
Fortinet WLAN Controller Refresh

  • 3 new FortiWLC Controllers:
    • AP capacity equivalent to MC1550, MC3200 and MC4200.
    • higher performance (faster CPU – will provide more details later).
    • complete transition to Fortinet branding.
    • FortiWLC controllers run System Director 8.1 (an SD 8.0 minor release).



Introduction to Wireless Local Area Network

Wireless Network:

A wireless local-area network (WLAN) uses radio waves to connect devices such as laptops to the Internet and to your business network and its applications. When you connect a laptop to a WiFi hotspot at a cafe, hotel, airport lounge, or other public place, you are connecting to that business's wireless network.

• Why WLAN?
• Mobility
  ▫ Increases working efficiency and productivity.
  ▫ Roaming support: extended on-line times -> universal access & seamless services
• No new wiring, and installation in difficult-to-wire areas
  ▫ Offices, public places, and homes
  ▫ Factories, vehicles, roads, and railroads
• Reduced installation time
  ▫ No cabling time
  ▫ Easy setup

How are Wireless LANs (WLANs) Similar to (wired) LANs?


First blog post

Hi there,

I am an IT networking professional with extensive experience in WiFi and security, working with a leading security company as a Sr. Wireless Expert and Field Support Engineer. My passion for wireless has driven me this far, and I am pleased to introduce myself as a WiFi engineer.

Wireless experts' blogs and other WiFi communities have always been so helpful in finding solutions for all my questions. I am very excited and happy to share my thoughts and experience about wireless and security.


Useful Wireless Troubleshooting commands for windows clients

#To display all wireless interfaces:
netsh wlan show interfaces

#To show the wireless drivers installed, run this command. This is particularly interesting because exploits in drivers do exist, and most admins do not pay as close attention to driver versions as to other types of software:
netsh wlan show drivers

#To list available wireless networks (similar to Linux's iwlist scan option):
netsh wlan show networks

#To view the profiles of networks saved on this machine:
netsh wlan show profiles

#To make Windows connect to the specified profile (usually named after the SSID of the network):
netsh wlan connect name="ProfileName"

#To export the profile details to an XML file (which includes an encrypted version of the PSK, if applicable):
netsh wlan export profile name="ProfileName"

#Now, crucially, here are the commands to turn a Windows 7 (or Server 2008 R2) machine into an access point that shares its existing wireless connection out to others:
netsh wlan set hostednetwork mode=allow ssid=SomeSSID key=passphrase

#The hosted network is now created but not yet started. To start it, issue the command:
netsh wlan start hostednetwork

#Your Windows box is now advertising a network "SomeSSID" (in this case) which other machines can connect to. No notification is given on the Windows box that this has happened, and no further notification happens when someone connects.

AirCapture with MacBook

Sniffing air traffic with a MacBook is easy; just follow the steps below:
1.) Quit all open applications.
2.) Try to join the Wi-Fi network that you are having issues with, if you are not already connected.
3.) Open Wireless Diagnostics. Tip: hold down the Option key and then click the Wi-Fi menu extra.
4.) Enter your admin name and password when prompted.
5.) In Wireless Diagnostics, choose Window > Sniffer.
6.) Choose the appropriate channel and channel width as per your wireless AP radio configuration.

Start the capture and click Stop when you are done. A capture file will be placed on the desktop.

I also found a video by benmiller on the same topic:

http://www.sniffwifi.com/2013/10/how-to-capture-wifi-free-in-mac-os-x.html

COA | Change Of Authorization

RFC 3576
UDP port 3766 | IEEE

>Change of Authorization is used to ask a network switch, router or WiFi controller to disconnect a user, time out a session, or bounce the port of an existing user session on the network.
>Mostly, an AAA server is used to record the user accounting information, and based on the user's activity or time the user is then disconnected from the network or the session is timed out.
>The network device sends the accounting information to an AAA server.
>The AAA server keeps track of user information such as device MAC address, user session ID, username, Framed-IP-Address and more, based on what it receives in the accounting request.
>RADIUS accounting request traffic is sent only after a successful authentication.
>You can configure interim accounting updates about the user to be sent to the accounting server. These interim updates help in scenarios where you want to disconnect a user after a certain amount of bandwidth has been used. Default interval: 300 sec.

#Things to remember while working on a COA setup:
>Make sure the network device is configured to accept COA requests from the COA server on the respective port.
>NAS devices want to see particular attributes in the COA request to identify the user session and perform the COA, so sending the right attributes in the COA request is important, and which ones are required depends on the NAS device vendor.
>The expected COA user-identification attribute might be different for a captive portal authenticated user and a dot1x user.
>Some vendors ignore unsupported or unknown attributes in the COA request and still ACK the COA request. However, some vendors' devices do not like you sending unsupported COA attributes, so they respond with a Disconnect-NAK.
#In the case of a FortiGate firewall you might need to send the right COA-supported attribute to identify the user session.

*Supported attributes (WPA-Enterprise & user group, and captive portal):
USER_NAME,
FRAMED_IP_ADDRESS,
EVENT_TIMESTAMP,
MESSAGE_AUTHENTICATOR,

*"User-Name" and "Framed-IP-Address" are supported in the DM (Disconnect-Message) request and both MUST be included; other attributes like "Calling-Station-Id" and "Called-Station-Id" are not supported and cause a 503 error message.
*The attributes "EVENT_TIMESTAMP" and "MESSAGE_AUTHENTICATOR" are optional.
*Note: supported attributes as of the latest firmware, v5.4.

#In the case of an ARUBA MOBILITY CONTROLLER:

The mobility controller supports the following attributes for identifying the users who authenticate with an RFC 3576 server:

* user-name: Name of the user to be authenticated.
* framed-ip-address: User’s IP address.
* calling-station-id: Phone number of a station that originated a call.
* accounting-session-id: Unique accounting ID for the user session

–> Other attributes might cause a 503 error.

#Other ports to remember:
*RADIUS accounting request and response are on UDP 1813
*RADIUS authentication is on UDP 1812

#Some snapshots were attached here to show what is inside an Accounting-Request, Disconnect-Request, Disconnect-ACK and Disconnect-NAK.

(Images: radius-acc, Disconnect-request, Disconnect_Ack, Disconnect_NAK)

If you would like to look at the entire pcap, let me know and I can share it with you guys.
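To make the attribute requirements above concrete, here is an added example (not FortiGate or Aruba code) that builds an RFC 3576/5176 Disconnect-Request carrying User-Name, Framed-IP-Address, Event-Timestamp and Message-Authenticator, checks it the way a NAS would, and builds and verifies the Disconnect-ACK/NAK that comes back (a NAK can carry Error-Cause 503, Session Context Not Found, which is the "503" the post refers to). The shared secret, user name, IP address and timestamp used with it are constructed values.

```python
import hashlib, hmac, socket, struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, FRAMED_IP_ADDRESS, EVENT_TIMESTAMP, MESSAGE_AUTHENTICATOR, ERROR_CAUSE = 1, 8, 55, 80, 101
SESSION_CONTEXT_NOT_FOUND = 503    # Error-Cause value behind the "503 error" the post mentions
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator (RFC 2865 layout)

def avp(attr_type, value):
    """One RADIUS attribute: Type(1) Length(1) Value; Length counts the 2-byte header."""
    return bytes((attr_type, 2 + len(value))) + value

def parse_attrs(data):
    attrs, pos = {}, 0
    while pos + 2 <= len(data) and data[pos + 1] >= 2 and pos + data[pos + 1] <= len(data):
        attrs[data[pos]] = data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]
    if pos != len(data):
        raise ValueError("malformed attribute list")
    return attrs

def zeroed_for_hmac(packet):
    """RFC 5176 2.3: the HMAC-MD5 covers the packet with Authenticator and Message-Authenticator zeroed."""
    out, pos = bytearray(packet), HEADER.size
    out[4:20] = bytes(16)
    while pos + 2 <= len(out) and out[pos + 1] >= 2:
        if out[pos] == MESSAGE_AUTHENTICATOR:
            out[pos + 2:pos + 18] = bytes(16)
        pos += out[pos + 1]
    return bytes(out)

def request_authenticator(packet, secret):
    """RFC 5176: MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    return hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()

def build_disconnect_request(secret, identifier, user_name, framed_ip, timestamp):
    attrs = (avp(USER_NAME, user_name.encode()) + avp(FRAMED_IP_ADDRESS, socket.inet_aton(framed_ip))
             + avp(EVENT_TIMESTAMP, struct.pack("!I", timestamp)) + avp(MESSAGE_AUTHENTICATOR, bytes(16)))
    packet = HEADER.pack(DISCONNECT_REQUEST, identifier, HEADER.size + len(attrs), bytes(16)) + attrs
    packet = packet[:-16] + hmac.new(secret, zeroed_for_hmac(packet), hashlib.md5).digest()  # MA is last
    return packet[:4] + request_authenticator(packet, secret) + packet[20:]

def verify_disconnect_request(packet, secret):
    """NAS-side check: the attribute dict if the authenticators verify, else None."""
    code, _, length, auth = HEADER.unpack_from(packet)
    if code != DISCONNECT_REQUEST or length != len(packet):
        return None
    attrs = parse_attrs(packet[HEADER.size:])
    ok = hmac.compare_digest(auth, request_authenticator(packet, secret))
    if MESSAGE_AUTHENTICATOR in attrs:  # optional on FortiGate per the post; checked when present
        ok &= hmac.compare_digest(attrs[MESSAGE_AUTHENTICATOR],
                                  hmac.new(secret, zeroed_for_hmac(packet), hashlib.md5).digest())
    return attrs if ok else None

def build_response(code, request, secret, attrs=b""):
    """Disconnect-ACK/NAK: Identifier echoed; Response Authenticator = MD5(header with the Request Authenticator + Attributes + Secret)."""
    header = HEADER.pack(code, request[1], HEADER.size + len(attrs), request[4:20])
    return header[:4] + hashlib.md5(header + attrs + secret).digest() + attrs

def verify_response(response, request, secret):
    """'ACK', 'NAK' or None (unexpected code, mismatched Identifier or bad authenticator)."""
    code, ident, length, auth = HEADER.unpack_from(response)
    if code not in (DISCONNECT_ACK, DISCONNECT_NAK) or ident != request[1] or length != len(response):
        return None
    want = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return ("ACK" if code == DISCONNECT_ACK else "NAK") if hmac.compare_digest(auth, want) else None
```

A wrong shared secret, a flipped byte in User-Name, or an Identifier mismatch all make the verification functions return None, which is exactly the kind of silent rejection that shows up as a Disconnect-NAK or no answer on the wire.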


Separating your RF space for priority traffic with Single Channel Architecture and Channel Layering

Segmentation of services can be achieved by channel layering with Fortinet infrastructure WiFi (Single Channel Architecture, SCA). By doing so you separate business-critical traffic from your non-critical and guest traffic.

There are applications like VoWiFi and a few other latency-sensitive applications that need special care.

#Wired infrastructure: you deploy a separate VLAN with end-to-end QoS and so on.

#On the WiFi controller you can do inbound/outbound QoS.

#WMM-capable clients have TXOP / access-category queues for prioritizing voice/video traffic.

In an SCA you additionally get the opportunity to segment services by creating a separate RF space (channel layer) for them.

Ref Pic: (image: SCA channel layering)


Some Wireless Capture Analysis today

I was working on a WiFi client disconnection issue and got to analyse some wireless frames. Thought of sharing some of it.

(Image: wifi_sniff_analysis)

How to check why FortiAP got Offline from FortiGate

If the AP lost its control channel connection with the FortiGate, you can check whether the AP merely lost contact with the firewall (missed heartbeat) or whether it rebooted for some reason.

Points to remember:

*A FortiAP reboots only if it has a power issue, or

*the FortiAP had a software crash or kernel panic.

>>The following command on the FortiGate, diagnose wireless-controller wlac -c wtp, gives you an idea why the AP is offline:


#Scene 1: the AP is offline because of an operation initiated from the controller/FortiGate (a change that requires an AP reboot):

——————————-WTP 1—————————-
WTP vd : root
vfid : 0
id : FP221B3X12007124
mgmt_vlanid : 0
region code : N
regcode status : invalid
refcnt : 2 own(1) wtpprof(1)
plain_ctl : disabled
deleted : no
admin : enable
cfg-wtp-profile : praveen_wifi_integrated
override-profile : enabled
oper-wtp-profile : resv-dflt-FP221B3X12007124
wtp-mode : normal
wtp-group :
name :
location :
led-state : enabled
ip-frag-prevent : TCP_MSS
tun-mtu : 0,0
split-tunneling-local-ap-subnet : disabled
active sw ver : FP221B-v5.2-build0254
local IPv4 addr : 192.168.242.63
board mac : 00:09:0f:7c:1a:70
join_time : Tue Jan 17 13:51:56 2017
mesh-uplink : ethernet
mesh hop count : 0
parent wtp id :
connection state : Disconnected
image download progress: 0
last failure : 8 — AC daemon reset timer expired –<change caused AP reboot>     
last failure param: N/A
last failure time: Tue Jan 17 13:52:01 2017
station info : 0/0


#Scene 2: on the other hand, the FortiGate reports that the heartbeat timed out and so the AP went offline.

#diagnose  wireless-controller  wlac -c wtp

——————————-WTP 1—————————-
WTP vd : root
vfid : 0
id : FP221B3X12007124
mgmt_vlanid : 0
region code : N
regcode status : invalid
refcnt : 3 own(1) wtpprof(1) ws(1)
plain_ctl : disabled
deleted : no
admin : enable
cfg-wtp-profile : praveen_wifi_integrated
override-profile : enabled
oper-wtp-profile : resv-dflt-FP221B3X12007124
wtp-mode : normal
wtp-group :
name :
location :
led-state : enabled
ip-frag-prevent : TCP_MSS
tun-mtu : 0,0
split-tunneling-local-ap-subnet : disabled
active sw ver : FP221B-v5.2-build0254
local IPv4 addr : 192.168.242.63
board mac : 00:09:0f:7c:1a:70
join_time : Tue Jan 17 13:41:18 2017
mesh-uplink : ethernet
mesh hop count : 0
parent wtp id :
connection state : Connected
image download progress: 0
last failure : 14 — ECHO REQ is missing        … <heatbeat missed>
last failure param: N/A
last failure time: Tue Jan 17 13:40:39 2017     …<Failure time>
station info : 0/0
geo : World (0)
LLDP : disabled
Radio 1 : AP

So the FortiGate reported a heartbeat miss from the AP, which caused the AP to go offline and the WiFi service to be interrupted.

*Here we need to find out whether it was the network or the AP itself that did not send the heartbeat.

*Log into the AP and check whether the AP rebooted, or whether the AP reports that the WTP daemon lost its connection and had to reconnect.

*To telnet from the FortiGate into the AP: # execute telnet <dest IP address>

*Check the uptime on the AP: # cw_diag uptime

Log1:

FP221B3XXXXXXXXX # cw_diag uptime
Could not open fsm RUN uptime file /tmp/uptime_fsm_run.
Current uptime : 1567338
WTP daemon start uptime : 1565549                                         <Ap never got rebooted>
WTP daemon RUN uptime : 1567338
Time since WTP daemon started : 1789   
Time since WTP daemon connected : 0                        <Did loose the contact with FGT>

Watchdog timer triggered : 0
Watchdog timer action : 3
Watchdog timer time : 27

Log2:

FP221B3XXXXXXXX # cw_diag uptime
Could not open fsm RUN uptime file /tmp/uptime_fsm_run.
Current uptime : 78                                                                     <AP got rebooted>
WTP daemon start uptime : 31
WTP daemon RUN uptime : 78
Time since WTP daemon started : 47
Time since WTP daemon connected : 0

Watchdog timer triggered : 0
Watchdog timer action : 3
Watchdog timer time : 29

*This way you can narrow down the issue, which helps to find the root cause next time.
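As an added triage helper (not a Fortinet tool) for the procedure above: it parses the FortiGate's "diagnose wireless-controller wlac -c wtp" record and the AP's "cw_diag uptime" output and reports whether the outage was controller-initiated (failure 8), an AP reboot, or lost contact over the network (failure 14 with a long uptime). The 300-second reboot window is an assumption, and the sample outputs are constructed by trimming the logs shown in the post.

```python
import re

WLAC_FAILURE_MEANING = {  # codes seen in the post; any other code falls back to the raw text
    8: "controller-initiated: AC daemon reset timer expired (a change caused an AP reboot)",
    14: "heartbeat: ECHO REQ is missing (AP-side or network problem, check the AP)",
}
RECENT_REBOOT_SECONDS = 300  # assumption: an uptime below this means the AP just rebooted

def parse_kv(text):
    """Turn 'key : value   <annotation>' lines into a dict, dropping the post's inline notes."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = re.sub(r"<[^>]*>", "", value).strip(" .\u2026\u2013")
    return fields

def wlac_verdict(wlac_output):
    """From 'diagnose wireless-controller wlac -c wtp': connection state plus the decoded last failure."""
    f = parse_kv(wlac_output)
    m = re.match(r"\d+", f.get("last failure", ""))
    code = int(m.group()) if m else None
    return {"state": f.get("connection state"), "last_failure_code": code,
            "last_failure": WLAC_FAILURE_MEANING.get(code, f.get("last failure", "unknown")),
            "last_failure_time": f.get("last failure time")}

def ap_verdict(cw_diag_output):
    """From 'cw_diag uptime' on the AP: did it reboot, or did it only lose the controller?"""
    f = parse_kv(cw_diag_output)
    uptime = int(f["Current uptime"])
    since_connected = int(f["Time since WTP daemon connected"])
    if uptime < RECENT_REBOOT_SECONDS:
        return "AP rebooted %d s ago: check power, diag_debug_crashlog and cw_diag kernel-panic" % uptime
    if since_connected == 0:
        return "AP up %d s, not rebooted, but lost contact with the FortiGate: suspect the network path" % uptime
    return "AP up %d s and connected for %d s: no outage visible" % (uptime, since_connected)

def triage(wlac_output, cw_diag_output):
    """Combine both views as the post does: a controller-initiated reboot needs no AP-side check."""
    w = wlac_verdict(wlac_output)
    if w["last_failure_code"] == 8:
        return "%s at %s" % (w["last_failure"], w["last_failure_time"])
    return "%s; %s" % (w["last_failure"], ap_verdict(cw_diag_output))

# Constructed samples, trimmed from the outputs shown in the post.
WLAC_HEARTBEAT = """\
connection state : Connected
last failure : 14 \u2014 ECHO REQ is missing        \u2026 <heatbeat missed>
last failure time: Tue Jan 17 13:40:39 2017     \u2026<Failure time>
"""
AP_LOST_CONTACT = """\
Current uptime : 1567338
WTP daemon start uptime : 1565549                      <Ap never got rebooted>
Time since WTP daemon connected : 0                    <Did loose the contact with FGT>
"""
AP_REBOOTED = """\
Current uptime : 78                                    <AP got rebooted>
Time since WTP daemon connected : 0
"""
```

Running triage(WLAC_HEARTBEAT, AP_LOST_CONTACT) points at the network path, while triage(WLAC_HEARTBEAT, AP_REBOOTED) points at the AP's power and crash logs, which is the split the post makes between Log1 and Log2.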

Other Handy AP commands:

>cfg -s
>fap-get-status
>cw_diag uptime
>cw_diag sys-performance
>iwconfig
>diag_debug_crashlog read
>cw_diag -c wtp-cfg
>cw_diag -c radio-cfg
>cw_diag -c vap-cfg
>cw_diag kernel-panic
>dmesg
>rcfg
>klog


BYOD fails because of those CNA agents on iOS and Android

I had the chance to work with an Australian account on a BYOD solution issue.

Deployment: Fortinet infrastructure WiFi solution with FortiConnect, a BYOD solution.

Issue: Windows devices are onboarded successfully, but Macintosh and Android devices are having issues.

Once I jumped in to troubleshoot this issue, I found the configuration seemed to be totally fine. So is it a software bug?
What I found, again, is that the tiny browser (CNA agent) on the WiFi clients, which doesn't have full browser capabilities, is the cause of the issue.

First, how a traditional BYOD solution works: users initially connect to an open SSID, then download a dot1x profile, and later, using that profile, the users are onboarded securely onto the network. This can also be done with a single SSID; it depends on how much your BYOD solution can assist you with this.

Coming back to my issue: the user connected to the guest network and authenticated to the captive portal / BYOD. However, this authentication success message was never passed back to the WLAN controller, so the WLC could not initiate the RADIUS request to the RADIUS server.

>This is how the station log for a problematic WiFi client looks:

2017-Jan- 9 13:14:27.306847 | 44:2a:60:fc:39:d4 | Station Assign | <AID=3>[abgn](v0) assigned to <AP=99> ESSID=e-smart-access A-BSSID=00:0c:e6:0a:39:ee Ch=149 reason=Station probed
station-log>
2017-Jan- 9 13:14:27.352095 | 44:2a:60:fc:39:d4 | Band Steering | <AID=0>[abgn](v0) Steering to 5Ghz under policy=A Blocking 2.4Ghz, present staType=ABGN ESSID=e-smart-access B-BSSID=00:0c:e6:0a:cb:1f Ch=11
station-log>
2017-Jan- 9 13:14:27.554238 | 44:2a:60:fc:39:d4 | 802.11 State | <AID=3>[abgn](v0) state change <old=Unauthenticated><new=Authenticated><AP[99]=00:0c:e6:13:27:a5> ESSID=e-smart-access Ch=149 A-<BSSID=00:0c:e6:0a:39:ee>
station-log>
2017-Jan- 9 13:14:27.554248 | 44:2a:60:fc:39:d4 | 802.11 State | <AID=3>[abgn](v0) state change <old=Unauthenticated> <new=Authenticated> <AP=99> ESSID=e-smart-access Ch=149 A-<BSSID=00:0c:e6:0a:39:ee>
station-log>
2017-Jan- 9 13:14:27.555616 | 44:2a:60:fc:39:d4 | 802.11 State | . <AID=3>[abgn](v0) state change <old=Authenticated><new=Associated><AP[99]=00:0c:e6:13:27:a5> ESSID=e-smart-access Ch=149 A-<BSSID=00:0c:e6:0a:39:ee>
station-log>
2017-Jan- 9 13:14:27.555625 | 44:2a:60:fc:39:d4 | 802.11 State | . <AID=3>[abgn](v0) state change <old=Authenticated> <new=Associated> <AP=99> ESSID=e-smart-access Ch=149 A-<BSSID=00:0c:e6:0a:39:ee>
station-log>
2017-Jan- 9 13:14:27.555993 | 44:2a:60:fc:39:d4 | Band Steering | * <AID=3>[abgn](v0) Steered to 5Ghz under policy=A staType=ABGN[15] ESSID=e-smart-access A-BSSID=00:0c:e6:0a:39:ee Ch=149 Steering time = 0.203891 seconds
station-log>
2017-Jan- 9 13:14:27.563019 | 44:2a:60:fc:39:d4 | DHCP | <msg_type=REQUEST><server_ip=127.0.0.1><client_ip=0.0.0.0>
station-log>
2017-Jan- 9 13:14:27.572135 | 44:2a:60:fc:39:d4 | DHCP | <msg_type=ACK><server_ip=127.0.0.1><offered_ip=10.12.1.135>
station-log>
2017-Jan- 9 13:14:28.573801 | 44:2a:60:fc:39:d4 | IP Address Discovered | <Old IP discovery Method=none><Old IP=0.0.0.0><New IP discovery Method=dynamic><New IP=10.12.1.135

For comparison, this is what a successful CP authentication looks like:

2017-Jan- 9 13:50:53.401458 | 44:2a:60:fc:39:d4 | Station Assign | <AID=3>[abgn](v0) assigned to <AP=99> ESSID=e-smart-access A-BSSID=00:0c:e6:0a:39:ee Ch=149 reason=RSSI changed
station-log>
2017-Jan- 9 13:50:55.921525 | 44:2a:60:fc:39:d4 | Station Assign | <AID=3>[abgn](v0) removed from <AP=99> ESSID=e-smart-access A-BSSID=00:0c:e6:0a:39:ee Ch=149 reason=Inactivity timer expired
station-log>
2017-Jan- 9 13:52:33.440124 | 44:2a:60:fc:39:d4 | Station Assign | <AID=2>[abgn](v0) assigned to <AP=99> ESSID=e-smart-access A-BSSID=00:0c:e6:0a:39:ee Ch=149 reason=Station probed
station-log>
2017-Jan- 9 13:52:33.440941 | 44:2a:60:fc:39:d4 | 802.11 State | <AID=2>[abgn](v0) state change <old=Unauthenticated><new=Authenticated><AP[99]=00:0c:e6:13:27:a5> ESSID=e-smart-access Ch=149 A-<BSSID=00:0c:e6:0a:39:ee>
station-log>
2017-Jan- 9 13:52:33.440950 | 44:2a:60:fc:39:d4 | 802.11 State | <AID=2>[abgn](v0) state change <old=Unauthenticated> <new=Authenticated> <AP=99> ESSID=e-smart-access Ch=149 A-<BSSID=00:0c:e6:0a:39:ee>
station-log>
2017-Jan- 9 13:52:33.441122 | 44:2a:60:fc:39:d4 | 802.11 State | . <AID=2>[abgn](v0) state change <old=Authenticated><new=Authenticated><AP[99]=00:0c:e6:13:27:a5> ESSID=e-smart-access Ch=149 A-<BSSID=00:0c:e6:0a:39:ee>
station-log>
2017-Jan- 9 13:52:33.441131 | 44:2a:60:fc:39:d4 | 802.11 State | . <AID=2>[abgn](v0) state change <old=Authenticated> <new=Authenticated> <AP=99> ESSID=e-smart-access Ch=149 A-<BSSID=00:0c:e6:0a:39:ee>
station-log>
2017-Jan- 9 13:52:33.441549 | 44:2a:60:fc:39:d4 | 802.11 State | . <AID=2>[abgn](v0) state change <old=Authenticated><new=Associated><AP[99]=00:0c:e6:13:27:a5> ESSID=e-smart-access Ch=149 A-<BSSID=00:0c:e6:0a:39:ee>
station-log>
2017-Jan- 9 13:52:33.441558 | 44:2a:60:fc:39:d4 | 802.11 State | . <AID=2>[abgn](v0) state change <old=Authenticated> <new=Associated> <AP=99> ESSID=e-smart-access Ch=149 A-<BSSID=00:0c:e6:0a:39:ee>
station-log>
2017-Jan- 9 13:52:33.442632 | 44:2a:60:fc:39:d4 | Band Steering | * <AID=2>[abgn](v0) Self-steered to 5Ghz under policy = A staType = ABGN ESSID=e-smart-access A-BSSID=00:0c:e6:0a:39:ee Ch=149 Steering time = 0
station-log>
2017-Jan- 9 13:52:33.448274 | 44:2a:60:fc:39:d4 | DHCP | <msg_type=REQUEST><server_ip=127.0.0.1><client_ip=0.0.0.0>
station-log>
2017-Jan- 9 13:52:33.454929 | 44:2a:60:fc:39:d4 | DHCP | <msg_type=ACK><server_ip=127.0.0.1><offered_ip=10.12.1.135>
station-log>
2017-Jan- 9 13:52:34.507002 | 44:2a:60:fc:39:d4 | IP Address Discovered | <Old IP discovery Method=none><Old IP=0.0.0.0><New IP discovery Method=dynamic><New IP=10.12.1.135>
station-log>
station-log>
station-log>
station-log>
2017-Jan- 9 13:53:54.616485 | 44:2a:60:fc:39:d4 | CP User Authentication | <Captive Portal Profile= captive-portal> <User : chewc@xxxx.edu.au> <ipaddr=10.12.1.135> Sending User Authentication Request.
station-log>
2017-Jan- 9 13:53:54.616487 | 44:2a:60:fc:39:d4 | CP User Authentication | <User=chewc@XXXX.edu.au> <ipaddr=10.12.1.135> Sent Guest User Authentication Request.
station-log>
2017-Jan- 9 13:53:54.616626 | 44:2a:60:fc:39:d4 | CP User Authentication | <User=chewc@XXXX.edu.au> <ipaddr=10.12.1.135> Sent Radius Authentication Request.
station-log>
2017-Jan- 9 13:53:54.678054 | 44:2a:60:fc:39:d4 | CP User Authentication | <User=chewc@XXXX.edu.au> <ipaddr=10.12.1.135> Radius User Authenticated Successfully <session_time=0 secs> <filter_id=> <idle_time=0 secs>
station-log>
>You can see in the successful station log above that the client forwarded the WiFi auth credentials back to the WLAN controller (4th line from the end), so the RADIUS auth session could be initiated to the RADIUS server (last 3 lines).
Note: it is very important for the controller to know that the user is authenticated, so that later, when an Android user goes to the Google Play store or an iOS user goes to the Apple App Store, the controller lets the traffic out: a captive portal SSID allows only the client's ARP, DNS and DHCP traffic before authentication succeeds. With a few other vendors you additionally need to allow the client subnet to reach the Google Play store and Apple App Store.

>Otherwise you run into issues where the WiFi clients cannot download the application (Smart Connect) from the app store that helps the device download the dot1x profile from the BYOD server.

Solution: after disabling the CNA agent (tiny browser), the WiFi clients had no problem onboarding to a dot1x network. We forced the client not to use the CNA agent via a feature in the WiFi controller.

>There are parameters (SSID + client MAC address + switch IP:port + browser info + some others) generated on the fly during onboarding that the browser must remember until it POSTs the credentials back to the controller for RADIUS authentication.

>Since those tiny browsers are not capable of this, you sometimes have a hard time getting BYOD onboarding to work.

First universal APs @fortinet

These U-FAPs can be managed by infrastructure controllers, FortiGate firewalls, or cloud-based management.

Like other Fortinet infrastructure access points, they support Single Channel Architecture / Virtual Cell as well as micro cell / native cell.

#802.11AC#Wave2#4*4#universal