Table of Contents

- Lab Setup ... 2
- Lab 1: FortiGate Wireless Configuration using a FortiAP Device ... 4
  - Exercise 1: Configuring a wireless LAN ... 4
- Lab 2: Device Identification ... 8
  - Exercise 1: BYOD configuration for a VAP ... 8
- Lab 3: Improving Wireless Security with WPA-Enterprise Security ... 10
  - Exercise 1: PEAP using local user group ... 10
  - Exercise 2: Captive Portal ... 11
- Lab 4: Custom AP Profiles ... 12
  - Exercise 1: Configuring rogue AP detection ... 12
- Lab 5: Putting It All Together ... 14
  - Exercise 1: Using FortiAuthenticator for PEAP authentication ... 14
  - Exercise 2: Setting up Full Mesh Wireless on FortiGate Unit Using Two FortiAP Units ... 16

Lab Setup

Please note that the following information is for reference only; this setup will have been completed by the instructor.

The following instruction assumes a FortiGate VM01 and a FortiAP per student. You may adapt the instruction to use a physical FortiGate device if you prefer. The FortiAP device used in this training is the 220B; however, you may also use a different device and adapt the instruction accordingly. You also require a FortiAuthenticator VM per student; however, you may use the inbuilt trial license.

For desktop virtualization we use VMware Player in this instruction. First install the VMware Player application on your PC. You will require administrator privileges to do this. Next, copy the FortiGate and FortiAuthenticator VMs, in OVF format, which will be used for this class, and open and import both VMs with the VMware Player application.

We use two interfaces on the FGT: one as the default route and wireless AP distribution system, and one for the internal network. Note that this setup relies on DHCP being available on the network the laptops and APs connect to. The FortiAP 220B has Power-over-Ethernet interfaces, therefore you may use a PoE switch; however, the mesh lab does require a power supply for the AP connecting to the wireless mesh. The setup used in this training uses the Ethernet port of the laptop.

The Virtual Network Editor (vmnetcfg.exe) is required for this setup and is not included in VMware Player by default, therefore you need to install VMware Workstation on another system and copy this file from the Program Files directory on the source system to the target system with VMware Player. Note that you must use the version of Workstation compatible with your version of Player.

The FortiGate uses the following VMware vmnet interfaces:

- Vmnet1 (host-only), which maps to port2.
- Vmnet0 (bridged), which maps to port1.
From the Virtual Network Editor, edit interface Vmnet1 (host-only), change the subnet IP to 10.0.1.0/24 and disable the DHCP service on this interface. From VMware Player, edit the FGT VM settings and choose vmnet0 for port1 (the first interface in the list) and vmnet1 for port2. From VMware Player, edit the FortiAuth VM settings and choose vmnet1 for port1 (the first interface in the list). Configure the PC vmnet1 interface as 10.0.1.10/24.

Start up the FGT VM, connect to the console and format the log disk; this is required for local logging and for other services to function.

When the FGT restarts, connect to the CLI and set port1 and port2:

    config system interface
        edit port1
            set mode dhcp
            set defaultgw enable
        next
        edit port2
            set ip 10.0.1.254/24
            set allowaccess http https ping ssh
    end

Disable the PC firewall, as it will interfere with traffic to and from the guest OS. Connect to the FortiGate GUI at http://10.0.1.254. Connect via HTTP first, because without the license installed only weak encryption is supported with the VM inbuilt evaluation license. If you cannot connect to the GUI, check the previous settings. Install the VL license and configure the firewall with an accept policy from port2 to port1, and enable NAT.

Lab 1: FortiGate Wireless Configuration using a FortiAP Device

Objective

This lab supports the learning objectives for module 2. You will configure a basic wireless network using WPA and a pre-shared key. You will manage an AP device to work with your wireless controller and configure firewall policies for the wireless clients.

Exercise 1: Configuring a wireless LAN

1. Connect to the FGT GUI and to the CLI (10.0.1.254/24).
2. Set your FortiGate system time and date correctly; this step is essential for logs and certificates.
3. Next, set the proper geographic location; the default is US.
       config wireless-controller setting
           set country US
       end

   Note: The country defines the acceptable radio settings for your region. To change this value you must first remove the predefined WTP profiles by entering the following CLI commands:

       config wireless-controller wtp-profile
           purge
       end

4. On the FortiGate web-based manager, go to WiFi Controller > Managed Access Points > Managed FortiAP. If your AP is not listed, select Refresh. Discovery of the FortiAP unit can take up to two minutes. If the FortiAP is still not listed under Managed FortiAP after two minutes, perform the following steps:
   - Check that the Ethernet port on the FortiAP unit is up.
   - Power cycle the FortiAP unit.
   - If necessary, connect a console cable to the AP, log in as 'admin' and enter 'factoryreset'; when the AP restarts, log in again and enter 'ifconfig br0' to check that the AP has obtained an IP address from the DHCP server in your training facility.
   Seek assistance from your instructor if none of the above steps resolve the issue.
5. From the FortiGate WiFi Controller, right-click the FortiAP and select Authorize. Wait for the authorization to complete. If the AP is still not listed, please discuss this with your instructor.
6. When authorized, right-click again, select Edit and name your AP. Verify that the FortiAP firmware version is the correct version for your training. Accept the default settings. Select OK.
7. Go to WiFi Controller > WiFi Network > SSID and select Create New to define your wireless network. Configure the following settings:
   Interface Name: <you choose>
   IP/Netmask: 10.10.10.1/255.255.255.0
   Administrative Access: Ping
   Traffic Mode: Tunnel to Wireless Controller
8. Enable DHCP with the following settings:
   Address Range: 10.10.10.10 - 10.10.10.20
   Netmask: 255.255.255.0
   Default Gateway: Same as Interface IP
   DNS Server: Same as System DNS
9.
   Configure the security settings as follows:
   SSID: <you choose>
   Security Mode: WPA/WPA2-Personal
   Data Encryption: AES
   Pre-shared Key: <you choose>
   Select OK.
10. Create firewall policies for the wireless clients. Go to Policy > Policy > Policy and select Create New to add a wireless-to-internal-network policy for your wireless clients. Configure the following settings:
   Source Interface/Zone: <your ssid>
   Source Address: All
   Destination Interface/Zone: port2
   Destination Address: All
   Schedule: Always
   Service: All
   Action: Accept
   Source NAT is not required for this policy since the wireless and internal networks are visible to each other. A second policy in the reverse direction would be required for bidirectional communication between the internal wired and wireless networks.
   Select Create New to add a wireless-to-Internet policy that allows wireless clients to access the Internet. Configure the following settings:
   Source Interface/Zone: <your ssid>
   Source Address: All
   Destination Interface/Zone: port1
   Destination Address: All
   Schedule: Always
   Service: All
   Action: ACCEPT
   Select Enable NAT and Use Destination Interface Address. Click OK.
11. Test your wireless network. This instruction assumes you have a mobile device which you can use for this test: look for your SSID and attempt to connect. Connect and enter the pre-shared key when prompted. Verify that you can ping your PC and that you can connect to the Internet. You can go to Wireless Controller > Monitor > Client Monitor to view information about the clients that are connected to your wireless network.
12. Access the FortiAP GUI. Note the IP address of your AP and, from your browser, connect to that address via HTTP. View the System and Wireless information. The Wireless information should display your configured SSID. You can also connect to the FortiAP via telnet.
   If necessary, enter the following command on the FortiGate to enable telnet on your managed AP:

       config wireless-controller wtp
           edit <name>
               set login-enable enable
       end

13. Use the following diagnostic commands to look at the wireless controller and access point communication. On the FortiGate:

       diag sniff packet any 'port 5246'
       diag debug app cw_acd 5

   On the FortiAP:

       # cw_debug app cwWtpd 5

   To see the CAPWAP control and data channels from the FortiGate, use the following commands; note that -c looks at the control channel and -d looks at the data channel:

       diag wireless-controller wlac -c wtp
       diag wireless-controller wlac -d wtp
       diag wireless-controller wlac sta-filter MAC@ <level>

   See KB article FD33214 for further information.

Lab 2: Device Identification

Objective

This lab supports the learning objectives for module 3. You will enable device identification on your virtual access point. You will
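For reference, the GUI steps 5 to 10 of Lab 1, Exercise 1 (authorizing the AP, creating the tunnel-mode SSID with WPA/WPA2-Personal and AES, its DHCP scope, and the two firewall policies) can also be entered from the FortiGate CLI. The block below is an added example and is not part of the original lab guide or of Fortinet's own documentation. The interface name "wifi-lab", the SSID "LabWiFi", the passphrase, the AP serial placeholder and the policy and DHCP server IDs are assumed values; option names can differ between FortiOS releases (the lab does not state which release the VM runs), so confirm each one with "?" completion on your unit before relying on it.

```fortios
# Added example (not from the lab guide): CLI equivalent of Lab 1 steps 5-10.
# All names, the passphrase and the serial number are placeholders.

# Step 5/6: authorize the discovered FortiAP and give it a name.
config wireless-controller wtp
    edit "<AP-serial-number>"
        set admin enable
        set name "lab-ap"
    next
end

# Step 7/9: SSID in tunnel mode, WPA/WPA2-Personal with AES.
# "wpa-personal" matches the GUI choice WPA/WPA2-Personal; if every client
# supports WPA2, "wpa2-only-personal" is the stricter setting.
# Use a long, random passphrase: the PSK is derived from it, so a short or
# guessable passphrase weakens the whole SSID.
config wireless-controller vap
    edit "wifi-lab"
        set ssid "LabWiFi"
        set security wpa-personal
        set encrypt AES
        set passphrase "<choose-a-long-random-passphrase>"
        set local-bridging disable
    next
end

# Step 7: address and administrative access of the VAP interface.
config system interface
    edit "wifi-lab"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
    next
end

# Step 8: DHCP scope for wireless clients, gateway = interface IP,
# DNS = system DNS ("dns-service default").
config system dhcp server
    edit 1
        set interface "wifi-lab"
        set default-gateway 10.10.10.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.10.10.10
                set end-ip 10.10.10.20
            next
        end
    next
end

# Step 10: wireless -> internal (no NAT, both networks are directly visible)
# and wireless -> Internet (source NAT to the port1 address).
config firewall policy
    edit 1
        set srcintf "wifi-lab"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "wifi-lab"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

The VAP entry must exist before its IP address is set under "config system interface", because the FortiGate creates the interface object when the VAP is created. After committing, "show firewall policy" and "get wireless-controller vap" let you compare the result with what the GUI steps produced, and Wireless Controller > Monitor > Client Monitor (step 11) confirms that clients obtain addresses from the 10.10.10.10 to 10.10.10.20 range.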