
Course 203 - Fortinet Wireless

Module 5 Custom AP Profiles

Fortinet Wireless Course 203


Module 5 Custom AP Profiles

2012 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or distributed to anyone without prior written consent of an authorized representative of Fortinet.

Objectives
Identify the requirement for custom AP profiles and the features that can be configured using custom profiles
Describe the rogue AP detection feature and the protection it provides
Describe wireless IDS techniques and the protection they provide
Describe the usage of client load balancing mechanisms and the options available
Perform a configuration to enable rogue AP detection in the hands-on lab

01-05002-RevA-0203-20130520


Custom AP Profiles
If the automatic AP profile settings don't meet your needs, you can define a custom AP profile.

Power
TX power is set to 100% of the maximum power permitted in your region.
To change the level, drag the slider.


Channels
Select the IEEE wireless protocol that is available in your region.

Distributed Automatic Radio Resource Provisioning (DARRP)
Allows each FortiAP unit to select an optimum WiFi channel, so that units do not interfere with each other
Reduces load on the FortiGate wireless controller
Reduces chatter between APs
The selected channel is re-evaluated every 5 minutes
Clients are automatically signaled to migrate to a new channel


DARRP

Rogue AP Detection
A rogue AP is a wireless network available in your location that is not part of your managed wireless network.
They may cause some interference, but they are not always a security threat.
There is a risk that people in your organization could connect unsecured wireless devices to your wired network, inadvertently providing access to unauthorized parties.


Monitoring Rogue APs
The access point radio equipment can scan for other available access points:
As a dedicated monitor
As a background scan while the AP is idle
Discovered APs are listed in the Rogue AP Monitor list.
You can mark them as Accepted or Rogue.
This is only a designation to help track APs in your environment. It does not affect the ability to use these APs.

On-Wire Rogue AP Detection
Other APs that are available in the same area as your own APs are not necessarily rogues.
A neighboring AP that has no connection to your network might cause interference, but it is not a security threat.
The on-wire detection technique differentiates between interferers and rogues by checking whether the AP's MAC address is also seen on the wired network we are protecting.


On-Wire Rogue AP Detection Limitations
There must be at least one WiFi client connected to the suspect AP and continuously sending traffic.
If the suspect AP is a router, its WiFi MAC must be very similar to its Ethernet port MAC.
The WiFi controller correlates WiFi and Ethernet MAC addresses by determining whether they are within a certain numerical distance of each other. This is called the MAC adjacency. By default, the difference in MAC address values must be seven or less.
    config wireless-controller global
        set rogue-scan-mac-adjacency <int>
    end
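The MAC adjacency test above, worked through as an added illustration that is not Fortinet's code: a BSSID reported by the rogue scan is flagged as on-wire when a MAC within the adjacency distance is also present on the protected wired segment, otherwise it is treated as an interferer. The wired MAC table and the scanned BSSIDs are constructed samples, and treating "numerical distance" as the absolute difference of the full 48-bit address values is an assumption; the adjacency parameter is exposed so the effect of raising the default of 7 can be seen.

```python
"""On-wire rogue AP correlation by MAC adjacency (added illustration).

A BSSID heard over the air is treated as on-wire (a true rogue) when a
MAC within `adjacency` of it also appears on the protected wired network.
Sample data below is constructed, not captured output.
"""
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.IGNORECASE)


def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff (colons or dashes) into a 48-bit integer."""
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(re.sub(r"[:-]", "", mac), 16)


def mac_adjacent(wifi_mac: str, wired_mac: str, adjacency: int = 7) -> bool:
    """True when the two addresses differ by at most `adjacency`.
    Assumption: 'numerical distance' is the absolute difference of the full
    48-bit values, so addresses from different vendor OUIs are never adjacent."""
    return abs(mac_to_int(wifi_mac) - mac_to_int(wired_mac)) <= adjacency


def classify_bssids(bssids, wired_macs, adjacency: int = 7) -> dict:
    """Map each scanned BSSID to ('on-wire rogue', matching wired MAC) or ('interferer', None)."""
    result = {}
    for bssid in bssids:
        match = next((w for w in wired_macs if mac_adjacent(bssid, w, adjacency)), None)
        result[bssid] = ("on-wire rogue", match) if match else ("interferer", None)
    return result


# Constructed sample: what the switch MAC table on the protected LAN might show.
WIRED_MACS = ["00:11:22:33:44:50", "a4:5e:60:0c:1d:2e"]
# Constructed sample: BSSIDs reported by the AP's rogue scan.
SCANNED_BSSIDS = [
    "00:11:22:33:44:55",  # differs from a wired MAC by 5 -> within the default adjacency
    "00:11:22:33:44:60",  # differs by 16 -> beyond 7, treated as an interferer
    "de:ad:be:ef:00:01",  # different vendor OUI -> interferer
]

if __name__ == "__main__":
    for bssid, (verdict, wired) in classify_bssids(SCANNED_BSSIDS, WIRED_MACS).items():
        suffix = f"  (wired neighbour {wired})" if wired else ""
        print(f"{bssid}  {verdict}{suffix}")
```

Running `classify_bssids` with `adjacency=16` moves the second sample BSSID into the on-wire category, which is the trade-off behind raising `rogue-scan-mac-adjacency`: more routers with widely spaced WiFi and Ethernet MACs are caught, at the cost of more false positives from unrelated neighbouring addresses.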


Suppressing Rogue APs
Enable rogue AP suppression to actively prevent your users from connecting to them:
Enable monitoring of rogue APs with the on-wire detection technique.
When suppression is activated against an AP:
The FortiGate wireless controller sends de-authentication messages to the rogue AP's clients, posing as the rogue AP.
FortiGate also sends de-authentication messages to the rogue AP, posing as its clients.
This is done using the monitoring radio and requires dedicated monitor mode.


Wireless Client Load Balancing
Load balancing for high density deployments:
Client load balancing across FortiAPs (FAPs)
Client load balancing across the 2.4 GHz and 5 GHz frequencies


Access Point Hand-off
Signal clients to connect to another AP.
If the load on an access point (AP1) exceeds a threshold (for example, 30 clients), the client with the weakest signal is signaled by the wireless controller to drop off and join another nearby access point (AP2).
The setting can be configured in a custom AP profile.


Frequency Hand-off
Signal clients to connect to another frequency.
The wireless controller monitors the usage of the 2.4 GHz and 5 GHz bands and signals clients to switch to the lesser-used frequency.
The setting can be configured in a custom AP profile.


Wireless IDS
The FortiGate WIDS monitors wireless traffic for a wide range of security threats by detecting and reporting on possible intrusion attempts. When an attack is detected, the FortiGate unit records a log message.



Wireless IDS
Define a Wireless IDS profile:
    config wireless-controller wids-profile
        edit "default"
            set comment "default wids profile"
            set wireless-bridge enable
            set deauth-broadcast enable
            set eapol-pre-succ-flood enable
            set eapol-pre-fail-flood enable
        next
    end


Wireless IDS
Apply the Wireless IDS profile to a custom AP profile:
    config wireless-controller wtp-profile
        edit "test"
            config platform
                set type 210B
            end
            config radio-1
                set mesh-downlink enable
                set band 802.11n
                set wids-profile "default"
            end
        next
    end


Lab: Rogue AP Detection
