WPA3 support

6.2.0

WPA3 security modes can be selected when configuring SSIDs.

To configure WPA3 in the GUI:
  1. Go to WiFi & Switch Controller > SSID.
  2. Create a new SSID, or edit a current one.
  3. In the WiFi Settings section, set the Security Mode to a WPA3 option.

  4. Configure the remaining settings as needed.
  5. Click OK.
  6. Use a client with WPA3 to verify the connection.

To configure WPA3 in the CLI:
  1. WPA3 OWE:
    1. WPA3 OWE only.

      Clients that support WPA3 can connect with this SSID.

      config wireless-controller vap
          edit "80e_owe"
              set ssid "80e_owe"
              set security owe
              set pmf enable
              set schedule "always"
          next
      end
    2. WPA3 OWE TRANSITION.

      Clients connect with normal Open or OWE depending on their capability: clients that support WPA3 connect with the OWE standard, and clients that cannot support WPA3 connect with the Open SSID.

      config wireless-controller vap
          edit "80e_open"
              set ssid "80e_open"
              set security open
              set owe-transition enable
              set owe-transition-ssid "wpa3_open"
              set schedule "always"
          next
          edit "wpa3_owe_tr"
              set ssid "wpa3_open"
              set broadcast-ssid disable
              set security owe
              set pmf enable
              set owe-transition enable
              set owe-transition-ssid "80e_open"
              set schedule "always"
          next
      end
  2. WPA3 SAE:
    1. WPA3 SAE.

      Clients that support WPA3 can connect with this SSID.

      config wireless-controller vap
          edit "80e_sae"
              set ssid "80e_sae"
              set security wpa3-sae
              set pmf enable
              set schedule "always"
              set sae-password 12345678
          next
      end
    2. WPA3 SAE TRANSITION.

      There are two passwords in the SSID. If passphrase is used, the client connects with WPA2 PSK. If sae-password is used, the client connects with WPA3 SAE.

      config wireless-controller vap
          edit "80e_sae-tr"
              set ssid "80e_sae-transition"
              set security wpa3-sae-transition
              set pmf optional
              set passphrase 11111111
              set schedule "always"
              set sae-password 22222222
          next
      end
  3. WPA3 Enterprise.

    Select the auth type to use either RADIUS authentication or local user authentication.

    config wireless-controller vap
        edit "80e_wpa3"
            set ssid "80e_wpa3"
            set security wpa3-enterprise
            set pmf enable
            set auth radius
            set radius-server "wifi-radius"
            set schedule "always"
        next
        edit "80e_wpa3_user"
            set ssid "80e_wpa3_user"
            set security wpa3-enterprise
            set pmf enable
            set auth usergroup
            set usergroup "usergroup"
            set schedule "always"
        next
    end
  4. Use a client with WPA3 to verify the connection.
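A configuration check for the VAP settings above, as an added example (not Fortinet code): it parses a `config wireless-controller vap` block, then flags pure WPA3 VAPs that lack `set pmf enable` and OWE transition VAPs whose `owe-transition-ssid` values do not reference each other. The function names, the sample input with its two deliberate mistakes, and the rule set (taken from the examples on this page) are assumptions.

```python
import re
# Constructed sample: OWE transition pair with a typo in one back-reference and no PMF.
SAMPLE = '''
config wireless-controller vap
    edit "80e_open"
        set ssid "80e_open"
        set security open
        set owe-transition enable
        set owe-transition-ssid "wpa3_open"
    next
    edit "wpa3_owe_tr"
        set ssid "wpa3_open"
        set broadcast-ssid disable
        set security owe
        set owe-transition enable
        set owe-transition-ssid "80e_opne"
    next
end
'''

def parse_vaps(text):
    """Return {vap_name: {option: value}} for each 'edit' entry."""
    vaps, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r'edit\s+"?([^"]+)"?$', line):
            current = vaps.setdefault(m.group(1), {})
        elif line == "next":
            current = None
        elif current is not None and (m := re.match(r'set\s+(\S+)\s+(.*)$', line)):
            current[m.group(1)] = m.group(2).strip('"')
    return vaps

def audit(vaps):
    """Flag pure WPA3 VAPs lacking 'pmf enable' (rule taken from this page's examples) and unpaired OWE links."""
    findings = []
    by_ssid = {v.get("ssid"): (name, v) for name, v in vaps.items()}
    for name, v in vaps.items():
        sec = v.get("security")
        if sec in ("owe", "wpa3-sae", "wpa3-enterprise") and v.get("pmf") != "enable":
            findings.append(f"{name}: {sec} without 'set pmf enable'")
        if v.get("owe-transition") == "enable":
            peer = by_ssid.get(v.get("owe-transition-ssid"))
            if peer is None:
                findings.append(f"{name}: owe-transition-ssid matches no configured SSID")
            elif peer[1].get("owe-transition-ssid") != v.get("ssid"):
                findings.append(f"{name}: peer {peer[0]} does not point back")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_vaps(SAMPLE))))
```

Correcting the typo and adding `set pmf enable` to the OWE VAP makes the audit return no findings.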
