Fortinet black logo

FortiWiFi and FortiAP Configuration Guide

WPA3 Security

Copy Link
Copy Doc ID 89ea0dba-bc2e-11ec-9fd1-fa163e15d75b:233803
Download PDF

WPA3 Security

Tooltip

For full WPA3 support, we recommend you update your FortiGate and FortiAP devices to the latest supported firmware version.

  • FortiGate devices running FortiOS 7.0.0 and later.

  • FortiAP devices running 6.4.3 and later.
  • FortiAP-S and FortiAP-W2 devices running 6.4.3 and later.
  • FortiAP-U devices running 6.2.2 and later.

For more precise support information between FortiGate and FortiAP firmware versions, see each model's release notes.

You can configure the following WPA3 security modes:

  • WPA3 Enterprise 192-bit
  • WPA3 Enterprise Only
  • WPA3 Enterprise Transition
  • WPA3 Simultaneous Authentication of Equals (SAE)
  • WPA3 SAE Transition
  • Opportunistic Wireless Encryption (OWE)
  • OWE Transition
To configure WPA3 on an SSID - GUI
  1. Go to WiFi Controller > SSID.
  2. Create a new SSID, or edit a current one.
  3. In the WiFi Settings section, set the Security Mode to a WPA3 option.

  4. Configure the relevant security settings as needed.

  5. Click OK.

Configuring WPA3 OWE - CLI

To configure WPA3 OWE only

Clients that support WPA3 can connect with this SSID.

config wireless-controller vap
    edit "80e_owe"
        set ssid "80e_owe"
        set security owe
        set pmf enable
        set schedule "always"
    next
end
To configure WPA3 OWE Transition

Clients connect with normal OPEN or OWE depending on its capability. Clients which support WPA3 connect with OWS standard. Clients which cannot support WPA3 connect with Open SSID.

config wireless-controller vap
    edit "80e_open"
        set ssid "80e_open"
        set security open
        set owe-transition enable
        set owe-transition-ssid "wpa3_open"
        set schedule "always"
    next
    edit "wpa3_owe_tr"
        set ssid "wpa3_open"
        set broadcast-ssid disable
        set security owe
        set pmf enable
        set owe-transition enable
        set owe-transition-ssid "80e_open"
        set schedule "always"
    next
end

Configuring WPA3 SAE - CLI

To configure WPA3 SAE

Clients that support WPA3 can connect with this SSID.

config wireless-controller vap
    edit "80e_sae"
        set ssid "80e_sae"
        set security wpa3-sae
        set pmf enable
        set schedule "always"
        set sae-password ********
    next
end
To configure WPA3 SAE Transition

There are two passwords in the SSID. If passphrase is used, the client connects with WPA2 PSK. If sae-password is used, the client connects with WPA3 SAE.

config wireless-controller vap
    edit "80e_sae-tr"
        set ssid "80e_sae-transition"
        set security wpa3-sae-transition
        set pmf optional
        set passphrase ********
        set schedule "always"
        set sae-password ********
    next
end
To configure WPA3 SAE and enable H2E only
config wireless-controller vap
  edit "wifi"
    set ssid "Example_SSID"
    set security wpa3-sae
    set pmf enable
    set sae-h2e-only enable
    set schedule "always"
    set sae-password ENC *
  next
end
To configure WPA3 SAE and enable SAE-PK
config wireless-controller vap
  edit "wifi"
    set ssid "Example_SSID"
    set security wpa3-sae
    set pmf enable
    set sae-pk enable
    set sae-private-key "11"
    set schedule "always"
    set sae-password ENC *
  next
end

Configuring WPA3 Enterprise - CLI

When using the following WPA3 Enterprise options, you can select the auth type to use either RADIUS authentication or local user authentication.

To configure WPA3 Enterprise 192-bit
Tooltip

By default, this option is not show in the GUI. When you configure this SSID from the CLI, the GUI will list the security option as WPA3 Enterprise 192-bit.

Using this option, you can set the security mode to wpa3-enterprise to use 192-bit encryption with PMF mandatory.

config wireless-controller vap
    edit "80e_wpa3"
        set ssid "80e_wpa3"
        set security wpa3-enterprise
        set pmf enable
        set auth radius
        set radius-server "wifi-radius"
        set schedule "always"
    next
    edit "80e_wpa3_user"
        set ssid "80e_wpa3_user"
        set security wpa3-enterprise
        set pmf enable
        set auth usergroup
        set usergroup "usergroup"
        set schedule "always"
    next
end
To configure WPA3 Enterprise Only

Using this option, you can set the security mode to wpa3-only-enterprise to use WPA3 Enterprise with PMF mandatory.

config wireless-controller vap
  edit "wpa3"
    set ssid "wpa3"
    set security wpa3-only-enterprise
    set pmf enable
    set auth radius
    set radius-server "FAC"
    set schedule "always"
  next
end
To configure WPA3 Enterprise Transition

Using this option, you can set the security mode to wpa3-enterprise-transition to use WPA3 Enterprise with PMF optional. A WPA3-Enterprise STA shall negotiate PMF when associating with an AP using WPA3-Enterprise transition mode.

config wireless-controller vap
  edit "wpa3"
    set ssid "wpa3"
    set security wpa3-enterprise-transition
    set pmf optional
    set auth radius
    set radius-server "FAC"
    set schedule "always"
  next
end

WPA3 Security

Tooltip

For full WPA3 support, we recommend you update your FortiGate and FortiAP devices to the latest supported firmware version.

  • FortiGate devices running FortiOS 7.0.0 and later.

  • FortiAP devices running 6.4.3 and later.
  • FortiAP-S and FortiAP-W2 devices running 6.4.3 and later.
  • FortiAP-U devices running 6.2.2 and later.

For more precise support information between FortiGate and FortiAP firmware versions, see each model's release notes.

You can configure the following WPA3 security modes:

  • WPA3 Enterprise 192-bit
  • WPA3 Enterprise Only
  • WPA3 Enterprise Transition
  • WPA3 Simultaneous Authentication of Equals (SAE)
  • WPA3 SAE Transition
  • Opportunistic Wireless Encryption (OWE)
  • OWE Transition
To configure WPA3 on an SSID - GUI
  1. Go to WiFi Controller > SSID.
  2. Create a new SSID, or edit a current one.
  3. In the WiFi Settings section, set the Security Mode to a WPA3 option.

  4. Configure the relevant security settings as needed.

  5. Click OK.

Configuring WPA3 OWE - CLI

To configure WPA3 OWE only

Clients that support WPA3 can connect with this SSID.

config wireless-controller vap
    edit "80e_owe"
        set ssid "80e_owe"
        set security owe
        set pmf enable
        set schedule "always"
    next
end
To configure WPA3 OWE Transition

Clients connect with normal OPEN or OWE depending on its capability. Clients which support WPA3 connect with OWS standard. Clients which cannot support WPA3 connect with Open SSID.

config wireless-controller vap
    edit "80e_open"
        set ssid "80e_open"
        set security open
        set owe-transition enable
        set owe-transition-ssid "wpa3_open"
        set schedule "always"
    next
    edit "wpa3_owe_tr"
        set ssid "wpa3_open"
        set broadcast-ssid disable
        set security owe
        set pmf enable
        set owe-transition enable
        set owe-transition-ssid "80e_open"
        set schedule "always"
    next
end

Configuring WPA3 SAE - CLI

To configure WPA3 SAE

Clients that support WPA3 can connect with this SSID.

config wireless-controller vap
    edit "80e_sae"
        set ssid "80e_sae"
        set security wpa3-sae
        set pmf enable
        set schedule "always"
        set sae-password ********
    next
end
To configure WPA3 SAE Transition

There are two passwords in the SSID. If passphrase is used, the client connects with WPA2 PSK. If sae-password is used, the client connects with WPA3 SAE.

config wireless-controller vap
    edit "80e_sae-tr"
        set ssid "80e_sae-transition"
        set security wpa3-sae-transition
        set pmf optional
        set passphrase ********
        set schedule "always"
        set sae-password ********
    next
end
To configure WPA3 SAE and enable H2E only
config wireless-controller vap
  edit "wifi"
    set ssid "Example_SSID"
    set security wpa3-sae
    set pmf enable
    set sae-h2e-only enable
    set schedule "always"
    set sae-password ENC *
  next
end
To configure WPA3 SAE and enable SAE-PK
config wireless-controller vap
  edit "wifi"
    set ssid "Example_SSID"
    set security wpa3-sae
    set pmf enable
    set sae-pk enable
    set sae-private-key "11"
    set schedule "always"
    set sae-password ENC *
  next
end

Configuring WPA3 Enterprise - CLI

When using the following WPA3 Enterprise options, you can select the auth type to use either RADIUS authentication or local user authentication.

To configure WPA3 Enterprise 192-bit
Tooltip

By default, this option is not show in the GUI. When you configure this SSID from the CLI, the GUI will list the security option as WPA3 Enterprise 192-bit.

Using this option, you can set the security mode to wpa3-enterprise to use 192-bit encryption with PMF mandatory.

config wireless-controller vap
    edit "80e_wpa3"
        set ssid "80e_wpa3"
        set security wpa3-enterprise
        set pmf enable
        set auth radius
        set radius-server "wifi-radius"
        set schedule "always"
    next
    edit "80e_wpa3_user"
        set ssid "80e_wpa3_user"
        set security wpa3-enterprise
        set pmf enable
        set auth usergroup
        set usergroup "usergroup"
        set schedule "always"
    next
end
To configure WPA3 Enterprise Only

Using this option, you can set the security mode to wpa3-only-enterprise to use WPA3 Enterprise with PMF mandatory.

config wireless-controller vap
  edit "wpa3"
    set ssid "wpa3"
    set security wpa3-only-enterprise
    set pmf enable
    set auth radius
    set radius-server "FAC"
    set schedule "always"
  next
end
To configure WPA3 Enterprise Transition

Using this option, you can set the security mode to wpa3-enterprise-transition to use WPA3 Enterprise with PMF optional. A WPA3-Enterprise STA shall negotiate PMF when associating with an AP using WPA3-Enterprise transition mode.

config wireless-controller vap
  edit "wpa3"
    set ssid "wpa3"
    set security wpa3-enterprise-transition
    set pmf optional
    set auth radius
    set radius-server "FAC"
    set schedule "always"
  next
end