Matt Sherif

Using your FortiAP as a Remote AP

We’re in a time that is changing the way we work. There’s no denying that COVID-19 has forced many of us to stay home. And while IT departments are scrambling to enable workers to access work remotely, they may have capabilities they’re unaware of in existing infrastructure.



One such capability is the ability to use a FortiAP as a Remote AP. Essentially, you send a worker home with an AP that establishes a tunnel back to the office, allowing them to work as if they were on site. This was something I wasn’t aware of until last week. In this article I cover how to set up a FortiGate and FortiAP to work in this manner.


Assumptions:

  • FortiGate running 6.0.x or 6.2.x as the VPN head-end hub

  • FortiAP E series (could be FortiAP-U or FortiAP) running FortiAP OS 5.4.6 or 6.0.2

While we always understood FortiAP’s management channel to use DTLS, I was always under the impression that the data channel was encapsulated in a GRE tunnel and sent in clear text, not really offering any additional security. However, in mining the FortiDocs I found some cool info. The default data channel setting (dtls-policy clear-text) does send CAPWAP data unencrypted, but the other data channel options include:


  • DTLS (dtls-policy dtls-enabled) – exactly as it sounds, the data channel is encrypted with DTLS. However, because DTLS is not hardware-accelerated on the FortiGate, you may see much lower throughput than with the clear-text data channel

  • IPsec VPN (dtls-policy ipsec-vpn) – this automatically establishes an IPsec tunnel between the FortiGate and FortiAP that carries the CAPWAP data packets. The bonus here is that IPsec can be offloaded to the NP6 chip, giving much better performance than DTLS


Ok, now that we got through the boring stuff, let’s get to it!


My topology for this article looks like this:



It’s important to note that I am using a FortiExtender to provide external internet access, but this could be replaced with a standard home internet connection. Also, the AP is being powered with a PoE injector; you can use a power adapter instead if that’s your preference. I am bearing in mind that most remote workers won’t have PoE available at home.


Configuring the FortiGate to accept AP connections on the WAN interface:


  • Browse to Network > Interfaces and edit the WAN interface the remote APs will reach

  • Under Administrative Access check the CAPWAP checkbox (NOTE: on 6.2.3 or later you will need to check the ‘Security Fabric Connection’ checkbox instead, as CAPWAP has been folded into it)

  • Click OK

This opens the CAPWAP control and data ports (UDP 5246 and 5247) on the WAN. Any FortiAP that learns the address can attempt to join, but the FortiGate only manages APs you explicitly authorize (see Authorizing the AP below), so keep an eye on the discovered-but-unauthorized list.


For AP discovery of the FortiGate you have a few options:

  • Auto – the AP cycles through each discovery type in turn; if none succeeds it reboots and tries again

  • Static – set via the AC IP Address fields; we will set this as a fallback in case DNS discovery fails

  • DHCP option 138 – the CAPWAP AC address option; since you don’t control the remote user’s DHCP server, this is not a good option here

  • DNS – set via the AC Host Name fields; we will set this as well. The name must resolve from the user’s home network, so it needs a public DNS record pointing at the FortiGate’s WAN address

  • Broadcast – not applicable here, since the AP is not on the same L2 segment as the FortiGate

  • Multicast – beyond the scope of this scenario


I am going to assume we’re configuring from the office before handing the AP to a user to take home and test. I will be setting both the controller IP address and hostname; you can choose to do either or both.


Creating a profile for use:

  • On the FortiGate that will manage the APs browse to WiFi & Switch Controller > FortiAP Profiles and clone the FAPU321EV-default profile

  • We will name this profile uv.remote.U321E

  • We will assign the SSID uv.office to the profile on both Radio 1 & 2. Be selective about the SSIDs assigned to remote APs, and make sure each one is a tunnel-mode SSID: a local-bridge SSID would put client traffic onto the user’s home LAN instead of sending it back through the FortiGate

  • We will enable HTTPS and SSH management

  • We will also change the AP login password, as this is best practice

  • Leave all other settings as default for now


Authorizing the AP:


  • Browse to WiFi & Switch Controller > Managed FortiAPs and apply the profile you just created to the AP you wish to authorize; we do this now because the profile is pushed to the AP on authorization


  • Authorize the AP



Configuring the AP to connect using DNS:


  • Once the AP comes back up after authorization, this is a good time to upgrade it to the latest code if you haven’t done so already

  • Be advised that some U-series APs may take up to 10 minutes to come back up after authorization. This is due to the change of boot image to support FortiGate control.

  • Log into the AP (over HTTPS or SSH, as enabled in the profile) and set your discovery parameters: the AC Host Name and/or AC IP Address fields


Setting the data channel to IPSEC:


For this you will need to log into the FortiGate CLI and run the following, substituting your own profile name for FortiAP-profile-name (uv.remote.U321E in this example):

config wireless-controller wtp-profile
   edit FortiAP-profile-name
      set dtls-policy ipsec-vpn
   next
end
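To check that the profile, SSID and WAN interface settings from the steps above actually ended up in the running configuration, here is an added example (my own code, not from the original post or from Fortinet) that parses a FortiOS `show` export and reports anything that undermines the remote-AP setup: a data channel that is not IPsec, Telnet left on, the default AP password, local-bridge SSIDs, or a WAN interface that does not accept CAPWAP / Security Fabric connections. The configuration text inside it is constructed for the example (using the profile and SSID names from this post), and the defaults it assumes for keys that `show` omits are noted in the comments.

```python
"""Audit a FortiOS config export for the remote-AP settings this post changes.

Parses `show` output (config / edit / set / next / end) into nested dicts and
checks: CAPWAP data channel on IPsec, Telnet off, AP password changed, only
tunnel-mode SSIDs on the remote profile, and the WAN interface accepting
CAPWAP / Security Fabric connections. The config text below is constructed.
"""
import shlex


def parse_fortios(text):
    """Parse FortiOS `config ... end` text into nested dicts.

    `config a b` -> key "config a b"; `edit "x"` -> key "x";
    `set k v1 v2` -> {"k": ["v1", "v2"]}. A config block nested inside an
    edit entry (e.g. radio-1 in a wtp-profile) becomes a key of that entry.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)
        if cmd == "config":
            stack.append(stack[-1].setdefault("config " + " ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def audit_remote_ap(cfg, profile, wan_iface):
    """Return findings for one remote-AP profile; an empty list means clean."""
    findings = []
    allow = cfg.get("config system interface", {}).get(wan_iface, {}).get("allowaccess", [])
    if not {"capwap", "fabric"} & set(allow):
        findings.append(f"{wan_iface}: allowaccess lacks capwap/fabric; APs cannot join over the WAN")
    prof = cfg.get("config wireless-controller wtp-profile", {}).get(profile)
    if prof is None:
        findings.append(f"{profile}: profile not found")
        return findings
    vaps = cfg.get("config wireless-controller vap", {})
    # Keys absent from `show` output sit at their FortiOS defaults (assumed here):
    # dtls-policy clear-text, login-passwd-change no, vap-all enable, local-bridging disable.
    policy = prof.get("dtls-policy", ["clear-text"])[0]
    if policy != "ipsec-vpn":
        findings.append(f"{profile}: dtls-policy {policy}; CAPWAP data is not carried inside IPsec")
    if "telnet" in prof.get("allowaccess", []):
        findings.append(f"{profile}: telnet management enabled")
    if prof.get("login-passwd-change", ["no"])[0] != "yes":
        findings.append(f"{profile}: AP login password still at its default")
    for radio in ("radio-1", "radio-2"):
        r = prof.get("config " + radio, {})
        if r.get("vap-all", ["enable"])[0] == "enable":
            findings.append(f"{profile}/{radio}: vap-all enable pushes every tunnel SSID to the remote AP")
        for ssid in r.get("vaps", []):
            if vaps.get(ssid, {}).get("local-bridging", ["disable"])[0] == "enable":
                findings.append(f"{profile}/{radio}: SSID {ssid} is local-bridge; client traffic exits on the home LAN")
    return findings


# Constructed sample shaped like `show` output: a cloned default profile left
# mostly untouched next to the hardened profile the post builds.
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set allowaccess ping https ssh fabric
    next
end
config wireless-controller vap
    edit "uv.office"
    next
    edit "uv.guest"
        set local-bridging enable
    next
end
config wireless-controller wtp-profile
    edit "FAPU321EV-default"
        set allowaccess https ssh telnet
        config radio-2
            set vap-all disable
            set vaps "uv.guest"
        end
    next
    edit "uv.remote.U321E"
        set allowaccess https ssh
        set login-passwd-change yes
        set dtls-policy ipsec-vpn
        config radio-1
            set vap-all disable
            set vaps "uv.office"
        end
        config radio-2
            set vap-all disable
            set vaps "uv.office"
        end
    next
end
"""

if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for name in ("FAPU321EV-default", "uv.remote.U321E"):
        print(name, audit_remote_ap(cfg, name, "wan1") or ["clean"])
```

Run it against a real export (`show system interface`, `show wireless-controller vap`, `show wireless-controller wtp-profile` pasted into one file) with the name of each profile you hand to a remote user; the cloned default profile in the sample produces five findings, the hardened one none.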

At this point you can configure a policy to allow the SSID access to the appropriate internal resources; this is done from Policy & Objects > IPv4 Policy, with the tunnel-mode SSID interface as the source interface. Here's a screenshot of what I configured:

Don't forget to create a policy for internet access if that's desired as well. This assumes that internet traffic will also be routed through the corporate FortiGate so it is properly inspected. If you need split tunnelling, refer to this page.


Testing access:


Before we send this AP home with our user, we need to make sure it works. After all, what’s the point of all this work if the user takes it home and it doesn’t work?


  • I am plugging this AP into a FortiExtender with a working SIM; this acts as the remote internet connection. Whatever the user has at home must allow outbound UDP 5246 and 5247 (CAPWAP) and UDP 500 and 4500 (IKE and NAT-T for the IPsec data channel); a typical home router does

  • Under VPN > IPsec Tunnels you’ll see a tunnel that was created automatically; it’s important that we do not edit this tunnel

  • The ultimate test is from a client device itself, and we are able to access corporate resources




And that's it! We're connected! Thank you for reading, I hope this is helpful.


