
New Features

Support RADIUS MAC Authentication for MPSK on WPA3 SAE SSID 7.4.5

This release adds support for RADIUS MAC authentication over WPA3 SAE SSIDs with an MPSK profile. This enables wireless clients connecting to a WPA3 SAE SSID with an MPSK profile to authenticate using RADIUS MAC authentication against a RADIUS server. Wireless clients can connect using the passphrase from the Tunnel-Password attribute, which is provided in the RADIUS Access-Accept packet. The first time a client connects to the SSID, the tunnel password is cached in the RADIUS server as an MPSK SAE password. In subsequent connections, the cached password is retrieved, streamlining the authentication process.

Example Topology

To configure a WPA3 SAE SSID to use combined MAC and MPSK authentication - CLI:
  1. Configure the RADIUS server.

    config user radius
      edit "peap"
        set server "172.16.200.55"
        set secret **********
      next
    end
  2. Configure the MPSK profile.

    config wireless-controller mpsk-profile
      edit "test"
        set ssid "FOS_81F_3G_wpa3"
        set mpsk-type wpa3-sae
        config mpsk-group
          edit "g1"
            config mpsk-key
              edit "k1"
                set key-type wpa3-sae
                set mac 01:02:03:04:05:06
                set sae-password **********
              next
            end
          next
        end
      next
    end
  3. Create a WPA3 SAE SSID with an MPSK profile applied, then enable radius-mac-auth and radius-mac-mpsk-auth.

    config wireless-controller vap
      edit "test"
        set ssid "FOS_81F_3G_wpa3"
        set security wpa3-sae
        set pmf enable
        set radius-mac-auth enable
        set radius-mac-auth-server "peap"
        set radius-mac-mpsk-auth enable
        set schedule "always"
        set mpsk-profile "test"
        set dynamic-vlan enable
        set quarantine disable
        set sae-password ENC
      next
    end
  4. In the RADIUS server you configured, set the Tunnel-Password attribute for the "F8-E4-E3-D8-5E-AF" account, which is the username of the wireless client (MAC: f8:e4:e3:d8:5e:af) verified by RADIUS MAC authentication. In this example, the Tunnel-Password is set to 111111111111.

    F8-E4-E3-D8-5E-AF Cleartext-Password := "F8-E4-E3-D8-5E-AF"
        Tunnel-Type = "VLAN",
        Tunnel-Medium-Type = "IEEE-802",
        Tunnel-Private-Group-Id = 100,
        Tunnel-Password = "111111111111",
        Fortinet-Group-Name = group_mac
  5. Confirm that the wireless client (MAC: f8:e4:e3:d8:5e:af) can connect to the SSID using the passphrase you configured in the Tunnel-Password attribute.

    FortiWiFi-81F-2R-3G4~POE (Interim)# dia wireless-controller wlac -d sta online

    vf=0 mpId=0 wtp=3 rId=2 wlan=test vlan_id=100 ip=0.0.0.0 ip6=:: mac=f8:e4:e3:d8:5e:af vci= host= user=F8-E4-E3-D8-5E-AF group=group_mac signal=-45 noise=-95 idle=0 bw=0 use=3 chan=60 radio_type=11AX_5G security=wpa3_sae mpsk= encrypt=aes cp_authed=no l3r=1,0 G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=
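The following helper script is an added example, not FortiOS, FortiWiFi or FreeRADIUS code, covering steps 4 and 5 together. It derives the RADIUS User-Name from a client MAC in the "F8-E4-E3-D8-5E-AF" form the page shows, renders a FreeRADIUS-style users-file entry with the Tunnel-* attributes from step 4, and then parses a `dia wireless-controller wlac -d sta online` record (constructed from the step 5 output) to verify that the client came up on the expected MAC, User-Name, WPA3 SAE security and dynamic VLAN. The users-file layout, the 8-character minimum passphrase length and the field names checked are assumptions taken from this page, not from Fortinet documentation of the output format.

```python
"""Helpers for the RADIUS MAC + MPSK on WPA3 SAE workflow (added example).

Assumes a FreeRADIUS-style ``users`` file (as in step 4) and the
``dia wireless-controller wlac -d sta online`` output format shown in step 5.
"""
import re

# Constructed sample: the step 5 output line from the page, verbatim.
STA_LINE = (
    "vf=0 mpId=0 wtp=3 rId=2 wlan=test vlan_id=100 ip=0.0.0.0 ip6=:: "
    "mac=f8:e4:e3:d8:5e:af vci= host= user=F8-E4-E3-D8-5E-AF group=group_mac "
    "signal=-45 noise=-95 idle=0 bw=0 use=3 chan=60 radio_type=11AX_5G "
    "security=wpa3_sae mpsk= encrypt=aes cp_authed=no l3r=1,0 "
    "G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo="
)


def radius_username_from_mac(mac: str) -> str:
    """Normalise a client MAC to the upper-case, hyphen-separated form
    (F8-E4-E3-D8-5E-AF) that the page shows as the RADIUS User-Name."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(hexdigits[i:i + 2].upper() for i in range(0, 12, 2))


def render_users_entry(mac: str, vlan: int, passphrase: str,
                       group: str, min_len: int = 8) -> str:
    """Render the step 4 users-file stanza for one client MAC.

    ``min_len`` is an assumed local policy for the SAE passphrase sent in
    Tunnel-Password; it is not a limit stated on the page.
    """
    if len(passphrase) < min_len:
        raise ValueError(f"Tunnel-Password shorter than {min_len} characters")
    user = radius_username_from_mac(mac)
    # Cleartext-Password equals the User-Name, as in the page's entry, because
    # FortiOS sends the MAC as both username and password for MAC auth.
    lines = [
        f'{user} Cleartext-Password := "{user}"',
        '\tTunnel-Type = "VLAN",',
        '\tTunnel-Medium-Type = "IEEE-802",',
        f'\tTunnel-Private-Group-Id = {vlan},',
        f'\tTunnel-Password = "{passphrase}",',
        f'\tFortinet-Group-Name = {group}',
    ]
    return "\n".join(lines)


def parse_sta_online(line: str) -> dict:
    """Split one 'sta online' record into key=value fields.

    Tokens without '=' (the '--' separator and the bare socket columns) are
    skipped; only the first '=' splits, so 'ip6=::' parses as ip6 -> '::'.
    """
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def verify_client(fields: dict, mac: str, vlan: int) -> list:
    """Return a list of problems (empty when the association matches what
    steps 3 and 4 configured): online, right MAC, MAC-derived User-Name,
    WPA3 SAE security and the VLAN from Tunnel-Private-Group-Id."""
    problems = []
    if fields.get("online") != "yes":
        problems.append("client is not online")
    if fields.get("mac", "").lower() != mac.lower():
        problems.append(f"unexpected mac={fields.get('mac')}")
    if fields.get("user") != radius_username_from_mac(mac):
        problems.append(f"User-Name not derived from MAC: user={fields.get('user')}")
    if fields.get("security") != "wpa3_sae":
        problems.append(f"security is {fields.get('security')}, not wpa3_sae")
    if fields.get("vlan_id") != str(vlan):
        problems.append(f"Tunnel-Private-Group-Id not applied (vlan_id={fields.get('vlan_id')})")
    return problems


if __name__ == "__main__":
    print(render_users_entry("f8:e4:e3:d8:5e:af", 100, "111111111111", "group_mac"))
    record = parse_sta_online(STA_LINE)
    print(verify_client(record, "f8:e4:e3:d8:5e:af", 100) or "client verified")
```

Run the script after step 5 with a copy of the `sta online` line for the client; an empty problem list means the MAC account, the Tunnel-Password passphrase and the dynamic VLAN all took effect, and each non-empty entry points at the configuration step to revisit.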
