Explorer

Solved

How to turn ON the WPA3 SAE-PK feature of FortiAP 231F

Forum|Forum|3 years ago
January 30, 2023
5 replies
5926 views

Hello there!

I have recently purchased Fortigate 40F together with FortiAP 231F, to set up a WLAN environment in my laboratory to test iot equipments. What I am interested in is "SAE public key" as introduced as part of WPA3 R3 spec, and it is introduced as a new feature since FortiOS 7.2.0.

My question is:

Has anyone ever tried to associate a SAE-PK-capable STA with a FortiAP(7.2.1 or newer) that support SAE-PK? If so, is there any tutorial simple enough to guide us through the first integration with regard to this SAE-PK authentication. For example, how to configure wpa_supplicant and what is the wireless sniffer capture like?

P.S:

Whenever I unclick the local standalone option, the SSID turns OFF automatically.

Somehow there is a rule between the "SAE-PK authentication" and "local standalone" parameter?

However, it can be found nowhere in any document.

Thank you very much, experts.

Best answer by grithnir

Through days of debugging and testing, it comes to a happy ending.

The story can be told in brief:

1. the latest fortiOS 7.2.4 has newly introduced a feature to check your SAE password and SAE-PK private Key at runtime, YOU SHALL NOT PASS unless you input the valid SAE password and SAE-PK private key PAIR.

Unfortunately, there's no such check and remind mechanism back in 7.2.3, so that

a wrong configuration will be activated down to FortiAp, leading to the FortiAP ending up

with malfunctional BSS. That's why I have seen radio LED OFF.

2. How to generate these two attributes? Please refer to the github page https://github.com/vanhoefm/hostap-wpa3/

3. TAC fella said there will be updates in documents to deal with this stuff.

Cheers, Experts!

adambomb1219

SuperUser

WPA3-SAE is just a PSK. You should only need to configure that PSK on the WPA3 capable device.

grithnirAuthor

Explorer

Sorry, It's "SAE-PK" or "SAE public key" , not PSK, as known as pre shared key.

adambomb1219

SuperUser

But it still uses a PSK, and, if I understand correctly, happens automatically through the WPA3 spec: https://www.wi-fi.org/beacon/thomas-derham-nehru-bhandaru/wi-fi-certified-wpa3-december-2020-update-brings-new-0

grithnirAuthor

Explorer

Whatever so-called "PSK" understanding is, WPA3 spec tells, that's it.

Anyone had a go with SAE-PK? Yes or no? Of course, transition disabled.

grithnirAuthor

Explorer

And whenever I unclick the "local standalone" option while SAE-PK is enabled under SSID setting, the FortiAP radio LED is sure to go off with this radio turned off.

Do you know what is the trick here? Is there any documents carrying this fact?

Screen Shot 2023-02-06 at 10.56.06.png

grithnirAuthor

Explorer

update.

grithnirAuthorAnswer

Explorer

Through days of debugging and testing, it comes to a happy ending.

The story can be told in brief:

1. the latest fortiOS 7.2.4 has newly introduced a feature to check your SAE password and SAE-PK private Key at runtime, YOU SHALL NOT PASS unless you input the valid SAE password and SAE-PK private key PAIR.

Unfortunately, there's no such check and remind mechanism back in 7.2.3, so that

a wrong configuration will be activated down to FortiAp, leading to the FortiAP ending up

with malfunctional BSS. That's why I have seen radio LED OFF.

2. How to generate these two attributes? Please refer to the github page https://github.com/vanhoefm/hostap-wpa3/

3. TAC fella said there will be updates in documents to deal with this stuff.

Cheers, Experts!

CK_admin

New Member

So how is this done in the Windows world? I'm pretty new to all of this and haven't been able to figure out how to generate a password out of a private key. Thank you!

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded