Course 203 - Fortinet Wireless Module 4 Advanced Authentication
01-05002-RevA-0203-20130520
Fortinet Wireless Course 203, Module 4 – Advanced Authentication
© 2012 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or distributed to anyone without prior written consent of an authorized representative of Fortinet.
Objectives
• Identify wireless authentication methods and describe WPA2 Enterprise authentication
• Explain 802.1X and EAP standards and their usage in wireless networks
• Identify the capabilities of wireless Single Sign On (SSO)
• Describe the usage and configuration of the captive portal
• Describe the guest access capability
• Introduce FortiAuthenticator usage in the wireless solution
• Perform a configuration of enterprise authentication using 802.1X in the hands-on lab
Wireless Authentication Methods
• FortiGate Wireless Controller supports:
» Captive Portal
  • Web browsing is intercepted to present a user login
» WPA Personal (PSK)
  • Wireless access using pre-shared keys
» WPA-Enterprise (802.1X)
  • More secure access with individual user logins
WPA/TKIP
• WPA (Wi-Fi Protected Access) is an industry-sponsored interim security standard
» Subset of 802.11i RSN (Robust Security Network)
» Dramatic improvement over WEP
• WPA consists of 2 parts:
» 802.1X authentication
» TKIP encryption (Temporal Key Integrity Protocol)
• TKIP
» Provides per-packet key mixing, a stronger MIC (Message Integrity Check, "Michael"), an extended IV, and a re-keying mechanism
» Based on RC4, so it only requires a software upgrade for most WEP-era devices
» Can use a Pre-Shared Key (PSK) like WEP, or dynamic keys through 802.1X
» TKIP was a stopgap for legacy hardware. It is deprecated in the 802.11 standard and should not be enabled on new deployments; use WPA2 with AES-CCMP.
802.11i/Wi-Fi Protected Access 2.0
• Robust Security Network, amendment to the original 802.11 standard
• Specifies security mechanisms for wireless networks (Wi-Fi)
• Major 802.11i components include:
» 802.1X for authentication
» RSN (marketed as WPA2) for negotiating and keeping track of security associations
» AES-based CCMP encryption
» 4-way key handshake
http://en.wikipedia.org/wiki/IEEE_802.11i-2004
4-way Handshake
• Robust security network associations (RSNAs)
» Two stations (STAs) authenticate and associate with each other, and create dynamic encryption keys through a process known as the 4-Way Handshake
• RSNAs utilize a dynamic encryption-key management method that involves the creation of five separate keys
• Two master keys, known as the Group Master Key (GMK) and the Pairwise Master Key (PMK)
» The PMK is created as a result of 802.1X/EAP authentication
» A PMK can also be created from PSK authentication instead of 802.1X/EAP authentication
4-way Handshake
• Master keys are the seeding material used to create the final dynamic keys
• The final keys are known as the Pairwise Transient Key (PTK) and the Group Temporal Key (GTK)
» PTK is used to encrypt/decrypt unicast traffic (its KCK and KEK portions protect the handshake frames themselves)
» GTK is used to encrypt/decrypt broadcast and multicast traffic
• These final keys are created during a four-frame EAPOL-Key exchange that is known as the 4-Way Handshake
» Always the final four frames exchanged during either 802.1X/EAP authentication or PSK authentication
» Every time a client radio roams from one AP to another, a new 4-Way Handshake occurs
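The key derivation described on the last two slides, worked through in code. This is an added example, not part of the course material or Fortinet code; it uses only the Python standard library, and every passphrase, SSID, MAC address, nonce and EAPOL-Key frame in it is constructed for illustration. It derives the PMK from a WPA2-Personal passphrase, expands it into the PTK (KCK, KEK, TK) using the sorted address/nonce inputs so both sides agree, and then computes and checks the MIC that the authenticator verifies on message 2 of the handshake.

```python
"""Added example (not course material): deriving the WPA2 PMK, the PTK and
the EAPOL-Key MIC exactly as the 4-Way Handshake does. Standard library
only. Every MAC address, nonce and frame below is constructed."""
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    With 802.1X/EAP the PMK is instead the first 32 bytes of the EAP MSK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(AN,SN)||max(AN,SN)).
    Sorting the inputs means AP and client compute the same PTK whoever calls this."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    # KCK signs the handshake, KEK wraps the GTK in message 3, TK encrypts unicast data (CCMP).
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


# Offset of the 16-byte Key MIC field inside an EAPOL-Key frame:
# EAPOL hdr(4) + desc type(1) + key info(2) + key len(2) + replay ctr(8) + nonce(32) + IV(16) + RSC(8) + ID(8)
MIC_OFFSET = 81


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2/CCMP MIC: HMAC-SHA1 over the frame with the MIC field zeroed, truncated to 128 bits.
    (WPA/TKIP uses HMAC-MD5 here instead.)"""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Constructed EAPOL-Key frame for message 2 of 4 (Key Data omitted for brevity)."""
    body = (b"\x02"                      # descriptor type: RSN
            + b"\x01\x0a"                # key info: pairwise, MIC present, descriptor version 2
            + b"\x00\x10"                # key length 16 (CCMP)
            + (1).to_bytes(8, "big")     # replay counter echoed from message 1
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # SNonce, IV, RSC, ID
            + mic + b"\x00\x00")         # key MIC, key data length 0
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v2, type 3 (EAPOL-Key)


def verify_msg2(kck: bytes, frame: bytes) -> bool:
    """What the authenticator does on receipt of message 2: recompute the MIC and compare."""
    return hmac.compare_digest(eapol_key_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + 16])


def demo() -> dict:
    pmk = derive_pmk("correct horse battery", "LAB-WLAN")         # constructed passphrase and SSID
    aa = bytes.fromhex("0c1234567801")                            # AP (authenticator) MAC, constructed
    spa = bytes.fromhex("a4bbccddee02")                           # client (supplicant) MAC, constructed
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))       # fixed nonces so the run is repeatable
    ptk = derive_ptk(pmk, aa, spa, anonce, snonce)                # both sides arrive at this PTK
    msg2 = build_msg2(snonce, eapol_key_mic(ptk["kck"], build_msg2(snonce)))  # supplicant signs msg 2
    tampered = msg2[:-1] + bytes([msg2[-1] ^ 1])                  # one bit flipped in transit
    return {"pmk": pmk, "ptk": ptk,
            "msg2_ok": verify_msg2(ptk["kck"], msg2),
            "tampered_ok": verify_msg2(ptk["kck"], tampered)}


if __name__ == "__main__":
    r = demo()
    print("PMK", r["pmk"].hex(), "KCK", r["ptk"]["kck"].hex(), r["msg2_ok"], r["tampered_ok"])
```

The point the slide makes about roaming follows directly from derive_ptk: the PMK is the only long-lived secret, and because the AP address and fresh nonces are mixed in, a new PTK (and therefore a new handshake) is unavoidable at every AP; what can be cached is the PMK, not the PTK.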
Fast Roaming
• Users in a multi-AP network, especially with mobile devices, can move from one AP coverage area to another
» But the process of re-authentication can often take seconds to complete, and this can impair wireless voice traffic and time-sensitive applications
» It can take longer if the user authenticates against an external server
• The FortiAP fast roaming feature solves this problem and is available only when moving between FortiAP units managed by the same Wireless Controller
» Currently supports only Layer 2 roaming
Fast Roaming
• Users moving between APs must authenticate to each AP
» Delays can impair wireless voice traffic or time-sensitive applications
• Pairwise Master Key (PMK) caching
» Wireless controller caches a negotiated master key
» Should the user roam away from that AP and back again, the client will not have to re-authenticate; only a new 4-Way Handshake is run
• Users can also pre-authenticate to the next AP that the client may roam to
» PMK is derived in advance of the user movement and is cached
• Fast roaming is only available to FortiAP devices connected to the same FortiGate wireless controller
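PMK caching and pre-authentication from the controller's side, as an added example (not course material and not FortiOS code; standard library only, with every PMK, MAC address and timer value constructed). A client that wants to skip 802.1X names the cached PMK by its PMKID in the RSN element of its (re)association request. The cache below validates that PMKID against the AP and client addresses it is being used with, so an entry cannot be replayed by another client or at an AP it was never derived for, and it expires entries the way the PMK lifetime in the RADIUS reply would.

```python
"""Added example (not course material): PMK caching as the controller sees it.
The client names the cached PMK in its (re)association request by PMKID;
a cache hit skips 802.1X and goes straight to the 4-Way Handshake.
Standard library only; the PMK, addresses and clients are constructed."""
import hashlib
import hmac
import time


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), as carried in the RSN IE."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class PMKCache:
    """Controller-side cache shared by all APs it manages (the slide's 'same controller' rule:
    a PMK cached here is useless to an AP on a different controller)."""

    def __init__(self, lifetime_s: int = 3600, now=time.time):
        self._entries = {}          # pmkid -> (pmk, expires_at)
        self.lifetime_s = lifetime_s
        self.now = now

    def store(self, pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
        """Called after a full 802.1X/EAP success; returns the PMKID the client will later quote."""
        pid = pmkid(pmk, ap_mac, sta_mac)
        self._entries[pid] = (pmk, self.now() + self.lifetime_s)
        return pid

    def preauth(self, pmk: bytes, ap_macs, sta_mac: bytes) -> list:
        """Pre-authentication: seed entries for the APs the client may roam to next."""
        return [self.store(pmk, ap, sta_mac) for ap in ap_macs]

    def lookup(self, claimed_pmkid: bytes, ap_mac: bytes, sta_mac: bytes):
        """On (re)association: return the PMK on a valid hit, or None to force full 802.1X.
        The PMKID is recomputed for *this* AP/STA pair, so an entry cannot be replayed
        by a different client or at a different AP."""
        entry = self._entries.get(claimed_pmkid)
        if entry is None:
            return None
        pmk, expires_at = entry
        if self.now() >= expires_at:
            del self._entries[claimed_pmkid]
            return None
        if not hmac.compare_digest(pmkid(pmk, ap_mac, sta_mac), claimed_pmkid):
            return None
        return pmk


def roam_scenario() -> dict:
    """Client authenticates at AP1, roams to AP2 (pre-authenticated), returns to AP1, then the cache expires."""
    clock = [1000.0]                                             # fake clock so expiry is testable
    cache = PMKCache(lifetime_s=600, now=lambda: clock[0])
    pmk = hashlib.sha256(b"constructed EAP MSK").digest()        # stand-in for the PMK from 802.1X
    ap1, ap2, ap3 = b"\xa1" * 6, b"\xa2" * 6, b"\xa3" * 6       # APs on the same controller (constructed)
    sta, rogue = b"\xc1" * 6, b"\xc2" * 6                        # legitimate client and an impostor MAC

    pid1 = cache.store(pmk, ap1, sta)                             # full 802.1X done once at AP1
    pid2 = cache.preauth(pmk, [ap2], sta)[0]                      # pre-auth toward AP2 only

    result = {
        "roam_to_ap2": cache.lookup(pid2, ap2, sta) == pmk,       # fast: skip EAP, run 4-Way Handshake
        "roam_to_ap3": cache.lookup(pid2, ap3, sta) is None,      # AP3 never pre-authed: full 802.1X
        "back_to_ap1": cache.lookup(pid1, ap1, sta) == pmk,       # cache hit on return
        "rogue_replay": cache.lookup(pid1, ap1, rogue) is None,   # another MAC quoting the same PMKID
    }
    clock[0] += 601                                               # lifetime elapsed
    result["after_expiry"] = cache.lookup(pid1, ap1, sta) is None
    return result


if __name__ == "__main__":
    print(roam_scenario())
```

Every True in roam_scenario() is a case the slides describe in words: the pre-authenticated AP and the AP the client returns to are served from the cache, an AP that was never pre-authenticated falls back to full 802.1X, and a stale or mis-addressed PMKID is rejected rather than honoured.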
Fast Roaming
• For the client station, the trigger to roam is a set of proprietary rules determined by the manufacturer of the wireless card, usually defined by received signal strength indicator (RSSI) thresholds
• The client station:
» Moves away from the original access point with which it is associated as the signal drops below a predetermined threshold
» Will attempt to connect to a new target access point that has a stronger signal
» Sends a frame, called the re-association request frame, to start the roaming procedure
Fast Roaming
• As the client station roams, the original access point and the target access point should communicate with each other across the Distribution System (wired)
• The AP – AP handoff communication involves two primary tasks:
» The target AP informs the original AP that the client station is roaming
» The target AP requests the client's buffered packets from the original AP
802.1X
• Standard protocol for authenticating a user prior to granting access to L2 media
• Utilizes EAP (Extensible Authentication Protocol)
» Evolved from PPP; on wired networks the EAP exchange (EAPOL) is carried unencrypted
» Several EAP methods are used on wireless:
  • Cisco LEAP (proprietary and legacy; its challenge/response is open to offline dictionary attack, so do not deploy it)
  • EAP-TLS
  • PEAP
  • EAP-TTLS
  • EAP-SIM
» These methods are intended for use on untrusted networks such as wireless. PEAP and EAP-TTLS protect the inner credential exchange with a TLS tunnel, which is why server certificate validation matters later in this module.
802.1X EAP Overview
Three Components
• Supplicant: Client Station
• Authenticator: FortiGate Wireless Controller
• Authentication server: RADIUS server
1. Supplicant communicates with the authentication server through the authenticator
2. Authenticator repackages the EAP frames from 802.1X (EAPOL) into RADIUS EAP-Message attributes and forwards them to the authentication server
3. EAP exchange happens between supplicant and authentication server
4. On success, the server delivers EAP Success in a RADIUS Access-Accept, together with the keying material the authenticator needs for the 4-Way Handshake
5. Details of the EAP method are hidden from the authenticator
6. The wireless controller is EAP agnostic
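Step 2 on the wire, as an added example (not course material and not the FortiGate's implementation; standard library only, with the shared secret, identity, packet IDs and the stand-in "server" all constructed). The authenticator lifts the supplicant's EAP-Response/Identity out of EAPOL, wraps it in a RADIUS Access-Request with EAP-Message (attribute 79) and Message-Authenticator (attribute 80), and then checks the server's reply twice: the Response Authenticator proves the reply came from a holder of the shared secret, and the Message-Authenticator keeps the EAP-Message attributes from being altered. A reply that fails either check is discarded, which is what stops a host that does not know the secret from injecting an EAP-Success.

```python
"""Added example (not course material): the authenticator's EAP-over-RADIUS
encapsulation and the integrity checks on the server's reply (RFC 2865 3,
RFC 3579 3.2). Standard library only; secret, identity and IDs are constructed."""
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865 / RFC 3579)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11
USER_NAME, NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 61, 79, 80
WIRELESS_80211 = 19                     # NAS-Port-Type value for 802.11
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def eap_identity_response(eap_id: int, identity: bytes) -> bytes:
    """EAP packet as received in EAPOL from the supplicant: code, id, length, type, data."""
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 5 + len(identity)) + bytes([EAP_TYPE_IDENTITY]) + identity


def avp(t: int, value: bytes) -> bytes:
    """RADIUS attribute: type, length (including the 2-byte header), value."""
    return bytes([t, 2 + len(value)]) + value


def find_attr(attrs: bytes, wanted: int):
    """Return (offset, value) of the first attribute of the given type, or None."""
    i = 0
    while i + 2 <= len(attrs):
        t, ln = attrs[i], attrs[i + 1]
        if ln < 2 or i + ln > len(attrs):
            return None                                   # malformed; treat as absent
        if t == wanted:
            return i, attrs[i + 2:i + ln]
        i += ln
    return None


def access_request(secret: bytes, pkt_id: int, identity: bytes, eap: bytes, req_auth: bytes) -> bytes:
    """Authenticator -> server. EAP-Message is chunked at 253 bytes; Message-Authenticator
    is mandatory whenever EAP-Message is present and is HMAC-MD5 over the whole packet."""
    attrs = avp(USER_NAME, identity) + avp(NAS_PORT_TYPE, struct.pack("!I", WIRELESS_80211))
    attrs += b"".join(avp(EAP_MESSAGE, eap[i:i + 253]) for i in range(0, len(eap), 253))
    attrs += avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)     # placeholder, last attribute in the packet
    pkt = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(attrs)) + req_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_request(secret: bytes, req: bytes) -> bool:
    """Server-side check of an Access-Request's Message-Authenticator."""
    found = find_attr(req[20:], MESSAGE_AUTHENTICATOR)
    if found is None:
        return False
    off, ma = found
    zeroed = req[:20 + off + 2] + b"\x00" * 16 + req[20 + off + 18:]
    return hmac.compare_digest(ma, hmac.new(secret, zeroed, hashlib.md5).digest())


def server_reply(secret: bytes, request: bytes, code: int, eap_reply: bytes) -> bytes:
    """Constructed stand-in for the RADIUS server (not a real EAP server): answer with
    the given code and EAP-Message, signed with the Request Authenticator from the request."""
    pkt_id, req_auth = request[1], request[4:20]
    attrs = avp(EAP_MESSAGE, eap_reply) + avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", code, pkt_id, 20 + len(attrs))
    attrs = attrs[:-16] + hmac.new(secret, header + req_auth + attrs, hashlib.md5).digest()
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(secret: bytes, req_auth: bytes, resp: bytes) -> bool:
    """Authenticator-side checks on a server reply. Both must pass:
    1. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    2. Message-Authenticator = HMAC-MD5(secret, Code+ID+Length+RequestAuth+Attributes with it zeroed)"""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    resp_auth, attrs = resp[4:20], resp[20:]
    if not hmac.compare_digest(resp_auth, hashlib.md5(resp[:4] + req_auth + attrs + secret).digest()):
        return False
    found = find_attr(attrs, MESSAGE_AUTHENTICATOR)
    if found is None:
        return False                                      # EAP replies must carry one
    off, ma = found
    zeroed = attrs[:off + 2] + b"\x00" * 16 + attrs[off + 18:]
    return hmac.compare_digest(ma, hmac.new(secret, resp[:4] + req_auth + zeroed, hashlib.md5).digest())


def demo() -> dict:
    secret = b"constructed-shared-secret"
    req_auth = os.urandom(16)                             # fresh Request Authenticator per request
    eap = eap_identity_response(1, b"alice@example.com")  # from the supplicant's EAPOL frame
    req = access_request(secret, 42, b"alice@example.com", eap, req_auth)
    challenge = server_reply(secret, req, ACCESS_CHALLENGE, b"\x01\x02\x00\x06\x19\x20")  # EAP-Request/PEAP start
    forged = server_reply(b"wrong-secret", req, ACCESS_ACCEPT, b"\x03\x02\x00\x04")      # EAP-Success, no secret
    return {"request_ok": verify_request(secret, req),
            "challenge_ok": verify_response(secret, req_auth, challenge),
            "forged_ok": verify_response(secret, req_auth, forged)}


if __name__ == "__main__":
    print(demo())
```

The EAP payload itself is opaque here: the authenticator moves bytes between EAPOL and EAP-Message attributes and never parses the method, which is the concrete meaning of "EAP agnostic" in point 6. Note that both RADIUS checks rest on a shared secret and MD5; they protect against forgery from hosts that lack the secret, not against an attacker who can read the wire, so the FortiGate-to-RADIUS path still belongs on a trusted management network.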
WLAN Authentication: 802.1X EAP (diagram of supplicant, authenticator and authentication server)
FortiGate Configuration – Local Authentication
• In Local Authentication (Local EAP) the FortiGate is both the Authenticator and the Authentication Server. Only valid for PEAP.
» Create a local user and create a group that contains that user
» No remote server
FortiGate Configuration – Local Authentication
1. Configure the SSID with WPA/WPA2 Enterprise
2. Select Usergroup
3. Select the group(s)
FortiGate Configuration – Remote Authentication
1. Create a RADIUS Server (IP address and Secret)
2. Create a User Group and add the created server as a remote server
» No need to add users to the group; they come from RADIUS
FortiGate Configuration – Remote Authentication
1. Configure the SSID with WPA/WPA2 Enterprise
2. Select RADIUS Server
3. Select the server from the list
WPA/WPA2 Enterprise authentication - PEAP
• Wireless users are required to submit a username and password when using WPA/WPA2 Enterprise authentication.
Alert message from Wireless users
• By default, Windows 7 has "Validate server certificate" enabled.
• Wireless users will receive a warning message if the server certificate cannot be validated. They can Terminate or Connect.
Disable Validation Server certificate in Windows7
Click on Settings
» Caveat: disabling validation removes the only protection PEAP has against a rogue access point. A client that does not validate the server certificate will run its MSCHAPv2 exchange with any AP that advertises the same SSID, and the captured challenge/response can be attacked offline. Import the CA instead, as shown on the following slides.
Validate Server Certificate – FTG Local Groups
• If you want to enforce server certificate validation but prevent any warning message due to server certificate validation failure, you need to import the Authentication Server's CA certificate into the client.
» When using Local Groups, import the FortiGate default WiFi CA certificate into your client.
The Fortinet_Wifi certificate is embedded in the firmware and is the same on every FortiGate unit. Download the .cer file to your drive. It is CA signed.
» Because it ships with its private key on every unit, trusting it means trusting any FortiGate, not yours in particular. For production, use a certificate issued by your own CA or an external RADIUS server.
Import certificate FTG Wireless Cert in Win7
Import External Radius Cert - FortiAuthenticator
• When using an external RADIUS server, import the certificate from the RADIUS server instead of the FortiGate
» This is the CA certificate; export it and import it into your system. It must be placed in the Trusted Root CAs store.
Enable Server Certificate validation
» Check the same CA that displays in the warning
Captive Portal
• Used to authenticate wireless users
• Displays a web page containing an acceptable use policy or other information. This is called a captive portal.
• No matter what URL the user initially requested, the portal page is returned.
• Only after authenticating and agreeing to the usage terms can the user access web or any other resources.
Captive Portal Security
• There are several types of captive portal available:
» Disclaimer
» Authentication page
» Email harvesting
» Other…
• Captive portal authentication methods:
» Local users
» LDAP
» RADIUS
» TACACS+
» FSSO agent
Captive Portal Security
• Can be configured in several places:
» SSID – implies an Open SSID
» Interface (applicable for Local Bridge SSIDs)
» User Identity Policy
» Device Identity Policy
• Which page is shown depends on whether user groups are selected:
» No user groups → Disclaimer page
» User groups → Authentication page
• Because the SSID is open, the air interface is unencrypted; the portal login page must be served over HTTPS or the credentials are exposed to anyone in range.
Captive Portal
(Screenshots: Disclaimer Only Page, Authentication Page)
Captive Portal
• Multiple captive portal replacement messages allow customized login screens based on SSIDs
Captive Portal – Under User Identity Policy
(Screenshots: Disclaimer Page, Authentication Page)
Guest Access and Receptionist Services
• A guest user is also an authenticated user, but the account has an expiration time
• The user account can be created by a regular admin or by a special-purpose admin account that can only create guest users
• That account has limited portal access, designed only for a receptionist to assign temporary/guest user accounts and to email, SMS or print the logon credentials
• Guest access applies to both wired and wireless users
1. Need to create a User Group of type Guest
2. Need to create an admin user for guest management
» The admin may create guest accounts under User > User Group > Guest Management
Guest Access
• Create a User Group of type Guest
Guest Access
• Create a Guest User under a selected guest group
1. Select the group
2. Create new
3. Fill in the information
Guest Access
• Admin user for guest management
Guest Access
• Guest management portal
Guest Access
• Create a new guest
Guest Access
• Distribute guest credentials by printing, email or SMS
• Captive portal needs to be set on the interface users connect from
» This affects all traffic, therefore no traffic will pass without a valid account for the captive portal
• diag test user list
» Current list of guest accounts
• It is possible to extend guest access and create a self-provisioning portal by adding FortiAuthenticator to the solution.
Single Sign-on For Wireless Users
• Wireless client user authentication can be re-used in an identity firewall policy
» Wireless WPA and WPA2 Enterprise
• This allows users who connect to the same SSID but belong to different authentication groups to have different security policies
Single Sign-on For Wireless Users
• Example: when an SSID uses WPA/WPA2-Enterprise authentication, the user login can be reused in an identity policy
Single Sign-on For Wireless Users
(Screenshot: identity-based policy using the wireless user group)
FortiAuthenticator
• FortiAuthenticator can be an Authentication Server for EAP; it can also be used in the wireless solution as a user self-service portal, which is presented in the following use case.
User Self-Registration
• User self-registration is different from receptionist registration
» The receptionist already has network access, and the guest and receptionist can be on different networks. In this situation the wireless captive portal is suitable.
» With self-registration, the FAC registration portal must be accessible for the user to self-register. The wireless captive portal is therefore not suitable, as the user needs to log on before they can access the network to self-register (catch-22). Open wireless with an identity-based policy is therefore required.
» Configure the AP as Open Access (CLI, or via GUI if the display option is checked – FOS 5.0 only)
config wireless-controller vap
    edit <SSID Name>
        set security open
    next
end
User Self-Registration
• FortiGate Captive Portal
» On connection to the captive-portal-configured AP, the user is notified that additional authentication is needed
» The user accepts the T&Cs and can enter the newly created credentials to gain access to the network
User Self-Registration
• Create an Identity Based Policy authenticating against the FortiAuthenticator RADIUS
• Customize the authentication message to include a link to the FAC
User Self-Registration
• Create a more explicit rule above the catch-all identity-based policy allowing traffic to the FortiAuthenticator.
• There is also the option to create a walled garden here to allow unauthenticated users access, e.g. to a hotel information web site.
» Keep the walled garden to the FAC registration portal and any deliberately public hosts; whatever is reachable before login is reachable by every device on the open SSID.
User Self-Registration
• When the user tries to browse to content, they will be blocked and prompted to log in.
• Customise the login form to include a redirect to the FortiAuthenticator to create a login
Lab
• 802.1X/EAP with local user groups
• Captive Portal