New Features

Add support for WPA3-SAE security mode on mesh backhaul SSIDs

Note

This information is also available in the FortiWiFi and FortiAP 7.4 Configuration Guide:

Note

GUI support is available in FOS 7.4.1. For more information, see Add GUI support for configuring WPA3-SAE security mode on mesh backhaul SSIDs 7.4.1.

This release supports configuring WPA3-SAE security mode for FortiAP wireless mesh backhaul SSIDs using the CLI. Wi-Fi 6E FortiAPs can also set up mesh connections over the 6 GHz band, because WPA3-SAE (with Hash-to-Element only enabled) is mandatory for operation in the 6 GHz band under Wi-Fi 6E.

In the topology example, FAP-231F is the mesh root that broadcasts the mesh backhaul SSID with WPA3-SAE security, and FAP-23JF is the mesh leaf that uses the mesh backhaul SSID to connect back to the FortiGate.

To configure WPA3-SAE security mode on mesh root SSIDs - CLI:
Note

By default, sae-h2e-only is enabled when you set the security mode to wpa3-sae. Leave it enabled: Hash-to-Element (H2E) derives the SAE password element without the hunting-and-pecking loop whose timing leakage was exploited by the Dragonblood side-channel attacks, and H2E is mandatory for SAE on the 6 GHz band.

  1. On the mesh root (backhaul) SSID, set the security mode to wpa3-sae and enable mesh-backhaul:

    config wireless-controller vap
      edit "MESHWPA3"
        set mesh-backhaul enable
        set ssid "MESHWPA3"
        set security wpa3-sae
        set pmf enable
        set sae-h2e-only enable
        set schedule "always"
        set sae-password ENC *
      next
    end
    
  2. Add the mesh root SSID to the FortiAP profile:

    config wireless-controller wtp-profile
      edit "FAP231F-default"
        config platform
          set type 231F
          set ddscan enable
        end
        set handoff-sta-thresh 55
        set allowaccess ssh
        config radio-1
          set band 802.11ax,n,g-only
          set vap-all manual
          set vaps "MESHWPA3"
        end
        config radio-2
          set band 802.11ax-5G
          set vap-all manual
          set vaps "MESHWPA3"
        end
        config radio-3
          set mode monitor
        end
      next
    end
  3. On the mesh leaf FortiAP, enable mesh leaf settings. MESH_AP_PASSWD must be the same passphrase that was set as sae-password on the mesh backhaul VAP; the value fortinet below is only a placeholder, and a long random passphrase should be used because SAE blocks offline dictionary attacks but not online guessing of a weak password. cfg -c commits the settings:

    FortiAP-23JF# cfg -a MESH_AP_TYPE=1
    FortiAP-23JF# cfg -a MESH_AP_SSID=MESHWPA3
    FortiAP-23JF# cfg -a MESH_AP_PASSWD=fortinet
    FortiAP-23JF# cfg -c
To verify FortiAP mesh configurations - CLI:
  1. From the FortiGate, verify that the mesh configuration has been successfully applied. In the ws-mesh output the leaf (FP23JFTF21000769) should show mesh uplink : mesh with the root's BSSID under wbh ap, and in the sta online output the leaf's station entry should show security=wpa3_sae and encrypt=aes:

    • FortiGate-81E-POE (root) # diagnose wireless-controller wlac -c ws-mesh 0-11.11.11.3:5246
      -------------------------------WS MESH INFO    1----------------------------
      WTP session             : 0-11.11.11.3:5246  MP00   CWAS_RUN,91252 3,3
          Ctrl in_ifIdx       : 19/port11
               indev          : 19/port11
          Data in_ifIdx       : 19/port11
               indev          : 0/
          mesh uplink         : ethernet
          id                  : FP231FTF20000051
          mgmt_vlanid         : 0
          wtp_wanlan_mode     : wan-only
          refcnt              : 9
          deleted             : no
          plain_ctl           : disabled
          wtp-mode            : normal
          wtp-report-index    : 3
          data-chan-sec       : clear-text
          ctl-msg-offload     : ac=03ff/wtp_loc=03ff/wtp_rem=03ff/oper=03ff
          session_id          : 6fd0dc8e1431067779dee9796dc645ff
          ehapd cfg           : done
          message queue       : 0/128 max 14
          tId_10_sec          : 53777394
          Ekahau              : disabled
          Aeroscout           : disabled
          FortiPresence       : disabled
        Radio 1            : AP
          wlan cfg            : MESHWPA3  
            vap-01(1)         : MESHWPA3         e0:23:ff:84:6a:b0   lsw m            MESHWPA3         Config success State RUN(5) Age 91252
        Radio 2            : AP
          wlan cfg            : MESHWPA3  
            vap-01(1)         : MESHWPA3         e0:23:ff:84:6a:b8   lsw m            MESHWPA3         Config success State RUN(5) Age 91252
        Radio 3            : Monitor
        Radio 4            : Virtual Lan AP
          wlan cfg            : 
        Radio 5            : Not Exist
      -------------------------------WS MESH INFO    2----------------------------
      WTP session             : 0-11.11.11.4:25246  MP00   CWAS_RUN,90789 7,7
          Ctrl in_ifIdx       : 19/port11
               indev          : 19/port11
          Data in_ifIdx       : 19/port11
               indev          : 0/
          mesh uplink         : mesh
               wbh sta        : 2 d4:76:a0:b1:48:ff
               wbh ap         : MESHWPA3 e0:23:ff:84:6a:b8 FP231FTF20000051
          id                  : FP23JFTF21000769
          mgmt_vlanid         : 0
          wtp_wanlan_mode     : wan-only
          refcnt              : 10
          deleted             : no
          plain_ctl           : disabled
          wtp-mode            : normal
          wtp-report-index    : 9
          data-chan-sec       : clear-text
          ctl-msg-offload     : ac=03ff/wtp_loc=03ff/wtp_rem=03ff/oper=03ff
          session_id          : 74d151af1d93fa801c5d55d6605441ba
          ehapd cfg           : ongoing
          message queue       : 0/128 max 91
          tId_10_sec          : 53777387
          Ekahau              : disabled
          Aeroscout           : disabled
          FortiPresence       : disabled
        Radio 1            : AP
      ...
    • FortiGate-81E-POE (root) # diagnose wireless-controller wlac -d sta online
         vf=0 mpId=0 wtp=14 rId=2 wlan=MESHWPA3 vlan_id=0 ip=11.11.11.4 ip6=:: mac=d4:76:a0:b1:48:ff vci=FortiAP-FP23JF host=FortiAP-23JF user= group= signal=-39 noise=-95 idle=1 bw=58 use=5 chan=64 radio_type=11AX_5G security=wpa3_sae mpsk= encrypt=aes cp_authed=no l3r=1,0 G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=2
  2. From the FortiAP, verify the configuration on the FortiAP leaf:

    FortiAP-23JF # cw_diag -c mesh
    Sys Cfg AP addr mode: dhcp
               stp mode : 0
               dflt ip  : 192.168.1.2
               dflt mask: 255.255.255.0
               dflt gw  : 192.168.1.1
    Mesh Cfg Uplink     : Mesh Uplink
             AP SSID    : MESHWPA3
             AP BSSID   : 00:00:00:00:00:00
             AP PASSWD  : ******
             wbh bgscan : 0
            ddscan ssid : MESHWPA3
       local eth bridge : 2(Disable)
    Mesh Oper AP Type   : Mesh Uplink
            wbh status  : running
            wbh rId     : 1
            wbh mac     : d4:76:a0:b1:48:ff
            wbh bssid   : e0:23:ff:84:6a:b8
            wbh Chan    : 144
            vap mhc     : 1
            eth type    : 0x2233
            bridge mac  : d4:76:a0:b1:48:e8
        main dhcp ip    : 11.11.11.4
        main dhcp mask  : 255.255.255.0
        main dhcp gw    : 11.11.11.11
          bh dhcp ip    : 0.0.0.0
          bh dhcp mask  : 0.0.0.0
          bh dhcp gw    : 0.0.0.0
           main ip      : 11.11.11.4
           main mask    : 255.255.255.0
           main gw      : 11.11.11.11
               bh ip    : 0.0.0.0
               bh mask  : 0.0.0.0
               bh gw    : 0.0.0.0
               bh mac   : 00:00:00:00:00:00
             eth bridge : 0(Disable)
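The sta online check above is the one worth repeating after every change, because a leaf that falls back to a weaker backhaul still forwards traffic. The following script is an added example, not Fortinet code: it parses the key=value station lines that diagnose wireless-controller wlac -d sta online prints (format taken from the line shown above) and flags any station on a mesh backhaul SSID that is not online with security=wpa3_sae and encrypt=aes. The second and third sample lines, the set of backhaul SSIDs and the wpa2_personal value string are constructed assumptions for the demonstration.

```python
"""
Audit FortiGate 'diagnose wireless-controller wlac -d sta online' output and
flag mesh backhaul stations that are not using WPA3-SAE with AES.

Added example for this page; not Fortinet code. The first sample line is the
one shown in the documentation; the other two are constructed, and the
'security=wpa2_personal' value is an assumption about the controller's output.
"""
import re
from typing import Dict, List

# SSIDs configured with 'set mesh-backhaul enable' (assumption: maintained by
# hand or exported from 'config wireless-controller vap').
MESH_BACKHAUL_SSIDS = {"MESHWPA3"}

# Every field is 'key=value'; values may be empty (user=) or contain ':' ','
# and '-' (ip6=::, G=0.0.0.0:0,0.0.0.0:0-0-0). Stray tokens such as '--' are skipped.
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# What a healthy WPA3-SAE mesh leaf must report.
REQUIRED = {"security": "wpa3_sae", "encrypt": "aes", "online": "yes"}


def parse_sta_line(line: str) -> Dict[str, str]:
    """Turn one station line into a dict of its key=value fields."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def audit_mesh_stations(output: str, backhaul_ssids=MESH_BACKHAUL_SSIDS) -> List[Dict[str, object]]:
    """Return one finding per station associated to a mesh backhaul SSID.

    'problems' lists each REQUIRED field whose value differs from the expected
    one, so a leaf that negotiated anything other than WPA3-SAE/AES, or that
    is not online, is reported before traffic over that hop is trusted.
    """
    findings: List[Dict[str, object]] = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line.startswith("vf="):
            continue  # prompt, blank line or unrelated diagnose output
        sta = parse_sta_line(line)
        if sta.get("wlan") not in backhaul_ssids:
            continue  # a client SSID, not a mesh backhaul
        problems = [
            f"{key}={sta.get(key, '<missing>')}"
            for key, want in REQUIRED.items()
            if sta.get(key) != want
        ]
        findings.append({
            "mac": sta.get("mac"),
            "host": sta.get("host"),
            "wlan": sta.get("wlan"),
            "chan": sta.get("chan"),
            "signal": sta.get("signal"),
            "ok": not problems,
            "problems": problems,
        })
    return findings


# Constructed sample: line 1 is from the page, lines 2 and 3 are made up
# (a leaf that associated with WPA2, and an ordinary client on a staff SSID).
SAMPLE_OUTPUT = """\
vf=0 mpId=0 wtp=14 rId=2 wlan=MESHWPA3 vlan_id=0 ip=11.11.11.4 ip6=:: mac=d4:76:a0:b1:48:ff vci=FortiAP-FP23JF host=FortiAP-23JF user= group= signal=-39 noise=-95 idle=1 bw=58 use=5 chan=64 radio_type=11AX_5G security=wpa3_sae mpsk= encrypt=aes cp_authed=no l3r=1,0 G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=2
vf=0 mpId=0 wtp=15 rId=2 wlan=MESHWPA3 vlan_id=0 ip=11.11.11.5 ip6=:: mac=d4:76:a0:b1:49:01 vci=FortiAP-FP23JF host=FortiAP-23JF-2 user= group= signal=-52 noise=-95 idle=1 bw=58 use=5 chan=64 radio_type=11AX_5G security=wpa2_personal mpsk= encrypt=aes cp_authed=no l3r=1,0 G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=2
vf=0 mpId=0 wtp=14 rId=1 wlan=Corp-Staff vlan_id=0 ip=10.0.0.23 ip6=:: mac=aa:bb:cc:dd:ee:01 vci= host=laptop user=alice group= signal=-60 noise=-95 idle=3 bw=20 use=5 chan=6 radio_type=11AX_2G security=wpa2_enterprise mpsk= encrypt=aes cp_authed=no l3r=1,0 G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=2
"""

if __name__ == "__main__":
    for finding in audit_mesh_stations(SAMPLE_OUTPUT):
        status = "OK " if finding["ok"] else "BAD"
        print(status, finding["host"], finding["mac"], finding["wlan"],
              "chan", finding["chan"], "; ".join(finding["problems"]))
```

Feed it the captured output of the diagnose command (for example, pasted into a file or pulled over SSH by your own tooling) and treat any BAD line as a leaf to pull off the air until the backhaul VAP and the leaf's MESH_AP_* settings agree.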
