
New Features

Support WPA3 options when the FortiAP radio mode is set to SAM 7.4.2

Support WPA3 options when the FortiAP radio mode is set to SAM 7.4.2

Note

This information is also available in the FortiWiFi and FortiAP 7.4 Configuration Guide:

This release supports WPA3 (Wi-Fi Protected Access 3) options when the radio mode is set to Fortinet's SAM (Service Assurance Manager). This includes WPA3-SAE (Simultaneous Authentication of Equals) and WPA3 OWE (Opportunistic Wireless Encryption). It also includes support for WPA2/WPA3-Enterprise with certificate authentication, encompassing both PEAP and EAP-TLS.

CLI changes:
config wireless-controller wtp-profile
  edit < name >
    config radio-1
      set mode sam
      set sam-ssid < string >
      set sam-security-type { wpa-enterprise | wpa3-sae | owe }
    end
  next 
end

Example use case

In this example, a FortiGate manages two FortiAPs. One FortiAP (FAP_1) broadcasts a test SSID using WPA3 security, while the second FortiAP (FAP_2) is configured as a SAM test client with the same WPA3 security method so it can connect to the SSID on FAP_1 and perform a SAM ping or Iperf test.

The following example shows how to configure a FortiAP profile with WPA3 Enterprise using EAP-TLS, WPA3-SAE, and OWE authentication.

To configure a FortiAP profile to run in SAM mode - CLI:
  1. (Optional) Upload the CA certificate to verify the server certificate.

    1. Go to System > Certificates > Create/Import > CA Certificate and complete the fields to upload the certificate.

  2. (Optional) Upload the client certificate with private key file.

    1. Go to System > Certificates > Create/Import > Certificate and click Import Certificate.

    2. Select Certificate or PKCS #12 Certificate, then follow the onscreen instructions to import the client certificate with private key file, and set the private-key-password.

  3. Create an SSID and select an authentication method:

    WPA3 Enterprise authentication using EAP-TLS

    WPA3-SAE authentication

    OWE authentication

    config wireless-controller vap
      edit "sam-test-ent3"
        set ssid "sam-test-ent3"
        set security wpa3-only-enterprise
        set pmf enable
        set auth radius
        set radius-server "eap_tls"
        set schedule "always"
      next
    end
    
    config wireless-controller vap
      edit "sam-test-sae"
        set ssid "sam-test-sae"
        set security wpa3-sae
        set pmf enable
        set schedule "always"
        set sae-password ENC
      next
    end
    config wireless-controller vap
      edit "sam-test-owe"
        set ssid "sam-test-owe"
        set security owe
        set pmf enable
        set schedule "always"
      next
    end
  4. Broadcast the SSID on FAP_1:

    WPA3 Enterprise authentication using EAP-TLS

    WPA3-SAE authentication

    OWE authentication

    config wireless-controller wtp-profile
      edit "FAP433F-sam-test"
        config platform
          set type 433F
          set ddscan enable
        end
        config radio-2
          set band 802.11ax-5G
          set vap-all manual
          set vaps "sam-test-ent3"
        end
      next
    end
    config wireless-controller wtp-profile
      edit "FAP433F-sam-test"
        config platform
          set type 433F
          set ddscan enable
        end
        config radio-2
          set band 802.11ax-5G
          set vap-all manual
          set vaps "sam-test-sae"
        end
      next
    end
    config wireless-controller wtp-profile
      edit "FAP433F-sam-test"
        config platform
          set type 433F
          set ddscan enable
        end
        config radio-2
          set band 802.11ax-5G
          set vap-all manual
          set vaps "sam-test-owe"
        end
      next
    end
  5. Configure the AP profile for FAP_2 to run in SAM mode and select a SAM security type. Then enable a SAM ping or Iperf test:

    SAM ping test with WPA3 Enterprise authentication using EAP-TLS

    SAM Iperf test with WPA3-SAE authentication

    SAM ping test with OWE authentication

    If the SAM security type is set to wpa-enterprise, you can configure SAM EAP methods and SAM certificate settings:

    config wireless-controller wtp-profile
      edit "FAP431F-sam-ent3"
        config radio-2
          set mode sam
          set sam-ssid "sam-test-ent3"
          set sam-security-type wpa-enterprise
          set sam-eap-method tls
          set sam-client-certificate "client2.cert"
          set sam-private-key "client2.cert"
          set sam-private-key-password ENC
          set sam-ca-certificate "CA_Cert_1"
          set sam-username "tester"
          set sam-password ENC
          set sam-test ping
          set sam-server-ip 8.8.8.8
          set sam-report-intv 60
        end
      next
    end
    config wireless-controller wtp-profile
      edit "FAP431F-sam-sae"
        config radio-2
          set mode sam
          set sam-ssid "sam-test-sae"
          set sam-security-type wpa3-sae
          set sam-password ENC
          set sam-test iperf
          set sam-server-ip "172.18.56.99"
          set iperf-server-port 5201
          set iperf-protocol tcp
          set sam-report-intv 60
        end
      next
    end
    config wireless-controller wtp-profile
      edit "FAP431F-sam-owe"
        config radio-2
          set mode sam
          set sam-ssid "sam-test-owe"
          set sam-security-type owe
          set sam-server-ip 8.8.8.8
          set sam-test ping
          set sam-report-intv 60
        end
      next
    end
    Note

    When the "sam-eap-method" is "tls" or "both", the "sam-client-certificate", "sam-private-key", and "sam-private-key-password" settings are required.

    • sam-client-certificate: The name of the imported client certificate.
    • sam-private-key: Uses the same name as the imported client certificate.
    • sam-private-key-password: The private key password set when importing the client certificate.
    • sam-ca-certificate: The name of the imported CA certificate, used to verify the authentication server certificate.
  6. Log in to the FAP_2 CLI to verify the configurations:

    SAM ping test with WPA3 Enterprise authentication using EAP-TLS

    SAM Iperf test with WPA3-SAE authentication

    SAM ping test with OWE authentication

    FortiAP-431F # rcfg
       < other output omitted >
       sam ssid           : sam-test-ent3
       sam bssid          : 00:00:00:00:00:00
       sam security type  : Enterprise
       sam captive portal : disabled
       sam test           : Ping
       sam server         : 8.8.8.8
       sam report interval: 60
       sam eap method     : EAP TLS
       sam client cert    : 1
       sam ca cert        : 1
       < other output omitted >
    FortiAP-431F # rcfg
       sam ssid           : sam-test-sae
       sam bssid          : 00:00:00:00:00:00
       sam security type  : SAE
       sam captive portal : disabled
       sam test           : Iperf
       sam server         : 172.18.56.99
       sam report interval: 60
       sam iperf port     : 5201
       sam iperf protocol : TCP
       < other output omitted >
    FortiAP-431F # rcfg
       < other output omitted >
       sam ssid           : sam-test-owe
       sam bssid          : 00:00:00:00:00:00
       sam security type  : OWE
       sam captive portal : disabled
       sam test           : Ping
       sam server         : 8.8.8.8
       sam report interval: 60
       < other output omitted >
  7. The FortiOS WiFi event log shows the corresponding event:

    SAM ping test with WPA3 Enterprise authentication using EAP-TLS

    SAM Iperf test with WPA3-SAE authentication

    SAM ping test with OWE authentication

    1: date=2023-11-10 time=12:02:16 eventtime=1699646536236321385 tz="-0800" logid="0104043711" type="event" subtype="wireless" level="notice" vd="root" logdesc="SAM ping test result" sn="FP431FTF23031585" ap="FP431FTF23031585" vap="sam-test-ent3" ssid="sam-test-ent3" stamac="80:80:2c:0c:01:9f" radioid=2 channel=161 security="WPA3 Enterprise Only" encryption="AES" action="sam-ping-result" msg="Connected to AP FP433FTF20001556, 0.0% packet loss" remotewtptime="3012.616987"
    1: date=2023-11-10 time=12:20:31 eventtime=1699647630989156870 tz="-0800" logid="0104043710" type="event" subtype="wireless" level="notice" vd="root" logdesc="SAM iperf test result" sn="FP431FTF23031585" ap="FP431FTF23031585" vap="sam-test-sae" ssid="sam-test-sae" stamac="80:80:2c:0c:01:9f" radioid=2 channel=161 security="WPA3 SAE" encryption="AES" action="sam-iperf-result" msg="Connected to AP FP433FTF20001556, TCP, max rate 0.6 MB/s" remotewtptime="11.468787"
    1: date=2023-11-10 time=12:28:11 eventtime=1699648091131525936 tz="-0800" logid="0104043711" type="event" subtype="wireless" level="notice" vd="root" logdesc="SAM ping test result" sn="FP431FTF23031585" ap="FP431FTF23031585" vap="sam-test-owe" ssid="sam-test-owe" stamac="80:80:2c:0c:01:9f" radioid=2 channel=161 security="OWE" encryption="AES" action="sam-ping-result" msg="Connected to AP FP433FTF20001556, 0.0% packet loss" remotewtptime="469.609833"

Support WPA3 options when the FortiAP radio mode is set to SAM 7.4.2

Support WPA3 options when the FortiAP radio mode is set to SAM 7.4.2

Note

This information is also available in the FortiWiFi and FortiAP 7.4 Configuration Guide:

This release supports WPA3 (Wi-Fi Protected Access 3) options when the radio mode is set to Fortinet's SAM (Service Assurance Manager). This includes WPA3-SAE (Simultaneous Authentication of Equals) and WPA3 OWE (Opportunistic Wireless Encryption). It also includes support for WPA2/WPA3-Enterprise with certificate authentication, encompassing both PEAP and EAP-TLS.

CLI changes:
config wireless-controller wtp-profile
  edit < name >
    config radio-1
      set mode sam
      set sam-ssid < string >
      set sam-security-type { wpa-enterprise | wpa3-sae | owe }
    end
  next 
end

Example use case

In this example, a FortiGate manages two FortiAPs. One FortiAP (FAP_1) broadcasts a test SSID using WPA3 security, while the second FortiAP (FAP_2) is configured as a SAM test client with the same WPA3 security method so it can connect to the SSID on FAP_1 and perform a SAM ping or Iperf test.

The following example shows how to configure a FortiAP profile with WPA3 Enterprise using EAP-TLS, WPA3-SAE, and OWE authentication.

To configure a FortiAP profile to run in SAM mode - CLI:
  1. (Optional) Upload the CA certificate to verify the server certificate.

    1. Go to System > Certificates > Create/Import > CA Certificate and complete the fields to upload the certificate.

  2. (Optional) Upload the client certificate with private key file.

    1. Go to System > Certificates > Create/Import > Certificate and click Import Certificate.

    2. Select Certificate or PKCS #12 Certificate, then follow the onscreen instructions to import the client certificate with private key file, and set the private-key-password.

  3. Create an SSID and select an authentication method:

    WPA3 Enterprise authentication using EAP-TLS

    WPA3-SAE authentication

    OWE authentication

    config wireless-controller vap
      edit "sam-test-ent3"
        set ssid "sam-test-ent3"
        set security wpa3-only-enterprise
        set pmf enable
        set auth radius
        set radius-server "eap_tls"
        set schedule "always"
      next
    end
    
    config wireless-controller vap
      edit "sam-test-sae"
        set ssid "sam-test-sae"
        set security wpa3-sae
        set pmf enable
        set schedule "always"
        set sae-password ENC
      next
    end
    config wireless-controller vap
      edit "sam-test-owe"
        set ssid "sam-test-owe"
        set security owe
        set pmf enable
        set schedule "always"
      next
    end
  4. Broadcast the SSID on FAP_1:

    WPA3 Enterprise authentication using EAP-TLS

    WPA3-SAE authentication

    OWE authentication

    config wireless-controller wtp-profile
      edit "FAP433F-sam-test"
        config platform
          set type 433F
          set ddscan enable
        end
        config radio-2
          set band 802.11ax-5G
          set vap-all manual
          set vaps "sam-test-ent3"
        end
      next
    end
    config wireless-controller wtp-profile
      edit "FAP433F-sam-test"
        config platform
          set type 433F
          set ddscan enable
        end
        config radio-2
          set band 802.11ax-5G
          set vap-all manual
          set vaps "sam-test-sae"
        end
      next
    end
    config wireless-controller wtp-profile
      edit "FAP433F-sam-test"
        config platform
          set type 433F
          set ddscan enable
        end
        config radio-2
          set band 802.11ax-5G
          set vap-all manual
          set vaps "sam-test-owe"
        end
      next
    end
  5. Configure the AP profile for FAP_2 to run in SAM mode and select a SAM security type. Then enable a SAM ping or Iperf test:

    SAM ping test with WPA3 Enterprise authentication using EAP-TLS

    SAM Iperf test with WPA3-SAE authentication

    SAM ping test with OWE authentication

    If the SAM security type is set to wpa-enterprise, you can configure SAM EAP methods and SAM certificate settings:

    config wireless-controller wtp-profile
      edit "FAP431F-sam-ent3"
        config radio-2
          set mode sam
          set sam-ssid "sam-test-ent3"
          set sam-security-type wpa-enterprise
          set sam-eap-method tls
          set sam-client-certificate "client2.cert"
          set sam-private-key "client2.cert"
          set sam-private-key-password ENC
          set sam-ca-certificate "CA_Cert_1"
          set sam-username "tester"
          set sam-password ENC
          set sam-test ping
          set sam-server-ip 8.8.8.8
          set sam-report-intv 60
        end
      next
    end
    config wireless-controller wtp-profile
      edit "FAP431F-sam-sae"
        config radio-2
          set mode sam
          set sam-ssid "sam-test-sae"
          set sam-security-type wpa3-sae
          set sam-password ENC
          set sam-test iperf
          set sam-server-ip "172.18.56.99"
          set iperf-server-port 5201
          set iperf-protocol tcp
          set sam-report-intv 60
        end
      next
    end
    config wireless-controller wtp-profile
      edit "FAP431F-sam-owe"
        config radio-2
          set mode sam
          set sam-ssid "sam-test-owe"
          set sam-security-type owe
          set sam-server-ip 8.8.8.8
          set sam-test ping
          set sam-report-intv 60
        end
      next
    end
    Note

    When the "sam-eap-method" is "tls" or "both", the "sam-client-certificate", "sam-private-key", and "sam-private-key-password" settings are required.

    • sam-client-certificate: The name of the imported client certificate.
    • sam-private-key: Uses the same name as the imported client certificate.
    • sam-private-key-password: The private key password set when importing the client certificate.
    • sam-ca-certificate: The name of the imported CA certificate, used to verify the authentication server certificate.
  6. Log in to the FAP_2 CLI to verify the configurations:

    SAM ping test with WPA3 Enterprise authentication using EAP-TLS

    SAM Iperf test with WPA3-SAE authentication

    SAM ping test with OWE authentication

    FortiAP-431F # rcfg
       < other output omitted >
       sam ssid           : sam-test-ent3
       sam bssid          : 00:00:00:00:00:00
       sam security type  : Enterprise
       sam captive portal : disabled
       sam test           : Ping
       sam server         : 8.8.8.8
       sam report interval: 60
       sam eap method     : EAP TLS
       sam client cert    : 1
       sam ca cert        : 1
       < other output omitted >
    FortiAP-431F # rcfg
       sam ssid           : sam-test-sae
       sam bssid          : 00:00:00:00:00:00
       sam security type  : SAE
       sam captive portal : disabled
       sam test           : Iperf
       sam server         : 172.18.56.99
       sam report interval: 60
       sam iperf port     : 5201
       sam iperf protocol : TCP
       < other output omitted >
    FortiAP-431F # rcfg
       < other output omitted >
       sam ssid           : sam-test-owe
       sam bssid          : 00:00:00:00:00:00
       sam security type  : OWE
       sam captive portal : disabled
       sam test           : Ping
       sam server         : 8.8.8.8
       sam report interval: 60
       < other output omitted >
  7. The FortiOS WiFi event log shows the corresponding event:

    SAM ping test with WPA3 Enterprise authentication using EAP-TLS

    SAM Iperf test with WPA3-SAE authentication

    SAM ping test with OWE authentication

    1: date=2023-11-10 time=12:02:16 eventtime=1699646536236321385 tz="-0800" logid="0104043711" type="event" subtype="wireless" level="notice" vd="root" logdesc="SAM ping test result" sn="FP431FTF23031585" ap="FP431FTF23031585" vap="sam-test-ent3" ssid="sam-test-ent3" stamac="80:80:2c:0c:01:9f" radioid=2 channel=161 security="WPA3 Enterprise Only" encryption="AES" action="sam-ping-result" msg="Connected to AP FP433FTF20001556, 0.0% packet loss" remotewtptime="3012.616987"
    1: date=2023-11-10 time=12:20:31 eventtime=1699647630989156870 tz="-0800" logid="0104043710" type="event" subtype="wireless" level="notice" vd="root" logdesc="SAM iperf test result" sn="FP431FTF23031585" ap="FP431FTF23031585" vap="sam-test-sae" ssid="sam-test-sae" stamac="80:80:2c:0c:01:9f" radioid=2 channel=161 security="WPA3 SAE" encryption="AES" action="sam-iperf-result" msg="Connected to AP FP433FTF20001556, TCP, max rate 0.6 MB/s" remotewtptime="11.468787"
    1: date=2023-11-10 time=12:28:11 eventtime=1699648091131525936 tz="-0800" logid="0104043711" type="event" subtype="wireless" level="notice" vd="root" logdesc="SAM ping test result" sn="FP431FTF23031585" ap="FP431FTF23031585" vap="sam-test-owe" ssid="sam-test-owe" stamac="80:80:2c:0c:01:9f" radioid=2 channel=161 security="OWE" encryption="AES" action="sam-ping-result" msg="Connected to AP FP433FTF20001556, 0.0% packet loss" remotewtptime="469.609833"