FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Sparta_FTNT
Staff
Staff
Description
This article explains how to configure WPA3 on FortiGate WiFi/AP.

Solution
FortiGate supports GUI as well as CLI configuration of WPA3 starting from firmware version 6.2.1


To configure WPA3 in the GUI:

1) Go to WiFi & Switch Controller -> SSID
2) Click Create New -> SSID.
3) In the WiFi Settings section Security Mode drop down list, select a WPS3 option.


4) Click 'OK'

Use a client with WPA3 to verify the connection.

To configure WPA3 in the CLI:

1) WPA3 OWE.

- WPA3 OWE only.
  Clients which support WPA3 can connect with this SSID.
#config wireless-controller vap
edit "80e_owe"
set ssid "80e_owe"
set security owe
set pmf enable
set schedule "always"
next
end
- WPA3 OWE TRANSITION.
  Clients connect with normal OPEN or OWE depending on its capability.
  Clients which support WPA3 connect with OWS standard.
  Clients which cannot support WPA3 connect with Open SSID.
#config wireless-controller vap
edit "80e_open"
set ssid "80e_open"
set security open
set owe-transition enable
set owe-transition-ssid "wpa3_open"

set schedule "always"
next
edit "wpa3_owe_tr"
set ssid "wpa3_open"
set broadcast-ssid disable
set security owe
set pmf enable
set owe-transition enable
set owe-transition-ssid "80e_open"

set schedule "always"
next
end
2) WPA3 SAE.

- WPA3 SAE.
  Clients which support WPA3 can connect with this SSID.
#config wireless-controller vap
edit "80e_sae"
set ssid "80e_sae"
set security wpa3-sae
set pmf enable
set schedule "always"
set sae-password 12345678
next
end
- WPA3 SAE TRANSITION.
  There are two passwords in the SSID.
  If passphrase is used, the client connects with WPA2 PSK.
  If sae-password is used, the client connects with WPA3 SAE.
#config wireless-controller vap
edit "80e_sae-tr"
set ssid "80e_sae-transition"
set security wpa3-sae-transition
set pmf optional
set passphrase 11111111
set schedule "always"
set sae-password 22222222
next
end
3) WPA3 Enterprise.
     Using this option, select the auth type to use either RADIUS authentication or local user authentication.
#config wireless-controller vap
edit "80e_wpa3"
set ssid "80e_wpa3"
set security wpa3-enterprise
set pmf enable
set auth radius
set radius-server "wifi-radius"
set schedule "always"
next
edit "80e_wpa3_user"
set ssid "80e_wpa3_user"
set security wpa3-enterprise
set pmf enable
set auth usergroup
set usergroup "usergroup"
set schedule "always"
next
end
Use a client with WPA3 to verify the connection.

Contributors