Upload: zarandija

Post on 01-Jan-2016

208 views

Category:

Documents


0 download

DESCRIPTION

203 Module 4 Advanced Authentication

TRANSCRIPT

Course 203 - Fortinet Wireless Module 4 Advanced Authentication

01-05002-RevA-0203-20130520

Fortinet Wireless Course 203, Module 4 – Advanced Authentication

© 2012 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or distributed to anyone without prior written consent of an authorized representative of Fortinet.

Objectives

• Identify wireless authentication methods and describe WPA2 Enterprise authentication

• Explain 802.1X and EAP standards and their usage in wireless networks

• Identify the capabilities of wireless Single Sign On (SSO)

• Describe the usage and configuration of the captive portal

• Describe the guest access capability

• Introduce FortiAuthenticator usage in the wireless solution


• Perform a configuration of enterprise authentication using 802.1X in the hands-on lab


Wireless Authentication Methods

• FortiGate Wireless Controller supports:

» Captive Portal – web browsing is intercepted and the user is prompted to log in

» WPA-Personal (PSK) – wireless access using pre-shared keys

» WPA-Enterprise (802.1X) – more secure access with individual user logins

WPA/TKIP

• WPA (Wi-Fi Protected Access) is an industry-sponsored interim security standard

» Subset of 802.11i RSN (Robust Security Network)

» Dramatic improvement over WEP

• WPA consists of 2 parts:

» 802.1X Authentication

» TKIP encryption (Temporal Key Integrity Protocol)

• TKIP

» Provides per-packet key mixing, strong MIC (Message Integrity Check), extended IV, and a re-keying mechanism

» Based on RC4 – only requires a software upgrade for most devices

» Can use a Pre-Shared Key (PSK) like WEP or dynamic keys through 802.1X


802.11i/Wi-Fi Protected Access 2.0

• Robust Security, amendment to the original 802.11 standard

• Specifies security mechanisms for wireless networks (Wi-Fi)

• Major 802.11i components include:

» 802.1X for authentication

» RSN (or WPA2) for keeping track of associations

» AES-based CCMP encryption

» 4-way authentication handshake

http://en.wikipedia.org/wiki/IEEE_802.11i-2004

4-way Handshake

• Robust security network associations (RSNAs)

» Two stations (STAs) authenticate and associate with each other as well as create dynamic encryption keys through a process known as the 4-Way Handshake

• RSNAs utilize a dynamic encryption-key management method that involves the creation of five separate keys

• Two master keys known as the Group Master Key (GMK) and the Pairwise Master Key (PMK)

» The PMK is created as a result of 802.1X/EAP authentication.

» A PMK can also be created from PSK authentication instead of 802.1X/EAP authentication.


4-way Handshake

• Master keys are the seeding material used to create the final dynamic keys

• The final keys are known as the Pairwise Transient Key (PTK) and the Group Temporal Key (GTK)

» PTK is used to encrypt/decrypt unicast traffic

» GTK is used to encrypt/decrypt broadcast and multicast traffic

• These final keys are created during a four-way EAP frame exchange that is known as the 4-Way Handshake

» Always the final four frames exchanged during either 802.1X/EAP authentication or PSK authentication

» Every time a client radio roams from one AP to another, a new 4-Way Handshake occurs.

Fast Roaming

• Users in a multi-AP network, especially with mobile devices, can move from one AP coverage area to another.

» But the process of re-authentication can often take seconds to complete, and this can impair wireless voice traffic and time-sensitive applications.

» It can take longer if the user authenticates against an external server.

• The FortiAP fast roaming feature solves this problem and is available only when moving between FortiAP units managed by the same Wireless Controller.

» Currently supports only Layer 2 roaming.


Fast Roaming

• Users moving between APs must authenticate to each AP

» Delays can impair wireless voice traffic or time-sensitive applications

• Pairwise Master Key (PMK) caching

» Wireless controller caches a negotiated master key

• Should the user roam away from that AP and back again, the client will not have to re-authenticate

• Users can also pre-authenticate to the next AP that the client may roam to

» PMK is derived in advance of the user movement and is cached

• Fast roaming is only available to FortiAP devices connected to the same FortiGate wireless controller.
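The key hierarchy from the 4-Way Handshake slides and the PMK cache from the fast roaming slides, worked through in code. This is an added example, not Fortinet course material: it uses the 802.11i key derivation (PBKDF2 for a PSK-derived PMK, PRF-384 for a CCMP PTK, PMKID as the cache identifier) with constructed MAC addresses and nonces, and a simple dictionary standing in for the controller's cache.

```python
import hashlib
import hmac

# Constructed sample inputs (not from the slides). The passphrase/SSID pair is
# the IEEE 802.11i Annex H test vector; the addresses and nonces are made up.
SSID, PASSPHRASE = b"IEEE", b"password"
AP_MAC = bytes.fromhex("0203040506a0")    # authenticator address (AA), constructed
STA_MAC = bytes.fromhex("020304050607")   # supplicant address (SPA), constructed
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))  # constructed 32-byte nonces


def pmk_from_psk(passphrase: bytes, ssid: bytes) -> bytes:
    """WPA-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).
    Under WPA-Enterprise the PMK is instead produced by the 802.1X/EAP exchange."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    for counter in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """4-Way Handshake result for CCMP: PTK (384 bits) = KCK || KEK || TK.
    Inputs are ordered min||max so the AP and the client derive the same key."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """Identifier of a cached PMK: HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class PmkCache:
    """Controller-side PMK cache. A client returning to an AP it already
    authenticated to presents the PMKID; on a hit the 802.1X/EAP exchange is
    skipped and only a fresh 4-Way Handshake (new nonces, new PTK) runs."""

    def __init__(self):
        self._entries = {}

    def store(self, pmk: bytes, aa: bytes, spa: bytes) -> bytes:
        key = pmkid(pmk, aa, spa)
        self._entries[key] = pmk
        return key

    def lookup(self, presented_pmkid: bytes):
        return self._entries.get(presented_pmkid)
```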

Fast Roaming

• For the client station, the trigger to roam is a set of proprietary rules determined by the manufacturer of the wireless card, usually defined by received signal strength indicator (RSSI) thresholds

• The client station:

» Moves away from the original access point with which it is associated as the signal drops below a predetermined threshold

» Will attempt to connect to a new target access point that has a stronger signal

» Sends a frame, called the re-association request frame, to start the roaming procedure.


Fast Roaming

• As the client station roams, the original access point and the target access point should communicate with each other across the Distribution System (wired)

• The AP – AP handoff communication involves two primary tasks:

» The target AP informs the original AP that the client station is roaming

» The target AP requests the client’s buffered packets from the original AP.

802.1X

• Standard protocol for authenticating a user prior to granting access to L2 media

• Utilizes EAP (Extensible Authentication Protocol)

» Evolved from PPP, used for wired network authentication – unencrypted

» Several types of “Wireless” EAP

• Cisco LEAP

• EAP-TLS

• PEAP

• EAP-TTLS

• EAP-SIM

» These sub-types are intended for use on untrusted networks such as wireless


802.1X EAP Overview

Three Components

• Supplicant: Client Station

• Authenticator: FortiGate Wireless Controller

• Authentication server: RADIUS server

1. Supplicant communicates with the authentication server through the authenticator

2. Authenticator reformats 802.1X to RADIUS and forwards to the Authentication Server

3. EAP exchange happens between supplicant and authentication server

4. On success, server delivers EAP Success via RADIUS message

5. Details often hidden from authenticator

6. The wireless controller is EAP agnostic

WLAN Authentication: 802.1X EAP
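Step 2 above, the authenticator reformatting 802.1X to RADIUS, as an added example (not Fortinet code): the EAP frame received over EAPOL is wrapped unchanged in an EAP-Message attribute, so the controller never has to understand the EAP method (step 6), and the Access-Request is protected with the Message-Authenticator attribute that RFC 3579 requires whenever EAP-Message is present. The shared secret, identity and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS attribute types used when 802.1X EAP is relayed to the server
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80
ACCESS_REQUEST = 1

# Constructed sample values (not from the slides)
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))   # a real authenticator uses 16 random bytes
IDENTITY = b"alice@example.com"


def eap_identity_response(eap_id: int, identity: bytes) -> bytes:
    """EAP Response/Identity as the supplicant sends it over EAPOL:
    code(2=Response) | id | length | type(1=Identity) | identity."""
    return struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity


def _attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, 2 + len(value)]) + value


def build_access_request(secret: bytes, radius_id: int, eap_frame: bytes,
                         identity: bytes, request_auth: bytes) -> bytes:
    """Authenticator side: copy the EAP frame into EAP-Message and compute
    Message-Authenticator = HMAC-MD5(secret, packet with that attribute zeroed).
    EAP frames over 253 bytes would be split across several EAP-Message
    attributes (not shown here)."""
    attrs = _attr(USER_NAME, identity) + _attr(EAP_MESSAGE, eap_frame)
    attrs += _attr(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac   # the zeroed value is the last 16 bytes


def parse_attrs(packet: bytes) -> list:
    """Return (type, value) pairs from the attribute area of a RADIUS packet."""
    attrs, pos = [], 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        attrs.append((t, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server side: recompute the HMAC with the attribute value zeroed. A packet
    carrying EAP-Message without a valid Message-Authenticator is discarded."""
    pos = 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        if t == MESSAGE_AUTHENTICATOR:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + length:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + length])
        pos += length
    return False
```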


FortiGate Configuration – Local Authentication

• In Local Authentication or Local EAP the FortiGate is both the Authenticator and the Authentication Server. Only valid for PEAP.

» Create a local user and create a group that contains that user

» No remote server

FortiGate Configuration – Local Authentication

1. Configure the SSID with WPA/WPA2 Enterprise

2. Select Usergroup

3. Select the group(s)


FortiGate Configuration – Remote Authentication

1. Create a RADIUS Server (IP address and Secret)

2. Create a User Group and add the created server as a remote server

» No need to add users to the group; they come from RADIUS

FortiGate Configuration – Remote Authentication

1. Configure the SSID with WPA/WPA2 Enterprise

2. Select RADIUS Server

3. Select the server from the list


WPA/WPA2 Enterprise authentication – PEAP

• Wireless users are required to submit a username and password when using WPA/WPA2-Enterprise authentication.

Alert message seen by wireless users

• By default, Windows 7 has “Validate server certificate” enabled.

• The wireless user will receive a warning message during server certificate validation. The user can Terminate or Connect.


Disable Server Certificate Validation in Windows 7

Click on Settings

Validate Server Certificate – FTG Local Groups

• If you want to enforce server certificate validation but prevent any warning message due to a server certificate validation failure, you need to import the Authentication Server certificate into the client

» When using Local Groups, import the FortiGate default WiFi CA certificate into your client.

The Fortinet_Wifi certificate is embedded in the firmware and is the same on every FortiGate unit. Download the .cer file to your drive. It is CA signed.


Import the FTG Wireless Certificate in Windows 7

Import External RADIUS Certificate – FortiAuthenticator

• When using an external RADIUS server, import the certificate from the RADIUS server instead of the FGT

This is the CA certificate, which you can export and import to your system. You need to place it in the Trusted Root CAs store.

Enable Server Certificate Validation

Check the same CA that is displayed in the warning

Captive Portal

• Used to authenticate wireless users

• Displays a web page containing an acceptable use policy or other information. This is called a captive portal.

• No matter what URL the user initially requested, the portal page is returned.

• Only after authenticating and agreeing to the usage terms can the user access other web or any other resources.


Captive Portal Security

• There are several types of Captive Portal available

» Disclaimer

» Authentication page

» Email harvesting

» Other…

• Captive portal security authentication methods:

» Local users

» LDAP

» RADIUS

» TACACS+

» FSSO agent

Captive Portal Security

• Can be configured in several places

» SSID – implies Open SSID

» Interface (applicable for Local Bridge SSIDs)

» User Identity Policy

» Device Identity Policy

• No user groups selected: Disclaimer Page

• User groups selected: Authentication Page


Captive Portal

Disclaimer Only Page / Authentication Page

Captive Portal

• Multiple captive portal replacement messages allow customized login screens based on SSIDs


Captive Portal – Under User Identity Policy

Disclaimer Page / Authentication Page

Guest Access and Receptionist Services

• A guest user is also an authenticated user, but the account has an expiration time

• The user account can be created by a regular admin or by a special-purpose account that can only create guest users

• That account has limited portal access, designed only for a receptionist to assign temporary / guest user accounts and email/SMS/print logon credentials

• Guest access applies to both wired and wireless users

1. Need to create a User Group of type Guest

2. Need to create an admin user for guest management

» Admin may create guest accounts under User > User Group > Guest Management.


Guest Access

• Create a User Group of type Guest

Guest Access

• Create a Guest User under a selected guest group

1. Select group

2. Create new

3. Fill in the information

Guest Access

• Admin user for guest management

Guest Access

• Guest management portal


Guest Access

• Create a new guest

Guest Access

• Distribute guest credentials by printing, email or SMS

• Captive portal needs to be set for the interface users connect from

» This affects all traffic; therefore no traffic will pass without a valid account for the captive portal

• diag test user list

» Current list of guest accounts

• It is possible to extend guest access and create a self-provisioning portal by adding FortiAuthenticator to the solution.


Single Sign-on For Wireless Users

• Wireless client user authentication can be re-used in an identity firewall policy

» Wireless WPA and WPA2 Enterprise

• This allows users who connect to the same SSID but reside in different authentication groups to have different security policies.

Single Sign-on For Wireless Users

• Example: when an SSID uses WPA/WPA2-Enterprise authentication, the user login can be reused in an identity policy

Single Sign-on For Wireless Users

FortiAuthenticator

• FortiAuthenticator can be an Authentication Server for EAP; it can also be used in the wireless solution for a user self-service portal, which is presented in the following use case.


User Self-Registration

• User Self-Registration is different from Receptionist registration

» The receptionist already has network access, and the guest and receptionist can be on different networks. In this situation the wireless captive portal is suitable.

» With self-registration, the FAC registration portal must be accessible for the user to self-register. The wireless captive portal is therefore not suitable, as the user needs to log on before they can access the network to self-register (catch-22). Open Wireless with an Identity Based Policy is therefore required.

» Configure the AP as Open Access (CLI, or via GUI if the display option is checked – only FOS 5.0)

config wireless-controller vap
    edit <SSID Name>
        set security open
    next
end

User Self-Registration

• FortiGate Captive Portal

On connection to a Captive Portal configured AP, the user is notified that additional authentication is needed

The user accepts the T&Cs and can enter the newly created credentials to gain access to the network


User Self-Registration

Create an Identity Based Policy authenticating against the FortiAuthenticator RADIUS

Customize the authentication message to include a link to the FAC

User Self-Registration

• Create a more explicit rule above the catch-all identity based policy allowing traffic to the FortiAuthenticator.

• There is also the option to create a walled garden here to allow unauthenticated users access to, e.g., a hotel information web site.


User Self-Registration

• When the user tries to browse to content, they will be blocked and prompted to log in.

Customise the login form to include a redirect to the FortiAuthenticator to create a login

Lab

• 802.1X/EAP with local user groups

• Captive Portal