kajlasunil
Staff
Article Id 367804
Description: This article explains the error that may occur when trying to change the security mode of an SSID from WPA3 to WPA2.
Scope: FortiAP and FortiGate.
Solution

If there is a requirement to switch the security mode of the SSID from WPA3 to WPA2, attempting this change via the GUI or CLI may result in the following error.

 


 

CLI Reference:

 

config wireless-controller vap
    edit "Guest"
        set ssid "Guest"
        set security wpa3-only-enterprise
        set pmf enable
        set auth usergroup
        set local-bridging enable
        set schedule "always"
    next
end

 

FortiGate (Guest) # set security wpa2-only-personal
Couldn't set security wpa2-only-personal since this vap is in use in wtp-profile "test" radio-3 (Unsupport security type for 6GHz radio)
Command fail. Return code -37

 

The above error occurs only when the SSID is broadcast on a 6GHz radio.


Note:

The 6GHz band supports only the following security modes.

  1. WPA3 Enterprise 192-bit.
  2. WPA3 Enterprise Only.
  3. WPA3 SAE with only Hash-to-Element (H2E) enabled.
  4. Opportunistic Wireless Encryption (OWE) with OWE transition mode disabled.

 

Solution:

Remove the respective SSID from Radio 3 (6GHz) first, then change the security mode.
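
The two steps in CLI form, as an added example that is not part of the original article. It reuses the wtp-profile "test", radio-3 and the SSID "Guest" from the error above, and assumes the radio lists its SSIDs manually (vap-all manual); the passphrase is a placeholder. Lines beginning with # are annotations, not commands.

```text
# Step 1: remove the SSID from the 6GHz radio (radio-3 of wtp-profile "test").
# Assumption: the radio uses a manual SSID list ("set vap-all manual").
config wireless-controller wtp-profile
    edit "test"
        config radio-3
            unselect vaps "Guest"
        end
    next
end

# Step 2: with the SSID no longer on a 6GHz radio, change the security mode.
# <passphrase> is a placeholder for the new pre-shared key.
config wireless-controller vap
    edit "Guest"
        set security wpa2-only-personal
        set passphrase <passphrase>
    next
end
```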

