Support MACsec on FortiAP G-series 7.4.4

Media Access Control Security (MACsec) is a network protocol that provides authenticity and integrity for the entire Ethernet frame as well as encryption of the Layer 2 data payload. Enabling MACsec on a FortiAP improves communication security of Layer 2 frames passing through wired networks.

Since MACsec is an extension to 802.1X, which provides secure key exchange and mutual authentication for MACsec nodes, FortiAPs must first be configured to pass 802.1X authentication as a supplicant. MACsec can be enabled from the FortiGate or locally on a FortiAP.

Note
  • MACsec is only supported on FortiAP G-series models.
  • Only the MACsec dynamic-CAK model is supported; PSK mode is not supported.
  • Due to technical limitations, FortiAP G-series models only support a MACsec policy Confidentiality Offset value of 0 (the default for most implementations) or 30. A Confidentiality Offset of 50 is not supported.

Enabling MACsec on FortiAP

In deployments where all FortiAPs are managed by a FortiGate, you can configure 802.1X and MACsec on the FortiAP profile, and the configuration is pushed to the assigned FortiAPs. Then, depending on the switch used in your deployment, configure and apply 802.1X and MACsec on the switch ports to which the FortiAPs connect. The FortiAPs continue to communicate with their managing FortiGate and function as usual.

In deployments where you need to connect a new FortiAP to your network before it is managed by a FortiGate, you can pre-configure the FortiAP profiles while also configuring MACsec locally on the FortiAP device. Then, ensure that the switch ports to which the FortiAPs will connect have 802.1X and MACsec configured before connecting the FortiAPs.

Note

If MACsec is enabled on a FortiAP but the switch port that the FortiAP connects to does not have 802.1X and MACsec enabled, authentication fails and the FortiAP loses its network connection.

To enable MACsec from a FortiAP profile - CLI:
config wireless-controller wtp-profile
  edit <name>
    set wan-port-auth 802.1x
    set wan-port-auth-usrname "tester"
    set wan-port-auth-password ENC *
    set wan-port-auth-methods EAP-PEAP
    set wan-port-auth-macsec enable
  next
end
To enable MACsec locally from a FortiAP - CLI:
FortiAP-233G # cfg -a WAN_1X_ENABLE:=1
cfg -a WAN_1X_USERID:=tester
cfg -a WAN_1X_PASSWD:=*
cfg -a WAN_1X_METHOD:=3
cfg -a WAN_1X_MACSEC_POLICY:=1
To verify a FortiAP successfully passes MACsec authentication:
FP233G # cw_diag -c wan1x macsec
participant_idx=0
ckn=972149b46b1ff31c11d3c1d864b0bad9
mi=94a9763a40b2905ba3ec2be9
mn=78974
active=Yes
participant=No
retain=No
live_peers=1
potential_peers=0
is_key_server=No
is_elected=Yes
TX SCI : 74:78:a6:98:dc:28@1
RX SCI : 70:35:09:21:cb:84@2
Cipher : GCM-AES-256
Tx Next PN: 298329
Distributed SAK Received : 1
  Distributed_an : 0
  AN : 0
      tx : InUse
      rx : InUse
  Confidentiality_offset : 30
  replay_protect : 0
  replay_window : 0
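The fields above are what an operator reads by eye after enabling MACsec. The following Python script is an added example, not Fortinet code: it parses the key/value text printed by cw_diag -c wan1x macsec (using the exact field names shown on this page) and applies the checks that matter after enablement: the MKA participant is active, at least one live peer exists, a distributed SAK is in use on both the TX and RX SAs, the cipher suite is a recognised IEEE 802.1AE suite, and the Confidentiality Offset is one the G-series supports (0 or 30). The second sample, where the peer never came up, is constructed to exercise the failure path; the "Unused" SA state in it is an assumed value, not output from a real device.

```python
"""Health check for FortiAP `cw_diag -c wan1x macsec` output (added example)."""

# Sample taken in shape and values from the page's own output (constructed
# input for this example; not a live capture).
SAMPLE_OK = """\
FP233G # cw_diag -c wan1x macsec
participant_idx=0
ckn=972149b46b1ff31c11d3c1d864b0bad9
mi=94a9763a40b2905ba3ec2be9
mn=78974
active=Yes
participant=No
retain=No
live_peers=1
potential_peers=0
is_key_server=No
is_elected=Yes
TX SCI : 74:78:a6:98:dc:28@1
RX SCI : 70:35:09:21:cb:84@2
Cipher : GCM-AES-256
Tx Next PN: 298329
Distributed SAK Received : 1
  Distributed_an : 0
  AN : 0
      tx : InUse
      rx : InUse
  Confidentiality_offset : 30
  replay_protect : 0
  replay_window : 0
"""

# Constructed failure case: the switch port never completed 802.1X/MKA, so
# there is no live peer and no SAK. "Unused" is an assumed SA state.
SAMPLE_NO_PEER = (SAMPLE_OK.replace("active=Yes", "active=No")
                  .replace("live_peers=1", "live_peers=0")
                  .replace("Distributed SAK Received : 1", "Distributed SAK Received : 0")
                  .replace("tx : InUse", "tx : Unused")
                  .replace("rx : InUse", "rx : Unused"))

# IEEE 802.1AE cipher suites; the page shows GCM-AES-256.
KNOWN_CIPHERS = {"GCM-AES-128", "GCM-AES-256", "GCM-AES-XPN-128", "GCM-AES-XPN-256"}
# From the page's note: FortiAP G-series supports offset 0 or 30, not 50.
SUPPORTED_OFFSETS = {0, 30}


def parse_macsec_status(text):
    """Map field name -> value. The command mixes `k=v` and `k : v` lines."""
    status = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or " # " in line:          # skip blanks and the prompt line
            continue
        if "=" in line and ": " not in line and " : " not in line:
            key, _, value = line.partition("=")
        else:
            key, _, value = line.partition(":")  # first colon only; SCIs contain more
        status[key.strip()] = value.strip()
    return status


def _to_int(value, default=-1):
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def check_macsec_status(status):
    """Return (ok, findings); findings are 'FAIL: ...' or 'WARN: ...' strings."""
    findings = []
    fail = lambda m: findings.append("FAIL: " + m)
    warn = lambda m: findings.append("WARN: " + m)

    if status.get("active") != "Yes":
        fail("MKA participant is not active (802.1X/MKA did not complete)")
    if _to_int(status.get("live_peers"), 0) < 1:
        fail("no live MKA peer; verify 802.1X and MACsec on the switch port")
    if status.get("Distributed SAK Received") != "1":
        fail("no distributed SAK received from the key server; no secure channel yet")
    for direction in ("tx", "rx"):
        if status.get(direction) != "InUse":
            fail(f"{direction} SA for AN {status.get('AN', '?')} is not InUse")
    cipher = status.get("Cipher", "")
    if cipher not in KNOWN_CIPHERS:
        fail(f"unexpected cipher suite {cipher!r}")
    offset = _to_int(status.get("Confidentiality_offset"))
    if offset not in SUPPORTED_OFFSETS:
        fail(f"Confidentiality offset {offset} is not supported on G-series (use 0 or 30)")
    elif offset != 0:
        warn(f"offset {offset}: first {offset} payload bytes are integrity-protected but not encrypted")
    if status.get("replay_protect") == "0":
        warn("replay protection is disabled (replay_protect=0)")

    ok = not any(f.startswith("FAIL") for f in findings)
    return ok, findings


if __name__ == "__main__":
    for label, sample in (("healthy", SAMPLE_OK), ("no peer", SAMPLE_NO_PEER)):
        ok, findings = check_macsec_status(parse_macsec_status(sample))
        print(f"[{label}] ok={ok}")
        for f in findings:
            print("  " + f)
```

The warnings are deliberate: an offset of 30 and replay_protect of 0 are valid, working settings that the page's output shows, but both reduce what MACsec protects on that link, so a reviewer should see them even when the session is up.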
To verify a FortiAP is registered in FortiGate with 802.1X and MACsec authentication:
FortiGate-301E (vdom1) # diagnose  wireless-controller  wlac -c wtp
 
WTP vd               : vdom1, 3-FP233GTF23000132    MP00
    uuid                 : 0d96e930-1aaf-51ef-0a3a-315f022a18d7
    mgmt_vlanid      : 0
    region code        : E  invalid
    refcnt                  : 3 own(1) wtpprof(1) ws(1)   deleted(no)
    apcfg status       : N/A,N/A cfg_ac=0.0.0.0:0 val_ac=0.0.0.0:0 cmds T 0 P 0 U 0 I 0 M 0
    apcfg cmd details: 
    plain_ctl           : disabled
    image-dl(wtp,rst): yes,no
    admin                : enable
    wtp-profile       : cfg(233G) override(disabled) oper(233G)
……….
  SNMP               : disabled
  WAN port authentication: 802.1X
  WAN port 802.1x EAP method: EAP-PEAP
  WAN port 802.1x Macsec: enabled