Tutek
New Member
April 8, 2025
Question

Cannot connect to FortiAP using 'WPA3 Enterprise Only'


Hi,

I have created an SSID on the FortiGate with WPA3 Enterprise Only; on the client (Windows 11) I manually created a Wi-Fi profile with security type 'WPA3 - Enterprise' and encryption type 'AES'.

The client Wi-Fi card, an Intel AX201, supports these authentication types:

netsh wlan show drivers

Interface name: Wi-Fi

    Driver                    : Intel(R) Wi-Fi 6 AX201 160MHz
    Vendor                    : Intel Corporation
    Provider                  : Intel
    Date                      : 2025-01-02
    Version                   : 23.110.0.5
    INF file                  : oem163.inf
    Type                      : Native Wi-Fi Driver
    Radio types supported     : 802.11b 802.11g 802.11n 802.11a 802.11ac 802.11ax
    FIPS 140-2 mode supported : Yes
    802.11w Management Frame Protection supported : Yes
    Hosted network supported  : No
    Authentication and cipher supported in infrastructure mode:
                                Open             None
                                Open             WEP-40bit
                                Open             WEP-104bit
                                Open             WEP
                                WPA-Enterprise   TKIP
                                WPA-Enterprise   CCMP
                                WPA-Personal     TKIP
                                WPA-Personal     CCMP
                                WPA2-Enterprise  TKIP
                                WPA2-Enterprise  CCMP
                                WPA2-Personal    TKIP
                                WPA2-Personal    CCMP
                                Open             Vendor defined
                                WPA3-Personal    CCMP
                                Vendor defined   Vendor defined
                                WPA3-Enterprise 192 Bits GCMP-256
                                OWE              CCMP
                                WPA3-Enterprise  CCMP
    Number of supported bands : 2
                                2.4 GHz [ 0 MHz - 0 MHz]
                                5 GHz   [ 0 MHz - 0 MHz]
    IHV service present       : Yes
    IHV adapter OUI           : [00 00 00], type: [00]
    IHV extensibility DLL path: C:\WINDOWS\system32\IntelIHVRouter10.dll
    IHV UI extensibility ClSID: {00000000-0000-0000-0000-000000000000}
    IHV diagnostics CLSID     : {00000000-0000-0000-0000-000000000000}
    Wireless Display Supported: Yes (Graphics Driver: Yes, Wi-Fi Driver: Yes)

But the connection is not working. In the FortiGate system events Wi-Fi logs I have these entries:

date=2025-04-08 time=08:13:03 id=7490821468477980776 itime="2025-04-08 08:13:04" euid=3 epid=3 dsteuid=3 dstepid=3 logver=702111740 logid=0104043679 type="event" subtype="wireless" level="notice" action="assoc-resp" msg="AP sent association response frame to client a4:b8:f1:e5:5f:72" logdesc="Association response to wireless station" sn="FORTIAPSN" user="N/A" reason="Reserved 0" ssid="Wifi" ap="FortiAP-IT" vap="Wifi" security="WPA3 Enterprise Only" channel=6 radioid=1 stamac="a4:b8:f1:e5:5f:72" encryption="AES" eventtime=1744092783982944568 authserver="NPS" remotewtptime="2702.669215" tz="+0200" devid="FORTIGATESN" vd="root" dtime="2025-04-08 08:13:03" itime_t=1744092784 devname="FGT"
date=2025-04-08 time=08:13:03 id=7490821468477980775 itime="2025-04-08 08:13:04" euid=3 epid=3 dsteuid=3 dstepid=3 logver=702111740 logid=0104043717 type="event" subtype="wireless" level="notice" action="layer3-roaming-rehome" msg="AP received association request frame from client a4:b8:f1:e5:5f:72" logdesc="Wireless client layer3 roaming rehome" sn="FORTIAPSN" user="N/A" reason="Reserved 0" ssid="Wifi" ap="FortiAP-IT" vap="Wifi" security="WPA3 Enterprise Only" channel=6 radioid=1 stamac="a4:b8:f1:e5:5f:72" encryption="AES" eventtime=1744092783982936887 authserver="NPS" remotewtptime="2702.669136" tz="+0200" devid="FORTIGATESN" vd="root" dtime="2025-04-08 08:13:03" itime_t=1744092784 devname="FGT"
date=2025-04-08 time=08:13:03 id=7490821468477980774 itime="2025-04-08 08:13:04" euid=3 epid=3 dsteuid=3 dstepid=3 logver=702111740 logid=0104043676 type="event" subtype="wireless" level="notice" action="auth-resp-WPA3" msg="AP sent WPA3(non-SAE) authentication response frame to client a4:b8:f1:e5:5f:72" logdesc="Authentication response to wireless station" sn="FORTIAPSN" user="N/A" reason="Reserved 0" ssid="Wifi" ap="FortiAP-IT" vap="Wifi" security="WPA3 Enterprise Only" channel=6 radioid=1 stamac="a4:b8:f1:e5:5f:72" encryption="AES" eventtime=1744092783982929072 authserver="NPS" remotewtptime="2702.669055" tz="+0200" devid="FORTIGATESN" vd="root" dtime="2025-04-08 08:13:03" itime_t=1744092784 devname="FGT"
date=2025-04-08 time=08:13:03 id=7490821468477980773 itime="2025-04-08 08:13:04" euid=3 epid=3 dsteuid=3 dstepid=3 logver=702111740 logid=0104043675 type="event" subtype="wireless" level="notice" action="auth-req-WPA3" msg="AP received WPA3(non-SAE) authentication request frame from client a4:b8:f1:e5:5f:72" logdesc="Authentication request from wireless station" sn="FORTIAPSN" user="N/A" reason="Reserved 0" ssid="Wifi" ap="FortiAP-IT" vap="Wifi" security="WPA3 Enterprise Only" channel=6 radioid=1 stamac="a4:b8:f1:e5:5f:72" encryption="AES" eventtime=1744092783982921295 authserver="NPS" remotewtptime="2702.668941" tz="+0200" devid="FORTIGATESN" vd="root" dtime="2025-04-08 08:13:03" itime_t=1744092784 devname="FGT"
date=2025-04-08 time=08:13:03 id=7490821468477980772 itime="2025-04-08 08:13:04" euid=3 epid=3 dsteuid=3 dstepid=3 logver=702111740 logid=0104043679 type="event" subtype="wireless" level="notice" action="assoc-resp" msg="AP sent association response frame to client a4:b8:f1:e5:5f:72" logdesc="Association response to wireless station" sn="FORTIAPSN" user="N/A" reason="Reserved 0" ssid="Wifi" ap="FortiAP-IT" vap="Wifi" security="WPA3 Enterprise Only" channel=6 radioid=1 stamac="a4:b8:f1:e5:5f:72" encryption="AES" eventtime=1744092783982913245 authserver="NPS" remotewtptime="2702.668851" tz="+0200" devid="FORTIGATESN" vd="root" dtime="2025-04-08 08:13:03" itime_t=1744092784 devname="FGT"
date=2025-04-08 time=08:13:03 id=7490821468477980771 itime="2025-04-08 08:13:04" euid=3 epid=3 dsteuid=3 dstepid=3 logver=702111740 logid=0104043717 type="event" subtype="wireless" level="notice" action="layer3-roaming-rehome" msg="AP received association request frame from client a4:b8:f1:e5:5f:72" logdesc="Wireless client layer3 roaming rehome" sn="FORTIAPSN" user="N/A" reason="Reserved 0" ssid="Wifi" ap="FortiAP-IT" vap="Wifi" security="WPA3 Enterprise Only" channel=6 radioid=1 stamac="a4:b8:f1:e5:5f:72" encryption="AES" eventtime=1744092783982905028 authserver="NPS" remotewtptime="2702.668771" tz="+0200" devid="FORTIGATESN" vd="root" dtime="2025-04-08 08:13:03" itime_t=1744092784 devname="FGT"
date=2025-04-08 time=08:13:03 id=7490821468477980770 itime="2025-04-08 08:13:04" euid=3 epid=3 dsteuid=3 dstepid=3 logver=702111740 logid=0104043676 type="event" subtype="wireless" level="notice" action="auth-resp-WPA3" msg="AP sent WPA3(non-SAE) authentication response frame to client a4:b8:f1:e5:5f:72" logdesc="Authentication response to wireless station" sn="FORTIAPSN" user="N/A" reason="Reserved 0" ssid="Wifi" ap="FortiAP-IT" vap="Wifi" security="WPA3 Enterprise Only" channel=6 radioid=1 stamac="a4:b8:f1:e5:5f:72" encryption="AES" eventtime=1744092783982896162 authserver="NPS" remotewtptime="2702.668672" tz="+0200" devid="FORTIGATESN" vd="root" dtime="2025-04-08 08:13:03" itime_t=1744092784 devname="FGT"
date=2025-04-08 time=08:13:03 id=7490821468477980769 itime="2025-04-08 08:13:04" euid=3 epid=3 dsteuid=3 dstepid=3 logver=702111740 logid=0104043675 type="event" subtype="wireless" level="notice" action="auth-req-WPA3" msg="AP received WPA3(non-SAE) authentication request frame from client a4:b8:f1:e5:5f:72" logdesc="Authentication request from wireless station" sn="FORTIAPSN" user="N/A" reason="Reserved 0" ssid="Wifi" ap="FortiAP-IT" vap="Wifi" security="WPA3 Enterprise Only" channel=6 radioid=1 stamac="a4:b8:f1:e5:5f:72" encryption="AES" eventtime=1744092783982879792 authserver="NPS" remotewtptime="2702.668547" tz="+0200" devid="FORTIGATESN" vd="root" dtime="2025-04-08 08:13:03" itime_t=1744092784 devname="FGT"
date=2025-04-08 time=08:13:03 id=7490821464183013523 itime="2025-04-08 08:13:03" euid=3 epid=3 dsteuid=3 dstepid=3 logver=702111740 logid=0104043679 type="event" subtype="wireless" level="notice" action="assoc-resp" msg="AP sent association response frame to client a4:b8:f1:e5:5f:72" logdesc="Association response to wireless station" sn="FORTIAPSN" user="N/A" reason="Reserved 0" ssid="Wifi" ap="FortiAP-IT" vap="Wifi" security="WPA3 Enterprise Only" channel=6 radioid=1 stamac="a4:b8:f1:e5:5f:72" encryption="AES" eventtime=1744092783005136936 authserver="NPS" remotewtptime="2701.381718" tz="+0200" devid="FORTIGATESN" vd="root" dtime="2025-04-08 08:13:03" itime_t=1744092783 devname="FGT"
date=2025-04-08 time=08:13:03 id=7490821464183013522 itime="2025-04-08 08:13:03" euid=3 epid=3 dsteuid=3 dstepid=3 logver=702111740 logid=0104043717 type="event" subtype="wireless" level="notice" action="layer3-roaming-rehome" msg="AP received association request frame from client a4:b8:f1:e5:5f:72" logdesc="Wireless client layer3 roaming rehome" sn="FORTIAPSN" user="N/A" reason="Reserved 0" ssid="Wifi" ap="FortiAP-IT" vap="Wifi" security="WPA3 Enterprise Only" channel=6 radioid=1 stamac="a4:b8:f1:e5:5f:72" encryption="AES" eventtime=1744092783005128242 authserver="NPS" remotewtptime="2701.381610" tz="+0200" devid="FORTIGATESN" vd="root" dtime="2025-04-08 08:13:03" itime_t=1744092783 devname="FGT"
date=2025-04-08 time=08:13:03 id=7490821464183013521 itime="2025-04-08 08:13:03" euid=3 epid=3 dsteuid=3 dstepid=3 logver=702111740 logid=0104043676 type="event" subtype="wireless" level="notice" action="auth-resp-WPA3" msg="AP sent WPA3(non-SAE) authentication response frame to client a4:b8:f1:e5:5f:72" logdesc="Authentication response to wireless station" sn="FORTIAPSN" user="N/A" reason="Reserved 0" ssid="Wifi" ap="FortiAP-IT" vap="Wifi" security="WPA3 Enterprise Only" channel=6 radioid=1 stamac="a4:b8:f1:e5:5f:72" encryption="AES" eventtime=1744092783005119286 authserver="NPS" remotewtptime="2701.378759" tz="+0200" devid="FORTIGATESN" vd="root" dtime="2025-04-08 08:13:03" itime_t=1744092783 devname="FGT"
date=2025-04-08 time=08:13:03 id=7490821464183013520 itime="2025-04-08 08:13:03" euid=3 epid=3 dsteuid=3 dstepid=3 logver=702111740 logid=0104043675 type="event" subtype="wireless" level="notice" action="auth-req-WPA3" msg="AP received WPA3(non-SAE) authentication request frame from client a4:b8:f1:e5:5f:72" logdesc="Authentication request from wireless station" sn="FORTIAPSN" user="N/A" reason="Reserved 0" ssid="Wifi" ap="FortiAP-IT" vap="Wifi" security="WPA3 Enterprise Only" channel=6 radioid=1 stamac="a4:b8:f1:e5:5f:72" encryption="AES" eventtime=1744092783005096788 authserver="NPS" remotewtptime="2701.378633" tz="+0200" devid="FORTIGATESN" vd="root" dtime="2025-04-08 08:13:03" itime_t=1744092783 devname="FGT"

So in the logs we have this order for the connection:

1. auth-req-WPA3
2. auth-resp-WPA3
3. layer3-roaming-rehome
4. assoc-resp

and this procedure repeats three times; it does not even proceed to the 4-way handshake.

Once I change the authentication type on the FortiGate and the client to WPA3 SAE, the connection works.

Once I change the authentication type to WPA2 Enterprise, the connection also works.

How could I troubleshoot this?
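
The repeating sequence described in the post can be recovered mechanically from an exported log. This is an added example, not part of the original post and not Fortinet code: it assumes entries use the key=value layout quoted above, treats an attempt as stalled when nothing is logged after `assoc-resp`, and its function names are illustrative.

```python
import re

# Constructed sample: the 12 entries quoted in the post, trimmed to a few fields and
# run together on one line, the way the log text appears in the post.
_E = ('date=2025-04-08 time=08:13:03 action="{}" stamac="a4:b8:f1:e5:5f:72" '
      'security="WPA3 Enterprise Only" eventtime={} ')
SAMPLE = "".join(_E.format(a, t) for a, t in [
    ("assoc-resp", 1744092783982944568), ("layer3-roaming-rehome", 1744092783982936887),
    ("auth-resp-WPA3", 1744092783982929072), ("auth-req-WPA3", 1744092783982921295),
    ("assoc-resp", 1744092783982913245), ("layer3-roaming-rehome", 1744092783982905028),
    ("auth-resp-WPA3", 1744092783982896162), ("auth-req-WPA3", 1744092783982879792),
    ("assoc-resp", 1744092783005136936), ("layer3-roaming-rehome", 1744092783005128242),
    ("auth-resp-WPA3", 1744092783005119286), ("auth-req-WPA3", 1744092783005096788),
])

ENTRY = re.compile(r'(?=\bdate=\d{4}-\d{2}-\d{2} time=)')  # zero-width: start of an entry
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')           # key="quoted value" or key=bare

def parse(text):
    """Split a log blob into entries; return one field dict per entry, oldest first."""
    events = []
    for chunk in ENTRY.split(text):
        fields = {k: (b or q) for k, q, b in FIELD.findall(chunk)}
        if "eventtime" in fields and "action" in fields:
            events.append(fields)
    return sorted(events, key=lambda e: int(e["eventtime"]))

def attempts(events, mac):
    """Group one client's actions into attempts; each auth-req* opens a new one."""
    runs = []
    for e in events:
        if e.get("stamac", "").lower() != mac.lower():
            continue
        if e["action"].startswith("auth-req") or not runs:
            runs.append([])
        runs[-1].append(e["action"])
    return runs

def stalled(run):
    """Assumption: an attempt stalled if nothing is logged after assoc-resp."""
    return run[-1] == "assoc-resp"

def summarize(text, mac):
    runs = attempts(parse(text), mac)
    return {"attempts": len(runs), "stalled": sum(stalled(r) for r in runs), "runs": runs}

if __name__ == "__main__":
    print(summarize(SAMPLE, "a4:b8:f1:e5:5f:72"))
```

Sorting on `eventtime` matters because the entries are listed newest first and all share the same one-second `time=` value.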

 

6 replies

Stephen_G
Moderator
April 10, 2025

Hello Tutek,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Stephen_G - Fortinet Community Team
joshbergm
Explorer
April 11, 2025

Hi,

In the NPS profile on the Windows Server, do you have EAP-TLS or EAP-TTLS enabled?

Tutek (Author)
New Member
April 22, 2025

Yes, NPS is on Windows Server with EAP-TLS enabled (based on certificates), and with WPA2-Enterprise the connection works. But once I set WPA3-Enterprise, the connection is not even forwarded to the NPS server (I don't see any logs in the Event Viewer); it stops at the authorization stage in FortiGate/AP.

ebilcari
Staff
April 22, 2025

Is the firmware of the FAP and FGT at the compatible/recommended versions? Check the FortiAP and FortiOS Compatibility Matrix document and choose the recommended firmware.

Emirjon
MFisherIT
Visitor III
August 22, 2025

My Intel AX201 adapter (driver 23.110.0.5) is also failing to connect when using wpa3-only-enterprise or wpa3-enterprise-transition. I am using Microsoft's (RADIUS) Network Policy Service (NPS). Our NPS network connection profile is using "PEAP-TLS" (Protected EAP with "smart card or certificate"). Our Forti-AP and FortiGate are compatible/recommended.

For troubleshooting I have disabled the 2.4GHz and 6GHz radios on our single FortiAP-231K.

The Windows WLAN-AutoConfig > diagnostic log event logs show:

Connection failed. Interface = Intel(R) Wi-Fi 6 AX201 160MHz, Reason code = 0x38002

I also do not see any events in the NPS event logs when using WPA3.

If I just change the FortiGate's SSID security to wpa2-only-enterprise and the security on the Windows Wi-Fi profile to WPA2-Enterprise, then everything works.

plsikk
Explorer
January 12, 2026

Same here - "WPA3 Enterprise only" is not working for Intel(R) Wireless-AC 9560 160MHz and HP 640/650 G5, even if the driver is showing WPA3 Enterprise as supported.