Administration Guide

Wireless security

In an environment that is predominantly wireless, where employees and guests are increasingly bringing personal devices and attempting to connect to the wireless network, wireless security is a powerful configuration tool. It allows you to quickly connect to wireless controllers and access points and configure the integration between those devices and FortiNAC.

Wireless devices are added to the Network Devices view based on their IP addresses. FortiNAC reads the configuration on the device. For any given wireless device you can configure multiple secure SSIDs (802.1x) or open SSIDs (unsecured) as needed. FortiNAC saves the SSID configuration to its own database.

Wireless security is currently only supported for Xirrus Arrays, HP MSM controllers, and Ruckus controllers. Other wireless devices can be added using the Network Devices view. See Network devices.

For HP wireless devices in teaming mode, only the controller that is the team manager needs to be configured. Only the virtual IP address of the team should be used for configuration.

If you have purchased only the Wireless Only license and not the entire FortiNAC product, you can add only five wired devices. You cannot use Discovery to scan the network for devices.

Implementation

General
  1. Configure your wireless devices via the Admin Interface for each device. Make sure that hosts can connect to the network before integrating the devices with FortiNAC.
  2. Review the integration document for your wireless device that is available on the Fortinet web site.
  3. Use the Discovery option to enter IP address ranges and device credentials and search your network for devices. This option is not available if you have the Wireless Only License. See Discovery.
  4. Review the results of the Discovery process to make sure all devices have been found. If there are missing devices, check the IP address ranges entered, add any missing ranges and run the Discovery process again. See Discovery results.
  5. If you plan to authenticate network users through a directory, configure the integration with one or more directories. See Directories.
  6. Configure the Captive Portal. See Portal configuration.
Guest Management
  1. Configure guest templates. Guest templates control parameters of guest accounts, such as account duration, password length, or times when the network can be accessed, as well as the SSIDs to which guests can connect. Create a guest template for each unique type of guest. For example, if you have guests who should only have access from 9 in the morning until 5 in the evening, create a template for them. If you have guests who should only be allowed to access a special VLAN or Access Group, create a template for them.
  2. If you would like to delegate guest account creation and management to other employees, create sponsor administrative accounts for those users. A sponsor account allows the user to log into the FortiNAC admin UI and create accounts for guests, send account credentials to guests, and respond to guest self-registration requests. See Add a guest manager profile.
  3. Create guest accounts as needed for incoming guests. See Guest/contractor accounts.
  4. When guest management is handled through Wireless Security, each guest template that is in use requires at least one Guest Management SSID configuration. Guests may connect to your network in other ways. If there are guest templates for guests that will never connect via one of the SSIDs you are configuring, those templates do not require an SSID configuration.

    Guest templates are part of the filter that determines the Access Group or VLAN to which the guest is assigned. If a guest has a guest template but the template has not been associated with an SSID, the guest will not be able to access the network using one of the SSIDs configured through Wireless Security. The guest may need to access the network using another wireless connection or a wired connection. SSID options include a Secure (802.1x) SSID or an Open SSID. See Network devices and SSID mappings.

    • For the Secure SSID configuration you must have a primary RADIUS server. If you do not have one configured you can add it when configuring the SSID.
    • For the Open SSID configuration you must provide the RADIUS secret configured on the array.
Device Onboarding
  1. Add Secure (802.1x) or Open SSID configurations for Device Onboarding to quickly register new devices and users on your network. See Network devices and SSID mappings.

    • For the Secure SSID configuration you must have a primary RADIUS server. If you do not have one configured you can add it when configuring the SSID.
    • For the Open SSID configuration you must provide the RADIUS secret configured on the device.
  2. If your configuration requires that a Supplicant be installed on a device for it to connect to a Secure SSID, do the following:

    • Configure an Open SSID for Device Onboarding that contains a supplicant configuration with the security configuration for a Secure SSID. See and Supplicant configurations.
    • Configure the Secure SSID to which hosts or devices should connect after the Supplicant is installed. See Secure SSID for device onboarding.
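The Guest Management and Device Onboarding steps above impose a handful of consistency rules: a Secure (802.1x) SSID needs a primary RADIUS server, an Open SSID needs the RADIUS secret configured on the array or controller, every in-use guest template that depends on Wireless Security needs a Guest Management SSID mapping, and an Open onboarding SSID that pushes a supplicant configuration must point at a Secure SSID that actually exists. The following pre-deployment check, added here as an illustration and not part of FortiNAC or this guide, encodes those rules against a constructed sample configuration. The data model (`SsidConfig`, `GuestTemplate`, their field names) and all sample values are assumptions made for this example; FortiNAC's own database schema is different.

```python
"""Pre-deployment consistency check for a Wireless Security configuration.

Added example, not FortiNAC code. The classes, field names and sample data
below are assumptions for illustration only.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SsidConfig:
    name: str
    kind: str                                   # "secure" (802.1x) or "open"
    purpose: str                                # "guest" or "onboarding"
    primary_radius: Optional[str] = None        # required for secure SSIDs
    radius_secret: Optional[str] = None         # required for open SSIDs (must match the array/controller)
    guest_templates: List[str] = field(default_factory=list)  # templates mapped to this SSID
    supplicant_target: Optional[str] = None     # open onboarding SSID: secure SSID the supplicant joins


@dataclass
class GuestTemplate:
    name: str
    in_use: bool = True                         # at least one guest account uses it
    wireless_security_only: bool = True         # guests with it only connect via Wireless Security SSIDs


def check_ssid(ssid: SsidConfig, all_ssids: List[SsidConfig]) -> List[str]:
    """Rules that apply to a single SSID configuration."""
    problems = []
    if ssid.kind == "secure" and not ssid.primary_radius:
        problems.append(f"{ssid.name}: secure SSID has no primary RADIUS server")
    elif ssid.kind == "open" and not ssid.radius_secret:
        problems.append(f"{ssid.name}: open SSID has no RADIUS secret")
    elif ssid.kind not in ("secure", "open"):
        problems.append(f"{ssid.name}: unknown SSID kind {ssid.kind!r}")
    # An open onboarding SSID that carries a supplicant configuration must
    # reference a secure SSID that is itself configured.
    if ssid.purpose == "onboarding" and ssid.kind == "open" and ssid.supplicant_target:
        secure_names = {s.name for s in all_ssids if s.kind == "secure"}
        if ssid.supplicant_target not in secure_names:
            problems.append(f"{ssid.name}: supplicant target {ssid.supplicant_target!r} is not a configured secure SSID")
    return problems


def check_guest_templates(templates: List[GuestTemplate], ssids: List[SsidConfig]) -> List[str]:
    """Every in-use template that relies on Wireless Security needs a Guest Management SSID."""
    mapped = set()
    for s in ssids:
        if s.purpose == "guest":
            mapped.update(s.guest_templates)
    problems = []
    for t in templates:
        if t.in_use and t.wireless_security_only and t.name not in mapped:
            problems.append(f"{t.name}: in-use guest template has no Guest Management SSID; "
                            "guests with it cannot join via Wireless Security SSIDs")
    return problems


def validate(templates: List[GuestTemplate], ssids: List[SsidConfig]) -> List[str]:
    """Run every check and return the list of findings (empty means consistent)."""
    problems = []
    for s in ssids:
        problems.extend(check_ssid(s, ssids))
    problems.extend(check_guest_templates(templates, ssids))
    return problems


# Constructed sample configuration (not from any real deployment).
SAMPLE_SSIDS = [
    SsidConfig("Guest-Secure", "secure", "guest", primary_radius="radius-1.example.internal",
               guest_templates=["business-hours-guest"]),
    SsidConfig("Guest-Open", "open", "guest", guest_templates=["vip-guest"]),          # secret missing
    SsidConfig("Onboard-Secure", "secure", "onboarding"),                             # RADIUS server missing
    SsidConfig("Onboard-Open", "open", "onboarding", radius_secret="constructed-secret",
               supplicant_target="Onboard-Secure"),
]
SAMPLE_TEMPLATES = [
    GuestTemplate("business-hours-guest"),
    GuestTemplate("vip-guest"),
    GuestTemplate("contractor-wired", wireless_security_only=False),  # reaches the network by wire
    GuestTemplate("lab-guest"),                                       # in use, but mapped to no SSID
]

if __name__ == "__main__":
    for line in validate(SAMPLE_TEMPLATES, SAMPLE_SSIDS):
        print(line)
```

Against the sample data the check reports three findings: the Open guest SSID lacks its RADIUS secret, the Secure onboarding SSID lacks a primary RADIUS server, and the `lab-guest` template has no Guest Management SSID. The `contractor-wired` template is deliberately not flagged, matching the guide's note that templates for guests who never use the configured SSIDs need no SSID configuration.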
