Secure Access Labs (FAP+FG) V5.6


FortiAP Workshop Labs

FORTINET DOCUMENT LIBRARY


http://docs.fortinet.com
FORTINET VIDEO GUIDE
http://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com
http://cookbook.fortinet.com/how-to-work-with-fortinet-support/
FORTIGATE COOKBOOK
http://cookbook.fortinet.com
FORTINET TRAINING SERVICES
http://www.fortinet.com/training
FORTIGUARD CENTER
http://www.fortiguard.com
END USER LICENSE AGREEMENT
http://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: techdocs@fortinet.com

SET LATAM FAP LAB 2


Fortinet Technologies Inc.
CONTENTS

Lab Physical Topology...................................................................... 5

Lab Logical Topology........................................................................ 6

Lab 1 - Setting up WiFi with FortiAP ................................................ 7


Getting Started – Reset to Factory Defaults (Mandatory) .................................... 8
Upgrade your FortiOS release and FortiAP firmware .......................................... 8

Lab2 - Creating Captive Portal for WiFi Access. ............................15


Customize the AP profile to add the created GuestX SSID ............................... 19
Testing the SSID “GuestX” ................................................................................ 21

Lab3-Using 802.1X Authentication ..................................................23


Customize the AP profile to add the created EmployeeX SSID ......................... 27
Alert message from Windows users................................................................... 30
Testing the SSID “EmployeeX” .......................................................................... 32

Lab4 – Using WiFi Single Sign On with LDAP ................................34


Configuring LDAP Server access ...................................................................... 35
Customize the AP profile to add the created EmployeeADX SSID .................... 39
Testing the SSID “EmployeeADX” ..................................................................... 41

Lab5 – BYOD Example .....................................................................43

Lab6 - Creating WiFi Bridge with FAP.............................................50


Customize the AP profile to add the created SSID “BridgeX” ............................ 51
Testing the SSID “Bridge” .................................................................................. 52

Lab7 – Configuring Mesh Link.........................................................53


Creating the Backhaul SSID .............................................................................. 54

Configuring the Leaf AP ..................................................................................... 55
Verifying Operating Channels for this Mesh Link. .............................................. 57

Lab Physical Topology

Lab Logical Topology

Lab 1 - Setting up WiFi with FortiAP
In this lab you will:

Configure the FortiGate/FortiWiFi controller with FortiAP using the controller's GUI and CLI. This lab
will take you through:

Starting the FortiGate

Upgrading your FortiAP firmware

The goal of this lab is to understand the general workshop topology: how the devices are
connected, the IP addressing and the remaining components.
At this point you can plug the APs directly into the FGT or use a PoE injector.
Please review the following instructions and recommendations:

Please make sure to install the latest release of FortiOS in your FortiGate and the latest
firmware for the FortiAP

FGT management will be through the Internal LAN

Students' APs will be physically connected to the internal ports of the FGT, or to their
FortiSwitch if one is used.

Enable DHCP for the APs on the internal ports of the FGT.

Remember the naming convention for the lab. Your SSID must have a unique identifier, so
use your station number somewhere in the SSID name, or your initials if needed.

Before starting, make sure that the virtual network, the wireless card and the laptop OS are
working and up to date. Keep in mind that this training is oriented to wireless technology;
it does not cover the installation, configuration or other tasks related to the FGT, Win2008, FAC or
virtualization (VMware).

NOTE: During the LABS, the value X is your assigned student number. Some screenshots and
examples seen here will represent student 1, 2, or 3, but each class member’s configuration should
be unique.

Getting Started – Reset to Factory Defaults (Mandatory)

1. Connect a console cable from your laptop to the FGT/FortiWiFi device to use the CLI.
Configure your terminal (PuTTY or your preferred terminal program) for 9600 baud, 8-N-1,
no flow control. Verify that your terminal is connected by pressing <enter> several times, log in
to the FGT/FortiWiFi system (the username should be admin and the password blank) and
execute the following command:

a. execute factoryreset

2. A warning will appear. Type y:

a. This operation will reset the system to factory default!


Do you want to continue? (y/n).

3. The system will reboot and load a basic configuration.

Upgrade your FortiOS release and FortiAP firmware

4. Connect your laptop directly to the internal Port7 or any available port of your FGT/FWF device.

5. DHCP can be used on the laptop instead of a static IP. If the laptop is already set to DHCP, it should
receive an IP address in the 192.168.1.X/24 or 192.168.100.X/24 segment, depending
on the FGT model.

6. Open a browser and log in to the IP address for the FGT/FWF (generally https://192.168.1.99)

7. If the factory reset went well, the username should be admin and the password blank.

8. Upgrade your FGT to the version v5.6.1 build1484

Note: This lab does NOT cover how to upgrade the FGT.

9. Once you have performed the system reset and the upgrade, plug one of your APs directly into
Port1 of your FGT/FWF or any available port.

10. If your FGT unit has PoE interfaces you can use them; if not, you will need a power injector to power
up your FortiAPs.

11. Make sure that your FortiAP has the default configuration. Otherwise, reset the AP: some
models have a reset button hole on the back side; keep it pressed for a few seconds to perform the
reset, or check the documentation for that specific model.

12. Make sure your FGT is providing DHCP on the interface where you are connecting the FAP;
normally the internal interface uses the same addressing as the one your laptop is connected to
(192.168.X.0).

13. Go to Interfaces, look for the internal, software switch or LAN interface, double-click it and
configure the following parameters. (This procedure identifies every single FGT student unit,
so replace the X value with your STUDENT number.)

a. Addressing mode: Manual


b. IP/Network mask: 192.168.X.1/24
c. Administrative access: enable HTTPS, SSH and CAPWAP
d. DHCP server: Create the new range (192.168.X.100 – 192.168.X.254)
e. Default Gateway: Same as Interface IP
f. DNS Server: Same as Interface IP
g. Leave the other parameters at their defaults

14. At this point, connect your FortiGate WAN interface directly to the classroom core firewall
PortX according to the topology diagram and the number assigned. Check that you
are using the DHCP IP scope in the network range assigned.

NOTE: In this lab, the value X is your assigned student number. Some screenshots and
examples seen here will represent student or group 1, 2, or 3. Each class member’s configuration
should be unique.

15. Go to Interfaces, select the interface connected to the Internet (WAN1 or WAN2,
depending on the FortiGate model and the port used in the lab) and double-click the selected interface.

16. Configure the following parameters and check the status. If no IP/netmask is assigned,
click Renew until it receives the corresponding IP 10.10.X.2/255.255.255.252 with gateway
10.10.X.1.

a. Link status: Up
b. Addressing Mode : DHCP
c. Status: connected
d. Retrieve default gateway from server: on (highlight green)
e. Override Internal DNS: on (highlight green)
f. Administrative access: select https, ping
g. Click ok

17. At this point you should have Internet connectivity from your FortiGate. Go to the
Dashboard, open the CLI console and ping www.google.com; it should succeed. If not,
review the configuration again.

WLC_ARC # execute ping www.google.com


PING www.google.com (216.58.219.100): 56 data bytes
64 bytes from 216.58.219.100: icmp_seq=0 ttl=54 time=84.3 ms
64 bytes from 216.58.219.100: icmp_seq=1 ttl=54 time=69.1 ms
64 bytes from 216.58.219.100: icmp_seq=2 ttl=54 time=67.7 ms
64 bytes from 216.58.219.100: icmp_seq=3 ttl=54 time=69.7 ms
64 bytes from 216.58.219.100: icmp_seq=4 ttl=54 time=66.9 ms
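The interface work of steps 13 to 17 can also be done from the FortiGate CLI. The following is an added example written for this edit, not part of the Fortinet lab text or documentation. It assumes student number X = 1, that the LAN-side interface is named internal and the Internet-facing one wan1 (names vary by model), and a FortiOS 5.6 CLI; the values are the ones the GUI steps above ask for.

```fortios
# Added example (assumptions: X = 1, LAN interface "internal",
# Internet interface "wan1"): Lab 1 steps 13-17 from the CLI.
config system interface
    edit "internal"
        set mode static
        set ip 192.168.1.1 255.255.255.0
        set allowaccess https ssh capwap
    next
    edit "wan1"
        set mode dhcp
        set defaultgw enable
        set dns-server-override enable
        set allowaccess ping https
        set status up
    next
end
# Step 13d-f: DHCP scope for the FortiAP and laptop on "internal".
# "dns-service local" hands out the interface IP as DNS server
# (the GUI's "Same as Interface IP"); the gateway is the interface IP.
config system dhcp server
    edit 0
        set interface "internal"
        set default-gateway 192.168.1.1
        set netmask 255.255.255.0
        set dns-service local
        config ip-range
            edit 1
                set start-ip 192.168.1.100
                set end-ip 192.168.1.254
            next
        end
    next
end
# Step 16-17 verification: WAN lease, default route, reachability.
get system interface physical
get router info routing-table all
execute ping www.google.com
```

CAPWAP must be allowed on the interface facing the AP or the FortiAP will never be discovered; the `get router info routing-table all` output should show a default route learned from the 10.10.X.1 gateway before the ping is expected to work.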

18. Once you have connected the AP, go to WiFi & Switch Controller > Managed FortiAPs;
you should see the FAP waiting to be authorized with the state "?". The FAP is shown in gray
and is assigned the FortiAP profile "FAPXXX-default".

19. Once the FAP is detected, select it or right-click on it to Authorize. Wait
a few seconds while the FAP reboots.

20. After authorization, double-click the AP to view its version. If the FAP version information does not
match the release we are using for the FGT unit (v5.6), upgrade the access point
firmware.

21. If new firmware is available, the FortiGate GUI will show a message to
upgrade the FAP; click the message directly, or right-click the authorized FAP and click
Upgrade.

22. The new version is shown; click OK to upgrade the FAP if applicable. As a best practice, always
review the upgrade information in the release notes.

a. Choose the FAP firmware from the local PC disk or from FortiGuard
b. All FortiAPs can be upgraded simultaneously and centrally from the FortiGate controller.

23. If you prefer, you can change the FAP IP address to a static value in the same network, or
create an IP reservation in DHCP to keep the assigned IP.

*Note: By default, telnet, ssh, http and https access to a FortiAP unit's internal configuration are
disabled when the FortiAP is managed by a FortiGate (since v5.4 build0339). You can
enable administrative access in the FortiAP profile. Connect to the FortiGate CLI, use the
following commands and make sure to modify the correct profile:

a. config wireless-controller wtp-profile
b. edit FAP321C-default (edit the profile your AP is assigned to)
c. set allowaccess http https ssh
d. end

How to create an IP reservation: go to the DHCP Monitor, right-click on the IP address
assigned to your AP and click Create DHCP Reservation.

How to change the IP address to static: open a browser and log in to the FAP IP
address through https or http, change the IP address, netmask and gateway and apply the
changes. The username should be admin and the password blank.

In the FortiGate GUI, click the Refresh button to see the new FAP IP address; if it is not
updated, reboot the AP, wait a few minutes and refresh again.
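Steps 18 to 23 (authorizing the AP and opening administrative access to it) have a CLI equivalent, shown here as an added example that is not part of the lab text. It assumes FortiOS 5.6, the profile name FAP321C-default used in the note above, and uses "<FAP-serial>" as a placeholder for the serial number listed under Managed FortiAPs; it deliberately leaves http and telnet out of the allowed access list.

```fortios
# Added example (placeholder "<FAP-serial>" = serial shown under
# Managed FortiAPs; profile name taken from the lab note above).
# Step 19: authorizing the discovered AP is "set admin enable".
config wireless-controller wtp
    edit "<FAP-serial>"
        set admin enable
        set wtp-profile "FAP321C-default"
    next
end
# Note a-d: open management of the AP itself; only encrypted
# protocols are enabled here (http and telnet stay disabled).
config wireless-controller wtp-profile
    edit "FAP321C-default"
        set allowaccess https ssh
    next
end
# Step 20: list managed APs with their join state and reported
# version; an AP still waiting for authorization is not online.
diagnose wireless-controller wlac -c wtp
```

Run the `diagnose` command again after the firmware upgrade of step 22 to confirm the AP rejoined with the new version before moving to Lab 2.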

You have completed Lab 1


Proceed to Lab 2

Lab2 - Creating Captive Portal for WiFi Access.
In this lab you will:

Configure the FortiGate for captive portal access so users can log on to your WiFi network. This
lab will take you through:

Create the user account

Add it to a user group

Create a captive portal SSID and configure the FortiAP unit.

When the user tries to browse the Internet, they will be redirected to the captive portal login
page and will be prompted to enter the username and password.

Customize the AP profile

Create and configure WLAN

General review of basic device configuration

Basic configuration troubleshooting

1. Go to System > Feature Select, enable WiFi Controller and Wireless Open Security
in the GUI, and click Apply.

2. In order to authenticate users, we create the user first. Go to User & Device >
User Definition > Create New, User Type: Local User

a. User name: userguest


b. Password: fortinet
c. Click next
d. Contact info: your mail
e. Enable sms
f. Country region: your country
g. Phone Number: your phone
h. Click next
i. Enable user account: On
j. Leave the other parameters at their defaults
k. Click Create

3. Create the user group: go to User & Device > User Groups > Create New

a. Name: group_guest
b. Select Firewall
c. Members: userguest created previously
d. Click ok

4. Create SSID with Captive Portal authentication for guest users. Go to WiFi & Switch
Controller > SSID > Create New SSID

5. Fill in and select the following parameters

a. Interface name: int_GuestX


b. Type: WiFi SSID
c. Traffic Mode: Tunnel to Wireless controller
d. Address: 10.60.X.1 /255.255.255.0
e. DHCP Server: enable
f. Address Range: 10.60.X.2 – 10.60.X.254
g. Default Gateway: Same as interface IP
h. DNS Server: Same as System DNS
i. Device Detection: Enable
j. WiFi Settings: SSID: GuestX
k. Security mode: Captive Portal
l. Portal Type: Authentication
m. Authentication Portal: Local
n. User Groups: group_guest

o. Broadcast SSID: enable
p. Schedule: always
q. Leave the other parameters at their default settings
r. Click OK

NOTE: In this lab, the value X = your assigned student number. Some screenshots and
examples seen here will represent student 1, 2, or 3. Each classroom member’s configuration
should be unique.

Customize the AP profile to add the created GuestX SSID
6. Go to WiFi & Switch Controller > FortiAP Profiles, select and double-click the FortiAP
profile shown in the Managed FortiAPs tab. This is the profile of the FortiAP on which you wish to
broadcast the SSID.

7. On radio 1 and radio 2, select the SSID that you have just created and configure the
following:

a) Radio 1
b) Mode: Access Point
c) Radio Resource Provision: Unchecked
d) Channel: Check the following channels
36,40,44,48,149,153,157,161 (or available
for your region)
e) Auto TX power Control: Enable
f) TX Power Low: 3 dBm (because you are
very close to your partners' APs, we must
reduce adjacent and co-channel interference)
g) TX Power High: 8 dBm (same reason: you are
very close to your partners' APs, so adjacent and
co-channel interference must be reduced)
h) SSIDs: Select int_GuestX
i) Radio 2
j) Mode: Access Point
k) Radio Resource Provision: Uncheck
l) Channel: Check 1,6,11
m) Auto TX power Control: Enable
n) TX Power Low: 3 dBm
o) TX power High: 8 dBm
p) SSIDs: Select int_GuestX
q) click OK below to confirm

8. At this point, you should be able to see the SSID on the Wireless client or any Network
Scanner Utility.

9. Create a Firewall Policy in order to allow the traffic flow from the Wireless interface to the
Internet. Go to Policy & Objects > IPv4 Policy >Create new >

a. Name: Policy_WiFi_internet
b. Incoming interface: GuestX (int_GuestX)
c. Outgoing interface: WAN interface (the interface connected to the core firewall for
Internet connection)
d. Source: all (in real life, this source could be the VLAN created for the guest
group)
e. Destination: all (in real life, select only the https and http protocols, depending on
the customer's Internet access policy)
f. Schedule: always
g. Service: all
h. Action: accept
i. NAT: enable
j. Log allowed traffic: enable (security events)
k. Enable this policy: enable
l. Click ok to save the policy
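The objects created in steps 2 to 9 can be entered as one CLI transaction. This is an added example written for this edit, not part of the lab or of Fortinet's documentation; it assumes student number X = 1, the FortiAP profile name FAP321C-default and the Internet interface name wan1 from Lab 1, and a FortiOS 5.6 CLI. The DHCP scope of steps 5e to 5h is the same `config system dhcp server` stanza as the one created for the internal interface in Lab 1 step 13 (bound to int_Guest1 with the 10.60.1.x range) and is not repeated here.

```fortios
# Added example (assumptions: X = 1, AP profile "FAP321C-default",
# Internet interface "wan1"): Lab 2 steps 2-9 from the CLI.
config user local
    edit "userguest"
        set type password
        set passwd fortinet
    next
end
config user group
    edit "group_guest"
        set member "userguest"
    next
end
# Step 4-5: tunnel-mode SSID whose local captive portal only
# accepts members of group_guest
config wireless-controller vap
    edit "int_Guest1"
        set ssid "Guest1"
        set broadcast-ssid enable
        set security captive-portal
        set portal-type auth
        set selected-usergroups "group_guest"
        set schedule "always"
    next
end
config system interface
    edit "int_Guest1"
        set ip 10.60.1.1 255.255.255.0
        set device-identification enable
    next
end
# Step 7: radio settings; "vaps" is only honoured when vap-all is off
config wireless-controller wtp-profile
    edit "FAP321C-default"
        config radio-1
            set mode ap
            set darrp disable
            set channel "36" "40" "44" "48" "149" "153" "157" "161"
            set auto-power-level enable
            set auto-power-low 3
            set auto-power-high 8
            set vap-all disable
            set vaps "int_Guest1"
        end
        config radio-2
            set mode ap
            set darrp disable
            set channel "1" "6" "11"
            set auto-power-level enable
            set auto-power-low 3
            set auto-power-high 8
            set vap-all disable
            set vaps "int_Guest1"
        end
    next
end
# Step 9: guest-to-Internet policy ("logtraffic utm" = Security Events)
config firewall policy
    edit 0
        set name "Policy_WiFi_internet"
        set srcintf "int_Guest1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic utm
    next
end
# Verification: the SSID must appear as pushed to the AP's radios
diagnose wireless-controller wlac -c vap
```

Because the captive portal is enforced on the SSID, a client that associates but has not authenticated gets only the portal redirect even though the policy's source is "all"; the policy decides what authenticated users may reach, the SSID's user group decides who may authenticate.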

Testing the SSID “GuestX”
10. At this point, test the connectivity with a wireless laptop, tablet or smartphone by
connecting to the SSID, as in the following screen.

11. Test the Internet connection by browsing to https://www.fortinet.com.

12. The captive web portal should appear, remember to use the user and password created on
the previous steps.

a. User name: userguest


b. Password: fortinet

13. Go to Monitor > WiFi Client Monitor. You should now see the connected client. Find
the assigned IP, channel, user and Signal Strength/Noise.

14. If it is not working, check the policy you created for guest Internet
access and check the user and group definitions. Troubleshoot Layer 2 and Layer 3 issues.

You have completed Lab 2


Proceed to Lab 3

Lab3 - Using 802.1X Authentication
In this lab you will:

Improve your WiFi security with WPA2 Enterprise authentication. With this
authentication method there is no longer a pre-shared key that could fall into the wrong hands
or that needs to be changed when someone leaves the company. Each user has an individual
account and password, and accounts can be added or removed later as needed. This lab shows
how to authenticate users against the internal FortiGate database. You can also integrate WPA2 Enterprise
with the majority of third-party RADIUS authentication servers.

802.1X authentication is a more secure and reliable way to authenticate wireless clients. The
authentication protocols that operate inside the 802.1X framework and are suitable for wireless
networks include EAP-Transport Layer Security (EAP-TLS), Protected EAP (PEAP) and
EAP-Tunneled TLS (EAP-TTLS). These protocols allow the network to authenticate the client while
also allowing the client to authenticate the network.
This lab will take you through:

Create a user account

Add this user to a user group

Customize the AP profile

Create and configure WLAN with WPA2 Enterprise

General review of basic device configuration

Basic configuration troubleshooting

1. Create additional users as needed for the employees; in our lab we will create just one. Go
to User & Device > User Definition > Create New, Local User

a. Select Local User


b. User name: employeeX
c. Password: fortinet
d. Click Next
e. Click next to Extra info
f. Enable User Account: On
g. Click Create

2. Go to User & Device > User > User Groups, create a user group "employees", add
the new user(s) to the group by choosing the user created before under Members, and click
the OK button.

3. Now create an SSID with WPA/WPA2 Enterprise authentication for employees. This SSID will use
WPA/WPA2 Enterprise in tunnel mode. Go to WiFi & Switch Controller > SSID > Create
New SSID

4. Enter and select the following parameters

a. Interface name: int_EmployeeX


b. Type: WiFi SSID
c. Traffic Mode: Tunnel to Wireless controller
d. Address: 10.70.X.1 /255.255.255.0
e. DHCP Server: enable
f. Address Range: 10.70.X.2 – 10.70.X.254, netmask 255.255.255.0
g. Default Gateway: Same as interface IP
h. DNS Server: Same as System DNS

i. WiFi Settings: SSID: EmployeeX
j. Security mode: WPA2 Enterprise
k. Authentication: Local, select the group “employees” created before
l. Broadcast SSID: enable
m. Schedule: always
n. Leave the remaining parameters at their default settings
o. click OK below to confirm

NOTE: In this lab, the value X = your assigned student number. Some screenshots and
examples seen here will represent student 1, 2, or 3. Each class member’s configuration should
be unique.

Customize the AP profile to add the created EmployeeX SSID


5. Go to WiFi & Switch Controller > FortiAP Profiles, select and double-click the FortiAP
profile shown in the Managed FortiAPs tab. This is the profile of the FortiAP on which you wish to
broadcast the SSID.

6. On Radio 1 and Radio 2, add the "Employee1" SSID that you have just created and
click OK below to confirm.

7. At this point you should be able to find the EmployeeX SSID on the Wireless client device.

8. On Windows 10 and 8 the connection is made automatically.
9. On Android smartphones or tablets you may see something like the following. Since
802.1X is being used, some parameters will be required depending on the client device
(supplicant).

10. On Mac OS smartphones or tablets you may see something like the following; click Continue
to accept the certificate.

Alert message from Windows users
11. By default, Windows 7 has "Validate server certificate" enabled.
12. The wireless user will receive a warning message during the server certificate validation. You can
Terminate or Connect.

13. Disable "Validate server certificate" on Windows 7. Go to Network Properties, click on
Settings and select Protected EAP (PEAP).
14. Uncheck Validate Server Certificate and select EAP-MSCHAP v2 as the Authentication Method.

15. You won't be able to surf the Internet yet, because you must create the
firewall policy first.

16. Create a Firewall Policy in order to allow the traffic flow from the Wireless interface to the
Internet. Go to Policy & Objects > IPv4 Policy >Create new >

a. Name: Policy_WiFi_employeeX_internet
b. Incoming interface: EmployeeX(int_EmployeeX)
c. Outgoing interface: Interface WAN X (interface connected to the firewall Core for
internet connection)
d. Source: all (in real life, select only the VLAN created for the guest group)
e. Destination: all (in real life, select e.g. only the https and http protocols, depending
on the customer's policies)
f. Schedule: always
g. Service: all
h. Action: accept
i. NAT: enable

j. Log allowed traffic: enable (security events)
k. Enable this policy: enable
l. Click ok to save the policy
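The employee SSID of steps 1 to 6 and the policy of step 16 from the CLI, as an added example that is not part of the lab text. It assumes student number X = 1, FortiOS 5.6, the AP profile FAP321C-default and Internet interface wan1 from Lab 1, and that the guest SSID int_Guest1 of Lab 2 is already on both radios; it also shows the detail the GUI hides in step 6, namely that the radio's SSID list is replaced, not extended, by `set`.

```fortios
# Added example (assumptions: X = 1, AP profile "FAP321C-default",
# Internet interface "wan1"): Lab 3 steps 1-6 and 16 from the CLI.
config user local
    edit "employee1"
        set type password
        set passwd fortinet
    next
end
config user group
    edit "employees"
        set member "employee1"
    next
end
# Step 3-4: WPA2-Enterprise SSID authenticated against the local group
config wireless-controller vap
    edit "int_Employee1"
        set ssid "Employee1"
        set broadcast-ssid enable
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroup "employees"
        set schedule "always"
    next
end
config system interface
    edit "int_Employee1"
        set ip 10.70.1.1 255.255.255.0
    next
end
# Step 6: "set vaps X" would REPLACE the list and drop the guest SSID;
# "append" adds the new SSID while keeping int_Guest1 from Lab 2.
config wireless-controller wtp-profile
    edit "FAP321C-default"
        config radio-1
            append vaps "int_Employee1"
        end
        config radio-2
            append vaps "int_Employee1"
        end
    next
end
# Step 16: employee-to-Internet policy
config firewall policy
    edit 0
        set name "Policy_WiFi_employee1_internet"
        set srcintf "int_Employee1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic utm
    next
end
# Steps 20-22: associated stations with their MAC, signal and noise
diagnose wireless-controller wlac -c sta
```

After applying, `show wireless-controller wtp-profile FAP321C-default` should list both SSIDs under each radio; if only int_Employee1 appears, the guest SSID was overwritten and must be added back.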

Testing the SSID “EmployeeX”

17. At this point you can test the connectivity with the wireless laptop, tablet or smartphone
connecting to your SSID “EmployeeX”

18. Remember the credentials created previously.


a. User: employeeX
b. Password: fortinet

19. Once connected to the EmployeeX SSID, test Internet connectivity by accessing
www.fortinet.com.

20. Go to Monitor > WiFi Client Monitor. Look for the assigned IP, channel, user, signal
strength/noise, host information and device OS. Select the information you need
in order to see the device status: right-click on the column header to select and add the
following columns (SSID, Device, User, IP, Channel, Signal Strength / Noise, Host
information, Noise Floor).

21. You should be able to see the connected client. Look at the Signal Strength/Noise and try
to find out what it means. What was the Noise Floor detected? Is it a good indicator for
troubleshooting an issue? Take notes.

22. Pay attention to the connected device's MAC address and write it down,
because we will need this MAC address in the next lab.

23. If it is not working, check the policy you created for employee Internet
access and check the password you assigned. Troubleshoot Layer 2 and Layer 3 issues.

You have completed Lab 3


Proceed to Lab 4

Lab4 – Using WiFi Single Sign On with LDAP
In this lab, you will:

The WiFi users are employees of a corporation. These users belong to a Windows Active Directory
(AD) group called WiFi Domain Users. When users enter their WiFi username and password, the
FortiGate checks the local group WiFi. Since the group has been set up with a remote LDAP server,
the FortiGate performs user authentication against the LDAP server. If the user is authenticated
successfully, the FortiGate checks for a policy that allows the WiFi group access.

The FortiGate unit can authenticate wireless users transparently and allow them network access based on
their privileges in Windows AD. This means that users who have logged on to the network are not asked
again for their credentials to access network resources through the FortiGate unit, hence the term “Single
Sign-On”.

Configure LDAP server access

Configure WiFi User Group

Test Remote LDAP Server

Create SSID with WPA2 Enterprise

Add the new SSID into the AP Profile

Create Policy for AD WiFi user group

Review the CLI and GUI options.

General review of basic device configuration

Basic configuration troubleshooting

NOTE: In this lab, the value X = your assigned student number. Some screenshots and examples
seen here will represent student 1, 2, or 3. Each class member’s configuration should be unique.

Configuring LDAP Server access

1. To add an LDAP server, go to User & Device > LDAP Servers and select Create New

2. Enter the following parameters


a. Name: ADSERVERX
b. Server IP/Name: 10.254.1.95
c. Server Port: (default 389)
d. Common Name Identifier: sAMAccountName
e. Distinguished Name: cn=users,dc=fortiad,dc=net
f. Bind Type: Select Regular
g. Username: CN=fortiuser,CN=Users,DC=fortiad,DC=net
h. Password: fortiuser
i. Secure Connection: disable
j. Click "Test Connectivity" to test the connection with the LDAP server. Before continuing,
make sure that you receive a "successful" message; otherwise you must
troubleshoot (ping, traceroute, etc.)
k. Click OK to save the configuration

3. Go to User & Device > User Groups, click Create new, configure the following parameters

a. Name: UserGroupADX
b. Type: Firewall
c. Members: do not add any
d. In Remote Groups, Click on Add:
e. Select ADSERVERX that you created before

f. Click OK
g. Enable Recursive and check that you can see the following

h. Select Groups and then Domain Users, click OK as the following screenshot

i. Review the Remote Group created

j. Click ok to save the configuration

4. Now create another SSID with WPA/WPA2 Enterprise authentication for employees who authenticate
against the LDAP server. This SSID will use WPA/WPA2 Enterprise in tunnel mode. Go to WiFi &
Switch Controller > SSID > Create New SSID

5. Enter and select the following parameters

a. Interface name: int_EmployeeADX


b. Type: WiFi SSID
c. Traffic Mode: Tunnel to Wireless controller
d. Address: 10.70.X0.1 /255.255.255.0
e. Administrative Access: PING
f. DHCP Server: enable
g. Address Range: 10.70.X0.2 – 10.70.X0.254, netmask 255.255.255.0
h. Default Gateway: Same as interface IP
i. DNS Server: Same as System DNS

j. WiFi Settings: SSID: EmployeeADX
k. Security mode: WPA2 Enterprise
l. Authentication: Local, select the group “UserGroupADX” created before
m. Broadcast SSID: enable
n. Schedule: always
o. Leave the remaining parameters at their default settings
p. click OK below to confirm

NOTE: In this lab, the value X = your assigned student number. Some screenshots and
examples seen here will represent student 1, 2, or 3. Each class member’s configuration should
be unique.

Customize the AP profile to add the created EmployeeADX SSID


6. Go to WiFi & Switch Controller > FortiAP Profiles, select and double-click the FortiAP
profile shown in the Managed FortiAPs tab. This is the profile of the FortiAP on which you wish to
broadcast the SSID.

On Radio 1 and Radio 2, add the "EmployeeADX" SSID that you have just created and
click OK below to confirm.

7. At this point, you should be able to find the EmployeeADX SSID on the wireless client device.

8. You won't be able to surf the Internet yet, because you must create the firewall
policy first.

9. Create a Firewall Policy in order to allow the traffic flow from the Wireless interface to the
Internet. Go to Policy & Objects > IPv4 Policy >Create new >

a. Name: Policy_WiFi_employeeADX_internet
b. Incoming interface: EmployeeADX(int_EmployeeADX)
c. Outgoing interface: Interface WAN X (interface connected to the firewall Core for
internet connection)
d. Source: in the Address tab select all (in real life, select only the address group
created for the AD employees group), then go to the User tab and select the
UserGroupADX that you created before.

e. Destination: all (in real life, select e.g. only the https and http protocols, depending on
the customer's policies)
f. Schedule: always
g. Service: all
h. Action: accept
i. NAT: enable
j. Log allowed traffic: enable (security events)
k. Enable this policy: enable
l. Click ok to save the policy
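The LDAP server, the remote-group binding and the identity-based policy of steps 1 to 9 from the CLI, with the CLI form of the "Test Connectivity" check and of step 16's Firewall User Monitor. This is an added example written for this edit, not part of the lab or of Fortinet's documentation. It assumes student number X = 1, FortiOS 5.6, the AP profile FAP321C-default and interface wan1 from Lab 1, the test account user1/user1 from step 11, and that the "Domain Users" group picked in step 3h lives in the default CN=Users container of fortiad.net (an assumption; take the DN the GUI picker shows if it differs).

```fortios
# Added example (assumptions: X = 1, Internet interface "wan1",
# AP profile "FAP321C-default", group DN under CN=Users):
# Lab 4 steps 1-9 from the CLI.
config user ldap
    edit "ADSERVER1"
        set server "10.254.1.95"
        set port 389
        set cnid "sAMAccountName"
        set dn "cn=users,dc=fortiad,dc=net"
        set type regular
        set username "CN=fortiuser,CN=Users,DC=fortiad,DC=net"
        set password fortiuser
        set secure disable
    next
end
# Step 2j from the CLI: performs the bind AND a real user lookup, so a
# wrong bind DN, wrong base DN or wrong cnid shows up here, not later
# on the SSID (test account user1/user1 from step 11, X = 1)
diagnose test authserver ldap ADSERVER1 user1 user1
# Step 3: firewall group whose membership is the remote AD group
config user group
    edit "UserGroupAD1"
        set member "ADSERVER1"
        config match
            edit 1
                set server-name "ADSERVER1"
                set group-name "CN=Domain Users,CN=Users,DC=fortiad,DC=net"
            next
        end
    next
end
# Step 4-5: the AD-backed WPA2-Enterprise SSID
config wireless-controller vap
    edit "int_EmployeeAD1"
        set ssid "EmployeeAD1"
        set broadcast-ssid enable
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroup "UserGroupAD1"
        set schedule "always"
    next
end
config system interface
    edit "int_EmployeeAD1"
        set ip 10.70.10.1 255.255.255.0
        set allowaccess ping
    next
end
# Step 6: add the SSID to both radios without dropping the others
config wireless-controller wtp-profile
    edit "FAP321C-default"
        config radio-1
            append vaps "int_EmployeeAD1"
        end
        config radio-2
            append vaps "int_EmployeeAD1"
        end
    next
end
# Step 9: "groups" turns this into an identity-based policy; traffic
# from a client that is not an authenticated member does not match it
config firewall policy
    edit 0
        set name "Policy_WiFi_employeeAD1_internet"
        set srcintf "int_EmployeeAD1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "UserGroupAD1"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic utm
    next
end
# Step 16: CLI view of Monitor > Firewall User Monitor
diagnose firewall auth list
```

The bind account password is stored on the FortiGate, so a regular bind should use a dedicated read-only account as the lab's fortiuser does; with `set secure disable` the bind credentials and user passwords cross the network in clear text between the FortiGate and 10.254.1.95, which is acceptable on the isolated classroom network but is the first thing to change (LDAPS or STARTTLS) outside it.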

Testing the SSID “EmployeeADX”

10. At this point you can test the connectivity with the wireless laptop, tablet or smartphone
connecting to your SSID “EmployeeX”

11. Use the following credentials


a. User: userX
b. Password: userX

NOTE: In this lab, the value X = your assigned student number. Some screenshots and
examples seen here will represent student 1, 2, or 3. Each class member’s configuration should
be unique.

12. On Windows 10 and 8 the connection is made automatically.

13. On Android smartphones or tablets you may see something like the following. Some parameters will
be required depending on the client device.

14. Once connected to the EmployeeADX SSID, test Internet connectivity by accessing
www.fortinet.com.

15. Go to Monitor > WiFi Client Monitor. Look for the assigned IP, channel, user, signal
strength/noise, host information and device OS. Select the information you need in
order to see the device status: right-click on the column header to select and add the following
columns (SSID, Device, User, IP, Channel, Signal Strength / Noise, Host information, Noise
Floor).

16. Go to Monitor > Firewall User Monitor and review the authenticated users.

You have completed Lab 4


Proceed to Lab 5

Lab5 – BYOD Example
In this lab you will:

Create a FortiOS security policy that requires both user and device authentication. You will notice
that known users can only access the network when they are using known devices. Using a
combination of user and device authentication improves security in BYOD environments. Any
authenticated user can connect through wireless using any wireless device that is included in the
device group specified in the policy. Thus, the BYOD policy can even support a user with multiple
devices. This lab will take you through:

Create Local user

Create the user group

Device Definition

General review of basic device configuration

Basic configuration troubleshooting

1. Create user for this lab. Go to User & Device > User Definition > Create New Local User

a. Select Local User

b. User name: userX


c. Password: fortinet
d. Click next

e. Click next to Extra info
f. Enable User Account: On
g. Click Create

2. Go to User & Device > User > User Groups, click on the user group "employees" created in
the previous labs and click Edit.

3. Add the new user "userX" to the group: choose the user you created before under
Members and then click the OK button.

4. Now we will create a device and a device group. Go to User & Device > Custom Devices &
Groups > Create New > Device

a. Alias: DeviceX
b. MAC address: Enter the MAC address you wrote down in the previous lab. This MAC
address will be the device DENIED access in this example
c. Additional MACs: If you wish, you can add as many MAC addresses as you want to block.
In this case leave it blank
d. Device Type: Look for the device you are using to do the test. Choose the correct device
depending on its OS.
e. Custom Groups: Select “Mobile Devices”
f. Click OK to save

5. We will create the subnet object used for the Employee team. Go to Policy & Objects >
Addresses > Create new

a. Name: subnet_WiFi_employee
b. Type: IP/Netmask
c. Subnet/IP range: 10.70.X.0/255.255.255.0
d. Interface: employeeX (int_EmployeeX)
e. Click OK

Now, we will create the security policy that restricts by the employees user group and the device
when logging into the corporate WiFi network. Create a firewall policy that blocks the traffic flow
from the wireless interface to the Internet for one device with a specific user. Go to Policy &
Objects > IPv4 Policy > Create new

f. Name: Policy_WiFi_Internet_BYOD
g. Incoming interface: employeeX (int_EmployeeX)
h. Outgoing interface: Interface WAN X (the interface connected to the Firewall Core for
Internet connectivity)
i. Source: Go to User in the Select Entries pane. Select the User Group “employees”
created before.

On the same screen, click on Device and select the device created in step #4, DeviceX

6. On the same screen, click on the Address tab and select the subnet address created before,
“Subnet_WiFi_Employee”.

a. Destination address: all (in real life, select only the HTTPS and HTTP protocols
depending on the customer's Internet access policy)
b. Schedule: always
c. Service: all
d. Action: DENY
e. Enable this policy: enable
f. Click OK to save the policy

The policy should look like the following

7. Once you have created this policy (Policy_WiFi_Internet_byod) you must change the sequence to
place it before policy_WiFi_employeeX, because policies are matched top to bottom and the first
match wins.

8. We will use the same SSID “EmployeeX” in order to test the BYOD policy. At this point you can
test the connectivity with the device: a tablet, smartphone or laptop connecting to the SSID
“EmployeeX”

9. Remember the credentials you created before


a. User: userX
b. Password: fortinet

10. Please take note of what happens when you connect to the SSID “Employee”. Were you able
to surf the Internet?

11. Go to User & Device -> Device Inventory. Look for your device and you will see something like
the image below.

12. Go to User & Device -> Custom Devices & Groups. Double click on your defined custom device
and see the details.

13. Try another device and test Internet connectivity with this device (use the same user). What
happens?

14. Go to Monitor -> Firewall User Monitor and search for the users you used for the Employee
WiFi connection.

Here you can de-authenticate the user if you want. Select the user and click on
“De-authenticate”
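To see why the policy order in step 7 matters, here is a small first-match simulation of the Lab 5 policy table, added as an example; it is not part of the lab or of FortiOS. The policy names, the student-1 subnet 10.70.1.0/24 and the client entries are constructed assumptions, and only the source subnet, user group and device criteria are modelled.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    """One row of the IPv4 policy table (only the fields Lab 5 uses)."""
    name: str
    action: str                                 # "accept" or "deny"
    src_subnet: str                             # source address object
    groups: set = field(default_factory=set)    # user groups; empty = any user
    devices: set = field(default_factory=set)   # custom devices; empty = any device


def matches(policy, client):
    """A policy matches only if every configured criterion matches the client."""
    if ip_address(client["ip"]) not in ip_network(policy.src_subnet):
        return False
    if policy.groups and not (client["groups"] & policy.groups):
        return False
    if policy.devices and client["device"] not in policy.devices:
        return False
    return True


def evaluate(policies, client):
    """First match wins, top to bottom; no match falls through to the implicit deny."""
    for policy in policies:
        if matches(policy, client):
            return policy.name, policy.action
    return "implicit", "deny"


# Constructed objects mirroring Lab 5 for student X = 1 (hypothetical values).
BYOD_DENY = Policy("Policy_WiFi_Internet_BYOD", "deny", "10.70.1.0/24",
                   {"employees"}, {"DeviceX"})
EMPLOYEE_ALLOW = Policy("policy_WiFi_employeeX", "accept", "10.70.1.0/24",
                        {"employees"})

# Constructed clients: userX on the denied device, userX on another device,
# and a user who is not in the "employees" group at all.
USERX_ON_DEVICEX = {"ip": "10.70.1.20", "groups": {"employees"}, "device": "DeviceX"}
USERX_ON_LAPTOP = {"ip": "10.70.1.21", "groups": {"employees"}, "device": "laptop"}
GUEST_USER = {"ip": "10.70.1.22", "groups": set(), "device": "DeviceX"}

if __name__ == "__main__":
    # Step 7 ordering: the BYOD deny sits above the employee allow policy.
    print(evaluate([BYOD_DENY, EMPLOYEE_ALLOW], USERX_ON_DEVICEX))  # -> ('Policy_WiFi_Internet_BYOD', 'deny')
    print(evaluate([BYOD_DENY, EMPLOYEE_ALLOW], USERX_ON_LAPTOP))   # -> ('policy_WiFi_employeeX', 'accept')
    # Wrong order: the allow policy matches first and the deny is never reached.
    print(evaluate([EMPLOYEE_ALLOW, BYOD_DENY], USERX_ON_DEVICEX))  # -> ('policy_WiFi_employeeX', 'accept')
```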

You have completed Lab 5


Proceed to Lab 6

Lab6 - Creating WiFi Bridge with FAP
In this lab you will:

Set up a WiFi network with a FortiGate managing a FortiAP in Bridge mode. You can configure a
FortiAP unit in either Tunnel or Bridge mode. When a FortiAP is in Bridge mode, the Ethernet and
WiFi interfaces are connected (or bridged), allowing wired and wireless networks to be on the
same subnet. Tunnel mode is the default mode for a FortiAP.

Create and configure WLAN

Customize the AP profile

General review of basic device configuration

Basic configuration and troubleshooting

1. Create an SSID with WPA2 authentication. Go to WiFi & Switch Controller > SSID > Create New
SSID

2. Fill out and select the following parameters

a. Interface name: int_bridgeX
b. Type: WiFi SSID
c. Traffic Mode: Local bridge with FortiAP's Interface
d. WiFi Settings: SSID: BridgeX
e. Security mode: WPA2 Personal
f. Preshared key: fortinet
g. Leave the remaining parameters at their default settings
h. Click OK

NOTE: In this lab, the value X = your assigned student number. Some screenshots and examples
seen here will represent student 1, 2, or 3. Each class member’s configuration should be unique.

Customize the AP profile to add the created SSID “BridgeX”

3. Go to WiFi & Switch Controller > FortiAP Profiles > Select and double click the FortiAP
profile shown in the Managed FortiAPs tab. This profile belongs to the FortiAP on which you wish to
broadcast the SSID.

4. In Radio 1 and Radio 2, select the BridgeX SSID that you have just created and click OK below
to confirm

Testing the SSID “BridgeX”

5. At this point you should be able to see the BridgeX SSID on the wireless client

6. We do not need to add a firewall policy because one was already added

7. Connect to the BridgeX SSID

8. Review the IP address assigned and verify that it belongs to the internal LAN DHCP scope

9. If it is not working, check the policy from the internal LAN to WAN (Internet) and check the
password that you assigned. Troubleshoot Layer 2 and Layer 3 issues.

You have completed LAB 6


Proceed to LAB 7
Don't remove the configuration; we will use it for the next lab

Lab7 – Configuring Mesh Link
In this lab you will:

Create a backhaul mesh link. This means that two FortiAPs are used to extend the range of a single
WiFi network. The second FortiAP is connected to the FortiGate WiFi controller through a dedicated
WiFi backhaul network. Both FortiAPs provide the employee-staff network to clients that are in range.
More mesh-connected FortiAPs could be added to further expand the coverage range of the network.
Each AP must be within range of at least one other FortiAP. Mesh operation requires dual-radio
FortiAP models, FortiAP-221C for example.

Configure a Mesh link between a wired AP (root) and a wireless AP (leaf).

Bridge the Ethernet port of the wireless AP (leaf) to the mesh network.

Associate to the leaf AP with a wireless station.

Review the CLI and GUI options.

General review of basic device configuration

Basic configuration troubleshooting

At the end of this lab we will have the following topology implemented

NOTE: In this lab, the value X = your assigned student number. Some screenshots and examples
seen here will represent student 1, 2, or 3. Each class member’s configuration should be unique.

Creating the Backhaul SSID

1. Go to WiFi & Switch Controller > SSID, click Create new SSID and configure the following
parameters

a. Interface name: backhaul_meshX
b. Type: WiFi SSID
c. Traffic Mode: Mesh Downlink
d. SSID: backhaul_meshX
e. Security mode: WPA2 Personal
f. Pre-shared Key: fortinet
g. Click OK to save the new SSID configuration

You will need to remember the pre-shared key when configuring the mesh-connected leaf
FortiAP

2. Select one of your APs to be the root (the one that will stay physically connected to the FGT
unit all the time). On this AP, choose the radio operating in 5 GHz and add the backhaul SSID
created in the previous STEP (DO NOT delete the other SSIDs). Leave the TX Power settings unchanged.

Configuring the Leaf AP
3. NOW, connect your second AP if you have not done so yet. This AP will initially be
connected directly to another free internal port on your FortiGate unit. Check whether the FortiGate has
another available PoE interface; if not, you will need a power injector. Repeat the STEPS of Lab 1
to authorize this new FortiAP and leave it in an operational state (it is highly recommended to
use the same firmware on BOTH APs if possible).

4. Browse to this FortiAP's IP address over HTTPS or HTTP, and change the IP address information if you wish
(or make a DHCP reservation again as you did in Lab 1). The username should be admin and
the password <blank> if you followed the steps correctly.

5. Configure the wireless mesh leaf through the GUI using the Mesh AP SSID and mesh password as
follows.

a. Uplink: Select “Mesh”
b. Mesh AP SSID: backhaul_meshX
c. Mesh AP Password: fortinet
d. Ethernet Bridge: Check
e. Click Apply to save

*Make sure to use the same password you used when creating the backhaul SSID in STEP 1.

6. Once you have set the previous parameters, it will take a few seconds while the leaf AP
reboots. If everything went OK you will see, in WiFi & Switch Controller > Managed FortiAPs,
the mesh icon under the Connected Via column as follows. If not, PLEASE wait a few minutes while
the backhaul link between Root and Leaf is established.

7. You can also configure the mesh leaf by CLI. Go to Dashboard > CLI Console, enter execute
ssh 192.168.X.X (this is the IP address of your second AP) to log in to the FortiAP as admin.
Enter the commands to change the FortiAP to mesh uplink on the SSID “backhaul_meshX”.
Enter exit to end. Use the following commands:

FWF60D4615021690 # execute ssh 192.168.X.X
Warning: Permanently added '192.168.X.X' (RSA) to the list of known hosts.
BusyBox v1.15.0 (2016-06-07 15:27:34 PDT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

FP221C3X16011292 # cfg -a MESH_AP_TYPE=1
FP221C3X16011292 # cfg -a MESH_AP_SSID=backhaul_meshX
FP221C3X16011292 # cfg -a MESH_AP_PASSWD=fortinet
FP221C3X16011292 # cfg -c
restarting wtp daemon ...
end

NOTE: The “Connected Via” field lists the IP address of each FortiAP and uses icons to show whether
the FortiAP is connected by Ethernet or Mesh. If you mouse over the Connected Via information, a
topology displays, showing how the FortiGate wireless controller connects to the FortiAP.

8. Connect your laptop to the Ethernet port of the leaf AP and make sure you get an IP address in
the same subnet as the internal network interface.

Verifying Operating Channels for this Mesh Link

1. At this point we are using a channel bandwidth of 20 MHz in the 5 GHz band. We can use a channel
bandwidth of 40 MHz in order to improve the backhaul link max rate

2. Use your WiFi network analyzer in order to see the current channel information and link max
rate

a. What did you find?

b. What channel are you using?

c. What is the channel max bandwidth for this case?

3. Change the channel width to 40 MHz on both FortiAPs. Remember, as a best practice, always
change the Leaf settings first and then continue with the Root. Verify which radio you are using for
the 5 GHz mesh link before changing it.

4. Use your WiFi network analyzer again in order to see the new channel information and link
max rate

a. What did you find, and why?

b. What is the channel max bandwidth for this case?

c. What channels are you using?

You have completed LAB 7
