Example Security Profile with 802.1X RADIUS
In the following example, the Security Profile 8021x-data is created. It supports 802.1X authentication and uses the RADIUS profile main-auth to enable the primary RADIUS authentication server and the backup-auth profile for the secondary RADIUS server.
default(config)# security-profile 8021x-data default(config‐security)# allowed-l2-modes 802.1x default(config‐security)# radius‐server primary main‐auth default(config‐security)# radius‐server secondary backup‐auth default(config‐security)# exit default(config)# exit
802.1X PTK Rekey
With the 802.1X PTK rekey feature, whenever the rekey interval expires, the Access Point sends a unicast key and a broadcast key to the client. These two key packets are NOT encrypted.
To enable 802.1X PTK rekey, enter the following command from the Security Profile configuration: (n can be from 0 to 65535 (60 minutes), and is specified in seconds) default(config‐security)# rekey period n
To disable 802.1X PTK rekey, enter the following command from the Security Profile configuration:
default(config‐security)# rekey period 0
802.1X GTK Rekey
To configure the 802.1X GTK rekey period, from the Security Profile configuration, add the following command (the rekey period is specified in seconds): default(config‐security)# group-rekey interval n
To disable 802.1X GTK rekey, enter the following command from the Security Profile configuration:
default(config‐security)# no group-rekey interval
802.1X RADIUS Server Command Summary
The following commands are used to configure the RADIUS servers:
TABLE 14: Commands to Configure the 802.1X RADIUS Servers
| Command | Purpose |
| radius-profile name | Creates a RADIUS server profile with the specified name and enters RADIUS profile configuration submode (maximum 16 characters). |
| description text | Configures a description of the profile (maximum 128 characters). |
| ip-address ip-address | Configures the IP address of the RADIUS profile (required parameter). |
| key key | Specifies the shared secret text string used by the controller for the RADIUS profile (required parameter if password-type is shared-secret).
Maximum 64 characters. |
| password-type shared-secret | macaddress | Specifies whether the password type is the RADIUS key (shared-secret) or is the MAC address of the client, as determined by the client setup in RADIUS for MAC Filtering configuration. |
| mac-delimiter colon | hyphen | singlehyphen | none | Optional. Sets the RADIUS profile delimiter character. |
| port port | Optional. Configures the RADIUS profile port (the default port 1812, is configured by default). |
| vlan vlan | Optional. Configures a VLAN for the RADIUS server. Use the command if the RADIUS server is located on a VLAN so that RADIUS requests are sent to the VLAN interface instead of default/untagged interface. |
| pmkcaching pmkcaching | disable | Enables or disables PMK caching. |
| rekey period n | Sets the PTK rekey period. The default is set to 60 seconds and the allowable range is 60 seconds to 60 minutes. |
| [no] group-rekey interval n | Sets the GTK group rekey period. The default is set to 60 seconds and the allowable range is 60 seconds to 60 minutes |
TABLE 15: Commands Used to Create Security Profiles
| Command | Purpose |
| allowed-l2-modes 802.1x | In Security Profile configuration, enables 802.1X authentication. |
TABLE 15: Commands Used to Create Security Profiles
| radius-server primary profile | In Security Profile configuration, specifies the RADIUS profile containing the configuration parameters for the primary RADIUS server. |
| radius-server secondary profile | Optional. In Security Profile configuration, specifies the RADIUS profile containing the configuration parameters for the secondary RADIUS server. |
| rekey multicast-enable | Optional. In Security Profile configuration, enable the multicast key broadcast. |
| [no] 8021x-network-initiation | In Security Profile configuration, determines 802.1X initiation method. When enabled (default), the AP sends the first EAP packet (an EAP ID request) to the wireless station to start 802.1X after the wireless station completes 802.11 authentication and association to an 802.1X-enabled ESSID. With the command no 8021x-network-initiation, the wireless station sends an EAPOL Start packet to the AP to start the 802.1X exchange. |
Configure WPA2 With the CLI
The controller supports the WPA2 standard that includes CCMP encryption which is considered extremely secure. Implementing WPA2 provides the highest level of security that the Fortinet Wireless LAN System offers.
Additionally, if 802.1X is implemented at the site, automatic key exchange is provided by the RADIUS server. Existing primary and secondary RADIUS Server Profiles can be assigned from within the Security Profile to leverage the existing 802.1X authentication. Otherwise, the WPA2-PSK configuration can be implemented.
Example WPA2 Configuration
To configure WPA2 security with the Web UI, click Configuration > Security > Profile. Click Help for option details.
The following CLI example creates the profile named wpa2-ccmp that enables WPA2 for Layer 2, sets the encryption mode to CCMP-AES, and names the RADIUS server in the mainauth profile as the primary RADIUS authentication server.
default(config)# security-profile wpa2-ccmp default(config‐security)# allowed-l2-modes wpa2 default(config‐security)# encryption‐modes ccmp default(config‐security)# radius‐server primary main‐auth default(config‐security)# exit default(config)# exit
Example WPA2-PSK Configuration
To configure security with the Web UI, click Configuration > Security > Profile. Click Help for option details.
When setting the PSK key with the CLI, use a key from 8 to 63 ASCII characters (the characters ! \ ” ? must be escaped with the backslash (\) character; for example \! \?) or 64 hex characters (hex keys must be prefixed with “0x” or the key will not work).
The following example creates the profile named wpa2-psk that enables WPA2-PSK for Layer 2, sets the encryption mode to CCMP, and sets the preshared key to theSecretKeyForNov28.
default(config)# security-profile wpa2-psk default(config‐security)# allowed-l2-modes wpa2-psk default(config‐security)# encryption‐modes ccmp default(config‐security)# psk key theSecretKeyForNov28 default(config‐security)# exit default(config)# exit
Opportunistic PMK Caching for WPA
Opportunistic PMK caching allows the controller, acting as the 802.1X authenticator, to cache the results of a full 802.1X authentication so that if a client roams to any AP associated with that controller, the wireless client needs to perform only the 4-way handshake and determine new pair-wise transient keys. PMK caching is supported only for KDDI phones when using WPA with TKIP and 802.1X authentication.
The system automatically detects the KDDI phone using the KDDI Vendor ID and applies PMK caching if available.
From with the Security Profile configuration, enable or disable PMK caching for KDDI phones. This option is only available when WPA is chosen for L2 encryption.
To enable PMK caching, add the following line to the WPA Security Profile configuration: default(config‐security)# pmkcaching enabled
To disable PMK caching, execute the following command at the WPA Security Profile configuration:
default(config‐security)# pmkcaching disabled
Configure 802.11 WEP Encryption
The controller supports two WEP cypher suites: WEP128 and WEP64.
The key configuration parameters allow the setting of the mutually shared key and the choice of key slot positions from 1 to 4, as allowed by most user key configuration programs.
Example 802.11 WEP Configuration
The following example creates the profile named wep- that supports a static 128-bit WEP encryption for users. The static WEP key is defined as and uses the third key index position on a user station’s WEP key definition.
default(config)# security-profile wepdefault(config‐security)# allowed-l2-modes wep default(config‐security)# encryption-modes wep128 default(config‐security)# static-wep key default(config‐security)# static-wep key-index 3 default(config‐security)# exit default(config)# exit default#
802.11 WEP Command Summary
The following summarizes the commands that can be used to configure 802.11 WEP security.
TABLE 16: Commands to Configure 802.11 WEP Security
| Command | Purpose |
| encryption-modes wep128|wep64 | Sets the cipher suite to WEP128, or WEP64 respectively. |
| static-wep key key | Sets the WEP key:
• For WEP64, also known as WEP or WEP40, the key is a 5-character ASCII (for example, 123de) or 10-character hex key (for example, 0x0123456789) (the 0x prefix must be entered). • For WEP128, the key must be 13 ASCII characters or 26 hex digits (the 0x prefix must be entered). |
| static-wep key-index position | Sets which WEP key is in use. position can be set from 1 to 4. |
| allowed-l2-modes wep | clear | Enables or disables 802.11 WEP security. The clear option sets the mode to open. |
Checking a CLI Configuration
To view all Security Profiles currently configured, use the show security-profile command.
# sh security‐profile
Profile Name L2 Mode Data Encrypt Firewall Filter
default clear none captive‐portal clear none wep wep wep64 802.1x 802.1x wep128 wpa wpa tkip wpapsk wpa‐psk tkip wpa2 wpa2 ccmp wpa2psk wpa2‐psk ccmp
Security Profile Table(8)
To view the details of an individual Security Profile, use the show security-profile profile-name command.
default# show security-profile wpa-leap
Security Profile Table
Security Profile Name : wpa‐leap
L2 Modes Allowed : 802.1x
Data Encrypt : none
Primary RADIUS Profile Name : ACS‐87‐8#
Secondary RADIUS Profile Name :
WEP Key ASCII:(default) 13 chars / 0x:26 chars : *****
Static WEP Key Index : 1
Re‐Key Period (seconds) : 0
Enable Multicast Re‐Key : off
Captive Portal : disabled
802.1X Network Initiation : on
Tunnel Termination : PEAP, TTLS
Shared Key Authentication : off
Pre‐shared Key (Alphanumeric/Hexadecimal) : *****
Group Keying Interval (seconds) : 0
PMK Caching : disabled
Key Rotation : disabled
Reauthentication : off MAC Filtering : off
Firewall Capability : none
Firewall Filter ID :
Security Logging : off
Use the commands show web login-page and show web custom-area to find out what set of web pages are used for Captive Portal and WebAuth.