
FortiWiFi and FortiAP Configuration Guide

WPA2 Security


WPA2 security with pre-shared keys (PSK) for authentication is called WPA2-Personal. This can work well for one person or a small group of trusted people. As the number of users grows, it becomes difficult to distribute new keys securely, and the risk that the key falls into the wrong hands increases. Because every client derives its session keys from the same PSK, anyone who holds the key and captures a client's 4-way handshake can decrypt that client's traffic, and a captured handshake also allows offline guessing of a weak passphrase. Rotating the key means reconfiguring every client.

A more secure form of WPA2 security is WPA2-Enterprise (802.1X). Each user has their own authentication credentials, verified through an authentication server, usually RADIUS, so a compromised or departed user can be revoked individually without touching other clients. FortiOS can also authenticate WPA2-Enterprise users through its built-in user group functionality: FortiGate user groups can include RADIUS servers and can select users by RADIUS user group. This makes role-based access control (RBAC) possible, for example by applying different firewall policies to different user groups.

This section contains the following topics:

By default, WPA2 security encrypts communication using Advanced Encryption Standard (AES, as AES-CCMP). Some older wireless clients support only Temporal Key Integrity Protocol (TKIP). You can change the encryption to TKIP or negotiable TKIP-AES in the CLI. TKIP is built on RC4, has known attacks and is no longer permitted by WPA2 certification, so enable it only while legacy clients remain on the network and return to AES afterwards; in mixed TKIP-AES mode the broadcast and multicast (group) traffic is protected with TKIP for every client, not only the legacy ones. The passphrase "hardtoguess" in the example is a placeholder; use a long random passphrase (WPA2-PSK allows 8 to 63 ASCII characters). For example, to accommodate clients with either TKIP or AES, enter:

config wireless-controller vap
    edit example_wlan
        set security wpa-personal
        set passphrase "hardtoguess"
        set encrypt TKIP-AES
end
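As an added example (not from the Fortinet guide), the following Python script parses a FortiOS configuration dump of the wireless-controller vap table and reports the weak settings discussed above: TKIP encryption, WPA/WPA2 mixed or WPA-only security modes, a short PSK, and an Enterprise SSID with no RADIUS server or user group behind it. The embedded configuration is constructed for the example: the first VAP is the guide's TKIP-AES WPA2-Personal SSID, and the other two show the hardened WPA2-Personal and WPA2-Enterprise forms. The option names wpa2-only-personal, wpa2-only-enterprise, auth, usergroup and radius-server are assumed FortiOS values, and the 16-character passphrase minimum is an assumed local policy, not a FortiOS limit.

```python
import re

# Constructed FortiOS configuration dump (not from the Fortinet guide). The first
# VAP is the guide's TKIP-AES WPA2-Personal example; the other two are added for
# contrast: an AES-only WPA2-Personal SSID and a WPA2-Enterprise SSID backed by a
# FortiGate user group. wpa2-only-personal, wpa2-only-enterprise, auth, usergroup
# and radius-server are assumed FortiOS option names.
SAMPLE_CONFIG = """\
config wireless-controller vap
    edit "example_wlan"
        set ssid "example"
        set security wpa-personal
        set passphrase "hardtoguess"
        set encrypt TKIP-AES
    next
    edit "guest_wlan"
        set ssid "guest"
        set security wpa2-only-personal
        set passphrase "hardtoguess"
        set encrypt AES
    next
    edit "corp_wlan"
        set ssid "corp"
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroup "wifi-staff"
        set encrypt AES
    next
end
"""

# Assumed local policy, not a FortiOS limit: 802.11i itself allows 8-63 characters.
WEAK_PSK_MIN_LEN = 16

# Security modes that still admit WPA (TKIP-era) clients; assumed FortiOS option names.
LEGACY_WPA_MODES = {"wpa-personal", "wpa-enterprise",
                    "wpa-only-personal", "wpa-only-enterprise"}

VAP_TABLE_RE = re.compile(r"^config wireless-controller vap\s*$(.*?)^end\s*$", re.M | re.S)
EDIT_RE = re.compile(r'^\s*edit "?([^"\n]+?)"?\s*$(.*?)^\s*next\s*$', re.M | re.S)
SET_RE = re.compile(r"^\s*set (\S+) (.+?)\s*$", re.M)


def parse_vaps(config_text):
    """Return {vap_name: {setting: value}} for every entry of the vap table.

    Only flat 'set' lines are read; nested sub-tables inside a VAP are not handled.
    """
    vaps = {}
    for table in VAP_TABLE_RE.findall(config_text):
        for name, body in EDIT_RE.findall(table):
            vaps[name] = {k: v.strip('"') for k, v in SET_RE.findall(body)}
    return vaps


def audit_vap(settings):
    """Return a list of human-readable findings for one VAP's settings."""
    findings = []
    security = settings.get("security", "open")
    encrypt = settings.get("encrypt", "AES")   # AES is the FortiOS default per the guide

    if security == "open":
        findings.append("open SSID: traffic is not encrypted")
    elif security.startswith("wep"):
        findings.append(f"{security}: WEP is broken, move to wpa2-only-*")
    elif security in LEGACY_WPA_MODES:
        findings.append(f"{security}: WPA/WPA2 mixed or WPA-only mode; "
                        "use wpa2-only-personal or wpa2-only-enterprise")

    if "TKIP" in encrypt.upper():
        findings.append(f"encrypt {encrypt}: TKIP permitted (RC4-based, deprecated); set encrypt AES")

    if security.endswith("personal"):
        psk = settings.get("passphrase", "")
        if not 8 <= len(psk) <= 63:
            findings.append("passphrase missing or outside the 8-63 characters WPA2-PSK allows")
        elif len(psk) < WEAK_PSK_MIN_LEN:
            findings.append(f"passphrase is {len(psk)} characters; a captured 4-way handshake "
                            "allows offline guessing, use a longer random PSK")
    elif security.endswith("enterprise"):
        if not (settings.get("radius-server") or settings.get("usergroup")):
            findings.append("enterprise SSID has neither radius-server nor usergroup configured")
    return findings


def audit_config(config_text):
    """Audit every VAP in a configuration dump; returns {vap_name: [findings]}."""
    return {name: audit_vap(s) for name, s in parse_vaps(config_text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Run it against the output of `show wireless-controller vap` saved to a file (read the file and pass its contents to `audit_config`) to check a real FortiGate; the guide's example SSID produces three findings, the AES-only Personal SSID only the short-passphrase finding, and the Enterprise SSID none.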
