Enabling Beacon Protection
You can enable Beacon Protection on WPA3 SSIDs to protect the integrity of Beacon frames. Beacon Protection was introduced with WPA3 (IEEE 802.11-2020). The AP appends a Management MIC Element (MME) to each Beacon, computed with a Beacon Integrity Group Temporal Key (BIGTK) that it distributes to stations during the key handshake, so an associated client can detect forged or tampered Beacons (for example, injected channel-switch or altered capability fields) instead of acting on them. Because the BIGTK is only handed out after association, a station that has not yet joined the network cannot verify Beacons; Beacon Protection reduces the attack surface for connected clients rather than securing network discovery itself, and it requires Protected Management Frames (PMF) on the SSID.
Beacon Protection is supported on FortiAP K series running the "wifi7" special builds (branched out of FortiAP 7.4.x). FortiAP F and G series running 7.4.x builds do NOT support Beacon Protection.
CLI Changes:
    config wireless-controller vap
        edit <name>
            set beacon-protection {enable | disable}
        end
Beacon Protection is disabled by default.
To enable Beacon Protection from the FortiGate:
    config wireless-controller vap
        edit "wpa3-sae-beacon"
            set ssid "wpa3-sae-beacon"
            set security wpa3-only-enterprise
            set pmf enable
            set beacon-protection enable
            set auth radius
            set radius-server "peap"
            set local-bridging enable
            set schedule "always"
        next
    end
To assign Beacon Protection to a FortiAP profile:
    conf wireless-controller wtp-profile
        edit FAP441K-default
            conf radio-2
                set vaps wpa3-sae-beacon
            end
        next
    end
To verify that Beacon Protection is assigned and enabled on a FortiAP (the last line of the VAP entry shows pmf=required and beacon_prot=enabled; note that vcfg also prints the current group key material, so treat the output as sensitive):
    FortiAP-441K # vcfg
    -------------------------------VAP Configuration 1----------------------------
    Radio Id 1 WLAN Id 0 wpa3-sae-beacon ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
    vlanid=0, intf=wlan10, vap=0x28a9202c, bssid=38:c0:ea:f1:51:70
    11ax high-efficiency=enabled target-wake-time=enabled bss-color-partial=enabled
    mesh backhaul=disabled
    local_auth=disabled standalone=disabled nat_mode=disabled local_bridging=enabled split_tunnel=disabled
    layer3_roaming=disabled intra_ssid_priv=disabled mcast_enhance=disabled igmp_snooping=disabled
    mac_auth=disabled fail_through_mode=disabled
    sta_info=0/0 mac=local, tunnel=8023, cap=8ce0, qos=disabled
    prob_resp_suppress=disabled rx sop=disabled sticky client remove=disabled
    mu mimo=enabled ldpc_config=rxtx
    dhcp_option43_insertion=enabled dhcp_option82_insertion=disabled dhcp_enforcement=disabled
    access_control_list=disabled bc_suppression=dhcp dhcp-ucast arp
    auth=WPA3 Enterprise Only, RADIUS, AES
    WPA keyIdx=6, keyLen=16, keyStatus=1, gTsc=000000000000
    key=92c6ab16 9239a724 bd20eaad e677d35c
    pmf=required beacon_prot=enabled
The following Beacon frame capture shows that the FortiAP adds a Management MIC Element (MME, tag number 76) to the Beacon frames of an SSID with Beacon Protection enabled. The MME carries the Key ID (6, one of the two key IDs reserved for the BIGTK), the Beacon IPN replay counter, and the 8-octet BIP MIC:
    IEEE 802.11 Wireless Management
        Fixed parameters (12 bytes)
        Tagged parameters (509 bytes)
            Tag: SSID parameter set: wpa3-sae-beacon
            Tag: Supported Rates 6(B), 9, 12(B), 18, 24(B), 36, 48, 54, [Mbit/sec]
            Tag: Traffic Indication Map (TIM): DTIM 0 of 0 bitmap
            Tag: Country Information: Country Code US, Environment Indoor
            Tag: Power Constraint: 0
            Tag: TPC Report Transmit Power: 24, Link Margin: 0
            Tag: Extended Supported Rates Unknown Rate, [Mbit/sec]
            Tag: RSN Information
            Tag: QBSS Load Element 802.11e CCA Version
            Tag: RM Enabled Capabilities (5 octets)
            Tag: HT Capabilities (802.11n D1.10)
            Tag: HT Information (802.11n D1.10)
            Tag: Extended Capabilities (13 octets)
            Tag: VHT Capabilities
            Tag: VHT Operation
            Tag: VHT Tx Power Envelope
            Tag: Reserved (201): Undecoded
            Tag: Reserved (244): Undecoded
            Ext Tag: HE Capabilities (IEEE Std 802.11ax/D3.0)
            Ext Tag: HE Operation (IEEE Std 802.11ax/D3.0)
            Ext Tag: Spatial Reuse Parameter Set
            Ext Tag: MU EDCA Parameter Set
            Tag: Vendor Specific: Qualcomm Inc.
            Tag: Vendor Specific: Fortinet Inc.
            Tag: Vendor Specific: Fortinet Inc.
            Tag: Vendor Specific: Fortinet Inc.
            Tag: Vendor Specific: Microsoft Corp.: WMM/WME: Parameter Element
            Tag: Vendor Specific: Qualcomm Inc.
            Tag: Vendor Specific: Qualcomm Inc.
            Tag: Management MIC
                Tag Number: Management MIC (76)
                Tag length: 16
                KeyID: 6
                IPN: a00300000000
                MIC: 0cc6d9f2580036f1
The AP also advertises the capability: bit 4 of the 11th octet of the "Extended Capabilities" element (capability bit 84, value 0x10) is the Beacon Protection Enabled flag, which a supporting client checks before it expects an MME on every Beacon:
    Tag: Extended Capabilities (13 octets)
        Tag Number: Extended Capabilities (127)
        Tag length: 13
        Extended Capabilities: 0x04 (octet 1)
        Extended Capabilities: 0x00 (octet 2)
        Extended Capabilities: 0x0f (octet 3)
        Extended Capabilities: 0x02 (octet 4)
        Extended Capabilities: 0x00 (octet 5)
        Extended Capabilities: 0x00 (octet 6)
        Extended Capabilities: 0x00 (octet 7)
        Extended Capabilities: 0x0040 (octets 8 & 9)
        Extended Capabilities: 0x40 (octet 10)
        Extended Capabilities: 0x10 (octet 11)
            .... ...0 = Complete List of NonTxBSSID Profiles: False
            .... ..0. = SAE Password Identifiers In Use: False
            .... .0.. = SAE Passwords Used Exclusively: False
            .... 0... = Enhanced Multi-BSSID Advertisement Support: False
            ...1 .... = Beacon Protection Enabled: True
            ..0. .... = Mirrored SCS: False
            .0.. .... = OCT: False
            0... .... = Local MAC Address Policy: False
        Extended Capabilities: 0x00 (octet 12)
        Extended Capabilities: 0x00 (octet 13)