
FortiWiFi and FortiAP Configuration Guide

Enabling Beacon Protection

You can enable Beacon Protection on WPA3 SSIDs to improve Wi-Fi security by protecting beacon frames. Beacon Protection was introduced in WPA3 and protects the integrity of beacon frames, which are essential for network discovery and connection establishment. This helps devices discover and connect to legitimate networks, reducing attack risks.

Note

Beacon Protection is supported on FortiAP K series running the "wifi7" special builds (branched out of FortiAP 7.4.x).

FortiAP F and G series running 7.4.x builds do NOT support Beacon Protection.

CLI Changes:
config wireless-controller vap
    edit <name>
        set beacon-protection {enable | disable}
    next
end

Beacon Protection is disabled by default.

To enable Beacon Protection from the FortiGate:
config wireless-controller vap
    edit "wpa3-sae-beacon"
        set ssid "wpa3-sae-beacon"
        set security wpa3-only-enterprise
        set pmf enable
        set beacon-protection enable
        set auth radius
        set radius-server "peap"
        set local-bridging enable
        set schedule "always"
    next
end

To assign Beacon Protection to a FortiAP profile:
config wireless-controller wtp-profile
    edit FAP441K-default
        config radio-2
            set vaps wpa3-sae-beacon
        end
    next
end

To verify that Beacon Protection is assigned and enabled on a FortiAP:
FortiAP-441K # vcfg
-------------------------------VAP Configuration    1----------------------------
Radio Id  1 WLAN Id  0 wpa3-sae-beacon ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
           vlanid=0, intf=wlan10, vap=0x28a9202c, bssid=38:c0:ea:f1:51:70
           11ax high-efficiency=enabled target-wake-time=enabled
           bss-color-partial=enabled
           mesh backhaul=disabled
           local_auth=disabled standalone=disabled nat_mode=disabled
           local_bridging=enabled split_tunnel=disabled layer3_roaming=disabled
           intra_ssid_priv=disabled
           mcast_enhance=disabled igmp_snooping=disabled
           mac_auth=disabled fail_through_mode=disabled sta_info=0/0
           mac=local, tunnel=8023, cap=8ce0, qos=disabled
           prob_resp_suppress=disabled
           rx sop=disabled
           sticky client remove=disabled
           mu mimo=enabled           ldpc_config=rxtx
           dhcp_option43_insertion=enabled           dhcp_option82_insertion=disabled
           dhcp_enforcement=disabled
           access_control_list=disabled
           bc_suppression=dhcp dhcp-ucast arp
           auth=WPA3 Enterprise Only, RADIUS, AES WPA keyIdx=6, keyLen=16, keyStatus=1, gTsc=000000000000
           key=92c6ab16 9239a724 bd20eaad e677d35c
           pmf=required
           beacon_prot=enabled

The following Beacon frame capture shows that the FortiAP adds a Management MIC (message integrity check) element to the Beacon frames of an SSID with Beacon Protection enabled:

IEEE 802.11 Wireless Management
    Fixed parameters (12 bytes)
    Tagged parameters (509 bytes)
        Tag: SSID parameter set: wpa3-sae-beacon
        Tag: Supported Rates 6(B), 9, 12(B), 18, 24(B), 36, 48, 54, [Mbit/sec]
        Tag: Traffic Indication Map (TIM): DTIM 0 of 0 bitmap
        Tag: Country Information: Country Code US, Environment Indoor
        Tag: Power Constraint: 0
        Tag: TPC Report Transmit Power: 24, Link Margin: 0
        Tag: Extended Supported Rates Unknown Rate, [Mbit/sec]
        Tag: RSN Information
        Tag: QBSS Load Element 802.11e CCA Version
        Tag: RM Enabled Capabilities (5 octets)
        Tag: HT Capabilities (802.11n D1.10)
        Tag: HT Information (802.11n D1.10)
        Tag: Extended Capabilities (13 octets)
        Tag: VHT Capabilities
        Tag: VHT Operation
        Tag: VHT Tx Power Envelope
        Tag: Reserved (201): Undecoded
        Tag: Reserved (244): Undecoded
        Ext Tag: HE Capabilities (IEEE Std 802.11ax/D3.0)
        Ext Tag: HE Operation (IEEE Std 802.11ax/D3.0)
        Ext Tag: Spatial Reuse Parameter Set
        Ext Tag: MU EDCA Parameter Set
        Tag: Vendor Specific: Qualcomm Inc.
        Tag: Vendor Specific: Fortinet Inc.
        Tag: Vendor Specific: Fortinet Inc.
        Tag: Vendor Specific: Fortinet Inc.
        Tag: Vendor Specific: Microsoft Corp.: WMM/WME: Parameter Element
        Tag: Vendor Specific: Qualcomm Inc.
        Tag: Vendor Specific: Qualcomm Inc.
        Tag: Management MIC
            Tag Number: Management MIC (76)
            Tag length: 16
            KeyID: 6
            IPN: a00300000000
            MIC: 0cc6d9f2580036f1

In the "Extended Capabilities" element of the same Beacon frame, the 11th octet has the Beacon Protection Enabled bit set (0x10):

Tag: Extended Capabilities (13 octets)
            Tag Number: Extended Capabilities (127)
            Tag length: 13
            Extended Capabilities: 0x04 (octet 1)
            Extended Capabilities: 0x00 (octet 2)
            Extended Capabilities: 0x0f (octet 3)
            Extended Capabilities: 0x02 (octet 4)
            Extended Capabilities: 0x00 (octet 5)
            Extended Capabilities: 0x00 (octet 6)
            Extended Capabilities: 0x00 (octet 7)
            Extended Capabilities: 0x0040 (octets 8 & 9)
            Extended Capabilities: 0x40 (octet 10)
            Extended Capabilities: 0x10 (octet 11)
                .... ...0 = Complete List of NonTxBSSID Profiles: False
                .... ..0. = SAE Password Identifiers In Use: False
                .... .0.. = SAE Passwords Used Exclusively: False
                .... 0... = Enhanced Multi-BSSID Advertisement Support: False
                ...1 .... = Beacon Protection Enabled: True
                ..0. .... = Mirrored SCS: False
                .0.. .... = OCT: False
                0... .... = Local MAC Address Policy: False
            Extended Capabilities: 0x00 (octet 12)
            Extended Capabilities: 0x00 (octet 13)
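
The two checks above can be scripted against the tagged parameters of a captured Beacon frame. The following Python is an added example, not Fortinet code: it walks the elements, tests the Beacon Protection bit in octet 11 of Extended Capabilities, and decodes the Management MIC element. The function names are hypothetical and the sample bytes are constructed from the field values shown in the capture.

```python
import struct

EID_EXT_CAPS = 127   # Extended Capabilities element
EID_MME = 76         # Management MIC element (MME)
BP_OCTET = 11        # 1-based octet number, as in the dissection above
BP_MASK = 0x10       # "...1 .... = Beacon Protection Enabled"

# Constructed sample: only the three elements of interest, with field values
# re-typed from the capture above (byte order of octets 8 & 9 is assumed).
SAMPLE = (
    bytes([0, 15]) + b"wpa3-sae-beacon"
    + bytes([EID_EXT_CAPS, 13])
    + bytes.fromhex("04 00 0f 02 00 00 00 40 00 40 10 00 00")
    + bytes([EID_MME, 16])
    + bytes.fromhex("06 00  a0 03 00 00 00 00  0c c6 d9 f2 58 00 36 f1")
)

def parse_elements(tagged: bytes) -> dict:
    """Walk ID/length/value elements; raise on truncated input."""
    elems, off = {}, 0
    while off < len(tagged):
        if off + 2 > len(tagged):
            raise ValueError("truncated element header")
        eid, length = tagged[off], tagged[off + 1]
        body = tagged[off + 2: off + 2 + length]
        if len(body) != length:
            raise ValueError(f"element {eid} truncated")
        elems.setdefault(eid, body)      # keep the first occurrence
        off += 2 + length
    return elems

def beacon_protection_status(tagged: bytes) -> dict:
    """Report whether the flag is advertised and whether an MME is present."""
    elems = parse_elements(tagged)
    caps = elems.get(EID_EXT_CAPS, b"")
    advertised = len(caps) >= BP_OCTET and bool(caps[BP_OCTET - 1] & BP_MASK)
    mme, decoded = elems.get(EID_MME), None
    # MME body: KeyID (2) + IPN (6) + MIC (8, or 16 with a 256-bit cipher)
    if mme is not None and len(mme) in (16, 24):
        decoded = {
            "key_id": struct.unpack_from("<H", mme)[0],
            "ipn": int.from_bytes(mme[2:8], "little"),  # replay counter
            "mic": mme[8:].hex(),
        }
    # A beacon that advertises protection but carries no MME (or the
    # reverse) is worth flagging when monitoring the air.
    return {"advertised": advertised, "mme": decoded,
            "consistent": advertised == (decoded is not None)}

if __name__ == "__main__":
    print(beacon_protection_status(SAMPLE))
```

This only checks that the flag and the MIC element are present and well-formed; verifying the MIC itself requires the BIGTK, which a passive capture does not have.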
