Table of Contents

TABLE OF CONTENTS......................................................................
LAB SETUP....................................................................................
LAB 1: FORTIGATE WIRELESS CONFIGURATION USING A FORTIAP
DEVICE..................................................................................
Exercise 1 Configuring a wireless LAN............................................................................4
Exercise 2 Device Identification configuration for WLAN.................................................7

LAB 2: IMPROVING WIRELESS SECURITY WITH WPA-ENTERPRISE

SECURITY..............................................................................
Exercise 1 PEAP using local user group...........................................................................9
Exercise 2 Captive Portal.............................................................................................. 10
Exercise 3: Using FortiAuthenticator for PEAP authentication........................................10

LAB 3: CUSTOM AP PROFILES........................................................13

Exercise 1 Configuring rogue AP detection...................................................................13
Exercise 2: Setting up Full Mesh Wireless on FortiGate Unit Using Two FortiAP Units.....14

 Lab 1: FortiGate Wireless Configuration using a FortiAP Device

Lab Setup
Please note that the following information is for reference only, this setup will have been
completed by the instructor.
The following instruction assumes a FortiGate VM01 and FortiAP per student. You may adapt
the instruction to use a physical FortiGate device if you prefer. The FortiAP device used in this
training is the 220B however you may also use a different device and adapt the instruction
accordingly. You also require a FortiAuthenticator VM per student however you may use the
inbuilt trial license.
For desktop virtualization we use VMware Player in this instruction.
First install the VMware Player application on your PC. You will require administrator privileges
to do this.
Next copy the FortiGate and FortiAuthenticator VMs, in OVF format, which will be used for this
class and open and import both VMs with the VMware Player application.
This lab instruction uses FortiOS 5.0.6 (build 271) and FortiAuthenticator 2.0 (build 208).
Import the FortiGate VM and name this VM Student.
Import the FortiAuthenticator VM and name this VM Authenticator.
We use two interfaces on the FGT: one as the default route and wireless AP distribution system
and one for the internal network. Note this setup relies on DHCP being available on the network
the laptops and APs connect to. The FortiAP 220B has Power-over-Ethernet interfaces
therefore you may use a PoE switch however the mesh lab does require a power supply for the
AP connecting to the wireless mesh.
The setup used in this training uses the Ethernet port of the laptop.
The FortiGate uses the following VMware vmnet interfaces:

Vmnet1 (host-only) which maps to port2.

Vmnet0 (bridged) which maps to port1.

From VMware Player edit the FGT VM settings and choose vmnet0 for port1 (the first interface in
the list) and vmnet1 for port2.
From VMware Player edit the FortiAuthenticator VM settings and choose vmnet1 for port1 (the
first interface in the list).
Configure the PC vmnet1 interface as 10.0.1.1/24, gateway and DNS 10.0.1.254. The PC
Ethernet port does not require IP settings because traffic will be routed through the FortiGate.
2

 Lab 1: FortiGate Wireless Configuration using a FortiAP Device

Start up the FGT VM and connect to the console and format the log disk, this is required for local
logging and for other services to function.

When the FGT restarts connect to the CLI set the port1 and port2 interface settings, DNS and an
outgoing policy:
config system interface
edit port1
set mode dhcp
set allowaccess ping
set defaultgw enable
next
edit port2
set ip 10.0.l.254/24
set allowaccess http https ping ssh
end
config system dns-server
edit "port2"
next
end
config firewall policy
edit 1
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
end
3

 Lab 1: FortiGate Wireless Configuration using a FortiAP Device

To create a configuration file with these settings, append the above CLI to the end of a blank
configuration file for your device.
Disable the PC firewall as this will interfere with traffic to and from the guest OS.
Connect to the FortiGate GUI, http://10.0.1.254. Connect via http first because without the
license installed only weak encryption is supported with the VM inbuilt evaluation license. If you
cannot connect to the GUI check the previous settings.
Install the VM license.

 Lab 1: FortiGate Wireless Configuration using a FortiAP Device

Lab 1: FortiGate Wireless

Configuration using a
FortiAP Device
eObvcjti
This lab supports the learning objectives for module 2. You will configure a basic wireless
network using WPA and pre-shared key. You will manage an AP device to work with your
wireless controller and configure firewall policies for the wireless clients. Additionally, using
device identification on your virtual access point, you will configure a device access list and deny
your mobile test device form connecting and verify this action by inspecting event log messages.

Exercise 1

Configuring a wireless LAN

1. Connect to FGT GUI and to the CLI (10.0.1.254/24).

2. Set your FortiGate system time and date correctly, this step is essential for logs and
certificates.
3. Next, set the proper geography location, the default is US.
conf wireless-controller setting
set country US
end

Note: The country defines the acceptable radio settings for your region.

To change this value you must first remove the predefined WTP profiles by entering the
following CLI commands:
config wireless-controller wtp-profile
purge
end
4. Edit port1 and enable CAPWAP in the allow access settings. (Do not dedicate this port
for ForitAP, doing so enables CAPWAP and also sets up a DHCP server for the FortiAPs,
this is not required because we use a shared network and rely on external DHCP
services in the classroom labs).

 Lab 1: FortiGate Wireless Configuration using a FortiAP Device

5. On the FortiGate web-based manager, go to Wifi Controller > Managed Access Points >
Managed FortiAP. If your AP is not listed select Refresh.

Discovery of the FortiAP unit can take up to two minutes. If however, the FortiAP is not
listed under Managed FortiAP after two minutes perform the following steps:

Check that the ethernet port on the FortiAP unit is up

Power cycle the FortiAP unit

If necessary connect a console cable to the AP, login as admin and enter
factoryreset, when the AP restarts login again and enter ifconfig br0 to check that
the AP has obtained an IP address from the DHCP in your training facility.

Seek assistance from your instructor if none of the above steps resolve the issue.
6. From the FortiGate Wi-Fi Controller, select the serial number of your FortiAP, right-click
the FortiAP and select Authorize. Wait for the authorization to complete.
7. When Authorized, right-click again and select edit and name your AP.

Verify that the FortiAP firmware version is the correct version for your training. If
necessary upgrade by right-clicking your FortiAP from the managed AP list and applying
the recommended upgrade via FortiGuard or a file provided by your instructor.

Accept default settings. Select OK.

8. Go to Wifi Controller > Wifi Network > SSID and select Create New to define your
wireless network. Configure the following settings:

Interface Name:

<you choose>

IP/Netmask:

10.10.10.1/255.255.255.0

Administrative Access:

Ping

Traffic Mode:

Tunnel to Wireless Controller

DHCP Server

Enable

Configure the security settings as follows:

SSID:

<you choose>

Security Mode:

WPA/WPA2-Personal

Data Encryption:

AES
6

 Lab 1: FortiGate Wireless Configuration using a FortiAP Device

Pre-shared Key:

<you choose>

Select OK.
9. Create firewall policies for the wireless clients.
Go to Policy > Policy > Policy and select Create New to add a wireless to internal
network policy for your wireless clients,

Configure the following settings:

Source Interface/Zone:

<your ssid>

Source Address:

All

Destination Interface/Zone:

port2

Destination Address:

All

Schedule:

Always

Service:

All

Action:

Accept

Source NAT is not required for this policy since the Wireless and internal networks are
visible to each other. A second policy in the reverse direction would be required for
bidirectional communication between the internal wired and wireless networks.

Select Create New to add a wireless to Internet policy that allows wireless clients to
access the Internet.

Configure the following settings:

Source Interface/Zone:

<your ssid>

Source Address:

All

Destination Interface/Zone:

port1

Destination Address:

All

Schedule:

Always

Service:

All

Action:

ACCEPT
7

 Lab 1: FortiGate Wireless Configuration using a FortiAP Device

Select Enable NAT and Use Destination Interface Address. Click OK.
10. Test your wireless network, this instruction assumes you have mobile device which you
can use for this test, look for your SSID and attempt to connect.

Connect and enter the preshared key when prompted. Verify that you can ping your PC
and that you can connect to the Internet.

You can go to Wireless Controller > Monitor > Client Monitor to view information about
the clients that are connected to your Wireless network.

11. Access the FortiAP GUI.

Note the IP address of your AP and from your browser connect to that address via HTTP.
View the System and Wireless information. The Wireless information should display your
configured SSID.

You can also connect to the FortiAP via telnet. You can do this from the FortiAP GUI or
from the wireless controller (FortiGate) using the following command.

config wireless-controller wtp

edit <serial number>
set login-enable enable
end

12. The following diagnostic commands to look at the wireless controller and access point
communication.
On the FortiGate:
diag sniff packet any port 5246
diag debug enable
diag debug app cw_acd 5
diag debug app cw_acd 0 #to stop

On the FortiAP:
8

 Lab 1: FortiGate Wireless Configuration using a FortiAP Device

cw_debug on #to enable debug in telnet

cw_debug app cwWtpd 5
cw_debug app cwWtpd 0 #to stop

To see CAPWAP control and data channel from the FortiGate use the following
commands, note that c looks at the control channel and d looks at the data channel:

diag wireless-controller wlac c wtp

diag wireless-controller wlac d wtp
diag debug enable
diag wireless-controller wlac sta-filter MAC@ <level>
(Use diag wireless-controller wlac c sta to get the station MAC address.)
See KB article, FD33214, for further information.

Exercise 2 Device Identification

configuration for WLAN
1

Go to System > Network > Interface and edit your virtual access point interface. You
should observe that Device Manager setting Detect and Identify devices is enabled.

From Wireless Controller > Monitor > Client Monitor observe the device type icon next to
your devices MAC address.

13. Go to User & Device and > Device > Device Definition to confirm that your device is listed
and has been correctly identified.
14. From the FGT CLI create a device access list.
confg user device-access-list
edit <name>
set default-action accept
config device-list
edit 1
set action deny
set device <select your device type>
end
9

 Lab 1: FortiGate Wireless Configuration using a FortiAP Device

end
15. Apply this list to the VAP interface from the CLI.
config system interface
edit <your interface name>
set device-access-list <your list name>
end
16. You should observe that your mobile device is disconnected. Go to Log & Report >
Event Log > WiFi and identify the log message for the BYOD event, the action should be
a client denial for your device.
17. To see the devices detected by the access list use the following command:
diag wireless-controller wlac c byod_detected
18. When you have completed your testing return to the interface settings form the CLI and
unset the device access list.
config system interface
unset device-access-list
end

10

 Lab 1: FortiGate Wireless Configuration using a FortiAP Device

Lab 2: Improving Wireless

Security with WPAEnterprise Security
eObvcjti
This lab supports the learning objectives for module 3. You will configure WPA/WPA2 Enterprise
security using a local user group. You will configure 802.1X authentication using local user
groups.

Exercise 1 PEAP using local user group

1

Create a user and a user group and add the user to your group.

Go to WiFi Controller > WiFi Network > SSID and edit your wireless network created in
the previous lab. Configure the WiFi security settings as follows:

SSID:

<your ssid>

Security Mode:

WPA/WPA2-Enterprise

DataEncryption:

AES

Authentication:

Usergroup

Usergroup:

<your user group>

Click OK.
19. On your mobile device connect again to your SSID. You will be required to enter the
username and password for your user.
You will be prompted to accept the certificate for the authentication server, which is the
ForitGate in this configuration.
Alternatively you may download the wireless CA certificate used on the FortiGate for
wireless and import into your mobile device. To do this, go to System > Certificates > CA
Certificate. Select and view the certificate. Note the CN of UTN-USERFirstHardware.
Select download. Copy or send this certificate to your mobile device is via email.
20. Once you have successfully authenticated, verify that you can connect to reach your
internal host and connect to the Internet.
11

 Lab 1: FortiGate Wireless Configuration using a FortiAP Device

Go to the Log & Report > Event Log > WiFi and identify the log message for the
authentication event.

You can go to Wifi Controller > Monitor > Client Monitor to view information about the
clients that are connected to your Wireless network.

Exercise 2 Captive Portal

In this exercise you will modify you SSID configuration to use a captive portal instead, therefore
users will be redirected to this portal for authentication. You will customize the portal page.
1

Go to WiFi Controller > WiFi Network > SSID and edit your wireless network created in
the previous lab. Configure the WiFi security settings as follows:

SSID:

<your ssid>

Security Mode:

Captive Portal

Usergroup:

<your user group>

21. Select Customize Portal Messages and then edit and select the Captive Portal Login
Page, make a few simple changes in order that you can identify your customization.
Save your changes.
22. Close the customization window and click ok to save the changes to your SSID.
23. On your mobile device connect again to your SSID. You will note that the wireless
security is open in order for you to connect to your portal. You connect to your portal via
https and then you need to authenticate using your user account.

Exercise 3:
Using FortiAuthenticator for
PEAP authentication
1

Before stating the FortiAuthenticator VM, ensure that port1 is assigned to the VMware
host-only interface (vmnet1). Start the FortiAuthenticator VM.
Enter username admin and no password. Set the port1 interface IP address:
set port1-ip 10.0.1.253/24
set default-gw 10.0.1.254
12

 Lab 1: FortiGate Wireless Configuration using a FortiAP Device

Enter show to view configured parameters.

24. Connect to the FortiAuthenticator GUI: https://10.0.1.253
25. Set the System Time.
26. The main configuration requirements when setting up FortiAuthenticator for PEAP are:

build a CA

configure the RADIUS server

add users

configure the FGT as a client for the RADIUS server

install the servers public key in the client

27. Create a self-signed root certificate authority (CA).

Certificate Management > Certificate Authorities > Local CAs. Create New, leave Root
CA certificate selected and choose a Certificate ID and Name (CN) for your CA
certificate, leave all other settings as default.
28. Next create a Local Services certificate for the FortiAuthenticator itself.
Certificate Management > End Entities > Local Services. Create New and chose a
Certificate ID and Name (CN) for your Local Services certificate. The issuer should be
your Root CA created in the previous step.
29. Next create a local user.
Authentication > Local User Management > Local Users. Create a user.
30. Next configure the FortiGate as a RADIUS client of the FortiAuthenticator device.
Go to Authentication > General > Auth. Clients. Create New. Enter a name, the IP
address of your FortiGate (10.0.1.254) and a shared secret key which you will also enter
on the FortiGate unit. Select PEAP from EAP types.
31. Next select the CA and Local Certificate for EAP.
Authentication > General > EAP Config. Select the Local Service certificate, created in
the earlier step, for the EAP Server Certificate. Select the Local CA certificate, created in
the earlier step, for the Local CAs.
32. Next configure your FortiGate to use the RADIUS server for remote authentication.
On the FortiGate GUI, go to User & Device > Authentication > RADIUS Server. Create
New and chose a name and enter the IP address of your FortiAuthenticator (10.0.1.253)
and the shared secret, configured earlier. Select Ok.
33. Edit the RADIUS server object again and test your authentication settings by selecting
Test and entering the username and password of the user configured earlier.
13

 Lab 1: FortiGate Wireless Configuration using a FortiAP Device

If configured correctly the user authentication will be successful, if not go back and check
the user and the RADIUS client and server settings configured earlier.
34. Next configure your SSID to use RADIUS Server authentication with the WPA/WPA2Enterprise security mode.
On the FortiGate GUI, go to WiFi Controller > WiFi Network > SSID. Edit your SSID and
change authentication in the WiFi settings to use WPA/WPA2-Enterprise and RADIUS
Server and choose the server object configured previously.
35. On your mobile device connect again to your SSID. You will be required to enter the
username and password for your user, using the user configured in FortiAuthenticator.
You will be prompted to accept the certificate for the authentication server, which is the
FortiAuthenticator in this configuration.
Alternatively you may download the certificates to avoid warnings, the mobile device
needs to trust the CA configured therefore you will need to export the certificate and
import this to your mobile device.
From FortiAuthenticator, Certificate Management> Certificate Authorities > Local CAs,
select your certificate and export. Send or copy this certificate to you mobile device and
click on the certificate to install it.

Check the FortiAuthenticator logs for the 802.1X login event for your user, go to Log &
Report > Event Log > WiFi and look for a message with client-authentication action.
36. On the FortiGate, use the following commands to see the 802.1X messages in the
debug.
diag debug enable
diag wireless-controller wlac sta-filter MAC@ <level>
(Use diag wireless-controller wlac c sta to get the station MAC address.)

14

 Lab 1: FortiGate Wireless Configuration using a FortiAP Device

Lab 3: Custom AP Profiles

eObvcjti
This lab supports the learning objectives for module 4. You will create a custom AP profile to
replace the automatic profile and configure one radio to be a dedicated monitor for rogue AP
detection and the second radio for wireless clients. In addition you will setup the mesh SSID on
the 5GHz band and connect a second AP via the mesh interface.

Exercise 1 Configuring rogue AP detection

1

Go to WiFi Controller > WiFi Network > Custom AP Profile and create a new AP profile
with follow settings.
First select the correct platform, in this example we are using the FAP 220B.

Select Radio 1 and set mode Dedicated Monitor. Do not select Rogue AP On-Wire Scan
because we will not be able to test this feature with our lab setup.

Select Radio 2 and set mode Access Point and use default Band and choose a channel
to use. Enable Auto TX Power Control with high 17 dBm and low 10 dBm. Enable your
SSID from the list of available SSIDs.

Click OK.
37. Next you need to apply your custom AP profile to your managed AP. Go to WiFi
Controller > Managed Access Points > Managed FortiAP and select your device and
select edit.
In the wireless settings change the AP profile from automatic to your new profile and
select apply and ok to save your changes. This change will cause the access point
daemon on the AP to restart.
38. From the managed AP list check that one radio is announcing your SSID and the other is
monitoring. You may change the Display By setting to radio.
39. Go to WiFi Controller > WiFi Network > Rogue AP Settings and enable Rogue AP
Detection, and on-wire detection, to enable this feature on the wireless controller.
40. Go to WiFi Controller > Monitor > Rogue AP Monitor. You should now see list of detected
wireless networks.
Working in pairs, one student attempts to connect to their network and send data while
the other suppresses the network. To suppress an SSID from the monitor list, first select
15

 Lab 1: FortiGate Wireless Configuration using a FortiAP Device

and mark as rogue, and then select and suppress AP. While this is enabled you will send
de-authentication packets to your neighbor.

You neighbor should try connecting to their SSID while you run the suppress SSID action.
41. Look for Rogue AP messages in the WiFi event log messages.
42. When the test is completed, disable Suppress AP and change roles so that you both test
the Suppress AP feature.
43. At the end of the lab disable the Suppress AP feature and go to WiFi Controller > WiFi
Network > Rogue AP Settings and disable Rogue AP Detection.

Exercise 2:
Setting up Full Mesh Wireless
on FortiGate Unit Using Two
FortiAP Units
1

Configure the mesh SSID, go to WiFi Controller > WiFi Network > SSID. Edit the default
mesh SSID fmesh.root and change the SSID from the default to something unique. Note
that the traffic mode is set to mesh downlink. Enter a new pre-shared key.

Go to WiFi Controller > WiFi Network > Custom AP Profile and create a new AP profile, or
edit the profile created earlier, and enter the follow settings:

Select the correct platform, in this example we are using the FAP 220B.

Select Radio 1 (5GHz) and set mode Access Point and use default Band and Channel
settings. Enable the mesh SSID only.

Select Radio 2 and set mode Access Point and use default Band and choose a channel
to use. Enable Auto TX Power Control with high 17 dBm and low 10 dBm. Enable your
SSID from the list of available SSIDs.

Click OK.
44. If this is a new profile you will need to apply this to your custom AP profile in your
managed AP.
Go to WiFi Controller > Managed Access Points > Managed FortiAP and select your
device and select edit.
16

 Lab 1: FortiGate Wireless Configuration using a FortiAP Device

In the wireless settings change the AP profile from automatic to your new profile and
select apply and ok to save your changes. This change will cause the access point
daemons on the AP to restart.
45. Start your second AP.
You may need to work in pairs for this lab, in that case one student de-authorizes their AP
and the other student authorizes this second AP in their managed APs.

The second AP will use the automatic profile which is fine for this lab. The second AP
should be using different channels so not to interfere with the other AP.
46. Configure the second AP to use the Ethernet with mesh backup support uplink option.
From the FortiAP GUI, go to Connectivity and select mesh and enter the mesh SSID and
pre-shared key. This change will cause the access point daemon on the AP to restart.
47. In order to perform this lab the second AP must be powered using an AC adaptor and not
PoE. When you reach this point connect the AC power on the second AP and unplug the
Ethernet cable.
You should observe that the second AP connects as a leaf device. Note it will take a few
minutes for the second AP to be displayed as a leaf AP and for the state icon to become
green.
48. You have now created the full mesh. If you would like to test that clients on the leaf AP
can reach the wireless controller, modify the AP profile associated with your root AP and
remove your wireless client SSID so that it is only being announced on the leaf AP.
49. Using the wireless controller debug of the FortiGate, try the following commands.
Use the following command to see the status of the FortiAPs:
diagnose wireless-controller wlac -c wtp

Use the following command to list the configured wireless LANs:

diagnose wireless-controller wlac -c wlan

Use the following command to list the connected wireless stations:

diagnose wireless-controller wlac -d sta.

17