FortiWiFi and FortiAP Configuration Guide

Generating SAE-PK private key and password

You can use FortiOS to generate an SAE-PK private key and password for SAE-PK authentication and WPA3 security configuration with the following CLI command:

execute wireless-controller create-sae-pk [SSID] [curve:prime256v1|secp384r1|secp521r1]

Once the private key and password are generated, you can then apply them to an SSID with the security mode set to a WPA3-SAE option and SAE-PK authentication enabled.

To generate an SAE private key and password - CLI:
  1. Use the SAE-PK generation command to create an SAE-PK private key and password. In this example, the SSID is "Example_wpa3_sae_pk" with the curve set to prime256v1.

    execute wireless-controller create-sae-pk Example_wpa3_sae_pk prime256v1
    
  2. The command runs and displays the following:

    sae_pk_gen ssid Example_wpa3_sae_pk sec 3 curve prime256v1:
    
    Searching for a suitable Modifier M value
    12.98%Found a valid hash in 2178339 iterations: 0000006920878369f515848ab8d3047dc106a231c7ddd19e86ea1f2435d31f26
    PasswordBase binary data for base32: b49049e0dabea2b848abc69829f7048d4469c7dde8cf49ba87e486bd31
    # SAE-PK password/M/private key for Sec=3.
    sae_password=wsie-tyg2-x2r4
    pk=1794539622f6d39bbb54d027997243a1:MHcCAQEEIHLc/EnczHEXZ6hyleMmRb0eJ2mqgWRr4nNtJ5Agqx7goAoGCCqGSM49AwEHoUQDQgAE+JUkjlb3PjP44JjdmEDCuWaytDVGeyWSBEsKsnNzbnyYD65nNYWqgfcdErBX/apbh7Fe4fo8oQcS6Xsa1m8UIA==
    # Longer passwords can be used for improved security at the cost of usability:
    # wsie-tyg2-x2rl-qsfs
    # wsie-tyg2-x2rl-qsfl-y2mr
    # wsie-tyg2-x2rl-qsfl-y2mc-t5yi
    # wsie-tyg2-x2rl-qsfl-y2mc-t5ye-rvc6
    # wsie-tyg2-x2rl-qsfl-y2mc-t5ye-rvcg-tr6e
    # wsie-tyg2-x2rl-qsfl-y2mc-t5ye-rvcg-tr65-5dhj
    # wsie-tyg2-x2rl-qsfl-y2mc-t5ye-rvcg-tr65-5dhu-touh
    # wsie-tyg2-x2rl-qsfl-y2mc-t5ye-rvcg-tr65-5dhu-touh-4sdz
    # wsie-tyg2-x2rl-qsfl-y2mc-t5ye-rvcg-tr65-5dhu-touh-4sdl-2mpz
  3. Copy the sae_password and pk values.

    • sae_password is the SAE password. You can also copy one of the longer passwords instead for improved security.
    • pk is the SAE-PK private key.
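
The hash, PasswordBase and password lines in that output are related, and the relationship can be checked offline. The following Python is an added example (not Fortinet code), with the layout inferred from the values printed above: the 8*Sec zero bits are dropped, a Sec bit is placed before every 19 hash bits, and the result is base32-encoded. The final password character is a checksum that this example does not recompute; the function names and the Sec=5 bit value are assumptions.

```python
import re

B32 = "abcdefghijklmnopqrstuvwxyz234567"  # RFC 4648 base32 alphabet, lower case
PW_RE = re.compile(r"[a-z2-7]{4}(-[a-z2-7]{4}){2,}")

# Values copied from the sae_pk_gen output shown above.
PAGE_HASH = "0000006920878369f515848ab8d3047dc106a231c7ddd19e86ea1f2435d31f26"
PAGE_SEC = 3

def password_data_chars(hash_hex, sec, length):
    """Derive the first length-1 password characters from the fingerprint hash."""
    if sec not in (3, 5) or length < 12 or length % 4:
        raise ValueError("unsupported Sec or password length")
    digest = bytes.fromhex(hash_hex)
    if any(digest[:sec]):
        raise ValueError("hash does not start with 8*Sec zero bits")
    rest_bits = (len(digest) - sec) * 8
    rest = int.from_bytes(digest[sec:], "big")
    groups = length // 4
    if groups * 19 > rest_bits:
        raise ValueError("password longer than the hash can supply")
    sec_1b = 1 if sec == 3 else 0   # assumption for Sec=5; the page shows Sec=3 only
    base = 0
    for g in range(groups):         # each 4-character group = Sec bit + 19 hash bits
        chunk = (rest >> (rest_bits - 19 * (g + 1))) & 0x7FFFF
        base = (base << 20) | (sec_1b << 19) | chunk
    total = 20 * groups
    return "".join(B32[(base >> (total - 5 * (i + 1))) & 31]
                   for i in range(length - 1))

def password_matches_hash(password, hash_hex=PAGE_HASH, sec=PAGE_SEC):
    """True if every character except the trailing checksum matches the hash."""
    if not PW_RE.fullmatch(password):
        return False
    chars = password.replace("-", "")
    try:
        return chars[:-1] == password_data_chars(hash_hex, sec, len(chars))
    except ValueError:
        return False

if __name__ == "__main__":
    # The third value is a constructed, deliberately altered password.
    for pw in ("wsie-tyg2-x2r4", "wsie-tyg2-x2rl-qsfs", "wsie-tyg2-x2a4"):
        print(pw, password_matches_hash(pw))
```

Each longer password in the output extends the same bit string, so it carries more bits of the hash than the 12-character one.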

To apply the generated SAE private key and password to an SSID - GUI:
  1. Go to WiFi Controller > SSID and select the SSID you want to apply the SAE-PK to.

  2. In the WiFi Settings section, set the Security Mode to a WPA3 option.

  3. In SAE password, paste the sae_password value you previously generated.

  4. Enable SAE-PK authentication.

  5. In SAE-PK private key, paste the pk value you previously generated.

  6. When you are finished, click OK.

To apply the generated SAE private key and password to an SSID - CLI:
  1. From the FortiOS CLI, go to the SSID you want to configure and enter the SAE-PK Private Key and Password values you copied:

    config wireless-controller vap
      edit "wpa3-test"
        set ssid "Example_wpa3_sae_pk"
        set security wpa3-sae
        set sae-pk enable
        set sae-private-key "1794539622f6d39bbb54d027997243a1:MHcCAQEEIHLc/EnczHEXZ6hyleMmRb0eJ2mqgWRr4nNtJ5Agqx7goAoGCCqGSM49AwEHoUQDQgAE+JUkjlb3PjP44JjdmEDCuWaytDVGeyWSBEsKsnNzbnyYD65nNYWqgfcdErBX/apbh7Fe4fo8oQcS6Xsa1m8UIA=="
        set sae-password wsie-tyg2-x2r4
      next
    end
  2. After applying the SSID to a FortiAP, confirm the WiFi station can connect.

    diagnose wireless-controller wlac -d sta online
       vf=0 mpId=0 wtp=3 rId=2 wlan=wpa3-test vlan_id=0 ip=0.0.0.0 ip6=:: mac=f8:e4:e3:d8:5e:af vci= host= user= group= signal=-9 noise=-89 idle=1 bw=0 use=3 chan=161 radio_type=11AC(wave2) security=wpa3_sae mpsk= encrypt=aes cp_authed=no l3r=1,0 G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=2
