sagvan
Contributor

WPA2 Enterprise - Android Problem

Hello, everyone!
I hope you are all doing great.

We have already implemented 3 SSIDs, one of which was supposed to be for guests only, with WPA2 Personal, and the other two were for employees and managers.

However, since some employees had Android phones, which did not accept WPA2 Personal, we had to share the guest SSID password with them. The number of such users increased and made it more difficult to keep track of the users' traffic, and the worst part was that they also shared the password with other employees.

I have also created another SSID for the residency building, but I have not shared it with the residents, except one for testing purposes.

My question is, does Android have a solution for this? What should I do if I want to create a new SSID for the employees and residents with a new WPA2 SSID with the same privileges as the guest SSID?

Note: We have a FortiGate-100F and multiple FortiAP-231F.

Best regards,

Sagvan Saleem
ebilcari
Staff

As far as I am aware, there is no limitation for Android devices to use WPA2/3 for both Personal (PSK) and Enterprise. It may require some extra configuration, but it's doable.

What issues are you facing?

This AP supports up to 8 SSIDs so you can create multiple SSIDs.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
sagvan

@ebilcari 

I don't know. Android has a weird and more detailed configuration for WPA2 Enterprise SSIDs.

Also, I don't need more SSIDs. I just need to have an SSID with username+password authentication.

What do you think?

Sagvan Saleem
sagvansaleem

@ebilcari 

What do you think I should choose among these?

Sagvan Saleem
ebilcari

The commonly used protocol for authenticating with user credentials is PEAP. You have to pay attention to the server certificate verification: the certificate needs to be trusted by the phone. Either a publicly signed certificate (trusted by default) or one from a private CA (the root CA needs to be manually uploaded to each device) can be configured on the RADIUS server. There are many articles online with step-by-step Android configuration, like this one for example.

- Emirjon
abelio
SuperUser

Hello Sagvan

As you know, WPA2 Personal involves distributing the PSK among your users, which is manageable for a small group but unacceptable as the number of users increases.
Although 8 SSIDs are supported, it's advisable not to add many SSIDs (unless required).

If you cannot deploy WPA2 or 3 Enterprise as the Security Mode for managers and employees, consider WPA2 with Captive Portal at least.

For guest access you could add a disclaimer (see the 'email collection' feature for tracking).
You could also authenticate users with a password to permit network access controlled by firewall policies, and additionally allow access only to members of a specified user group.

Anyway, WPA2 Personal also offers a 'multiple shared keys' feature under the same SSID (the FGT 100F supports that), an option to consider.

https://docs.fortinet.com/document/fortiap/7.4.0/fortiwifi-and-fortiap-configuration-guide/292926/ca...

Hope it helps.

As @ebilcari pointed out, Enterprise security mode is the way to go when you have to deal with manager, employee and guest access to wireless and wired resources, but other requirements must be met (RADIUS/LDAP etc.).

regards / Abel
sagvan

@abelio 

Thank you for the comment.


How would I benefit from the multiple key feature?

Sagvan Saleem
ebilcari

MPSK helps to segment the same SSID from the access and security perspective. It allows assigning different VLANs based on the PSK that is used. It also offers some protection in case of a leaked shared key: if a key is compromised, only that key needs to be changed and only some of the hosts will be affected, not every host that connects to that SSID.

- Emirjon
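An added example of what the MPSK setup described above looks like on the FortiGate CLI. This is not code from the thread or from the Fortinet documentation; the profile, group, SSID and VLAN values and the passphrases are placeholders, and the option names follow the FortiOS 7.x wireless-controller CLI as I know it, so check them against the CLI reference for your firmware.

```text
# Added example (not from the thread): one WPA2-Personal SSID, three PSK groups,
# each group mapped to its own VLAN. Names, VLAN IDs and passphrases are placeholders.
config wireless-controller mpsk-profile
    edit "staff-mpsk"
        config mpsk-group
            edit "employees"
                set vlan-type fixed-vlan
                set vlan-id 20
                config mpsk-key
                    edit "employees-2024"
                        set passphrase "PLACEHOLDER-employee-key"
                    next
                end
            next
            edit "managers"
                set vlan-type fixed-vlan
                set vlan-id 30
                config mpsk-key
                    edit "managers-2024"
                        set passphrase "PLACEHOLDER-manager-key"
                    next
                end
            next
            edit "residents"
                set vlan-type fixed-vlan
                set vlan-id 40
                config mpsk-key
                    edit "residents-2024"
                        set passphrase "PLACEHOLDER-resident-key"
                    next
                end
            next
        end
    next
end

# Attach the profile to the SSID; dynamic VLAN assignment is needed so a client
# lands on the VLAN of the group whose key it used.
config wireless-controller vap
    edit "staff-ssid"
        set ssid "Staff"
        set security wpa2-only-personal
        set mpsk-profile "staff-mpsk"
        set dynamic-vlan enable
    next
end
```

If one group's key leaks, only that group's passphrase is replaced and the other groups keep working, and firewall policies can then be written per VLAN interface rather than per SSID.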
sagvan

That's clear, thank you!

Sagvan Saleem