Abin_FTNT
Staff
October 4, 2019

Technical Tip: How to configure WPA3 on FortiGate WiFi/AP


Description

 

This article describes how to configure WPA3 on FortiGate WiFi/AP.

 

Scope

 

FortiGate.

Solution


FortiGate supports GUI as well as CLI configuration of WPA3 starting from firmware version 6.2.1.


To configure WPA3 in the GUI:
  1. Go to WiFi & Switch Controller -> SSID.
  2. Select Create New -> SSID.
  3. In the WiFi Settings section, Security Mode drop-down list, select a WPA3 option.
 
[Screenshot: wifi new.png]

  4. Select 'OK'.
 
Use a client with WPA3 to verify the connection.
 
To configure WPA3 in the CLI:
 
  1. WPA3 OWE.
  • WPA3 OWE only.
Clients that support WPA3 can connect with this SSID.
 
config wireless-controller vap
    edit "80e_owe"
        set ssid "80e_owe"
        set security owe
        set pmf enable
        set schedule "always"
    next
end
 
  • WPA3 OWE TRANSITION.
Clients connect with normal OPEN or OWE, depending on their capability.
Clients that support WPA3 connect with the OWE standard.
Clients that cannot support WPA3 connect with an Open SSID.
 
config wireless-controller vap
    edit "80e_open"
        set ssid "80e_open"
        set security open
        set owe-transition enable
        set owe-transition-ssid "wpa3_open"
        set schedule "always"
    next
    edit "wpa3_owe_tr"
        set ssid "wpa3_open"
        set broadcast-ssid disable
        set security owe
        set pmf enable
        set owe-transition enable
        set owe-transition-ssid "80e_open"
        set schedule "always"
    next
end
 
  2. WPA3 SAE.
  • WPA3 SAE.
Clients that support WPA3 can connect with this SSID.
 
config wireless-controller vap
    edit "80e_sae"
        set ssid "80e_sae"
        set security wpa3-sae
        set pmf enable
        set schedule "always"
        set sae-password 12345678
    next
end
 
  • WPA3 SAE TRANSITION.
This SSID is configured with two passwords.
If the passphrase is used, the client connects with WPA2 PSK.
If the sae-password is used, the client connects with WPA3 SAE.
 
config wireless-controller vap
    edit "80e_sae-tr"
        set ssid "80e_sae-transition"
        set security wpa3-sae-transition
        set pmf optional
        set passphrase 11111111
        set schedule "always"
        set sae-password 22222222
    next
end
 
  3. WPA3 Enterprise.
With this option, select the authentication type to use: either RADIUS authentication or local user authentication.
 
config wireless-controller vap
    edit "80e_wpa3"
        set ssid "80e_wpa3"
        set security wpa3-enterprise
        set pmf enable
        set auth radius
        set radius-server "wifi-radius"
        set schedule "always"
    next
    edit "80e_wpa3_user"
        set ssid "80e_wpa3_user"
        set security wpa3-enterprise
        set pmf enable
        set auth usergroup
        set usergroup "WIFI_Users"
        set schedule "always"
    next
end
 
From GUI:
 
[Screenshot: SSID 4.png]
 
Use a client with WPA3 Enterprise Only to verify the connection.

[Screenshot: ssid client.png]
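
A configuration check for the CLI entries above, as an added example that is not part of the original article or Fortinet tooling: it parses a "config wireless-controller vap" block and flags WPA3-only SSIDs where pmf is not set to enable, numeric or short sae-password values, and OWE transition pairs whose owe-transition-ssid values do not point at each other. The function names, the 12-character floor and the sample text are assumptions made for illustration.

```python
# Added example, not Fortinet code. SAMPLE is constructed from the article's entries
# with deliberate mistakes: a mistyped owe-transition-ssid and "pmf optional" on SAE.
SAMPLE = '''
config wireless-controller vap
    edit "80e_open"
        set ssid "80e_open"
        set security open
        set owe-transition enable
        set owe-transition-ssid "wpa3_open"
    next
    edit "wpa3_owe_tr"
        set ssid "wpa3_open"
        set security owe
        set pmf enable
        set owe-transition enable
        set owe-transition-ssid "80e_opne"
    next
    edit "80e_sae"
        set ssid "80e_sae"
        set security wpa3-sae
        set pmf optional
        set sae-password 12345678
    next
end
'''

def parse_vaps(text):
    """Return {vap_name: {option: value}} for each 'edit' entry."""
    vaps, cur = {}, None
    for line in text.splitlines():
        verb, _, rest = line.strip().partition(' ')
        if verb == 'edit':
            cur = vaps.setdefault(rest.strip('" '), {})
        elif verb == 'set' and cur is not None:
            key, _, val = rest.strip().partition(' ')
            cur[key] = val.strip('" ')
    return vaps

def audit(vaps):
    """Sorted (vap, finding) tuples. Assumes explicit options; 12-char floor is local policy."""
    out, by_ssid = [], {v.get('ssid'): v for v in vaps.values()}
    for name, v in vaps.items():
        if v.get('security') in ('owe', 'wpa3-sae', 'wpa3-enterprise') and v.get('pmf') != 'enable':
            out.append((name, 'pmf not set to enable'))
        if (pw := v.get('sae-password')) is not None and (pw.isdigit() or len(pw) < 12):
            out.append((name, 'weak sae-password'))
        peer = by_ssid.get(v.get('owe-transition-ssid'), {})
        if v.get('owe-transition') == 'enable' and peer.get('owe-transition-ssid') != v.get('ssid'):
            out.append((name, 'owe-transition pair mismatch'))
    return sorted(out)
```

Calling audit(parse_vaps(SAMPLE)) returns the findings as (VAP name, finding) tuples; the check treats an option that is absent from the text as unset, so run it against a full configuration dump.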