
Course 203 - Fortinet Wireless

Module 5 Custom AP Profiles

Fortinet Wireless
Course 203
Module 5 – Custom AP Profiles
© 2012 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or distributed to anyone without prior written consent of an authorized representative of Fortinet.
Objectives

• Identify the requirement for custom AP profiles and the features that can be configured using custom profiles
• Describe the rogue AP detection feature and the protection it provides
• Describe wireless IDS techniques and the protection they provide
• Describe the usage of client load balancing mechanisms and the options available
• Perform a configuration to enable rogue AP detection in the hands-on lab


Custom AP Profiles

• If the automatic AP profile settings don’t meet your needs, you can define a custom AP Profile.
Power

• TX power is set to 100% of the maximum power permitted in your region
  » To change the level, drag the slider.


Channels

• Select the IEEE wireless protocol that is available to the region.
 
Distributed Automatic Radio Resource Provisioning

• Distributed Automatic Radio Resource Provisioning (DARRP)
  » Allows each FortiAP unit to select an optimum WiFi channel
  » Units do not interfere with each other
  » Reduces load on the FortiGate wireless controller
  » Reduces chatter between APs
  » The selected channel is evaluated every 5 minutes
  » Clients are automatically signaled to migrate to a new channel


DARRP
 
Rogue AP Detection

• A rogue AP is a wireless network available in your location that is not part of your managed wireless network
  » It may cause some interference, but it is not always a security threat
  » There is a risk that people in your organization could connect unsecured wireless devices to your wired network, inadvertently providing access to unauthorized parties.


Monitoring Rogue APs

• The access point radio equipment can scan for other available access points:
  » As a dedicated monitor
  » As a background scan while the AP is idle
• Discovered APs are listed in the Rogue AP Monitor list
  » You can mark them as Accepted or Rogue
• This is only a designation to help track APs in your environment.
  » It does not affect the ability to use these APs.
On-Wire Rogue AP Detection

• Other APs that are available in the same area as your own APs are not necessarily rogues
• A neighboring AP that has no connection to your network might cause interference, but it is not a security threat
• The on-wire detection technique differentiates between interferers and rogues by checking whether the AP’s MAC address is also seen on the wired network we are protecting.


On-Wire Rogue AP Detection Limitations

• There must be at least one WiFi client connected to the suspect AP and continuously sending traffic.
• If the suspect AP is a router, its WiFi MAC must be very similar to its Ethernet port MAC.
  » The WiFi controller correlates WiFi and Ethernet MAC addresses by determining whether they are within a certain numerical distance of each other. This is called the MAC adjacency.
  » By default, the difference in MAC address values must be seven or less.

    config wireless-controller global
        set rogue-scan-mac-adjacency <int>
    end
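The MAC adjacency rule above, worked through in code. This is an added illustration, not Fortinet code and not a description of FortiOS internals: it assumes the controller has the BSSID and client MACs seen by the monitor radio plus the MAC table of the wired side, and treats a scanned AP as on-wire when a wired MAC lies within the adjacency distance of its BSSID (the router case on the slide) or one of its clients' MACs appears on the wire (the bridged case). The verdict names and every address below are constructed for the example.

```python
# Added example (not Fortinet's code): a small model of the on-wire
# correlation described on the slide. Assumptions: the controller has the
# BSSID and client MACs seen by a scanning radio and the source MACs learned
# on the wired network; the router case uses MAC adjacency, the bridged case
# an exact client-MAC match. All sample addresses are constructed.
from dataclasses import dataclass, field

DEFAULT_MAC_ADJACENCY = 7   # default stated on the slide (rogue-scan-mac-adjacency)


def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff into a 48-bit integer."""
    digits = mac.lower().replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def mac_adjacent(a: str, b: str, adjacency: int = DEFAULT_MAC_ADJACENCY) -> bool:
    """True when the numeric values of two MACs differ by at most `adjacency`."""
    return abs(mac_to_int(a) - mac_to_int(b)) <= adjacency


@dataclass
class ScannedAP:
    bssid: str
    ssid: str
    client_macs: list = field(default_factory=list)  # clients seen sending traffic


def classify_scanned_aps(scanned, wired_macs, adjacency=DEFAULT_MAC_ADJACENCY):
    """Return {bssid: verdict}: 'on-wire rogue', 'interferer' or 'undetermined'
    (no client traffic, so the on-wire check cannot run at all)."""
    wired = {mac_to_int(m) for m in wired_macs}
    verdicts = {}
    for ap in scanned:
        if not ap.client_macs:
            verdicts[ap.bssid] = "undetermined"
            continue
        bssid = mac_to_int(ap.bssid)
        # router case: its Ethernet MAC is numerically close to the BSSID
        router_on_wire = any(abs(bssid - w) <= adjacency for w in wired)
        # bridged case: a wireless client's own MAC shows up on the wire
        client_on_wire = any(mac_to_int(c) in wired for c in ap.client_macs)
        verdicts[ap.bssid] = ("on-wire rogue" if (router_on_wire or client_on_wire)
                              else "interferer")
    return verdicts


# Constructed sample input: what a monitor radio and the wired MAC table might show.
SCANNED = [
    ScannedAP("00:11:22:33:44:57", "HomeRouter", ["aa:bb:cc:00:00:01"]),
    ScannedAP("66:77:88:99:aa:bb", "CoffeeShop", ["aa:bb:cc:00:00:02"]),
    ScannedAP("de:ad:be:ef:00:01", "BridgedAP", ["aa:bb:cc:00:00:03"]),
    ScannedAP("12:34:56:78:9a:bc", "IdleAP", []),
]
WIRED_MACS = [
    "00:11:22:33:44:50",  # Ethernet port of HomeRouter: exactly 7 below its BSSID
    "aa:bb:cc:00:00:03",  # BridgedAP's client, seen directly on the wire
    "00:aa:bb:cc:dd:ee",  # an ordinary wired host
]

if __name__ == "__main__":
    for bssid, verdict in classify_scanned_aps(SCANNED, WIRED_MACS).items():
        print(f"{bssid}  {verdict}")
```

Raising the adjacency value makes the router check match more devices, including legitimate neighbours whose MACs happen to be numerically close, which is why the client-traffic requirement on the slide matters: the correlation only runs for APs that actually have clients sending frames.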
 
Suppressing Rogue APs

• Enable rogue AP suppression to actively prevent your users from connecting to them:
  » Enable monitoring of rogue APs with the on-wire detection technique
  » When suppression is activated against an AP:
    » The FortiGate wireless controller sends de-authentication messages to the rogue AP’s clients, posing as the rogue AP
    » FortiGate also sends de-authentication messages to the rogue AP, posing as its clients.
• This is done using the monitoring radio and requires dedicated monitor mode.


Wireless Client Load Balancing

• Load balancing for high density deployments:
  » Client load-balancing across FAPs
  » Client load-balancing across the 2.4 GHz and 5 GHz frequencies.
Access Point Hand-off

• Signal clients to connect to another AP
• If the load on an access point (AP1) exceeds a threshold (for example, 30 clients), the client with the weakest signal is signaled by the wireless controller to drop off and join another nearby access point (AP2)
• The setting can be configured in a custom AP profile


Frequency Hand-off

• Signal clients to connect to another frequency
• The wireless controller monitors the usage of the 2.4 GHz and 5 GHz bands, and signals clients to switch to the lesser-used frequency
• The setting can be configured in a custom AP profile
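The two hand-off decisions on the Access Point Hand-off and Frequency Hand-off slides, modelled together in code. This is an added example, not Fortinet code or the controller's actual algorithm: it assumes the controller knows each client's signal level and band per AP, takes the 30-client threshold from the slide's own example, and adds assumptions of its own (a neighbour list per AP, the least-loaded neighbour as the target, and moving half the band difference so the bands end up even). All client data is constructed.

```python
# Added example (not Fortinet's code): a simplified model of AP hand-off and
# frequency hand-off. Assumptions: the controller knows each client's RSSI and
# band, each AP has a list of nearby APs, the overloaded AP sends its weakest
# client to the least-loaded neighbour, and the band balancer moves half the
# difference. The topology and client values below are constructed.
from dataclasses import dataclass, field


@dataclass
class Client:
    mac: str
    rssi_dbm: int            # signal as seen by the AP; more negative = weaker
    band: str                # "2.4GHz" or "5GHz"
    dual_band: bool = True   # only dual-band clients can be moved between bands


@dataclass
class AccessPoint:
    name: str
    clients: list = field(default_factory=list)
    neighbours: list = field(default_factory=list)   # names of nearby APs


def ap_handoff_candidate(ap, aps_by_name, threshold=30):
    """AP hand-off: when `ap` carries more than `threshold` clients, return
    (weakest-signal client, least-loaded neighbouring AP); otherwise None."""
    if len(ap.clients) <= threshold:
        return None
    neighbours = [aps_by_name[n] for n in ap.neighbours if n in aps_by_name]
    if not neighbours:
        return None                     # nowhere to send the client
    weakest = min(ap.clients, key=lambda c: c.rssi_dbm)
    target = min(neighbours, key=lambda n: len(n.clients))
    return weakest, target


def frequency_handoff_candidates(ap):
    """Frequency hand-off: return [(client, target_band)] for the dual-band
    clients on the busier band that should be signaled to the lesser-used band,
    moving half the difference so the two bands end up roughly even."""
    by_band = {"2.4GHz": [], "5GHz": []}
    for c in ap.clients:
        by_band[c.band].append(c)
    busy, quiet = sorted(by_band, key=lambda b: len(by_band[b]), reverse=True)
    excess = (len(by_band[busy]) - len(by_band[quiet])) // 2
    movable = [c for c in by_band[busy] if c.dual_band]
    return [(c, quiet) for c in movable[:excess]]


def build_demo():
    """Constructed topology: AP1 is over the threshold (31 clients), AP2 has an
    uneven band split, AP3 is nearly empty."""
    ap1 = AccessPoint("AP1", neighbours=["AP2", "AP3"])
    for i in range(31):
        ap1.clients.append(Client(f"02:00:00:00:00:{i:02x}", -40 - i,
                                  "5GHz" if i % 2 else "2.4GHz"))
    ap2 = AccessPoint("AP2", neighbours=["AP1"], clients=[
        Client("0a:00:00:00:00:01", -50, "2.4GHz"),
        Client("0a:00:00:00:00:02", -55, "2.4GHz", dual_band=False),
        Client("0a:00:00:00:00:03", -48, "2.4GHz"),
        Client("0a:00:00:00:00:04", -60, "2.4GHz"),
        Client("0a:00:00:00:00:05", -45, "5GHz"),
    ])
    ap3 = AccessPoint("AP3", neighbours=["AP1"], clients=[
        Client("0c:00:00:00:00:01", -52, "5GHz"),
    ])
    return {ap.name: ap for ap in (ap1, ap2, ap3)}


if __name__ == "__main__":
    aps = build_demo()
    client, target = ap_handoff_candidate(aps["AP1"], aps)
    print(f"AP1 over threshold: move {client.mac} ({client.rssi_dbm} dBm) to {target.name}")
    for c, band in frequency_handoff_candidates(aps["AP2"]):
        print(f"AP2: signal {c.mac} to switch from {c.band} to {band}")
```

The weakest client is the one the slide says gets moved; picking it is also the least disruptive choice, since a client at the edge of AP1's coverage is the most likely to be closer to another AP. Single-band clients are left out of the band balancer because a signal to change band would do them no good.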
Wireless IDS

• The FortiGate WIDS monitors wireless traffic for a wide range of security threats by detecting and reporting on possible intrusion attempts. When an attack is detected, the FortiGate unit records a log message.


Wireless IDS

• Define a Wireless IDS profile

    config wireless-controller wids-profile
        edit "default"
            set comment "default wids profile"
            set wireless-bridge enable
            set deauth-broadcast enable
            …
            set eapol-pre-succ-flood enable
            set eapol-pre-fail-flood enable
        next
    end


Wireless IDS

• Apply the Wireless IDS profile to a custom AP profile

    config wireless-controller wtp-profile
        edit "test"
            config platform
                set type 210B
            end
            config radio-1
                set mesh-downlink enable
                set band 802.11n
                set wids-profile "default"
            …
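A way to check that the two fragments on the slides above fit together, as an added example that is not Fortinet code: a parser for the config / edit / set / next / end structure of the CLI fragments, and an audit that walks every radio in each wtp-profile and reports radios with no wids-profile, references to a profile that is not defined, and profiles that leave the de-auth and EAPOL flood detections off. The config it runs on is constructed from the slides' own fragments, with a radio-2 added here that deliberately has no WIDS profile so the audit has something to report.

```python
# Added example (not Fortinet's code): parse FortiOS-style CLI fragments like
# the ones on the slides and audit WIDS coverage per radio. The sample config
# is constructed from the slides' fragments plus a radio-2 without a profile.
import shlex


def parse_fortios_config(text):
    """config A B -> {"A B": {...}}; edit "x" -> {"x": {...}}; set k v -> {"k": "v"}
    (a list when several values). 'next' closes an edit block, 'end' closes the
    enclosing config block and any edit block still open inside it."""
    root = {}
    stack = [("root", root)]           # (block kind, dict being filled)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line in ("…", "..."):
            continue                   # skip blanks, comments and elisions
        cmd, *args = shlex.split(line)
        if cmd == "config":
            block = stack[-1][1].setdefault(" ".join(args), {})
            stack.append(("config", block))
        elif cmd == "edit":
            block = stack[-1][1].setdefault(args[0], {})
            stack.append(("edit", block))
        elif cmd == "set":
            stack[-1][1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd == "next":
            if stack[-1][0] != "edit":
                raise ValueError(f"'next' outside an edit block: {raw!r}")
            stack.pop()
        elif cmd == "end":
            while stack[-1][0] == "edit":
                stack.pop()
            if stack[-1][0] != "config":
                raise ValueError(f"'end' outside a config block: {raw!r}")
            stack.pop()
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unterminated block(s) at end of input")
    return root


REQUIRED_DETECTIONS = ("deauth-broadcast", "eapol-pre-succ-flood", "eapol-pre-fail-flood")


def audit_wids(cfg, required=REQUIRED_DETECTIONS):
    """Return a list of findings; an empty list means every radio is covered."""
    findings = []
    wids = cfg.get("wireless-controller wids-profile", {})
    for wtp_name, wtp in cfg.get("wireless-controller wtp-profile", {}).items():
        for sub, body in wtp.items():
            if not (sub.startswith("radio-") and isinstance(body, dict)):
                continue               # platform block, plain settings, etc.
            ref = body.get("wids-profile")
            if not ref:
                findings.append(f"{wtp_name}/{sub}: no wids-profile applied")
                continue
            profile = wids.get(ref)
            if profile is None:
                findings.append(f"{wtp_name}/{sub}: wids-profile {ref!r} is not defined")
                continue
            for det in required:
                if profile.get(det) != "enable":
                    findings.append(f"{wtp_name}/{sub}: wids-profile {ref!r} does not enable {det}")
    return findings


SAMPLE_CONFIG = """\
config wireless-controller wids-profile
    edit "default"
        set comment "default wids profile"
        set wireless-bridge enable
        set deauth-broadcast enable
        set eapol-pre-succ-flood enable
        set eapol-pre-fail-flood enable
    next
end
config wireless-controller wtp-profile
    edit "test"
        config platform
            set type 210B
        end
        config radio-1
            set mesh-downlink enable
            set band 802.11n
            set wids-profile "default"
        end
        config radio-2
            set band 802.11n
        end
    next
end
"""
```

Running audit_wids(parse_fortios_config(SAMPLE_CONFIG)) reports only radio-2, the radio that was added without a profile; radio-1 passes because "default" exists and enables all three detections.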
 
Lab

• Rogue AP detection