Configuring WPA2-CCMP-AES security profile.
KB ARTICLE TYPE: Configuration
RELATED PRODUCTS: controller
RELATED SOFTWARE VERSIONS:
KEYWORDS: WPA2, MAC address, encryption
CONFIGURATION STEPS:
RADIUS Profile
To configure RADIUS profile parameters:
1) In the RADIUS Profile Name box, type the name of the RADIUS profile. The name can be up to 16 alphanumeric characters long and cannot contain spaces.
2) In the Description text box, add some descriptive text about the RADIUS profile. A maximum of 128 characters of text can be added.
3) In the RADIUS IP text boxes, add the IP address of the RADIUS server.
4) In the RADIUS Secret text box, add the shared secret that is configured for the RADIUS server. The key can be a maximum of 64 characters.
5) In the RADIUS Port text box, leave the default authentication port, 1812, unless the RADIUS server listens on a non-default port or this profile is for a RADIUS accounting server, which uses port 1813 by default.
6) In the MAC Address Delimiter drop-down list, select the delimiter used on the RADIUS server to separate the fields of a MAC address. The controller formats client MAC addresses this way when it sends them to the RADIUS server (for example for MAC filtering), so the RADIUS user entries must be written in the same form. The options are:
None--No delimiter is used (xxyyzzaabbcc).
Hyphen (-)--A hyphen separates every byte (xx-yy-zz-aa-bb-cc). This is the default.
Single Hyphen (-)--A single hyphen separates the two halves (xxyyzz-aabbcc).
Colon (:)--A colon separates every byte (xx:yy:zz:aa:bb:cc).
7) Click OK to complete the RADIUS profile configuration, then save the settings and exit the window.
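The four delimiter settings in step 6 decide the exact string the RADIUS server must hold for a client. The following helper, added here as an example and not part of the Fortinet/Meru article, formats a MAC address in each of those styles so that RADIUS user entries can be generated to match. The function names, the lower-case normalisation and the FreeRADIUS-style users-file line are assumptions for illustration; the article does not state which letter case the controller uses, so check a live RADIUS request before relying on the case.

```python
# Added example (not from the Fortinet/Meru KB article): format a client MAC
# address the way the controller presents it to RADIUS for each
# "MAC Address Delimiter" setting, so matching RADIUS user entries can be made.
# The style names mirror the article's options; normalisation to lower case and
# the users-file syntax are assumptions for illustration.
import re

DELIMITER_STYLES = ("none", "hyphen", "single_hyphen", "colon")


def normalize_mac(mac: str) -> str:
    """Return the 12 lower-case hex digits of a MAC, whatever separators it had."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits.lower()


def format_mac(mac: str, style: str) -> str:
    """Format a MAC for the given controller delimiter setting.

    none          -> xxyyzzaabbcc
    hyphen        -> xx-yy-zz-aa-bb-cc   (the controller default)
    single_hyphen -> xxyyzz-aabbcc
    colon         -> xx:yy:zz:aa:bb:cc
    """
    d = normalize_mac(mac)
    pairs = [d[i:i + 2] for i in range(0, 12, 2)]
    if style == "none":
        return d
    if style == "hyphen":
        return "-".join(pairs)
    if style == "single_hyphen":
        return d[:6] + "-" + d[6:]
    if style == "colon":
        return ":".join(pairs)
    raise ValueError(f"unknown delimiter style: {style!r}")


def radius_users_entry(mac: str, style: str) -> str:
    """One FreeRADIUS 'users'-file line for MAC authentication, where the MAC is
    sent as both User-Name and password (a FreeRADIUS convention assumed here;
    the article does not describe the server side)."""
    m = format_mac(mac, style)
    return f'{m}\tCleartext-Password := "{m}"'


if __name__ == "__main__":
    sample = "00:0C:E6:12:34:AB"  # constructed sample client MAC
    for style in DELIMITER_STYLES:
        print(f"{style:14} {radius_users_entry(sample, style)}")
```

Generate the entries with the style that matches the controller's delimiter setting; a mismatch (for example entries stored with colons while the controller sends hyphens) fails every MAC lookup silently on the RADIUS side.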
Security Profile
GUI Steps (this profile requires an 802.1X RADIUS server that supports one of the EAP types used by the clients)
STEP 1: Launch the WebUI of the controller > click Configuration > click Profile under Security >> click the <Add> button
STEP 2: Give the security profile a name (1-32 characters). If the name contains spaces or special characters, enclose it in double quotation marks (" ").
STEP 3: Select WPA2 under L2 Modes Allowed
STEP 4: Select CCMP-AES as the Data Encrypt mode
STEP 5: From the Primary RADIUS Profile Name list, select one of the configured RADIUS server profiles to use as the primary server (the profile created in the RADIUS Profile section above)
STEP 6: Leave the remaining settings at their defaults >> click OK and save the settings
CLI Steps:
STEP 1: Open the CLI of the controller through SSH, telnet or a serial console (for example HyperTerminal)
STEP 2: Enter configuration mode and use the following commands
STEP 3: MeruController1# configure terminal
MeruController1(config)# security-profile WPA2
MeruController1(config-security)# allowed-l2-modes wpa2
MeruController1(config-security)# encryption-modes ccmp
MeruController1(config-security)# radius-server primary test
MeruController1(config-security)# exit
MeruController1(config)# exit
MeruController1#
STEP 4: Save the running config to startup config
STEP 5: Use the following command to see the security profile MeruController1# sh security-profile WPA2
TEST RESULTS:
MeruController1# sh security-profile WPA2
Security Profile Table | |
Security Profile Name | WPA2 |
L2 Modes Allowed | wpa2 |
Data Encrypt | ccmp |
Primary RADIUS Profile Name | test |
Secondary RADIUS Profile Name | |
WEP Key (Alphanumeric/Hexadecimal) | ***** |
Static WEP Key Index | 1 |
Re-Key Period (seconds) | 0 |
Captive Portal | disabled |
802.1X Network Initiation | on |
Shared Key Authentication | off |
Pre-shared Key (Alphanumeric/Hexadecimal) | ***** |
Group Keying Interval (seconds) | 0 |
Key Rotation | disabled |
Reauthentication | on |
MAC Filtering | off |
Firewall Capability | none |
Firewall Filter ID | |
Security Logging | off |
Allow mentioned IP/Subnet to pass through Captive portal | 0.0.0.0 |
Subnet Mask for allowed IP/Subnet to pass through Captive portal | 0.0.0.0 |
MeruController1#
Expected behavior:
Once all parameters are set as above, wireless clients that are configured for WPA2-Enterprise with an EAP type the RADIUS server accepts authenticate through RADIUS and their traffic is encrypted with CCMP (AES). Clients should be set to validate the RADIUS server's certificate, and the shared secret on the controller must match the one on the RADIUS server, otherwise authentication fails.
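A quick way to confirm that a profile really matches this configuration is to parse the `sh security-profile` output and check the security-relevant fields. The script below is an added example, not part of the Fortinet/Meru article or product: it reads the article's own test output (copied above as the good sample) and a constructed weaker sample, and reports any field that departs from WPA2-only, CCMP-only, 802.1X with a primary RADIUS profile. The field names are those in the article's output; the check list is an assumption.

```python
# Added example (not from the Fortinet/Meru KB article): parse the output of
# "sh security-profile <name>" and check that the profile enforces WPA2 with
# CCMP-AES and 802.1X/RADIUS. Field names come from the article's test output;
# the list of checks and the weaker second sample are constructed for illustration.

# Copied from the article's TEST RESULTS block (prompt line included).
GOOD_OUTPUT = """\
Security Profile Table | |
Security Profile Name | WPA2 |
L2 Modes Allowed | wpa2 |
Data Encrypt | ccmp |
Primary RADIUS Profile Name | test |
Secondary RADIUS Profile Name | |
WEP Key (Alphanumeric/Hexadecimal) | ***** |
Static WEP Key Index | 1 |
Re-Key Period (seconds) | 0 |
Captive Portal | disabled |
802.1X Network Initiation | on |
Shared Key Authentication | off |
Pre-shared Key (Alphanumeric/Hexadecimal) | ***** |
Group Keying Interval (seconds) | 0 |
Key Rotation | disabled |
Reauthentication | on |
MAC Filtering | off |
Firewall Capability | none |
Firewall Filter ID | |
Security Logging | off |
Allow mentioned IP/Subnet to pass through Captive portal | 0.0.0.0 |
Subnet Mask for allowed IP/Subnet to pass through Captive portal | 0.0.0.0 |
MeruController1# |
"""

# Constructed sample: also allows legacy WPA/TKIP and has no RADIUS server.
WEAK_OUTPUT = """\
Security Profile Name | Legacy |
L2 Modes Allowed | wpa2 wpa |
Data Encrypt | ccmp tkip |
Primary RADIUS Profile Name | |
802.1X Network Initiation | off |
Shared Key Authentication | on |
Reauthentication | off |
"""


def parse_profile(output: str) -> dict:
    """Turn 'Field | value |' lines into a dict; skips the table title and prompt."""
    fields = {}
    for line in output.splitlines():
        if "|" not in line:
            continue
        key, value = (part.strip() for part in line.split("|", 2)[:2])
        if not key or key.endswith("#") or key == "Security Profile Table":
            continue
        fields[key] = value
    return fields


def audit_wpa2_ccmp(output: str) -> list:
    """Return findings; an empty list means the profile matches the
    WPA2 / CCMP-AES / 802.1X configuration described in the article."""
    p = parse_profile(output)
    findings = []
    modes = set(p.get("L2 Modes Allowed", "").lower().split())
    if modes != {"wpa2"}:
        findings.append(f"L2 Modes Allowed should be exactly 'wpa2', got {sorted(modes)}")
    ciphers = set(p.get("Data Encrypt", "").lower().split())
    if ciphers != {"ccmp"}:
        findings.append(f"Data Encrypt should be exactly 'ccmp', got {sorted(ciphers)}")
    if not p.get("Primary RADIUS Profile Name"):
        findings.append("no primary RADIUS profile: 802.1X has no authentication server")
    if p.get("802.1X Network Initiation", "").lower() != "on":
        findings.append("802.1X Network Initiation is not 'on'")
    if p.get("Shared Key Authentication", "").lower() != "off":
        findings.append("Shared Key Authentication is enabled")
    if p.get("Reauthentication", "").lower() != "on":
        findings.append("Reauthentication is not 'on'")
    return findings


if __name__ == "__main__":
    for name, sample in (("WPA2", GOOD_OUTPUT), ("Legacy", WEAK_OUTPUT)):
        problems = audit_wpa2_ccmp(sample)
        print(name, "OK" if not problems else "\n  " + "\n  ".join(problems))
```

Paste the live output of `sh security-profile <name>` into the script in place of the good sample; any finding means the profile differs from the configuration above and should be corrected before clients are moved onto it.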
Copyright 2024 Fortinet, Inc. All Rights Reserved.