7.0.0

SSIDs for Authorized Users with WPA2/WPA3 Enterprise Security Mode

For main campus users who can be authenticated against a RADIUS database, choose WPA2 Enterprise or WPA3 Enterprise. This section continues the SSID configuration steps from Configuring SSIDs/WLANs.

  1. The interface settings (name, IP address, and DHCP server) are already set.
  2. The SSID name was entered previously.
  3. Select a Security mode, either WPA2 Enterprise or WPA3 Enterprise.

    The Authentication menu appears.

  4. Select RADIUS Server and in the drop-down box, click Create.

    The New RADIUS Server screen appears.

  5. In the New RADIUS Server screen:

    1. Give the server a Name.

    2. If necessary, specify the Authentication method.

      1. Default will negotiate PAP, MSCHAP_v2, and CHAP in that order.

    3. Enter the IP Address of the RADIUS server.

    4. Enter the shared Secret.

    5. You can test the connection status by clicking Test Connectivity.

    6. Click OK.

  6. Ensure that the new server is selected in Security Mode Settings and click OK to save the new SSID.

    You can see your new SSID from the SSID page.

Add Firewall Policies for the Authorized Users SSID

The APs are now broadcasting the authenticated user SSID and clients can connect to the WLAN, but the traffic is isolated to the FortiGate WiFi Controller. The Fortinet Security Driven Networking model allows only explicitly allowed traffic. Firewall policies must be added to allow Internet or other network access.

  1. Go to Policy & Objects > Firewall Policy.

  2. Click Create New.

    The New Policy screen appears.

  3. Enter a Name for the policy.
  4. The Incoming Interface is the WLAN defined earlier. Because it is a new interface, the FortiGate WiFi Controller created an address object for it automatically.
  5. Following the above example configurations, the outgoing interface is the WLAN-uplink interface.
  6. For simplicity, configure the Source, Destination, and Service fields as all.

  7. Leave the other fields with the default settings.
  8. Ensure that NAT is enabled.

  9. When you are finished, click OK.

Now Wi-Fi traffic can reach the upstream Internet gateway. This is a very simple, single-rule firewall policy set. Keep in mind, however, that the WiFi Controller is a full-featured Next Generation Firewall (NGFW) and can work in conjunction with any upstream firewall, regardless of vendor. See other FortiGate documentation at https://docs.fortinet.com/product/fortigate.
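Step 6 above sets Source, Destination, and Service to all for simplicity. The following added example (not Fortinet code) scans an exported `config firewall policy` block for accept rules from a WLAN interface that still carry those values, so they can be tightened later. The policy names, interface names, and sample configuration are constructed for illustration.

```python
import shlex

# Constructed sample in FortiOS CLI export syntax; all names are hypothetical.
SAMPLE_CONFIG = '''config firewall policy
    edit 1
        set name "corp-wifi-out"
        set srcintf "corp-wlan"
        set dstintf "wlan-uplink"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set nat enable
    next
    edit 2
        set name "corp-wifi-dns"
        set srcintf "corp-wlan"
        set dstintf "wlan-uplink"
        set action accept
        set srcaddr "corp-wlan address"
        set dstaddr "dns-servers"
        set service "DNS"
    next
end
'''

def parse_policies(text):
    """Parse a 'config firewall policy' block into {policy_id: {key: [values]}}."""
    policies, current = {}, None
    for raw in text.splitlines():
        words = shlex.split(raw)  # handles quoted values containing spaces
        if len(words) >= 2 and words[0] == "edit":
            current = policies.setdefault(words[1], {})
        elif words[:1] == ["next"]:
            current = None
        elif len(words) >= 3 and words[0] == "set" and current is not None:
            current[words[1]] = words[2:]
    return policies

def find_open_policies(policies, wlan_interfaces):
    """Return (id, name, wide_fields) for accept rules from a WLAN using all/ALL."""
    findings = []
    for pid, p in policies.items():
        from_wlan = set(p.get("srcintf", [])) & set(wlan_interfaces)
        if p.get("action") != ["accept"] or not from_wlan:
            continue
        wide = [k for k in ("srcaddr", "dstaddr", "service")
                if any(v.lower() == "all" for v in p.get(k, []))]
        if wide:
            findings.append((pid, p.get("name", [""])[0], wide))
    return findings
```

Calling `find_open_policies(parse_policies(SAMPLE_CONFIG), ["corp-wlan"])` reports only policy 1, the rule built exactly as in the steps above.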
