address-group "mac_grp"
        next
    end

The client's MAC address (b4:ae:2b:cb:d1:72 in this example) will be allowed to connect to the SSID (Fortinet-psk), but other clients (such as e0:33:8e:e9:65:01) will be denied a connection.
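The two SSID procedures above (deny one client with default allow, and allow one client with default deny) evaluated in code, as an added example that is not Fortinet's code: a small parser for the flat config/edit/set/next/end blocks shown on this page, plus the decision rule the text describes (a matching address entry's own policy wins, otherwise the group's default-policy applies). The sample configuration is constructed from the page's own values; MAC normalization to the lowercase colon form is an assumption about how clients may be written.

```python
import re
import shlex

# Constructed sample: the address and address-group blocks from the
# "block a specific client" procedure above, in FortiOS CLI form.
DENY_ONE_CLIENT = """
config wireless-controller address
    edit "client_1"
        set mac b4:ae:2b:cb:d1:72
        set policy deny
    next
end
config wireless-controller addrgrp
    edit mac_grp
        set addresses "client_1"
        set default-policy allow
    next
end
"""
# The "allow a specific client" procedure flips both policies.
ALLOW_ONE_CLIENT = DENY_ONE_CLIENT.replace(
    "set policy deny", "set policy allow").replace(
    "set default-policy allow", "set default-policy deny")


def parse_fortios_cli(text: str) -> dict:
    """Parse flat config/edit/set/next/end blocks into {table: {entry: {key: values}}}.
    Values follow FortiOS quoting, so 'set addresses "a" "b"' gives ['a', 'b']."""
    tables: dict = {}
    table = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        word, _, rest = line.partition(" ")
        if word == "config":
            if table is not None:
                raise ValueError("nested config blocks are not handled here")
            table = rest
            tables.setdefault(table, {})
        elif word == "edit" and table is not None:
            entry = shlex.split(rest)[0]
            tables[table].setdefault(entry, {})
        elif word == "set" and entry is not None:
            key, _, value = rest.partition(" ")
            tables[table][entry][key] = shlex.split(value)
        elif line == "next":
            entry = None
        elif line == "end":
            table = entry = None
        else:
            raise ValueError(f"unexpected line: {line!r}")
    return tables


def normalize_mac(mac: str) -> str:
    """Accept colon, hyphen or dotted notation; return the lowercase colon form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def mac_filter_decision(config: dict, group_name: str, client_mac: str) -> str:
    """'allow' or 'deny' as the page describes: a matching address entry's own
    policy wins, otherwise the address group's default-policy applies."""
    group = config["wireless-controller addrgrp"][group_name]
    addresses = config["wireless-controller address"]
    wanted = normalize_mac(client_mac)
    for name in group.get("addresses", []):
        entry = addresses[name]
        if normalize_mac(entry["mac"][0]) == wanted:
            return entry["policy"][0]
    return group["default-policy"][0]
```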

To block a specific client from connecting to a WTP or FortiAP - CLI

    config wireless-controller wtp-profile
        edit "FAP-profile"
            config deny-mac-list
                edit 1
                    set mac 00:09:11:ef:37:67
                next
            end
        end

You can log in to the FortiAP CLI to see the list of denied MAC addresses with the following command:

    cw_diag -c deny-mac-list

    WTP Configured Access Control List:
    00:09:11:ef:37:67
    ---------------Total 1 MAC entries----------------

You can also see the denied event recorded from the FortiGate wireless event log.

Limiting the number of clients

You might want to prevent overloading of your access point by limiting the number of clients who can associate with it at the same time. Limits can be applied per SSID, per AP, or per radio.

To limit the number of clients per SSID - GUI
  1. Go to WiFi & Switch Controller > SSID and edit your SSID.
  2. Turn on Maximum Clients and enter the maximum number of clients in Limit Concurrent WiFi Clients.
To limit the number of clients per AP - CLI

Edit the wtp-profile (FortiAP profile), like this:

    config wireless-controller wtp-profile
        edit "FAP221C-default"
            set max-clients 30
        end

To limit the number of clients per radio - CLI

Edit the wtp-profile (FortiAP profile), like this:

    config wireless-controller wtp-profile
        edit "FAP221C-default"
            config radio-1
                set max-clients 10
            end
            config radio-2
                set max-clients 30
            end
        end

Enabling multicast enhancement

FortiOS can translate multicast traffic into unicast traffic to send to clients, maintaining its own list of multicast clients through IGMP snooping. You can configure this in the CLI:

    config wireless-controller vap
        edit example_wlan
            set multicast-enhance enable
            set me-disable-thresh 32
        end

If the number of clients on the SSID is larger than me-disable-thresh, multicast enhancement is disabled.
