
JUVE Consulting BVBA ∙ Roosgrachtlaan 27, B-3400 Landen ∙ Tel.: +32 (491) 56.35.96 ∙

Whitepaper: Fortinet wireless

Title: FAP 221C & Fortigate 60D

Author: Jurgen Vermeulen
[email protected]
+32 (491) 56.35.96

08/05/2014, V 0.1 <public> Page i

Table of Contents

1 Introduction ... 1
2 Test setup ... 2
2.1 Firewall & WLC ... 2
2.2 Access points ... 2
2.3 Network ... 2
2.4 Testing equipment ... 2
3 Test configuration ... 3
3.1 Connecting the Access Points ... 3
3.2 The FortiAP profiles ... 4
3.3 SSID configuration ... 5
3.4 Firewall policies ... 7
3.5 Local AP management interface ... 8
4 Test results ... 9
4.1 Clear text connection (DTLS disabled) ... 9
4.1.1 Bridged mode (Wifikeuh SSID) ... 9
4.1.2 Tunneled mode (Wifikeuh2 SSID) ... 10
4.2 Encrypted connection (DTLS enabled) ... 11
4.2.1 Bridged mode (Wifikeuh SSID) ... 11
4.2.2 Tunneled mode (Wifikeuh2 SSID) ... 11
4.3 Range ... 12
4.4 Generic remarks ... 12
4.4.1 HTTP connection to the AP ... 12
4.4.2 Clear text connection by default ... 12
4.4.3 Firmware ... 12
5 Conclusion ... 13

1 Introduction

I’ve been running a Fortigate 60D firewall for a while now and was looking to replace my home wireless with a more stable solution. Since my Fortigate can also be used as a WLC for FortiAP access points, I decided to give them a try.

The main focus of this document is basic installation and performance; the products offer more features than are covered here.


2 Test setup

2.1 Firewall & WLC

The firewall used in the test is Fortinet’s Fortigate 60D with the following configuration:

- LAN interface, WAN interface + secondary WAN link
- UTM enabled
- No dedicated interface for FortiAP
- FortiOS 5.2.0

2.2 Access points

For this test, I used 2 FortiAP 221C units. The main specs are:

- Dual radio
- Internal antennas
- 802.11ac capable (on 2nd radio)
- PoE capable
- 1 Gbps connection
- Firmware 5.2.0

One AP is located on the ground floor and one on the first floor.

2.3 Network

The LAN network is built on TP-LINK smart managed switches. Both the access points and the firewall are connected to a TP-Link SG2424P switch, with the APs being powered by the switch’s PoE ports (PoE injectors are available as well).

2.4 Testing equipment

The following equipment was used during the tests:

- Samsung Galaxy Tab 3 8.0 inch
- Samsung Series 5 laptop (Win7 Pro 64 bit)
- Desktop computer (Win7 Pro 64 bit)
- Wifi Speed Test: an Android application to test your network speed. The server executable was installed on the Win7 machines.
- XBMC


3 Test configuration

3.1 Connecting the Access Points

Connecting the equipment to the network is very easy:

1. Enable CAPWAP on the Fortigate interface(s) facing the AP.
2. Enable the wireless controller feature in case it is turned off.
3. Create a wireless profile and assign the correct country code.
4. Hook up the AP to the network.
5. Authorize it on the Fortigate.
6. Assign the profile created in step 3 (right-click on the AP name).

The result is something like this:


Under Client monitor, you get an overview of all wireless clients that are currently connected:

3.2 The FortiAP profiles

The FortiAP profile contains all settings you want to assign to a specific AP or group of APs. Each AP hardware model has a specific default profile, and you can create custom profiles as you wish.

Spectrum analysis will give you readings on rogue access points and can help you determine which are the best wireless channels to use. I disabled channel 11 on radio 1, as it is the most used in my neighbourhood and using it has a performance impact.

The client load balancing features allow for the access points to pass clients to least used nodes or to spread the frequencies between the different access points.

By default, both the AP and the Fortigate support clear text and DTLS-encrypted channels between the AP and the controller. If both are available, clear text is chosen automatically. You can force encryption by changing either the AP or the WLC profile configuration. Using DTLS combined with tunneled traffic (see below) does have a performance impact.

3.3 SSID configuration

Each AP can handle multiple SSIDs. You create the ones you need on the Fortigate WLC and assign the required ones to each FortiAP profile. There are 2 ways to configure an SSID:

- Bridged to local interface: this will use the AP’s LAN interface to send data to the network. You can use this mode when the AP is connected directly to your LAN and you want to avoid the overhead of tunneling traffic towards the Fortigate.


- Tunneled mode: all traffic from and to clients connected to these SSIDs will be sent through a tunnel between the AP and firewall. You can create several networks assigned to different profiles and these networks only need to exist at the firewall, not on the AP’s LAN connection point.


3.4 Firewall policies


3.5 Local AP management interface

It is possible to make some configuration changes on the AP itself through HTTP or telnet (this needs to be enabled manually, and access is disabled once a connection to a WLC is made). This is needed when the AP is installed at a remote location and cannot autodiscover the WLC parameters. You can also assign a static IP and monitor the wireless radio.


4 Test results

4.1 Clear text connection (DTLS disabled)

4.1.1 Bridged mode (Wifikeuh SSID)

When connected to the AP in bridged mode, it’s possible to get an average throughput of 39 Mbps, which is better than what I’ve seen on my other equipment. The signal is strong enough to play back a 1080p MKV with 5.1 surround sound without any issues when not too far away from the AP.


4.1.2 Tunneled mode (Wifikeuh2 SSID)

Next, I switched to the Wifikeuh2 SSID, which has all traffic tunneled towards the Fortigate WLC and then routed onto the network. Results were very similar:

There’s little overhead and you don’t notice any difference when connected to this SSID. Video kept playing smoothly as well.


4.2 Encrypted connection (DTLS enabled)

4.2.1 Bridged mode (Wifikeuh SSID)

In bridged mode, you observe no speed difference. This is logical, because all traffic is handed off through the LAN port of the AP directly onto the network instead of being sent through the tunnel. Only control data is encrypted over the link between the AP and the WLC.

4.2.2 Tunneled mode (Wifikeuh2 SSID)

Where you do notice a difference is in the tunneled SSIDs. When performing the same tests over a DTLS channel, my performance dropped to around 11 Mbps:

CPU usage on both the AP and the Fortigate went very high. While this speed is more than enough for some surfing and office work, don’t expect to stream full HD content over the DTLS link without issues. If the AP is located remotely and needs to connect over an untrusted connection, DTLS is a must have, so keep this in mind when sizing the equipment.


4.3 Range

One of the main drawbacks of my old wifi equipment was range. I used to have a Linksys WRT54GS, flashed DD-WRT on it and boosted transmit power to the maximum to get some decent coverage. My second AP was a Netgear router with Wireless-N and a dual band radio, and that was barely able to serve one floor of the house. Roaming between them was also impossible.

I was pleasantly surprised that with 2 access points I now have decent wireless coverage throughout the entire house (ground floor, first floor and second floor), despite the large amount of concrete and metal used throughout the house. Roaming is also working very well, thanks to the cooperation between the access points. I didn’t perform any VoIP tests yet, but I no longer get disconnected for a minute when moving from one floor to another.

4.4 Generic remarks

4.4.1 HTTP Connection to the AP

While telnet gets disabled once the AP connects to the controller, and there aren’t that many options to configure on the AP, an HTTPS interface would be preferable to HTTP. In the meantime, take this into account: if you manage the AP from the web interface, use a password that is not shared with other systems and change it frequently.

4.4.2 Clear text connection by default

The recommended setup for deploying APs is slightly different from what I did, i.e. connecting the APs to a dedicated Fortigate interface that is separated from the rest of the network, so I understand that from a performance point of view the default way of connecting the AP is a clear text connection. However, since we’re talking about a security product, I would rather see the most secure option chosen when several are possible. By default, both clear text and DTLS are enabled, so the logical choice would be DTLS. If clear text is meant to be the default to avoid the performance impact, make ‘clear text’ the default setting rather than enabling both options.
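Whether the AP really ended up on DTLS (section 3.2) or silently fell back to clear text (the point made above) can be checked on the wire rather than in the GUI. The following Python is an added example, not part of the whitepaper: it classifies UDP datagrams on the standard CAPWAP ports (5246 control, 5247 data) as clear text or DTLS-wrapped using the RFC 5415 preamble byte, assumes the FortiAP to Fortigate link uses that standard framing, and runs over constructed sample datagrams.

```python
# Added example, not from the whitepaper: classify CAPWAP datagrams as clear
# text or DTLS-wrapped from the RFC 5415 preamble byte and audit a capture for
# unprotected control traffic. Assumes standard CAPWAP framing and UDP ports.
from dataclasses import dataclass

CAPWAP_CONTROL_PORT = 5246  # UDP, CAPWAP control channel
CAPWAP_DATA_PORT = 5247     # UDP, CAPWAP data channel
DTLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                      22: "handshake", 23: "application_data"}

@dataclass
class Datagram:
    dst_port: int
    payload: bytes  # UDP payload only

def classify(dgram: Datagram) -> str:
    """'<channel>/clear-text', '<channel>/dtls(<record type>)' or 'not-capwap'."""
    if dgram.dst_port == CAPWAP_CONTROL_PORT:
        channel = "control"
    elif dgram.dst_port == CAPWAP_DATA_PORT:
        channel = "data"
    else:
        return "not-capwap"
    if not dgram.payload:
        return f"{channel}/empty"
    version, ptype = dgram.payload[0] >> 4, dgram.payload[0] & 0x0F
    if version != 0 or ptype > 1:
        return f"{channel}/unknown"
    if ptype == 0:  # type 0: plain CAPWAP header follows, i.e. clear text
        return f"{channel}/clear-text"
    # type 1: three reserved bytes, then a DTLS record (content type first)
    record = dgram.payload[4:]
    ctype = DTLS_CONTENT_TYPES.get(record[0], "unknown") if record else "truncated"
    return f"{channel}/dtls({ctype})"

def audit(dgrams):
    # Count each classification; also return how many control datagrams were clear text.
    counts = {}
    for d in dgrams:
        label = classify(d)
        counts[label] = counts.get(label, 0) + 1
    return counts, counts.get("control/clear-text", 0)

# Constructed sample datagrams (not captured from the author's network).
SAMPLE = [
    Datagram(5246, bytes.fromhex("0010000000000000")),  # clear-text control
    Datagram(5247, bytes.fromhex("0010000000000000")),  # clear-text data
    Datagram(5246, bytes.fromhex("0100000016fefd")),    # DTLS handshake, control
    Datagram(5247, bytes.fromhex("0100000017fefd")),    # DTLS app data, data
]
```

Any non-zero clear text control count after you forced DTLS in the profile means the setting did not take effect on that AP.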

4.4.3 Firmware

The FAP 221C is a new product and FortiOS 5.2.0 is a new ‘major’ release, so there are still some hiccups. The AP’s second radio sometimes doesn’t appear as functional in the Managed AP view while it seems active on the AP itself, frequent configuration changes confuse the AP and the Fortigate, and I had to reboot the APs 2 or 3 times because of some odd behaviour.

Once I put on a final configuration and didn’t fiddle with it every couple of minutes, the setup was very stable though. These are some minor issues that should disappear in the coming firmware updates.


5 Conclusion

I’m very happy with the performance of the APs and the integration between wireless and security. Range and throughput on the APs are very good; there are some minor bugs in the current firmware but nothing shocking, and it is very easy to deploy. I didn’t test every feature yet and focused on performance for now, but I’m very impressed with what you get for the money. Most APs are a lot more expensive, and having to manage a separate WLC can be a hurdle. Another option is a cloud-managed network using Meraki/Aerohive/…, but if you already have Fortinet equipment installed, the seamless integration is a real plus.


6 More information

For more information, a live demo or quote, don’t hesitate to contact us: JUVE Consulting

Jurgen Vermeulen

[email protected] +32 (491) 56.35.96
