Supporting WPA3 on FAP 6.2.1
This feature is implemented on FortiOS 6.2.0 b0816 and FAP-S/W2 6.2.0 b0218. The GUI configuration is implemented in FortiOS 6.2.1 b0885.
In October 2017, Mathy Vanhoef published a paper describing a flaw in WPA2 networks known as the Key Reinstallation Attack (KRACK). To address the attack, the Wi-Fi Alliance announced in January 2018 that WPA2 enhancements and a new WPA3 standard were coming in 2018.
The Wi-Fi Alliance defined three areas for improvement:
- Enhanced Open: The Wi-Fi Alliance proposes using Opportunistic Wireless Encryption (OWE) (RFC 8110) to improve security in open networks.
- WPA3 Personal: WPA3-Personal uses Simultaneous Authentication of Equals (SAE).
- WPA3 Enterprise: WPA3-Enterprise contains a new 192-bit security level.
All three areas incorporate Protected Management Frames (PMF) as a prerequisite to protect management frame integrity.
To configure WPA3 in the GUI:
- Go to WiFi & Switch Controller > SSID.
- Click Create New > SSID.
- In the WiFi Settings section, from the Security Mode dropdown list, select a WPA3 option.
- Click OK.
Use a client with WPA3 to verify the connection.
To configure WPA3 in the CLI:
- WPA3 OWE.
  - WPA3 OWE only. Only clients which support WPA3 can connect to this SSID.

    config wireless-controller vap
        edit "80e_owe"
            set ssid "80e_owe"
            set security owe
            set pmf enable
            set schedule "always"
        next
    end

  - WPA3 OWE TRANSITION. Clients connect with normal Open or with OWE depending on their capability. Clients which support WPA3 connect using OWE to the hidden OWE SSID. Clients which do not support WPA3 connect to the Open SSID.

    config wireless-controller vap
        edit "80e_open"
            set ssid "80e_open"
            set security open
            set owe-transition enable
            set owe-transition-ssid "wpa3_open"
            set schedule "always"
        next
        edit "wpa3_owe_tr"
            set ssid "wpa3_open"
            set broadcast-ssid disable
            set security owe
            set pmf enable
            set owe-transition enable
            set owe-transition-ssid "80e_open"
            set schedule "always"
        next
    end
- WPA3 SAE.
  - WPA3 SAE. Only clients which support WPA3 can connect to this SSID.

    config wireless-controller vap
        edit "80e_sae"
            set ssid "80e_sae"
            set security wpa3-sae
            set pmf enable
            set schedule "always"
            set sae-password 12345678
        next
    end

  - WPA3 SAE TRANSITION. There are two passwords in the SSID. If the passphrase is used, the client connects with WPA2-PSK. If the sae-password is used, the client connects with WPA3-SAE.

    config wireless-controller vap
        edit "80e_sae-tr"
            set ssid "80e_sae-transition"
            set security wpa3-sae-transition
            set pmf optional
            set passphrase 11111111
            set schedule "always"
            set sae-password 22222222
        next
    end
- WPA3 Enterprise. Using this option, you can select the auth type to use either RADIUS authentication or local user authentication.

    config wireless-controller vap
        edit "80e_wpa3"
            set ssid "80e_wpa3"
            set security wpa3-enterprise
            set pmf enable
            set auth radius
            set radius-server "wifi-radius"
            set schedule "always"
        next
        edit "80e_wpa3_user"
            set ssid "80e_wpa3_user"
            set security wpa3-enterprise
            set pmf enable
            set auth usergroup
            set usergroup "usergroup"
            set schedule "always"
        next
    end
Use a client with WPA3 to verify the connection.
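The CLI samples above all follow one rule: every WPA3 mode carries PMF, with transition modes relaxing it to optional so legacy clients can still join. The following audit script is an added example (not Fortinet code): it parses a "config wireless-controller vap" fragment and flags SSIDs that violate that rule or lack the password a mode needs. The sample config is constructed, and treating a missing pmf setting as "disable" is an assumption about the device default.

```python
import re

# Constructed sample fragment (not from a live device). The second VAP omits pmf.
SAMPLE_CONFIG = """
config wireless-controller vap
    edit "80e_sae-tr"
        set ssid "80e_sae-transition"
        set security wpa3-sae-transition
        set pmf optional
        set passphrase 11111111
        set sae-password 22222222
    next
    edit "80e_owe"
        set ssid "80e_owe"
        set security owe
        set schedule "always"
    next
end
"""

# Accepted pmf values per WPA3 security mode; transition mode may use optional
# so WPA2-PSK clients without PMF support can still connect.
PMF_REQUIRED = {"owe": {"enable"}, "wpa3-sae": {"enable"},
                "wpa3-enterprise": {"enable"},
                "wpa3-sae-transition": {"enable", "optional"}}

def parse_vaps(text):
    """Return {vap_name: {setting: value}} from a FortiOS vap config fragment."""
    vaps, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
            vaps[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            vaps[current][key] = value.strip('"')
        elif line == "next":
            current = None
    return vaps

def audit_wpa3(text):
    """Return (vap, problem) findings for WPA3 SSIDs with weak or missing settings."""
    findings = []
    for name, s in parse_vaps(text).items():
        mode = s.get("security")
        if mode not in PMF_REQUIRED:
            continue
        pmf = s.get("pmf", "disable")  # assumption: unset pmf means disabled
        if pmf not in PMF_REQUIRED[mode]:
            allowed = "/".join(sorted(PMF_REQUIRED[mode]))
            findings.append((name, f"security {mode} requires pmf {allowed}, found {pmf}"))
        if mode.startswith("wpa3-sae") and "sae-password" not in s:
            findings.append((name, "sae-password is not set"))
        if mode == "wpa3-sae-transition" and "passphrase" not in s:
            findings.append((name, "passphrase for WPA2-PSK clients is not set"))
    return findings
```

Run it over the output of "show wireless-controller vap" to get a list of SSIDs to revisit before letting WPA3 clients on.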