redes:firewalls:fortinet:fortiap
Tabla de Contenidos
FortiGate como controlador Wireless
A partir de la versión de FortiOS 4.0 MR2 ya se soporta la funcionalidad de Controlador Wireless o lo que se conoce como Wireless Centralizado. Consiste en una funcionalidad que nos permite tener Access Points distribuidos, pero controlando los accesos y la seguridad desde un punto centralizado.
FortiAP
Administración
Ejemplo de configuración de IP y de controlador Wireless
cfg -a ADDR_MODE=STATIC cfg -a AP_IPADDR=192.168.1.100 cfg -a AP_NETMASK=255.255.255.0 cfg -a IPGW=192.168.1.1 cfg -a AC_DISCOVERY_TYPE=1 cfg -a AC_IPADDR_1=192.168.1.155 cfg -c
FortiAP CLI
http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-wireless-54/reference-fortiap-cli.htm
The FortiAP CLI controls radio and network operation through the use of variables manipulated with the cfg command. There are also diagnostic commands.
The cfg command include the following
cfg -s | List variables. |
cfg -a var=value | Add or change a variable value. |
cfg -c | Commit the change to flash. |
cfg -x | Reset settings to factory defaults. |
cfg -r var | Remove variable. |
cfg -e | Export variables. |
cfg -h | Display help for all commands. |
The configuration variables are:
| Var | Description and Values |
|---|---|
AC_CTL_PORT | WiFi Controller control (CAPWAP) port. Default 5246. |
AC_DATA_CHAN_SEC | Data channel security.0 - Clear text1 - DTLS (encrypted)2 - Accept either DTLS or clear text (default) |
AC_DISCOVERY_TYPE | 1 - Static. Specify WiFi Controllers2 - DHCP3 - DNS5 - Broadcast6 - Multicast0 - Cycle through all of the discovery types until successful. |
AP_IPADDRAP_NETMASKIPGW | These variables set the FortiAP unit IP address, netmask and default gateway when ADDR_MODE is STATIC.Default 192.168.1.2 255.255.255.0, gateway 192.168.1.1. |
AC_HOSTNAME_1AC_HOSTNAME_2AC_HOSTNAME_3 | WiFi Controller host names for static discovery. |
AC_IPADDR_1AC_IPADDR_2AC_IPADDR_3 | WiFi Controller IP addresses for static discovery. |
AC_DISCOVERY_DHCP_OPTION_CODE | Option code for DHCP server. Default 138. |
AC_DISCOVERY_MC_ADDR | Multicast address for controller discovery. Default 224.0.1.140. |
ADDR_MODE | How the FortiAP unit obtains its IP address and netmask.DHCP - FortiGate interface assigns address.STATIC - Specify in AP_IPADDR and AP_NETMASK.Default is DHCP. |
ADMIN_TIMEOUT | Administrative timeout in minutes. Applies to Telnet and web-based manager sessions. Default is 5 minutes. |
AP_MGMT_VLAN_ID | Non-zero value applies VLAN ID for unit management. Default: 0. |
AP_MODE | FortiAP operating mode.0 - Thin AP (default)2 - Unmanaged Site Survey mode. See SURVEY variables. |
BAUD_RATE | Console data rate: 9600, 19200, 38400, 57600, or 115200 baud. |
DNS_SERVER | DNS Server for clients. If ADDR_MODE is DHCP the DNS server is automatically assigned. |
FIRMWARE_UPGRADE | Default is 0. |
HTTP_ALLOW | Access to FortiAP web-based manager1 - Yes (default), 0 - No. |
LED_STATE | Enable/disable status LEDs.0 - LEDs enabled, 1 - LEDs disabled, 2 - follow AC setting. |
LOGIN_PASSWD | Administrator login password. By default this is empty. |
STP_MODE | Spanning Tree Protocol. 0 is off. 1 is on. |
TELNET_ALLOW | By default (value 0), Telnet access is closed when the FortiAP unit is authorized. Set value to 1 to keep Telnet always available. |
WTP_LOCATION | Optional string describing AP location. |
| Mesh variables | |
MESH_AP_TYPE | Type of communication for backhaul to controller:0 - Ethernet (default)1 - WiFi mesh2 - Ethernet with mesh backup support |
MESH_AP_SSID | SSID for mesh backhaul. Default: fortinet.mesh.root |
MESH_AP_BSSID | WiFi MAC address |
MESH_AP_PASSWD | Pre-shared key for mesh backhaul. |
MESH_ETH_BRIDGE | 1 - Bridge mesh WiFi SSID to FortiAP Ethernet port. This can be used for point-to-point bridge configuration. This is available only when MESH_AP_TYPE =1.0 - No WiFi-Ethernet bridge (default). |
MESH_MAX_HOPS | Maximum number of times packets can be passed from node to node on the mesh. Default is 4. |
| The following factors are summed and the FortiAP associates with the lowest scoring mesh AP. | |
MESH_SCORE_HOP_WEIGHT | Multiplier for number of mesh hops from root. Default 50. |
MESH_SCORE_CHAN_WEIGHT | AP total RSSI multiplier. Default 1. |
MESH_SCORE_RATE_WEIGHT | Beacon data rate multiplier. Default 1. |
MESH_SCORE_BAND_WEIGHT | Band weight (0 for 2.4GHz, 1 for 5GHz) multiplier. Default 100. |
MESH_SCORE_RSSI_WEIGHT | AP channel RSSI multiplier. Default 100. |
| Survey variables | |
SURVEY_SSID | SSID to broadcast in site survey mode (AP_MODE=2). |
SURVEY_TX_POWER | Transmitter power in site survey mode (AP_MODE=2). |
SURVEY_CH_24 | Site survey transmit channel for the 2.4Ghz band (default 6). |
SURVEY_CH_50 | Site survey transmit channel for the 5Ghz band (default 36). |
SURVEY_BEACON_INTV | Site survey beacon interval. Default 100msec. |
Diagnose commands include:
cw_diag help | Display help for all diagnose commands. |
cw_diag uptime | Show daemon uptime. |
cw_diag –tlog <on|off> | Turn on/off telnet log message. |
cw_diag –clog <on|off> | Turn on/off console log message. |
cw_diag baudrate [9600 | 19200 | 38400 | 57600 | 115200] | Set the console baud rate. |
cw_diag plain-ctl [0|1] | Show or change current plain control setting. |
cw_diag sniff-cfg ip port | Set sniff server ip and port. |
cw_diag sniff [0|1|2] | Enable/disable sniff packet. |
cw_diag stats wl_intf | Show wl_intf status. |
cw_diag admin-timeout [30] | Set shell idle timeout in minutes. |
cw_diag -c wtp-cfg | Show current wtp config parameters in control plane. |
cw_diag -c radio-cfg | Show current radio config parameters in control plane. |
cw_diag -c vap-cfg | Show current vaps in control plane. |
cw_diag -c ap-rogue | Show rogue APs pushed by AC for on-wire scan. |
cw_diag -c sta-rogue | Show rogue STAs pushed by AC for on-wire scan. |
cw_diag -c arp-req | Show scanned arp requests. |
cw_diag -c ap-scan | Show scanned APs. |
cw_diag -c sta-scan | Show scanned STAs. |
cw_diag -c sta-cap | Show scanned STA capabilities. |
cw_diag -c wids | Show scanned WIDS detections. |
cw_diag -c darrp | Show darrp radio channel. |
cw_diag -c mesh | Show mesh status. |
cw_diag -c mesh-veth-acinfo | Show mesh veth ac info, and mesh ether type. |
cw_diag -c mesh-veth-vap | Show mesh veth vap. |
cw_diag -c mesh-veth-host | Show mesh veth host. |
cw_diag -c mesh-ap | Show mesh ap candidates. |
cw_diag -c scan-clr-all | Flush all scanned AP/STA/ARPs. |
cw_diag -c ap-suppress | Show suppressed APs. |
cw_diag -c sta-deauth | De-authenticate an STA. |
Troubleshooting
Para la gestión de problemas en el controlador wireless de FortiOS siempre es aconsejable de antemano que el controlador apunte a un Syslog para poder analizar los mensajes de debug.
Entre otras cosas, necesitamos tener presente por ejemplo el siguiente puerto donde va el tráfico CAPWAP
- UDP/5246
- UDP/5247
Lo primero que debemos hacer es verificar si el equipo efectivamente se esta comunicando con el controlador :
- fap-get-status
- diagnose sniff packet any “port 5246 and src [IP FortiAP]” 4
Opción I
Activar debug en el FortiAP :
cw_diag plain-ctl 1 cw_debug app cwWtpd 0x7fff
Desde el controlador :
diag wireless-controller wlac plain-ctl [FortiAP S/N]
Desactivar el debug desde el FortiAP :
cw_debug app cwWtpd 0x0
Opción II
Verificar tráfico entre el cliente y el FortiAP desde el controlador :
diagnose wireless-controller wlac sta_filter clear diagnose wireless-controller wlac sta_filter [MAC_CLIENTE] 2 diagnose debug enable
Verificar tráfico entre el controlador y el FortiAP :
diagnose wireless-controller wlac wtp_filter [FortiAP S/N] 0-[IP FortiAP]:5246 2 diagnose de console timestamp en diagnose de application cw_acd 0x7ff diagnose de en
En ambos casos para finalizar el debug :
Controlador
diagnose debug disable
Referencias
redes/firewalls/fortinet/fortiap.txt · Última modificación: 2017/09/25 14:53 por cayu