FortiWiFi and FortiAP Cookbook

6.4.0

WPA3 on FortiAP

WPA3 is supported by FortiGate devices running FortiOS 6.2.0 and later, and by FortiAP-S and FortiAP-W2 devices running 6.2.0 and later.

WPA3 Opportunistic Wireless Encryption (OWE), Simultaneous Authentication of Equals (SAE), and Enterprise are supported, including OWE and SAE transition mode.

To configure WPA3 OWE:
  • WPA3 OWE only:

    Clients that support WPA3 can connect with this SSID.

    config wireless-controller vap
        edit "80e_owe"
            set ssid "80e_owe"
            set security owe
            set pmf enable
            set schedule "always"
        next
    end
  • WPA3 OWE Transition:

    Clients connect with normal Open or OWE depending on their capability. Clients that support WPA3 connect using the OWE standard. Clients that do not support WPA3 connect to the Open SSID.

    config wireless-controller vap
        edit "80e_open"
            set ssid "80e_open"
            set security open
            set owe-transition enable
            set owe-transition-ssid "wpa3_open"
            set schedule "always"
        next
        edit "wpa3_owe_tr"
            set ssid "wpa3_open"
            set broadcast-ssid disable
            set security owe
            set pmf enable
            set owe-transition enable
            set owe-transition-ssid "80e_open"
            set schedule "always"
        next
    end
To configure WPA3 SAE:
  • WPA3 SAE:

    Clients that support WPA3 can connect with this SSID.

    config wireless-controller vap
        edit "80e_sae"
            set ssid "80e_sae"
            set security wpa3-sae
            set pmf enable
            set schedule "always"
            set sae-password 12345678
        next
    end
  • WPA3 SAE Transition:

    This SSID is configured with two passwords. A client that uses the passphrase connects with WPA2 PSK. A client that uses the sae-password connects with WPA3 SAE.

    config wireless-controller vap
        edit "80e_sae-tr"
            set ssid "80e_sae-transition"
            set security wpa3-sae-transition
            set pmf optional
            set passphrase 11111111
            set schedule "always"
            set sae-password 22222222
        next
    end
To configure WPA3 Enterprise:

With this option, you can set the auth type to use either RADIUS authentication or local user authentication.

config wireless-controller vap
    edit "80e_wpa3"
        set ssid "80e_wpa3"
        set security wpa3-enterprise
        set pmf enable
        set auth radius
        set radius-server "wifi-radius"
        set schedule "always"
    next
    edit "80e_wpa3_user"
        set ssid "80e_wpa3_user"
        set security wpa3-enterprise
        set pmf enable
        set auth usergroup
        set usergroup "usergroup"
        set schedule "always"
    next
end
