• Master keys are the seeding material used to create the final dynamic keys
• The final keys are known as the Pairwise Transient Key (PTK) and the Group Temporal Key (GTK)
» PTK is used to encrypt/decrypt unicast traffic
» GTK is used to encrypt/decrypt broadcast and multicast traffic
• These final keys are created during a four-way EAP frame exchange that is known as the 4-Way Handshake
» Always the final four frames exchanged during either 802.1X/EAP authentication or PSK authentication
» Every time a client radio roams from one AP to another, a new 4-Way Handshake occurs.
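The bullets above describe the key hierarchy (master key as seed, PTK derived per association) without showing the arithmetic. The following is an added example, not code from the original training material or from Fortinet: it derives a WPA2-Personal PMK, expands it into a PTK with the station and AP MAC addresses plus the two handshake nonces, and replays messages 1 and 2 of the 4-Way Handshake to show why the PMK never has to cross the air. The MAC addresses, nonces and EAPOL frame body are constructed stand-ins; the PMK test inputs ("password"/"IEEE") are the published IEEE 802.11i Annex vector.

```python
import hashlib
import hmac
import os


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal master key: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    With 802.1X/EAP the PMK is produced by the EAP method instead (not modelled here)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, out_len: int) -> bytes:
    """IEEE 802.11 PRF-n built from HMAC-SHA1: concatenate HMAC(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < out_len:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:out_len]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               ptk_len: int = 48) -> bytes:
    """PTK = PRF(PMK, "Pairwise key expansion", min(AA,SPA) || max(AA,SPA) || min(nonces) || max(nonces)).
    AA/SPA are the AP and station MAC addresses; min/max ordering lets both sides build the same input.
    48 bytes is the CCMP (AES) size: KCK 16 | KEK 16 | TK 16. Fresh nonces on every
    (re)association are why a roam produces a new PTK even when the PMK is cached."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, ptk_len)


def split_ptk(ptk: bytes) -> dict:
    """KCK signs the handshake frames, KEK wraps the GTK in message 3, TK encrypts unicast data."""
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 key MIC (descriptor version 2): HMAC-SHA1 over the EAPOL-Key frame, truncated to 16 bytes.
    The frame is signed with its MIC field zeroed; the caller passes it in that form."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def simulate_handshake(pmk_ap: bytes, pmk_sta: bytes, aa: bytes, spa: bytes,
                       anonce: bytes, snonce: bytes) -> dict:
    """Messages 1 and 2 of the 4-Way Handshake, with each side deriving the PTK on its own.
    Only the nonces travel in clear. The AP learns the station holds the same PMK because
    the MIC on message 2 verifies under the AP's independently derived KCK."""
    # Message 1: AP -> STA carries ANonce (unsigned; the STA has no PTK yet).
    sta_ptk = derive_ptk(pmk_sta, aa, spa, anonce, snonce)
    # Message 2: STA -> AP carries SNonce plus a MIC made with the station's KCK.
    # Constructed stand-in for the EAPOL-Key frame body with the MIC field zeroed.
    msg2_body = b"EAPOL-Key msg2" + snonce + b"\x00" * 16
    msg2_mic = eapol_mic(split_ptk(sta_ptk)["KCK"], msg2_body)
    # The AP derives its own PTK from the same public inputs and checks the MIC.
    ap_ptk = derive_ptk(pmk_ap, aa, spa, anonce, snonce)
    mic_ok = hmac.compare_digest(eapol_mic(split_ptk(ap_ptk)["KCK"], msg2_body), msg2_mic)
    return {"keys_match": ap_ptk == sta_ptk, "mic_ok": mic_ok}


if __name__ == "__main__":
    # Constructed sample values: MAC addresses and nonces are illustrative only.
    pmk = derive_pmk("password", "IEEE")
    aa, spa = bytes.fromhex("a0a1a2a3a4a5"), bytes.fromhex("b0b1b2b3b4b5")
    anonce, snonce = os.urandom(32), os.urandom(32)
    print("PMK:", pmk.hex())
    print(simulate_handshake(pmk, pmk, aa, spa, anonce, snonce))
    print(simulate_handshake(pmk, derive_pmk("other", "IEEE"), aa, spa, anonce, snonce))
```

The second `simulate_handshake` call shows the failure mode the AP is checking for: a station with a different master key derives a different KCK, so its message 2 MIC does not verify and the association never reaches message 3, where the GTK would be delivered.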
Fast Roaming
• Users in a multi-AP network, especially with mobile devices, can move from one AP coverage area to another.
» But the process of re-authentication can often take seconds to complete, and this can impair wireless voice traffic and time-sensitive applications.
» It can take longer if the user authenticates against an external server.
• The FortiAP fast roaming feature solves this problem and is available only when moving between FortiAP units managed by the same Wireless Controller.
» Currently supports only Layer 2 roaming
• Users moving between APs must authenticate to each AP
» Delays can impair wireless voice traffic or time-sensitive applications
• Pairwise Master Key (PMK) caching
» Wireless controller caches a negotiated master key
• Should the user roam away from that AP and back again, the client will not have to re-authenticate
• Users can also pre-authenticate to the next AP that the client may roam to
» PMK is derived in advance of the user movement and is cached
• Fast roaming is only available to FortiAP devices connected to the same FortiGate wireless controller.
Fast Roaming
• For the client station, the trigger to roam is a set of proprietary rules determined by the manufacturer of the wireless card, usually defined by received signal strength indicator (RSSI) thresholds
• The client station:
» Moves away from the original access point with which it is associated as the
signal drops below a predetermined threshold
» Will attempt to connect to a new target access point that has a stronger signal
» Sends a frame, called the re-association request frame, to start the roaming procedure
• As the client station roams, the original access point and the target access point should communicate with each other across the Distribution System (wired)
• The AP-to-AP handoff communications involve two primary tasks:
» The target AP informs the original AP that the client station is roaming
» The target AP requests the client’s buffered packets from the original AP.
802.1x
• Standard protocol for authenticating user prior to granting access to L2 media
• Utilizes EAP (Extensible Authentication Protocol)
» Evolved from PPP, used for wired network authentication - unencrypted
» Several types of “Wireless” EAP
• Cisco LEAP
• EAP-TLS
• PEAP
• EAP-TTLS
• EAP-SIM
» These sub-types intended for use on untrusted networks such as wireless
• In Local Authentication or Local EAP the FortiGate is both the Authenticator and the Authentication Server. Only valid for PEAP
» Create a local user and create a group that contains that user
• Wireless users are required to submit a username and password when using WPA/WPA2 Enterprise authentication.
Alert message from Wireless users
• By default, Windows 7 has "Validate server certificate" enabled.
• Wireless users will receive a warning message during server certificate validation. They can Terminate or Connect.
• If you want to enforce server certificate validation but prevent any warning message due to server certificate validation failing, you need to import the Authentication Server Certificate in the client
» When using Local Groups, import the FortiGate default WiFi CA certificate into your client.
The Fortinet_Wifi certificate is embedded in the firmware and is same on every FortiGate unit. Download the .cer file to your drive. It is CA signed.
• Display a web page containing acceptable use policy or other information. This is called a captive portal.
• No matter what URL the user initially requested, the portal page is returned.
• Only after authenticating and agreeing to usage terms, can the user access other web or any other resources.
• A guest user is also an authenticated user but the account has expiration time
• The user account can be created by a regular admin or by a specific purpose-defined account that can only create guest users
• That account has limited portal access only designed for a receptionist to assign temporary / guest user accounts and email/SMS/print logon credentials
• Guest access applies to both wired and wireless users
1. Need to create User Group type guest
2. Need to create admin user for guest management
» Admin may create guest accounts under User > User Group > Guest
• Distribute guest credentials by printing, email or SMS
• Captive portal needs to be set for the interface users connect from
» This affects all traffic, therefore no traffic will pass without a valid account for the captive portal
• diag test user list
» Current list of guest accounts
• It is possible to extend guest access and create a self-provisioning portal by adding FortiAuthenticator to the solution.
• Wireless client user authentication can be re-used in an identity firewall policy
» Wireless WPA and WPA2 Enterprise
• This allows users who connect to the same SSID but reside in different authentication groups to have different security policies.
Single Sign-on For Wireless Users
• Example, when an SSID uses WPA/WPA2-Enterprise Authentication the user login can be reused in an identity policy
• FortiAuthenticator can be an Authentication Server for EAP; it can also be used in the wireless solution for a user self-service portal, which is presented in the following use case.
• User Self Registration is different to Receptionist registration
» The receptionist already has network access, and the guest and receptionist can be on different networks. In this situation wireless captive portal is suitable.
» With self-registration, the FAC registration portal must be accessible for the user to self-register. Wireless Captive portal is therefore not suitable, as users need to log on before they can access the network to self-register (catch-22). Open Wireless with Identity Based Policy is therefore required.
» Configure the AP as Open Access (CLI, or via GUI if the display option is checked; FOS 5.0 only)
config wireless-controller vap
    edit <SSID Name>
        set security open
    next
end
User Self-Registration
• FortiGate Captive Portal
User accepts T&Cs and can enter the newly created credentials to gain access to the network
On connection to Captive Portal configured AP, the user is notified additional authentication is needed
Create an Identity Based Policy authenticating against the FortiAuthenticator RADIUS
Customize the authentication Message to include a link to the FAC
User Self-Registration
• Create a more explicit rule above the catch all identity based policy allowing traffic to the FortiAuthenticator.
• There is also the option to create a walled garden here to allow unauthenticated users access, e.g. a hotel information web site.
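The captive portal bullets earlier (every requested URL is answered with the portal page until the user authenticates, guest accounts expire), the identity-based policy bullets (one SSID, different policies per group) and the two bullets above about rule ordering and the walled garden all describe a first-match policy table. The following is an added example, not code from the original material or a FortiGate implementation: a small policy evaluator that models those rules so the ordering point can be checked. The host names, group names, account names and the portal URL are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# Constructed placeholder for the captive portal location; not a real host.
PORTAL_URL = "https://portal.example.invalid/login"


@dataclass
class Session:
    """An authenticated user as the identity policy sees it (WPA-Enterprise login or portal login)."""
    user: str
    group: str                          # e.g. "employees" or the guest User Group
    expires: Optional[datetime] = None  # guest accounts carry an expiry; staff accounts do not


@dataclass
class Rule:
    name: str
    destinations: Set[str]              # destination hosts; "*" matches any
    groups: Optional[Set[str]]          # None = no identity required (walled garden rule)
    action: str                         # "accept" or "deny"


def is_valid(session: Optional[Session], now: datetime) -> bool:
    """An expired guest account counts as not authenticated at all."""
    if session is None:
        return False
    return session.expires is None or now < session.expires


def evaluate(rules: List[Rule], session: Optional[Session], dst: str, now: datetime) -> Tuple[str, str]:
    """First-match evaluation, top to bottom, the way a policy table is read.
    Returns (verdict, name of the rule that decided). An unauthenticated client that
    reaches an identity rule is sent to the captive portal, whatever it asked for."""
    for rule in rules:
        if "*" not in rule.destinations and dst not in rule.destinations:
            continue
        if rule.groups is None:                       # walled garden: no login needed
            return rule.action, rule.name
        if not is_valid(session, now):                # identity required, none present
            return "redirect:" + PORTAL_URL, rule.name
        if session.group in rule.groups:              # authenticated and in a matching group
            return rule.action, rule.name
        # authenticated but in another group: fall through to the next rule
    return "deny", "implicit-deny"


# Constructed example policy: the explicit walled-garden rule for the FortiAuthenticator
# self-registration portal sits ABOVE the catch-all identity rules.
FAC_HOST = "fac.example.invalid"   # placeholder name for the FortiAuthenticator
POLICY = [
    Rule("allow-fac-self-registration", {FAC_HOST}, None, "accept"),
    Rule("employees-full-access", {"*"}, {"employees"}, "accept"),
    Rule("guests-web-only", {"www.example.invalid"}, {"guests"}, "accept"),
]


def demo() -> dict:
    """Runs the policy against a few constructed clients, including the wrong rule order."""
    now = datetime(2024, 1, 1, 9, 0)
    guest = Session("guest-0001", "guests", expires=now + timedelta(hours=8))
    expired = Session("guest-0002", "guests", expires=now - timedelta(minutes=1))
    staff = Session("alice", "employees")
    return {
        "unauth_to_fac": evaluate(POLICY, None, FAC_HOST, now),
        "unauth_to_web": evaluate(POLICY, None, "www.example.invalid", now),
        "guest_to_web": evaluate(POLICY, guest, "www.example.invalid", now),
        "guest_to_intranet": evaluate(POLICY, guest, "intranet.example.invalid", now),
        "expired_guest": evaluate(POLICY, expired, "www.example.invalid", now),
        "staff_to_intranet": evaluate(POLICY, staff, "intranet.example.invalid", now),
        # Same rules with the walled-garden rule moved below the catch-all: the catch-22.
        "wrong_order_unauth_to_fac": evaluate(POLICY[1:] + POLICY[:1], None, FAC_HOST, now),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:28s} -> {verdict}")
```

The last case is the one worth checking on a real deployment: with the catch-all identity rule on top, an unregistered user bound for the self-registration portal is redirected to the captive portal instead, which is exactly the loop the open-SSID-plus-identity-policy design is meant to break.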