jbandroidtv
New Contributor

WIFI portal for AD users

As far as I know, FortiGate supports a WIFI portal for authenticating internal users with AD, but how can we protect our users' login/password from being stolen when they connect to a fake SSID and fake portal?
Warren_Olson_FTNT

Check out the rogue AP detection capabilities of your device (under WIFI settings). Start with this article, which is general but may get you started: http://www.fortinet.com/wireless/Fortinet_WiFi_Sol_Guide.pdf
Mark_Oakton
Contributor

You may also want to look at certificates and zone separation and decide what the BYOD strategy is, e.g. are you going to allow AD credentials to be entered into untrusted devices, as there is an inherent risk. And protection is more complicated if you need to actively protect the 'air' when any rogue is not also connected to the wired LAN.
Infosec Partners
Sean_Toomey_FTNT

If you want users to authenticate with LDAP / Active Directory, wouldn't it be better to use WPA2 Enterprise with 802.1x? Have a read of the wireless guide at http://docs.fortinet.com/d/fortigate-deploying-wireless-networks-2 for more info. That is far more secure and does not require user intervention. Also, for Rogue AP, monitoring the APs in the area is one thing, but be sure to whitelist any known good APs for neighboring people or companies before turning on any blocking of rogue APs, or else you will not win any friends from your neighbors when you bring down their wireless network. :)
-- Sean Toomey, CISSP FCNSP Consulting Security Engineer (CSE) FORTINET— High Performance Network Security