- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- New SSID Recommendation
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
New SSID Recommendation
Hello, everyone!
I hope you are all doing great.
I have the task of creating a new SSID for our campus accommodation. This SSID must have limited access, meaning the users should only access the Internet, not local resources, such as servers, PCs, network devices, such as printers, etc.
We already have three other SSIDs with two lines coming from the ISP, meaning we also have SD-WAN.
The main line is 100Mbps while the backup is 30Mbps. The backup is used for employees with limited access and guests.
After business hours, most of the time, there could only be a few people working, so I was thinking of using the main line so it could handle the tens to hundreds of users.
I am also planning to give the access points at the building only this new SSID with a schedule to work after business hours until the next day's morning.
My questions are:
1- Should I create a WPA2 Personal or WPA2 Enterprise to have the best monitoring and logs? The WPA3 implementation will be more headache for me to manage their usernames and passwords. WPA2 will not show who is doing what.
2- How should I define my policies and how many policies should I create to have the best security?
3- DO I need a separate SD-WAN zone and rule or should I just add the new SSID to the existing one of the main line?
4- Should I implement application control and web filtering?
5- Should I give half of the speed (50Mbps) to this new SSID?
6- What are somethings I may have forgotten to ask and should consider?
Best regards,
Sagvan Saleem
Solved! Go to Solution.
Sagvan Saleem
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @sagvan ,
Here are some recommendations and answers to your questions for creating a new SSID with limited access on your infrastructure:
1. WPA2 vs. WPA3
WPA2:
- Easier to manage with a shared password.
- Less secure than WPA3 but still widely used.
- Limited ability to track individual users.
WPA3:
- More secure, especially against brute-force attacks.
- Individualized encryption (SAE) offers better protection.
- Slightly more complex to manage, requiring user-specific credentials.
Recommendation: If security is a priority and your client devices support WPA3, it’s worth implementing WPA3. However, if ease of management is more important and WPA2 provides sufficient security for your use case, WPA2 is acceptable. For better monitoring and logging, consider using WPA2-Enterprise or WPA3-Enterprise with a RADIUS server to manage individual user credentials.
2. Policies for Best Security
Two main policies (one to allow Internet access and one to block local resources) should suffice. Add more granular policies if needed based on specific requirements.
3. SD-WAN Zone and Rule
If your current SD-WAN setup is not overly complex, adding the new SSID to the existing SD-WAN should be fine. Create a specific SD-WAN rule to prioritize traffic during off-peak hours.
4. Application Control and Web Filtering
Yes, implement both application control and web filtering to enhance security and ensure appropriate use of the network.
5. Bandwidth Allocation
Allocate bandwidth based on expected usage to prevent network congestion. Consider 50Mbps if you anticipate high usage during off-peak hours.
Recommendation: Start with 50Mbps and monitor the usage. Adjust as needed based on actual performance and user experience.
6.Additional Considerations
Access Point Scheduling: Implement the schedule to activate the SSID during desired hours. Ensure that the new SSID is only active during specified hours to manage network load and security.
Guest Network Configuration: Ensure the new SSID is configured as a guest network with appropriate isolation. So, it has proper isolation and security for users connecting to the new SSID.
Quality of Service (QoS): Implement QoS policies to prioritize critical traffic.
Monitoring and Alerts: Set up monitoring and alerting to quickly respond to any issues or unusual activity.
User Education: Inform users about the new SSID, its purpose, and any access limitations.
BR.
If my answer provided a solution for you, please mark the reply as solved it so that others can get it easily while searching for similar scenarios.
Atakan Atak
Atakan Atak
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @sagvan ,
Here are some recommendations and answers to your questions for creating a new SSID with limited access on your infrastructure:
1. WPA2 vs. WPA3
WPA2:
- Easier to manage with a shared password.
- Less secure than WPA3 but still widely used.
- Limited ability to track individual users.
WPA3:
- More secure, especially against brute-force attacks.
- Individualized encryption (SAE) offers better protection.
- Slightly more complex to manage, requiring user-specific credentials.
Recommendation: If security is a priority and your client devices support WPA3, it’s worth implementing WPA3. However, if ease of management is more important and WPA2 provides sufficient security for your use case, WPA2 is acceptable. For better monitoring and logging, consider using WPA2-Enterprise or WPA3-Enterprise with a RADIUS server to manage individual user credentials.
2. Policies for Best Security
Two main policies (one to allow Internet access and one to block local resources) should suffice. Add more granular policies if needed based on specific requirements.
3. SD-WAN Zone and Rule
If your current SD-WAN setup is not overly complex, adding the new SSID to the existing SD-WAN should be fine. Create a specific SD-WAN rule to prioritize traffic during off-peak hours.
4. Application Control and Web Filtering
Yes, implement both application control and web filtering to enhance security and ensure appropriate use of the network.
5. Bandwidth Allocation
Allocate bandwidth based on expected usage to prevent network congestion. Consider 50Mbps if you anticipate high usage during off-peak hours.
Recommendation: Start with 50Mbps and monitor the usage. Adjust as needed based on actual performance and user experience.
6.Additional Considerations
Access Point Scheduling: Implement the schedule to activate the SSID during desired hours. Ensure that the new SSID is only active during specified hours to manage network load and security.
Guest Network Configuration: Ensure the new SSID is configured as a guest network with appropriate isolation. So, it has proper isolation and security for users connecting to the new SSID.
Quality of Service (QoS): Implement QoS policies to prioritize critical traffic.
Monitoring and Alerts: Set up monitoring and alerting to quickly respond to any issues or unusual activity.
User Education: Inform users about the new SSID, its purpose, and any access limitations.
BR.
If my answer provided a solution for you, please mark the reply as solved it so that others can get it easily while searching for similar scenarios.
Atakan Atak
Atakan Atak
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the reply!
I actually meant WPA2 Personal vs WPA2 Enterprise difference, not WPA3 since we have already implemented WPA2 types.
Sagvan Saleem
Sagvan Saleem
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The main difference is that Personal will use a PSK (shared secret) and you can't keep track of users activity since they will appear the same. You can enable "Client MAC Address Filtering" to get better visibility but in this case a RADIUS is needed to handle the hosts, like for example FortiNAC.
With Enterprise, authentication is mandatory so you will be able to identify the logged in user but it's a bit complex to setup, it will need a RADIUS server and configuration of the supplicant on the end host.
Some details are shown in this integration guide FAP/FGT with FNAC.
- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
If you have found a solution, please like and accept it to make it easily accessible for others.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @sagvan ,
The most logical approach seems to be creating a guest SSID that only provides internet access and is not used for any other service. Since you mentioned you haven't defined this yet, I recommend considering it on the additional consideration part, although it is not mandatory.
I mentioned QoS to prioritize your desired content by applying shaper definitions to a specific portion of your 50Mbps line for relevant traffic. You can refer to the link below for guidance or use the example thread provided.
https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/297431/traffic-shaping
WPA2 comes in two main variants: WPA2 Personal and WPA2 Enterprise. Both provide robust security features, but they cater to different use cases and offer varying levels.
WPA2 Personal (WPA2-PSK)
It is designed for home and small business networks where ease of use is a priority. Here are the key characteristics:
Authentication:
Uses a pre-shared key (PSK) for authentication.
All users share the same password to access the network.
Security:
Provides strong encryption using AES.
Vulnerable to brute-force attacks if the password is weak.
Shared key means that if one user’s credentials are compromised, the entire network is at risk.
WPA2 Enterprise (WPA2-EAP)
It is designed for larger networks such as corporate, educational, and enterprise environments where security and scalability are crucial. Here are the key characteristics:
Authentication:
Uses a RADIUS server for authentication.
Each user has unique credentials (username/password) to access the network.
Security:
Provides strong encryption using AES.
Individual user credentials reduce the risk of network-wide breaches.
Enhanced security through mutual authentication (both client and server validate each other).
BR.
Atakan Atak
Atakan Atak
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did not quite get the following as we have not implemented them already. Can you please elaborate how these would be helpful?
Guest Network Configuration: Ensure the new SSID is configured as a guest network with appropriate isolation. So, it has proper isolation and security for users connecting to the new SSID.
Quality of Service (QoS): Implement QoS policies to prioritize critical traffic.
Why would I need to enable guest network while I have a limited access SSID?
Sagvan Saleem
Sagvan Saleem
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @sagvan ,
1- You can use WPA3 SAE with FSSO for more security. WPA3 SAE Uses old-style pre-shared key authentication and if you implement FSSO with that, you can see the username through FSSO.
2-You just want to give access to the internet. Because of that, one rule is enough for that.
3- In my opinion there is no need for the new zone. You can use the existing zone.
4- If you want, yes. This depends on your company policies. But my advice is every time to enable web filtering profiles on internet rules. This rule should be configured with a block for harmful websites.
5-Also this depends on your decision, you said that I just use this ssid after work hours. If your bandwidth isn't used on after work hours you can give 50mbit.
If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it
easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Related Posts
- Fortiap dhcp issue 170 Views
- WPA2 Enterprise - Android Problem 304 Views
- Help with WiFi SSID DNS issue... 304 Views
- Routing Problem to DHCP Relay 360 Views
- FortiAP-231F Scheduled Boots and Shut downs 188 Views
Labels
-
FortiGate
6,920 -
FortiClient
1,365 -
5.2
801 -
5.4
639 -
FortiManager
597 -
FortiAnalyzer
436 -
6.0
416 -
5.6
362 -
FortiAP
361 -
FortiSwitch
357 -
FortiClient EMS
279 -
FortiMail
269 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
168 -
6.4
128 -
FortiNAC
122 -
FortiGuard
111 -
IPsec
96 -
FortiGateCloud
91 -
FortiSIEM
91 -
FortiCloud Products
85 -
SSL-VPN
83 -
FortiToken
75 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
63 -
FortiProxy
48 -
FortiADC
45 -
FortiEDR
42 -
SD-WAN
41 -
Fortivoice
41 -
FortiDNS
37 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiSandbox
33 -
FortiSwitch v6.4
32 -
Firewall policy
31 -
VLAN
27 -
High Availability
27 -
FortiAuthenticator
26 -
FortiConnect
24 -
FortiWAN
23 -
ZTNA
21 -
FortiConverter
21 -
DNS
19 -
FortiPortal
18 -
FortiSwitch v6.2
17 -
SAML
17 -
FortiGate v5.2
17 -
LDAP
17 -
Certificate
17 -
BGP
16 -
VDOM
16 -
FortiMonitor
14 -
Interface
14 -
Logging
14 -
Authentication
13 -
FortiGate v5.0
13 -
FortiLink
13 -
Routing
13 -
FortiDDoS
13 -
FortiCASB
12 -
NAT
11 -
RADIUS
10 -
SSL SSH inspection
10 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Fortigate Cloud
9 -
4.0MR2
9 -
SSID
8 -
FortiBridge
8 -
WAN optimization
8 -
Application control
8 -
FortiGate v4.0 MR3
8 -
IP address management - IPAM
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Web profile
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Traffic shaping policy
6 -
Web application firewall profile
6 -
Proxy policy
5 -
Packet capture
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Antivirus profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
trunk
4 -
Port policy
4 -
FortiDeceptor
3 -
Fortinet Engage Partner Program
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
FortiPAM
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Users
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Multicast routing
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Explicit proxy
1 -
Zone
1
Top Kudoed Authors
| User | Count |
|---|---|
| 983 | |
| 820 | |
| 446 | |
| 440 | |
| 131 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.