FortiRU wireless controllers support remote AP setup from SD6.0 onwards. A remote AP at a small office, branch office or home can be managed and provisioned by a WLC sitting in the data centre. In this case the data communication between controller and AP goes over the internet and is secured by OpenVPN encryption.
Configuring a VPN AP:
The first step is to install an SSL certificate on the WLC (the VPN server certificate) so that it can manage and authenticate the remote APs.
+Before proceeding to import the signed SSL certificate for the controller, first install the trusted CA certificate(s).
+Similarly, import all subordinate CA certificates (if there are any sub-CAs).
Create a certificate signing request (CSR) for the controller:
+Log in to the controller and go to Configuration -> Security -> Certificates -> Controller Certificates.
+Click the Add button (a Certificate Add popup appears), fill in the input fields and click Save.
+To view the CSR, select the radio button against the Pending CSR and click the View button, or export the CSR by clicking the Export button.
+Once the CSR is created, an entry appears with the Type shown as Pending-CSR.
+Select the radio button against the Pending CSR, then click the Import Certificate button.
+The certificate alias name, Issued To, Issued By etc. are then displayed.
Step two: configuring the remote VPN AP and assigning a certificate for the VPN client.
i. Log in to the controller and go to Configuration -> Certificates -> AP Certificates. The list of APs is displayed; make sure that the AP on which you are installing the certificate is Enabled and Online.
ii. Select the radio button against the AP, then click the Create CSR button.
iii. A Create Signing Request – AP Certificate popup appears.
iv. Enter the validity (in days) and then click Apply.
v. Click the Refresh button; after refreshing, CSR-Generation-in-Progress is shown under User Req Status.
vi. To view the CSR, select the radio button against the AP and click the View button, or export the CSR by clicking the Export button.
vii. Give the CSR file or its contents to the CA admin to obtain the certificate and the CA certificate.
viii. If the certificate is issued by a different CA server, first install that CA certificate as described in the trusted CA install section at the beginning.
ix. Import the certificate for the AP by selecting the radio button against the AP and clicking the Import button.
x. Once the certificate is copied, the message “Cert-Installation-In-Progress” appears under User Req Status.
xi. Once the certificate is installed, the message “Cert-Installed” appears under User Req Status.
NOTE: The AP must have L3 connectivity (an IP address must be assigned).
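The guide hands the CSR to a CA admin (step vii) and insists that the root and every subordinate CA are imported before the signed certificate (trusted CA install section). The script below is an added example of that admin side, not code from the vendor or the original guide: it builds a constructed two-tier private CA with the openssl CLI, signs a stand-in controller CSR (serverAuth, for the VPN server) and a stand-in AP CSR (clientAuth), and then shows why the sub-CA must be installed, since chain validation against the root alone fails. The names wlc.example.net, ap-1 and the CA names are placeholders; in production the controller and AP generate their own CSRs in the GUI and keep their private keys, so make_csr only imitates what they export.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide or the vendor): the CA admin's side
# of the CSR handover, done with openssl against a constructed two-tier CA.
# All names (Example Root CA, Example Sub CA, wlc.example.net, ap-1) are placeholders.
set -euo pipefail

WORK="${WORK:-$(mktemp -d)}"        # scratch directory (assumption: writable)
cd "$WORK"

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Root CA (self-signed) and a subordinate CA signed by it.
build_ca() {
  openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Root CA" -keyout root.key -out root.pem 2>/dev/null
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Sub CA" -keyout sub.key -out sub.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
  openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1825 -sha256 -extfile sub.ext -out sub.pem 2>/dev/null
}

# Stand-in for the CSR the controller or AP exports from the GUI.
# $1 = file prefix, $2 = CN. In production the device keeps its private key.
make_csr() {
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Sign a CSR with the sub CA as an end-entity certificate.
# $1 = prefix, $2 = extendedKeyUsage (serverAuth for the controller's VPN server
# certificate, clientAuth for an AP), $3 = subjectAltName.
sign_leaf() {
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\nsubjectAltName=%s\n' \
    "$2" "$3" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA sub.pem -CAkey sub.key -CAcreateserial \
    -days 365 -sha256 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}

# The check the controller effectively performs once root and sub CA are both
# installed as trusted: leaf -> sub -> root must validate. Exit 0 = valid chain.
verify_chain() {            # $1 = leaf certificate
  openssl verify -CAfile root.pem -untrusted sub.pem "$1" >/dev/null 2>&1
}

# Same leaf with only the root installed: verification fails, which is why the
# guide says to import every subordinate CA before the signed certificate.
verify_missing_subca_fails() {   # $1 = leaf certificate; exit 0 = failed as expected
  ! openssl verify -CAfile root.pem "$1" >/dev/null 2>&1
}

build_ca
make_csr controller wlc.example.net
make_csr ap-1 ap-1
sign_leaf controller serverAuth DNS:wlc.example.net
sign_leaf ap-1 clientAuth DNS:ap-1.example.net
verify_chain controller.pem && echo "controller chain OK"
verify_chain ap-1.pem && echo "ap-1 chain OK"
verify_missing_subca_fails controller.pem && echo "without sub CA: rejected, as expected"
# Inspect what was issued before handing it back (subject, issuer, EKU):
openssl x509 -in ap-1.pem -noout -subject -issuer -ext extendedKeyUsage
```

The files handed back to the person doing the GUI import are root.pem and sub.pem (imported first, as trusted CA and sub-CA) and then controller.pem or ap-1.pem (imported against the matching Pending CSR). Checking the extendedKeyUsage line before import avoids the common mistake of issuing a client certificate to the VPN server or vice versa.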
Assigning the server certificate to the VPN server:
i. Log in to the controller and go to Configuration -> Certificates -> Controller Certificates.
ii. Click the Application button; in the popup that appears, select the certificate next to VPN Application and click Save.
iii. A popup message asks the user to run the reload-vpn command from the CLI (on running reload-vpn, the selected certificate is used by the VPN server). Forti-Ru leaves this to the user because, if APs are already connected over VPN, running reload-vpn causes all VPN APs to reboot; the user can therefore run reload-vpn when there are no stations connected.
Creating a VPN server on the controller:
i. Log in to the controller and go to Configuration -> Security -> VPN Server.
ii. Fill in the VPN Server Name/IP; it must be the controller's publicly reachable IP address or hostname (FQDN). Also fill in the port (the default is 1194), and add the IP pool and subnet.
Finally, adding the AP to the VPN group:
i. Log in to the controller and go to Configuration -> Security -> VPN Server -> VPN APs.
ii. Select the APs that you want to add to the VPN group and click Next.
iii. Check the column under Action Required: if the status is “No Action Required”, click Activate; if there is any pending action, finish it before activating.
iv. Once Activate is clicked, the VPN connectivity status is initially Disconnected and the AP reboots.
v. Once the AP comes back up, it reconnects to the controller in VPN mode and the status shows Connected under VPN Connectivity Status.
Verifying from the controller CLI:
default(15)# show vpn-ap
default(15)# show vpn-server
default(15)# show vpn-ap <id>
default(15)# show ap-certificate <id>
default(15)# capture-packets -R ip.addr==x.x.x.x
+Run the capture-packets command with a filter on the AP's real IP address; the communication between controller and AP should happen only on the VPN port (in this case UDP port 1194).
Verifying from the AP CLI:
ap 8> ip vpn show
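The capture check above is worth automating: once the AP is in VPN mode, any packet to or from its real IP that is not UDP on the VPN port means something is still leaving the tunnel. The script below is an added example, not part of the guide or the vendor's tooling; it runs a small awk filter over a constructed per-packet summary (proto, src, sport, dst, dport) of the kind a capture tool can export, and reports anything that is not UDP/1194. The addresses 203.0.113.10 (controller) and 198.51.100.7 (AP real IP) are documentation placeholders, and the port is taken from the VPN server page (default 1194).

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): confirm from a capture summary
# that everything exchanged with a VPN AP's real IP is UDP on the VPN port.
set -euo pipefail

VPN_PORT="${VPN_PORT:-1194}"   # port configured on the VPN server page (default 1194)

# Constructed capture summary, one packet per line: proto src sport dst dport.
# 203.0.113.10 = controller, 198.51.100.7 = AP real IP (both placeholders).
# The last line is a deliberately planted non-tunnel packet.
sample_capture() {
  cat <<'EOF'
UDP 203.0.113.10 1194 198.51.100.7 41022
UDP 198.51.100.7 41022 203.0.113.10 1194
UDP 203.0.113.10 1194 198.51.100.7 41022
TCP 198.51.100.7 50510 203.0.113.10 5000
EOF
}

# Print every packet to/from AP_IP ($1) that is not UDP on VPN_PORT.
# Input on stdin. Exit 0 = tunnel-only traffic, 1 = unexpected traffic found.
check_vpn_only() {
  awk -v ap="$1" -v port="$VPN_PORT" '
    $2 == ap || $4 == ap {
      if ($1 == "UDP" && ($3 == port || $5 == port)) next
      print "non-VPN traffic: " $0
      bad++
    }
    END { exit (bad > 0) }'
}

# Stand-alone run over the constructed sample: reports the TCP/5000 packet.
if sample_capture | check_vpn_only 198.51.100.7; then
  echo "all traffic with the AP is on UDP/$VPN_PORT"
else
  echo "check failed: traffic outside the VPN tunnel was seen"
fi
```

In practice the input would be the exported capture from the controller (or a tshark field export) filtered on the AP's real address; the same filter can be run periodically as a cheap drift check after firmware or configuration changes.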