Complex wireless network example
This example creates multiple networks and uses custom AP profiles.
Scenario example
In this example, Example Co. provides two wireless networks, one for its employees and the other for customers or other guests of its business. Guest users have access only to the Internet, not to the company's private network. The equipment for these WiFi networks consists of FortiAP units controlled by a FortiGate unit.
The employee network operates in 802.11n mode on both the 2.4 GHz and 5 GHz bands. Client IP addresses are in the 10.10.120.0/24 subnet, with 10.10.120.1 the IP address of the WAP. The guest network also operates in 802.11n mode, but only on the 2.4 GHz band. Client IP addresses are on the 10.10.115.0/24 subnet, with 10.10.115.1 the IP address of the WAP.
On the FortiAP units, the 802.11n mode also supports 802.11g and 802.11b clients on the 2.4 GHz band and 802.11a clients on the 5 GHz band.
The guest network WAP broadcasts its SSID; the employee network WAP does not.
The employee network uses WPA-Enterprise authentication through a FortiGate user group. The guest network features a captive portal. When a guest first tries to connect to the Internet, a login page requests logon credentials. Guests use numbered guest accounts authenticated by RADIUS. The captive portal for the guests includes a disclaimer page.
In this example, the FortiAP units connect to port 3 and are assigned addresses on the 192.168.8.0/24 subnet.
Configuration example
To configure these wireless networks, perform the following tasks:
- Configuring authentication for employee wireless users
- Configuring authentication for guest wireless users
- Configuring the SSIDs
- Configuring the FortiAP profile
- Configuring firewall policies
- Connecting the FortiAP units
Configuring authentication for employee wireless users
Employees have user accounts on the FortiGate unit. This example shows creation of one user account, but you can create multiple accounts and add them as members to the user group.
To configure a WiFi user - GUI:
- Go to User & Authentication > User Definition and select Create New.
- Select Local User and then click Next.
- Enter a User Name and Password and then click Next.
- Click Next.
- Make sure that Enable is selected and then click Create.
To configure the user group for employee access - GUI:
- Go to User & Device > User Groups and select Create New.
- Enter the following information and then select OK:
Name | employee-group
Type | Firewall
Members | Add users.
To configure a WiFi user and the user group for employee access - CLI:
config user user
edit "user01"
set type password
set passwd "asdf12ghjk"
end
config user group
edit "employee-group"
set member "user01"
end
The user authentication setup will be complete when you select the employee-group in the SSID configuration.
Configuring authentication for guest wireless users
Guests are assigned temporary user accounts created on a RADIUS server. The RADIUS server stores each user's group name in the Fortinet-Group-Name attribute. Wireless users are in the group named "wireless".
The FortiGate unit must be configured to access the RADIUS server.
To configure the FortiGate unit to access the guest RADIUS server - GUI:
- Go to User & Authentication > RADIUS Servers and select Create New.
- Enter the following information and select OK:
Name | guestRADIUS
Primary Server IP/Name | 10.11.102.100
Primary Server Secret | grikfwpfdfg
Secondary Server IP/Name | Optional
Secondary Server Secret | Optional
Authentication Scheme | Use default, unless server requires otherwise.
Leave other settings at their default values.
To configure the FortiGate unit to access the guest RADIUS server - CLI:
config user radius
edit guestRADIUS
set auth-type auto
set server 10.11.102.100
set secret grikfwpfdfg
end
To configure the user group for guest access - GUI:
- Go to User & Device > User Groups and select Create New.
- Enter the following information and then select OK:
Name | guest-group
Type | Firewall
Members | Leave empty.
- Select Create new.
- Enter:
Remote Server | Select guestRADIUS.
Groups | Select wireless.
- Select OK.
To configure the user group for guest access - CLI:
config user group
edit "guest-group"
set member "guestRADIUS"
config match
edit 0
set server-name "guestRADIUS"
set group-name "wireless"
end
end
The user authentication setup will be complete when you select the guest-group user group in the SSID configuration.
Configuring the SSIDs
First, establish the SSIDs (network interfaces) for the employee and guest networks. This is independent of the number of physical access points that will be deployed. Both networks assign IP addresses using DHCP.
To configure the employee SSID - GUI:
- Go to WiFi and Switch Controller > SSIDs and select Create New > SSID.
- Enter the following information and select OK:
Interface Name | example_inc
Traffic Mode | Tunnel to Wireless Controller
IP/Netmask | 10.10.120.1/24
Administrative Access | Ping (to assist with testing)
Enable DHCP | Enable
Address Range | 10.10.120.2 - 10.10.120.199
Netmask | 255.255.255.0
Default Gateway | Same As Interface IP
DNS Server | Same as System DNS
SSID | example_inc
Security Mode | WPA/WPA2-Enterprise
Authentication | Select Local, then select employee-group.
Leave other settings at their default values.
To configure the employee SSID - CLI:
config wireless-controller vap
edit example_inc
set ssid "example_inc"
set security wpa-enterprise
set auth usergroup
set usergroup employee-group
set schedule always
end
config system interface
edit example_inc
set ip 10.10.120.1 255.255.255.0
end
config system dhcp server
edit 0
set default-gateway 10.10.120.1
set dns-service default
set interface example_inc
config ip-range
edit 1
set end-ip 10.10.120.199
set start-ip 10.10.120.2
end
set lease-time 7200
set netmask 255.255.255.0
end
To configure the example_guest SSID - GUI:
- Go to WiFi and Switch Controller > SSIDs and select Create New.
- Enter the following information and select OK:
Name | example_guest
IP/Netmask | 10.10.115.1/24
Administrative Access | Ping (to assist with testing)
Enable DHCP | Enable
Address Range | 10.10.115.2 - 10.10.115.50
Netmask | 255.255.255.0
Default Gateway | Same as Interface IP
DNS Server | Same as System DNS
SSID | example_guest
Security Mode | Captive Portal
Portal Type | Authentication
Authentication Portal | Local
User Groups | Select guest-group.
Leave other settings at their default values.
To configure the example_guest SSID - CLI:
config wireless-controller vap
edit example_guest
set ssid "example_guest"
set security captive-portal
set selected-usergroups guest-group
set schedule always
end
config system interface
edit example_guest
set ip 10.10.115.1 255.255.255.0
end
config system dhcp server
edit 0
set default-gateway 10.10.115.1
set dns-service default
set interface "example_guest"
config ip-range
edit 1
set end-ip 10.10.115.50
set start-ip 10.10.115.2
end
set lease-time 7200
set netmask 255.255.255.0
end
Configuring the FortiAP profile
The FortiAP Profile defines the radio settings for the networks. The profile provides access to both Radio 1 (2.4 GHz) and Radio 2 (5 GHz) for the employee virtual AP, but provides access only to Radio 1 for the guest virtual AP.
To configure the FortiAP Profile - GUI:
- Go to WiFi and Switch Controller > FortiAP Profiles and select Create New.
- Enter the following information and select OK:
Name | example_AP
Platform | FAP221E
Radio 1 |
Mode | Access Point
Band | 802.11n
Channel plan | Select Three Channels.
Transmit power mode | Select Percent.
Transmit power | Set the bar to 100%.
SSID | Select Manual and select example_inc and example_guest.
Radio 2 |
Mode | Access Point
Band | 802.11n_5G
Channel | Select All.
Transmit power mode | Select Percent.
Transmit power | Set the bar to 100%.
SSID | Select Manual and select example_inc.
To configure the AP Profile - CLI:
config wireless-controller wtp-profile
edit "example_AP"
config platform
set type 221E
end
config radio-1
set ap-bgscan enable
set band 802.11n
set channel "1" "6" "11"
set vaps "example_inc" "example_guest"
end
config radio-2
set ap-bgscan enable
set band 802.11n-5G
set channel "36" "40" "44" "48" "149" "153" "157" "161" "165"
set vaps "example_inc"
end
Configuring firewall policies
Identity-based firewall policies are needed to enable the WLAN users to access the Internet on Port1. First you create firewall addresses for employee and guest users, then you create the firewall policies.
To create firewall addresses for employee and guest WiFi users:
- Go to Policy & Objects > Addresses.
- Select Create New, enter the following information and select OK:
Address Name | employee-wifi-net
Type | Subnet / IP Range
Subnet / IP Range | 10.10.120.0/24
Interface | example_inc
- Select Create New, enter the following information and select OK:
Address Name | guest-wifi-net
Type | Subnet / IP Range
Subnet / IP Range | 10.10.115.0/24
Interface | example_guest
To create firewall policies for employee WiFi users - GUI:
- Go to Policy & Objects > Firewall Policy and select Create New.
- Enter the following information:
Incoming Interface | example_inc
Source Address | employee-wifi-net
Outgoing Interface | port1
Destination Address | all
Schedule | always
Service | ALL
Action | ACCEPT
NAT | Enable NAT
- Optionally, select security profiles for wireless users.
- Select OK.
- Repeat steps 1 through 4 but select Internal as the Destination Interface/Zone to provide access to the ExampleCo private network.
To create firewall policies for employee WiFi users - CLI:
config firewall policy
edit 0
set srcintf "example_inc"
set dstintf "port1"
set srcaddr "employee-wifi-net"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
edit 0
set srcintf "example_inc"
set dstintf "internal"
set srcaddr "employee-wifi-net"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
end
To create a firewall policy for guest WiFi users - GUI:
- Go to Policy & Objects > Firewall Policy and select Create New.
- Enter the following information:
Incoming Interface | example_guest
Source Address | guest-wifi-net
Outgoing Interface | port1
Destination Address | all
Schedule | always
Service | ALL
Action | ACCEPT
NAT | Enable NAT
- Optionally, select UTM and set up UTM features for wireless users.
- Select OK.
To create a firewall policy for guest WiFi users - CLI:
config firewall policy
edit 0
set srcintf "example_guest"
set dstintf "port1"
set srcaddr "guest-wifi-net"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
end
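The guest isolation the scenario requires (guests reach the Internet on port1 only) depends on there being no accept policy from example_guest to the internal interface, and that is easy to lose when policies are edited later. As an added example that is not Fortinet's code, here is a small Python parser for FortiOS `config ... edit ... set ... next/end` blocks, run over a constructed copy of the three policies above (explicit ids 1 to 3 instead of the page's `edit 0`) with a check for guest policies that reach a private interface:

```python
import re

# Constructed copy of the three policies on this page, with explicit ids
# instead of "edit 0" (which lets FortiOS pick the id). Not from a real device.
POLICY_CONFIG = """\
config firewall policy
    edit 1
        set srcintf "example_inc"
        set dstintf "port1"
        set srcaddr "employee-wifi-net"
        set action accept
    next
    edit 2
        set srcintf "example_inc"
        set dstintf "internal"
        set srcaddr "employee-wifi-net"
        set action accept
    next
    edit 3
        set srcintf "example_guest"
        set dstintf "port1"
        set srcaddr "guest-wifi-net"
        set action accept
    next
end
"""

def parse_policies(text):
    """Parse one 'config firewall policy' block into {id: {key: [values]}}."""
    policies, current = {}, None
    for line in text.splitlines():
        # Quoted names such as "example_guest" stay a single token.
        tok = re.findall(r'"[^"]*"|\S+', line)
        if not tok:
            continue
        if tok[0] == "edit":
            current = policies.setdefault(tok[1], {})
        elif tok[0] == "set" and current is not None:
            current[tok[1]] = [t.strip('"') for t in tok[2:]]
        elif tok[0] in ("next", "end"):
            current = None
    return policies

def isolation_violations(policies, guest_intf="example_guest", private=("internal",)):
    """Ids of accept policies that let the guest SSID reach a private interface."""
    return sorted(pid for pid, p in policies.items()
                  if p.get("action") == ["accept"]
                  and guest_intf in p.get("srcintf", [])
                  and any(i in p.get("dstintf", []) for i in private))
```

Feed it the output of `show firewall policy` from the unit to re-check the rule set after any later change.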
Connecting the FortiAP units
You need to connect each FortiAP unit to the FortiGate unit, wait for it to be recognized, and then assign it to the AP Profile. But first, you must configure the interface to which the FortiAP units connect and the DHCP server that assigns their IP addresses.
In this example, the FortiAP units connect to port 3 and are controlled through IP addresses on the 10.10.70.0/24 network.
To configure the interface for the AP unit - GUI:
- Go to Network > Interfaces, and edit the interface to which the AP unit connects (in this example, port3).
- In Addressing mode, select Manual.
- In IP/Network Mask, enter an IP address and netmask for the interface (in this example, 10.10.70.1/255.255.255.0).
- In the Administrative Access section, go to IPv4 and select the Security Fabric Connection checkbox.
- When FortiAP units are connected to the interface on FortiGate (directly or through a switch), you can go to the Edit Interface section and set the Role to LAN. Selecting the LAN role loads the DHCP Server toggle. If you enable DHCP Server, the GUI can automatically set the DHCP IP range based on the interface IP address.
- Click OK.
To configure the interface for the AP unit - CLI:
config system interface
edit "port3"
set mode static
set ip 10.10.70.1 255.255.255.0
set allowaccess fabric
next
end
To configure the DHCP server for AP units - CLI:
config system dhcp server
edit 3
set interface "port3"
config ip-range
edit 1
set start-ip 10.10.70.2
set end-ip 10.10.70.254
next
end
set default-gateway 10.10.70.1
set netmask 255.255.255.0
set vci-match enable
set vci-string "FortiAP"
next
end
The optional vci-match and vci-string fields ensure that the DHCP server provides IP addresses only to FortiAP units.
To connect a FortiAP unit - GUI:
- Go to WiFi and Switch Controller > Managed FortiAPs.
- Connect the FortiAP unit to port 3.
- Periodically select Refresh while waiting for the FortiAP unit to be listed. Recognition of the FortiAP unit can take up to two minutes. If there is persistent difficulty recognizing FortiAP units, try disabling VCI-Match in the DHCP server settings.
- When the FortiAP unit is listed, select the entry to edit it. The Edit Managed Access Point window opens.
- In State, select Authorize.
- In the AP Profile, select [Change] and then select the example_AP profile.
- Select OK.
- Repeat Steps 2 through 7 for each FortiAP unit.
To connect a FortiAP unit - CLI:
- Connect the FortiAP unit to port 3.
- Enter:
config wireless-controller wtp
- Wait 30 seconds, then enter get.
- Retry the get command every 15 seconds or so until the unit is listed, like this:
== [ FAP22B3U10600118 ]
wtp-id: FAP22B3U10600118
- Edit the discovered FortiAP unit like this:
edit FAP22B3U10600118
set admin enable
set wtp-profile example_AP
end
- Repeat Steps 2 through 5 for each FortiAP unit.