FortiAP Management – Support for WPA3 on FAP

Support for WPA3 on FAP

This feature is implemented on FortiOS 6.2.0 B0816 and FAP-S/W2 6.2.0 b0218. In October 2017, Mathy Vanhoef published a document that exposed a flaw in WPA2 networks known as Key Reinstallation Attack (KRACK). To avoid the attack, the Wi-Fi Alliance announced in January that WPA2 enhancements and a new WPA3 standard were coming in 2018.

The Wi-Fi Alliance defines three areas for improvement:

  • Enhanced Open: The Wi-Fi Alliance proposes using Opportunistic Wireless Encryption (OWE) (RFC 8110)to improve security in such networks.
  • WPA3 Personal: WPA3-Personal utilizes Simultaneous Authentication of Equals (SAE). l WPA3 Enterprise: WPA3-Enterprise contains a new 192-bit security level.

All three areas incorporate Protected Management Frames (PMF) as a prerequisite to protect management frame integrity.

Configuration

  1. WPA3 OWE
    1. WPA3 OWE only: only Client which support WPA3 can connect with this SSID.

config wireless-controller vap

edit “80e_owe”

set ssid “80e_owe” set security owe set pmf enable set schedule “always”

next end

  1. WPA3 OWE TRANSITION: Client connected with normal OPEN or OWE depends on its capability. If client can support WPA3, it will connect with owe standard. If client not support WPA3, it will connect with Open SSID.

config wireless-controller vap

edit “80e_open” set ssid “80e_open” set security open set owe-transition enable set owe-transition-ssid “wpa3_open” set schedule “always” next edit “wpa3_owe_tr” set ssid “wpa3_open” set broadcast-ssid disable set security owe set pmf enable set owe-transition enable set owe-transition-ssid “80e_open” set schedule “always” next

  1. WPA3 SAE
  2. WPA3 SAE: Client with WPA3 support can connect with the SSID.

config wireless-controller vap

edit “80e_sae” set ssid “80e_sae” set security wpa3-sae set pmf enable set schedule “always” set sae-password 12345678

next end

  1. WPA3 SAE TRANSITION: There are two passwords in the SSID. Client will connect with WPA2 PSK if passphrase is used. Client will connect with WPA3 SAE if sae-password is used.

config wireless-controller vap

edit “80e_sae-tr” set ssid “80e_sae-transition” set security wpa3-sae-transition

set pmf optional set passphrase 11111111 set schedule “always” set sae-password 22222222

next end

  1. WPA3 Enterprise: When select security as wpa3-enterprise, the auth type can choose either radius authentication or local user authentication.

config wireless-controller vap edit “80e_wpa3” set ssid “80e_wpa3” set security wpa3-enterprise

set pmf enable set auth radius

set radius-server “wifi-radius” set schedule “always” next

edit “80e_wpa3_user” set ssid “80e_wpa3_user” set security wpa3-enterprise

set pmf enable set auth usergroup set usergroup “usergroup” set schedule “always”

next end

This entry was posted in Administration Guides, FortiAP, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

6 thoughts on “FortiAP Management – Support for WPA3 on FAP

  1. Morse

    The firmware version on this FortiAP does not support WPA3. The following SSIDs will not be available:
    This is the message I get with the 40F wifi? What does it mean when the wpa3 option is there.

    Reply
    1. Mike Post author

      Not on the FortiWIFI 40F unless I am mistaken. I have less experience with those models though. I don’t go below a 60 series normally.

      Reply
      1. Morse

        Thanks for the reply and sorry I thought my message was removed as did not see it initially. Just don’t understand why the option is there if it is not working? Seems really backwards,

        Reply
    1. Mike Post author

      HAH! Comments have to be approved before they go live on the site to reduce spam. I responded to your previous message after I approved it.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.