Hello, everyone!
I hope you are all doing great.
We have already implemented 3 SSIDs, one of which was supposed to be for guests only, with WPA2 Personal, and the other two were for employees and managers.
However, since some employees had Android phones, which did not accept WPA2 Personal, we had to share the guest SSID password with them. The number of such users increased, which made it more difficult to keep track of the users' traffic, and the worst was that they also shared the password with other employees.
I have also created another SSID for the residency building, but I have not shared it with the residents, except one for testing purposes.
My question is, does Android have a solution for this? What should I do if I want to create a new SSID for the employees and residents with a new WPA2 SSID with the same privileges as the guest SSID?
Note: We have Fortigate-100F and multiple FortiAP-231F.
Best regards,
As far as I am aware, there is no limitation for Android devices to use WPA2/3 for both Personal (PSK) and Enterprise. It may require some extra configuration, but it's doable.
What issues are you facing?
This AP supports up to 8 SSIDs so you can create multiple SSIDs.
I don't know. Android has weird and more detailed configuration for WPA2 Enterprise SSIDs.
Also, I don't need more SSIDs. I just need to have an SSID with username+password authentication.
What do you think?
The commonly used protocol for authenticating using user credentials is PEAP. You have to pay attention to the server certificate verification, which needs to be trusted by the phone. Either a publicly signed certificate (trusted by default) or one from a private CA (the root CA needs to be manually uploaded on each device) can be configured on the RADIUS server. There are many articles online for step-by-step Android configurations like this one for example.
Hello Sagvan
As you know, WPA2 Personal involves distributing the PSK among your users, manageable for a small group, but unacceptable as the number of users increases.
Although 8 SSIDs are supported, it's advisable not to add many SSIDs (unless required).
If you cannot deploy WPA2 or 3 Enterprise as Security Mode for managers and employees, consider WPA2 with Captive Portal at least.
For guest access you could add a disclaimer (see 'email collection' feature for tracking).
You could also authenticate users with a password to permit network access controlled by firewall policies, and additionally allow access to only members of a specified user group.
Anyway, WPA2 Personal also offers the 'multiple shared keys' feature under the same SSID (FGT 100F supports that), an option to consider.
https://docs.fortinet.com/document/fortiap/7.4.0/fortiwifi-and-fortiap-configuration-guide/292926/ca...
Hope it helps.
As @ebilcari pointed out, Enterprise security mode is the way to go when you have to deal with manager, employee and guest access to wireless and wired resources, but other requirements must be met (RADIUS/LDAP etc.).
regards
/ Abel
MPSK helps to segment the same SSID from the access and security perspective. It allows assigning different VLANs based on the PSK that is used. It also offers some type of protection in case of a leaked shared key. So, in case of a compromised key, only that key needs to be changed and only some of the hosts will be affected, not every host that connects to that SSID.
That's clear, thank you!