Configuring security
An SSID supports the following security modes:
- Open
- Captive portal
- Wi-Fi Protected Access version 2 (WPA2), WPA2-Personal and WPA2-Enterprise
- WPA3-Enterprise
- WPA3-Simultaneous Authentication of Equals (SAE)
- WPA3-SAE Transition
- Opportunistic Wireless Encryption (OWE)
- OWE Transition
- OSU Server-Only Authenticated L2 Encryption Network (OSEN)
WPA2 security with pre-shared keys (PSK) for authentication is called WPA2-Personal. This can work well for one person or a group of trusted people. But, as the number of users increases, it is difficult to distribute new keys securely and there is increased risk that the key could fall into the wrong hands.
A more secure form of WPA2 security is WPA2-Enterprise. Users each have their own authentication credentials, verified through an authentication server, usually RADIUS. FortiOS can also authenticate WPA2-Enterprise users through its built-in user group functionality. FortiGate user groups can include RADIUS servers and can select users by RADIUS user group. This makes possible Role-Based Access Control (RBAC).
By default, WPA2 security encrypts communication using Advanced Encryption Standard (AES). But some older wireless clients support only Temporal Key Integrity Protocol (TKIP). You can change the encryption to TKIP or negotiable TKIP-AES in the CLI. TKIP is a deprecated cipher with known weaknesses, so enable it only for the legacy clients that require it and keep the AES-only default on every other SSID. For example, to accommodate clients with either TKIP or AES, enter:
config wireless-controller vap
edit example_wlan
set security wpa-personal
set passphrase "hardtoguess"
set encrypt TKIP-AES
end
Captive portal security connects users to an open web portal defined in replacement messages. To navigate to any location beyond the web portal, the user must pass FortiGate user authentication.
WPA-Personal security
WPA2-Personal security setup requires a pre-shared key (PSK) that you provide to clients. You can select between creating a single PSK or batch generating multiple pre-shared keys (MPSK).
Configuring WPA2-Personal security with a single PSK
To configure WPA2-Personal security with a single PSK - GUI
- Go to WiFi and Switch Controller > SSIDs and edit your SSID entry.
- In Security Mode, select WPA2 Personal.
- In Pre-shared Key, select Single as the PSK mode.
- Enter a key between 8 and 63 characters long.
- Select OK.
To configure WPA2-Personal security - CLI
config wireless-controller vap
edit example_wlan
set security wpa2-personal
set passphrase "hardtoguess"
end
Configuring WPA2-Personal security with MPSK
You can batch generate or import MPSK keys, export MPSK keys to a CSV file, dynamically assign VLANs based on used MPSK, and apply an MPSK schedule in the GUI.
In the GUI, MPSK key entries are organized in different MPSK groups. An MPSK group can be created manually or imported. When MPSK is enabled, the previous single passphrase is dropped and a dynamic VLAN is automatically enabled.
In the CLI, an mpsk-profile is assigned in the VAP settings and MPSK is enabled. The dynamic VLAN is automatically enabled. Only one MPSK profile can be assigned to one VAP at a time.
To configure WPA2-Personal security with an MPSK group - GUI
- Go to WiFi and Switch Controller > SSIDs and edit your SSID entry.
- In Security Mode, select WPA2 Personal.
- In Pre-shared Key, select Multiple as the PSK mode.
- In the table, click Add > Create Group.
- Enter a group name and VLAN ID.
- Configure the pre-shared key settings:
- In the table, click Add > Generate Keys.
- Configure the settings as needed and click OK.
- Click OK to close the Pre-shared Key Group window.
- Click OK.
You can go to WiFi and Switch Controller > WiFi Clients to view the MPSK name in the Pre-shared Key column.
To use an MPSK profile in the CLI
- Configure the MPSK profile (the passphrases below appear in the encrypted ENC form that the CLI displays; enter plaintext passphrases when you configure the keys):
config wireless-controller mpsk-profile
edit "wifi-mpsk"
config mpsk-group
edit "group-a"
set vlan-type fixed-vlan
set vlan-id 10
config mpsk-key
edit "key-a-1"
set passphrase ENC
set mpsk-schedules "always"
next
end
next
edit "group-b"
set vlan-type fixed-vlan
set vlan-id 20
config mpsk-key
edit "key-b-1"
set passphrase ENC
set concurrent-client-limit-type unlimited
set mpsk-schedules "always"
next
end
next
end
next
end
- Configure the VAP settings:
config wireless-controller vap
edit "wifi-mpsk"
set ssid "wifi-mpsk"
set local-bridging enable
set schedule "always"
set mpsk-profile "wifi-mpsk"
set dynamic-vlan enable
next
end
- Verify the event log after the WiFi client is connected:
1: date=2020-07-10 time=16:57:20 logid="0104043573" type="event" subtype="wireless" level="notice" vd="root" eventtime=1594425440439070726 tz="-0700" logdesc="Wireless client authenticated" sn="FP423E3X16000320" ap="FP423E3X16000320" vap="wifi-mpsk" ssid="wifi-mpsk" radioid=2 user="N/A" group="N/A" stamac="3c:2e:ff:83:91:33" srcip=10.0.10.2 channel=144 radioband="802.11ac" signal=-52 snr=50 security="WPA2 Personal" encryption="AES" action="client-authentication" reason="Reserved 0" mpsk="key-a-1" msg="Client 3c:2e:ff:83:91:33 authenticated."
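The following is an added example, not code from this page or from Fortinet. It builds a multi-group MPSK profile with randomly generated passphrases, renders it in the mpsk-profile CLI syntax shown above, and then checks a wireless event log line to confirm which key, and therefore which VLAN, a client authenticated with. The group and key names are the page's examples; the log line is a shortened copy of the one above, and the 20-character passphrase length is an assumption.

```python
"""Added example (not Fortinet's code): generate an MPSK profile, render it as
FortiOS CLI, and map a client-authentication event back to its key and VLAN."""
import re
import secrets
import string

PASSPHRASE_CHARS = string.ascii_letters + string.digits


def new_passphrase(length: int = 20) -> str:
    """Random WPA2-Personal passphrase; valid length is 8 to 63 characters."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrase must be 8-63 characters long")
    return "".join(secrets.choice(PASSPHRASE_CHARS) for _ in range(length))


def build_profile(name: str, groups: dict) -> dict:
    """groups maps group name -> (vlan_id, [key names]); one passphrase per key."""
    profile = {"name": name, "groups": {}}
    for gname, (vlan_id, key_names) in groups.items():
        if not 1 <= vlan_id <= 4094:
            raise ValueError(f"{gname}: VLAN ID {vlan_id} out of range")
        profile["groups"][gname] = {
            "vlan": vlan_id,
            "keys": {k: new_passphrase() for k in key_names},
        }
    return profile


def render_cli(profile: dict) -> str:
    """FortiOS CLI for config wireless-controller mpsk-profile (fixed VLAN per group)."""
    out = ["config wireless-controller mpsk-profile",
           f'    edit "{profile["name"]}"',
           "        config mpsk-group"]
    for gname, group in profile["groups"].items():
        out += [f'            edit "{gname}"',
                "                set vlan-type fixed-vlan",
                f'                set vlan-id {group["vlan"]}',
                "                config mpsk-key"]
        for kname, passphrase in group["keys"].items():
            out += [f'                    edit "{kname}"',
                    f'                        set passphrase "{passphrase}"',
                    '                        set mpsk-schedules "always"',
                    "                    next"]
        out += ["                end", "            next"]
    out += ["        end", "    next", "end"]
    return "\n".join(out)


# FortiOS event logs are key=value pairs; values containing spaces are quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(line: str) -> dict:
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def client_assignment(profile: dict, line: str):
    """Return (group, vlan) for the mpsk= key in an authentication event, else None."""
    fields = parse_log(line)
    if fields.get("action") != "client-authentication":
        return None
    key = fields.get("mpsk")
    for gname, group in profile["groups"].items():
        if key in group["keys"]:
            return gname, group["vlan"]
    return None


# Shortened copy of the event log line shown on this page.
SAMPLE_LOG = (
    'logdesc="Wireless client authenticated" vap="wifi-mpsk" ssid="wifi-mpsk" '
    'user="N/A" stamac="3c:2e:ff:83:91:33" srcip=10.0.10.2 security="WPA2 Personal" '
    'encryption="AES" action="client-authentication" reason="Reserved 0" '
    'mpsk="key-a-1" msg="Client 3c:2e:ff:83:91:33 authenticated."'
)

if __name__ == "__main__":
    prof = build_profile("wifi-mpsk", {"group-a": (10, ["key-a-1"]),
                                       "group-b": (20, ["key-b-1"])})
    print(render_cli(prof))
    print(client_assignment(prof, SAMPLE_LOG))  # ('group-a', 10)
```

Paste the rendered block into the CLI, then use client_assignment over the wireless event log to confirm that each station landed in the VLAN its key is meant for; a key that does not resolve to any group is a sign that a stale or unknown passphrase is still in circulation.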
WPA-Enterprise security
If you will use FortiOS user groups for authentication, go to User & Device > User > User Groups and create those groups first. The groups should be Firewall groups.
If you will use a RADIUS server to authenticate wireless clients, you must first configure the FortiGate unit to access the RADIUS server.
To configure FortiGate unit access to the RADIUS server - GUI
- Go to User & Device > RADIUS Servers and select Create New.
- Enter a Name for the server.
- In the Primary Server area:
  - IP/Name: enter the network name or IP address for the server.
  - Secret: enter the shared secret used to access the server.
- Optionally, in the Secondary Server area, enter the information for a secondary or backup RADIUS server.
- Select OK.
To configure the FortiGate unit to access the RADIUS server - CLI
config user radius
edit exampleRADIUS
set auth-type auto
set server 10.11.102.100
set secret aoewmntiasf
end
RADIUS Change of Authorization (CoA) support
The CoA feature enables the FortiGate to receive a client disconnect message from the RADIUS server. This is used to disconnect clients when their time, credit or bandwidth has been used up. Enable it in the RADIUS server entry on the FortiGate using the CLI:
config user radius
edit <name>
set radius-coa enable
end
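What the RADIUS server sends once radius-coa is enabled is an RFC 5176 Disconnect-Request, and the FortiGate answers with a Disconnect-ACK or Disconnect-NAK authenticated under the same shared secret as the RADIUS server entry. The code below is an added example, not Fortinet's or any RADIUS server's code: it builds the request, simulates the NAS reply, and verifies the reply before trusting it. The shared secret is the page's example value; the username, station MAC and the UDP port (3799 is the RFC 5176 default) are assumptions.

```python
"""Added example (not Fortinet's code): RFC 5176 Disconnect-Request builder
and Disconnect-ACK/NAK verifier, using the page's example shared secret."""
import hashlib
import hmac
import os
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME, ATTR_CALLING_STATION_ID = 1, 31
COA_PORT = 3799                  # RFC 5176 default; assumed for the FortiGate
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; authenticator follows


def encode_attr(attr_type: int, value: bytes) -> bytes:
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1-253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(secret: bytes, identifier: int,
                             attrs: list[tuple[int, bytes]]) -> bytes:
    """Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = HEADER.pack(DISCONNECT_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def build_response(secret: bytes, request: bytes, code: int, attrs=()) -> bytes:
    """Simulates the NAS side (the FortiGate here):
    Response Authenticator = MD5(Code+ID+Length+RequestAuthenticator+Attributes+Secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = HEADER.pack(code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def check_response(secret: bytes, request: bytes, response: bytes) -> str:
    """Return "ACK" or "NAK" only if the reply is bound to our request and secret."""
    if len(response) < 20:
        raise ValueError("short RADIUS packet")
    code, identifier, length = HEADER.unpack(response[:4])
    if length != len(response) or identifier != request[1]:
        raise ValueError("identifier/length mismatch")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator (wrong secret or forged reply)")
    if code == DISCONNECT_ACK:
        return "ACK"
    if code == DISCONNECT_NAK:
        return "NAK"
    raise ValueError(f"unexpected code {code}")


def disconnect_client(secret: bytes, username: str, station_mac: str) -> bytes:
    """Disconnect-Request that names the session by User-Name and Calling-Station-Id."""
    return build_disconnect_request(secret, os.urandom(1)[0], [
        (ATTR_USER_NAME, username.encode()),
        (ATTR_CALLING_STATION_ID, station_mac.encode()),
    ])


if __name__ == "__main__":
    secret = b"aoewmntiasf"   # the page's example shared secret
    req = disconnect_client(secret, "alice", "3C-2E-FF-83-91-33")  # assumed session
    # To send: socket.socket(AF_INET, SOCK_DGRAM).sendto(req, (fortigate_ip, COA_PORT))
    ack = build_response(secret, req, DISCONNECT_ACK)
    print(check_response(secret, req, ack))  # ACK
```

RFC 5176 authenticates packets with an MD5 keyed hash over the shared secret and does not encrypt them, so a weak secret or an untrusted path between the RADIUS server and the FortiGate lets an attacker forge disconnects; use a long random secret and keep RADIUS and CoA traffic on a trusted management network or inside a tunnel.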
To configure WPA-Enterprise security - GUI
- Go to WiFi and Switch Controller > SSIDs and edit your SSID entry.
- In Security Mode, select WPA2 Enterprise.
- In Authentication, do one of the following:
- If you will use a RADIUS server for authentication, select RADIUS Server and then select the RADIUS server.
- If you will use a local user group for authentication, select Local and then select the user group(s) permitted to use the wireless network.
- Select OK.
To configure WPA-Enterprise security - CLI
config wireless-controller vap
edit example_wlan
set security wpa2-enterprise
set auth radius
set radius-server exampleRADIUS
end
Captive portal security
Captive portal security provides an access point that initially appears open. The wireless client can connect to the AP with no security credentials. The AP responds to the client’s first HTTP request with a web page requesting user name and password. Until the user enters valid credentials, no communication beyond the AP is permitted.
The captive portal can be hosted on the FortiGate unit, or externally. For details see:
- Configuring WiFi captive portal security - FortiGate captive portal
- Configuring WiFi captive portal security - external server
For general information about captive portals, see the Captive Portal chapter of the Authentication Guide.
Configuring WiFi captive portal security - FortiGate captive portal
The built-in FortiGate captive portal is simpler than an external portal. It can even be customized if needed.
To configure a WiFi Captive Portal - GUI:
- Go to WiFi and Switch Controller > SSIDs and create your SSID. If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.
- In Security Mode, select Captive Portal.
- Enter the following settings:
  - Portal Type: The portal can provide authentication and/or disclaimer, or perform user email address collection.
  - Authentication Portal: Local.
  - User Groups: Select permitted user groups or select Use Groups from Policies, which permits the groups specified in the security policy.
  - Exempt List: Select exempt lists whose members will not be subject to captive portal authentication.
  - Customize Portal Messages: Click the link of the portal page that you want to modify. For more information see the Captive Portal chapter of the Authentication Guide.
- Select OK.
Configuring WiFi captive portal security - external server
An external captive portal is a web page on a web server. The essential part of the web portal page is a script that gathers the user’s logon credentials and sends back to the FortiGate a specifically-formatted POST message. The portal page can also contain links to local information such as legal notices, terms of service and so on. Without authenticating, the user cannot access any other information. This is sometimes called a “walled garden”.
On the captive portal page, the user submits credentials, which the script returns to the FortiGate at the URL https://<FGT_IP>:1000/fgtauth with data
magic=session_id&username=<username>&password=<password>.
(The magic value was provided in the initial FortiGate request to the web server.)
To ensure that credentials are communicated securely, enable the use of HTTPS for authentication:
config user setting
set auth-secure-http enable
end
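As an added example (not Fortinet's code and not a script the page ships), here is the external portal page described above: it reads the magic value from the FortiGate's redirect, validates and HTML-escapes it, and returns a form that the browser POSTs directly to https://<FGT_IP>:1000/fgtauth with magic, username and password. The FortiGate address, the assumption that magic is 1 to 64 alphanumeric characters, and the listening port are assumptions; only the magic, username and password field names come from the page.

```python
"""Added example (not Fortinet's code): minimal external captive portal that
renders the credential form posting back to the FortiGate's fgtauth URL."""
import html
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

FGT_IP = "192.0.2.1"                            # assumed FortiGate address
FGT_AUTH_URL = f"https://{FGT_IP}:1000/fgtauth"
MAGIC_RE = re.compile(r"^[A-Za-z0-9]{1,64}$")   # assumed format of the magic value


def extract_magic(query: str):
    """Return the single magic value from the redirect query string, else None."""
    values = parse_qs(query).get("magic", [])
    if len(values) != 1 or not MAGIC_RE.match(values[0]):
        return None
    return values[0]


def build_login_form(query: str):
    """HTML whose form posts straight to the FortiGate; this server never sees the password.
    Returns None when magic is missing or malformed so nothing is reflected unchecked."""
    magic = extract_magic(query)
    if magic is None:
        return None
    return (
        "<!doctype html><html><head><title>Guest WiFi</title></head><body>"
        f'<form method="POST" action="{FGT_AUTH_URL}">'
        f'<input type="hidden" name="magic" value="{html.escape(magic, quote=True)}">'
        '<label>Username <input name="username" autocomplete="username"></label><br>'
        '<label>Password <input type="password" name="password" '
        'autocomplete="current-password"></label><br>'
        '<input type="submit" value="Log in"></form></body></html>'
    )


class PortalHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        page = build_login_form(urlparse(self.path).query)
        status, body = (200, page) if page else (400, "missing or malformed magic")
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.send_header("Cache-Control", "no-store")
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Terminate TLS in front of this (reverse proxy) so the redirect itself is protected.
    HTTPServer(("0.0.0.0", 8080), PortalHandler).serve_forever()
```

The portal only renders the form; the credentials travel from the browser to the FortiGate's HTTPS listener on port 1000 (auth-secure-http above), so the certificate the FortiGate presents there must be trusted by the clients, and the magic value must be treated as untrusted input because it is reflected into the page.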
To configure use of an external WiFi Captive Portal - GUI:
- Go to WiFi and Switch Controller > SSIDs and create your SSID. If the SSID already exists, you can edit the SSID or you can edit the WiFi interface in Network > Interfaces.
- In Security Mode, select Captive Portal.
- Enter the following settings:
  - Portal Type: The portal can provide authentication and/or disclaimer, or perform user email address collection.
  - Authentication Portal: External. Enter the FQDN or IP address of the external portal. Typically, this is the URL of a script. Do not include the protocol (http:// or https://) part of the URL.
  - User Groups: Select permitted user groups or select Use Groups from Policies, which permits the groups specified in the security policy.
  - Exempt List: Select exempt lists whose members will not be subject to captive portal authentication.
  - Redirect after Captive Portal: Original Request.
- Select OK.
Adding a MAC filter
On each SSID or FortiAP, you can create a MAC address filter list to either permit or exclude a list of clients identified by their MAC addresses.
This is actually not as secure as it appears. Someone seeking unauthorized access to your network can obtain MAC addresses from wireless traffic and use them to impersonate legitimate users. A MAC filter list should only be used in conjunction with other security measures such as encryption.
To block a specific client from connecting to an SSID using a MAC filter - CLI
- Create a wireless controller address with the client's MAC address, and set the policy to deny:
config wireless-controller address
edit "client_1"
set mac b4:ae:2b:cb:d1:72
set policy deny
next
end
- Create a wireless controller address group using the above address and setting the default policy to allow:
config wireless-controller addrgrp
edit mac_grp
set addresses "client_1"
set default-policy allow
next
end
- On the VAP, select the above address group:
config wireless-controller vap
edit wifi-vap
set ssid "Fortinet-psk"
set security wpa2-only-personal
set passphrase fortinet
set address-group "mac_grp"
next
end
The client's MAC address (b4:ae:2b:cb:d1:72 in this example) will be denied a connection to the SSID (Fortinet-psk), but other clients (such as e0:33:8e:e9:65:01) will be allowed to connect.
To allow a specific client to connect to an SSID using a MAC filter - CLI
- Create a wireless controller address with the client's MAC address, and set the policy to allow:
config wireless-controller address
edit "client_1"
set mac b4:ae:2b:cb:d1:72
set policy allow
next
end
- Create a wireless controller address group using the above address and setting the default policy to deny:
config wireless-controller addrgrp
edit mac_grp
set addresses "client_1"
set default-policy deny
next
end
- On the VAP, select the above address group:
config wireless-controller vap
edit wifi-vap
set ssid "Fortinet-psk"
set security wpa2-only-personal
set passphrase fortinet
set address-group "mac_grp"
next
end
The client's MAC address (b4:ae:2b:cb:d1:72 in this example) will be allowed to connect to the SSID (Fortinet-psk), but other clients (such as e0:33:8e:e9:65:01) will be denied a connection.
To block a specific client from connecting to a WTP or FortiAP - CLI
config wireless-controller wtp-profile
edit "FAP-profile"
config deny-mac-list
edit 1
set mac 00:09:11:ef:37:67
next
end
end
You can log in to the FortiAP CLI to see the list of denied MAC addresses with the following command:
cw_diag -c deny-mac-list
WTP Configured Access Control List:
00:09:11:ef:37:67
---------------Total 1 MAC entries----------------
You can also see the denied event recorded from the FortiGate wireless event log.
Limiting the number of clients
You might want to prevent overloading of your access point by limiting the number of clients who can associate with it at the same time. Limits can be applied per SSID, per AP, or per radio.
To limit the number of clients per SSID - GUI
- Go to WiFi and Switch Controller > SSIDs and edit your SSID.
- Turn on Maximum Clients and enter the maximum number of clients in Limit Concurrent WiFi Clients.
To limit the number of clients per AP- CLI
Edit the wtp-profile (FortiAP profile), like this:
config wireless-controller wtp-profile
edit "FAP221C-default"
set max-clients 30
end
To limit the number of clients per radio - CLI
Edit the wtp-profile (FortiAP profile), like this:
config wireless-controller wtp-profile
edit "FAP221C-default"
config radio-1
set max-clients 10
end
config radio-2
set max-clients 30
end
end
Enabling multicast enhancement
FortiOS can translate multicast traffic into unicast traffic to send to clients, maintaining its own list of multicast clients through IGMP snooping. You can configure this in the CLI:
config wireless-controller vap
edit example_wlan
set multicast-enhance enable
set me-disable-thresh 32
end
If the number of clients on the SSID is larger than me-disable-thresh, multicast enhancement is disabled.