FortiAP devices are thin wireless access points (AP) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4), as well as 802.11n, 802.11AX , and the demand for plug and play deployment.
Article Id 282429

This article describes when there is a connectivity issue between FortiAP and Aruba UXI Sensor 'UX-G6C'/Printer is an Epson 'TM-m30II' when PMF is enabled in the WPA2 SSID configured on FortiAP Profile.

Scope FortiAP.

DISABLE (Protected Management Frame) 802.1W in the SSID to make it work. Make sure that rogue suppression is not happening in the environment.



802.11W PMF (Protected Management Frame) is used to protect the wireless networks from Rogue FortiAP and de-auth attacks as disassociation can be refused by FortiAP or the client only when the management protection frame is enabled.

Integrity check is enabled in PMF if this check fails, then disassociation is refused. FortiAP will broadcast MFPC(Management Frame Protection Capable) when the PMF bit is set to 1 in the beacon frame.

When the devices in question UX-G6C and Epson 'TM-m30II' try to connect to a WPA2-based FortiAP SID, the connection does not go through.

This behavior was reported on FortiAP deployed on FortiLANCloud. There is an advanced setting in the SSID to enable or disable PMF as shown below:




The user was claiming that FortiAP is sending WPA3 info in the probe response, which might be causing a connection drop.

Upon further investigation, if this was the case, the RSN extension IE would be shown in the screenshot below:





Following the probe response packet from the WPA2 SSID from FortiAP which does not have the RSN extension field: