Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

FortiWiFi and FortiAP Configuration Guide

WPA2 Security

WPA2 security with pre-shared keys (PSK) for authentication is called WPA2-Personal. This can work well for one person or a group of trusted people. But, as the number of users increases, it is difficult to distribute new keys securely and there is increased risk that the key could fall into the wrong hands.

A more secure form of WPA2 security is WPA2-Enterprise. Users each have their own authentication credentials, verified through an authentication server, usually RADIUS. FortiOS can also authenticate WPA2-Enterprise users through its built-in user group functionality. FortiGate user groups can include RADIUS servers and can select users by RADIUS user group. This makes possible Role-Based Access Control (RBAC).

By default, WPA2 security encrypts communication using Advanced Encryption Standard (AES). But some older wireless clients support only Temporal Key Integrity Protocol (TKIP). You can change the encryption to TKIP or negotiable TKIP-AES in the CLI. For example, to accommodate clients with either TKIP or AES, enter:

config wireless-controller vap

edit example_wlan

set security wpa-personal

set passphrase "hardtoguess"

set encrypt TKIP-AES

end

WPA-Personal security

WPA2-Personal security setup requires a pre-shared key (PSK) that you provide to clients. You can select between creating a single PSK or batch generating multiple pre-shared keys (MPSK).

Configuring WPA2-Personal security with a single PSK

To configure WPA2-Personal security with a single PSK - GUI
  1. Go to WiFi and Switch Controller > SSIDs and edit your SSID entry.
  2. In Security Mode, select WPA2 Personal.
  3. In Pre-shared Key, select Single as the PSK mode.
  4. Enter a key between 8 and 63 characters long.
  5. Select OK.
To configure WPA2-Personal security - CLI

config wireless-controller vap

edit example_wlan

set security wpa2-personal

set passphrase "hardtoguess"

end

Configuring WPA2-Personal security with MPSK

You can batch generate or import MPSK keys, export MPSK keys to a CSV file, dynamically assign VLANs based on used MPSK, and apply an MPSK schedule in the GUI.

In the GUI, MPSK key entries are organized in different MPSK groups. An MPSK group can be created manually or imported. When MPSK is enabled, the previous single passphrase is dropped and a dynamic VLAN is automatically enabled.

In the CLI, an mpsk-profile is assigned in the VAP settings and MPSK is enabled. The dynamic VLAN is automatically enabled. Only one MPSK profile can be assigned to one VAP at a time.

To configure WPA2-Personal security with an MPSK group - GUI
  1. Go to WiFi and Switch Controller > SSIDs and edit your SSID entry.
  2. In Security Mode, select WPA2 Personal.
  3. In Pre-shared Key, select Multiple as the PSK mode.
  4. In the table, click Add > Create Group.
  5. Enter a group name and VLAN ID.
  6. Configure the pre-shared key settings:
    1. In the table, click Add > Generate Keys.
    2. Configure the settings as needed and click OK.
  7. Click OK to close the Pre-shared Key Group window.
  8. Click OK.

You can go to WiFi and Switch Controller > WiFi Clients to view the MPSK name in the Pre-shared Key column.

To use an MPSK profile in the CLI
  1. Configure the MPSK profile:

    config wireless-controller mpsk-profile

    edit "wifi-mpsk"

    config mpsk-group

    edit "group-a"

    set vlan-type fixed-vlan

    set vlan-id 10

    config mpsk-key

    edit "key-a-1"

    set passphrase ENC

    set mpsk-schedules "always"

    next

    end

    next

    edit "group-b"

    set vlan-type fixed-vlan

    set vlan-id 20

    config mpsk-key

    edit "key-b-1"

    set passphrase ENC

    set concurrent-client-limit-type unlimited

    set mpsk-schedules "always"

    next

    end

    next

    end

    next

    end

  2. Configure the VAP settings:

    config wireless-controller vap

    edit "wifi-mpsk"

    set ssid "wifi-mpsk"

    set local-bridging enable

    set schedule "always"

    set mpsk-profile "wifi-mpsk"

    set dynamic-vlan enable

    next

    end

  3. Verify the event log after the WiFi client is connected:

    1: date=2020-07-10 time=16:57:20 logid="0104043573" type="event" subtype="wireless" level="notice" vd="root" eventtime=1594425440439070726 tz="-0700" logdesc="Wireless client authenticated" sn="FP423E3X16000320" ap="FP423E3X16000320" vap="wifi-mpsk" ssid="wifi-mpsk" radioid=2 user="N/A" group="N/A" stamac="3c:2e:ff:83:91:33" srcip=10.0.10.2 channel=144 radioband="802.11ac" signal=-52 snr=50 security="WPA2 Personal" encryption="AES" action="client-authentication" reason="Reserved 0" mpsk="key-a-1" msg="Client 3c:2e:ff:83:91:33 authenticated."

WPA-Enterprise security

If you will use FortiOS user groups for authentication, go to User & Device > User > User Groups and create those groups first. The groups should be Firewall groups.

If you will use a RADIUS server to authenticate wireless clients, you must first configure the FortiGate unit to access the RADIUS server.

To configure FortiGate unit access to the RADIUS server - GUI
  1. Go to User & Authentication > RADIUS Servers and select Create New.
  2. Enter a Name for the server.
    1. In Primary Server  area:
      1. IP/Name — enter the network name or IP address for the server.
      2. Secret — enter the shared secret used to access the server.
  3. Optionally, enter the information for a secondary or backup RADIUS server.
  4. Select OK.
To configure the FortiGate unit to access the RADIUS server - CLI

config user radius

edit exampleRADIUS

set auth-type auto

set server 10.11.102.100

set secret aoewmntiasf

end

RADIUS Change of Authorization (CoA) support

The CoA feature enables the FortiGate to receive a client disconnect message from the RADIUS server. This is used to disconnect clients when their time, credit or bandwidth had been used up. Enable this on the RADIUS server using the CLI:

config user radius

edit <name>

set radius-coa enable

end

To configure WPA-Enterprise security - GUI
  1. Go to WiFi and Switch Controller > SSIDs and edit your SSID entry.
  2. In Security Mode, select WPA2 Enterprise.
  3. In Authentication, do one of the following:
    • If you will use a RADIUS server for authentication, select RADIUS Server and then select the RADIUS server.
    • If you will use a local user group for authentication, select Local and then select the user group(s) permitted to use the wireless network.
  4. Select OK.
To configure WPA-Enterprise security - CLI

config wireless-controller vap

edit example_wlan

set security wpa2-enterprise

set auth radius

set radius-server exampleRADIUS

end

WPA2 Security

WPA2 security with pre-shared keys (PSK) for authentication is called WPA2-Personal. This can work well for one person or a group of trusted people. But, as the number of users increases, it is difficult to distribute new keys securely and there is increased risk that the key could fall into the wrong hands.

A more secure form of WPA2 security is WPA2-Enterprise. Users each have their own authentication credentials, verified through an authentication server, usually RADIUS. FortiOS can also authenticate WPA2-Enterprise users through its built-in user group functionality. FortiGate user groups can include RADIUS servers and can select users by RADIUS user group. This makes possible Role-Based Access Control (RBAC).

By default, WPA2 security encrypts communication using Advanced Encryption Standard (AES). But some older wireless clients support only Temporal Key Integrity Protocol (TKIP). You can change the encryption to TKIP or negotiable TKIP-AES in the CLI. For example, to accommodate clients with either TKIP or AES, enter:

config wireless-controller vap

edit example_wlan

set security wpa-personal

set passphrase "hardtoguess"

set encrypt TKIP-AES

end

WPA-Personal security

WPA2-Personal security setup requires a pre-shared key (PSK) that you provide to clients. You can select between creating a single PSK or batch generating multiple pre-shared keys (MPSK).

Configuring WPA2-Personal security with a single PSK

To configure WPA2-Personal security with a single PSK - GUI
  1. Go to WiFi and Switch Controller > SSIDs and edit your SSID entry.
  2. In Security Mode, select WPA2 Personal.
  3. In Pre-shared Key, select Single as the PSK mode.
  4. Enter a key between 8 and 63 characters long.
  5. Select OK.
To configure WPA2-Personal security - CLI

config wireless-controller vap

edit example_wlan

set security wpa2-personal

set passphrase "hardtoguess"

end

Configuring WPA2-Personal security with MPSK

You can batch generate or import MPSK keys, export MPSK keys to a CSV file, dynamically assign VLANs based on used MPSK, and apply an MPSK schedule in the GUI.

In the GUI, MPSK key entries are organized in different MPSK groups. An MPSK group can be created manually or imported. When MPSK is enabled, the previous single passphrase is dropped and a dynamic VLAN is automatically enabled.

In the CLI, an mpsk-profile is assigned in the VAP settings and MPSK is enabled. The dynamic VLAN is automatically enabled. Only one MPSK profile can be assigned to one VAP at a time.

To configure WPA2-Personal security with an MPSK group - GUI
  1. Go to WiFi and Switch Controller > SSIDs and edit your SSID entry.
  2. In Security Mode, select WPA2 Personal.
  3. In Pre-shared Key, select Multiple as the PSK mode.
  4. In the table, click Add > Create Group.
  5. Enter a group name and VLAN ID.
  6. Configure the pre-shared key settings:
    1. In the table, click Add > Generate Keys.
    2. Configure the settings as needed and click OK.
  7. Click OK to close the Pre-shared Key Group window.
  8. Click OK.

You can go to WiFi and Switch Controller > WiFi Clients to view the MPSK name in the Pre-shared Key column.

To use an MPSK profile in the CLI
  1. Configure the MPSK profile:

    config wireless-controller mpsk-profile

    edit "wifi-mpsk"

    config mpsk-group

    edit "group-a"

    set vlan-type fixed-vlan

    set vlan-id 10

    config mpsk-key

    edit "key-a-1"

    set passphrase ENC

    set mpsk-schedules "always"

    next

    end

    next

    edit "group-b"

    set vlan-type fixed-vlan

    set vlan-id 20

    config mpsk-key

    edit "key-b-1"

    set passphrase ENC

    set concurrent-client-limit-type unlimited

    set mpsk-schedules "always"

    next

    end

    next

    end

    next

    end

  2. Configure the VAP settings:

    config wireless-controller vap

    edit "wifi-mpsk"

    set ssid "wifi-mpsk"

    set local-bridging enable

    set schedule "always"

    set mpsk-profile "wifi-mpsk"

    set dynamic-vlan enable

    next

    end

  3. Verify the event log after the WiFi client is connected:

    1: date=2020-07-10 time=16:57:20 logid="0104043573" type="event" subtype="wireless" level="notice" vd="root" eventtime=1594425440439070726 tz="-0700" logdesc="Wireless client authenticated" sn="FP423E3X16000320" ap="FP423E3X16000320" vap="wifi-mpsk" ssid="wifi-mpsk" radioid=2 user="N/A" group="N/A" stamac="3c:2e:ff:83:91:33" srcip=10.0.10.2 channel=144 radioband="802.11ac" signal=-52 snr=50 security="WPA2 Personal" encryption="AES" action="client-authentication" reason="Reserved 0" mpsk="key-a-1" msg="Client 3c:2e:ff:83:91:33 authenticated."

WPA-Enterprise security

If you will use FortiOS user groups for authentication, go to User & Device > User > User Groups and create those groups first. The groups should be Firewall groups.

If you will use a RADIUS server to authenticate wireless clients, you must first configure the FortiGate unit to access the RADIUS server.

To configure FortiGate unit access to the RADIUS server - GUI
  1. Go to User & Authentication > RADIUS Servers and select Create New.
  2. Enter a Name for the server.
    1. In Primary Server  area:
      1. IP/Name — enter the network name or IP address for the server.
      2. Secret — enter the shared secret used to access the server.
  3. Optionally, enter the information for a secondary or backup RADIUS server.
  4. Select OK.
To configure the FortiGate unit to access the RADIUS server - CLI

config user radius

edit exampleRADIUS

set auth-type auto

set server 10.11.102.100

set secret aoewmntiasf

end

RADIUS Change of Authorization (CoA) support

The CoA feature enables the FortiGate to receive a client disconnect message from the RADIUS server. This is used to disconnect clients when their time, credit or bandwidth had been used up. Enable this on the RADIUS server using the CLI:

config user radius

edit <name>

set radius-coa enable

end

To configure WPA-Enterprise security - GUI
  1. Go to WiFi and Switch Controller > SSIDs and edit your SSID entry.
  2. In Security Mode, select WPA2 Enterprise.
  3. In Authentication, do one of the following:
    • If you will use a RADIUS server for authentication, select RADIUS Server and then select the RADIUS server.
    • If you will use a local user group for authentication, select Local and then select the user group(s) permitted to use the wireless network.
  4. Select OK.
To configure WPA-Enterprise security - CLI

config wireless-controller vap

edit example_wlan

set security wpa2-enterprise

set auth radius

set radius-server exampleRADIUS

end