7.0.0

Wi-Fi Security Modes and FortiGate Security Extensions

As part of the Wi-Fi standards, the two latest generations of Wi-Fi security, WPA2 and WPA3, are supported and recommended for a Fortinet Wi-Fi deployment. WPA3 improves on WPA2 encryption and authentication security, particularly at the personal (Pre-Shared Key) level, but client support is still not 100%. Use WPA3 when possible; where it is not yet possible, develop a plan for transitioning to it based on the clients you need to support.

With WPA2 and WPA3, there are three basic security modes, covering authentication and encryption:

  • Open - no security
  • Personal - all users use the same Pre-Shared Key (PSK)
    • in WPA3 this mode uses SAE (Simultaneous Authentication of Equals) and is also called "SAE"
  • Enterprise class - using 802.1X, usually username/password based

FortiGate Security Extensions

Other security options operate above the Layer-2 Wi-Fi level:

  • Captive portal authenticates users at essentially Layer 7, through a web page. The lower-layer security can be either Open or Personal. Technically the device is already on the network and has an IP address, but network access is limited until portal-level authentication has been accepted. In public venues, this may simply be accepting a Terms and Conditions screen. Captive portals are normally used for guest users.

  • Firewall policies and other inspection options. One of the benefits of using a FortiOS Integrated WLAN Controller is that it is also a fully functional FortiGate, so traffic inspection integrates simply. All tunneled SSIDs are interfaces to which firewall policies can, and must, be applied. The configuration flow for setting up the interface and the SSID is unified. After SSID setup, it is necessary to go to Firewall Policies and explicitly allow the Wi-Fi traffic; without a policy, no traffic from the SSID is forwarded.

  • FortiLink NAC uses device fingerprinting to identify devices or classes of devices on a Wi-Fi onboarding/default VLAN and move them to a specifically designated VLAN for that device type. This is particularly useful for IoT devices or 'no-owner' devices such as printers.
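As an added example (not taken from the Fortinet document), the FortiOS CLI fragment below creates a tunneled Personal-mode SSID using WPA3-SAE with protected management frames, a second SSID in WPA3 transition mode for mixed client populations, and the firewall policy that the bullet above says must exist before the Wi-Fi traffic is forwarded. The SSID names, passphrases, and the "wan1" interface name are assumptions for illustration.

```fortios
# Assumed SSID names and passphrases; replace with your own values.
config wireless-controller vap
    # Preferred: WPA3-SAE only, management frame protection required
    edit "staff-wifi"
        set ssid "Staff"
        set security wpa3-sae
        set pmf enable
        set sae-password "REPLACE-WITH-STRONG-PASSPHRASE"
        set schedule "always"
    next
    # Transition plan: WPA2-PSK clients and WPA3-SAE clients on one SSID
    # until all clients support WPA3; PMF is optional here so WPA2 clients
    # that lack PMF can still associate
    edit "mixed-wifi"
        set ssid "Mixed"
        set security wpa3-sae-transition
        set pmf optional
        set passphrase "REPLACE-WITH-STRONG-PASSPHRASE"
        set sae-password "REPLACE-WITH-STRONG-PASSPHRASE"
        set schedule "always"
    next
end

# A tunneled SSID is an interface: nothing leaves it until a policy allows it.
# "wan1" is an assumed egress interface name.
config firewall policy
    edit 0
        set name "staff-wifi-to-internet"
        set srcintf "staff-wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Traffic from "mixed-wifi" remains blocked until a matching policy is added for that interface too, which is the controlled default the document describes.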
