Fortinet Document Library

Version:


Table of Contents

6.2.0
Download PDF
Copy Link

WPA3 support

WPA3 security modes can be selected when configuring SSIDs.

To configure WPA3 in the GUI:
  1. Go to WiFi & Switch Controller > SSID.
  2. Create a new SSID, or edit a current one.
  3. In the WiFi Settings section, set the Security Mode to a WPA3 option.

  4. Configure the remaining settings as needed.
  5. Click OK.
  6. Use a client with WPA3 to verify the connection.
To configure WPA3 in the CLI:
  1. WPA3 OWE:
    1. WPA3 OWE only.

      Clients that support WPA3 can connect with this SSID.

      config wireless-controller vap
          edit "80e_owe"
              set ssid "80e_owe"
              set security owe
              set pmf enable
              set schedule "always"
          next
      end
    2. WPA3 OWE TRANSITION.

      Clients connect with normal OPEN or OWE depending on its capability: Clients that support WPA3 connect with OWS standard, and clients that cannot support WPA3 connect with Open SSID.

      config wireless-controller vap
          edit "80e_open"
              set ssid "80e_open"
              set security open
              set owe-transition enableset owe-transition-ssid "wpa3_open"
              set schedule "always"
          next
          edit "wpa3_owe_tr"
              set ssid "wpa3_open"
              set broadcast-ssid disable
              set security owe
              set pmf enable
              set owe-transition enableset owe-transition-ssid "80e_open"
              set schedule "always"
          next
      end
  2. WPA3 SAE:
    1. WPA3 SAE.

      Clients that support WPA3 can connect with this SSID.

      config wireless-controller vap
          edit "80e_sae"
              set ssid "80e_sae"
              set security wpa3-sae
              set pmf enable
              set schedule "always"
              set sae-password 12345678
          next
      end
    2. WPA3 SAE TRANSITION.

      There are two passwords in the SSID. If passphrase is used, the client connects with WPA2 PSK. If sae-password is used, the client connects with WPA3 SAE.

      config wireless-controller vap
          edit "80e_sae-tr"
              set ssid "80e_sae-transition"
              set security wpa3-sae-transition
              set pmf optional
              set passphrase 11111111
              set schedule "always"
              set sae-password 22222222
          next
      end
  3. WPA3 Enterprise.

    Select the auth type to use either RADIUS authentication or local user authentication.

    config wireless-controller vap
        edit "80e_wpa3"
            set ssid "80e_wpa3"
            set security wpa3-enterprise
            set pmf enable
            set auth radius
            set radius-server "wifi-radius"
            set schedule "always"
        next
        edit "80e_wpa3_user"
            set ssid "80e_wpa3_user"
            set security wpa3-enterprise
            set pmf enable
            set auth usergroup
            set usergroup "usergroup"
            set schedule "always"
        next
    end
  4. Use a client with WPA3 to verify the connection.

WPA3 support

WPA3 security modes can be selected when configuring SSIDs.

To configure WPA3 in the GUI:
  1. Go to WiFi & Switch Controller > SSID.
  2. Create a new SSID, or edit a current one.
  3. In the WiFi Settings section, set the Security Mode to a WPA3 option.

  4. Configure the remaining settings as needed.
  5. Click OK.
  6. Use a client with WPA3 to verify the connection.
To configure WPA3 in the CLI:
  1. WPA3 OWE:
    1. WPA3 OWE only.

      Clients that support WPA3 can connect with this SSID.

      config wireless-controller vap
          edit "80e_owe"
              set ssid "80e_owe"
              set security owe
              set pmf enable
              set schedule "always"
          next
      end
    2. WPA3 OWE TRANSITION.

      Clients connect with normal OPEN or OWE depending on its capability: Clients that support WPA3 connect with OWS standard, and clients that cannot support WPA3 connect with Open SSID.

      config wireless-controller vap
          edit "80e_open"
              set ssid "80e_open"
              set security open
              set owe-transition enableset owe-transition-ssid "wpa3_open"
              set schedule "always"
          next
          edit "wpa3_owe_tr"
              set ssid "wpa3_open"
              set broadcast-ssid disable
              set security owe
              set pmf enable
              set owe-transition enableset owe-transition-ssid "80e_open"
              set schedule "always"
          next
      end
  2. WPA3 SAE:
    1. WPA3 SAE.

      Clients that support WPA3 can connect with this SSID.

      config wireless-controller vap
          edit "80e_sae"
              set ssid "80e_sae"
              set security wpa3-sae
              set pmf enable
              set schedule "always"
              set sae-password 12345678
          next
      end
    2. WPA3 SAE TRANSITION.

      There are two passwords in the SSID. If passphrase is used, the client connects with WPA2 PSK. If sae-password is used, the client connects with WPA3 SAE.

      config wireless-controller vap
          edit "80e_sae-tr"
              set ssid "80e_sae-transition"
              set security wpa3-sae-transition
              set pmf optional
              set passphrase 11111111
              set schedule "always"
              set sae-password 22222222
          next
      end
  3. WPA3 Enterprise.

    Select the auth type to use either RADIUS authentication or local user authentication.

    config wireless-controller vap
        edit "80e_wpa3"
            set ssid "80e_wpa3"
            set security wpa3-enterprise
            set pmf enable
            set auth radius
            set radius-server "wifi-radius"
            set schedule "always"
        next
        edit "80e_wpa3_user"
            set ssid "80e_wpa3_user"
            set security wpa3-enterprise
            set pmf enable
            set auth usergroup
            set usergroup "usergroup"
            set schedule "always"
        next
    end
  4. Use a client with WPA3 to verify the connection.