7.0.0

Security

Wi-Fi Security is a subset of network security. The great advantage of using a FortiGate based Wi-Fi system is that the entire security stack is easily available behind a single pane of glass—Security Driven Networking. However, Wi-Fi specific security differs from more general network security. Because Wi-Fi is over the air, there is no reliable way to limit physical access to the network, and because the network can be sniffed, it needs encryption if it is to be private. Nevertheless, open networks are common for guest use or in public venues, possibly with Captive Portals (see below) included.

WPA2 and WPA3 Enterprise are RADIUS based. These are the standards any enterprise class network should be using. If you have a database of users with a RADIUS front end, this is what to use. They offer the strongest encryption and authentication. We are in a transition period, as there are still many clients out there that do not support WPA3 Enterprise. Windows 11 with a compatible Wi-Fi card, Mac computers after 2013, iPhone 11, and more should support it, but you may need a transition plan for your network.

FortiGate As RADIUS server - The locally defined users and user groups on the FortiGate can be used as the RADIUS server by choosing the local authentication option. This is a handy option for many environments or special cases.

WPA2 Personal and WPA3 SAE use a Pre-Shared Key (PSK) for authentication and encryption. This is usually referred to as "the Wi-Fi password". This is meant for home use and small offices and should be avoided in locations where more than a few users are to be authenticated.

A WPA2 Personal/WPA3 SAE SSID may be necessary even in large environments because of IoT devices that do not support the enterprise options. If so, security best practices are to isolate such WLANs to a specific VLAN.

MPSK (Multiple PSK) - A Fortinet Wi-Fi option when creating a WPA2 Personal network is to use multiple keys. In this case, not every device uses the same PSK: keys can be shared among groups of devices, or each device can have its own unique entry. WPA3 SAE does not need this option, because SAE (Simultaneous Authentication of Equals) generates a unique encryption key for each session/device.
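The reason a single shared PSK is a weak fit for more than a handful of devices is visible in the key derivation itself: in WPA2 Personal the Pairwise Master Key (PMK) is a fixed function of the passphrase and the SSID, so every device configured with the same passphrase holds the same PMK, and one leaked key exposes the whole SSID. The following added example (not Fortinet code, and not tied to any FortiGate CLI) derives the PMK with the standard IEEE 802.11i formula and compares the blast radius of one shared PSK against MPSK-style per-group and per-device keys. The SSID, device names and passphrases are constructed for the illustration; the one real value is the public IEEE 802.11i Annex H test vector used as a known-answer check.

```python
import hashlib
from typing import Dict

# Constructed sample SSID for this illustration.
SSID = "corp-iot"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK per IEEE 802.11i-2004 Annex H:
    PBKDF2-HMAC-SHA1, passphrase as secret, SSID as salt, 4096 rounds, 256-bit output.
    Note that nothing device-specific enters the derivation, which is why a
    shared passphrase means a shared PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def known_answer_ok() -> bool:
    """Public IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"."""
    expected = bytes.fromhex(
        "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")
    return derive_pmk("password", "IEEE") == expected


def pmk_table(device_keys: Dict[str, str], ssid: str) -> Dict[str, bytes]:
    """Map each device name to the PMK its configured passphrase yields on this SSID."""
    return {dev: derive_pmk(pp, ssid) for dev, pp in device_keys.items()}


def distinct_pmks(table: Dict[str, bytes]) -> int:
    """How many different PMKs are in use on the SSID."""
    return len(set(table.values()))


def blast_radius(table: Dict[str, bytes], device: str) -> int:
    """Number of devices (including this one) that would need re-keying if
    this device's passphrase leaked, i.e. all devices sharing its PMK."""
    return sum(1 for pmk in table.values() if pmk == table[device])


# Constructed scenario 1: one "Wi-Fi password" for every IoT device.
SHARED_PSK: Dict[str, str] = {
    "sensor-1": "SharedIoTPassphrase!",
    "sensor-2": "SharedIoTPassphrase!",
    "printer":  "SharedIoTPassphrase!",
}

# Constructed scenario 2: MPSK-style entries, one key per device group and
# a unique key for the printer.
MPSK_KEYS: Dict[str, str] = {
    "sensor-1": "sensor-group-7Hq2vLp9",
    "sensor-2": "sensor-group-7Hq2vLp9",
    "printer":  "printer-only-Zx4mQ8rT",
}


if __name__ == "__main__":
    print("known-answer test:", known_answer_ok())
    for label, keys in (("shared PSK", SHARED_PSK), ("MPSK", MPSK_KEYS)):
        table = pmk_table(keys, SSID)
        print(f"{label}: {distinct_pmks(table)} distinct PMK(s); "
              f"leak of sensor-1 affects {blast_radius(table, 'sensor-1')} device(s)")
```

With the shared passphrase every device derives one identical PMK, so the leak of any device forces a re-key of all of them; with MPSK the damage is confined to the group that shares the entry. SAE is not modelled here because its PMK comes from a per-session Dragonfly exchange rather than from a passphrase-only derivation, which is exactly why the page says WPA3 SAE does not need MPSK.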

Captive Portals and Open Networks – Open Networks have no Layer 2 encryption or authentication, while a Captive Portal is a web page that can be used for authentication above Layer 2, or simply to present a click-through disclaimer page. The authentication portal can be hosted on the FortiGate or use an external third-party portal. Captive Portal can also be combined with WPA2 Personal.

  • Public Networks, such as the local coffee shop, make frequent use of Captive Portals, sometimes with a minimal disclaimer only, sometimes with self-registration. Fortinet Wi-Fi supports email capture during self-registration via Captive Portal.

  • Guest Networks are more what one finds in Enterprise environments, where guests need permission from someone like a lobby administrator. Fortinet Wi-Fi supports this and several variations, such as a guest sponsorship.

Hotspot 2.0 uses the OSEN security option in the SSID configuration screen. This is a standard for public hotspot registration across large service providers.

Wireless Intrusion Detection System (WIDS) with Rogue AP Detection – WIDS profiles can be enabled on a per-radio basis in AP profiles. WIDS profiles monitor and alert on a number of Wi-Fi attacks, such as EAPOL and other floods, deauthentication attacks and similar. All Wi-Fi 6 FortiAPs have a third radio for monitoring purposes, and it is highly recommended to enable Rogue AP scanning on the monitoring radio, which can scan the entire channel space while the service radios serve network clients. Rogue APs can also be suppressed automatically over the air.
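To make concrete what a WIDS profile is doing behind the alerts, here is an added example (not FortiOS code; the FortiGate implements this inside the controller and exposes only the profile settings) of the two checks named above, run over a constructed sample of management frames as a monitoring radio might report them: a sliding-window rate detector for deauthentication/disassociation floods per BSSID, and a rogue AP check that flags any BSSID not in the authorized list that is beaconing one of the managed SSIDs. The window, threshold, MAC addresses and SSIDs are assumptions chosen for the illustration, not Fortinet defaults.

```python
from collections import deque
from typing import Deque, Dict, List, Set, Tuple

# Frame event: (timestamp_seconds, subtype, bssid, source_mac). Constructed data.
Frame = Tuple[float, str, str, str]
# Beacon event: (timestamp_seconds, bssid, ssid). Constructed data.
Beacon = Tuple[float, str, str]

WINDOW_SECONDS = 1.0      # assumed detection window
DEAUTH_THRESHOLD = 20     # assumed frames per window per BSSID before alerting

# Constructed: 25 broadcast deauths in under half a second from one BSSID ...
SAMPLE_FRAMES: List[Frame] = [
    (100.0 + i * 0.02, "deauth", "aa:bb:cc:00:00:01", "ff:ff:ff:ff:ff:ff")
    for i in range(25)
]
# ... plus two isolated deauths from another BSSID, which is normal roaming noise.
SAMPLE_FRAMES += [
    (100.0, "deauth", "aa:bb:cc:00:00:02", "02:00:00:00:00:10"),
    (105.0, "deauth", "aa:bb:cc:00:00:02", "02:00:00:00:00:11"),
    (101.0, "probe_req", "aa:bb:cc:00:00:02", "02:00:00:00:00:12"),
]

# Constructed beacon observations from the monitoring radio.
SAMPLE_BEACONS: List[Beacon] = [
    (100.1, "aa:bb:cc:00:00:01", "corp-wifi"),   # our AP
    (100.2, "aa:bb:cc:00:00:02", "corp-wifi"),   # our AP
    (100.3, "de:ad:be:ef:00:01", "corp-wifi"),   # unknown BSSID using our SSID
    (100.4, "11:22:33:44:55:66", "cafe-guest"),  # neighbour, not ours
]
AUTHORIZED_BSSIDS: Set[str] = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
MANAGED_SSIDS: Set[str] = {"corp-wifi"}


def detect_deauth_floods(frames: List[Frame], window: float = WINDOW_SECONDS,
                         threshold: int = DEAUTH_THRESHOLD) -> List[Tuple[str, float, int]]:
    """Sliding-window count of deauth/disassoc frames per BSSID.
    Returns one alert per BSSID per burst as (bssid, burst_start_ts, count_at_alert)."""
    windows: Dict[str, Deque[float]] = {}
    alerted: Set[str] = set()
    alerts: List[Tuple[str, float, int]] = []
    for ts, subtype, bssid, _src in sorted(frames):
        if subtype not in ("deauth", "disassoc"):
            continue
        q = windows.setdefault(bssid, deque())
        q.append(ts)
        while q and ts - q[0] > window:      # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append((bssid, q[0], len(q)))
    return alerts


def find_rogue_aps(beacons: List[Beacon], authorized: Set[str] = AUTHORIZED_BSSIDS,
                   managed_ssids: Set[str] = MANAGED_SSIDS) -> List[Tuple[str, str]]:
    """A BSSID we do not manage that advertises one of our SSIDs is a rogue;
    unknown BSSIDs on other SSIDs are just neighbours and are not flagged."""
    seen: Set[Tuple[str, str]] = set()
    for _ts, bssid, ssid in beacons:
        if bssid not in authorized and ssid in managed_ssids:
            seen.add((bssid, ssid))
    return sorted(seen)


if __name__ == "__main__":
    for bssid, start, count in detect_deauth_floods(SAMPLE_FRAMES):
        print(f"deauth flood: bssid={bssid} from t={start:.2f}s ({count} frames)")
    for bssid, ssid in find_rogue_aps(SAMPLE_BEACONS):
        print(f"rogue AP: bssid={bssid} advertising managed SSID '{ssid}'")
```

The per-BSSID window is what separates a flood from ordinary roaming churn: the two isolated deauths never reach the threshold, while the burst trips the alert on its 20th frame. The rogue check deliberately ignores neighbouring networks on other SSIDs, since the page's concern is impersonation of the managed network rather than every AP in range; the threshold and window would be tuned per site, which is what the per-radio WIDS profile settings are for.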

FortiLink NAC with an onboarding VLAN can be enabled on a WLAN. A Wi-Fi connected device can be allowed onto an initial onboarding VLAN and then automatically identified by criteria such as operating system, MAC address, hardware vendor and more. Once identified it can be moved to a specific VLAN designated for such devices. For instance, VoIP phones could be moved to a VoIP VLAN secured specifically for such devices.

Security Driven Networking – While we focus on Wi-Fi specific security, don't overlook the central security advantage. The FortiOS WiFi Controller runs on a FortiGate, and ALL the security power of the FortiGate is integrated in a single pane of glass. The normal flow is for a Wi-Fi SSID to be automatically isolated from the rest of the network, tunneled to the FortiGate without the need to configure any VLANs, and fully inspected before being allowed anywhere else.
