2012 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or distributed to anyone without prior written consent of an authorized representative of Fortinet.
Objectives
Identify wireless authentication methods and describe WPA2 Enterprise authentication
Explain 802.1X and EAP standards and their usage in wireless networks
Identify the capabilities of wireless Single Sign-On (SSO)
Describe the usage and configuration of the captive portal
Describe the guest access capability
Introduce FortiAuthenticator usage in the wireless solution
Perform a configuration of enterprise authentication using 802.1X in the hands-on lab
01-05002-RevA-0203-20130520
TKIP
Provides per-packet key mixing, a strong MIC (Message Integrity Check), an extended IV, and a re-keying mechanism
Based on RC4, so it only requires a software upgrade for most devices
Can use a Pre-Shared Key (PSK) like WEP, or dynamic keys through 802.1X
802.11i / Wi-Fi Protected Access 2.0
Robust Security, amendment to the original 802.11 standard
Specifies security mechanisms for wireless networks (Wi-Fi)
Major 802.11i components include:
802.1X for authentication
RSN (or WPA2) for keeping track of associations
AES-based CCMP encryption
4-way authentication handshake
http://en.wikipedia.org/wiki/IEEE_802.11i2004
RSNAs utilize a dynamic encryption-key management method that involves the creation of five separate keys. Two master keys are known as the Group Master Key (GMK) and the Pairwise Master Key (PMK).
The PMK is created as a result of 802.1X/EAP authentication. A PMK can also be created from PSK authentication instead of 802.1X/EAP authentication.
4-way Handshake
Master keys are the seeding material used to create the final dynamic keys. The final keys are known as the Pairwise Transient Key (PTK) and the Group Temporal Key (GTK).
The PTK is used to encrypt/decrypt unicast traffic; the GTK is used to encrypt/decrypt broadcast and multicast traffic.
These final keys are created during a four-way EAP frame exchange that is known as the 4-Way Handshake.
These are always the final four frames exchanged during either 802.1X/EAP authentication or PSK authentication. Every time a client radio roams from one AP to another, a new 4-Way Handshake occurs.
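The key hierarchy described in the last two slides, worked through in code. This is an added example, not Fortinet's or the course's code: it derives the PMK from a passphrase in PSK mode (using the IEEE 802.11i Annex H test vector "password" / "IEEE"), expands it into the PTK (KCK, KEK, TK) with the 802.11i PRF, and then computes and verifies the EAPOL-Key MIC that protects handshake messages 2 to 4. The MAC addresses, nonces and the EAPOL frame skeleton are constructed sample values; the point the handshake slides make is visible in the assertions: both sides reach the same PTK whichever role they hold, and a modified handshake frame fails its MIC check.

```python
import hashlib
import hmac

# All MAC addresses, nonces and the EAPOL frame used below are constructed sample values.
PTK_LABEL = b"Pairwise key expansion"
# EAPOL header (4) + descriptor type (1) + key info (2) + key length (2) + replay counter (8)
# + nonce (32) + IV (16) + RSC (8) + key ID (8) = 81 bytes precede the 16-byte MIC field
EAPOL_MIC_OFFSET = 81


def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    """PSK authentication: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Derive the 384-bit CCMP PTK and split it into KCK, KEK and TK.

    The min/max ordering of the two MAC addresses and the two nonces is what lets
    the AP and the station arrive at the same PTK regardless of which role they hold.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, PTK_LABEL, data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1-128 over the frame with the MIC field zeroed."""
    zeroed = frame[:EAPOL_MIC_OFFSET] + bytes(16) + frame[EAPOL_MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def sign_eapol(kck: bytes, frame: bytes) -> bytes:
    """Return the frame with its MIC field filled in (what a peer does for messages 2, 3 and 4)."""
    return frame[:EAPOL_MIC_OFFSET] + eapol_mic(kck, frame) + frame[EAPOL_MIC_OFFSET + 16:]


def verify_eapol_mic(kck: bytes, frame: bytes) -> bool:
    """Constant-time check of a received frame's MIC; a failure means a wrong PMK or a modified frame."""
    received = frame[EAPOL_MIC_OFFSET:EAPOL_MIC_OFFSET + 16]
    return hmac.compare_digest(eapol_mic(kck, frame), received)


def demo() -> dict:
    """Walk through PSK -> PMK -> PTK -> MIC with constructed addresses and nonces."""
    pmk = pmk_from_psk("password", "IEEE")          # IEEE 802.11i Annex H test vector
    aa = bytes.fromhex("001122334455")               # constructed AP (authenticator) MAC
    spa = bytes.fromhex("66778899aabb")              # constructed station (supplicant) MAC
    anonce = bytes(range(32))                        # constructed nonces (real ones are random)
    snonce = bytes(range(32, 64))
    ap_keys = derive_ptk(pmk, aa, spa, anonce, snonce)
    sta_keys = derive_ptk(pmk, spa, aa, snonce, anonce)   # same inputs, roles swapped
    # Constructed 99-byte EAPOL-Key frame skeleton: version 2, type 3 (EAPOL-Key), body length 95
    frame = bytes([2, 3, 0, 95]) + bytes(77) + bytes(16) + bytes(2)
    signed = sign_eapol(sta_keys["kck"], frame)
    tampered = signed[:10] + bytes([signed[10] ^ 0x01]) + signed[11:]   # flip a replay-counter byte
    return {
        "pmk_hex": pmk.hex(),
        "same_ptk": ap_keys == sta_keys,
        "mic_ok": verify_eapol_mic(ap_keys["kck"], signed),
        "tampered_ok": verify_eapol_mic(ap_keys["kck"], tampered),
    }


if __name__ == "__main__":
    print(demo())
```

In 802.1X/EAP mode the PMK comes out of the EAP method (delivered to the controller by the RADIUS server) instead of `pmk_from_psk`, but everything from `derive_ptk` onward is identical, which is why the slides say the 4-Way Handshake is always the last four frames of either authentication type.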
Fast Roaming
Users in a multi-AP network, especially with mobile devices, can move from one AP coverage area to another.
But the process of re-authentication can often take seconds to complete, and this can impair wireless voice traffic and time-sensitive applications. It can take longer if the user authenticates against an external server.
The FortiAP fast roaming feature solves this problem and is available only when moving between FortiAP units managed by the same Wireless Controller.
Currently supports only Layer 2 roaming.
Users can also pre-authenticate to the next AP that the client may roam to.
The PMK is derived in advance of the user's movement and is cached.
Fast roaming is only available to FortiAP devices connected to the same FortiGate wireless controller.
Fast Roaming
For the client station, the trigger to roam is a set of proprietary rules determined by the manufacturer of the wireless card, usually defined by received signal strength indicator (RSSI) thresholds. The client station:
Moves away from the original access point with which it is associated as the signal drops below a predetermined threshold
Will attempt to connect to a new target access point that has a stronger signal
Sends a frame, called the re-association request frame, to start the roaming procedure.
Fast Roaming
As the client station roams, the original access point and the target access point should communicate with each other across the Distribution System (wired). The AP-to-AP handoff communication involves two primary tasks:
The target AP informs the original AP that the client station is roaming
The target AP requests the client's buffered packets from the original AP.
802.1X
Standard protocol for authenticating a user prior to granting access to L2 media
Utilizes EAP (Extensible Authentication Protocol)
Evolved from PPP, used for wired network authentication (unencrypted)
Several types of wireless EAP:
Cisco LEAP, EAP-TLS, PEAP, EAP-TTLS, EAP-SIM
Three Components
1. Supplicant communicates with the authentication server through the authenticator
2. Authenticator reformats 802.1X to RADIUS and forwards to the Authentication Server
3. EAP exchange happens between supplicant and authentication server
4. On success, the server delivers EAP Success via a RADIUS message
5. Details are often hidden from the authenticator
6. The wireless controller is EAP agnostic
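Step 2 of the list above (the authenticator re-packaging the supplicant's EAP packet into RADIUS) and steps 3 and 5 (the EAP conversation passing through the authenticator opaquely), as an added example that is not code from the course or from Fortinet. It builds an EAP-Response/Identity packet as a supplicant would send it inside EAPOL, wraps it unchanged into RADIUS EAP-Message attributes in an Access-Request, and protects the request with the Message-Authenticator attribute (HMAC-MD5 keyed with the RADIUS shared secret, RFC 3579), which is the check a RADIUS server performs before it processes EAP so that a spoofed or altered request from the wired side is rejected. The shared secret, identity and request authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed values: the shared secret, identities and request authenticator below are samples.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
RADIUS_HEADER_LEN = 20
EAP_MESSAGE_CHUNK = 253   # RFC 3579: longer EAP packets are split over several EAP-Message attributes


def eap_response_identity(eap_id: int, identity: bytes) -> bytes:
    """EAP packet as the supplicant sends it inside EAPOL: Code | Id | Length | Type | Type-Data."""
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity), EAP_TYPE_IDENTITY) + identity


def radius_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type | Length (including the 2 header bytes) | Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(secret: bytes, radius_id: int, request_auth: bytes,
                         username: bytes, eap_packet: bytes) -> bytes:
    """What the authenticator (AP / wireless controller) does: wrap the EAP packet unchanged
    into RADIUS EAP-Message attributes and protect the packet with Message-Authenticator."""
    attrs = radius_attr(ATTR_USER_NAME, username)
    for i in range(0, len(eap_packet), EAP_MESSAGE_CHUNK):
        attrs += radius_attr(ATTR_EAP_MESSAGE, eap_packet[i:i + EAP_MESSAGE_CHUNK])
    attrs += radius_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # zero placeholder, last attribute
    packet = struct.pack("!BBH", ACCESS_REQUEST, radius_id, RADIUS_HEADER_LEN + len(attrs))
    packet += request_auth + attrs
    # HMAC-MD5 keyed with the shared secret over the whole packet with the MA value zeroed
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def iter_attrs(packet: bytes):
    """Yield (type, offset_of_value, value) for every attribute in a RADIUS packet."""
    pos = RADIUS_HEADER_LEN
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        yield attr_type, pos + 2, packet[pos + 2:pos + length]
        pos += length


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """What the RADIUS server checks before it looks at EAP at all."""
    for attr_type, off, value in iter_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off] + bytes(16) + packet[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False   # RFC 3579 requires the attribute on any request carrying EAP-Message


def extract_eap(packet: bytes) -> bytes:
    """Reassemble the EAP packet; the authenticator never needed to understand its contents."""
    return b"".join(v for t, _, v in iter_attrs(packet) if t == ATTR_EAP_MESSAGE)


def demo() -> dict:
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))   # constructed; a real authenticator uses 16 random bytes
    eap = eap_response_identity(1, b"alice@example.com")
    packet = build_access_request(secret, 7, request_auth, b"alice@example.com", eap)
    tampered = packet[:-20] + bytes([packet[-20] ^ 0x01]) + packet[-19:]   # alter a byte of the identity
    return {
        "valid": verify_message_authenticator(secret, packet),
        "wrong_secret": verify_message_authenticator(b"other-secret", packet),
        "tampered": verify_message_authenticator(secret, tampered),
        "eap_roundtrip": extract_eap(packet) == eap,
        "length_field": struct.unpack("!H", packet[2:4])[0] == len(packet),
    }


if __name__ == "__main__":
    print(demo())
```

Because the authenticator only copies bytes between EAPOL and EAP-Message, it does not matter to the controller which EAP method (PEAP, EAP-TLS, EAP-TTLS and so on) the supplicant and the server negotiate; that is what "EAP agnostic" means in the list above.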
No remote server
2. Create a User Group and add the created server as a remote server
You don't need to add users to the group; they come from RADIUS.
WPA/WPA2 Enterprise authentication - PEAP
Wireless users are required to submit a username and password when using WPA/WPA2 Enterprise authentication.
Alert message for wireless users
By default, Windows 7 has "validate server certificate" enabled, so the wireless user will receive a warning message during server certificate validation. The user can choose Terminate or Connect.
Click on Settings
The Fortinet_Wifi certificate is embedded in the firmware and is the same on every FortiGate unit. Download the .cer file to your drive. It is CA signed.
Import External RADIUS Cert - FortiAuthenticator
When using an external RADIUS server, import the certificate from the RADIUS server instead of from the FortiGate (FGT).
This is the CA certificate, which you can export and import into your system. You need to place it in the Trusted Root CAs store.
Captive Portal
Used to authenticate wireless users. Displays a web page containing an acceptable use policy or other information; this is called a captive portal. No matter what URL the user initially requested, the portal page is returned. Only after authenticating and agreeing to the usage terms can the user access other web or any other resources.
Captive Portal Security
There are several types of captive portal available:
Disclaimer
Authentication page
Email harvesting
Other
Captive Portal
Authentication Page
Captive Portal Multiple captive portal replacement messages allow customized login screens based on SSIDs
Authentication Page
Disclaimer Page
Guest Access and Receptionist Services
A guest user is also an authenticated user, but the account has an expiration time. The user account can be created by a regular admin or by a special-purpose account that can only create guest users. That account has limited portal access only, designed for a receptionist to assign temporary/guest user accounts and email/SMS/print logon credentials. Guest access applies to both wired and wireless users.
1. Need to create a User Group of type guest
2. Need to create an admin user for guest management
Admins may create guest accounts under User > User Group > Guest Management.
3. Fill in the information
Guest Access
Distribute guest credentials by printing, email or SMS. The captive portal needs to be set on the interface users connect from.
This affects all traffic; therefore no traffic will pass without a valid account for the captive portal.
It is possible to extend guest access and create a self-provisioning portal by adding FortiAuthenticator to the solution.
Single Sign-on For Wireless Users Wireless client user authentication can be re-used in an identity firewall policy
Wireless WPA and WPA2 Enterprise
This allows users who connect to the same SSID but reside in different authentication groups to have different security policies.
Single Sign-on For Wireless Users
For example, when an SSID uses WPA/WPA2-Enterprise authentication, the user login can be reused in an identity policy.
FortiAuthenticator
FortiAuthenticator can be an authentication server for EAP; it can also be used in the wireless solution for a user self-service portal, which is presented in the following use case.
On connection to a captive-portal-configured AP, the user is notified that additional authentication is needed.
User Self-Registration
User Self-Registration
Create a more explicit rule above the catch-all identity-based policy allowing traffic to the FortiAuthenticator. There is also the option to create a walled garden here to allow unauthenticated users access to, e.g., a hotel information web site.
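The behaviour the captive portal, guest access and walled garden slides describe, as a small model in code. This is an added example and not FortiGate's or FortiAuthenticator's implementation: it models the per-request decision the firewall makes for a wireless client (serve the portal page whatever URL was asked for, carrying the original URL along so the client can be sent back after login; let hosts in the walled garden and the portal itself through before login; let everything through once the client holds a valid session), and it enforces the guest account's expiry both at login and on every later request. The portal host, walled-garden host, MAC address and clock values are constructed samples.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from urllib.parse import quote, urlparse

# Constructed values: portal host, walled-garden hosts, MAC addresses and timestamps are samples.


@dataclass
class GuestAccount:
    username: str
    expires_at: datetime            # guest accounts always carry an expiry


@dataclass
class CaptivePortal:
    portal_host: str
    walled_garden: set = field(default_factory=set)   # hosts reachable before login
    sessions: dict = field(default_factory=dict)      # client MAC -> GuestAccount

    def login(self, mac: str, account: GuestAccount, now: datetime) -> bool:
        """A login with an already-expired guest account is refused outright."""
        if now >= account.expires_at:
            return False
        self.sessions[mac] = account
        return True

    def handle(self, mac: str, url: str, now: datetime) -> tuple:
        """Decide what happens to one HTTP request from a wireless client.

        Returns ("allow", url) or ("redirect", portal_url). Whatever URL was requested,
        an unauthenticated client gets the portal page, with the original URL carried
        along so the client can be returned to it after login.
        """
        host = urlparse(url).hostname or ""
        if host == self.portal_host or host in self.walled_garden:
            return ("allow", url)
        account = self.sessions.get(mac)
        if account is not None and now < account.expires_at:
            return ("allow", url)
        self.sessions.pop(mac, None)            # expired session: drop it and force a new login
        return ("redirect", f"https://{self.portal_host}/login?redirect={quote(url, safe='')}")


def demo() -> dict:
    """Run one guest through the portal: before login, walled garden, after login, after expiry."""
    t0 = datetime(2013, 5, 20, 9, 0)            # constructed clock
    portal = CaptivePortal("portal.example.net", {"info.hotel.example"})
    mac = "aa:bb:cc:dd:ee:01"
    guest = GuestAccount("guest-0001", expires_at=t0 + timedelta(hours=8))
    before = portal.handle(mac, "http://www.example.com/news", t0)
    garden = portal.handle(mac, "http://info.hotel.example/wifi", t0)
    logged_in = portal.login(mac, guest, t0 + timedelta(minutes=1))
    after = portal.handle(mac, "http://www.example.com/news", t0 + timedelta(minutes=2))
    expired = portal.handle(mac, "http://www.example.com/news", t0 + timedelta(hours=9))
    stale = portal.login(mac, guest, t0 + timedelta(hours=9))
    return {
        "before": before[0], "garden": garden[0], "logged_in": logged_in,
        "after": after[0], "expired": expired[0], "stale_login": stale,
        "redirect_target": before[1],
    }


if __name__ == "__main__":
    print(demo())
```

The walled-garden check runs before the session check on purpose: the self-registration flow on the next slides only works if the unauthenticated client can reach the FortiAuthenticator (here standing in as `portal_host`) and any information site you want to expose, while every other destination is intercepted.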
User Self-Registration
When the user tries to browse to content, they will be blocked and prompted to log in.
Customise the login form to include a redirect to the FortiAuthenticator to create a login.