WPA3 enhancements to support H2E only and SAE-PK 7.2.1


This release supports WiFi 6 Release 2 security enhancements by adding support for Hash-to-Element (H2E) only and Simultaneous Authentication of Equals Public Key (SAE-PK) for FortiAP models that support WPA3-SAE security modes.

When the security mode is set to WPA3-SAE or WPA3-SAE-Transition, the following options are available:

  • Hash-to-Element (H2E) only: Use only the hash-to-element mechanism for password element (PWE) derivation.
  • Simultaneous Authentication of Equals Public Key (SAE-PK): Enable or disable WPA3 SAE-PK.
    • When SAE-PK authentication is enabled, you must set an SAE-PK private key.

To enable H2E only - GUI:
  1. From the FortiGate GUI, navigate to WiFi & Switch Controller > SSIDs and click Create New > SSID.
  2. In Security mode, select either WPA3-SAE or WPA3-SAE-Transition.
  3. In SAE password, enter a password.
  4. Enable Hash-to-Element (H2E) only.
  5. When you are finished, click OK.

To enable SAE-PK - GUI:
  1. From the FortiGate GUI, navigate to WiFi & Switch Controller > SSIDs and click Create New > SSID.
  2. In Security mode, select either WPA3-SAE or WPA3-SAE-Transition.
  3. In SAE password, enter a password.
  4. Enable SAE-PK authentication.

    When the SAE-PK authentication option is enabled, the SAE-PK private key is mandatory.

  5. In SAE-PK private key, enter a private key.

    The private key can be generated by a third-party tool (for example, sae_pk_gen in wpa_supplicant v2.10) to meet the encryption requirement. FortiOS will verify the private key and reject invalid input.

  6. When you are finished, click OK.

To enable H2E only - CLI:
config wireless-controller vap
  edit "wifi"
    set ssid "Example_SSID"
    set security wpa3-sae
    set pmf enable
    set sae-h2e-only enable
    set schedule "always"
    set sae-password ENC *
  next
end

To enable SAE-PK - CLI:
config wireless-controller vap
  edit "wifi"
    set ssid "Example_SSID"
    set security wpa3-sae
    set pmf enable
    set sae-pk enable
    set sae-private-key "******"
    set schedule "always"
    set sae-password ENC *
  next
end

Note: When the SAE-PK authentication option is enabled, sae-private-key is mandatory. The sae-private-key value can be generated by a third-party tool (for example, sae_pk_gen in wpa_supplicant v2.10) to meet the encryption requirement. FortiOS will verify the private key and reject invalid input.
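
The two rules above (H2E only and SAE-PK apply only under WPA3-SAE modes, and SAE-PK requires a private key) can be checked offline against a configuration script before it is pushed to a FortiGate. The following Python sketch is an added example, not Fortinet code; the sample configuration is constructed, and the CLI value `wpa3-sae-transition` for the WPA3-SAE-Transition mode is an assumption, since this page shows only `wpa3-sae`.

```python
# Constructed sample input: three SSIDs, two of which break the page's rules.
SAMPLE = """\
config wireless-controller vap
  edit "corp-h2e"
    set security wpa3-sae
    set sae-h2e-only enable
  next
  edit "guest-pk"
    set security wpa3-sae-transition
    set sae-pk enable
    set sae-password ENC *
  next
  edit "legacy"
    set security wpa2-only-personal
    set sae-h2e-only enable
  next
end
"""
SAE_MODES = {"wpa3-sae", "wpa3-sae-transition"}  # transition CLI value is assumed

def parse_vaps(text):
    """Return {vap_name: {option: value}} for 'config wireless-controller vap'."""
    vaps, name, depth, in_vap = {}, None, 0, False
    for line in (raw.strip() for raw in text.splitlines()):
        if not in_vap:
            in_vap = line == "config wireless-controller vap"
        elif line.startswith("config "):
            depth += 1                    # nested sub-table inside a VAP entry
        elif line == "end":
            in_vap, depth = depth > 0, max(depth - 1, 0)
        elif depth == 0 and line.startswith("edit "):
            name = line[5:].strip().strip('"')
            vaps[name] = {}
        elif depth == 0 and name and line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) == 3:
                vaps[name][parts[1]] = parts[2].strip('"')
    return vaps

def audit_vaps(text):
    """Return sorted (vap, issue) pairs for the two rules stated on this page."""
    findings = []
    for vap, opts in parse_vaps(text).items():
        sae_opts = [k for k in ("sae-h2e-only", "sae-pk") if opts.get(k) == "enable"]
        if sae_opts and opts.get("security") not in SAE_MODES:
            findings.append((vap, "sae-option-outside-wpa3-sae"))
        if "sae-pk" in sae_opts and not opts.get("sae-private-key"):
            findings.append((vap, "sae-pk-without-private-key"))
    return sorted(findings)
```

Calling `audit_vaps(SAMPLE)` flags `guest-pk` for the missing private key and `legacy` for setting an SAE option under a non-SAE security mode. The check only confirms that a key is present; validating the key itself is left to FortiOS, as described above.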
