Ownerless devices - IoT, MPSK and FortiLink NAC
The final type of devices to be concerned with are ones that do not have a user associated with them and/or do not support RADIUS, but only Pre-Shared Key associations. This category of devices, driven by the growth of the Internet of Things (IoT), has greatly expanded the attack surface of the network. They may be consumer-oriented devices like AppleTV, Roku, Amazon Echo, Smart TVs and others, or office appliances like printers, scanners, mobile credit card readers, etc., or operations devices like temperature sensors, door locks, and more. Using a single PSK for a large number of devices leaves many opportunities for the PSK to become known and exploited. Two FortiGate technologies are key in helping solve this problem: Multiple Pre-Shared Key (MPSK) and FortiLink NAC.
MPSK allows what is technically a Pre-Shared Key SSID to have a unique key and a specific VLAN associated with each individual client device. Keys can be pre-generated and locked to the specific device on first use so that no other device can use the same key. If a device is removed, the key can be deleted.
The same SSID can have multiple MPSK groups, with each group assigned a specific VLAN. Multiple PSKs solve the Layer 2 problem of not being able to keep a single authentication key private. However, the group VLAN assignment is central to the necessary security isolation.
VLAN isolation, FortiGate firewall policies, and network architecture make this simple to secure. For IoT devices belonging to the same MPSK group and VLAN, create firewall policies that allow only the traffic those devices require. This is typically only to their management server on campus or, often, a specific internet address.
Note that MPSK can provide an alternative to guest networking for long-term users such as contractors. Contractors can be assigned to a contractor VLAN with exactly the access they require while onsite, and their MPSKs can be deleted when they leave.
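The MPSK behaviour described above (a unique key per device, lock on first use, VLAN by group, deletion on departure), as an added Python model that is not Fortinet code or FortiGate configuration. The class, method names, group names and VLAN IDs are hypothetical, and the handshake matching a real controller performs is reduced here to a dictionary lookup.

```python
import secrets
import string

# WPA2-Personal passphrases are 8-63 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits


class MpskRegistry:
    """Toy model of one MPSK SSID: one key per device, one VLAN per group."""

    def __init__(self):
        self.group_vlan = {}   # group name -> VLAN ID
        self.keys = {}         # passphrase -> {"group", "label", "mac"}

    def add_group(self, group, vlan_id):
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1-4094")
        self.group_vlan[group] = vlan_id

    def issue_key(self, group, label, length=24):
        """Pre-generate a unique random key for one device."""
        if group not in self.group_vlan:
            raise KeyError(f"unknown group {group!r}")
        if not 8 <= length <= 63:
            raise ValueError("passphrase length must be 8-63")
        while True:
            psk = "".join(secrets.choice(ALPHABET) for _ in range(length))
            if psk not in self.keys:          # never hand out a duplicate
                break
        self.keys[psk] = {"group": group, "label": label, "mac": None}
        return psk

    def authenticate(self, psk, mac):
        """Return the VLAN for this client, or None if the key is rejected."""
        entry = self.keys.get(psk)
        if entry is None:
            return None                       # unknown or deleted key
        mac = mac.lower()
        if entry["mac"] is None:
            entry["mac"] = mac                # lock key to first device seen
        elif entry["mac"] != mac:
            return None                       # key presented by another device
        return self.group_vlan[entry["group"]]

    def revoke(self, psk):
        """Delete the key when the device or contractor leaves."""
        return self.keys.pop(psk, None) is not None
```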
FortiLink NAC is another approach available with Fortinet Security Driven Networking. FortiLink NAC dynamically assigns devices to VLANs based on selection criteria such as operating system, MAC address range, hardware vendor, and others. One advantage of FortiLink NAC is that it is not confined to PSK SSIDs and may prove useful for BYOD devices in conjunction with a RADIUS-based username/password scheme. When FortiLink NAC is used with an SSID, a device connects to the SSID, authenticates, and is assigned to an initial onboarding VLAN. Once the device's details are detected, the device is moved to a VLAN specifically secured to the device's needs.
In many cases, it is simpler to administer NAC Policies than MPSK for IoT devices. With NAC Policies, administrators can group devices by certain device patterns and allow the FortiGate to automatically assign them to their isolated VLAN. With MPSK, administrators must have a procedure to define which users or devices belong to an MPSK group and assign keys to them. However, these decisions depend on the needs of the individual campus network(s). The critical security concern is for devices to get assigned to an isolated VLAN, which can be accomplished by both security provisioning methods.
To learn more about MPSK and FortiLink NAC, see the following documents: