DOCUMENT LIBRARY

New Features

Home FortiGate / FortiOS 7.4.0 New Features

7.4.0

Support for Beacon Protection 7.4.4

This information is also available in the FortiWiFi and FortiAP 7.4 Configuration Guide:

Enabling Beacon Protection

This release supports Beacon Protection on WPA3 SSIDs which improves Wi-Fi security by protecting beacon frames. The Beacon Protection feature was introduced in WPA3 and is designed to enhance security in Wi-Fi networks by protecting the integrity of the beacon frames, which are essential for network discovery and connection establishment. This helps devices discover and connect to legitimate networks, reducing attack risks.

Beacon Protection is supported on FortiAP K series running the "wifi7" special builds (branched out of FortiAP 7.4.x).

FortiAP F and G series running 7.4.x builds do NOT support Beacon Protection.

CLI Changes:

config wireless-controller vap
  edit <name>
    set beacon-protection {enable | disable}
end

Beacon Protection is disabled by default.

To enable Beacon Protection from the FortiGate:

config wireless-controller vap
    edit "wpa3-sae-beacon"
        set ssid "wpa3-sae-beacon"
        set security wpa3-only-enterprise
        set pmf enable
        set beacon-protection enable
        set auth radius
        set radius-server "peap"
        set local-bridging enable
        set schedule "always"
    next
end

To assign Beacon Protection to a FortiAP profile:

conf wireless-controller wtp-profile
  edit FAP441K-default
    conf radio-2
      set vaps wpa3-sae-beacon
    end
  next
end

To verify that Beacon Protection is assigned and enabled on a FortiAP:

FortiAP-441K # vcfg
-------------------------------VAP Configuration    1----------------------------
Radio Id  1 WLAN Id  0 wpa3-sae-beacon ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
           vlanid=0, intf=wlan10, vap=0x28a9202c, bssid=38:c0:ea:f1:51:70
           11ax high-efficiency=enabled target-wake-time=enabled
           bss-color-partial=enabled
           mesh backhaul=disabled
           local_auth=disabled standalone=disabled nat_mode=disabled
           local_bridging=enabled split_tunnel=disabled layer3_roaming=disabled
           intra_ssid_priv=disabled
           mcast_enhance=disabled igmp_snooping=disabled
           mac_auth=disabled fail_through_mode=disabled sta_info=0/0
           mac=local, tunnel=8023, cap=8ce0, qos=disabled
           prob_resp_suppress=disabled
           rx sop=disabled
           sticky client remove=disabled
           mu mimo=enabled           ldpc_config=rxtx
           dhcp_option43_insertion=enabled           dhcp_option82_insertion=disabled
           dhcp_enforcement=disabled
           access_control_list=disabled
           bc_suppression=dhcp dhcp-ucast arp
           auth=WPA3 Enterprise Only, RADIUS, AES WPA keyIdx=6, keyLen=16, keyStatus=1, gTsc=000000000000
           key=92c6ab16 9239a724 bd20eaad e677d35c
           pmf=required
           beacon_prot=enabled

The following Beacon frame capture shows the FortiAP adds a message integrity check (MIC) element to the Beacon frames of SSID with Beacon Protection enabled:

IEEE 802.11 Wireless Management
    Fixed parameters (12 bytes)
    Tagged parameters (509 bytes)
        Tag: SSID parameter set: wpa3-sae-beacon
        Tag: Supported Rates 6(B), 9, 12(B), 18, 24(B), 36, 48, 54, [Mbit/sec]
        Tag: Traffic Indication Map (TIM): DTIM 0 of 0 bitmap
        Tag: Country Information: Country Code US, Environment Indoor
        Tag: Power Constraint: 0
        Tag: TPC Report Transmit Power: 24, Link Margin: 0
        Tag: Extended Supported Rates Unknown Rate, [Mbit/sec]
        Tag: RSN Information
        Tag: QBSS Load Element 802.11e CCA Version
        Tag: RM Enabled Capabilities (5 octets)
        Tag: HT Capabilities (802.11n D1.10)
        Tag: HT Information (802.11n D1.10)
        Tag: Extended Capabilities (13 octets)
        Tag: VHT Capabilities
        Tag: VHT Operation
        Tag: VHT Tx Power Envelope
        Tag: Reserved (201): Undecoded
        Tag: Reserved (244): Undecoded
        Ext Tag: HE Capabilities (IEEE Std 802.11ax/D3.0)
        Ext Tag: HE Operation (IEEE Std 802.11ax/D3.0)
        Ext Tag: Spatial Reuse Parameter Set
        Ext Tag: MU EDCA Parameter Set
        Tag: Vendor Specific: Qualcomm Inc.
        Tag: Vendor Specific: Fortinet Inc.
        Tag: Vendor Specific: Fortinet Inc.
        Tag: Vendor Specific: Fortinet Inc.
        Tag: Vendor Specific: Microsoft Corp.: WMM/WME: Parameter Element
        Tag: Vendor Specific: Qualcomm Inc.
        Tag: Vendor Specific: Qualcomm Inc.
        Tag: Management MIC
            Tag Number: Management MIC (76)
            Tag length: 16
            KeyID: 6
            IPN: a00300000000
            MIC: 0cc6d9f2580036f1

The 11th octet in "Extended Capabilities" has the Beacon Protection Flag enabled.

Tag: Extended Capabilities (13 octets)
            Tag Number: Extended Capabilities (127)
            Tag length: 13
            Extended Capabilities: 0x04 (octet 1)
            Extended Capabilities: 0x00 (octet 2)
            Extended Capabilities: 0x0f (octet 3)
            Extended Capabilities: 0x02 (octet 4)
            Extended Capabilities: 0x00 (octet 5)
            Extended Capabilities: 0x00 (octet 6)
            Extended Capabilities: 0x00 (octet 7)
            Extended Capabilities: 0x0040 (octets 8 & 9)
            Extended Capabilities: 0x40 (octet 10)
            Extended Capabilities: 0x10 (octet 11)
                .... ...0 = Complete List of NonTxBSSID Profiles: False
                .... ..0. = SAE Password Identifiers In Use: False
                .... .0.. = SAE Passwords Used Exclusively: False
                .... 0... = Enhanced Multi-BSSID Advertisement Support: False
                ...1 .... = Beacon Protection Enabled: True
                ..0. .... = Mirrored SCS: False
                .0.. .... = OCT: False
                0... .... = Local MAC Address Policy: False
            Extended Capabilities: 0x00 (octet 12)
            Extended Capabilities: 0x00 (octet 13)

Support for Beacon Protection 7.4.4

This information is also available in the FortiWiFi and FortiAP 7.4 Configuration Guide:

Enabling Beacon Protection

Beacon Protection is supported on FortiAP K series running the "wifi7" special builds (branched out of FortiAP 7.4.x).

FortiAP F and G series running 7.4.x builds do NOT support Beacon Protection.

CLI Changes:

config wireless-controller vap
  edit <name>
    set beacon-protection {enable | disable}
end

Beacon Protection is disabled by default.

To enable Beacon Protection from the FortiGate:

config wireless-controller vap
    edit "wpa3-sae-beacon"
        set ssid "wpa3-sae-beacon"
        set security wpa3-only-enterprise
        set pmf enable
        set beacon-protection enable
        set auth radius
        set radius-server "peap"
        set local-bridging enable
        set schedule "always"
    next
end

To assign Beacon Protection to a FortiAP profile:

conf wireless-controller wtp-profile
  edit FAP441K-default
    conf radio-2
      set vaps wpa3-sae-beacon
    end
  next
end

To verify that Beacon Protection is assigned and enabled on a FortiAP:

FortiAP-441K # vcfg
-------------------------------VAP Configuration    1----------------------------
Radio Id  1 WLAN Id  0 wpa3-sae-beacon ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
           vlanid=0, intf=wlan10, vap=0x28a9202c, bssid=38:c0:ea:f1:51:70
           11ax high-efficiency=enabled target-wake-time=enabled
           bss-color-partial=enabled
           mesh backhaul=disabled
           local_auth=disabled standalone=disabled nat_mode=disabled
           local_bridging=enabled split_tunnel=disabled layer3_roaming=disabled
           intra_ssid_priv=disabled
           mcast_enhance=disabled igmp_snooping=disabled
           mac_auth=disabled fail_through_mode=disabled sta_info=0/0
           mac=local, tunnel=8023, cap=8ce0, qos=disabled
           prob_resp_suppress=disabled
           rx sop=disabled
           sticky client remove=disabled
           mu mimo=enabled           ldpc_config=rxtx
           dhcp_option43_insertion=enabled           dhcp_option82_insertion=disabled
           dhcp_enforcement=disabled
           access_control_list=disabled
           bc_suppression=dhcp dhcp-ucast arp
           auth=WPA3 Enterprise Only, RADIUS, AES WPA keyIdx=6, keyLen=16, keyStatus=1, gTsc=000000000000
           key=92c6ab16 9239a724 bd20eaad e677d35c
           pmf=required
           beacon_prot=enabled

The following Beacon frame capture shows the FortiAP adds a message integrity check (MIC) element to the Beacon frames of SSID with Beacon Protection enabled:

IEEE 802.11 Wireless Management
    Fixed parameters (12 bytes)
    Tagged parameters (509 bytes)
        Tag: SSID parameter set: wpa3-sae-beacon
        Tag: Supported Rates 6(B), 9, 12(B), 18, 24(B), 36, 48, 54, [Mbit/sec]
        Tag: Traffic Indication Map (TIM): DTIM 0 of 0 bitmap
        Tag: Country Information: Country Code US, Environment Indoor
        Tag: Power Constraint: 0
        Tag: TPC Report Transmit Power: 24, Link Margin: 0
        Tag: Extended Supported Rates Unknown Rate, [Mbit/sec]
        Tag: RSN Information
        Tag: QBSS Load Element 802.11e CCA Version
        Tag: RM Enabled Capabilities (5 octets)
        Tag: HT Capabilities (802.11n D1.10)
        Tag: HT Information (802.11n D1.10)
        Tag: Extended Capabilities (13 octets)
        Tag: VHT Capabilities
        Tag: VHT Operation
        Tag: VHT Tx Power Envelope
        Tag: Reserved (201): Undecoded
        Tag: Reserved (244): Undecoded
        Ext Tag: HE Capabilities (IEEE Std 802.11ax/D3.0)
        Ext Tag: HE Operation (IEEE Std 802.11ax/D3.0)
        Ext Tag: Spatial Reuse Parameter Set
        Ext Tag: MU EDCA Parameter Set
        Tag: Vendor Specific: Qualcomm Inc.
        Tag: Vendor Specific: Fortinet Inc.
        Tag: Vendor Specific: Fortinet Inc.
        Tag: Vendor Specific: Fortinet Inc.
        Tag: Vendor Specific: Microsoft Corp.: WMM/WME: Parameter Element
        Tag: Vendor Specific: Qualcomm Inc.
        Tag: Vendor Specific: Qualcomm Inc.
        Tag: Management MIC
            Tag Number: Management MIC (76)
            Tag length: 16
            KeyID: 6
            IPN: a00300000000
            MIC: 0cc6d9f2580036f1

The 11th octet in "Extended Capabilities" has the Beacon Protection Flag enabled.

Tag: Extended Capabilities (13 octets)
            Tag Number: Extended Capabilities (127)
            Tag length: 13
            Extended Capabilities: 0x04 (octet 1)
            Extended Capabilities: 0x00 (octet 2)
            Extended Capabilities: 0x0f (octet 3)
            Extended Capabilities: 0x02 (octet 4)
            Extended Capabilities: 0x00 (octet 5)
            Extended Capabilities: 0x00 (octet 6)
            Extended Capabilities: 0x00 (octet 7)
            Extended Capabilities: 0x0040 (octets 8 & 9)
            Extended Capabilities: 0x40 (octet 10)
            Extended Capabilities: 0x10 (octet 11)
                .... ...0 = Complete List of NonTxBSSID Profiles: False
                .... ..0. = SAE Password Identifiers In Use: False
                .... .0.. = SAE Passwords Used Exclusively: False
                .... 0... = Enhanced Multi-BSSID Advertisement Support: False
                ...1 .... = Beacon Protection Enabled: True
                ..0. .... = Mirrored SCS: False
                .0.. .... = OCT: False
                0... .... = Local MAC Address Policy: False
            Extended Capabilities: 0x00 (octet 12)
            Extended Capabilities: 0x00 (octet 13)

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

New Features

Support for Beacon Protection 7.4.4

Support for Beacon Protection 7.4.4

CLI Changes:

To enable Beacon Protection from the FortiGate:

To assign Beacon Protection to a FortiAP profile:

To verify that Beacon Protection is assigned and enabled on a FortiAP:

Support for Beacon Protection 7.4.4

Support for Beacon Protection 7.4.4

CLI Changes:

To enable Beacon Protection from the FortiGate:

To assign Beacon Protection to a FortiAP profile:

To verify that Beacon Protection is assigned and enabled on a FortiAP: