Course 203 - Fortinet Wireless

Module 4 Advanced Authentication

Fortinet Wireless Course 203

Module 4 Advanced Authentication

2012 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or distributed to anyone without prior written consent of an authorized representative of Fortinet.

Objectives Identify wireless authentication methods and describe WPA2 Enterprise authentication Explain 802.1X 802 1X and EAP standards and their usage in wireless networks Identify the capabilities of wireless Single Sign On (SSO) Describe the usage and configuration of the captive portal Describe the guest access capability Introduce FortiAuthenticator usage g in the wireless solution Perform a configuration of enterprise authentication using 802.1X in the hands-on lab

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 4 Advanced Authentication

Wireless Authentication Methods FortiGate Wireless Controller supports:

Captive p Portal Web browsing intercept user login

WPA Personal (PSK) Wireless access using pre-shared keys

WPA-Enterprise (802.1x) More secure access with individual user logins

WPA/TKIP WPA (Wi-Fi Protected Access) is an industry-sponsored interim security standard

Subset of 802.11i 802 11i RSN (Robust Security Network) Dramatic improvement over WEP

WPA consists of 2 parts:

802.1x Authentication TKIP encryption (Temporal Key Integrity Protocol)

TKIP
Provides per-packet key mixing, strong MIC (Message Integrity Check), extended IV, and a re-keying mechanism Based on RC4 - only requires a software upgrade for most devices Can use a Pre-Shared Key (PSK) like WEP or dynamic keys through 802.1x
4

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 4 Advanced Authentication

802.11i/Wi-Fi Protected Access 2.0 Robust Security, amendment to the original 802.11 standard Specifies security mechanisms for wireless networks (Wi Fi) (Wi-Fi) Major 802.11i components include:
802.1X for authentication RSN (or WPA2) for keeping track of associations AES-based CCMP encryption 4-way authentication handshake
http://en.wikipedia.org/wiki/IEEE_802.11i2004

4-way Handshake Robust security network associations (RSNAs)

Two stations (STAs) authenticate and associate with each other as well as create dynamic encryption keys through a process known as the 4 4-Way Way Handshake

RSNAs utilize a dynamic encryption-key management method that involves the creation of five separate keys Two master keys known as the Group Master Key (GMK) and the Pairwise Master Key (PMK)
The PMK is created as a result of 802.1X/EAP authentication. A PMK can also l be b created t df from PSK authentication th ti ti iinstead t d of f 802 802.1X/EAP 1X/EAP authentication.

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 4 Advanced Authentication

4-way Handshake Master keys are the seeding material used to create the final dynamic keys The final keys are known as the Pairwise Transient Key (PTK) and the Group Temporal Key (GTK)
PTK is used to encrypt/decrypt unicast traffic GTK is used to encrypt/decrypt broadcast and multicast traffic

These final keys are created during a four-way EAP frame exchange that is known as the 4-Way Handshake
Always the final four frames exchanged during either 802.1 X/EAP authentications or PSK authentication Every time a client radio roams from one AP to another, a new 4-Way Handshake occurs.
7

Fast Roaming Users in a multi-AP network, especially with mobile devices, can move from one AP coverage area to another.
But, But the process of re-authentication can often take seconds to complete and this can impair wireless voice traffic and time sensitive applications. It can be longer if the user authenticate against an external server.

The FortiAP fast roaming feature solves this problem and is available only when moving between FortiAP units managed by the same Wireless Controller.
Currently supports only Layer 2 roaming. roaming

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 4 Advanced Authentication

Fast Roaming Users moving between APs must authenticate to each AP

Delays can impair wireless voice traffic or time sensitive applications

Pairwise Pair ise Master Key Ke (PMK) caching

Wireless controller caches a negotiated master key
Should the user roam away from that AP and back again, the client will not have to reauthenticate

Users can also pre-authenticate to the next AP that the client may roam to
PMK is derived in advance of the user movement and is cached

Fast roaming is only available to FortiAP devices connected to the same FortiGate wireless controller.

Fast Roaming For the client station, the trigger to roam is a set of proprietary rules determined by the manufacturer of the wireless card, usually defined by received signal strength indicator (RSSI) thresholds The client station:
Moves away from the original access point with which it is associated as the signal drops below a predetermined threshold Will attempt to connect to a new target access point that has a stronger signal Sends a frame, called the re-association request frame, to start the roaming procedure procedure.

10

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 4 Advanced Authentication

Fast Roaming As the client station roams, the original access point and the target access point should communicate with each other across the Distribution System (wired) The AP AP handoff communications involves two primary tasks:
The target AP informs the original AP that the client station is roaming The target AP requests the clients buffered packets from the original AP.

11

802.1x Standard protocol for authenticating user prior to granting access to L2 media Utilizes EAP (Extensible Authentication Protocol)
Evolved from PPP, used for wired network authentication -unencrypted Several types of Wireless EAP
Cisco LEAP EAP-TLS PEAP EAP-TTLS EAP-SIM

These sub-types intended for use on untrusted networks such as wireless

12

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 4 Advanced Authentication

802.1x EAP Overview

Supplicant: Client Station Authenticator: FortiGate Wireless Controller Authentication server: RADIUS server

Three Components

1. Supplicant communicates with authentication server through the authenticator 2. Authenticator reformats 802.1x to RADIUS and forwards to Authentication Server 3. EAP exchange happens between supplicant and authentication server 4. On success, server delivers EAP Success via RADIUS message 5. Details often hidden from authenticator 6. The wireless controller is EAP agnostic
13

WLAN Authentication: 802.1X EAP

14

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 4 Advanced Authentication

Fortigate Configuration Local Authentication

In Local Authentication or Local EAP the Fortigate is both the Authenticator and the Authentication Server. Only valid for PEAP
Create a local user and create a group that contains that user

No remote server

15

Fortigate Configuration Local Authentication

1. Configure the SSID with WPA/WPA2 Enterprise

2. Select Usergroup 3 Select 3. S l t the th group (s) ( )

16

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 4 Advanced Authentication

Fortigate Configuration Remote Authentication

1.

Create a Radius Sever (IP address and Secret)

2 Create a User Group and add the created 2. server as a remote server
1. Dont need to add users to the group. They come from Radius

17

Fortigate Configuration Remote Authentication

1.

Configure the SSID with WPA/WPA2 Enterprise

2. Select Radius Server 3. Select server from list

18

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 4 Advanced Authentication

WPA/WPA2 Enterprise authentication - PEAP Wireless user require to submit username and password when using WPA/WPA2 enterprise authentication.

19

Alert message from Wireless users By default, using windows7 OS. it has enabled validate server certificate. Wireless user will receive warning message during the server certificate validation. You can Terminate or Connect

20

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 4 Advanced Authentication

Disable Validation Server certificate in Windows7

Click on Settings

21

Validate Server Certificate FTG Local Groups

If you want to enforce server certificate validation but prevent any warning message due to server certificate validation fail you need to import the Athentication Server Certificate in the client
When using Local Groups Import FortiGate default WiFi CA certificate into your Client.

The Fortinet_Wifi certificate is embedded in the firmware and is same on every FortiGate unit. Download the .cer file to your drive. It is CA signed.
22

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 4 Advanced Authentication

Import certificate FTG Wireless Cert in Win7

23

Import External Radius Cert - FortiAuthenticator When using External Radius import the certificate from the Radius Server instead of FGT

This is the CA certificate where you can Export and import to your system. You need to place it in the Trusted Root CAs Store.

24

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 4 Advanced Authentication

Enable Server Certificate validation

Check the same CA that displays in the warning

25

Captive Portal Use to authenticate wireless users Display a web page containing acceptable use policy or other information This is called a captive portal information. portal. No matter what URL the user initially requested, the portal page is returned. Only after authenticating and agreeing to usage terms, can the user access other web or any other resources.

26

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 4 Advanced Authentication

Captive Portal Security There are several types of Captive portal Available
Disclaimer Authentication page Email harvesting Other

Captive portal security authentication methods:

Local users LDAP RADIUS TACACS+ FSSO agent

27

Captive Portal Security

Can be configured Several places
SSID Implies Open SSID Interface (applicable for Local Bridge SSIDs) User Identity Policy Device Identify Policy

No User groups Disclaimer Page

User groups Authentication Page

28

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 4 Advanced Authentication

Captive Portal

Disclaimer Only Page

Authentication Page

29

Captive Portal Multiple captive portal replacement messages allow customized login screens based on SSIDs

30

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 4 Advanced Authentication

Captive Portal Under User Identity Policy

Authentication Page

Disclaimer Page

31

Guest Access and Receptionist Services A guest user is also an authenticated user but the account has expiration time The user account can be created by regular admin or by an specific purpose defined account that can only create guest users That account has limited portal access only designed for a receptionist to assign temporary / guest user accounts and email/SMS/print logon credentials Guest access applies to both wired and wireless users 1. Need to create User Group type guest 2. Need to create admin user for guest management
Admin may create guest accounts under User > User Group > Guest Management.
32

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 4 Advanced Authentication

Guest Access Create a User Group type Guest

33

Guest Access Create a Guest User under a selected guest group

2. Create new 1. Select group

3. Fill information

34

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 4 Advanced Authentication

Guest Access Admin user for guest management

35

Guest Access Guest management portal

36

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 4 Advanced Authentication

Guest Access Create a new guest

37

Guest Access Distribute guest credentials by printing, email or SMS Captive portal needs to be set for the interface users connect from
This Thi affects ff t all ll t traffic ffi th therefore f no t traffic ffi will ill pass without ith t a valid lid account tf for th the captive portal

diag test user list

Current list of guest accounts

It is possible to extend guess access and create a self provisioning portal by adding FortiAuthenticator to the solution.

38

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 4 Advanced Authentication

Single Sign-on For Wireless Users Wireless client user authentication can be re-used in an identity firewall policy
Wireless WPA and WPA2 Enterprise

This allows users who connect to the same SSID but reside in different authentication groups to have different security policies.

39

Single Sign-on For Wireless Users Example, when an SSID uses WPA/WPA2-Enterprise Authentication the user login can be reused in an identity policy

40

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 4 Advanced Authentication

Single Sign-on For Wireless Users

41

FortiAuthenticator FortiAuthenticator can be an Authentication Server for EAP, also it can used in the wireless solution for user self service portal which is presented in the following use case. case

42

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 4 Advanced Authentication

User Self-Registration User Self Registration is different to Receptionist registration

The receptionist already has network access and the guest and receptionist can be on different networks networks. In this situation wireless captive portal is suitable suitable. With self-registration, the FAC registration portal must be accessible for the user to self-register. Wireless Captive portal is therefore not suitable as the user need to log on before they can access the network to self-register (catch-22). Open Wireless with Identity Based Policy is therefore required. Configure the AP as Open Access (CLI or via GUI if display option is checked only FOS 5.0)
config wireless-controller vap edit <SSID Name> set security open next end

43

User Self-Registration FortiGate Captive Portal

User accepts T&Cs and can enter the newly created credentials to gain access to the network

On connection to Captive Portal configured AP, the user is notified additional authentication is needed
44

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 4 Advanced Authentication

User Self-Registration

Create an Identity Based Policy authenticating against the FortiAuthenticator RADIUS

Customize the authentication Message to include a link to the FAC

45

User Self-Registration Create a more explicit rule above the catch all identity based policy allowing traffic to the FortiAuthenticator. There is also the option to create a walled garden here to allow unauthenticated users access e.g. a hotel information web site.

46

01-05002-RevA-0203-20130520

Course 203 - Fortinet Wireless

Module 4 Advanced Authentication

User Self-Registration When the user tries to browse to content, they will be blocked and prompted to log in.

Customise the login form to include a redirect to the FortiAuthenticator to create a login

47

Lab 802.1X/EAP with local user groups Captive Portal

48

01-05002-RevA-0203-20130520