WPA3 on FortiAP
WPA3 is supported by FortiGate devices running FortiOS 6.2.0 and later, and by FortiAP-S and FortiAP-W2 devices running 6.2.0 and later.
WPA3 Opportunistic Wireless Encryption (OWE), Simultaneous Authentication of Equals (SAE), and Enterprise are supported, including OWE and SAE transition mode.
To configure WPA3 OWE:
- WPA3 OWE only:
Clients that support WPA3 can connect with this SSID.
    config wireless-controller vap
        edit "80e_owe"
            set ssid "80e_owe"
            set security owe
            set pmf enable
            set schedule "always"
        next
    end
- WPA3 OWE Transition:
Clients connect with normal OPEN or OWE depending on their capability. Clients that support WPA3 connect using the OWE standard. Clients that do not support WPA3 connect to the open SSID.
    config wireless-controller vap
        edit "80e_open"
            set ssid "80e_open"
            set security open
            set owe-transition enable
            set owe-transition-ssid "wpa3_open"
            set schedule "always"
        next
        edit "wpa3_owe_tr"
            set ssid "wpa3_open"
            set broadcast-ssid disable
            set security owe
            set pmf enable
            set owe-transition enable
            set owe-transition-ssid "80e_open"
            set schedule "always"
        next
    end
To configure WPA3 SAE:
- WPA3 SAE:
Clients that support WPA3 can connect with this SSID.
    config wireless-controller vap
        edit "80e_sae"
            set ssid "80e_sae"
            set security wpa3-sae
            set pmf enable
            set schedule "always"
            set sae-password 12345678
        next
    end
- WPA3 SAE Transition:
There are two passwords in the SSID. If passphrase is used, the client connects with WPA2 PSK. If sae-password is used, the client connects with WPA3 SAE.
    config wireless-controller vap
        edit "80e_sae-tr"
            set ssid "80e_sae-transition"
            set security wpa3-sae-transition
            set pmf optional
            set passphrase 11111111
            set schedule "always"
            set sae-password 22222222
        next
    end
To configure WPA3 Enterprise:
Using this option, you can select the auth type to use either RADIUS authentication or local user authentication.
    config wireless-controller vap
        edit "80e_wpa3"
            set ssid "80e_wpa3"
            set security wpa3-enterprise
            set pmf enable
            set auth radius
            set radius-server "wifi-radius"
            set schedule "always"
        next
        edit "80e_wpa3_user"
            set ssid "80e_wpa3_user"
            set security wpa3-enterprise
            set pmf enable
            set auth usergroup
            set usergroup "usergroup"
            set schedule "always"
        next
    end