Supporting WPA3 on FAP 6.2.1

This feature is implemented on FortiOS 6.2.0 b0816 and FAP-S/W2 6.2.0 b0218. The GUI configuration is implemented in FortiOS 6.2.1 b0885.

In October 2017, Mathy Vanhoef published a paper disclosing a flaw in WPA2 networks known as the Key Reinstallation Attack (KRACK). In response, the Wi-Fi Alliance announced in January that WPA2 enhancements and a new WPA3 standard would arrive in 2018.

The Wi-Fi Alliance defined three areas for improvement:

  • Enhanced Open: The Wi-Fi Alliance proposes using Opportunistic Wireless Encryption (OWE) (RFC 8110) to improve security in open networks.
  • WPA3 Personal: WPA3-Personal uses Simultaneous Authentication of Equals (SAE).
  • WPA3 Enterprise: WPA3-Enterprise introduces a new 192-bit security level.

All three areas incorporate Protected Management Frames (PMF) as a prerequisite to protect management frame integrity.

To configure WPA3 in the GUI:
  1. Go to WiFi & Switch Controller > SSID.
  2. Click Create New > SSID.
  3. In the WiFi Settings section, select a WPA3 option from the Security Mode dropdown list.
  4. Click OK.

Use a client with WPA3 to verify the connection.

To configure WPA3 in the CLI:
  1. WPA3 OWE.
    1. WPA3 OWE only. Only clients that support WPA3 (OWE) can connect to this SSID.
      config wireless-controller vap
          edit "80e_owe"
              set ssid "80e_owe"
              set security owe
              set pmf enable
              set schedule "always"
          next
      end
    2. WPA3 OWE TRANSITION. Clients connect with either normal Open or OWE, depending on their capability: clients that support WPA3 connect using OWE, and clients that do not support WPA3 connect to the Open SSID. The two VAPs reference each other through owe-transition-ssid, and the OWE SSID is not broadcast.
      config wireless-controller vap
          edit "80e_open"
              set ssid "80e_open"
              set security open
              set owe-transition enable
              set owe-transition-ssid "wpa3_open"
              set schedule "always"
          next

          edit "wpa3_owe_tr"
              set ssid "wpa3_open"
              set broadcast-ssid disable
              set security owe
              set pmf enable
              set owe-transition enable
              set owe-transition-ssid "80e_open"
              set schedule "always"
          next
      end
  2. WPA3 SAE.
    1. WPA3 SAE. Only clients that support WPA3 (SAE) can connect to this SSID.
      config wireless-controller vap
          edit "80e_sae"
              set ssid "80e_sae"
              set security wpa3-sae
              set pmf enable
              set schedule "always"
              set sae-password 12345678
          next
      end
    2. WPA3 SAE TRANSITION. The SSID carries two passwords. If the passphrase is used, the client connects with WPA2-PSK; if the sae-password is used, the client connects with WPA3-SAE. PMF is set to optional so that WPA2 clients without PMF support can still connect.
      config wireless-controller vap
          edit "80e_sae-tr"
              set ssid "80e_sae-transition"
              set security wpa3-sae-transition
              set pmf optional
              set passphrase 11111111
              set schedule "always"
              set sae-password 22222222
          next
      end
  3. WPA3 Enterprise. With this option, the auth type selects either RADIUS authentication or local user group authentication.
    config wireless-controller vap
        edit "80e_wpa3"
            set ssid "80e_wpa3"
            set security wpa3-enterprise
            set pmf enable
            set auth radius
            set radius-server "wifi-radius"
            set schedule "always"
        next

        edit "80e_wpa3_user"
            set ssid "80e_wpa3_user"
            set security wpa3-enterprise
            set pmf enable
            set auth usergroup
            set usergroup "usergroup"
            set schedule "always"
        next
    end

Use a client with WPA3 to verify the connection.
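As an added example (not Fortinet code), the following script parses `config wireless-controller vap` text in the form shown above and checks it against the prerequisites this page states: PMF must be enabled for OWE, WPA3-SAE and WPA3-Enterprise, and the two VAPs of an OWE transition pair must reference each other's SSID. The sample configuration embedded in it is constructed for the check, not taken from a live device.

```python
# Added example, not Fortinet code: audit 'config wireless-controller vap' text against the
# page's stated WPA3 prerequisites (PMF for OWE/WPA3-SAE/WPA3-Enterprise; OWE transition pairing).
import shlex

def parse_vaps(text):
    """Map VAP name -> {setting: value} from the 'edit' / 'set' / 'next' lines."""
    vaps, cur = {}, None
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok and tok[0] == "edit":
            cur = tok[1]
            vaps[cur] = {}
        elif tok and tok[0] == "set" and cur is not None:
            vaps[cur][tok[1]] = " ".join(tok[2:])
        elif tok and tok[0] == "next":
            cur = None
    return vaps

def audit(vaps):
    """Return findings as strings; an empty list means every VAP passes."""
    findings = []
    for name, s in vaps.items():
        sec, pmf = s.get("security", "open"), s.get("pmf", "disable")
        if sec in ("owe", "wpa3-sae", "wpa3-enterprise") and pmf != "enable":
            findings.append(f"{name}: security {sec} requires 'set pmf enable' (pmf is {pmf})")
        if s.get("owe-transition") == "enable":  # the pair must point at each other
            want = s.get("owe-transition-ssid")
            peer = next((p for p in vaps.values() if p.get("ssid") == want), None)
            if peer is None or peer.get("owe-transition-ssid") != s.get("ssid"):
                findings.append(f"{name}: owe-transition-ssid {want!r} has no VAP pointing back")
    return findings

# Constructed sample: the page's OWE transition pair plus a WPA3-SAE VAP that forgot PMF.
SAMPLE = """config wireless-controller vap
    edit "80e_open"
        set ssid "80e_open"
        set security open
        set owe-transition enable
        set owe-transition-ssid "wpa3_open"
    next
    edit "wpa3_owe_tr"
        set ssid "wpa3_open"
        set security owe
        set pmf enable
        set owe-transition enable
        set owe-transition-ssid "80e_open"
    next
    edit "bad_sae"
        set security wpa3-sae
    next
end"""
```

Running `audit(parse_vaps(SAMPLE))` reports only the `bad_sae` VAP; the OWE transition pair passes because each VAP's owe-transition-ssid resolves to the other.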
