Using your FortiAP as a Remote AP
We’re in a time that is changing the way we work. There’s no denying that COVID-19 has forced many of us to stay home. And while IT departments are scrambling to enable workers to access work remotely, they may have capabilities they’re unaware of in existing infrastructure.
One such capability is the ability to use a FortiAP as a Remote AP: essentially, sending a worker home with an AP that can then establish a tunnel back to the office, allowing them to work as if they were in the office. This was something I wasn’t aware of until last week. In this article I hope to cover how to set up a FortiGate and FortiAP to work in this manner.
FortiGate running 6.0.x or 6.2.x as VPN head end hub
FortiAP E series (could be FortiAP-U or FortiAP) running FortiAP OS 5.4.6 or 6.0.2
While we always understood FortiAP’s management channel to use DTLS for security, I was always under the impression that the data channel was encapsulated in a GRE tunnel and sent in clear text – not really offering any additional security. However, in mining the FortiDocs I found some cool info. Other data channel options include:
DTLS – exactly as it sounds, the data channel is encrypted with DTLS. However, because DTLS is not able to be hardware-accelerated on the FortiGate, you may end up experiencing much lower rates than with a clear-text data channel.
IPsec VPN – This automatically establishes an IPsec tunnel between the FortiGate and FortiAP that carries CAPWAP data packets. The bonus here is that IPsec can be offloaded to the NP6 chip, enabling much better performance than DTLS.
Ok, now that we got through the boring stuff, let’s get to it!
My topology for this article looks like this:
It’s important to note that I am using a FortiExtender to broker external internet access, but this could be replaced with a standard home internet connection. Also, the AP is being powered with a power injector; however, you can provide a power adapter if that’s your preference. I am keeping in mind that most remote workers may not have PoE available in their homes.
Configuring the FortiGate to accept AP connections on the WAN interface:
Under administrative access check the CAPWAP checkbox (NOTE: Under 6.2.3 or later you will need to check the ‘security fabric connection’ checkbox instead of CAPWAP)
For AP discovery of the FortiGate you have a few options:
Auto – This will cycle through each type of discovery, reboot and try again
Hard code it – this is set via the AC IP Address fields; we will set this in the event DNS discovery fails
DHCP option 138 – since you may not have control of the remote user’s DHCP, this may not be a good option
DNS – This is set via AC Host Name fields; we will set this as well
Broadcast – not applicable in this scenario
Multicast – beyond the scope of this scenario
I am going to assume we’re configuring from the office before giving this AP to a user to go home and test. I will be setting both the IP address of the controller and the hostname; you can choose to do either or both.
Creating a profile for use:
On the FortiGate that will be managing the APs, browse to WiFi & Switch Controller > FortiAP Profiles and clone the FAPU321EV-default
We will name this profile uv.remote.U321E
We will assign the SSID uv.office to the profile on both Radio 1 & 2 - it's better to be selective about SSIDs assigned to remote APs
We will enable HTTPS and SSH management
We will also change the password as this is best practice
Leave all other settings as default for now
Authorizing the AP:
Browse to WiFi & Switch Controller and apply the profile you just created to the AP you wish to authorize. We do this now as it will apply the config on authorization
Authorize the AP
Configuring the AP to connect using DNS:
Once the AP comes back up after authorization
This is a good time to upgrade the AP to the latest code if you haven't done so already
Be advised that some U APs may take up to 10 minutes to come back up after authorization. This has to do with the changing of boot images to support FortiGate control.
Log into the AP and set your discovery parameters
Setting the data channel to IPsec:
For this you will need to log into your FortiGate CLI and execute the following commands:
    config wireless-controller wtp-profile
        edit FortiAP-profile-name
            set dtls-policy ipsec-vpn
        next
    end
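An offline check for the setting above, as an added example (not from the original article or from Fortinet): it parses a FortiGate configuration backup and lists the FortiAP profiles whose CAPWAP data channel can still run in clear text. The sample backup is constructed, and treating a profile with no dtls-policy line as clear-text is an assumption about the default.

```python
SECTION = "config wireless-controller wtp-profile"
# Constructed sample backup (not from the article); the serial is a placeholder.
SAMPLE_CONFIG = """\
config wireless-controller wtp-profile
    edit "FAPU321EV-default"
        config platform
            set type U321EV
        end
    next
    edit "uv.remote.U321E"
        set dtls-policy ipsec-vpn
    next
    edit "lab-dtls"
        set dtls-policy clear-text dtls-enabled
    next
end
config wireless-controller wtp
    edit "PLACEHOLDER-SERIAL"
        set wtp-profile "uv.remote.U321E"
    next
end
"""

def data_channel_policies(config_text):
    """Return {profile name: [dtls-policy options]} for each wtp-profile entry."""
    stack, current, profiles = [], None, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line)               # entering a (possibly nested) block
        elif line == "end" and stack:
            stack.pop()
        elif stack == [SECTION]:             # directly inside the profile table
            if line.startswith("edit "):
                current = line[5:].strip().strip('"')
                profiles[current] = ["clear-text"]   # assumed default when unset
            elif line == "next":
                current = None
            elif current and line.startswith("set dtls-policy "):
                profiles[current] = line.split()[2:]
    return profiles

def clear_text_profiles(config_text):
    """Names of profiles that still allow an unencrypted CAPWAP data channel."""
    policies = data_channel_policies(config_text)
    return sorted(name for name, opts in policies.items() if "clear-text" in opts)

if __name__ == "__main__":
    print(clear_text_profiles(SAMPLE_CONFIG))
```

Run it against a backup taken after the change; the remote profile should no longer appear in the output.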
At this point you can configure a policy to allow the SSID access to the appropriate internal resources. This is done from Policy & Objects > IPv4 Policy. Here's a screenshot of what I configured:
Don't forget to create a policy for access to the internet if that's desired as well. This assumes that internet access will be processed through the corporate FortiGate as well, to ensure internet traffic is properly inspected. If you need to split tunnel refer to this page.
Before we send this AP home with our user, we will need to make sure it works. After all, what’s the point of all this work if the user takes it home and it doesn’t work?
I am plugging this AP into a FortiExtender with a working SIM; this will act as a remote internet connection
Under VPN > IPSec tunnel you’ll see that there’s a tunnel that was created; it’s important that we do not edit this tunnel
The ultimate test is from the device itself, and we are able to access corporate resources
And that's it! We're connected! Thank you for reading, I hope this is helpful.