Technical Tip: Only super_admin accounts can view WiFi SSID passphrase after upgrade to FortiOS v7.4.10 or v7.6.5

Starting in FortiOS v7.4.10 and v7.6.5, only super_admin accounts are able to view reversible secrets in cleartext.

Before the upgrade, a profile administrator account can view reversible secrets. For an SSID in tunnel mode, this requires an administrator with read-write access permission to 'WiFi & Switch' and read-only access permission to 'Network', see Administrator profiles.

To view the WPA2 Passphrase, go to WiFi & Switch Controller -> SSIDs -> WiFi Settings -> Select the 'eye' icon next to the Passphrase field. The existing passphrase displays in cleartext.

After the upgrade, a profile administrator account is only able to change the WPA2 passphrase and cannot view the existing passphrase after configuration. This is expected.

An administrator with super_admin permissions is still able to view the SSID passphrase in cleartext.

Notes:

• Administrators are not able to view administrator credentials in cleartext, including their own, either before or after upgrade. Administrator passwords are stored as an irreversible hash using either the SHA256 or PBKDF2 algorithm, see Technical Tip: Enforcing PBKDF2 as hash function for administrator accounts in FortiOS v7.2.11 and later.
• While the restriction above applies for most reversible secrets stored on the firewall, it does not apply to Guest Administrators viewing guest user passwords. However, in FortiOS v7.6.5 and v7.6.6, there is a known issue with this exception, see the article Technical Tip: Guest user password shows 'ENC XXXX' after upgrade to v7.0.14, v7.2.7, v7.4.9 and v7.6.5.

Related articles:

Technical Tip: Minimum permissions for FortiGate operations

Technical Tip: Guest User Management account