Tag Archives: Vlans

Fortinet – Creating vlans for devices directly connected to device

The other day I had the need to plug a Ruckus Access point directly into the Fortigate firewall. The client only needed 1 AP, and connecting directly into one of the ports on the Fortigate was the best way – PoE was provided by an injector.

The question came up of how to create the Vlan interface when directly connecting the device to Fortigate.

In this example I will create the vlan on the Internal switch “lan”, and control the vlan from the Ruckus Zonedirector. This will create two separate logical interfaces. Internal, and Staff-Wireless, my newly created vlan.¬† These two interfaces will require IPV4 policies to allow communication. If you have a lot of VLANs it might be a great idea to utilize Zones in the FW to reduce the number of firewall policies needed.

Lets get started

Vlan creation of Fortigate

So, lets create the vlan for “Staff-Wifi” Vlan 200. You can just create

create-interface

Now lets put in the needed info.

Interface

The below shows the status of the interface:

show-int

Notice the VLAN ID – this is seen by right clicking the column settings and enabling that.

Thats it! The Ruckus AP will tag “Staff-Wireless” traffic as vlan 200. So, when the FGT sees the vlan tag of 200 on any ports in the lan switch, it will be treated as Staff-Wifi, thus getting all of its network and policies.

To make the AP work correctly, it needs to be plugged directly into the FGT or a switch behind the FGT that has the vlan created and that vlan would need to be tagged on both the AP and uplink to Fortigate.

Below shows the advanced options of my Ruckus  ZD. I am tagging the Staff-Wifi SSID as vlan 200.

Ruckus.JPG

Remember on the Ruckus side only vlan 200 is being tagged for Staff-wifi AP management traffic is untagged – so it would be on my “LAN” switch network.

 

Advertisements

Passing VLAN tags through a Ubiquiti NanoStation M5

I was working with some wireless bridge the other day that I had never used. I needed to get VLAN tags to pass through this wireless bridge, but for some reason they were not. I thought.. “this is a bridge it should pretty much be plug and play”. I was wrong. These bridges seem to do a great job, and are easy to setup, but I had problems finding out how to do this. I thought I would write up a simple post on how to allow VLAN tags to pass through this bridge.

My first issue was the bridges were on a very old firmware. I was on version 5.3, after finding some documentation I thought it was best that I upgrade. I upgraded all the way to the newest version which is 5.6.

Next I noticed that the WDS was not checked. To give some background on why this is so important:

WDS, which stands for Wireless Distribution System, is a feature that enables single-radio APs to be wirelessly inconnected instead of using a wired Ethernet connection.WDS connections are MAC address-based and employ a special data frame type that uses all four of the (MAC) address fields allowed in the 802.11 standard, instead of the three addresses used in normal AP <-> STA (client) traffic. (In the 802.11 frame header, address 1 is the destination address, address 2 is the source address, address 3 is the BSSID of the network and address 4 is used for WDS, to indicate the transmitter address.)

So that’s the reason that Vlan tags would not pass – WDS was not checked, so basically this was a acting as a switch instead of a transparent bridge.

Here are my settings that in the end fixed my vlan tagging issues. First had to upgrade the firmware, then next enable WDS on both aps, one being a Station (Client) the other being a AP. Last, of course make sure that switches both bridges plug into are trunk ports, and have the vlans created.

bridge2

bridge1

Dynamic Vlans with Ruckus wireless and Microsoft NPS

Hello all, I recently was given a strange task. An office needs to have everyone in there office on different vlans. The reason for this is that each user is developing software and they need to test VIA wireless to other wireless¬† devices. Lots and Lots of broadcast, as well as different subnets. So, how can we separate each of these users wirelessly and give each of them their own “play space”? You can accomplish this a couple ways: We can have 100 different WLANs, each with their own Vlans, or use 1 SSID and use Dynamic Vlans to separate them out.

The tools I will be using are – Ruckus Wireless Zondirector, and APs, Microsoft NPS, and Wireshark to take a better look at what is happening at the packet level.

So first lets setup everything. We need to use 802.1x authentication for WLAN Access. I will not walk through all the steps here but definitely do another blog entry on setting that up. So lets assume as of now we have 802.1x working great for authentication.

Our next step is that we need to create new Security Groups in AD and add our users to them. I added groups that reflected the Vlan name. For example WIFI-VLan-150 and then added my user I want to get VLAN 150 to.

Next lets create our Radius Policies.

Create a new Network Policy- match the Group, add your Encryption and other settings. See below:

1

Then add your Constraints that you would like:

constraints

Next the magic happens – we have to add in our Radius attributes . These are Standard radius attributes. We will add 4 802.1x attributes.

Attributes to add:

1. Tunnel-Assignment-ID – String – Vlan ID.

2. Tunnel-Type – Select Virtual Lans (VLANS)

3. Tunnel-Medium-Type – Value – 802 – Commonly used for 802.1x

4. Tunnel-Pvt-Group-ID – Value – String – Vlan ID. Note – I did not add this at first, this attribute is what fixed my issue, and successfully pushed the Vlan ID to my client.

Here is a screenshot of all the attributes:

attributes

Make sure this policy is above your default policies. The next screen shot shows my order of policies. Notice I have one for 666 vlan, and 150. Then there is a domain computer, then a catch all for domain users.

policies

That’s it for Radius, now we need to create the WLAN for in Ruckus for our Dynamic Vlans. Remember, we are assuming everything works great with Radius authentication from the get go.

The main thing when creating the WLAN in Ruckus is to use 802.1x for authentication, and then under “Advanced” check the “Dynamic Vlan” box. You will notice I am using “SRV-dir03” For authentication (My Radius Server). Apply this and we should be golden.

ruckus

To check and make sure you are on the correct vlan/wlan you can always check your ip address or look into Ruckus and see what your info is. You Notice mine –

jc