Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sagvan
Contributor

New SSID Recommendation

Hello, everyone!
I hope you are all doing great.

 

I have the task of creating a new SSID for our campus accommodation. This SSID must have limited access, meaning the users should only access the Internet, not local resources, such as servers, PCs, network devices, such as printers, etc.

 

We already have three other SSIDs with two lines coming from the ISP, meaning we also have SD-WAN.

The main line is 100Mbps while the backup is 30Mbps. The backup is used for employees with limited access and guests.

After business hours, most of the time, there could only be a few people working, so I was thinking of using the main line so it could handle the tens to hundreds of users.

 

I am also planning to give the access points at the building only this new SSID with a schedule to work after business hours until the next day's morning.

 

My questions are:

1- Should I create a WPA2 Personal or WPA2 Enterprise to have the best monitoring and logs? The WPA3 implementation will be more headache for me to manage their usernames and passwords. WPA2 will not show who is doing what.

2- How should I define my policies and how many policies should I create to have the best security?

3- DO I need a separate SD-WAN zone and rule or should I just add the new SSID to the existing one of the main line?

4- Should I implement application control and web filtering?

5- Should I give half of the speed (50Mbps) to this new SSID?

6- What are somethings I may have forgotten to ask and should consider?

 

 

Best regards,

Sagvan Saleem
Sagvan Saleem
1 Solution
atakannatak
New Contributor III

Hi @sagvan ,

 

Here are some recommendations and answers to your questions for creating a new SSID with limited access on your infrastructure:

 

1. WPA2 vs. WPA3
WPA2:

  • Easier to manage with a shared password.
  • Less secure than WPA3 but still widely used.
  • Limited ability to track individual users.

 

WPA3:

  • More secure, especially against brute-force attacks.
  • Individualized encryption (SAE) offers better protection.
  • Slightly more complex to manage, requiring user-specific credentials.

 

Recommendation: If security is a priority and your client devices support WPA3, it’s worth implementing WPA3. However, if ease of management is more important and WPA2 provides sufficient security for your use case, WPA2 is acceptable. For better monitoring and logging, consider using WPA2-Enterprise or WPA3-Enterprise with a RADIUS server to manage individual user credentials.

 

2. Policies for Best Security
Two main policies (one to allow Internet access and one to block local resources) should suffice. Add more granular policies if needed based on specific requirements.

 

3. SD-WAN Zone and Rule
If your current SD-WAN setup is not overly complex, adding the new SSID to the existing SD-WAN should be fine. Create a specific SD-WAN rule to prioritize traffic during off-peak hours.

 

4. Application Control and Web Filtering
Yes, implement both application control and web filtering to enhance security and ensure appropriate use of the network.

 

5. Bandwidth Allocation
Allocate bandwidth based on expected usage to prevent network congestion. Consider 50Mbps if you anticipate high usage during off-peak hours.

Recommendation: Start with 50Mbps and monitor the usage. Adjust as needed based on actual performance and user experience.

 

6.Additional Considerations
Access Point Scheduling: Implement the schedule to activate the SSID during desired hours. Ensure that the new SSID is only active during specified hours to manage network load and security.
Guest Network Configuration: Ensure the new SSID is configured as a guest network with appropriate isolation. So, it has proper isolation and security for users connecting to the new SSID.
Quality of Service (QoS): Implement QoS policies to prioritize critical traffic.
Monitoring and Alerts: Set up monitoring and alerting to quickly respond to any issues or unusual activity.
User Education: Inform users about the new SSID, its purpose, and any access limitations.

 

BR.

 

If my answer provided a solution for you, please mark the reply as solved it so that others can get it easily while searching for similar scenarios.

Atakan Atak

View solution in original post

Atakan Atak
7 REPLIES 7
atakannatak
New Contributor III

Hi @sagvan ,

 

Here are some recommendations and answers to your questions for creating a new SSID with limited access on your infrastructure:

 

1. WPA2 vs. WPA3
WPA2:

  • Easier to manage with a shared password.
  • Less secure than WPA3 but still widely used.
  • Limited ability to track individual users.

 

WPA3:

  • More secure, especially against brute-force attacks.
  • Individualized encryption (SAE) offers better protection.
  • Slightly more complex to manage, requiring user-specific credentials.

 

Recommendation: If security is a priority and your client devices support WPA3, it’s worth implementing WPA3. However, if ease of management is more important and WPA2 provides sufficient security for your use case, WPA2 is acceptable. For better monitoring and logging, consider using WPA2-Enterprise or WPA3-Enterprise with a RADIUS server to manage individual user credentials.

 

2. Policies for Best Security
Two main policies (one to allow Internet access and one to block local resources) should suffice. Add more granular policies if needed based on specific requirements.

 

3. SD-WAN Zone and Rule
If your current SD-WAN setup is not overly complex, adding the new SSID to the existing SD-WAN should be fine. Create a specific SD-WAN rule to prioritize traffic during off-peak hours.

 

4. Application Control and Web Filtering
Yes, implement both application control and web filtering to enhance security and ensure appropriate use of the network.

 

5. Bandwidth Allocation
Allocate bandwidth based on expected usage to prevent network congestion. Consider 50Mbps if you anticipate high usage during off-peak hours.

Recommendation: Start with 50Mbps and monitor the usage. Adjust as needed based on actual performance and user experience.

 

6.Additional Considerations
Access Point Scheduling: Implement the schedule to activate the SSID during desired hours. Ensure that the new SSID is only active during specified hours to manage network load and security.
Guest Network Configuration: Ensure the new SSID is configured as a guest network with appropriate isolation. So, it has proper isolation and security for users connecting to the new SSID.
Quality of Service (QoS): Implement QoS policies to prioritize critical traffic.
Monitoring and Alerts: Set up monitoring and alerting to quickly respond to any issues or unusual activity.
User Education: Inform users about the new SSID, its purpose, and any access limitations.

 

BR.

 

If my answer provided a solution for you, please mark the reply as solved it so that others can get it easily while searching for similar scenarios.

Atakan Atak
Atakan Atak
sagvan

@atakannatak 

Thank you for the reply!

I actually meant WPA2 Personal vs WPA2 Enterprise difference, not WPA3 since we have already implemented WPA2 types.

Sagvan Saleem
Sagvan Saleem
ebilcari

The main difference is that Personal will use a PSK (shared secret) and you can't keep track of users activity since they will appear the same. You can enable "Client MAC Address Filtering" to get better visibility but in this case a RADIUS is needed to handle the hosts, like for example FortiNAC.

With Enterprise, authentication is mandatory so you will be able to identify the logged in user but it's a bit complex to setup, it will need a RADIUS server and configuration of the supplicant on the end host.

Some details are shown in this integration guide FAP/FGT with FNAC.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
atakannatak
New Contributor III

Hi @sagvan ,

 

The most logical approach seems to be creating a guest SSID that only provides internet access and is not used for any other service. Since you mentioned you haven't defined this yet, I recommend considering it on the additional consideration part, although it is not mandatory.

 

I mentioned QoS to prioritize your desired content by applying shaper definitions to a specific portion of your 50Mbps line for relevant traffic. You can refer to the link below for guidance or use the example thread provided.

 

https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/297431/traffic-shaping

 

WPA2 comes in two main variants: WPA2 Personal and WPA2 Enterprise. Both provide robust security features, but they cater to different use cases and offer varying levels.

 

WPA2 Personal (WPA2-PSK)
It is designed for home and small business networks where ease of use is a priority. Here are the key characteristics:

 

Authentication:
Uses a pre-shared key (PSK) for authentication.
All users share the same password to access the network.

 

Security:
Provides strong encryption using AES.
Vulnerable to brute-force attacks if the password is weak.
Shared key means that if one user’s credentials are compromised, the entire network is at risk.


WPA2 Enterprise (WPA2-EAP)
It is designed for larger networks such as corporate, educational, and enterprise environments where security and scalability are crucial. Here are the key characteristics:

 

Authentication:
Uses a RADIUS server for authentication.
Each user has unique credentials (username/password) to access the network.

 

Security:
Provides strong encryption using AES.
Individual user credentials reduce the risk of network-wide breaches.
Enhanced security through mutual authentication (both client and server validate each other).

 

BR.

Atakan Atak
Atakan Atak
sagvan

I did not quite get the following as we have not implemented them already. Can you please elaborate how these would be helpful?


Guest Network Configuration: Ensure the new SSID is configured as a guest network with appropriate isolation. So, it has proper isolation and security for users connecting to the new SSID.
Quality of Service (QoS): Implement QoS policies to prioritize critical traffic.

Why would I need to enable guest network while I have a limited access SSID?

Sagvan Saleem
Sagvan Saleem
ozkanaltas
Valued Contributor III

Hello @sagvan ,

 

 

1- You can use WPA3 SAE with FSSO for more security. WPA3 SAE Uses old-style pre-shared key authentication and if you implement  FSSO with that, you can see the username through FSSO. 

2-You just want to give access to the internet. Because of that, one rule is enough for that.

3- In my opinion there is no need for the new zone. You can use the existing zone.

4- If you want, yes. This depends on your company policies. But my advice is every time to enable web filtering profiles on internet rules. This rule should be configured with a block for harmful websites.

5-Also this depends on your decision, you said that I just use this ssid after work hours. If your bandwidth isn't used on after work hours you can give 50mbit. 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
sagvan

@ozkanaltas 

 

Thank you for this reply!

Sagvan Saleem
Sagvan Saleem
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors