FortiAP™ Wireless Starter Kit

Wireless Starter Kit Guide
for FortiOS 4.0 MR2
23 February 2011
01-420-139115-20110223
© Copyright 2011 Fortinet, Inc. All rights reserved. No part of this publication including text, examples,
diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of
Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient,
FortiGate®, FortiGate Unified Threat Management System, FortiGuard®, FortiGuard-Antispam,
FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager,
Fortinet®, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and
FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual
companies and products mentioned herein may be the trademarks of their respective owners.
Contents
FortiAP™ Wireless Starter Kit
    FortiAP unit overview
        Features
        Rear panel
        Front panel
        Power options
    FortiGate wireless controller
    Connecting the hardware
    Checking the firmware
        Obtaining and installing the FortiGate firmware
        Obtaining and installing the FortiAP firmware
    Installing the Starter Kit configuration
        Obtaining the configuration file
    Demonstrating authentication
        Discovering and enabling the FortiAP units
        Confirming that the wireless access points are activated
        Viewing the profile-based configuration
        Checking wireless signals
        Captive portal demonstration
        WPA shared key demonstration
        WPA/WPA2-Enterprise demonstration
            WPA Client Setup
            WPA/WPA2-Enterprise with external database demonstration
            WPA/WPA2-Enterprise with local database demonstration
    Monitoring traffic
    Rogue AP scanning
Wireless Starter Kit Guide
01-420-139115-20110223
http://docs.fortinet.com/ • Feedback
FortiAP™ Wireless Starter Kit
The purpose of the Wireless Starter Kit is to provide a very cost-effective and simplified
way to showcase the capability of FortiAP wireless access points. This document
introduces the FortiAP unit and the FortiOS wireless controller feature as demonstrated in
the Starter Kit.
FortiOS is the operating system of FortiGate and FortiWiFi units.
FortiAP unit overview
A FortiAP unit, of which there are several models, is a compact wireless access point
device. Indoor units can be wall-mounted or ceiling-mounted. An optional ceiling tile rail
mount is available. It is also acceptable to place the unit on a desktop or shelf. There is
also an outdoor model available.
The FortiAP unit contains the radio equipment required for a wireless access point. It must
be controlled by a FortiGate or FortiWiFi unit.
Features
• Most models have dual radios for simultaneous 802.11a/n & 802.11b/g/n operation.
  FortiAP-210B is a single-radio model.
• Four high-gain dual band (2.4GHz, 5GHz) omni-directional antennas. Single radio
  models have two antennas. Indoor models have internal antennas.
• 2x2 MIMO configuration using the latest signal processing technology. 600Mbps total
  throughput for dual-radio units, 300Mbps for single-radio units.
• 14 SSIDs for client access (7 for single radio models).
• 2 SSIDs for dedicated monitoring (1 for single radio models).
• Firmware upgradable through the wireless controller.
Rear panel
All connections to the FortiAP unit are made on the rear panel.
In typical use as a wireless access point, only Port 0 is used. An Ethernet cable connects
Port 0 to a port on the FortiGate unit. The Power jack is connected to the power supply
provided with the FortiAP unit. Optionally, you can use a power-over-Ethernet (POE)
adaptor to avoid the need for a power outlet near the FortiAP unit. In that case, the power
output of the POE adaptor connects to the Power jack.
Front panel
The front panel contains indicators that show the status of the unit.
Port 1, 2, 3, 4: Green indicates a connection to the corresponding port on the rear panel.
Wireless: Flashing indicates wireless network running.
Port 0: Green indicates a network connection to Port 0 on the rear panel.
    Port 0 connects to the FortiGate unit that acts as the wireless controller.
Power: Flashing indicates that power is connected but the unit is not managed.
    Lit steadily indicates that the unit has power and is managed.
Power options
The FortiAP unit requires 12 volts, and a power supply with universal 100-240 volt input is
provided. If power is not conveniently available at the mounting location, it is possible to
use a power-over-Ethernet (POE) adaptor to feed 12 volt power to the device through the
Ethernet cable. POE adaptors have two components: one to combine power and Ethernet
and the other to separate them again. The wiring looks like this:
FortiAP units have been tested with the LinkSys WAPPOE12 adaptor. Use the power
supply provided with the FortiAP, rather than the power supply provided with the POE unit.
FortiOS wireless controller
The FortiOS wireless controller feature enables FortiGate and FortiWiFi units to manage
FortiAP units. The wireless controller configuration is composed of three types of objects:
Virtual AP — defines the security settings for your wireless network. This is similar to the
wlan interface settings on a FortiWiFi unit and it creates a virtual network interface.
AP Profile — defines the radio settings, such as band (802.11g for example) and channel
selection. It also selects the Virtual APs to which the settings apply. Any change to the AP
Profile affects all APs assigned to that profile.
Physical AP — represents the FortiAP units that the wireless controller has discovered.
There is one physical access point definition for each FortiAP unit. The Physical AP
configuration selects the AP Profile that applies to that FortiAP unit.
Connecting the hardware
Connect all of the hardware as described below.
To connect the FortiAP unit to the wireless controller
1 Connect Port 0 of one FortiAP unit to one of the Internal ports on the FortiGate unit.
2 Connect Port 0 of the other FortiAP unit to the DMZ port on the FortiGate unit.
1 After mounting the FortiAP unit, connect the Ethernet cable to Port 0 and connect the
power supply to the Power jack.
2 Connect the WAN1 port of the FortiGate unit to the Internet.
3 At each FortiAP unit, connect the power supply (or the power cable of the POE unit) to
the Power jack.
4 Connect the power supply to the FortiGate unit.
The FortiGate supply is rated at 3A. The FortiAP supplies are 1.5A.
Checking the firmware
You need to verify that the units have the appropriate firmware installed. If the firmware is
not correct, you can download and install appropriate firmware.
To verify the FortiGate unit firmware
1 Connect a computer to one of the Internal ports.
2 Use a browser to connect to http://172.16.1.1.
3 Log in with user name “Admin” and password “fortinet”.
4 Go to System > Dashboard > Status and check the Firmware version in System
Information.
If the build number is not 6390, see “Obtaining and installing the FortiGate firmware”,
next.
To verify the FortiAP unit firmware
1 On the FortiGate unit, go to Wireless Controller > Configuration > Access Points.
2 The FortiAP units should be listed. If necessary, select Refresh.
3 If the Version column does not show build 112, see “Obtaining and installing the
FortiAP firmware” on page 10.
Obtaining and installing the FortiGate firmware
In FortiOS 4.0 MR2, only build 6390 supports wireless controller functionality. If your
FortiGate does not already have this firmware loaded, you need to download build 6390
from the Customer Support web site.
To get the wireless controller firmware for your FortiGate unit
1 Log on to the Support web site at https://support.fortinet.com/.
2 Go to Download > Firmware Images.
3 Select FortiAP > v4.00 > 4.0MR2 > MR2_Patch_2 > Wireless_controller.
4 Download the firmware build for your FortiGate model.
To install the firmware on the FortiGate unit
1 Log in to the FortiGate unit with user name “Admin” and password “fortinet”.
See “To verify the FortiGate unit firmware” on page 9 or see the unit’s QuickStart Guide
for more information.
2 Go to System > Maintenance > Firmware and select Upgrade.
3 Select Browse, find the firmware that you downloaded and then select OK.
Obtaining and installing the FortiAP firmware
The configuration of the Starter Kit is based on FortiAP firmware version 112. If this is not
the installed version on the FortiAP units, you need to download and install build 112.
To get FortiAP firmware
1 Log on to the Support website at https://support.fortinet.com/.
2 Go to Download > Firmware Images.
3 Select FortiAP > v4.00 > 4.0MR2 > MR2_Patch_2.
4 Download the file that corresponds to your model.
The Starter Kit contains FortiAP-220A units; FAP_22A_v4.2.0_b0112 is the correct file.
5 Copy the file to a TFTP server accessible from your FortiGate unit.
To install the firmware on the FortiAP units
1 Log in to the FortiGate unit with user name “Admin” and password “fortinet”.
See “To verify the FortiGate unit firmware” on page 9 or see the unit’s QuickStart Guide
for more information.
2 Go to System > Dashboard > Status and enter the following command in the
CLI Console (substitute your TFTP server IP address for x.x.x.x):
    execute wireless-controller upload-wtp-image tftp FAP_22A_v4.2.0_b0112 x.x.x.x
3 After the upload completes, go to Wireless Controller > Configuration > Access Points,
select the FortiAP units and then select Reset All.
4 After the reset completes, check that the Version column shows build 112.
Installing the Starter Kit configuration
The Starter Kit includes a configuration file which simplifies entering the correct
configuration settings into your FortiGate unit.
Obtaining the configuration file
The Customer Support site has a configuration file for a FortiGate-80CM with two
FortiAP-220A units. The configuration file can be modified for other FortiGate models.
To download a configuration file
1 Log on to the Support web site at https://support.fortinet.com/.
2 Go to Download > Firmware Images.
3 Select FortiAP > StarterKit.
4 Download StarterKit/Starter_Kit_FG-80CM_4.0MR2Patch1_20100916.zip.
5 Expand the .zip file to obtain the configuration file FG-80-Starter_Kit_20100907.conf.
The configuration file is intended for a FortiGate model 80CM. If you want to use this
configuration with a different model, make the following changes to the file with a text
editor:
• Edit the first 3 lines to match your FortiGate platform.
• Change the interface names to match your FortiGate model.
The FortiGate unit must use build 6390 firmware with this configuration.
To install the configuration on the FortiGate unit
1 Log in to the FortiGate unit with user name “Admin” and password “fortinet”.
See “To verify the FortiGate unit firmware” on page 9 or see the unit’s QuickStart Guide
for more information.
2 Go to System > Status.
3 In System Information, on the System Configuration line, select Restore.
4 Select Browse, find the configuration file that you downloaded, and select Restore.
The FortiGate unit will restart.
Demonstrating authentication
The FortiGate unit is configured to use DHCP to obtain an IP address for the WAN1
interface. Go to Network > Interface and verify that the WAN1 interface has obtained an IP
address.
Discovering and enabling the FortiAP units
This step shows that the FortiGate unit has discovered the FortiAP units. You then enable
them so that the Wireless Controller will manage these access points.
1 On the FortiGate or FortiWiFi unit, go to Wireless Controller > Configuration > Access
Points and verify that the two FortiAP units are listed.
2 Select each FortiAP unit and change its status from Discovered to Enabled.
3 In AP Profile, select Demo-profile and then select OK.
Confirming that the wireless access points are activated
Check each FortiAP unit to see that the Power, Port 0, and Wireless LEDs are all lit green.
This can take up to five minutes after the APs are enabled. On the FortiGate unit, go to
Wireless Controller > Configuration > Access Points and check that the Status of both APs
is Connected.
Viewing the profile-based configuration
Go to Wireless Controller > Configuration > AP Profile and select the Demo-profile.
Note the selection of Platform (Access Point) type, Band, and Channels. These will all apply
to the Virtual APs that you select.
Checking wireless signals
With a WiFi-equipped computer, check the available wireless networks. You should see
the following SSIDs listed:
• FAP-Guest
• FAP-Contractor
• FAP-Faculty
• FAP-Student
• FAP-VLAN10
Each of these SSIDs is configured differently to demonstrate the features and security
capabilities of the FortiOS wireless controller. The following table shows the configurations
with key differences emphasized.
Table 1: Wireless SSID configurations for Demo

                  FAP-Guest        FAP-Contractor   FAP-Faculty       FAP-Student   FAP-VLAN10
IP                172.16.1.x       172.16.2.x       172.16.3.x        172.16.4.x    172.16.10.x
Auth              Captive Portal   WPA2-PSK         WPA2-RADIUS       WPA2-PSK      WPA2-PSK
Auth Database     Local User       Shared key       External RADIUS   Local User    Shared key
VLAN tag          N/A              N/A              N/A               N/A           DMZ-VLAN10
Policy            WAN only         Everywhere       Everywhere        Everywhere    DMZ-VLAN
UTM               IPS              IPS              IPS               IPS           IPS
DHCP              Server           Server           Server            Server        Relay DMZ port
WAN port Routed   NAT              NAT              NAT               NAT           N/A

Captive portal demonstration
On your computer, connect to FAP-Guest. Once connected, open a browser and try to
connect to a website. You will be redirected to the captive portal page:
Log in using user name “guest1” and password “guest1”. You should be redirected to the
website that you wanted to view.
WPA shared key demonstration
On your computer, select the FAP-Contractor SSID. Enter the shared key “fortinet”. Check
that you have received an IP address in the 10.16.x.x range. Browse to a web site to
confirm your connectivity.
Note: If WPA authentication is not visible as an authentication option, either the NIC driver
is outdated or your operating system needs to be updated.
WPA/WPA2-Enterprise demonstration
WPA-Enterprise is more secure than shared key WPA-Personal authentication because
users each have their own credentials. When implemented on a FortiGate unit,
WPA-Enterprise authentication can use either an external authentication server or its own
local user authentication database.
WPA Client Setup
Your WPA-Enterprise client must be configured for PEAP authentication, which includes
validation of the server’s certificate. The following illustration shows how to do this in
Windows.
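The guide illustrates this setting for Windows. The following added example (not part of the original guide or of any Fortinet tool) goes beyond it to Linux clients: it audits a wpa_supplicant configuration for PEAP networks that do not validate the server certificate. The sample file, certificate path, server name and passwords are constructed assumptions.

```python
# Keys that tie the certificate to an expected server name (wpa_supplicant options).
NAME_PINS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

def parse_networks(text):
    """Return one dict of key -> value for each network={ ... } block."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks

def audit_peap(text):
    """Map each PEAP network's SSID to a list of certificate-validation findings."""
    findings = {}
    for net in parse_networks(text):
        if "PEAP" not in net.get("eap", "").upper().split():
            continue  # not a PEAP network (for example WPA-PSK)
        issues = []
        if not net.get("ca_cert"):
            issues.append("no ca_cert: server certificate is not validated")
        elif not any(net.get(k) for k in NAME_PINS):
            issues.append("ca_cert set but server name not pinned")
        findings[net.get("ssid", "?")] = issues
    return findings

# Constructed sample configuration using the SSIDs from this guide.
SAMPLE = '''
network={
    ssid="FAP-Faculty"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="Employee1"
    password="constructed-placeholder"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="FAP-Student"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student1"
    password="constructed-placeholder"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.com"
}
'''

if __name__ == "__main__":
    for ssid, issues in audit_peap(SAMPLE).items():
        print(ssid, "->", issues or "server certificate validation configured")
```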
WPA/WPA2-Enterprise with external database demonstration
On your computer, select the FAP-Faculty SSID. When prompted for login credentials,
enter “Employee1” as the user name and “Employee1” as the password. Check that you
have received an IP address in the 10.16.x.x range. Browse to a web site to confirm your
connectivity.
WPA/WPA2-Enterprise with local database demonstration
On your computer, select the FAP-Student SSID. When prompted for login credentials,
enter “student1” as the user name and “student1” as the password. Check that you have
received an IP address in the 10.16.x.x range. Browse to a web site to confirm your
connectivity.
Monitoring traffic
Go to Dashboard > Traffic History to monitor the amount of traffic on each wireless
network (SSID).
Rogue AP scanning
Go to Wireless Controller > Monitor > Rogue AP to view the other access points available
at your location. Some of these APs belong to your neighbors, but others may be
unauthorized APs connected to your wired network.
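One way to triage such a list, as an added example that is not part of the original guide or of FortiOS: it separates managed radios, unmanaged radios advertising one of the Starter Kit SSIDs, APs that look attached to the wired network, and neighbors. The scan records, MAC addresses and the MAC-adjacency heuristic are assumptions made for illustration.

```python
from dataclasses import dataclass

# SSIDs broadcast by the Starter Kit configuration (listed in this guide).
OUR_SSIDS = {"FAP-Guest", "FAP-Contractor", "FAP-Faculty", "FAP-Student", "FAP-VLAN10"}
PRIORITY = {"ssid-impersonation": 0, "on-wire-suspect": 1, "neighbor": 2, "managed": 3}

@dataclass(frozen=True)
class SeenAP:
    ssid: str
    bssid: str        # radio MAC address, e.g. "00:00:5e:00:53:10"
    signal_dbm: int

def mac_to_int(mac: str) -> int:
    """Normalise a MAC written with ':' or '-' separators to an integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)

def classify(ap, managed, wired, adjacency=2):
    bssid = mac_to_int(ap.bssid)
    if bssid in managed:
        return "managed"
    if ap.ssid in OUR_SSIDS:
        # One of our network names, advertised by a radio we do not manage.
        return "ssid-impersonation"
    # Assumption (heuristic): an AP's Ethernet MAC is often within a few
    # addresses of its radio MAC, so a near match against MACs learned on
    # the wired switches suggests the AP is plugged into our network.
    if any(abs(bssid - w) <= adjacency for w in wired):
        return "on-wire-suspect"
    return "neighbor"

def triage(scan, managed_bssids, wired_macs):
    """Return (label, ap) pairs, most urgent label first, strongest signal first."""
    managed = {mac_to_int(m) for m in managed_bssids}
    wired = {mac_to_int(m) for m in wired_macs}
    labelled = [(classify(ap, managed, wired), ap) for ap in scan]
    return sorted(labelled, key=lambda r: (PRIORITY[r[0]], -r[1].signal_dbm))

# Constructed sample data (documentation and locally administered MACs).
MANAGED = ["00:00:5e:00:53:10", "00:00:5e:00:53:20"]   # BSSIDs of the managed FortiAP radios
WIRED = ["00:00:5e:00:53:a0", "00:00:5e:00:53:b7"]     # MACs learned from the switch tables
SCAN = [
    SeenAP("FAP-Guest", "00:00:5e:00:53:10", -41),
    SeenAP("CoffeeShop", "02:00:00:cc:dd:02", -80),
    SeenAP("linksys", "00-00-5E-00-53-A1", -55),
    SeenAP("FAP-Faculty", "02:00:00:aa:bb:01", -63),
]

if __name__ == "__main__":
    for label, ap in triage(SCAN, MANAGED, WIRED):
        print(f"{label:20} {ap.ssid:12} {ap.bssid} {ap.signal_dbm} dBm")
```

The managed list must contain the BSSID of every SSID on every FortiAP radio, otherwise the kit's own networks are reported as impersonation.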